.NET Remoting Security
kzavalo1_at_lenel.com
Date: 02/10/05
Date: 10 Feb 2005 10:47:03 -0800
We have the client application making calls to the server using .NET
Remoting. The communication is protected by authentication,
authorization, and encryption, so nobody can get into the channel.
Also the client and the server applications are digitally signed. Now
we assume that somebody knows valid user credentials and creates its own
client application to make calls to our server. We would like to
implement another layer of protection that allows only specific (signed
by us) clients to make a remote call. From what I learned about
.NET Remoting, the client sink sends the calling assembly's strong name as
part of the stream. Theoretically it would give us an idea of who the
caller is. But it looks like this information can be overwritten right
in the client sink, so the "bad" client can use the old strong name
that is recognized by our server to make a call. I tried to find any
information on what part of message data is always authentic and can be
trusted by the server, so we can use it in order to identify the
caller, but I did not find any definite answer.