Re: secure a WS called via GPRS




"Steven Cheng[MSFT]" <stcheng@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:v4XK0dRvGHA.3920@xxxxxxxxxxxxxxxxxxxxxxxx
Hello Trapulo,

Hello Steven,

From your description, I understand you're considering a security mechanism to
secure your ASP.NET webservice which will be consumed by many smart
devices (mobile .... ) using CF 2.0, correct?

Yes

Based on my experience, you may consider the following options:

1. I'm afraid using WSE 3.0 is not doable here, the bottleneck is your
client consumers (smart devices), since WSE 3.0 only supports .NET Framework
2.0 (not Compact Framework).

OK. I missed this, because I see that VS 2005 starts the wizard and imports the DLLs
even in a 2.0 mobile project.

2. Is it possible to use transport protocol security? Since webservices
currently mostly rely on HTTP, a very common and sophisticated security
approach is using https/ssl to secure our webservice.

Yes, but this solves only one problem: security. How can I test the client's
identity in my application? I need to be sure that only authorized clients
connect to my WS.
If I use SSL, what about the session's overhead? I think that creating an SSL
session requires some time and data transfer (I can see it even using a
normal PC) before the session is active: how can this impact a CF client's
performance? And if I make several different calls, does CF start a new SSL
session every time, or can it reuse the last one (if it is still valid, of
course)?

3. If using https/ssl is not possible for your scenario, I think you need
to consider implementing a custom security component which will help
encrypt and sign your webservice request/response SOAP messages. And for
ASP.NET webservice, the SoapExtension is such a pluggable component, which
can intercept the request/response SOAP message of an ASP.NET webservice
webmethod (at both server-side and client proxy side). Thus, we can define a
custom security SoapExtension which encrypts and signs the SOAP message.
Here is a tech article which demonstrates a simple securing SOAP
extension:

#Encrypting SOAP Messages
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnaspnet/html/asp09272001.asp

This can be interesting, I'll check if it is hard to implement in my
solution.

In addition, .NET Framework (also Compact Framework 2.0) has provided
enhanced cryptographic support, you can leverage it in your custom
webservice security extension:

#Cryptographic Services
http://msdn2.microsoft.com/en-us/library/93bskf9z.aspx

#Cryptographic Tasks
http://msdn2.microsoft.com/en-us/library/7yx4d854.aspx

Hope this helps. If there is any other information you're interested in,
please feel free to let me know.

Reading your link, I was thinking of transferring data from my client to the
server using a custom XML command-response protocol. So I can sign the XML
value, and if I need to I can also encrypt it. I can control the whole process,
and I can manage the remote clients' accounts (public key authorization list)
from my application, integrated in my BLL. However, I see that the namespace
System.Security.Cryptography.Xml is not available on CF but only on the standard
framework. Is there any solution to this? Is this a bad idea, in your opinion?


thank you
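
One way to sign a custom XML command without System.Security.Cryptography.Xml is a detached RSA signature over the exact bytes sent, checked on the server against a list of authorized public keys. This is an added example, not code from the post or from Microsoft; the client id, the XML element names and the key list are hypothetical, and it uses the current .NET RSA API (availability of these calls on Compact Framework is not verified here).

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Added example: detached RSA signature over the exact bytes of an XML command,
// checked against a server-side list of authorized client public keys.
static class SignedCommandDemo
{
    // Client side: sign the UTF-8 bytes of the command exactly as they will be sent.
    static byte[] Sign(RSA clientKey, string xml) =>
        clientKey.SignData(Encoding.UTF8.GetBytes(xml),
                           HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);

    // Server side: accept only a known client id whose registered key verifies the bytes.
    static bool Verify(IDictionary<string, RSAParameters> authorized,
                       string clientId, string xml, byte[] signature)
    {
        if (!authorized.TryGetValue(clientId, out RSAParameters pub))
            return false;                       // client is not in the authorization list
        using (RSA rsa = RSA.Create())
        {
            rsa.ImportParameters(pub);
            return rsa.VerifyData(Encoding.UTF8.GetBytes(xml), signature,
                                  HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        }
    }

    static void Main()
    {
        using (RSA deviceKey = RSA.Create(2048))    // constructed key pair for the demo
        {
            var authorized = new Dictionary<string, RSAParameters>
            {
                ["device-001"] = deviceKey.ExportParameters(false)   // public part only
            };
            // Constructed sample command; element and attribute names are hypothetical.
            string cmd = "<command id=\"42\" issued=\"2006-08-10T10:00:00Z\">" +
                         "<op>GetOrders</op></command>";
            byte[] sig = Sign(deviceKey, cmd);

            Console.WriteLine(Verify(authorized, "device-001", cmd, sig));   // valid request
            Console.WriteLine(Verify(authorized, "device-001",
                                     cmd.Replace("GetOrders", "DeleteOrders"), sig)); // tampered
            Console.WriteLine(Verify(authorized, "device-999", cmd, sig));   // unknown client
        }
    }
}
```

A signature alone does not stop a captured command from being replayed, so the server should also reject a command id or timestamp it has already seen. Signing the raw bytes avoids XML canonicalization, but the server must verify the bytes as received, before any re-serialization.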



