Re: How to secure a webservice - could some expert advise?




We have a similar scenario and did the following:

Communication is secured using SSL. We operate our own certificate server
and the root certificate is installed with the windows application.
Individual client certs are not used.

A username and hashed password are sent in a SOAP header with every request.
A SOAP extension on the server validates every request by checking the
hashed password against a database record.

It is a best practice not to store unhashed passwords in a DB, in case the
server is compromised.

I guess the bit that may be tricky for you here is maintaining your own
Certificate Authority. Perhaps PGP or similar could be used to encrypt the
channel.

This is all pre-WSE.


"thomas" <tom@xxxxxxx> wrote in message
news:jRDXg.6438$NE6.834@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hi everybody,

Here is the scenario: webservice and a windows client application.

Requirements:
1. Only authenticated and authorized users shall be able to call web
methods.
2. User names or passwords shall never be sent over http.

Constraints:
3. Webservice cannot use Windows or LDAP authentication - users and their
passwords are stored in a SQL database.
4. The use of x.509 certificates is not an option - too expensive,
distribution impractical. Does this eliminate WSE? Perhaps, but this level
of security is NOT necessary.

Note: although that would be nice, communication does NOT have to be
encrypted. When really needed, meaning when I have to start transmitting
credit card numbers etc., this could perhaps be accomplished using HTTPS.

Again, the solution does NOT have to be absolutely secure - it only has to
be "good enough".

I, of course, have some solutions in mind, but I would appreciate if some
expert who has REAL experience in implementing similar solutions could
provide advice or share some thoughts.

Thank you,

Tomasz
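The header-based scheme the reply describes (username plus hashed password carried in a SOAP header, checked by a server-side extension against a stored hash), as an added stand-alone example that is not code from either poster. It is written in Python rather than as a .NET SoapExtension so it can be run as-is; the header namespace `urn:example:auth`, the element names `Credentials`/`Username`/`PasswordHash`, the unsalted SHA-256 hash and the in-memory `USER_DB` standing in for the SQL table are all assumptions made here, not details from the thread.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
# Hypothetical namespace for the custom credentials header (assumption).
AUTH_NS = "urn:example:auth"


def password_hash(password: str) -> str:
    """Hash used on both sides. Unsalted SHA-256 is a stand-in for whatever
    hash the original scheme used; the server stores only this value."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed user table standing in for the SQL database: hashes only.
USER_DB = {
    "tomasz": password_hash("correct horse battery staple"),
}


def build_request(username: str, password: str, body_xml: str) -> str:
    """Client side: wrap the call in a SOAP envelope whose Header carries
    the username and the password hash (never the password itself)."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    cred = ET.SubElement(header, f"{{{AUTH_NS}}}Credentials")
    ET.SubElement(cred, f"{{{AUTH_NS}}}Username").text = username
    ET.SubElement(cred, f"{{{AUTH_NS}}}PasswordHash").text = password_hash(password)
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    body.append(ET.fromstring(body_xml))
    return ET.tostring(env, encoding="unicode")


def authenticate(request_xml: str):
    """Server side, the job of the SOAP extension in the reply: pull the
    credentials header out of the envelope and check it against the stored
    record. Returns (True, username) or (False, reason)."""
    try:
        env = ET.fromstring(request_xml)
    except ET.ParseError:
        return False, "malformed envelope"
    cred = env.find(f"{{{SOAP_NS}}}Header/{{{AUTH_NS}}}Credentials")
    if cred is None:
        return False, "missing credentials header"
    user_el = cred.find(f"{{{AUTH_NS}}}Username")
    hash_el = cred.find(f"{{{AUTH_NS}}}PasswordHash")
    if user_el is None or hash_el is None or not user_el.text or not hash_el.text:
        return False, "incomplete credentials header"
    presented = hash_el.text.strip().lower()
    # Reject anything that is not a hex SHA-256 digest before comparing.
    if len(presented) != 64 or any(c not in "0123456789abcdef" for c in presented):
        return False, "malformed password hash"
    stored = USER_DB.get(user_el.text)
    if stored is None:
        # Burn the same comparison cost for unknown users so the timing does
        # not reveal which usernames exist.
        hmac.compare_digest(presented, "0" * 64)
        return False, "unknown user"
    # Constant-time comparison so the check does not leak the stored hash.
    if not hmac.compare_digest(presented, stored):
        return False, "bad password hash"
    return True, user_el.text


if __name__ == "__main__":
    req = build_request("tomasz", "correct horse battery staple", "<Ping/>")
    print(req)
    print(authenticate(req))
    print(authenticate(build_request("tomasz", "wrong", "<Ping/>")))
```

One property worth keeping in mind with this layout: the value in `PasswordHash` is the same on every request, so anyone who can read the header can replay it and is authenticated as that user without ever learning the password. The hash therefore protects the stored secret, not the wire, and the scheme depends on the SSL channel the reply puts underneath it for transport protection.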


