Re: Web service Security



When I read the MS article about WSE 3.0, they have suggested the following
methods:
1. Direct Authentication through SSL
2. Brokered Authentication
   1. X.509 certificates
   2. Kerberos
   3. STS (Security Token Service)

Since the web service will be exposed to the outside world through the
internet, we need to secure the SOAP header as well as the message itself.
We plan to use .NET 2.0 / Windows Advanced Server 2003.

Which method of the above would best suit our scenario?

Please correct me if our approach has any flaw.

Since I'm new to the WSE concept, I'm struggling to understand the examples
given by MS. Does anybody have a much easier implementation sample?

Regards
Ravi
Ben Voigt wrote:
<sayravi@xxxxxxxxx> wrote in message
news:1146747918.202571.324470@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hi,

We have proposed a solution to our client which uses web services to
expose certain interfaces to the internet.

We are currently thinking of how to secure a web service when exposed
to internet.

Is SSL/certificates the only way of securing a web service?

No.


Is there any effective & secure solution which doesn't use SSL
encryption or certificates?

Of course.

SSL and certificates use public/private key encryption to set up
connections, which is effective but slow.

It provides:
(1) secrecy
(2) tamper detection
(3) non-repudiation

Do you need all of these? If you need only tamper detection, a message
authentication code -- strong hash over (shared key + data) -- will be far
faster.

If you need secrecy, a symmetric key protocol would be much faster.

For non-repudiation, only asymmetric-key cryptography can work.

If you need protection against replay attacks, make sure your messages
expire based on some included date/time.


Any information or links would be a great help for me.

Thanks in advance.

Regards
Ravi
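The scheme Ben describes (a keyed MAC for tamper detection, plus an included timestamp so messages expire) as an added example, not code from either poster or from WSE: it uses HMAC-SHA256 rather than a bare hash of key + data (which would be open to length extension), adds a server-side nonce cache because a time window alone still admits replays inside the window, and assumes a constructed shared key, hypothetical header names and a SOAP-style body.

```python
import base64
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

# Shared secret, constructed for this example; in practice distributed out of band.
SHARED_KEY = b"example-shared-key-not-for-production"
MAX_AGE_SECONDS = 300    # messages older than this are rejected
CLOCK_SKEW_SECONDS = 60  # tolerated client clock drift into the future


def _mac(key: bytes, timestamp: int, nonce: str, body: bytes) -> bytes:
    # HMAC over timestamp, nonce and body, so none of them can be altered
    # without the key; HMAC avoids the length-extension weakness of hash(key||data).
    msg = f"{timestamp}\n{nonce}\n".encode("utf-8") + body
    return hmac.new(key, msg, hashlib.sha256).digest()


def sign_message(body: bytes, key: bytes = SHARED_KEY,
                 now: Optional[int] = None) -> dict:
    """Headers the caller attaches to the SOAP request (hypothetical header names)."""
    ts = int(time.time()) if now is None else now
    nonce = os.urandom(16).hex()
    tag = base64.b64encode(_mac(key, ts, nonce, body)).decode("ascii")
    return {"Timestamp": str(ts), "Nonce": nonce, "MAC": tag}


def verify_message(headers: dict, body: bytes, seen_nonces: set,
                   key: bytes = SHARED_KEY,
                   now: Optional[int] = None) -> Tuple[bool, str]:
    """Return (accepted, reason); seen_nonces is the server's replay cache."""
    current = int(time.time()) if now is None else now
    try:
        ts = int(headers["Timestamp"])
        nonce = headers["Nonce"]
        tag = base64.b64decode(headers["MAC"], validate=True)
    except (KeyError, ValueError):
        return False, "missing or malformed headers"
    # Expiry check first: cheap, and it bounds how long nonces must be remembered.
    if not (current - MAX_AGE_SECONDS <= ts <= current + CLOCK_SKEW_SECONDS):
        return False, "timestamp outside acceptance window"
    # Constant-time comparison so tag bytes do not leak through timing.
    if not hmac.compare_digest(tag, _mac(key, ts, nonce, body)):
        return False, "MAC mismatch"
    # Only authenticated nonces enter the cache, so forgeries cannot fill it.
    if nonce in seen_nonces:
        return False, "replayed nonce"
    seen_nonces.add(nonce)
    return True, "ok"
```

This gives tamper detection and replay protection only; if the message content itself must stay secret, it still needs to be encrypted with a separate symmetric key, as Ben notes.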