If I have a Silverlight client connecting to a web service hosted in a Windows service, there's no obvious way to secure communications between the two if you're not using IIS. SSL isn't available, and wsHttpBinding isn't supported by Silverlight.

So here's what I'm planning on doing, and just wanted to see if I'd missed any obvious security holes. This will all be on an intranet, SSL-secured hosting on IIS will be used if we ever make it internet-enabled.

  1. Create a certificate and put it in the user store for the service account for the web service. Web-service retrieves the certificate keys on startup.
  2. Add a clear-text method to the web service to return the public key from the certificate as a string.
  3. Call the web-service from the Silverlight client to get the public key.
  4. Encrypt all data sent to the web-service from the Silverlight client using the public key. The data returned to the Silverlight client does not need to be encrypted.

Am I missing anything? I can't figure out any other way to do it!

A: 

You can't encrypt large amounts of data with RSA cryptography, it's just too darn slow (100s of ms per RSA modulus length I think). All schemes use RSA to bootstrap a symmetric key and encrypt the data using this key. Use any of the established key exchange protocols. You'd be surprised how easy it is to implement SSL 3.0 or TLS 1.0 if you have a copy of Rescorla's book SSL and TLS: Designing and Building Secure Systems.

Remus Rusanu
You are correct, I should have specified that only data in need of protection would be encrypted, such as user credentials.
David Allen
How do you plan to ensure that the certificate is not coming from an attacker in the middle? Are you going to verify that the certificate is signed by a trusted authority (trusted by the client or trusted by you?) and has appropriate attributes (i.e. subject)?
Remus Rusanu
I'm not, this will be on an intranet so I think the risk is acceptable. If there is any chance of that I'd host it in IIS instead, I think.
David Allen
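The hybrid scheme the answer describes (RSA only wraps a per-message symmetric key; the payload goes under an AEAD cipher) together with the certificate check raised in the comments, as an added .NET example that is not part of the original thread. It assumes .NET 6+ for `RandomNumberGenerator.GetBytes` and `AesGcm`; the service's `RSA` key pair would be loaded from the certificate described in the question, and `expectedSubject` is a placeholder for the service certificate's distinguished name.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Hybrid envelope: RSA-OAEP wraps a fresh AES-256 key, AES-GCM encrypts the payload
// and authenticates it, so a tampered message is rejected rather than decrypted.
public static class Envelope
{
    public sealed record Sealed(byte[] WrappedKey, byte[] Nonce, byte[] Ciphertext, byte[] Tag);

    // Client side: needs only the service's public key (as fetched in step 3 of the question).
    public static Sealed Seal(RSA servicePublicKey, byte[] plaintext)
    {
        byte[] aesKey = RandomNumberGenerator.GetBytes(32);                           // one key per message
        byte[] nonce  = RandomNumberGenerator.GetBytes(AesGcm.NonceByteSizes.MaxSize); // 12 bytes, never reused
        byte[] ct     = new byte[plaintext.Length];
        byte[] tag    = new byte[AesGcm.TagByteSizes.MaxSize];                        // 16-byte auth tag
        using (var gcm = new AesGcm(aesKey))
            gcm.Encrypt(nonce, plaintext, ct, tag);
        byte[] wrapped = servicePublicKey.Encrypt(aesKey, RSAEncryptionPadding.OaepSHA256); // only 32 bytes go through RSA
        CryptographicOperations.ZeroMemory(aesKey);
        return new Sealed(wrapped, nonce, ct, tag);
    }

    // Service side: unwrap the key with the private key, then authenticate and decrypt.
    public static byte[] Open(RSA servicePrivateKey, Sealed msg)
    {
        byte[] aesKey = servicePrivateKey.Decrypt(msg.WrappedKey, RSAEncryptionPadding.OaepSHA256);
        byte[] pt = new byte[msg.Ciphertext.Length];
        using (var gcm = new AesGcm(aesKey))
            gcm.Decrypt(msg.Nonce, msg.Ciphertext, msg.Tag, pt); // throws CryptographicException on tampering
        CryptographicOperations.ZeroMemory(aesKey);
        return pt;
    }

    // The check the comments ask for: a certificate fetched over clear text is only trusted
    // if it chains to a CA in the client's trust store and names the expected service.
    public static bool IsExpectedServiceCert(X509Certificate2 cert, string expectedSubject)
    {
        using var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; // assumption: intranet CA without a reachable CRL
        return chain.Build(cert)
            && string.Equals(cert.Subject, expectedSubject, StringComparison.Ordinal);
    }
}
```

Without the `IsExpectedServiceCert` step, step 2 of the plan lets anyone who can answer the clear-text public-key call substitute their own key and read every envelope.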