+1  Q: 

secure web service

I am going to be creating a web service that will be passing confidential information across the network.

What would be the best way to secure the web service? How do I know if the application requesting the information is who it says it is, and it's not another application that is using another's user name and password?

A: 

Have a look at WIF (aka Geneva framework). Its purpose is to solve the exact problem you describe. http://msdn.microsoft.com/en-us/security/aa570351.aspx

klausbyskov
A: 

I've done this once or twice in the past:

  • Use SSL
  • Write the webservice to require a token which is retrieved from a method on the webservice.
  • Have the token returned from a method which requires a login and password.
  • After a certain number of webservice requests, or at random intervals, change the token required, thus forcing a re-authentication.

  • If you want to, encrypt the data in the SSL stream, by using an encryption method which both parties understand. (If you're paranoid.)

Bravax
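
The token scheme from the answer above, sketched as an added example (not code from the answer or from any framework named on this page). `TokenService`, its method names, the request budget and the fixed lifetime are all assumptions made for illustration; every call is assumed to travel over SSL.

```python
import hashlib
import hmac
import secrets
import time

MAX_REQUESTS_PER_TOKEN = 3    # assumed budget before re-authentication
TOKEN_LIFETIME_SECONDS = 300  # assumed lifetime (fixed here, not random)


class TokenService:
    """Hypothetical server-side token store; transport is assumed to be SSL."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._users = {}   # username -> (salt, PBKDF2 hash of password)
        self._tokens = {}  # SHA-256 of token -> [username, uses left, expiry]

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_user(self, username, password):
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, self._hash(password, salt))

    def login(self, username, password):
        """Return a fresh random token, or None if the credentials are wrong."""
        # Unknown users still pay for one hash so timing does not reveal them.
        salt, stored = self._users.get(username, (b"\0" * 16, b""))
        if not hmac.compare_digest(self._hash(password, salt), stored):
            return None
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).hexdigest()
        expiry = self._clock() + TOKEN_LIFETIME_SECONDS
        self._tokens[key] = [username, MAX_REQUESTS_PER_TOKEN, expiry]
        return token

    def authorize(self, token):
        """Return the caller's username, or None to force a new login."""
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self._tokens.get(key)
        if entry is None:
            return None
        if entry[1] <= 0 or self._clock() >= entry[2]:
            del self._tokens[key]  # spent or expired: token is retired
            return None
        entry[1] -= 1
        return entry[0]
```

The server keeps only a hash of each token, so a leaked token table cannot be replayed directly, and a token that has used up its budget or lifetime is deleted rather than renewed.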
A: 

Use WCF for your web service! It has tons of security capabilities:

You can

  • secure your clients via Certificates - only those that have the appropriate certificate will be allowed to get their calls processed

  • secure your clients by looking them up in your internal Active Directory domain - only those with AD accounts will be allowed to get their requests processed

  • secure your clients with custom username/passwords which you can look up against anything you want (this is the most flexible, but also the most complicated option, and offers the most potential for failure if you get something wrong)

Plus, with WCF, you also have loads of options to secure the transport between client and service, or encrypt and sign the messages going back and forth.

See the WCF Developer Center as a great starting point for all things WCF.

If you're serious about safely and securely programming WCF services, grab a copy of the Programming WCF Services book by Juval Lowy - it's the bible for WCF.

marc_s
+1  A: 

You don't write which implementation technology you intend to use, so let me start by recommending that you use Windows Communication Foundation (WCF) instead of asmx web services.

With WCF you can select between many different bindings, many of which offer data protection. Overall, there are two different styles of data protection for web services:

  • Transport protection, where the transport mechanism itself offers protection in the form of encryption. The best known version of this is HTTPS/SSL. However, note that unless you employ client certificates, the service has no guarantee that the client is what it says it is.
  • Message protection, where the message itself is encrypted and signed. Such messages can travel over otherwise unprotected networks and still be protected.

The WsHttpBinding offers message protection according to open standards. That's where I would start.

Mark Seemann