views:

530

answers:

2

My goal is to launch an installation with admin credentials(user with install rights), In order to do this I need to pass these user credentials from a webservice. So the question is What is the most secure way I could pass this data. Keeping in mind the user of the end client is not logged in as an administrator but I would assume has access to the data during transport(ie I cannot count on channel security alone.)

Myclient code would be a vb or C# application talking to an asp.net webservice.

A: 

Using encryption of message body (WS-Encryption) in pair with HTTPS is a quite secured in most cases.

gedevan
+1  A: 

Encryption will protect admin credentials during transport from WebService to application memory, as pointed by gedevan.

Do you mean you also want to protect them from the user who launches application? Keep in mind, he is an owner of your process, so with the right tooling and a lot of determination he should be able to extract credentials from process memory.

Alexander Abramov
Your right at some point I need to decrypt this data and move it to a secure string. It would be nice to have it flow right into a secure string in the from the webservice proxy.
Aaron Fischer
Excuse me, but I don't really understand what you mean by "secure string". Windows CryptoProvider storage?I was trying to say, that from OS perspective application has no more rights than owning user. It means there is no place accessible by application, but protected from user.
Alexander Abramov