I have an ASP.NET 1.1 form gathering data on a public-facing site, within a DMZ. The data is represented by a serializable class. My problem is that I need to serialize, encrypt and transmit the data to a Web Service running on an internal server - the service logic should then decrypt and deserialize the data before writing the XML to a shared folder.

Can someone point me in the right direction? What's the most straightforward way of doing this?

+1  A: 

Is it possible to use SSL to secure the Web Service on the internal server? This would seem to offer the protection you require.

If you don't have SSL, you will want to serialize the class to XML and then encrypt it. Then decrypt to the serialized XML format. You could then deserialize the XML files created on the share.

Encryption is fairly straightforward to program because you have a string of XML that you want to encrypt and decrypt. The challenge is with the choice of the encryption algorithm and the storage of encryption keys. You should read up on symmetric and asymmetric encryption. If the key is exposed then an attacker can easily decrypt your data. Use file permissions to tightly control access.

The simplest option is to use symmetric keys and store the keys on both ends. There are a number of examples and docs out there.

BrianLy
Yes, I can use SSL to go from DMZ to internal server - presumably I'm okay using our own CA for this. Actually, don't need to deserialize, can leave it in folder as XML file. What data type do I use to pass the serialized object to the Web Service?
IrishChieftain
Your own CA should suffice, but protecting your certificates etc is similar to protecting encryption keys. Someone will probably disagree but I would say just pass over the XML as a string if you simply need to get it across the wire. You are probably going to add some dev time on by trying to model the service to match the XML data that you want to pass over.
BrianLy
Brian, could you expand a little on "protecting your certificates"? Thanks :)
IrishChieftain
Basically being careful where you store them and making sure only required users have permissions to access. I've seen developers being careless and leaving key files like this lying around in directories which could be accessed by others.
BrianLy
Thanks Brian - marked as answer and an up vote for Irish Engineering ;-)
IrishChieftain
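
An added example (not code from the answer or the question) of the no-SSL fallback BrianLy describes: serialize the class to XML, encrypt it with a symmetric key held on both ends, and decrypt it on the internal server. It assumes .NET 8 or later, since the `AesGcm` class used here does not exist in ASP.NET 1.1; `FormData`, `SealedXml`, `Seal` and `Open` are hypothetical names, and the 32-byte key is assumed to be provisioned on both servers in a file with tightly restricted permissions.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Xml.Serialization;

// Hypothetical stand-in for the form's serializable class (assumption).
public class FormData
{
    public string Name { get; set; } = "";
    public string Email { get; set; } = "";
}

public static class SealedXml
{
    const int NonceLen = 12, TagLen = 16;

    // DMZ side: serialize to XML, then encrypt and authenticate with AES-GCM.
    // Returns Base64 of nonce || tag || ciphertext, suitable for a string parameter.
    public static string Seal(FormData data, byte[] key)
    {
        using var ms = new MemoryStream();
        new XmlSerializer(typeof(FormData)).Serialize(ms, data);
        byte[] plain = ms.ToArray();

        byte[] blob = new byte[NonceLen + TagLen + plain.Length];
        var nonce = blob.AsSpan(0, NonceLen);
        RandomNumberGenerator.Fill(nonce);            // fresh nonce for every message
        using var gcm = new AesGcm(key, TagLen);
        gcm.Encrypt(nonce, plain, blob.AsSpan(NonceLen + TagLen), blob.AsSpan(NonceLen, TagLen));
        return Convert.ToBase64String(blob);
    }

    // Internal side: returns the XML bytes, ready to write to the shared folder.
    // Throws CryptographicException if the key is wrong or the message was altered.
    public static byte[] Open(string sealedBase64, byte[] key)
    {
        byte[] blob = Convert.FromBase64String(sealedBase64);
        if (blob.Length < NonceLen + TagLen)
            throw new CryptographicException("Message too short.");
        byte[] plain = new byte[blob.Length - NonceLen - TagLen];
        using var gcm = new AesGcm(key, TagLen);
        gcm.Decrypt(blob.AsSpan(0, NonceLen), blob.AsSpan(NonceLen + TagLen),
                    blob.AsSpan(NonceLen, TagLen), plain);
        return plain;
    }
}
```

Because `Open` throws instead of returning data when verification fails, the service should write the file to the share only after the call returns.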