
.NET Forum / ASP.NET / Web Services / September 2005


Testing Routine for WSE 2.0

Microsoft - 26 Sep 2005 16:41 GMT
Hi All,

I have almost completed the first stage of our security upgrades for our web
services. So far I have implemented Authentication, Authorization, Signing &
Encryption from client to server. The first 2 of these I can test very
simply. However, I am uncertain how to test the latter 2 subjects (short of
becoming a full-time hacker who can intercept the SOAP message and change
it!).

Does anyone have any proven methods for testing the integrity of the
messages?

As background, I am using UsernameToken object as my SecurityToken model; I
have implemented my own UsernameTokenManager that assigns Roles to the
authenticated token.

Many thanks,

Chris
Chris Arnold - 26 Sep 2005 18:41 GMT
BTW, I'm not from Microsoft - I was just a little lazy with the setting up
of this newsgroup :)
William Stacey [MVP] - 26 Sep 2005 19:37 GMT
I would first question the use of UsernameTokens.  How are you sending the
password (hash, none, clear).  I would tend to favor SCTs over UT if
security is important.

Signature

William Stacey [MVP]

Chris Arnold - 27 Sep 2005 11:37 GMT
I am using UTs with passwords sent Hashed. I am happy with the model that I
have constructed for this part of the process.

William Stacey [MVP] - 27 Sep 2005 15:37 GMT
The only thing is, sent hashed is easy to dictionary attack off the wire -
especially if users have simple passwords.  If they have totally random 6-10
char passwords, then probably ok.  However, as you're talking about security
upgrades, I would use SCTs instead of UTs.  Even MS recommends not using UTs
unless they're protected with a secure channel or security token such as an
SCT.

Signature

William Stacey [MVP]

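The dictionary-attack point above follows directly from how a digest-mode UsernameToken is built, and the same digest routine is what a server-side check has to compute. The Python example below is an added illustration, not code from this thread or from WSE 2.0: it computes PasswordDigest as the WS-Security UsernameToken Profile defines it, and pairs it with the Created-window and nonce-replay checks a custom UsernameTokenManager needs, so the rejection paths (replay, wrong password, stale token) can be exercised in a test rather than by intercepting traffic. The verifier class, credential store and clock are constructed stand-ins, not WSE APIs.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

def password_digest(nonce: bytes, created: str, password: str) -> str:
    # PasswordDigest = Base64(SHA-1(nonce + created + password)) per the
    # UsernameToken Profile. Nonce and Created travel in the clear, so a
    # captured token lets an eavesdropper test password guesses offline.
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")

def build_token(username: str, password: str, now: datetime) -> dict:
    # Client side: the fields a wsse:UsernameToken carries in digest mode.
    nonce, created = os.urandom(16), now.strftime("%Y-%m-%dT%H:%M:%SZ")
    return {"Username": username, "Created": created,
            "Nonce": base64.b64encode(nonce).decode("ascii"),
            "PasswordDigest": password_digest(nonce, created, password)}

class UsernameTokenVerifier:
    # Server side (constructed stand-in for a custom UsernameTokenManager):
    # the digest check plus freshness and replay checks; needs the password.
    def __init__(self, passwords: dict, window_seconds: int = 300):
        self.passwords = passwords          # constructed credential store
        self.window = timedelta(seconds=window_seconds)
        self.seen = {}                      # nonce -> when it may be forgotten

    def verify(self, token: dict, now: datetime) -> bool:
        password = self.passwords.get(token["Username"])
        if password is None:
            return False
        created = datetime.strptime(token["Created"], "%Y-%m-%dT%H:%M:%SZ")
        if abs(now - created.replace(tzinfo=timezone.utc)) > self.window:
            return False                    # stale or future-dated Created
        self.seen = {n: exp for n, exp in self.seen.items() if exp > now}
        if token["Nonce"] in self.seen:
            return False                    # nonce reused: replayed message
        expected = password_digest(base64.b64decode(token["Nonce"]),
                                   token["Created"], password)
        if not hmac.compare_digest(expected, token["PasswordDigest"]):
            return False
        self.seen[token["Nonce"]] = now + self.window
        return True

def demo() -> dict:
    # The four cases an integration test should cover, with a fixed clock.
    now, pw = datetime(2005, 9, 27, 15, 37, tzinfo=timezone.utc), "S3cret-pass"
    v = UsernameTokenVerifier({"chris": pw})
    good, wrong = build_token("chris", pw, now), build_token("chris", "x", now)
    stale = build_token("chris", pw, now - timedelta(hours=1))
    return {"valid": v.verify(good, now), "replay": v.verify(good, now),
            "wrong_password": v.verify(wrong, now), "stale": v.verify(stale, now)}
```

Because the server must hold the password (or an equivalent) to recompute the digest, and because nonce and timestamp are visible on the wire, the digest adds replay protection but no real protection against offline guessing; that is the reason for the SCT or secure-channel recommendation above.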
