.NET Forum / ASP.NET / Web Services / September 2005

Are my Responses Encrypted?

Chris Arnold - 27 Sep 2005 16:58 GMT
Hi All,

If I call a WebMethod and supply a UsernameToken, a MessageSignature and an
EncryptedData object I know that my message to the server is secure.

If I do nothing other than return the 'result' in my WebMethod, is the
Response sent back to the client secure?

If so, is it automatically Encrypted & Signed with the Security Token the
client sent in the Request?

Chris
Pablo Cibraro - 27 Sep 2005 18:24 GMT
Hi Chris,
The answer is no. You are only protecting the request message, so you will
have to do the same for the response message.

Regards,
Pablo Cibraro
www.lagash.com

> Hi All,
>
[quoted text clipped - 8 lines]
>
> Chris
Chris Arnold - 27 Sep 2005 20:13 GMT
Thanks Pablo.

I am now attaching a UsernameToken to the Response message sent from the
server. However, when I try to implement my own UsernameTokenManager on the
client it fails to load with the following exception ...

System.Configuration.ConfigurationException: WSE032: There was an error loading the microsoft.web.services2 configuration section. ---> System.Configuration.ConfigurationException: WSE040: Type WSE_Test.ClientUsernameTokenManager, ClientUsernameTokenManager could not be loaded. Please check the configuration file.
  at Microsoft.Web.Services2.Security.Configuration.SecurityConfiguration.LoadSecurityTokenManager(String typeName, String configSection, XmlNodeList configData)
  at Microsoft.Web.Services2.Security.Configuration.SecurityConfiguration.ParseSecurityTokenManager(XmlElement child)
  at Microsoft.Web.Services2.Security.Configuration.SecurityConfiguration.Load(XmlNode section)
  at Microsoft.Web.Services2.Configuration.WebServicesConfiguration.System.Configuration.IConfigurationSectionHandler.Create(Object parent, Object configContext, XmlNode section)
  at System.Configuration.ConfigurationRecord.EvaluateRecursive(IConfigurationSectionHandler factory, Object config, String[] keys, Int32 iKey, XmlTextReader reader)
  at System.Configuration.ConfigurationRecord.Evaluate(String configKey)
  at System.Configuration.ConfigurationRecord.ResolveConfig(String configKey)
  at System.Configuration.ConfigurationRecord.GetConfig(String configKey)
  at System.Configuration.DefaultConfigurationSystem.System.Configuration.IConfigurationSystem.GetConfig(String configKey)
  at System.Configuration.ConfigurationSettings.GetConfig(String sectionName)
  at Microsoft.Web.Services2.Configuration.WebServicesConfiguration.Initialize()
  --- End of inner exception stack trace ---

I have just copied the settings from the Web.config file of my web service
and entered them in the App.config file of my client - but I'm obviously doing
something wrong! Has anyone got any examples of authentication etc. on the client
side?

> Hi Chris,
> The answer is no. You are only protecting the request message, so you will
[quoted text clipped - 16 lines]
>>
>> Chris
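A client-side UsernameTokenManager of the kind the post above is trying to register, as an added WSE 2.0 example that is not Chris's code or anything from this thread. The securityTokenManager type attribute is resolved as "Namespace.Class, AssemblyName", so the assembly part must be the client's own assembly; here the assembly and namespace WSE_Test, the class name and the sample credential are all assumptions.

```csharp
// App.config for the client (assembly/namespace WSE_Test are assumed names):
// <configuration>
//   <configSections>
//     <section name="microsoft.web.services2"
//       type="Microsoft.Web.Services2.Configuration.WebServicesConfiguration, Microsoft.Web.Services2, Version=2.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
//   </configSections>
//   <microsoft.web.services2>
//     <security>
//       <securityTokenManager type="WSE_Test.ClientUsernameTokenManager, WSE_Test"
//         xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
//         qname="wsse:UsernameToken" />
//     </security>
//   </microsoft.web.services2>
// </configuration>
using System;
using System.Collections;
using System.Security;
using Microsoft.Web.Services2.Security.Tokens;

namespace WSE_Test
{
    public class ClientUsernameTokenManager : UsernameTokenManager
    {
        // Constructed sample credential store keyed by username; a real client
        // loads its own credential from protected storage, not a literal.
        private static readonly Hashtable passwords = new Hashtable();

        static ClientUsernameTokenManager()
        {
            passwords["alice"] = "constructed-sample-password";
        }

        // WSE calls this for the UsernameToken it finds in the response and uses
        // the returned password to re-derive the signature and decryption keys.
        // Throwing makes verification of the protected response fail closed.
        protected override string AuthenticateToken(UsernameToken token)
        {
            if (token == null) throw new ArgumentNullException("token");
            string password = (string)passwords[token.Username];
            if (password == null)
                throw new SecurityException("No credential for user " + token.Username);
            return password;
        }
    }
}
```

The client only needs the password for the username it sent itself; any other username in a response token should be rejected, as the lookup above does.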
Burton Rodman - 29 Sep 2005 20:36 GMT
Since you are signing the message, one option you have is to set the client
to not send the password.  WSE will automatically "verify the password" based
on verifying the message signature (since the password was used to generate
the signature).  

Depending on the level of security you're going for, you have two options to
encrypt the response:
echo the UsernameToken back and re-sign and encrypt the message with the
original token
or
sign and encrypt the response with an X.509 cert.

I'm not really sure exactly how secure re-signing the response with the
original token is.  Could someone comment on this??

> Thanks Pablo.
>
[quoted text clipped - 60 lines]
> >>
> >> Chris
William Stacey [MVP] - 29 Sep 2005 20:58 GMT
I could be wrong as I have not tried this on a reply, but:
1) The client has the UT.
2) The server has the UT cached after verification including the pw or pw
equiv. Regardless of (none, hashed, sendplain)
3) In the reply, just encrypt/sign with the UT.
4) The client "knows" the UT in the reply, so WSE should just verify the
reply automatically as the UT is cached. (Maybe you need to cache the UT
locally, not sure here or if this is done automatically.)

That said, I would not use a UT for this anyway for security reasons.  I
would use a SCT both ways.

William Stacey [MVP]

> since you are signing the message, one option you have is to set the
> client
[quoted text clipped - 88 lines]
>> >>
>> >> Chris
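Pablo's point that the response is not protected unless the service protects it, and Burton's and William's first option (echo the UsernameToken back and sign and encrypt the reply with it), as an added WSE 2.0 server-side example that is not code from anyone in this thread. The service and method names and the fault text are assumptions; the token is reused only if it actually produced the request's signature, because a token that is merely present in the header has not been authenticated.

```csharp
using System.Web.Services;
using System.Web.Services.Protocols;
using Microsoft.Web.Services2;
using Microsoft.Web.Services2.Security;
using Microsoft.Web.Services2.Security.Tokens;

public class EchoService : WebService
{
    // Returns the UsernameToken that signed the request, or null if the request
    // carried no UsernameToken-based signature. Only a token behind a verified
    // signature is trusted; one that just sits in the header proves nothing.
    private static UsernameToken SigningUsernameToken(SoapContext request)
    {
        foreach (ISecurityElement element in request.Security.Elements)
        {
            MessageSignature signature = element as MessageSignature;
            if (signature != null && signature.SigningToken is UsernameToken)
                return (UsernameToken)signature.SigningToken;
        }
        return null;
    }

    [WebMethod]
    public string Echo(string text)
    {
        UsernameToken token = SigningUsernameToken(RequestSoapContext.Current);
        if (token == null)
            throw new SoapException("Request must be signed with a UsernameToken",
                                    SoapException.ClientFaultCode);

        // Protect the response the same way the request was protected: echo the
        // token, then sign and encrypt the reply with keys derived from it. The
        // server's copy of the token still holds the verified password (or its
        // equivalent), so nothing extra is needed from the client to derive them.
        SoapContext response = ResponseSoapContext.Current;
        response.Security.Tokens.Add(token);
        response.Security.Elements.Add(new MessageSignature(token));
        response.Security.Elements.Add(new EncryptedData(token));
        return text;
    }
}
```

On the client, WSE verifies and decrypts the reply through the registered UsernameTokenManager, which must be able to return the password for the echoed username; with a SecurityContextToken (William's preference) both directions use the negotiated session key instead of the password-derived keys.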