.NET Forum / ASP.NET / Web Services / February 2005
Shared Secret (or Equivalent) + WSE 2.0

James Hancock - 03 Feb 2005 14:11 GMT
Ok, so I've spent the better part of a day now trying to upgrade our web
services from V1.0 of WSE to V2.0.

The first thing we found was that you can't use the WSE 1.0 shared secret
functionality because it's been deprecated. Then I found a couple of blog
entries about using UsernameTokenManager....

Now I must say the configuration of this stuff is awful, but I can live
with that.  What I have a problem with is that it's completely insecure too.
(as per the blogs telling me that it's insecure and telling me to use a X509
certificate)

What I'm looking for is a way to, using a shared secret or some other
equivalent, encrypt EVERYTHING that is sent to and from the web service.  At
no time should any password be sent as clear text, nor should the password
be the only thing encrypted (because then you just have to send the
encrypted password even if you don't know what it is).

I've tried X509, and it requires a certificate. Well you can buy one, which
is expensive and install it manually, you can make your own and install it
manually. None of this works for our scenario. We need something that will
encrypt and properly decrypt on the other side, without either side having
to purchase or install any type of certificate ahead of time. (i.e. SSL
isn't going to happen)  The functionality in V1.0 of WSE was great for this
and it worked nicely.  We need to upgrade to WSE 2.0 for some of the other
fixes (i.e. half the stuff to do with DIME attachments is broken in WSE 1.0)
but need to maintain the same level of simple encryption on everything sent
in the message.

Does anyone have any suggestions at all on how to do this with WSE 2.0
keeping in mind the above, and that the user must not have to do anything at
all to configure certificates etc.?

Please tell me that they didn't remove functionality and give a direct
replacement!

Thanks,
James Hancock
Dilip Krishnan - 03 Feb 2005 14:41 GMT
Hello James,
William had a nice article [0] on how to do it without x509 certs

[0] - http://spaces.msn.com/members/staceyw/Blog/cns!1pnsZpX0fPvDxLKC6rAAhLsQ!273.entry

HTH
Regards,
Dilip Krishnan
MCAD, MCSD.net
dkrishnan at geniant dot com
http://www.geniant.com

William Stacey [MVP] - 03 Feb 2005 16:56 GMT
Thanks Dilip.  I had been thinking I could make that simpler, and here is
the first version

http://spaces.msn.com/members/staceyw/Blog/cns!1pnsZpX0fPvDxLKC6rAAhLsQ!303.entry

I removed the PKI private key on client, the two-way entropy, KeyVerifier,
and some misc fields.  Need some more eyeballs on it, but feels better so
far.  Cheers!

William Stacey, MVP
http://mvp.support.microsoft.com

James Hancock - 03 Feb 2005 21:33 GMT
Thanks! This helps!

MS:  You really really really need to fix your documentation! If you're
going to remove something from one version and replace it with something
else in the next, you better have a sample that shows you how to do it right
so that people aren't left out in the cold!

James Hancock

Sidd - 04 Feb 2005 23:23 GMT
Hi James,

Thanks for the info. I will definitely communicate this to our
Documentation team and will definitely keep this in mind for the future.

William, I will take a look at the article you have below and have more
eyes on it.

Sidd [MSFT]

William Stacey [MVP] - 04 Feb 2005 23:32 GMT
Thanks Sidd.  As a side note, this solution requires we have confidence in the
public key we use as we are not using a cert to check this (to prevent
someone from resigning our assem and doing a MITM on us.)  The best I can
come up with is SN sign the assem *and include the public key string inside
the code.  Some top level method will check that the public key on the assem
matches the embedded public key and fail if not.  Also obfuscate the assem
to prevent round-tripping.  Now the assem cannot be used if resigned or
changed and they cannot ildasm it - so at least for now, this can head off
the MITM...I think.
William Stacey, MVP
http://mvp.support.microsoft.com

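The self-check William sketches above (strong-name sign the assembly, embed the expected public key, and fail early if the loaded assembly's key differs), written out as an added example; it is not code from the thread or from William's blog post. The `ExpectedPublicKeyHex` value is a placeholder: the real value would be the hex public key blob obtained from the signing key, and the loop-based compare keeps the code usable on the .NET 1.1 runtime that WSE 2.0 targets.

```csharp
using System;
using System.Reflection;

// Added example: verifies that the executing assembly carries exactly the
// strong-name public key that was compiled into it. A copy that has been
// resigned with a different key, or stripped of its signature, fails here.
public class StrongNameSelfCheck
{
    // PLACEHOLDER - replace with the hex of your own strong-name public key
    // (the full public key blob, not just the 8-byte public key token).
    private const string ExpectedPublicKeyHex = "0011223344556677";

    // Returns true only when the loaded assembly's public key matches the
    // embedded one. An unsigned assembly has no key and returns false.
    public static bool PublicKeyMatches()
    {
        byte[] actual = Assembly.GetExecutingAssembly().GetName().GetPublicKey();
        if (actual == null || actual.Length == 0)
            return false;

        byte[] expected = HexToBytes(ExpectedPublicKeyHex);
        if (actual.Length != expected.Length)
            return false;

        for (int i = 0; i < actual.Length; i++)
            if (actual[i] != expected[i])
                return false;
        return true;
    }

    // Call from the client's entry point before any WSE message is built,
    // so a tampered client never gets as far as talking to the service.
    public static void Enforce()
    {
        if (!PublicKeyMatches())
            throw new InvalidOperationException(
                "Assembly strong-name public key does not match the embedded key.");
    }

    private static byte[] HexToBytes(string hex)
    {
        if (hex.Length % 2 != 0)
            throw new FormatException("Public key hex string has odd length.");
        byte[] bytes = new byte[hex.Length / 2];
        for (int i = 0; i < bytes.Length; i++)
            bytes[i] = Convert.ToByte(hex.Substring(2 * i, 2), 16);
        return bytes;
    }
}
```

Because the check lives inside the assembly it protects, it only raises the bar against a resigned or patched client, which is why William pairs it with obfuscation and still qualifies the result with "I think".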