
Web service Security

Hi,

We have proposed a solution to our client which uses webservices to
expose certain interfaces to internet.

We are currently thinking of how to secure a web service when exposed
to internet.

Is SSL/Certificates the only way of securing a webservice?

Is there any effective & secure solution which doesn't use SSL
encryption, certificates?

Any information, links would be a great help for me.

Thanks in advance.

Regards
Ravi

May 4 '06 #1
I'd recommend SSL on the web server with also a username/password
required for each method (or session authentication if the client can
make use of this)

May 4 '06 #2

<sa*****@gmail.com> wrote in message
news:11**********************@i39g2000cwa.googlegroups.com...
Hi,

We have proposed a solution to our client which uses webservices to
expose certain interfaces to internet.

We are currently thinking of how to secure a web service when exposed
to internet.

Is SSL/Certificates the only way of securing a webservice?
No.

Is there any effective & secure solution which doesn't use SSL
encryption, certificates?
Of course.

SSL and certificates use public/private key encryption to set up
connections, which is effective but slow.

It provides:
(1) secrecy
(2) tamper detection
(3) non-repudiation

Do you need all of these? If you need only tamper detection, a message
authentication code -- strong hash over (shared key + data) -- will be far
faster.

If you need secrecy, a symmetric key protocol would be much faster.

For non-repudiation, only asymmetric-key cryptography can work.

If you need protection against replay attacks, make sure your messages
expire based on some included date/time.

Any information, links would be a great help for me.

Thanks in advance.

Regards
Ravi

May 4 '06 #3
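
The tamper-detection and replay advice in the reply above, as an added sketch that is not part of the original thread: it uses HMAC-SHA256 as the message authentication code and, going one step beyond the expiry check, also remembers nonces so a message cannot be replayed inside its validity window. The envelope field names, the 300-second window and the JSON encoding are assumptions of this example.

```python
import hashlib
import hmac
import json
import secrets
import time

MAX_AGE_SECONDS = 300  # assumed acceptance window; size it to expected clock skew


def _mac(key, envelope):
    # The MAC covers body, timestamp and nonce, so none can be changed alone.
    signed = {name: envelope[name] for name in ("body", "ts", "nonce")}
    data = json.dumps(signed, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def sign_message(key, body, now=None):
    """Sender side: add a timestamp and random nonce, then attach the MAC."""
    envelope = {
        "body": body,
        "ts": int(time.time() if now is None else now),
        "nonce": secrets.token_hex(16),
    }
    envelope["mac"] = _mac(key, envelope)
    return envelope


class Verifier:
    """Receiver side: returns 'ok', 'malformed', 'bad-mac', 'expired' or 'replayed'."""

    def __init__(self, key):
        self.key = key
        self.seen = {}  # nonce -> timestamp, kept while the message is still fresh

    def verify(self, envelope, now=None):
        now = time.time() if now is None else now
        try:
            expected = _mac(self.key, envelope).encode()
            supplied = str(envelope["mac"]).encode()
        except (KeyError, TypeError, ValueError):
            return "malformed"
        if not hmac.compare_digest(expected, supplied):  # constant-time compare
            return "bad-mac"
        ts, nonce = envelope["ts"], envelope["nonce"]
        if abs(now - ts) > MAX_AGE_SECONDS:
            return "expired"
        self.seen = {n: t for n, t in self.seen.items() if abs(now - t) <= MAX_AGE_SECONDS}
        if nonce in self.seen:
            return "replayed"
        self.seen[nonce] = ts
        return "ok"
```

The MAC is checked before the timestamp and nonce are trusted, so an unauthenticated sender cannot influence the replay cache.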
When I read the MS article about WSE 3.0, they have suggested the following
methods.
1. Direct Authentication thru SSL
2. Brokered Authentication
   1. X.509 certificates
   2. Kerberos
   3. STS (Security Token Service).

Since the webservice will be exposed to the outside world thru
internet, we need to secure the SOAP header as well as the message itself.
We plan to use .NET 2.0 /Windows Advanced Server 2003.

Which method of the above would best suit our scenario?

Pls correct me if our approach has got any flaw.

Since I'm new to the WSE concept, I'm struggling to understand the examples
given by MS. Does anybody have a much easier implementation sample?

Regards
Ravi
Ben Voigt wrote:
<sa*****@gmail.com> wrote in message
news:11**********************@i39g2000cwa.googlegroups.com...
Hi,

We have proposed a solution to our client which uses webservices to
expose certain interfaces to internet.

We are currently thinking of how to secure a web service when exposed
to internet.

Is SSL/Certificates the only way of securing a webservice?


No.

Is there any effective & secure solution which doesn't use SSL
encryption, certificates?


Of course.

SSL and certificates use public/private key encryption to set up
connections, which is effective but slow.

It provides:
(1) secrecy
(2) tamper detection
(3) non-repudiation

Do you need all of these? If you need only tamper detection, a message
authentication code -- strong hash over (shared key + data) -- will be far
faster.

If you need secrecy, a symmetric key protocol would be much faster.

For non-repudiation, only asymmetric-key cryptography can work.

If you need protection against replay attacks, make sure your messages
expire based on some included date/time.

Any information, links would be a great help for me.

Thanks in advance.

Regards
Ravi


May 6 '06 #4
