
single secure web service call

P: n/a
I have a .NET web service that needs to be called from any platform. I need
to make the Login method of the web service secure. It doesn't matter about
the remaining methods, just the password parameter of the Login call needs to
be encrypted. Trying to do this platform independently seems to be
difficult. I feel certificates are a bit over the top for what I am trying to
achieve.

Does anyone know of a way to make a single method of a web service secure, or
the simplest way to make a web service secure (encrypted), just for
authentication?

Nov 23 '05 #1
3 Replies


P: n/a
The simplest way of securing a password being sent to a web service is
to have it go through a one-way hash and send the base64 representation
of the hashed password. Then on your web service, you can look up the
password from your user data store and hash the stored password for the
user and compare the two hashes. If they match the password is valid
and the user can log in and use your service. The thing to remember
here is that both the client and the service must use the same hashing
algorithm like MD5 or SHA.

This usually works for me as there is no need to use either symmetric
or asymmetric encryption (as a result no key sharing), and hashing the
password is secure enough. You might also want to use a salt value
while hashing your password to avoid replay attacks.

Nov 23 '05 #2

P: n/a
You could also check out Web Service Enhancements (WSE). It implements
the WS-Security spec and allows various ways to secure your web service.

http://msdn.microsoft.com/library/?u...326ff206ed.asp

Nov 23 '05 #3

P: n/a
Hello Kevin,
Especially since you want your service to be called from any platform
you would need to use standard authentication mechanisms i.e. WS-Security
and use the username token profile... I'd suggest you use WSE [0]

[0] - http://msdn.microsoft.com/webservice...e/default.aspx
[1] - http://msdn.microsoft.com/webservice...wssecdrill.asp
[2] - http://www.devx.com/dotnet/Article/19986/0/page/1
HTH
Regards,
Dilip Krishnan
MCAD, MCSD.net
dkrishnan at geniant dot com
http://www.geniant.com

Nov 23 '05 #4
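
The WS-Security UsernameToken profile mentioned in the replies above defines a password digest, Base64(SHA-1(nonce + created + password)), that any platform can compute. The sketch below is an added example, not code from the thread or from WSE; the names `make_token` and `TokenVerifier`, the 5-minute window, and the sample user store are assumptions.

```python
import base64, hashlib, hmac, os
from datetime import datetime, timedelta, timezone

FRESHNESS = timedelta(minutes=5)      # assumed acceptance window for Created
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"

def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Base64(SHA-1(nonce + created + password)) as in the UsernameToken profile."""
    h = hashlib.sha1(nonce + created.encode("utf-8") + password.encode("utf-8"))
    return base64.b64encode(h.digest()).decode("ascii")

def make_token(username, password, now=None):
    """Client side: the fields carried in the UsernameToken (hypothetical helper)."""
    now = now or datetime.now(timezone.utc)
    nonce = os.urandom(16)            # fresh random nonce for every request
    created = now.strftime(TS_FORMAT)
    return {"Username": username,
            "Nonce": base64.b64encode(nonce).decode("ascii"),
            "Created": created,
            "PasswordDigest": password_digest(nonce, created, password)}

class TokenVerifier:
    """Server side: recompute the digest and reject stale or replayed tokens."""
    def __init__(self, user_store):
        self.user_store = user_store  # constructed sample store: username -> password
        self.seen = {}                # (username, nonce) -> Created time

    def verify(self, token, now=None):
        now = now or datetime.now(timezone.utc)
        try:
            created = datetime.strptime(token["Created"], TS_FORMAT)
            created = created.replace(tzinfo=timezone.utc)
            nonce = base64.b64decode(token["Nonce"], validate=True)
        except (KeyError, ValueError):
            return "malformed"
        if abs(now - created) > FRESHNESS:
            return "stale"
        # Forget nonces whose tokens would now be rejected as stale anyway.
        self.seen = {k: t for k, t in self.seen.items() if now - t <= FRESHNESS}
        key = (token.get("Username"), nonce)
        if key in self.seen:
            return "replayed"
        password = self.user_store.get(token.get("Username"))
        expected = password_digest(nonce, token["Created"], password or "").encode()
        supplied = str(token.get("PasswordDigest", "")).encode()
        if password is None or not hmac.compare_digest(expected, supplied):
            return "bad-credentials"
        self.seen[key] = created      # remember the nonce only after success
        return "ok"
```

The server must hold the password (or an equivalent secret) to recompute the digest, and the digest covers only the password field, not the rest of the message.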
