locked
Passing User credential with every message to the server using custom encryption in WCF RRS feed

  • Question

  • User-1874132285 posted

    I want to know is it fine if I pass the credentials in the message data to the service in encrypted form with every message. Like if I have to pass some object as parameter to a WCF method then I was thinking if I can add properties to the object for username and password and serialize the object and apply encoding such as AES algorithm and sent to the server.

    At the server end, the server decrypts the serialized data, deserializes and gets the data. Is that fine doing so ?

    I don't want to use WS security reason being Certificates, we need certificates to authenticate user which needs to get setup on the server, so I was thinking of having an alternate of certiftcates without using real/dummy certificates.

    Is my process for sending credentials legitmate ?

    Monday, March 10, 2014 5:30 AM

Answers

  • User-417640953 posted

    By adding the token as a property to my data class, serialize it and then encrypt the serialized data using an encryption algorithm like AES by a password (kept at config file) and then when I send the data to the service, I will decrypt the response using the password (kep at the database) and check for the existence of the token if found then accept the response else reject. Now I have some queries to ask.

    Does that sound workable solution ?

    Are there any Security concern I should be worried about ?

    It sounds like a solution with custom authentication and message protection.

    In the wcf message transmission process, I think you can protect the message by encryption algorithm and validate client by username and password.

    However, there has no idea make sure message consistent and prevent message not changed by others in the message transmission process.

    What ever, I think X509 certificate also a good approach.

    Thanks.

    Best Regards!

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Sunday, March 16, 2014 9:43 PM

All replies

  • User-417640953 posted

    I was thinking if I can add properties to the object for username and password and serialize the object and apply encoding such as AES algorithm and sent to the server.

    Hi n00raina,

    Thank you post the issue to asp.net forum.

    Wcf client side and server side comunicate each other with the contract. I'm afraid we cannot add the properties to datacontract unilaterally in client side.

    If you prefer to use the username and password for WCF authentication, you can try to use the asp.net membership provider.

    In the client side, we just call service method like below.

      ServiceReference1.Service1Client proxy = new ServiceReference1.Service1Client();
      proxy.ClientCredentials.UserName.UserName = "username";
      proxy.ClientCredentials.UserName.Password = "password";
      proxy.CallServiceTest();

    In the server side, we use the security mode as Message and clientCredentialType as "UserName" like below.

     <wsHttpBinding>
            <binding name="MyWSBind1"> 
              <security mode="Message">
                <message clientCredentialType="UserName"/>
              </security>
            </binding>
     </wsHttpBinding>

    For more information about wcf authencation with asp.net membership provider, you can refer to below.

    http://www.codeproject.com/Articles/379636/WCF-Basic-Authentication-with-SQL-Membership-Provi

    Hope that helps, thanks.

    Best Regards!

    Tuesday, March 11, 2014 5:50 AM
  • User-1874132285 posted

    In the client side, we just call service method like below.

      ServiceReference1.Service1Client proxy = new ServiceReference1.Service1Client();
      proxy.ClientCredentials.UserName.UserName = "username";
      proxy.ClientCredentials.UserName.Password = "password";
      proxy.CallServiceTest();

    In the server side, we use the security mode as Message and clientCredentialType as "UserName" like below.

     <wsHttpBinding>
            <binding name="MyWSBind1"> 
              <security mode="Message">
                <message clientCredentialType="UserName"/>
              </security>
            </binding>
     </wsHttpBinding>

    Hi thanks for your reply, I did know about the example you gave but I am afraid does it want any kind of Certificate to authenticate

    Friday, March 14, 2014 12:47 AM
  • User-417640953 posted

    Hi,

    Thanks for your back.

    but I am afraid does it want any kind of Certificate to authenticate

     For username password authentication to work your server hosting the service needs an X509 certificate.

    Else all service invocations will fail. This certificate is specified in the service behavior.

    <serviceCertificate findValue="Farm" storeLocation="LocalMachine" storeName="TrustedPeople"  x509FindType="FindBySubjectName"/>

    http://codebetter.com/petervanooijen/2010/03/22/a-simple-wcf-service-with-username-password-authentication-the-things-they-don-t-tell-you/

    Hope that helps, thanks.

    Best Regards!

    Friday, March 14, 2014 3:32 AM
  • User-1874132285 posted

    For username password authentication to work your server hosting the service needs an X509 certificate.

    Ok, I guess certificate is indeed required, but what I was thinking of I will add a globally unique token to every message,

    By adding the token as a property to my data class, serialize it and then encrypt the serialized data using an encryption algorithm like AES by a password (kept at config file) and then when I send the data to the service, I will decrypt the response using the password (kep at the database) and check for the existence of the token if found then accept the response else reject. Now I have some queries to ask.

    Does that sound workable solution ?

    Are there any Security concern I should be worried about ?

    If this solution is not going not to work securely then what can I do to make it without using Certificate

    P.S. I have no enmity with Certificate I can do at last Smile

    Friday, March 14, 2014 8:21 AM
  • User-417640953 posted

    By adding the token as a property to my data class, serialize it and then encrypt the serialized data using an encryption algorithm like AES by a password (kept at config file) and then when I send the data to the service, I will decrypt the response using the password (kep at the database) and check for the existence of the token if found then accept the response else reject. Now I have some queries to ask.

    Does that sound workable solution ?

    Are there any Security concern I should be worried about ?

    It sounds like a solution with custom authentication and message protection.

    In the wcf message transmission process, I think you can protect the message by encryption algorithm and validate client by username and password.

    However, there has no idea make sure message consistent and prevent message not changed by others in the message transmission process.

    What ever, I think X509 certificate also a good approach.

    Thanks.

    Best Regards!

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Sunday, March 16, 2014 9:43 PM
  • User-1874132285 posted

     

    Thanks, I think that was helpfulSmile

    Tuesday, March 18, 2014 1:37 AM