How to incorporate SHA 256 Encryption in WCF Rest Web Service?

  • Question

  • Hi,

    I have recently developed a Web Service that my clients can call upon.

    I would like to show you a sample interface class of my code:
        public interface IEventHandler
        {
            // GET .../Holidays returns the holiday list serialized as XML
            [WebGet(UriTemplate = "Holidays", ResponseFormat = WebMessageFormat.Xml)]
            List<Holidays> GetHolidays();
        }


    List<Holidays> is actually my own written Class. This class contains all the necessary details of a Holidays.

    My client will receive this as an XML string containing the returned data regarding Holidays.

    My question is, I would like to ensure that the data can only be read by my client and no others.

    I have thought of incorporating SHA256 encryption into my web service.

    My idea would be:
    1. Just as my web service returns the List<Holidays> to my client, the data will be encrypted using SHA256
     (only my Web Service and my client will have the decrypt key) and sent over to my client.
    2. Once my client receives it, he will use the common key to decrypt the data before he can have access to it.

    My Problem is: How can encryption be done in a Web Service? When a client calls upon the Web Service method,
    the processing will take place and List<Holidays> will be returned. How to ensure that as the List<Holidays>
    is being returned, there is SHA256 encryption taking place?

    Really need your help on this...


    Tuesday, August 25, 2009 8:32 AM


All replies

  • Just a note: SHA256 isn't an encryption mechanism, it's a hashing function (you can't "decrypt" after applying SHA256 to something).

    If you want to incorporate some encryption mechanism based on a shared key, you can use the same pattern as the compression encoder (http://msdn.microsoft.com/en-us/library/ms751458.aspx) - you'll have the encrypting encoder which will wrap the encoder from the REST binding, and it will do the encryption on its WriteMessage method.

    Tuesday, August 25, 2009 8:57 AM
  • Hi,

    I will have a total of 3 clients, and they are Java, Flash and PHP based respectively.

    I'm sorry, I'm still new in the area of WCF. The expected scenario will be like this:

    1. Client will access my Restful Web Service via a url -
    2. Once called, my client should receive a chunk of random string containing the returned list of Holidays (in the encoded format)
    3. Next, he will use the shared key to decode the string into an XML string before he does further processing.

    Can this be done? For a String data type I can easily encode and send to the client, but I'm dealing with a List<Holidays>.

    I apologise for the lack of knowledge. I'm really new to WCF web services and encryption.

    Tuesday, August 25, 2009 9:32 AM
  • Maybe if I try to rephrase my question..?

    What are the possible ways to implement Encryption and Decryption in a Restful Web Service created in WCF?

    When a client makes a GET call, he should receive encrypted data which he must decrypt to know the content.
    At the same time, when a client makes a POST call, the data that he POSTs will be encrypted and when the
    Web Service receives the data, the Web Service will decrypt it to know the content.

    Are default encryption/decryption capabilities already provided for Restful Web Services created in WCF?

    • Edited by RedTinCan Tuesday, August 25, 2009 9:52 AM Add new info
    Tuesday, August 25, 2009 9:48 AM
  • Hi,

    You can simply use a secure connection with Https (WCF service with transport security). Https will encrypt the whole communication channel (and all the messages that flow in there), so only the client/services will be able to see the content.

    There is no need to complicate everything with key interchanges and encryption algorithms, Https already does that with standard mechanisms.


    Pablo Cibraro - http://weblogs.asp.net/cibrax
    Tuesday, August 25, 2009 1:45 PM
  • Hi Pablo,

    Does that mean that the Restful Web Service that I created using WCF (hosted in Windows Azure) already contains the necessary mechanism to ensure security is taking place? Or do I have to manually implement these security measures myself?

    I believe I am currently using webHttpBinding for my current Rest Web Service? Does webHttpBinding contain any security?

    Can I show you my web.config file? I hope I'm going in the right direction and I hope I can give you a better idea as well..


            <binding name="webBinding"
                     maxReceivedMessageSize="2147483647" >
            <behavior name="webBehavior">
            <behavior name="Rest_EventHandler_WebRole.EventHandlerBehavior">
              <serviceMetadata httpGetEnabled="true" />
              <serviceDebug includeExceptionDetailInFaults="false" />
          <service behaviorConfiguration="Rest_EventHandler_WebRole.EventHandlerBehavior"
            <endpoint address="" binding="webHttpBinding" contract="Rest_EventHandler_WebRole.IEventHandler" behaviorConfiguration="webBehavior" bindingConfiguration="webBinding">
                <dns value="localhost" />
            <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />

    Appreciate your explanations..


    Wednesday, August 26, 2009 2:03 AM
  • And 1 thing..

    The reason for me to use webHttpBinding is because I had previously asked in the Azure forum and the
    moderator recommended me to use the webHttpBinding.

    If I were to change to wsHttpBinding, my Restful web service cannot work..

    Please help me..
    Wednesday, August 26, 2009 7:16 AM
  • As was mentioned in the thread http://social.msdn.microsoft.com/Forums/en-US/wcf/thread/f759262f-4f82-471c-a5db-e2f2132b0883, you need to set the security mode of the WebHttpBinding to "Transport" to enable HTTPS in the communication.

    Thursday, August 27, 2009 5:13 PM
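
The change described in the last reply, as an added example that is not part of the original thread or the poster's actual file: the posted `webHttpBinding` fragment rebuilt with the security mode set to "Transport". The binding, behavior and contract names come from the fragment above; `SERVICE_TYPE_NAME`, the `<webHttp />` endpoint behavior and the HTTPS metadata settings are assumptions, and the host is assumed to have a TLS certificate bound to the HTTPS endpoint.

```xml
<!-- Added example, constructed from the fragment posted in the thread. -->
<system.serviceModel>
  <bindings>
    <webHttpBinding>
      <!-- As posted, the binding had no <security> element, so the mode
           defaulted to None and responses travelled over plain HTTP. -->
      <binding name="webBinding" maxReceivedMessageSize="2147483647">
        <!-- Transport mode: the endpoint is exposed over HTTPS only. -->
        <security mode="Transport" />
      </binding>
    </webHttpBinding>
  </bindings>
  <behaviors>
    <endpointBehaviors>
      <behavior name="webBehavior">
        <!-- Assumed: the REST endpoint behavior, not visible in the posted fragment. -->
        <webHttp />
      </behavior>
    </endpointBehaviors>
    <serviceBehaviors>
      <behavior name="Rest_EventHandler_WebRole.EventHandlerBehavior">
        <!-- Assumed: serve metadata over HTTPS instead of HTTP. -->
        <serviceMetadata httpGetEnabled="false" httpsGetEnabled="true" />
        <serviceDebug includeExceptionDetailInFaults="false" />
      </behavior>
    </serviceBehaviors>
  </behaviors>
  <services>
    <!-- SERVICE_TYPE_NAME is a placeholder: the thread does not show the service's name attribute. -->
    <service name="SERVICE_TYPE_NAME"
             behaviorConfiguration="Rest_EventHandler_WebRole.EventHandlerBehavior">
      <endpoint address=""
                binding="webHttpBinding"
                bindingConfiguration="webBinding"
                behaviorConfiguration="webBehavior"
                contract="Rest_EventHandler_WebRole.IEventHandler" />
      <!-- Assumed: metadata exchange moved to the HTTPS variant of the mex binding. -->
      <endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange" />
    </service>
  </services>
</system.serviceModel>
```

With this in place the Java, Flash and PHP clients call the same `Holidays` URI over `https://` and need no shared key; their HTTP libraries handle the TLS handshake and certificate validation.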