locked
How to authenticate application (not a user)? RRS feed

  • Question

  • How to authenticate application (not a user)?

     

    Hi.

     

    We have a client (Windows Forms) application that accesses ADO.NET Data service. I am looking for suggestions of how can I ensure that only that client application can access a service? Let me explain.

     

    We are doing everything properly to authenticate and authorize user, but the problem is what if user builds a small utility application and tries to access our service directly from his machine. Based on what we did, user’s credentials would allow him access the service from that utility application and that is what we are trying to avoid. We would like that the user can access a service only using our application, and not anything else.

     

    Any help, as always, is much appreciated.


    - .NET 3.5
     

    PV

    Tuesday, December 22, 2009 1:30 PM

All replies

  • Hi,

    I'm just wondering how would you imagine that to work.
    In order for your application to authenticate against the server, the application must know some secret (like password, key or something like that) that the server will verify. But since the application is running on user's computer that secret is also accesible to the user. You can make it harder to get to it (obfuscation and so on), but ultimately you can't truly hide it from the user, since the user (the user's computer) must know the secret to run your application.
    This is kind of like a DRM, you can't really make it secure, you can just try to make it hard enough for people not to bother.

    Note that this is different from user authentication, since in that case the secret is known by the user (person) and you can assume that the user will tell nobody.

    In general it is a wrong design for the server to assume that he can trust the client (that is the application in your case). The server should never trust the client with anything. So if you want your user not to be able to do something, then it's the server who must prohibit this, not your client application.

    Thanks,
    Vitek Karas [MSFT]
    Tuesday, December 22, 2009 2:04 PM
    Moderator
  • Hi.

    Vitek, you are right. That is exactly why I asked this question.

    I know that there is no absolute security, but I was just trying to see what is everybody else doing. If one does not do anything, then the service is wide open and the user, who is otherwise authenticated to use the service through my application, would be able to hit it using different application running in the context of that user.


    So, the question remains, how to avoid something like this from happening (or, to be politically correct, increase level of security)?

    Thanks,

    P.

    Tuesday, December 22, 2009 6:59 PM
  • Hi,

    To be technically correct, we should not call this "security" then :-).

    I don't have a suggestion on how to make it harder to access the service (I'm not an expert on those things). I think that if you want to do the right thing, you should assume that anybody will be able to get to your service using any kind of tool. So you need to rely on user authentication and using that make the server secure. If you're going to host interesting enough data on the server, no road block you put in front of it will make a difference. The fact that you're assuming that users will try to "attack" the server means that there might something interesting to get from the server and thus you should use real security instead of obscurity. But this is just my idealistic view. I understand that there are other things in play (timelines for one :-)).

    Thanks,
    Vitek Karas [MSFT]
    Tuesday, December 22, 2009 9:14 PM
    Moderator
  • Thanks Vitek.

    So, the question still remains: "How to authenticate the application?"

    If anybody would share their experiences/approaches, that would be fantastic and it would help us all build better solutions.


    Thanks in advance,

    PV

    Wednesday, December 23, 2009 3:27 PM
  • Hi,

    Sorry, but I just couldn't resist. It is highly questionable if creating a fake security-like application authentication can be called a better solution. It might provide a false sense of security, even though it's not secure at all. As I described above, whatever you do is basically just obscuring the real thing. User with enough determination can always get around it.
    It might be enough for your usage, but I would not call it a solution for all.

    And as for a solution to what you're asking about. You can start with storing a password in your application resources and use it to authenticate the application. Normal user won't be able to hack around it, but experienced developer will have no problem.

    Thanks,
    Vitek Karas [MSFT]
    Friday, December 25, 2009 2:08 PM
    Moderator
  • Me neither (resistance thing).

     

    I just want to do something, man. Doing nothing is just dangerous. Also, why are you calling it "fake one". I am looking for something that would not be any different that user's authentication (if you do not want to call that one fake one as well).

    Anyway, I understand your point. Anybody else?


    Thanks,

     

    PV

    Saturday, December 26, 2009 11:45 PM
  • We have restricted access to a Web Service to specific Windows app by using client certificates.
    Maybe it is possible to do something similar with WCF Data Services.

    We signed the Windows app with a certifcate.

    Configured the Web Service proxy in the client like this:
    ...
    someservice.url=...
    someservice.ClientCertificates.Add(X509Certificate.CreateFromSignedFile(exefilename)

    Installed the certificate on the web server and configured the web service to only accept request with this certificate.

    See http://support.microsoft.com/kb/901183
    • Proposed as answer by ISTEC Tuesday, March 2, 2010 7:31 AM
    • Unproposed as answer by PV66 Friday, March 5, 2010 2:21 PM
    Tuesday, January 26, 2010 1:39 PM