WCF / ASMX :: Message Security And Encryption

Feb 8, 2011

I need to get message integrity by encrypting the data while it flows between Service <-> client (bi-directional). Below are the details.

Development Environment: .net framework 4.0; Windows 7, IIS7, VS2010.
Production Environment: .net framework 4.0; Windows 2008, IIS7.
Business Requirement:

I have a WCF Service hosted in IIS7. There are multiple Windows Forms Applications as clients to my service. Services will be consumed via internet. User, Role information are stored in SQL Server 2008 database. Need to Authenticate and Authorize requests against the SQL Server database. Dataflow is bi-directional. Clients will write data to service. And also Service will serve data to clients. Data transferred in wires must be encrypted, in both directions.

My approach to solution:

Below is the configuration setting in Service web.config file.
<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <binding name="POCWsHttpBinding">
        <security mode="Message">
          <message clientCredentialType="UserName" negotiateServiceCredential="true" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <services>
    <service behaviorConfiguration="POCServiceBehaviour" name="SecurityPOC.SecuredService">
      <endpoint address="" binding="wsHttpBinding" bindingConfiguration="POCWsHttpBinding" name="POCwsHttpBindingEndPoint" contract="SecurityPOC.ISecuredService" />
    </service>
  </services>
  <behaviors>
    <serviceBehaviors>
      <behavior name="POCServiceBehaviour">
        <serviceMetadata httpGetEnabled="true" />
        <serviceDebug includeExceptionDetailInFaults="false" />
        <serviceCredentials>
          <serviceCertificate findValue="CN=WCFServer" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectDistinguishedName" />
          <userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="Common.MyCustomUsernamePasswordValidator, Common" />
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
  </behaviors>
  <serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
</system.serviceModel>

Questions & Assumptions:

My assumption is that a client certificate is used for authentication. I am not using Certificates at Client side, because my client authentication will be done using UserName validations against the Database.

Am I right? Using only Server side Certificate, with negotiateServiceCredential="true".

Is it required to install the Server certificate on client machines in this case?
I am assuming Server Certificate details will be downloaded to client site during the first call.
<security mode="Message">,
Assuming this setting takes care of the message security/encryption using the Server certificate, in both directions. As per my requirement, messages must be encrypted on the wire while transferring from Server to Client and from Client to Server.

Am I right?
My last question: how to ensure that messages are being encrypted in both directions, from a testing point of view? I need to take test evidence out of it.

View 3 Replies


Similar Messages:

Security :: Encryption Algorithm - Encryption Of Data Required In The Coding?

Sep 16, 2010

Not sure if I'm posting the question in the right category.

1) I'm working in a project where encryption of data is high priority. Could someone suggest what would be the best encryption method to protect data from being cracked?

I'm using TCP/IP protocol.

2) Is HTTPS totally secured? If I'm using HTTPS, does that mean that there is no encryption of data required in the coding?

View 3 Replies

WCF / ASMX :: Incoming Message Has An Unexpected Message Format 'Raw'

Mar 2, 2011

I have a WCF service that is throwing this error. Here is my code:

This is the JavaScript calling it:

this._Proxy = function (serviceURL, serviceParam, dataType, type, data) {
    this._URL = serviceURL + encodeURIComponent(serviceParam);
    this._DataType = dataType == null || dataType == 'undefined' || dataType == '' ? defaultDataType : dataType;
    this._Type = type == null || type == 'undefined' || type == '' ? defaultType : type;
    this._Data = data;
    this.Invoke = function () {
        debugger;
        $.ajax({
            url: this._URL,
            dataType: this._DataType,
            type: this._Type,
            data: data,
            success: function () {
                // Do nothing on success
                return;
            },
        }); // the excerpt is cut off here; braces closed so the snippet parses
    };
};

View 1 Replies

Security :: No Encryption In URL?

Aug 4, 2010

I am using a Query Encryption Technique shown in Thread [URL]. I am facing a problem with the above module: the status bar always displays the real URL, and whenever I right click on the page and then Properties, the Address URL shows the real URL.

View 4 Replies

Security :: AES 256 Bit Encryption?

Jul 24, 2010

I would like to use the System.Security.Cryptography to encrypt / decrypt my password strings for my custom membership provider login. I've read some basic articles but they don't explain much about the process in detail. I've decided to use AES because it is said to replace DES encryption. How can I encrypt and decrypt my password strings in the strongest way possible with AES? I would really like a very detailed explanation about the method to use for this task.

View 1 Replies

Security :: SSL And Further Encryption?

Dec 16, 2010

If a website is already using SSL, this guarantees a secure channel between the client and the website, right? If I do another encrypt on the information being transmitted via HTTP POST, would this be overkill?

View 2 Replies

Security :: Upgraded .Net From 1.1 To 2.0 - MD5 Encryption Is Different?

Mar 19, 2010

I inherited an ASP.Net website. Some changes need to be implemented. The login for the application is encrypted using the md5cryptoserviceprovider class. After upgrading to 2.0, the password is no longer encrypted the same as when it was 1.1.

I left the 1.1 virtual directory and it's still working. On the same box, I loaded the 2.0 code and set up a new virtual directory (which isn't encrypting the same as 1.1).

I copied the section below from the 1.1 machine.config section into the web.config and the 2.0 machine.config.

<machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" validation="SHA1"/>

Here is the code that is generating the hash.

MD5CryptoServiceProvider encryptionServiceProvider = new MD5CryptoServiceProvider();

var bytes = ASCIIEncoding.ASCII.GetBytes(inputString);

View 1 Replies

Security :: What Is Two Way Encryption And How Does That Work

Jul 27, 2010

What is two way encryption and how does that work?

View 2 Replies

Security :: AES / Rijndael Encryption

Apr 11, 2010

I have a hex string (encrypted). I need to use Rijndael classes with these settings:

Encryption: AES

View 9 Replies

Security :: DES Encryption, (c#) And Mcrypt (php)?

Jun 11, 2010

I have a problem trying to encrypt a string in PHP and also in C# using DES (cbc) encryption. The problem I'm facing is that I'm getting different results using the different languages. In C#:

[Code]....

You can see that they are close...

PHP: HLp51qoFW0rimOTafCVTVQ==
C# : HLp51qoFW0ojU8eGEGkk4w==

But something is going wrong somewhere, I suspect it's a difference between (PHP) pack("H*", '0F26EF560F26EF56') and (C#) StringToBytes.ConvertHex("0F26EF560F26EF56") but I'm really struggling to spot it.

View 1 Replies

Security :: Encryption Last 4 Digits

Jul 23, 2010

My code:

[Code]....

I have a stored encryption: "dkljas84u238jidasjidoia". When I get in this instance decryption "11111111111111111", show how the combobox "****************** 1111". Something like: SELECT RIGHT ('11111111111111111 ', 4)

View 5 Replies

C# - JSON Security And Encryption?

Sep 2, 2010

I'm just starting to really get into JSON as a tool for my sites. I was showing my friend how I am calling a WS and returning the data, and he asked me about security of passing JSON data to and from a web service as he saw the data from the "POST" (via Firebug). Many of our public facing sites deal with member information and contain PHI. Can I encrypt the JSON data and then unencrypt it? Is that a good way to go about it to ensure a layer of protection? Or is there another "better/right" way of doing it? Or are his concerns unfounded? Is there an article about how to encrypt or secure the JSON data when needed? Just trying to gather as much knowledge as possible before I go down a path that won't work for the company.

View 4 Replies

Security :: Encryption Of ConnectionString?

Sep 18, 2010

My website has to connect to a hosted SQL Server database. The connection string, including username and password, is stored in the web config file. I have two questions. The first is that everything I read says this must be encrypted so that it cannot be read and used by others. Well, how would that happen? My understanding of ASP.net is that all the work is carried out on the hosted server and the rendered page is then delivered to the user. How would a user be able to view my connection string? Secondly, I have used some msdn vb.net code to encrypt the connection string in the web config file. Following on from the first question, how can I confirm that the encryption is intact on the published web.config file?

View 7 Replies

Security :: Encryption - Application Vs DB?

Jan 4, 2010

I am creating an application that will save financial data. I am in the process of creating an architecture for this application. I am stuck deciding whether to do encryption on the application side or SQL Server side. I am planning to use AESManaged algorithm for this. My requirement is such that the encryption key is unique for each user (based on user's password). I am of the opinion that it should be on the application server side as it becomes easily scalable. Another attractive thing that I find is that if my frontend is Silverlight then I can pass on the actual encryption load onto the client system.

View 7 Replies

Security :: C# Cryptography Again..With SQL Encryption?

Jan 26, 2010

I am trying to use both .NET Cryptography as well as SQL Symmetric Encryption with Triple DES, if it's possible. I was able to set up a test database with encryption on a single field like so:

[Code]....

I am using this because of SQL Reports that are being run and I don't have access to C# development within them. Now to insert the encrypted key what do I use? I found the following code on another post http://forums.asp.net/p/902066/1000988.aspx#1000988:
[Code]....

How do I modify OR what code do I use to Encrypt/Decrypt the SQL Encryption, does the SQL Encryption method need to change? Is it even possible?

View 2 Replies

Security :: Encryption Without A Key File?

Mar 16, 2011

I'm trying to encrypt username and password using a key file generated using enterprise library and everything works fine, but the problem is that the key can only be used on the machine on which I have generated the key, either by machine mode or user mode. I want to ask if there is any way to use encryption without using a key file ...

for example by machine key in web config.

View 3 Replies

Security :: Which Is The Latest Encryption For Passwords

Feb 3, 2010

I am trying to encrypt my passwords and store them in the database. I want to know which is the latest one.

View 2 Replies

Security :: PIN Encryption Into 4 Byte Binary

Mar 30, 2010

How to encrypt a PIN into 4 byte binary? The MD5 and other hashes I have known give the result as 8 or 16 byte. I need only 4 bytes because it is allotted only varchar(4) in the database.

View 3 Replies

Security :: Encryption/Decryption With CAPICOM?

Jun 9, 2010

I am trying to encrypt/decrypt a file with CAPICOM in javascript. I have to encrypt the file with private key and decrypt with public key. But I don't know how to do this with CAPICOM.

View 1 Replies

Security :: Web.Config Encryption/decryption?

Mar 13, 2010

This is meant to be easy ... so I've been told, but I still can't get it to work! I have a sql database hosted on a shared server which requires the use of sql authentication. As a result I am required to encrypt my sensitive data in the config (connection strings etc). I understand that you can do this using aspnet_regiis etc, but I've been told that as I have no direct access to the server, I may need to program the encryption.
I have seen a few examples, but as a novice I have been banging away at this, looking at an error screen most of the time!

View 18 Replies

Security :: Want To Know Encryption Method For Password?

Aug 2, 2010

I want to know how I can protect my password in login & register pages because I am not using .net's Login or CreateUserWizard controls. I want an encryption method for this process, e.g. when storing the password in the database from the register page and when comparing the password with the stored password in the database to verify a user in the login page.

View 3 Replies

Security :: Password Encryption Using Formsauthentication?

Dec 1, 2010

Just a quick question. I've been asked to look at enhancing security by encrypting passwords we store in a db table. Essentially the data that's linked to the user account isn't sensitive, however it's more to stop someone reading passwords out of the table directly etc.

I've read multiple ways of implementing hashing etc. I've started using FormsAuthentication.HashPasswordForStoringInConfigFile
//create new salt and update the password
Hashtable newInfo = new Hashtable();
newInfo["salt"] = GenerateFriendlyPassword(5);
string tmppass = FormsAuthentication.HashPasswordForStoringInConfigFile(txtNewPass1.Text.ToString() + newInfo["salt"].ToString(), "SHA1");
newInfo["passwordHash"] = tmppass;

Generate friendly password returns a 5 char string based on a random position in a valid char array containing a - z and 0 - 9. At present the functionality is at page level in the code behind. Is the forms authentication HashPasswordForStoringInConfigFile function thread safe? Or do I need to look at implementing this in a different way? Cheers, appreciate your response as I'm always dubious about multi threading etc.

View 1 Replies

Security :: Database Password Encryption?

Mar 8, 2011

Can anyone help with best practice for storage of database passwords/connectionstrings for ASP.NET applications? Most tutorials suggest storing the connection string (along with the password) in Web.config. I don't like this solution because the connectionstring is visible to anyone working on the application (although I appreciate it is secured from the consumer). You can use aspnet_regiis to encrypt sections of Web.config, but then surely anyone with access to the web server could easily decrypt it anyway. For an enterprise level application what should I be doing? I could store it in Web.config and encrypt with my own key, but then would that offer any advantage over aspnet_regiis, because the key would have to reside on the web server anyway?

View 1 Replies

Security :: How To Make Encryption In Web.config

Oct 25, 2010

I'm trying to encrypt the <connectionStrings> in my web.config site using this code:

[Code]....

View 1 Replies

Security :: HMAC Encryption Key Store?

Feb 17, 2010

I am developing an asp.net application to use the HMAC encryption (SHA1). I do not want to store the encryption keys in .config files or in database. In .net are there any other alternatives to securely store the encryption keys?

View 1 Replies

Copyrights 2005-15 www.BigResource.com, All rights reserved