How to Securely Transmit Data to/from a Public Web Service

Question

An app I'm working on interfaces with an existing application running on a remote box. Communicaitons with the remote app are via its public web services. I've been asked to build an enhancement which will involve a client making use of the web service to handle sensitive data which will need to be transmitted securely.

Could anyone give me some pointers on how best to proceed?

Answer 1

To start, you should be using SSL and reject any requests that are not using it. This will encrypt data as it's being transmitted over the Internet.

If you are using SOAP, you could define a custom header in your service that takes a username / password. Then, for the first line in each public method, validate the username and password against a database. If successful, set the HttpContext.Current.User appropriately, and your service will tie in nicely with the built in Asp.NET infrastructure.

ADDED: Below is a sample SoapHeader that includes a username / password for authentication.

// define the header
public class AuthenticationHeader : SoapHeader
{
    public String UserName { get; set; }
    public String Password { get; set; }
}

// your service
public class PublicWebService : WebService
{
    // defines an instance of the header as part of the service
    public AuthenticationHeader Authentication;

    private void Authenticate()
    {
        // validate the username / password against a database
        // set the HttpContext.Current.User if successful.
        // Maybe throw a SoapException() if authentication fails
    }

    // Notice the SoapHeader("Authentication") attribute...
    // This tells ASP.Net to look for the incoming header for this method...
    [WebMethod]
    [SoapHeader("Authentication")]
    public void PublicMethod1()
    {
        Authenticate();

        // your code goes here
    }

    // Expose another method with the same authentication mechanism
    [WebMethod]
    [SoapHeader("Authentication")]
    public void PublicMethod2()
    {
        Authenticate();

        // your code goes here
    }
}

Now, if you run the wsdl tool, the generated proxy class will include the defined authentication header:

PublicWebService s = new PublicWebService();
s.Authentication = new AuthenticationHeader();
s.Authentication.UserName = "xxxxxxxx";
s.Authentication.Password = "yyyyyyyy";
s.PublicMethod1();
s.PublicMethod2();

Answer 2

DIY route:

1. Read up on security (start with "Secrets and Lies" and other such general books before moving on to the technicalities)

2. Perform a risk analysis and thread assessment. Understand what you are protecting and from what, and where threats will come from. You are unlikely to need "High Security"¹.

3. Use TLS (aka SSL).

4. In the client, verify the server's certificate is correct.

Better route: employ an expert who has an established reputation to help you.

---

¹ Unless you really are building a nuclear weapons plant or similar.