2

An app I'm working on interfaces with an existing application running on a remote box. Communications with the remote app are via its public web services. I've been asked to build an enhancement which will involve a client making use of the web service to handle sensitive data which will need to be transmitted securely.

Could anyone give me some pointers on how best to proceed?

immutabl

2 Answers

4

To start, you should be using SSL and reject any requests that are not using it. This will encrypt data as it's being transmitted over the Internet.

If you are using SOAP, you could define a custom header in your service that takes a username / password. Then, for the first line in each public method, validate the username and password against a database. If successful, set the HttpContext.Current.User appropriately, and your service will tie in nicely with the built-in ASP.NET infrastructure.

ADDED: Below is a sample SoapHeader that includes a username / password for authentication.

using System.Web.Services;
using System.Web.Services.Protocols;

// define the header
public class AuthenticationHeader : SoapHeader
{
    public String UserName { get; set; }
    public String Password { get; set; }
}

// your service
public class PublicWebService : WebService
{
    // defines an instance of the header as part of the service
    public AuthenticationHeader Authentication;

    private void Authenticate()
    {
        // validate the username / password against a database
        // set the HttpContext.Current.User if successful.
        // Maybe throw a SoapException() if authentication fails
    }

    // Notice the SoapHeader("Authentication") attribute...
    // This tells ASP.Net to look for the incoming header for this method...
    [WebMethod]
    [SoapHeader("Authentication")]
    public void PublicMethod1()
    {
        Authenticate();

        // your code goes here
    }

    // Expose another method with the same authentication mechanism
    [WebMethod]
    [SoapHeader("Authentication")]
    public void PublicMethod2()
    {
        Authenticate();

        // your code goes here
    }
}

Now, if you run the wsdl tool, the generated proxy class will include the defined authentication header:

PublicWebService s = new PublicWebService();
// wsdl.exe exposes the header on the proxy as <HeaderType>Value
s.AuthenticationHeaderValue = new AuthenticationHeader();
s.AuthenticationHeaderValue.UserName = "xxxxxxxx";
s.AuthenticationHeaderValue.Password = "yyyyyyyy";
s.PublicMethod1();
s.PublicMethod2();
dana
  • I think I'm going to go with your suggestion re: custom headers - could you link to a walk-thru please? – immutabl Nov 22 '10 at 12:19
  • 1
    @5arx - I added some sample code for adding a custom SOAP Header to your service. Let me know if you have any questions. – dana Nov 22 '10 at 17:21
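One way to fill in the `Authenticate()` stub from the answer above, as an added example that is not part of the original post: it rejects non-HTTPS requests, treats a missing header as a failed login, and checks the password against a salted PBKDF2 hash before setting `HttpContext.Current.User`. The in-memory `Users` store, the `sample-user` entry, the `Derive` helper and the iteration count are assumptions standing in for a real database lookup.

```csharp
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Web;
using System.Web.Services;
using System.Web.Services.Protocols;

public class AuthenticationHeader : SoapHeader
{
    public string UserName { get; set; }
    public string Password { get; set; }
}

public class PublicWebService : WebService
{
    const int Iterations = 100000; // assumed PBKDF2 work factor
    public AuthenticationHeader Authentication;
    // Hypothetical stand-in for the user table (user -> salt, hash); the one entry is constructed sample data.
    static readonly Dictionary<string, KeyValuePair<byte[], byte[]>> Users = BuildSampleStore();

    static Dictionary<string, KeyValuePair<byte[], byte[]>> BuildSampleStore()
    {
        byte[] salt = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        var store = new Dictionary<string, KeyValuePair<byte[], byte[]>>();
        store["sample-user"] = new KeyValuePair<byte[], byte[]>(salt, Derive("sample-password", salt));
        return store;
    }
    static byte[] Derive(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations)) return kdf.GetBytes(32);
    }

    private void Authenticate()
    {
        // Refuse to process credentials that arrived over plain HTTP.
        if (!Context.Request.IsSecureConnection)
            throw new SoapException("HTTPS is required.", SoapException.ClientFaultCode);
        AuthenticationHeader h = Authentication; // null when the caller sent no header
        KeyValuePair<byte[], byte[]> rec;
        if (h == null || h.UserName == null || h.Password == null || !Users.TryGetValue(h.UserName, out rec))
            throw new SoapException("Authentication failed.", SoapException.ClientFaultCode);
        byte[] candidate = Derive(h.Password, rec.Key);
        int diff = 0; // accumulate over every byte so timing does not reveal the first mismatch
        for (int i = 0; i < candidate.Length; i++) diff |= candidate[i] ^ rec.Value[i];
        if (diff != 0)
            throw new SoapException("Authentication failed.", SoapException.ClientFaultCode);
        HttpContext.Current.User = new GenericPrincipal(new GenericIdentity(h.UserName), new string[0]);
    }

    [WebMethod]
    [SoapHeader("Authentication")]
    public void PublicMethod1() { Authenticate(); }
}
```

Both failure paths return the same fault text, so a caller cannot tell an unknown user name from a wrong password by the message alone.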
-1

DIY route:

  1. Read up on security (start with "Secrets and Lies" and other such general books before moving on to the technicalities)

  2. Perform a risk analysis and threat assessment. Understand what you are protecting and from what, and where threats will come from. You are unlikely to need "High Security" [1].

  3. Use TLS (aka SSL).

  4. In the client, verify the server's certificate is correct.

Better route: employ an expert who has an established reputation to help you.


[1] Unless you really are building a nuclear weapons plant or similar.

Richard
  • You know apart from 3. and perhaps 4. your response wasn't terribly helpful. I'm a jobbing developer - I don't have time to read a whole book before implementing a relatively small feature ;-) – immutabl Nov 18 '10 at 10:59
  • @5arx steps 1 & 2 are about doing steps 3 and 4 right (and *why* you need to get them right). The footnote is about not going over the top with excessive security. Step 1 is key, because just putting in transport layer security is unlikely to provide much net security (interception of data in transport is unlikely to be a significant threat: if the server isn't itself secured against, for example, internal staff then you've failed to protect data your users might expect to be protected). *If you're looking at the minimum effort to appear secure please tell me your app name so I can avoid it.* – Richard Nov 18 '10 at 11:17
  • I can't help but think you're missing the point of sites like SO which is to get targeted advice about specific questions from other developers. I'd hazard a guess that most of us on here have enough intelligence to realise that in an ideal world we probably should read extensively around the subject or, better still, shell out thousands on an expert consultant in the field. However back here in the real world we have clients screaming about deadlines and just need to get stuff done; trite advice like 'Read a book about it' or 'try Googling for the answer' just won't wash I'm afraid ;-) – immutabl Nov 18 '10 at 13:20
  • @5arx: 1. Check out my profile here, and then please reconsider the first part of your comment. 2. Just because you want a quick answer doesn't mean that there is one. The danger of just adding SSL is that you will believe your system is "secure". It might be, but there is more than protecting one data channel to making a system safe for private data. The SO model is not suitable for expanding on that topic to the depth it needs. Hence the references. – Richard Nov 18 '10 at 14:09
  • @Richard - 1. Sorry, didn't mean to disrespect your sagacity - I did pepper my responses with winking smilies. I already did check you out and in fact I believe I've voted for many of your (numerous) excellent responses during my short time as a StackOverflower. Your profile is indeed impressive which is why my expectations were very high, as they are of anyone who has a 'k' after their score ;-) Hence my bemusement at such a massively broad answer... – immutabl Nov 18 '10 at 14:19
  • @Richard - 2. Perhaps I should have made myself clearer - an assumption built into my question is that the remote box and the app it runs (both outwith my control, I am just connecting clients to them) are as 'secure' as they can be in terms of physical access. As this aspect is neither my responsibility nor under my control I don't need to concern myself with it. I just need to understand (quickly) how to talk to it securely :-( – immutabl Nov 19 '10 at 14:24
  • @5arx unless the Q explicitly says that this is just one piece of a holistic approach to securing a system I assume it isn't. In my experience too many cases of securing an application are like that--and thus not securing the application. Of course if your customers are aware that the total system security is down to someone else, you should be OK if legal writs start flying if things turn out not to be secure. – Richard Nov 19 '10 at 07:33
  • @Richard - understood. Could you please give me some pointers re: SSL/TLS in this scenario. – immutabl Nov 19 '10 at 09:06
  • 1
    @5arx Enable it on the server, and ensure your hrefs on the client start "https:". Not sure about checking server certificate, that rather depends on the details of which technology stack and client options you are using. – Richard Nov 19 '10 at 10:17
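For steps 3 and 4 of the answer above on a .NET client, an added example (not from the original thread): it refuses non-https service URLs and installs a certificate callback that keeps the platform's chain and host-name verdict, optionally adding a fingerprint check. The `ServiceTls` class, its method names and the empty `PinnedSha256` placeholder are assumptions introduced for illustration.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public static class ServiceTls
{
    // Placeholder: hex SHA-256 of the service's DER-encoded certificate, obtained out of band.
    // Left empty here, which means only the normal chain and host-name checks apply.
    static readonly string PinnedSha256 = "";

    // Call before assigning the proxy's Url so credentials are never sent over plain HTTP.
    public static void RequireHttps(string serviceUrl)
    {
        if (new Uri(serviceUrl).Scheme != Uri.UriSchemeHttps)
            throw new InvalidOperationException("Service URL must use https.");
    }

    // Call once at start-up, before the first web service request.
    public static void Install()
    {
        ServicePointManager.ServerCertificateValidationCallback = Validate;
    }

    static bool Validate(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors errors)
    {
        // Never override the platform verdict: an untrusted chain or a host-name mismatch is fatal.
        if (errors != SslPolicyErrors.None || cert == null) return false;
        if (PinnedSha256.Length == 0) return true;
        using (var sha = SHA256.Create())
        {
            string actual = BitConverter.ToString(sha.ComputeHash(cert.GetRawCertData())).Replace("-", "");
            return string.Equals(actual, PinnedSha256, StringComparison.OrdinalIgnoreCase);
        }
    }
}
```

The callback is process-wide in the .NET Framework, so a non-empty pin applies to every HTTPS request the client process makes, not only to calls through the generated proxy.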