Web service Security

sayravi

Hi,

We have proposed a solution to our client which uses webservices to
expose certain interfaces to the internet.

We are currently thinking of how to secure a web service when exposed
to internet.

Is SSL/Certificates the only way of securing a webservice?

Is there any effective & secure solution which doesn't use SSL
encryption, certificates?

Any information, links would be a great help for me.

Thanks in advance.

Regards
Ravi

Chris S.

I'd recommend SSL on the web server with also a username/password
required for each method (or session authentication if the client can
make use of this)

Ben Voigt

Hi,

We have proposed a solution to our client which uses webservices to
expose certain interfaces to the internet.

We are currently thinking of how to secure a web service when exposed
to the internet.

Is SSL/Certificates the only way of securing a webservice?

No.

Is there any effective & secure solution which doesn't use SSL
encryption, certificates?

Of course.

SSL and certificates use public/private key encryption to set up
connections, which is effective but slow.

It provides:
(1) secrecy
(2) tamper detection
(3) non-repudiation

Do you need all of these? If you need only tamper detection, a message
authentication code -- strong hash over (shared key + data) -- will be far
faster.

If you need secrecy, a symmetric key protocol would be much faster.

For non-repudiation, only asymmetric-key cryptography can work.

If you need protection against replay attacks, make sure your messages
expire based on some included date/time.
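The shared-key approach Ben describes (a MAC over the message for tamper detection, plus an included timestamp so messages expire) can be shown end to end. The example below is added here and is not code from the original thread or from WSE; it uses HMAC-SHA256 rather than a bare hash of key + data, because a plain hash of (key || data) with MD5/SHA-1/SHA-2 is open to length-extension forgery while HMAC is not. The shared key, the SOAP body and the five-minute window are constructed for the example. The service side rejects three things: a message whose timestamp is outside the window, a message whose tag does not match the body, and a replay of a tag it has already accepted. Note this gives integrity and origin authentication only; the body still travels in the clear unless it is separately encrypted.

```python
import hashlib
import hmac
import time

# Assumed shared secret, provisioned out of band to both the client and
# the service. Constructed for this example; in practice generate it with
# os.urandom(32) and store it outside source control.
SHARED_KEY = b"example-shared-secret-do-not-reuse"

# How far a message's timestamp may be from the receiver's clock (seconds).
MAX_AGE_SECONDS = 300


def _canonical(timestamp: int, body: bytes) -> bytes:
    # Bind the timestamp to the body with an unambiguous separator, so that
    # (ts="12", body="3...") and (ts="123", body="...") cannot produce the
    # same input to the MAC.
    return str(timestamp).encode("ascii") + b"\n" + body


def sign(key: bytes, timestamp: int, body: bytes) -> str:
    """Client side: tag = HMAC-SHA256(key, timestamp || body), hex encoded."""
    return hmac.new(key, _canonical(timestamp, body), hashlib.sha256).hexdigest()


def verify(key: bytes, timestamp: int, body: bytes, tag: str, now: int,
           seen_tags: set, max_age: int = MAX_AGE_SECONDS):
    """Service side. Returns (accepted, reason)."""
    # 1. Freshness: reject timestamps outside the window (either direction,
    #    so a client with a fast clock cannot pre-sign far-future messages).
    if timestamp < now - max_age or timestamp > now + max_age:
        return False, "expired"
    # 2. Integrity: recompute the tag and compare in constant time so the
    #    comparison itself does not leak how many bytes matched.
    expected = sign(key, timestamp, body)
    if not hmac.compare_digest(expected, tag):
        return False, "bad-mac"
    # 3. Replay: a valid tag is honoured once. Because step 1 bounds the
    #    window, entries older than max_age can be pruned from seen_tags.
    if tag in seen_tags:
        return False, "replay"
    seen_tags.add(tag)
    return True, "ok"


def demo() -> dict:
    """Walk one request through the client and the service; returns the verdicts."""
    seen = set()
    now = int(time.time())
    body = b'<getBalance account="42"/>'  # constructed sample SOAP body
    tag = sign(SHARED_KEY, now, body)
    stale_ts = now - 2 * MAX_AGE_SECONDS
    return {
        # first delivery of a correctly signed, fresh message
        "fresh": verify(SHARED_KEY, now, body, tag, now, seen)[1],
        # identical message delivered a second time
        "replayed": verify(SHARED_KEY, now, body, tag, now, seen)[1],
        # body altered in transit, original tag kept
        "tampered": verify(SHARED_KEY, now, body.replace(b"42", b"43"), tag, now, seen)[1],
        # correctly signed but captured ten minutes ago
        "stale": verify(SHARED_KEY, stale_ts, body, sign(SHARED_KEY, stale_ts, body), now, seen)[1],
    }


if __name__ == "__main__":
    print(demo())
```

The `seen_tags` set stands in for whatever replay cache the service keeps; since the freshness check already bounds how old an accepted message can be, the cache only has to remember tags for `MAX_AGE_SECONDS` and can be pruned on that schedule. Both sides also need clocks that agree to within the window, which is a real operational dependency of this design.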

Ravi

When I read the MS article about WSE 3.0, they have suggested the following
methods.
1. Direct Authentication thru SSL
2. Brokered Authentication
   1. X.509 certificates
   2. Kerberos
   3. STS (Security Token Service).

Since the webservice will be exposed to the outside world thru
internet, we need to secure the soap header as well as message itself.
We plan to use .NET 2.0 /Windows Advanced Server 2003.

Which method of the above would best suit our scenario.

Please correct me if our approach has any flaw.

Since I'm new to the WSE concept, I'm struggling to understand the examples
given by MS. Does anybody have a much easier implementation sample?

Regards
Ravi