The only thing is that sent hashed is easy to dictionary attack off the wire -
especially if users have simple passwords. If they have totally random 6-10
char passwords, then probably ok. However, as you're talking about security
upgrades, I would use SCTs instead of UTs. Even MS recommends not using UTs
unless they are protected with a secure channel or security token such as an
SCT.
--
William Stacey [MVP]
"Chris Arnold" <chris.arnold@data-interface.net> wrote in message
news:e98dA$0wFHA.3152@TK2MSFTNGP10.phx.gbl...
>I am using UTs with passwords sent Hashed. I am happy with the model that I
>have constructed for this part of the process.
>
>
> "William Stacey [MVP]" <staceyw@mvps.org> wrote in message
> news:uAOmUlswFHA.3860@TK2MSFTNGP09.phx.gbl...
>>I would first question the use of UsernameTokens. How are you sending the
>>password (hash, none, clear). I would tend to favor SCTs over UT if
>>security is important.
>>
>> --
>> William Stacey [MVP]
>>
>> "Microsoft" <chris.arnold@data-interface.net> wrote in message
>> news:OXoD9DrwFHA.3312@TK2MSFTNGP09.phx.gbl...
>>> Hi All,
>>>
>>> I have almost completed the first stage of our security upgrades for our
>>> web services. So far I have implemented Authentication, Authorization,
>>> Signing & Encryption from client to server. The first 2 of these I can
>>> test very simply. However, I am uncertain how to test the latter 2
>>> subjects (short of becoming a full-time hacker who can intercept the SOAP
>>> message and change it!).
>>>
>>> Does anyone have any proven methods for testing the integrity of the
>>> messages?
>>>
>>> As background, I am using UsernameToken object as my SecurityToken
>>> model; I have implemented my own UsernameTokenManager that assigns Roles
>>> to the authenticated token.
>>>
>>> Many thanks,
>>>
>>> Chris
>>>
>>
>>
>
>
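William's point at the top of this thread is that a hashed UsernameToken is only as strong as the password, because the digest is a plain SHA-1 over values that travel in the clear. The following is an added example, not code from the thread and not WSE's own UsernameTokenManager, showing what such a token carries and the checks a server-side verifier has to make before trusting it; the digest formula is the WS-Security PasswordDigest, while make_token, UsernameTokenVerifier and the sample timestamp are assumptions made here.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

WSU_FORMAT = "%Y-%m-%dT%H:%M:%SZ"
SAMPLE_NOW = datetime(2005, 10, 20, 12, 0, 0, tzinfo=timezone.utc)  # constructed
SAMPLE_LATER = SAMPLE_NOW + timedelta(minutes=10)                    # constructed


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """WS-Security PasswordDigest: Base64(SHA-1(nonce + created + password)).
    Nonce and Created are visible on the wire, so only the password is secret;
    a weak password can therefore be guessed offline from one captured token."""
    data = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def make_token(username: str, password: str, now: datetime) -> dict:
    """Client side (hypothetical helper): the fields a hashed UsernameToken carries."""
    nonce = os.urandom(16)
    created = now.strftime(WSU_FORMAT)
    return {"Username": username, "Nonce": base64.b64encode(nonce).decode("ascii"),
            "Created": created, "PasswordDigest": password_digest(nonce, created, password)}


class UsernameTokenVerifier:
    """Server side (hypothetical): the checks a custom token manager must make.
    Note that the digest scheme forces the server to know the password itself."""

    def __init__(self, lookup_password, max_skew: timedelta = timedelta(minutes=5)):
        self._lookup = lookup_password      # username -> password, or None if unknown
        self._max_skew = max_skew
        self._seen = {}                     # nonce -> expiry time (replay cache)

    def verify(self, token: dict, now: datetime) -> bool:
        created = datetime.strptime(token["Created"], WSU_FORMAT).replace(tzinfo=timezone.utc)
        if abs(now - created) > self._max_skew:
            return False                    # stale or future-dated token: reject
        self._seen = {n: exp for n, exp in self._seen.items() if exp > now}
        nonce = base64.b64decode(token["Nonce"])
        if nonce in self._seen:
            return False                    # same nonce seen inside the window: replay
        password = self._lookup(token["Username"])
        if password is None:
            return False                    # unknown user
        expected = password_digest(nonce, token["Created"], password)
        if not hmac.compare_digest(expected, token["PasswordDigest"]):
            return False                    # digest does not match the stored password
        self._seen[nonce] = now + self._max_skew
        return True
```

Nothing in the token covers the SOAP body, so the freshness and replay checks above protect only the credential; the integrity of the message itself is what the signing in the original question is for.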