Securing Web Services

Securing Web Services (Chris)
12/20/2006 8:38:04 PM
I want to secure a web service so only authorized client apps can use it.
Will using SSL with an encrypted username and password in the soap header do
the job? I know you could potentially capture a post to a web service (or
anything sent over the web). Will SSL mean you can't capture the stream to
the web service and resend it? I am thinking if the post to the web service
contains the username and password then it is useless unless SSL means it
can't be captured and reused? Regards.

Re: Securing Web Services <Andy>
12/21/2006 12:00:00 AM
The stream cannot be replayed. Each SSL connection has a unique session key,
so just replaying an old stream on a new connection will not work.

Remember to only send a hash of the password and not the full password. This
means that you don't have to store actual passwords on the server.


Regards,

Andy Kendall



Re: Securing Web Services <Andy>
12/21/2006 12:00:00 AM
I forgot to say, a replay attack on the same session is also avoided because
each packet has an incremental sequence number which is remembered by the
SSL session.

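The thread's concern is a captured SOAP request being resent. TLS protects the bytes on the wire, but a defender usually also wants the message itself to resist replay, for instance if a request is logged or forwarded beyond the TLS endpoint. The following is an added example, not code from this thread or from any .NET library; it is written in Python because the check is language-neutral, and it assumes a hypothetical per-client shared-secret store (`CLIENT_SECRETS`), a server-side nonce cache (`ReplayGuard`) and a five-minute freshness window. The client binds its identity, a random nonce, a timestamp and a hash of the SOAP body into one HMAC; the server rejects stale timestamps, previously seen nonces, and any digest that does not match the body actually received.

```python
import base64
import hashlib
import hmac
import os
import time

# Constructed credential store for the demo: client id -> shared secret.
# A real service would keep these in a secret store, never in source.
CLIENT_SECRETS = {"billing-app": b"demo-shared-secret-not-for-production"}

# Tokens whose Created timestamp is further than this from server time are rejected.
FRESHNESS_SECONDS = 300


def _signed_material(client_id, nonce, created, body):
    """The exact bytes both sides MAC: identity, nonce, timestamp and a hash of the body."""
    return b"|".join([
        client_id.encode(),
        nonce.encode(),
        str(created).encode(),
        hashlib.sha256(body).digest(),
    ])


def build_token(client_id, secret, body, now=None):
    """Client side: produce the header fields that accompany one SOAP body."""
    created = int(now if now is not None else time.time())
    nonce = base64.b64encode(os.urandom(16)).decode()  # fresh per request
    mac = hmac.new(secret, _signed_material(client_id, nonce, created, body),
                   hashlib.sha256).digest()
    return {
        "Username": client_id,
        "Nonce": nonce,
        "Created": created,
        "Digest": base64.b64encode(mac).decode(),
    }


class ReplayGuard:
    """Server side: verify a token and remember its nonce for the freshness window."""

    def __init__(self, secrets, freshness=FRESHNESS_SECONDS):
        self.secrets = secrets
        self.freshness = freshness
        self.seen = {}  # nonce -> time at which it may be forgotten

    def verify(self, token, body, now=None):
        now = now if now is not None else time.time()
        secret = self.secrets.get(token.get("Username"))
        if secret is None:
            return False, "unknown client"
        created = token.get("Created")
        if not isinstance(created, int) or abs(now - created) > self.freshness:
            return False, "stale or future timestamp"
        # Drop expired nonces so the cache stays bounded; anything older than the
        # window is already rejected by the timestamp check above.
        self.seen = {n: exp for n, exp in self.seen.items() if exp > now}
        nonce = token.get("Nonce", "")
        if nonce in self.seen:
            return False, "replayed nonce"
        expected = hmac.new(secret, _signed_material(token["Username"], nonce, created, body),
                            hashlib.sha256).digest()
        try:
            presented = base64.b64decode(token.get("Digest", ""))
        except (ValueError, TypeError):
            return False, "malformed digest"
        if not hmac.compare_digest(expected, presented):  # constant-time comparison
            return False, "bad digest"
        self.seen[nonce] = created + self.freshness
        return True, "ok"


if __name__ == "__main__":
    body = b"<soap:Body><GetBalance/></soap:Body>"  # constructed sample body
    guard = ReplayGuard(CLIENT_SECRETS)
    tok = build_token("billing-app", CLIENT_SECRETS["billing-app"], body)
    print("first use :", guard.verify(tok, body))   # (True, 'ok')
    print("replayed  :", guard.verify(tok, body))   # (False, 'replayed nonce')
```

Because the digest covers a hash of the body, a captured header cannot be re-attached to a different request, and because the nonce is cached for the full freshness window, a captured request cannot be resent within it; after the window the timestamp check rejects it instead.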