ksfok
asked on
C# SOAP header data encryption
Passing authentication information in SOAP header as text strings is inherently insecure since the username and password are passed along in plain-text. That is, a nefarious hacker monitoring the network traffic could see the username and password sent along to the Web service. A better approach is to use a one-way hash function to encrypt the password. Please advise how to do this in least code possible in C#. Thanks.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
How is the stored password compared to the one entered at next login?
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Is it possible to move the hashing function in the Sqlserver 2000 backend?
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
All of the web service I build for my company use ssl certs so we don't need to worry about this. Makes life easier and more secure.
I'm curious to know how this increases security? If a hacker was listening to the soap request they would see the username and hashed password in the soap headers. They could then log in and use the service whenever they wanted. Sure, they wont know the origonal string password, but what difference would that make, they know the encrypted password, which gives them access to the service.
Surely a 2 way encryption would be required to make the service secure. This way the service would be able to decrypt the password and ensure the clients authenticity.
Surely a 2 way encryption would be required to make the service secure. This way the service would be able to decrypt the password and ensure the clients authenticity.
ASKER