Solved

C# SOAP header data encryption

Posted on 2007-09-28
Last Modified: 2013-11-18
Passing authentication information in SOAP header as text strings is inherently insecure since the username and password are passed along in plain-text. That is, a nefarious hacker monitoring the network traffic could see the username and password sent along to the Web service. A better approach is to use a one-way hash function to encrypt the password. Please advise how to do this in the least code possible in C#. Thanks.
0
Question by:ksfok
9 Comments
 
LVL 22

Accepted Solution

by:JimBrandley
JimBrandley earned 1500 total points
ID: 19981766
This will do it.

using System;
using System.Security.Cryptography;
using System.Text;

public static string PasswordHash(string plainText)
{
   string Encrypted = null;
   try
   {
      byte[] pwdHash = null;
      MD5CryptoServiceProvider hashmd5;

      // Generate an MD5 hash from the password.
      // A hash is a one-way encryption, meaning once you generate
      // the hash, you can't derive the password back from it.
      hashmd5 = new MD5CryptoServiceProvider();
      pwdHash = hashmd5.ComputeHash(ASCIIEncoding.ASCII.GetBytes(plainText));
      hashmd5 = null;

      // Base64-encode the 16-byte digest so it can travel as a header string.
      Encrypted = Convert.ToBase64String(pwdHash);
   }
   catch(Exception e)
   {
      // The message is built but never logged; the caller just receives null.
      string str = "Hash failed:" + e.Message;
   }
   return Encrypted;
}

Jim
0
 

Author Comment

by:ksfok
ID: 19982538
How do you decrypt on the WS host side?
0
 
LVL 22

Assisted Solution

by:JimBrandley
JimBrandley earned 1500 total points
ID: 19982552
Hash functions are unidirectional. That means that once hashed, you cannot recover the plaintext. This works great where you have the password, or hashed password in a database. Then, after getting the hashed value from the user, just compare it to the value in the DB. Your question did specify "one-way hash function". Is that not correct for your application?

Jim
0

 

Author Comment

by:ksfok
ID: 19991799
How is the stored password compared to the one entered at next login?
0
 
LVL 22

Assisted Solution

by:JimBrandley
JimBrandley earned 1500 total points
ID: 19991853
We store the hash of the password in the DB. Then, when the user logs in, we compare the hashed value from the DB with the hash of the PW submitted by the user.

Jim
0
 

Author Comment

by:ksfok
ID: 19993882
Is it possible to move the hashing function in the SQL Server 2000 backend?
0
 
LVL 22

Assisted Solution

by:JimBrandley
JimBrandley earned 1500 total points
ID: 19994252
If you do that, then you have to pass the password around in plaintext. Doesn't that defeat the purpose of what you started out to do?

Jim
0
 

Expert Comment

by:richard_gleed
ID: 21791375
All of the web services I build for my company use SSL certs so we don't need to worry about this. Makes life easier and more secure.
0
 

Expert Comment

by:wullie1980
ID: 22250146
I'm curious to know how this increases security? If a hacker was listening to the SOAP request they would see the username and hashed password in the SOAP headers. They could then log in and use the service whenever they wanted. Sure, they won't know the original string password, but what difference would that make, they know the encrypted password, which gives them access to the service.

Surely a 2 way encryption would be required to make the service secure. This way the service would be able to decrypt the password and ensure the clients authenticity.
0
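The replay concern raised in the last comment, as an added example that is not part of the original thread: the stored-hash comparison described in the answers accepts any repeat of the same header value, while a value bound to a per-request nonce does not. The class and method names, the sample password, and the HMAC-SHA256 nonce scheme are assumptions made for illustration; only the Base64(MD5(password)) construction comes from the accepted answer.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
// Added illustration, not code from the thread. All names are hypothetical.
static class HeaderAuthDemo
{
    // Same construction as the accepted answer: Base64(MD5(password)).
    static string PasswordHash(string plainText)
    {
        using (MD5 md5 = MD5.Create())
            return Convert.ToBase64String(md5.ComputeHash(Encoding.ASCII.GetBytes(plainText)));
    }

    // Comparison that does not stop at the first differing character.
    static bool SameValue(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // Assumed alternative: HMAC-SHA256 over a per-request server nonce,
    // keyed with the stored hash, so the header value changes every request.
    static string NonceProof(string storedHash, byte[] nonce)
    {
        using (HMACSHA256 hmac = new HMACSHA256(Convert.FromBase64String(storedHash)))
            return Convert.ToBase64String(hmac.ComputeHash(nonce));
    }

    static byte[] NewNonce()
    {
        byte[] nonce = new byte[16];
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
            rng.GetBytes(nonce);
        return nonce;
    }

    static void Main()
    {
        string stored = PasswordHash("constructed-sample-password");  // value in the DB
        string header = PasswordHash("constructed-sample-password");  // value a client sends
        // Anyone who re-sends the same header value passes the stored-hash comparison.
        Console.WriteLine("Static hash accepted again: " + SameValue(stored, header));
        string oldProof = NonceProof(stored, NewNonce());   // answer to an earlier nonce
        string expected = NonceProof(stored, NewNonce());   // server expects a fresh one
        Console.WriteLine("Old proof accepted: " + SameValue(expected, oldProof));
    }
}
```

The nonce only addresses replay of a captured header value; it gives the rest of the SOAP message no confidentiality, which is what the SSL approach mentioned in the earlier comment provides.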