C# SOAP header data encryption

Passing authentication information in a SOAP header as text strings is inherently insecure since the username and password are passed along in plain text. That is, a nefarious hacker monitoring the network traffic could see the username and password sent along to the Web service. A better approach is to use a one-way hash function to encrypt the password. Please advise how to do this in the least code possible in C#. Thanks.
ksfokAsked:
JimBrandleyCommented:
This will do it.

using System;
using System.Security.Cryptography;
using System.Text;

public static class PasswordHasher
{
   public static string PasswordHash(string plainText)
   {
      string encrypted = null;
      try
      {
         // Generate an MD5 hash from the password.
         // A hash is one-way: once you generate the hash,
         // you cannot derive the password back from it.
         MD5CryptoServiceProvider hashmd5 = new MD5CryptoServiceProvider();
         byte[] pwdHash = hashmd5.ComputeHash(ASCIIEncoding.ASCII.GetBytes(plainText));
         hashmd5.Clear();

         // Base64 so the binary digest can travel as a string in the header.
         encrypted = Convert.ToBase64String(pwdHash);
      }
      catch (Exception e)
      {
         // Report the failure instead of silently discarding it.
         Console.Error.WriteLine("Hash failed: " + e.Message);
      }
      return encrypted;
   }
}

Jim
ksfokAuthor Commented:
How do you decrypt on the WS host side?
JimBrandleyCommented:
Hash functions are unidirectional. That means that once hashed, you cannot recover the plaintext. This works great where you have the password, or hashed password in a database. Then, after getting the hashed value from the user, just compare it to the value in the DB. Your question did specify "one-way hash function". Is that not correct for your application?

Jim
ksfokAuthor Commented:
How is the stored password compared to the one entered at next login?
JimBrandleyCommented:
We store the hash of the password in the DB. Then, when the user logs in, we compare the hashed value from the DB with the hash of the PW submitted by the user.

Jim
ksfokAuthor Commented:
Is it possible to move the hashing function into the SQL Server 2000 backend?
JimBrandleyCommented:
If you do that, then you have to pass the password around in plaintext. Doesn't that defeat the purpose of what you started out to do?

Jim
richard_gleedCommented:
All of the web services I build for my company use SSL certs, so we don't need to worry about this. Makes life easier and more secure.
wullie1980Commented:
I'm curious to know how this increases security. If a hacker was listening to the SOAP request they would see the username and hashed password in the SOAP headers. They could then log in and use the service whenever they wanted. Sure, they won't know the original string password, but what difference would that make? They know the encrypted password, which gives them access to the service.

Surely a two-way encryption would be required to make the service secure. This way the service would be able to decrypt the password and ensure the client's authenticity.