I've been looking into some of the ways of securing my WCF communication. What I am building is a client/server application, both in .Net. They communicate over WCF using nettcp over an intranet only. My concern is how to best encrypt the communication without adding complication to the installation process. It looks to me like using a self-signed certificate only on the server might be my best bet but I don't want the customer to have to deal with having to generate and install a certificate. So my thought was to generate the certificate on the server with .net using a third-party class I found on the internet (http://btburnett.com/2009/05/create-a-self-signed-ssl-certificate-in-net.html). I was thinking I would just generate the certificate with an absurdly late expiration date when the server runs for the first time but then I came up with another idea.
Does anyone know if it would be possible to generate the certificate each time the server starts and just keep it in memory, then assign it to WCF to use? I was thinking that by doing this I could avoid having to store the certificate on the server which might be a good thing. Keep in mind, this application is only going to be used on an intranet so the only reason for needing any encryption at all would be if someone was to gain access to the client's network they couldn't packet sniff for the user's passwords (which are being MD5 hashed and stored in the server's database). Any thoughts on this would be helpful.
I have considered strictly using the built-in Windows authentication but it's unclear to me just what the client would have to do in order to configure each terminal to gain access to the server. Keep in mind, this really needs to be simple for the customer to install and configure on their own. At the moment all that is needed is to enter the server's IP address in each terminal once the application is installed and I would like to keep it that way. Of course each user has to have an account set up with a username and password but that's it and that's pretty simple. I'm not looking for identity verification with this certificate, just encryption so self-signed is fine. Any thoughts or advice about this would be helpful.
FYI: currently working with .net 4 on VS2010 RC