thesnoman
asked on
Generating a self-signed certificate in memory for WCF encryption
Hi folks,
I've been looking into some of the ways of securing my WCF communication. What I am building is a client/server application, both in .Net. They communicate over WCF using nettcp over an intranet only. My concern is how to best encrypt the communication without adding complication to the installation process. It looks to me like using a self-signed certificate only on the server might be my best bet but I don't want the customer to have to deal with having to generate and install a certificate. So my thought was to generate the certificate on the server with .net using a third-party class I found on the internet (http://btburnett.com/2009/05/create-a-self-signed-ssl-certificate-in-net.html). I was thinking I would just generate the certificate with an absurdly late expiration date when the server runs for the first time but then I came up with another idea.
Does anyone know if it would be possible to generate the certificate each time the server starts and just keep it in memory, then assign it to WCF to use? I was thinking that by doing this I could avoid having to store the certificate on the server which might be a good thing. Keep in mind, this application is only going to be used on an intranet so the only reason for needing any encryption at all would be if someone was to gain access to the client's network they couldn't packet sniff for the user's passwords (which are being MD5 hashed and stored in the server's database). Any thoughts on this would be helpful.
I have considered strictly using the built in Windows authentication but it's unclear to me just what the client would have to do in order to configure each terminal to gain access to the server. Keep in mind, this really needs to be simple for the customer to install and configure on their own. At the moment all that is needed is to enter the server's IP address in each terminal once the application is installed and I would like to keep it that way. Of coarse each user has to have an account setup with a username and password but that's it and that's pretty simple. I'm not looking for identity verification with this certificate, just encryption so self-signed is fine. Any thoughts or advice about this would be helpful.
FYI: currently working with .net 4 on VS2010 RC
Thanks,
Casey
I've been looking into some of the ways of securing my WCF communication. What I am building is a client/server application, both in .Net. They communicate over WCF using nettcp over an intranet only. My concern is how to best encrypt the communication without adding complication to the installation process. It looks to me like using a self-signed certificate only on the server might be my best bet but I don't want the customer to have to deal with having to generate and install a certificate. So my thought was to generate the certificate on the server with .net using a third-party class I found on the internet (http://btburnett.com/2009/05/create-a-self-signed-ssl-certificate-in-net.html). I was thinking I would just generate the certificate with an absurdly late expiration date when the server runs for the first time but then I came up with another idea.
Does anyone know if it would be possible to generate the certificate each time the server starts and just keep it in memory, then assign it to WCF to use? I was thinking that by doing this I could avoid having to store the certificate on the server which might be a good thing. Keep in mind, this application is only going to be used on an intranet so the only reason for needing any encryption at all would be if someone was to gain access to the client's network they couldn't packet sniff for the user's passwords (which are being MD5 hashed and stored in the server's database). Any thoughts on this would be helpful.
I have considered strictly using the built in Windows authentication but it's unclear to me just what the client would have to do in order to configure each terminal to gain access to the server. Keep in mind, this really needs to be simple for the customer to install and configure on their own. At the moment all that is needed is to enter the server's IP address in each terminal once the application is installed and I would like to keep it that way. Of coarse each user has to have an account setup with a username and password but that's it and that's pretty simple. I'm not looking for identity verification with this certificate, just encryption so self-signed is fine. Any thoughts or advice about this would be helpful.
FYI: currently working with .net 4 on VS2010 RC
Thanks,
Casey
ASKER
Hi CodeCruiser.
Well assuming that WCF uses the Public Key/Private Key model, like SSL does then the service would need to pass the public key off to the client during the initial handshake. Obviously with SSL the client never needs a certificate to communicate securely with the server. One thing that doesn't look possible to me at this point is transport security with SSL over nettcp, but I could be mistaken.
At the moment I am just generating and storing the certificate on the services' first run. Then I check to ensure the certificate is found and assign it to my service using SetCertificate. I'm still having trouble getting the client to connect, looks like some sort of a DNS identity problem but I am making progress.
I'm still learning this stuff and so far the security portion of it is pretty daunting so please have patience with me.
Thanks,
Casey
Well assuming that WCF uses the Public Key/Private Key model, like SSL does then the service would need to pass the public key off to the client during the initial handshake. Obviously with SSL the client never needs a certificate to communicate securely with the server. One thing that doesn't look possible to me at this point is transport security with SSL over nettcp, but I could be mistaken.
At the moment I am just generating and storing the certificate on the services' first run. Then I check to ensure the certificate is found and assign it to my service using SetCertificate. I'm still having trouble getting the client to connect, looks like some sort of a DNS identity problem but I am making progress.
I'm still learning this stuff and so far the security portion of it is pretty daunting so please have patience with me.
Thanks,
Casey
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Following links may help
http://msdn.microsoft.com/en-us/library/ms730301.aspx
http://msdn.microsoft.com/en-us/library/ms732362.aspx