Reputation: 3839
I am creating an API with a bunch of public methods to be published on the web, and I need to secure them. In this case it is not about encryption but authentication.
The idea is that whoever is consuming the web services is a registered user in the database, so that we can keep outsiders out. I have been reading about API keys, but I don't know whether they are the correct approach for my issue or how to implement them.
So, the question is: how do I keep unknown people from consuming the web services?
Notes: requests made by known users are likely to be logged, to keep track of what they do and terminate connections on suspicious activity. Also, I'm using ASP.NET.
Upvotes: 0
Views: 244
Reputation: 3839
I came back to explain how I ended up doing it.
First, I used a (custom implementation of a) per-application API key, so for each application that would consume my web services I created and gave them a key. That key has to be provided alongside some application data that is needed to regenerate the key and match it against what the application provided.
Second, I used SoapHeader and a variation of this method in order to accomplish my goal. Basically, the key and app data come with the message as part of the header for each call to a method. So, the validation process happens every time an app calls a public method.
I appreciate the answers that were given to me, and the approaches are really interesting; the reason why I decided to do it this way was that the web services were already up and running and it is .NET 3.5, so neither WCF nor ASP.NET WSE could provide me with the best and easiest-to-implement solution.
Thanks.
Upvotes: 0
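The scheme described in the answer above, written out as an added example (this is not the poster's code, and it is plain Python rather than the ASP.NET SoapHeader implementation the poster used, so the protocol is what matters, not the framework). The per-application key is an HMAC of the application's registration data under a secret only the server holds, so the server regenerates the key from the data sent in the header on every call instead of storing it. The registration fields (`app_id`, `owner`), the revocation set, and the two stand-in public methods are assumptions made for the example.

```python
import hashlib
import hmac
import logging
import secrets

# Assumption: in a real service the secret is loaded from protected
# configuration; it is generated at start-up here so the example runs alone.
SERVER_SECRET = secrets.token_bytes(32)

# Assumption: a derived key cannot be "deleted", because the server never
# stored it. Revocation is therefore a deny-list of application ids whose
# keys still regenerate correctly but are refused anyway.
REVOKED_APPS: set[str] = set()

# Constructed stand-ins for the public web methods being protected.
PUBLIC_METHODS = {
    "GetStock": lambda sku: {"sku": sku, "on_hand": 12},
    "GetPrice": lambda sku: {"sku": sku, "price": "9.99"},
}

log = logging.getLogger("api")


def issue_api_key(app_id: str, owner: str) -> str:
    """Derive the key handed to an application when it is registered.

    The NUL separator keeps ("ab", "c") and ("a", "bc") from producing the
    same MAC input.
    """
    material = f"{app_id}\x00{owner}".encode("utf-8")
    return hmac.new(SERVER_SECRET, material, hashlib.sha256).hexdigest()


def revoke(app_id: str) -> None:
    """Refuse further calls from an application without rotating the secret."""
    REVOKED_APPS.add(app_id)


def validate_header(header: dict) -> bool:
    """Check the header fields that accompany every call.

    The caller sends its registration data plus the key; the server
    regenerates the key from that data and compares in constant time, so a
    caller who edits the data (for example the owner field) no longer matches.
    """
    app_id = header.get("app_id", "")
    owner = header.get("owner", "")
    presented = header.get("api_key", "")
    if app_id in REVOKED_APPS:
        return False
    expected = issue_api_key(app_id, owner)
    # compare_digest does not stop at the first differing character, so an
    # attacker cannot learn the key prefix from response timing.
    return hmac.compare_digest(expected, presented)


def call_method(header: dict, method: str, *args):
    """Gate every public method behind the header check and log the outcome."""
    app_id = header.get("app_id", "?")
    if not validate_header(header):
        log.warning("DENY app=%s method=%s", app_id, method)
        raise PermissionError(f"unauthenticated call to {method}")
    log.info("ALLOW app=%s method=%s", app_id, method)
    return PUBLIC_METHODS[method](*args)


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    key = issue_api_key("inventory-app", "ops@example.com")
    header = {"app_id": "inventory-app", "owner": "ops@example.com", "api_key": key}
    print(call_method(header, "GetStock", "A-100"))
    forged = dict(header, owner="attacker@example.com")  # data changed, key no longer matches
    try:
        call_method(forged, "GetStock", "A-100")
    except PermissionError as exc:
        print("rejected:", exc)
```

One caveat a practitioner would want on record: a key sent as-is in every header is a bearer credential. Anyone who can read the message on the wire (the poster explicitly set encryption aside) can replay the header verbatim, so this scheme should at least run over TLS, and the ALLOW/DENY log lines are what the poster's "terminate connections on suspicious activity" would key off.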
Reputation: 98559
API Keys are a good idea.
The idea is just that you assign each user a private key which they must provide (or, better yet, give proof of possession via a challenge-response) in order to make an API call.
Upvotes: 1
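The challenge-response variant this answer recommends, as an added example that is not the answerer's code: instead of sending the private key, the client sends an HMAC over a server-issued nonce and the method it wants to call, keyed with its API key. The key never crosses the wire, each nonce is accepted once (so a captured response cannot be replayed), and binding the method name into the MAC means a response computed for one method cannot be reused for another. The user store, the 60-second nonce lifetime and the in-memory nonce table are assumptions made for the example; a multi-server deployment would keep the nonce table somewhere shared.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

CHALLENGE_TTL = 60.0  # seconds a nonce stays valid (assumption)

# Assumption: the registered-user database maps a user id to that user's key.
USER_KEYS: dict[str, bytes] = {}

# Outstanding challenges: nonce -> (user it was issued to, monotonic issue time).
_outstanding: dict[bytes, tuple[str, float]] = {}

# Used for unknown users so they take the same verification path and timing.
_DUMMY_KEY = secrets.token_bytes(32)


def register_user(user: str) -> bytes:
    """Give a user a fresh private key (returned once, at registration)."""
    key = secrets.token_bytes(32)
    USER_KEYS[user] = key
    return key


def issue_challenge(user: str) -> bytes:
    """Server side: hand out a fresh nonce bound to the requesting user.

    A nonce is issued even for unknown users so that this step does not
    reveal which user ids exist; the response check fails instead.
    """
    nonce = secrets.token_bytes(16)
    _outstanding[nonce] = (user, time.monotonic())
    return nonce


def compute_response(key: bytes, nonce: bytes, method: str) -> bytes:
    """Client side: prove possession of the key without sending it."""
    return hmac.new(key, nonce + method.encode("utf-8"), hashlib.sha256).digest()


def verify_response(user: str, nonce: bytes, method: str, response: bytes,
                    now: Optional[float] = None) -> bool:
    """Server side: accept a response once, only while its nonce is fresh."""
    # Remove the nonce before checking anything, so it is single-use whether
    # or not this attempt succeeds.
    entry = _outstanding.pop(nonce, None)
    if entry is None:
        return False
    bound_user, issued_at = entry
    current = time.monotonic() if now is None else now
    if bound_user != user or current - issued_at > CHALLENGE_TTL:
        return False
    key = USER_KEYS.get(user, _DUMMY_KEY)
    expected = compute_response(key, nonce, method)
    return hmac.compare_digest(expected, response) and user in USER_KEYS


if __name__ == "__main__":
    alice_key = register_user("alice")          # client keeps this secret
    nonce = issue_challenge("alice")            # 1. client asks for a challenge
    proof = compute_response(alice_key, nonce, "GetStock")  # 2. client answers
    print("first use:", verify_response("alice", nonce, "GetStock", proof))   # True
    print("replayed:", verify_response("alice", nonce, "GetStock", proof))    # False
```

The two round trips cost an extra request per call; a common compromise is to let the client mint the nonce as a timestamp plus random value and have the server remember recently seen values within the freshness window, which keeps the key off the wire with a single request.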
Reputation: 21881
ASP.NET Web Services Enhancements (WSE) support client-side certificate-based authentication. The more up-to-date equivalent is WCF, which also supports client certs.
Upvotes: 1