WebService Security

Question

I'm developing an project, which consists in a webservice and a client application. It's a fair simple scenario. The webservice is connected to a database server, and the client consumes from the webserver in order to get information retrieved from the database.

The thing is: 1. The client application can only display data after a previous authentication; 2. All the data transferred between Web Service and clients must be confidential; 3. Data integrity shouldn’t be compromised;

I'm wondering what is the best way to achieve these requirements. The first thing I thought about, was sending the server a digital signature containing a client certificate, to be stored in the server, and used as comparison for authentication. But I investigated a little about webservice security, and I'm no longer certain that this is the best option.

Can anyone give me an opinion about this?

TIA

Merlyn Morgan-Graham · Accepted Answer

You should use a known good scheme to achieve this sort of secure connection: SSL. If the technologies (programming languages, libraries, etc) you are using have a known SSL pattern, then use that.

If your session is secure, then you don't need any extra data encryption. The latest versions of SSL are pretty strong by today's standards.

In the case of a C# application, I'd use WCF with SSL.

http://en.wikipedia.org/wiki/Transport_Layer_Security
http://www.codeproject.com/KB/WCF/WCF.aspx (though I'd make sure I checked MSDN too, to ensure that the approach you end up using is up to date)

Your client needs to know they can trust the server, so you'll need a server certificate. If you're okay with a client only needing a password to access that data, then you don't need client certificates.

WebService Security

Answers (2)

Related Questions