All geek questions in one place

How to protect sensitive data in a WCF client application?

I have a WCF web service and a client that calls this service. This client will be deployed in many places. I have to authenticate and allow each client uniquely. Thus, each location will have a unique username and password.

Now my questions

  • How to identify each customer uniquely?
  • How to store some sensitive data on the client side?

I was thinking of several approaches,

  • Using a certificate to identify a customer. I need to create and deploy a certificate.
  • Having an active directory on the server side and let each client use a Windows user account.
  • Encrypt username and password and save them in the configuration file. I believe that encrypting configuration files with aspnet_regiis will not help me, as anyone can decrypt it if they gain access to the machine.
+4
source share
2 answers

Your question can be divided into three parts. Two of them are directly related to security in WCF, and one of them is beyond the scope.

Authentication and authorization - yes, it is possible. WCF offers several settings that allow you to authenticate the client and provide its roles. You can also create your own. The most common scenario for authenticating clients that are not in your AD domain are username and password credentials with user verification on the service or using client certificates.

Conflict and integrity - Due to your attention to security, you must also include the secure transfer of credentials (and message data). If you do not provide safe transport, someone on the network can sniff the connection and steal credentials (or data). The attacker will also be able to intercept the connection and change the data transferred. To ensure communication, you need transport security (TLS, SSL / HTTPS) or message security β€” in the Internet script provided by certificates.

Client credential protection is mainly because of your control. After you deploy the client application with credentials to a client computer that is not under your control, you can never ensure the security of the provided credentials. It depends on your users / clients. If you somehow incorporate credentials into your application, the end user / attacker is likely to always be able to obtain them. But this is the problem of every secure solution - someone must have access to credentials.

+1
source

I prefer certificates. They are more difficult to compromise than y / r.

If your client data is fairly lightweight, simply encrypt the XML file using symmetric encryption in the client application.

If you are concerned that the client application is at risk, you can asymmetrically encrypt data using the server’s public key. Then, when you need it, you send the light encrypted data to the server and return it back to the WCF response. This can be workable if it only happens when the session starts (otherwise it is a lot of traffic).

0
source

Source: https://habr.com/ru/post/1338747/

More articles:


All Articles