Introduction
Logical solution
WCF considerations
Implementation
Security considerations
How to use the code
Notes
References
History
Introduction
With the appearance of Windows Communication Foundation, building Service Oriented Applications became easier than ever, and lots of articles poured in with extensions for special cases. Even so, there are still situations left untreated, like the following one I had to resolve:
- Client-server application – http protocol – NO IIS
- Authentication – user/password from a database – NO SSL/X509 certificate
- Authorization – roles from a database
- Encryption for the credentials (with option for the entire request/response)
- Compression for both the request and response.
Logical solution
For each of the above requirements/restrictions we have:
- No IIS – we need our own HTTP server; WCF can self-host one in a few lines of code, so there is no need to insist on this.
- User/Password authentication – this is easily done by default, but an X509 certificate is required. Therefore we need our own mechanism: we’ll add the credentials to the header of the message and encrypt them (or the entire message).
- Encryption – we’ll use an asymmetric algorithm[1] (RSA) with public/private keys. Usually the server and the client each need their own public/private key pair so that both the request and the response can be encrypted, but we’ll use an artifice to avoid the client’s key pair.
With RSA only a small amount of data can be encrypted (for 2048-bit encryption only 128 bytes of data). Therefore RSA is used only to encrypt a randomly generated key, which a symmetric algorithm[2] (AES) then uses to encrypt the message. The server decrypts the client’s key with its private key, decrypts the message with that key, and encrypts the response message with the same key.
Additional security for the credentials – even if the credentials are encrypted, a listener can capture the encrypted credentials and replay them in a new request; therefore we’ll add an expiration date.
- Compression – we’ll use gzip compression/decompression just before sending and right after receiving the message and the response.
Now, let’s see how the above generic considerations look in the client-server message flow:
1. Server starts; a new RSA key is generated (or loaded from the disk).
2. Client starts; it asks the server for the public key and time; based on server time and client time it will calculate the client-server-timespan.
3. Client prepares the request message
a. The credentials are added to the message header; the Credentials token will have User/Password/Expires properties; the Expires will be calculated as client time + client-server-timespan + a few seconds;
b. The message (or only the credentials part) is encrypted; more exactly:
- a random key is generated and saved along with the message id;
- the message (or the credentials part) is encrypted with the AES algorithm using the previous generated key;
- the AES key is encrypted using the server’s RSA public key and added to the encrypted message.
c. The message is compressed
4. Server receives the request message
a. The message is decompressed
b. The message is decrypted; more exactly:
- the client’s AES key is retrieved by decrypting it with the server’s private key;
- the message is decrypted using the client key;
- the client’s key will be saved along with the message id – it will be needed to encrypt the response with the same id;
c. The credentials are extracted from the message; Expires is compared with the server’s current time and, if the server time is already past Expires, an AuthenticationException is thrown;
d. Authentication – the credentials are verified against a database;
e. Authorization – the roles of the authenticated user are retrieved from a database/cache.
5. Server prepares the response message
a. The message is encrypted; more exactly the message will be encrypted (AES) using the client’s key saved during decryption of the request;
b. The message is compressed
6. Client receives the response message
a. The message is decompressed.
b. The message is decrypted using the key saved during encryption (3.b.)
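The whole flow above, steps 1 to 6, as an added example that is not the article's code: the client and server sides run in one process so they can be read together. The envelope layout (wrapped-key length, wrapped key, IV, ciphertext), the token layout (user|password|expires as UTC ticks), the five-second margin and the assumption that the two clocks already agree are choices made for this example; it targets .NET 6 or later.

```csharp
using System;
using System.IO;
using System.IO.Compression;
using System.Security.Authentication;
using System.Security.Cryptography;
using System.Text;

// Added example (not the article's code): the request/response flow run end to end.
static class HybridFlowDemo
{
    // 3.a: credentials token; Expires = client time + client-server span + a few seconds.
    static string BuildCredentials(string user, string password, TimeSpan clientServerSpan)
    {
        DateTime expires = DateTime.UtcNow + clientServerSpan + TimeSpan.FromSeconds(5);
        return user + "|" + password + "|" + expires.Ticks;
    }

    // 4.c: reject a token whose Expires lies before the server's current time.
    static void CheckExpiry(string token)
    {
        var expires = new DateTime(long.Parse(token.Split('|')[2]), DateTimeKind.Utc);
        if (expires < DateTime.UtcNow)
            throw new AuthenticationException("credentials token expired");
    }

    // AES-CBC with a fresh IV per message; output is iv || ciphertext.
    static byte[] Seal(byte[] plaintext, byte[] key)
    {
        using var aes = Aes.Create();
        aes.Key = key;
        aes.GenerateIV();
        return Concat(aes.IV, aes.CreateEncryptor().TransformFinalBlock(plaintext, 0, plaintext.Length));
    }

    static byte[] Open(byte[] sealedData, byte[] key)
    {
        using var aes = Aes.Create();
        aes.Key = key;
        aes.IV = sealedData[..16];
        return aes.CreateDecryptor().TransformFinalBlock(sealedData, 16, sealedData.Length - 16);
    }

    // 3.b: a random AES key encrypts the message; the server's RSA public key wraps that key.
    // Envelope (assumed layout): [wrappedKeyLength][wrappedKey][iv][ciphertext]
    static byte[] ClientEncrypt(byte[] plaintext, RSAParameters serverPublicKey, out byte[] aesKey)
    {
        aesKey = RandomNumberGenerator.GetBytes(32); // the client keeps it under the message id for step 6.b
        using var rsa = RSA.Create();
        rsa.ImportParameters(serverPublicKey);
        byte[] wrappedKey = rsa.Encrypt(aesKey, RSAEncryptionPadding.OaepSHA256);
        return Concat(BitConverter.GetBytes(wrappedKey.Length), wrappedKey, Seal(plaintext, aesKey));
    }

    // 4.b: unwrap the AES key with the server's private key, then decrypt the message.
    static byte[] ServerDecrypt(byte[] envelope, RSA serverRsa, out byte[] aesKey)
    {
        int len = BitConverter.ToInt32(envelope, 0);
        aesKey = serverRsa.Decrypt(envelope[4..(4 + len)], RSAEncryptionPadding.OaepSHA256); // kept for step 5.a
        return Open(envelope[(4 + len)..], aesKey);
    }

    // 3.c / 4.a / 5.b / 6.a: gzip around the whole envelope.
    static byte[] Compress(byte[] data)
    {
        var ms = new MemoryStream();
        using (var gz = new GZipStream(ms, CompressionMode.Compress)) gz.Write(data, 0, data.Length);
        return ms.ToArray(); // ToArray is still valid after GZipStream has disposed the MemoryStream
    }

    static byte[] Decompress(byte[] data)
    {
        var ms = new MemoryStream();
        using (var gz = new GZipStream(new MemoryStream(data), CompressionMode.Decompress)) gz.CopyTo(ms);
        return ms.ToArray();
    }

    static byte[] Concat(params byte[][] parts)
    {
        var ms = new MemoryStream();
        foreach (byte[] p in parts) ms.Write(p, 0, p.Length);
        return ms.ToArray();
    }

    static void Main()
    {
        using var serverRsa = RSA.Create(2048);                       // 1. server generates its key pair
        RSAParameters publicKey = serverRsa.ExportParameters(false);  // 2. client fetches the public key
        TimeSpan clientServerSpan = TimeSpan.Zero;                    // 2. assumed here: the clocks agree
        string token = BuildCredentials("alice", "s3cret", clientServerSpan); // constructed sample credentials
        byte[] request = Encoding.UTF8.GetBytes(token + "\n<body>ping</body>");
        byte[] wire = Compress(ClientEncrypt(request, publicKey, out byte[] clientKey));          // 3.b, 3.c

        string received = Encoding.UTF8.GetString(ServerDecrypt(Decompress(wire), serverRsa, out byte[] serverKey)); // 4.a, 4.b
        CheckExpiry(received.Split('\n')[0]);                                                    // 4.c
        byte[] reply = Compress(Seal(Encoding.UTF8.GetBytes("<body>pong</body>"), serverKey));   // 5.a, 5.b

        Console.WriteLine(Encoding.UTF8.GetString(Open(Decompress(reply), clientKey)));          // 6.a, 6.b
    }
}
```

Two things worth keeping in mind when reading it against the flow: the Expires value only bounds the replay window, so the "few seconds" margin should stay as small as the measured client-server time span allows; and AES-CBC, as used in the article, gives confidentiality only, so a deployment that also needs to detect tampering with the ciphertext would add an authentication tag (AES-GCM or an HMAC over the envelope) before sending.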
WCF considerations
How to extend WCF to implement the above flow:
On the client, for adding the credentials we’ll use a BehaviorExtensionElement that implements IClientMessageInspector which has a BeforeSendRequest method (see implementation here).
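A minimal client-side inspector of the kind described above, as an added example and not the article's own implementation: it adds a Credentials header (User/Password/Expires) to every outgoing request and an IEndpointBehavior that registers it. The header name and namespace, the token class and the five-second margin are assumptions; the header is added in clear here because in the article's design the separate encryption step then encrypts the credentials part or the whole message. It targets .NET Framework WCF, where the collection is called MessageInspectors (the .NET Core client library names it ClientMessageInspectors).

```csharp
using System;
using System.Runtime.Serialization;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using System.ServiceModel.Dispatcher;

// Added example (not the article's implementation): the token carried in the header.
[DataContract(Namespace = CredentialsInspector.HeaderNamespace)]
public sealed class CredentialsToken
{
    [DataMember] public string User { get; set; }
    [DataMember] public string Password { get; set; }
    [DataMember] public DateTime Expires { get; set; }
}

// Runs before every request leaves the client (step 3.a of the flow).
public sealed class CredentialsInspector : IClientMessageInspector
{
    public const string HeaderName = "Credentials";             // assumed header name
    public const string HeaderNamespace = "urn:example:credentials"; // assumed namespace

    private readonly string _user;
    private readonly string _password;
    private readonly TimeSpan _clientServerSpan; // measured against the server's time at startup (step 2)

    public CredentialsInspector(string user, string password, TimeSpan clientServerSpan)
    {
        _user = user;
        _password = password;
        _clientServerSpan = clientServerSpan;
    }

    public object BeforeSendRequest(ref Message request, IClientChannel channel)
    {
        var token = new CredentialsToken
        {
            User = _user,
            Password = _password,
            // Expires = client time + client-server span + a few seconds
            Expires = DateTime.UtcNow + _clientServerSpan + TimeSpan.FromSeconds(5)
        };
        request.Headers.Add(MessageHeader.CreateHeader(HeaderName, HeaderNamespace, token));
        return null; // no correlation state needed for the reply
    }

    public void AfterReceiveReply(ref Message reply, object correlationState) { }
}

// Attaches the inspector to an endpoint; the article does this through a BehaviorExtensionElement in config.
public sealed class CredentialsBehavior : IEndpointBehavior
{
    private readonly CredentialsInspector _inspector;

    public CredentialsBehavior(CredentialsInspector inspector) { _inspector = inspector; }

    public void AddBindingParameters(ServiceEndpoint endpoint, BindingParameterCollection parameters) { }

    public void ApplyClientBehavior(ServiceEndpoint endpoint, ClientRuntime clientRuntime)
    {
        clientRuntime.MessageInspectors.Add(_inspector);
    }

    public void ApplyDispatchBehavior(ServiceEndpoint endpoint, EndpointDispatcher dispatcher) { }

    public void Validate(ServiceEndpoint endpoint) { }
}
```

To use it from code rather than config, add a CredentialsBehavior instance to the EndpointBehaviors of the ChannelFactory's Endpoint before the first channel is created; on the server, the matching IDispatchMessageInspector reads the same header in AfterReceiveRequest and performs the expiry check and the database lookups of steps 4.c to 4.e.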
Read more: Codeproject