I'm looking for a simple way to encrypt my soap communication in my C# Web-Service.
I was looking into WSE 3.0 but it seems Microsoft dropped support for it, and therefore it's not straightforward to use.
It seems WCF could've been an option but I prefer not to upgrade from .NET 2.0 .
Any simple, straightforward encryption method?
I think this can help; last year we used this to compress the webservices and it performed very well, I believe it could be enhanced with encryption classes;
Creating Custom SOAP Extensions - Compression Extension
Anything you do to provide "encryption" that isn't using SSL/TLS is likely to be vulnerable. Now you have to ask yourself, is it worth burning dev hours you could be spending on features on a rubber-chicken security measure? Maybe it is.
.NET APIs like DPAPI and the Win32 crypt32 API make it easy to encrypt blobs of data with static keys. But how will your clients receive the keys? Any installed SOAP client will have to either have the key burned into its configuration, or receive it over the insecure Internet.
This is the problem SSL/TLS solves for you; the dance you do with TLS certificates is what solves the problem of communicating public keys over untrusted channels.
Perhaps I'm being naive, but would
forcing the communication to be via
https be acceptable? I develop web
services that run on 2.0 and have had
success with just getting IIS to
enforce https on the virtual
directory.
That would be the simplest way to go
probably, but unfortunately I don't
have control over the IIS
configuration, and can't guarantee
that it can run https.
In that case, perhaps the best bet is to either case-by-case encrypt portions of the SOAP messages (after all, you may not need the entire message to be encrypted - just certain sensitive fields?), or you could opt to use an HttpModule to intercept all the messages and operate on the contents. In either case you're probably going to have to provide custom proxies.
Perhaps I'm being naive, but would forcing the communication to be via https be acceptable?
I develop web services that run on 2.0 and have had success with just getting IIS to enforce https on the virtual directory.
Alternatively, or in addition, you can check the HttpRequest.IsSecureConnection property.
We actually use WSE 3.0 in our web services, which were originally developed pre-WCF. For security, we use a SAML token based system built on the Cryptography classes in System.Security.
It works very well. However, this method is by no means "simple".
You can use parameters encryption in C# using the System.Security.Cryptography extension.
Encrypting your parameters and decrypting them would be harder but much more secure.
How To: Encrypt and Decrypt Data Using a Symmetric (Rijndael) Key (C#/VB.NET)
I'm using this aproach for an OTP (one time password) web service, and it works fine for me.