Encryption in C# Web-Services

2019-04-18 11:45发布

问题:

I'm looking for a simple way to encrypt my soap communication in my C# Web-Service.

I was looking into WSE 3.0 but it seems Microsoft dropped support for it, and therefore it's not straightforward to use.
It seems WCF could've been an option but I prefer not to upgrade from .NET 2.0 .

Any simple, straightforward encryption method?

回答1:

I think this can help; last year we used this to compress the webservices and it performed very well, I believe it could be enhanced with encryption classes;

Creating Custom SOAP Extensions - Compression Extension



回答2:

Anything you do to provide "encryption" that isn't using SSL/TLS is likely to be vulnerable. Now you have to ask yourself, is it worth burning dev hours you could be spending on features on a rubber-chicken security measure? Maybe it is.

.NET APIs like DPAPI and the Win32 crypt32 API make it easy to encrypt blobs of data with static keys. But how will your clients receive the keys? Any installed SOAP client will have to either have the key burned into its configuration, or receive it over the insecure Internet.

This is the problem SSL/TLS solves for you; the dance you do with TLS certificates is what solves the problem of communicating public keys over untrusted channels.



回答3:

Perhaps I'm being naive, but would forcing the communication to be via https be acceptable? I develop web services that run on 2.0 and have had success with just getting IIS to enforce https on the virtual directory.

That would be the simplest way to go probably, but unfortunately I don't have control over the IIS configuration, and can't guarantee that it can run https.

In that case, perhaps the best bet is to either case-by-case encrypt portions of the SOAP messages (after all, you may not need the entire message to be encrypted - just certain sensitive fields?), or you could opt to use an HttpModule to intercept all the messages and operate on the contents. In either case you're probably going to have to provide custom proxies.



回答4:

Perhaps I'm being naive, but would forcing the communication to be via https be acceptable? I develop web services that run on 2.0 and have had success with just getting IIS to enforce https on the virtual directory.

Alternatively, or in addition, you can check the HttpRequest.IsSecureConnection property.



回答5:

We actually use WSE 3.0 in our web services, which were originally developed pre-WCF. For security, we use a SAML token based system built on the Cryptography classes in System.Security.

It works very well. However, this method is by no means "simple".



回答6:

You can use parameters encryption in C# using the System.Security.Cryptography extension.

Encrypting your parameters and decrypting them would be harder but much more secure.

How To: Encrypt and Decrypt Data Using a Symmetric (Rijndael) Key (C#/VB.NET)

I'm using this aproach for an OTP (one time password) web service, and it works fine for me.