Username and Password Security


If you have used the Internet at all, you have almost certainly registered with a Web site and entered a username and password to reach various parts of that site. Such sites range from e-commerce applications that require you to sign in before a purchase can be completed to sites that restrict access to certain areas of content. WSE lets you use a username and password as security credentials, but this approach is not very secure: for the service to verify the credentials, you must send both the username and the password with the message, and an attacker who intercepts the message can read it and modify it.

Granted, you can send a password digest instead of the password itself, which improves security slightly, but a digest is just a hash computed from the password, so the relationship between the two is relatively simple, especially compared to the relationship between the public and private parts of an X509 certificate, which we will look at shortly.

Of course, it is completely insecure to send username and password credentials over a transport protocol that is not itself secure. If you must use username and password credentials, you must also use a secure transport protocol such as HTTPS. The runtime then encrypts the messages between the client and the Web service automatically, so an intercepted message cannot be read, and the need to sign and manually encrypt messages is removed.
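The digest described above, as an added example that is not from the book: the WS-Security UsernameToken PasswordDigest is Base64(SHA-1(nonce + created + password)), and a verifier that accepts it must keep the clear-text password, bound the Created timestamp, and remember nonces to reject replayed tokens. The credential store, time window and sample credentials are constructed assumptions.

```python
import base64, datetime as dt, hashlib, hmac, os

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"   # wsu:Created format

def password_digest(nonce: bytes, created: str, password: str) -> str:
    # WS-Security UsernameToken profile: Base64(SHA-1(nonce + created + password))
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")

def make_token(username: str, password: str, now=None) -> dict:
    # Client side: fresh random nonce and timestamp; the password itself is not sent
    nonce = os.urandom(16)
    created = (now or dt.datetime.now(dt.timezone.utc)).strftime(TIME_FMT)
    return {"Username": username, "Nonce": base64.b64encode(nonce).decode("ascii"),
            "Created": created, "PasswordDigest": password_digest(nonce, created, password)}

class DigestVerifier:
    # Server side: must hold the clear-text password to recompute the digest
    def __init__(self, passwords: dict, max_skew_s: int = 300):
        self.passwords = passwords          # constructed username -> password store
        self.seen = set()                   # (user, nonce, created) already accepted
        self.max_skew = dt.timedelta(seconds=max_skew_s)

    def verify(self, token: dict, now=None) -> bool:
        now = now or dt.datetime.now(dt.timezone.utc)
        password = self.passwords.get(token["Username"])
        if password is None:
            return False
        created = dt.datetime.strptime(token["Created"], TIME_FMT).replace(tzinfo=dt.timezone.utc)
        if abs(now - created) > self.max_skew:      # stale or future timestamp
            return False
        key = (token["Username"], token["Nonce"], token["Created"])
        if key in self.seen:                         # replay of a captured token
            return False
        expected = password_digest(base64.b64decode(token["Nonce"]), token["Created"], password)
        if not hmac.compare_digest(expected, token["PasswordDigest"]):
            return False
        self.seen.add(key)
        return True

def demo() -> list:
    now = dt.datetime(2005, 1, 1, 12, 0, tzinfo=dt.timezone.utc)
    verifier = DigestVerifier({"alice": "s3cret"})       # constructed credentials
    good = make_token("alice", "s3cret", now)
    stale = make_token("alice", "s3cret", now - dt.timedelta(hours=1))
    return [verifier.verify(good, now),                                  # True: fresh, correct
            verifier.verify(good, now),                                  # False: replayed token
            verifier.verify(make_token("alice", "nope", now), now),      # False: wrong password
            verifier.verify(stale, now)]                                 # False: outside window
```

Even with these checks the digest only hides the password from an eavesdropper; the rest of the message is still readable and modifiable in transit, which is why HTTPS remains necessary.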




Programming Microsoft® .NET XML Web Services (Pro-Developer)
ISBN: 0735619123
Year: 2005
Pages: 172
