Velocity Reviews


John K 10-17-2006 06:04 PM

Need for encryption in WSE 3.0 if using SS-avoid man-in-middle att
 
Hello.

I plan on upgrading my .NET 2.0 web service to use WSE 3.0. I am using my
web service over SSL and the PC client application accesses the web service
directly (no middle man server(s)). I will be adding the UserNameToken
option to authenticate the user to the web service. I am considering adding
"usernameForCertificateSecurity" for additional security, even though I am
also using SSL. I am concerned about "man in the middle" attacks for both
the password and data being sent back and forth. How do I decide if SSL is
sufficient? Is the password sent in an encrypted format if I only use
"usernameOverTransport Security"? Is it possible for someone to find out the
password that the PC sends for authentication to the web service if I only
use "usernameOverTransport Security"? If it is possible to see someone's
password, what's a good way to verify the PC application is "talking" to a
valid server before it tries to authenticate by sending the user ID/Password?
--
Thank you.

Dominick Baier 10-17-2006 06:40 PM

Re: Need for encryption in WSE 3.0 if using SS-avoid man-in-middle att
 
SSL is not prone to MITM attacks. You don't need additional message based
security.

SSL also does server authentication by default. Before you send data, the
client checks the server certificate which has to be trusted and the common
name must match the DNS name portion of the URL.

http://www.google.com/search?q=how+d...x=&startPage=1

---
Dominick Baier, DevelopMentor
http://www.leastprivilege.com


John K 10-17-2006 08:25 PM

Re: Need for encryption in WSE 3.0 if using SS-avoid man-in-middle
 
The web address my PC client program goes to for the web services is editable
by the user. This is in case the customer wants to host the server side
components on their own server. Thus they need the ability to change the
address. Thus, some malicious user could change the address to some other
server with an SSL certificate. Then an unknowing, authorized user could
attempt to log into the web site with the PC client program, thinking it's the
correct one since they don't know someone changed it (i.e. like a physical
keystroke logger hardware). The PC client program would then go to
authorize, unfortunately to the wrong server; would the malicious server then see
the user's password if I only use usernameOvertransportSecurity? I would
think the PC client would send the password unencrypted, but I am not sure if
it is still encrypted with that setting.
--
Thank you.



Dominick Baier 10-18-2006 04:59 AM

Re: Need for encryption in WSE 3.0 if using SS-avoid man-in-middle
 
If the other endpoint has a trusted and valid SSL certificate, he would see
the data in cleartext.

But if you let customers change the endpoint address, they must also be able
to change the server certificate for mutual authentication, so I don't see
a real advantage in using additional message security, and you are in the
same situation as with transport security.

Make sure that only authorized people (e.g. an admin) can change URIs on
the client.

---
Dominick Baier, DevelopMentor
http://www.leastprivilege.com


Steven Cheng[MSFT] 10-18-2006 07:59 AM

Re: Need for encryption in WSE 3.0 if using SS-avoid man-in-middle
 
Hi John,

If you only apply SSL/HTTPS as the transport channel and do not use the message
layer security feature in WSE, WSE will certainly send out the SOAP message
(including username/password credentials) in cleartext format. However, I
think SSL/HTTPS should be strong enough to secure the messages transferring
over the transport layer. If your concern is that some malicious party
may redirect the request to a fake server with SSL/certificates, then you
can add code logic in your client application to validate the server
certificate exposed by the SSL/HTTPS server. The ServicePointManager
class in the .NET Framework provides the ServerCertificateValidationCallback event,
which lets us add custom code logic to verify the server (which provides
the SSL/HTTPS service channel). This event occurs at the initial
time when your web service client (or other web client) connects to the HTTPS/SSL
server through the .NET WebRequest components:


#ServicePointManager.ServerCertificateValidationCallback Property
http://msdn2.microsoft.com/en-us/lib...ntmanager.servercertificatevalidationcallback.aspx

#RemoteCertificateValidationCallback Delegate
http://msdn2.microsoft.com/en-us/lib...emotecertificatevalidationcallback.aspx


Anyway, I also think that you can choose either
SSL/HTTPS (UsernameOverTransport) or message layer
security (UsernameOverCertificate); using both of them may be a bit redundant.

Please feel free to post here if you have any other concerns or ideas on
this.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


This posting is provided "AS IS" with no warranties, and confers no rights.
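One way to do the server certificate check Steven describes, as an added example that is not code from the thread. It assumes the thumbprint of the expected server certificate is shipped with the client in admin-protected configuration (the value below is a placeholder) and that the hook is installed before the WSE proxy makes its first call:

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Added example: pin the expected server certificate so the SSL handshake fails,
// and the UsernameToken is never sent, when the client is pointed at some other
// server that merely has a valid certificate of its own.
public static class ServerPinning
{
    // SHA-1 thumbprint of the expected server certificate (Details tab of the cert).
    // Placeholder value; in practice read from configuration only an admin can edit,
    // and updated together with the URL when a customer re-hosts the server side.
    private const string ExpectedThumbprint = "0000000000000000000000000000000000000000";

    // Hook the .NET WebRequest stack once at application start-up. The callback is
    // process-wide: every HTTPS connection made by this client goes through it.
    public static void Install()
    {
        ServicePointManager.ServerCertificateValidationCallback = ValidateServerCertificate;
    }

    // Returning false aborts the handshake, so no credentials reach the remote end.
    private static bool ValidateServerCertificate(object sender, X509Certificate certificate,
                                                  X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        // 1. Keep the default SSL checks (trusted chain, not expired, name matches the
        //    URL host). A rogue endpoint with its own valid certificate passes this step,
        //    which is exactly the gap John describes, so it is not sufficient alone.
        if (sslPolicyErrors != SslPolicyErrors.None)
            return false;

        // 2. Pin: accept only the one certificate we configured. Thumbprint is hex,
        //    upper-case, no spaces, so compare case-insensitively.
        string presented = new X509Certificate2(certificate).Thumbprint;
        return string.Equals(presented, ExpectedThumbprint, StringComparison.OrdinalIgnoreCase);
    }
}
```

Call ServerPinning.Install() before constructing the WSE proxy; when the pinned certificate is renewed, the configured thumbprint has to be rolled out to clients before the old certificate is retired.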


John K 10-18-2006 09:05 PM

Re: Need for encryption in WSE 3.0 if using SS-avoid man-in-middle
 
How do I perform mutual authentication; in particular, how can my application
verify it is talking to the right server before it tries to log into the web
service? Is this done with certificates (private on server and public
version of it on client)? I already have an SSL certificate from Verisign
for the server. Do I generate a "public" certificate based on that server
(private) certificate and then distribute it with the app, and then the app
verifies the certificates are for the same server? Is there an article with
an example on how to do this? I want to make sure I don't talk to a malicious
server and give it the password without first verifying it is a valid server.
Remember that my application needs the ability to change what server it
points to.
--
Thank you.



Steven Cheng[MSFT] 10-19-2006 07:25 AM

Re: Need for encryption in WSE 3.0 if using SS-avoid man-in-middle
 
Hello John,

If you use WSE message layer security, the "mutualCertificate10" and
"mutualCertificate11" will both support mutual authentication against both
server and client.

As for transport layer security through SSL/HTTPS, as I mentioned in the
last reply, you can add code logic in your webservice client and hook the
Server Certificate validation process to determine whether the https/SSL
server is a valid and expected server.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


This posting is provided "AS IS" with no warranties, and confers no rights.


John K 10-19-2006 01:41 PM

Re: Need for encryption in WSE 3.0 if using SS-avoid man-in-middle
 
Dominick said I don't need message level security since I am using SSL, thus
message level security adds unnecessary overhead. Is there a good way to do
mutual authentication at first connection to the web service so there is no
significant overhead for message based security? Is there any "how to" or
examples on how to implement mutual authentication, ideally, without
requiring message based security? Finally, if I do need a client certificate
to do the mutual authentication, how do I generate a client certificate? Can
I generate a client certificate from a server SSL certificate (which my
server has) OR do I need another type of certificate on my server?

I know there are several questions here, but please answer each one.
--
Thank you.




Dominick Baier 10-19-2006 04:40 PM

Re: Need for encryption in WSE 3.0 if using SS-avoid man-in-middle
 
> SSL, thus message level security adds unnecessary overhead. Is there
> a good way to do mutual authentication at first connection to the web
> service so there is no significant overhead for message based security?

That's _exactly_ what SSL is doing.

For client certificate authentication, simply require SSL client certificates
in IIS (directory security tab).

> Finally, if I do need a client certificate to do the mutual
> authentication; how do I generate a client certificate? Can I

You can use a public CA or Windows Certificate Services or makecert.exe



---
Dominick Baier, DevelopMentor
http://www.leastprivilege.com


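The client half of the IIS client-certificate setup Dominick mentions, as an added example that is not code from the thread: IIS is configured to require SSL client certificates, and the PC application offers its certificate during the handshake, with no message-level security involved. MyServiceWse is an assumed name for the WSE 3.0 generated proxy class, and the thumbprint is a placeholder read from admin-protected configuration:

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Web.Services3;

// Added example: present a client certificate over SSL so IIS authenticates the
// application before the UsernameToken is ever evaluated by the service.
public static class ClientCertAuth
{
    // Load the client certificate from the current user's personal store by thumbprint.
    // The private key stays in the store; only the certificate is offered to the server.
    public static X509Certificate2 LoadClientCertificate(string thumbprint)
    {
        X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            // validOnly = true rejects expired or untrusted certificates up front.
            X509Certificate2Collection found = store.Certificates.Find(
                X509FindType.FindByThumbprint, thumbprint, true);
            if (found.Count != 1)
                throw new InvalidOperationException(
                    "Expected exactly one valid client certificate with thumbprint " + thumbprint);
            return found[0];
        }
        finally
        {
            store.Close();
        }
    }

    // Build the WSE proxy for the configured URL and attach the client certificate.
    // MyServiceWse derives from WebServicesClientProtocol, which inherits the
    // ClientCertificates collection from HttpWebClientProtocol.
    public static MyServiceWse CreateProxy(string url, string clientCertThumbprint)
    {
        MyServiceWse proxy = new MyServiceWse();
        proxy.Url = url;
        proxy.ClientCertificates.Add(LoadClientCertificate(clientCertThumbprint));
        return proxy;
    }
}
```

If the URL in configuration is changed to a server that does not require or trust this certificate, the handshake still succeeds, so this complements, rather than replaces, pinning the expected server certificate on the client.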
John K 10-19-2006 05:14 PM

Re: Need for encryption in WSE 3.0 if using SS-avoid man-in-middle
 
SSL only validates you are talking to an SSL certified server; not necessarily
the "right" SSL certified server. We allow the client user to change what
URL the software uses for accessing web services. This is in case our customer wants
to host the server components of the system we are selling on their server(s)
instead of ours. Thus, we do not need to send a special version of the
software to the customer. They can simply edit the URL the client program
accesses.

Thus, I am wondering what is a secure way of verifying the client program is
talking to a "valid" server (the one with the actual web services that need
to be accessed) BEFORE it sends the user's ID and password. I believe this
can be done by using an X.509 certificate on both ends, but I thought that adds
message level security, which is overkill since we are using SSL. What do you
recommend for testing if the client program is talking to the "right" server
before it freely gives the user ID and password for authentication? Since we
allow the user to change the URL in the client program, a malicious user could
temporarily change the URL and then an unsuspecting user would attempt to log
in and when the S/W tries to do that, it would give the "malicious" server
its password.
--
Thank you.

