  1. #1
    mrwooster (SitePoint Evangelist)
    Join Date
    Jan 2006
    Posts
    518

    Web Service security question... have I got it right? Slightly advanced, (I think)

    I am implementing security for a web service on my site whereby a user can submit data securely to my web service.

    This is how I have implemented it... are there any huge flaws in it?

    I have generated a self-signed OpenSSL certificate and have two files, one containing the certificate (without the private key (I hope... is there any way of checking this? I have never used OpenSSL before)) and another file containing the private key. Neither of the files is in the web root of my site.

    When a user connects to my (SOAP) web service, he calls the 'getCertificate' function, which returns a string containing the public certificate (in X.509 form). The client then uses the public certificate to encrypt a randomly generated 'key'.

    The client then encrypts (using mcrypt) the data it is sending to the web service using this randomly generated 'key' (I am using Blowfish ATM; is there a better one to use?), and sends the encrypted data along with the (SSL) encrypted 'key' to the web service.

    My web service receives the (Blowfish encrypted) data and first of all uses the private key to decrypt the client's (SSL) encrypted key (used to encrypt the data using Blowfish)... it then uses this key to decrypt the 'Blowfish encrypted' data. My web service then encrypts the response using Blowfish and the 'key' generated by the client and returns the response, which the client decrypts using its original randomly generated key...

    I know that I am not generating different keys for the client and the service, but this does not require military-grade encryption; it should have enough to prevent people from snooping....

    I am very new to web security so would appreciate if anyone could point out the huge holes which are undoubtedly in my logic....
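An added example (not code from the thread or from the poster) for the "is there any way of checking this" question above. It assumes the service is written in PHP (the mcrypt and SOAP references suggest it) and that the two PEM files live at the paths shown, which are assumptions: it confirms the certificate file carries no private-key block, that both files parse, that the key actually belongs to the certificate, and that the key file is not readable by other accounts.

```php
<?php
// Added example, not code from the thread: sanity-check the two PEM files the
// post describes. The paths are assumptions; both files stay outside the web root.
declare(strict_types=1);

const CERT_FILE = '/etc/mysite/service-cert.pem'; // assumed path: certificate only
const KEY_FILE  = '/etc/mysite/service-key.pem';  // assumed path: private key only

/** True if the PEM text carries any "... PRIVATE KEY" block (RSA, EC, PKCS#8, encrypted). */
function pemContainsPrivateKey(string $pem): bool
{
    return (bool) preg_match('/-----BEGIN [A-Z ]*PRIVATE KEY-----/', $pem);
}

/** Returns a list of problems found; an empty list means the files look sane. */
function checkCertificateFiles(string $certFile, string $keyFile): array
{
    $problems = [];
    $certPem = @file_get_contents($certFile);
    $keyPem  = @file_get_contents($keyFile);
    if ($certPem === false || $keyPem === false) {
        return ["could not read $certFile or $keyFile"];
    }

    // 1. The file handed to clients must not contain the private key.
    if (pemContainsPrivateKey($certPem)) {
        $problems[] = "$certFile contains a PRIVATE KEY block; it must not be served";
    }

    // 2. The certificate must parse as X.509 and should not be expired.
    $cert = openssl_x509_read($certPem);
    if ($cert === false) {
        $problems[] = "$certFile is not a parsable X.509 certificate";
    } else {
        $info = openssl_x509_parse($cert);
        if ($info['validTo_time_t'] < time()) {
            $problems[] = 'certificate expired on ' . date('c', $info['validTo_time_t']);
        }
    }

    // 3. The key must parse and must be the key for that certificate.
    $key = openssl_pkey_get_private($keyPem);
    if ($key === false) {
        $problems[] = "$keyFile is not a parsable private key";
    } elseif ($cert !== false && !openssl_x509_check_private_key($cert, $key)) {
        $problems[] = 'the private key does not belong to the certificate';
    }

    // 4. Only the service account should be able to read the key file.
    $perms = fileperms($keyFile);
    if ($perms !== false && ($perms & 0077) !== 0) {
        $problems[] = "$keyFile is readable by group or others; chmod 600 it";
    }

    return $problems;
}

$problems = checkCertificateFiles(CERT_FILE, KEY_FILE);
if ($problems === []) {
    echo "OK: certificate file is key-free and matches the private key\n";
} else {
    foreach ($problems as $p) {
        echo "PROBLEM: $p\n";
    }
    exit(1);
}
```

Run it once from the command line as the account the web service runs under. The same checks can be done by hand: `grep -c 'PRIVATE KEY' service-cert.pem` should print 0 for the certificate file, and `openssl x509 -in service-cert.pem -noout -text` prints the certificate's subject and validity period.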

  2. #2
    Aleksejs (secure webapps for all)
    Join Date
    Apr 2008
    Location
    Riga, Latvia
    Posts
    755
    Actually SSL/TLS does all this - you should not reimplement it yourself (because there are too many "underwater rocks" so to say).
    http://publib.boulder.ibm.com/infoce...c/sy10660_.htm

  3. #3
    mrwooster (SitePoint Evangelist)
    Join Date
    Jan 2006
    Posts
    518
    But how do I implement SSL/TLS on a SOAP web service?

  4. #4
    Aleksejs (secure webapps for all)
    Join Date
    Apr 2008
    Location
    Riga, Latvia
    Posts
    755
    What service platform are you using?
    I have very little knowledge about SOAP, but at least Wikipedia says that:
    SOAP may also be used over HTTPS (which is the same protocol as HTTP at the application level, but uses an encrypted transport protocol underneath) with either simple or mutual authentication; this is the advocated WS-I method to provide web service security as stated in the WS-I Basic Profile 1.1.
    So I think that it's a matter of enabling SSL support on the SOAP server that you are using.
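An added example, not code from the thread or from either poster, of what "enabling SSL support" looks like for a PHP SOAP service (PHP is an assumption drawn from the mcrypt and SOAP references; the endpoint URL, class name and file paths are placeholders). The client is built on an https:// URL with peer and hostname verification turned on and the service's self-signed certificate pinned as its trust anchor, and the endpoint script refuses plain-HTTP requests. TLS termination itself is configured in the web server (Apache, nginx, etc.), not in PHP.

```php
<?php
// Added example, not from the thread: a SoapClient that only talks HTTPS and
// verifies the server certificate, plus the server-side guard. The endpoint URL,
// handler class and CA path are assumptions.
declare(strict_types=1);

/**
 * For a self-signed service certificate, $caFile is a copy of that certificate
 * that the client received out of band (installed with the client code, not
 * downloaded from the service over an unprotected connection).
 */
function makeSecureSoapClient(string $wsdlUrl, string $caFile): SoapClient
{
    if (stripos($wsdlUrl, 'https://') !== 0) {
        throw new InvalidArgumentException("SOAP endpoint must be https://, got $wsdlUrl");
    }
    if (!is_readable($caFile)) {
        throw new RuntimeException("CA file $caFile is not readable");
    }

    $context = stream_context_create([
        'ssl' => [
            'verify_peer'       => true,   // validate the chain against $caFile
            'verify_peer_name'  => true,   // the certificate must match the hostname
            'allow_self_signed' => false,  // self-signed is accepted only via the pinned cafile
            'cafile'            => $caFile,
        ],
    ]);

    return new SoapClient($wsdlUrl, [
        'stream_context' => $context,
        'exceptions'     => true,          // SOAP faults surface as exceptions
        'cache_wsdl'     => WSDL_CACHE_NONE,
    ]);
}

/** Server side: refuse to serve the SOAP endpoint over plain HTTP. */
function requireHttps(): void
{
    $https = $_SERVER['HTTPS'] ?? '';
    if ($https === '' || strtolower($https) === 'off') {
        http_response_code(403);
        header('Content-Type: text/plain');
        exit("This service is only available over HTTPS\n");
    }
}

// --- usage (network-dependent, so shown as comments) -----------------------

// Client, with the assumed endpoint and the pinned copy of the service certificate:
// $client = makeSecureSoapClient('https://www.example.com/soap?wsdl', '/etc/mysite/service-cert.pem');
// $result = $client->__soapCall('submitData', [['payload' => 'hello']]);

// Server, at the top of the endpoint script, before any request handling:
// requireHttps();
// $server = new SoapServer(null, ['uri' => 'https://www.example.com/soap']);
// $server->setClass(MyServiceHandler::class);  // assumed handler class
// $server->handle();
```

Because the certificate is self-signed, the client needs its own trusted copy of it shipped alongside the client code; a certificate fetched from the service over plain HTTP cannot be authenticated, so the copy is distributed out of band. On the server nothing else changes: the same SoapServer code runs, while the web server holds the private key and does the encryption, which is exactly the part the earlier reply says not to reimplement.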

  5. #5
    mrwooster (SitePoint Evangelist)
    Join Date
    Jan 2006
    Posts
    518
    Thanks for the info... I will look into it
