-
Notifications
You must be signed in to change notification settings - Fork 0
Home
Introduction This article studies a mechanism of securing connection between client and server, especially for the service-oriented applications. It points out the cases why using SSL is not enough to guarantee the application security and maintainability. The suggested mechanism is based on the asymmetric encryption algorithms and uses key exchange approach for establishing the secure session between client and server. Without using SSL the web service developer have to take care about the security mechanisms manually, but creating and implementing such a mechanism manually will take some time and efforts from developers. In order to avoid described issue, a reusable library has been created in the scope of the current research; the library can be used by the web service developers to secure web methods by simply adding one additional line in the code. Unlike other mechanisms the suggested one is also generic and can be configured for example to use different encryption algorithms, specific key lengths and other settings, preferred by the developers.
2. Establishing Secure Connection This section describes the mechanism of establishing secure connection between client and server. The secure session establishing process is based on the well knows handshaking approach. First the client requests a secure session from server, server answers with the required session token. Client answers confirming that the session token has been received and adds the user’s authentication credentials (username and password); with the servers final response the secure connection is being established. The Figure 1 below describes the establishing process in more details.
In order to encrypt and decrypt the message we need to extend the level 2 and 7, so the Client Proxy and the Server Dispatcher should be extended. The class that represents the Proxy on the client side implements IClientMessageInspector interface that have defined the following two methods.
- object BeforeSendRequest(ref Message request, IClientChannel channel)
- void AfterReceiveReply(ref Message reply, object correlationState) On the server side the class that represents the Dispatcher implements IDispatchMessageInspector interface with the methods.
- object AfterReceiveRequest(ref Message request, IClientChannel channel, InstanceContext instanceContext)
- void BeforeSendReply(ref Message reply, object correlationState) In the scope of the methods above developer has access to the message (request, reply) and can encrypt (decrypt) the message and add the appropriate message headers. Author suggest the library that contains a base classed for both, Proxy and Dispatcher, so in order to achieve the secure connection between Client and Server the application developer needs to extend from the corresponding classes. There are further instructions for the developers that comes along with the library files, in case if one intend to change the library default settings like default hash, symmetric and asymmetric encryption function providers.