I have a web site with users and their data accordingly.
我有一个网站,其中包含用户及其数据。
What is the safest way to implement web services / API such that users' login credentials and in turn data are secure? oAuth isn't really an option, because usage will not necessarily be in other web apps.
实现Web服务/ API最安全的方法是什么,以便用户的登录凭据和数据安全? oAuth不是一个真正的选择,因为使用不一定在其他网络应用程序中。
My concern is that having the username and password as an input is dangerous to be transmitted plainly, and a token could also be stolen and reused maliciously.
我担心的是,将用户名和密码作为输入是明确传输的危险,并且令牌也可能被盗并被恶意重用。
Do I need to come up with my own method of encrypting and decrypting data, or is there a common practice(s) already in use?
我是否需要提出自己的加密和解密数据的方法,或者是否已经使用了常用的做法?
The whole point is that it's as open as possible for anyone in the world to use, but safe by definition nonetheless. Documentation will be available to everyone to use.
重点是世界上任何人都尽可能地使用它,但是根据定义是安全的。每个人都可以使用文档。
5 个解决方案
#1
There's always the WS-Security standard:
始终存在WS-Security标准:
.NET has its implementations in .NET 1.1 and .NET 2.0 via the Microsoft Web Service Enhancements:
.NET通过Microsoft Web服务增强功能在.NET 1.1和.NET 2.0中实现:
WSE 2.0 (.NET 1.1)
WSE 3.0 (.NET 2.0)
WSE 2.0(.NET 1.1)WSE 3.0(.NET 2.0)
It provides various methods on encrypting the SOAP Envelope before it is sent over the wire, safely transmitting the data inside.
它提供了各种方法来加密SOAP Envelope,然后通过线路发送,安全地传输内部数据。
#2
What about using an SSL connection?
使用SSL连接怎么样?
#3
Don't write your own encryption.
不要编写自己的加密。
What is wrong with a bit of SSL? With "regular" WSDL/SOAP clients (asmx), it isn't uncommon yo use a SOAP header for this (over SSL).
有点SSL有什么问题?对于“常规”WSDL / SOAP客户端(asmx),您可以使用SOAP标头(通过SSL)并不罕见。
With WCF, this is formalised into TransportWithMessageCredential (just search). Of course, you could use certificates, federation, kerberos, etc...
使用WCF,这将形式化为TransportWithMessageCredential(仅搜索)。当然,你可以使用证书,联邦,kerberos等...
In addition to transport security (SSL), WCF also supports message-based security - with the added feature that you can encrypt just the security headers. Personally, I like to keep it simple, with TransportWithMessageCredential (i.e. SSL).
除了传输安全性(SSL)之外,WCF还支持基于消息的安全性 - 增加的功能是您可以仅加密安全头。就个人而言,我喜欢使用TransportWithMessageCredential(即SSL)保持简单。
#4
Any authentication method that's shared with a 3rd party is open to exploitation, you have to draw a line somewhere. Using HTTP/S and WS-* services to secure the connection is probably your best approach. If the service is only going to be accessed by known systems with fixed IP addresses then use firewalling to further secure your box from external interference.
任何与第三方共享的身份验证方法都可以利用,您必须在某处绘制一条线。使用HTTP / S和WS- *服务来保护连接可能是您最好的方法。如果该服务仅由具有固定IP地址的已知系统访问,则使用防火墙进一步保护您的盒子免受外部干扰。
#5
Why don't you use the standard WS-Security for that?
为什么不使用标准的WS-Security呢?
Edit: Just want to add to Justin's answer, that it is also implemented in WCF.
编辑:只想添加到Justin的答案,它也在WCF中实现。
#1
There's always the WS-Security standard:
始终存在WS-Security标准:
.NET has its implementations in .NET 1.1 and .NET 2.0 via the Microsoft Web Service Enhancements:
.NET通过Microsoft Web服务增强功能在.NET 1.1和.NET 2.0中实现:
WSE 2.0 (.NET 1.1)
WSE 3.0 (.NET 2.0)
WSE 2.0(.NET 1.1)WSE 3.0(.NET 2.0)
It provides various methods on encrypting the SOAP Envelope before it is sent over the wire, safely transmitting the data inside.
它提供了各种方法来加密SOAP Envelope,然后通过线路发送,安全地传输内部数据。
#2
What about using an SSL connection?
使用SSL连接怎么样?
#3
Don't write your own encryption.
不要编写自己的加密。
What is wrong with a bit of SSL? With "regular" WSDL/SOAP clients (asmx), it isn't uncommon yo use a SOAP header for this (over SSL).
有点SSL有什么问题?对于“常规”WSDL / SOAP客户端(asmx),您可以使用SOAP标头(通过SSL)并不罕见。
With WCF, this is formalised into TransportWithMessageCredential (just search). Of course, you could use certificates, federation, kerberos, etc...
使用WCF,这将形式化为TransportWithMessageCredential(仅搜索)。当然,你可以使用证书,联邦,kerberos等...
In addition to transport security (SSL), WCF also supports message-based security - with the added feature that you can encrypt just the security headers. Personally, I like to keep it simple, with TransportWithMessageCredential (i.e. SSL).
除了传输安全性(SSL)之外,WCF还支持基于消息的安全性 - 增加的功能是您可以仅加密安全头。就个人而言,我喜欢使用TransportWithMessageCredential(即SSL)保持简单。
#4
Any authentication method that's shared with a 3rd party is open to exploitation, you have to draw a line somewhere. Using HTTP/S and WS-* services to secure the connection is probably your best approach. If the service is only going to be accessed by known systems with fixed IP addresses then use firewalling to further secure your box from external interference.
任何与第三方共享的身份验证方法都可以利用,您必须在某处绘制一条线。使用HTTP / S和WS- *服务来保护连接可能是您最好的方法。如果该服务仅由具有固定IP地址的已知系统访问,则使用防火墙进一步保护您的盒子免受外部干扰。
#5
Why don't you use the standard WS-Security for that?
为什么不使用标准的WS-Security呢?
Edit: Just want to add to Justin's answer, that it is also implemented in WCF.
编辑:只想添加到Justin的答案,它也在WCF中实现。