Webservice for uploading data: security considerations
Posted by Philip Daubmeier on Stack Overflow
Published on 2010-05-02T21:41:40Z
Indexed on 2010/05/02 21:48 UTC
Hi everyone!
I'm not sure what authentication method I should use for my webservice. I've searched on SO and found nothing that helped me.
Preliminary
I'm building an application that uploads data from a local database to a server (running my webservice), where all records are merged and stored in a central database. I am currently binary serializing a DataTable that holds a small fragment of the local database, where all uninteresting stuff is already filtered out. The byte[] (serialized DataTable), together with the user id and a hash of the user's password, is then uploaded to the webservice via SOAP. The application together with the webservice already works exactly as intended.
The Problem
The issue I am thinking about now is: what if someone just sniffs the network traffic, 'steals' the user's id and password hash, and sends his own SOAP message with modified data that corrupts my database?
Options
The approaches to solving that problem that I have already thought of are:
- Using SSL + certificates for establishing the connection:
  - I don't really want to use SSL, I would prefer a simpler solution. After all, all information that is transferred to the webservice can be seen on the website later on. What I want to say is: there is no secret/financial/business-critical information that has to be hidden. I think SSL would be sort of overkill for that task.
- Encrypting the byte[]:
  - I think that would be a performance killer, considering that the goal of the exercise was simply to authenticate the user.
- Hashing the user's password together with the data:
  - I kind of like the idea: creating a checksum from the data, concatenating that checksum with the password hash and hashing this whole thing again. That would ensure the data was sent from this specific user, and the data wasn't modified.
The actual question
So, what do you think is the best approach in terms of meeting the following requirements?
- Rather simple solution (as it doesn't have to be super secure; no secret/business-critical information transferred)
- Easily implementable retrospectively (don't want to write it all again :) )
- Doesn't impact performance too much
What do you think of my preferred solution, the last one in the list above?
Is there any alternative solution I didn't mention that would fit better?
You don't have to answer every question in detail. Just push me in the right direction. I very much appreciate every well-grounded opinion.
Thanks in advance!
© Stack Overflow or respective owner
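
The third option in the question (binding the uploaded byte[] to the user's password hash) sketched as an added example; this is not code from the original post. It substitutes HMAC-SHA256, keyed with the password hash, for the ad hoc "hash the checksum plus the password hash" construction, and it assumes the password hash itself is no longer sent with the request. The names UploadAuth, Sign and Verify, the timestamp field and the 300-second window are assumptions made for the illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added illustration; UploadAuth, Sign and Verify are hypothetical names.
static class UploadAuth
{
    // tag = HMAC-SHA256(key: password hash, msg: len(userId) | userId | time | payload).
    // The password hash is the shared secret and is never put on the wire.
    public static byte[] Sign(byte[] passwordHash, string userId, long unixTime, byte[] payload)
    {
        byte[] id = Encoding.UTF8.GetBytes(userId);
        byte[] msg = new byte[4 + id.Length + 8 + payload.Length];
        // Length-prefix the id so field boundaries cannot be shifted.
        // BitConverter uses the machine's byte order; both ends must agree.
        BitConverter.GetBytes(id.Length).CopyTo(msg, 0);
        id.CopyTo(msg, 4);
        BitConverter.GetBytes(unixTime).CopyTo(msg, 4 + id.Length);
        payload.CopyTo(msg, 12 + id.Length);
        using (var hmac = new HMACSHA256(passwordHash))
            return hmac.ComputeHash(msg);
    }

    // Server side: look up the user's stored password hash, recompute, compare.
    public static bool Verify(byte[] passwordHash, string userId, long unixTime,
                              byte[] payload, byte[] tag, long serverNow, long maxSkewSeconds)
    {
        if (Math.Abs(serverNow - unixTime) > maxSkewSeconds) return false; // outside window
        byte[] expected = Sign(passwordHash, userId, unixTime, payload);
        return CryptographicOperations.FixedTimeEquals(expected, tag);     // constant-time
    }
}

static class Demo
{
    static void Main()
    {
        // Constructed sample values, not data from the post.
        byte[] pwHash;
        using (var sha = SHA256.Create())
            pwHash = sha.ComputeHash(Encoding.UTF8.GetBytes("constructed-password"));
        byte[] payload = Encoding.UTF8.GetBytes("serialized DataTable bytes (constructed)");
        long now = DateTimeOffset.UtcNow.ToUnixTimeSeconds();
        byte[] tag = UploadAuth.Sign(pwHash, "user42", now, payload);
        Console.WriteLine(UploadAuth.Verify(pwHash, "user42", now, payload, tag, now, 300));
        payload[0] ^= 0x01; // payload modified in transit
        Console.WriteLine(UploadAuth.Verify(pwHash, "user42", now, payload, tag, now, 300));
        payload[0] ^= 0x01; // original payload, presented after the time window
        Console.WriteLine(UploadAuth.Verify(pwHash, "user42", now, payload, tag, now + 3600, 300));
    }
}
```

The tag only authenticates the message: the payload still travels in the clear, and an identical message can be replayed inside the time window unless the server also remembers recently seen tags. Because the stored password hash acts as the key, anyone who has already captured it from earlier uploads can produce valid tags until the password is changed.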