Webservice for uploading data: security considerations

Posted by Philip Daubmeier on Stack Overflow
Published on 2010-05-02T21:41:40Z Indexed on 2010/05/02 21:48 UTC

Hi everyone!

I'm not sure which authentication method I should use for my webservice. I've searched on SO and found nothing that helped me.

Preliminary

I'm building an application that uploads data from a local database to a server (running my webservice), where all records are merged and stored in a central database. I am currently binary serializing a DataTable that holds a small fragment of the local database, where all uninteresting stuff is already filtered out. The byte[] (serialized DataTable), together with the userid and a hash of the user's password, is then uploaded to the webservice via SOAP. The application together with the webservice already works exactly as intended.

The Problem

The issue I am thinking about now is: What if someone just sniffs the network traffic, 'steals' the user's id and password hash, and sends his own SOAP message with modified data that corrupts my database?

Options

The approaches to solving that problem that I have already thought of are:

  • Using SSL + certificates for establishing the connection:
    • I don't really want to use SSL; I would prefer a simpler solution. After all, all the information that is transferred to the webservice can be seen on the website later on. What I want to say is: there is no secret/financial/business-critical information that has to be hidden. I think SSL would be sort of overkill for that task.
  • Encrypting the byte[]:
    • I think that would be a performance killer, considering that the goal of the exercise was simply to authenticate the user.
  • Hashing the user's password together with the data:
    • I kind of like the idea: Creating a checksum from the data, concatenating that checksum with the password hash and hashing this whole thing again. That would assure the data was sent from this specific user, and the data wasn't modified.

The actual question

So, what do you think is the best approach in terms of meeting the following requirements?

  • Rather simple solution (as it doesn't have to be super secure; no secret/business-critical information transferred)
  • Easily implementable retrospectively (don't want to write it all again :) )
  • Doesn't impact too much on performance

What do you think of my preferred solution, the last one in the list above?

Is there any alternative solution I didn't mention that would fit better?

You don't have to answer every question in detail. Just push me in the right direction. I very much appreciate every well-grounded opinion.

Thanks in advance!
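
The third option above (a checksum of the data combined with the password hash), sketched as an added C# example that is not part of the original post: it uses HMAC-SHA256 keyed with the password hash in place of a plain hash of the concatenation, and it goes one step beyond the post by binding a timestamp so that an unchanged captured upload expires. The class and parameter names, the 300-second window and the sample values are assumptions, user ids are assumed not to contain `|`, and the scheme only authenticates if the password hash itself is no longer sent with the request.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class UploadAuth // hypothetical helper, not part of the poster's webservice
{
    // Tag = HMAC-SHA256(key: password hash, message: userId | timestamp | SHA256(data)).
    // The password hash acts as the shared key and is never put on the wire.
    public static byte[] ComputeTag(byte[] passwordHash, string userId, long unixTime, byte[] data)
    {
        using (var sha = SHA256.Create())
        using (var hmac = new HMACSHA256(passwordHash))
        {
            byte[] checksum = sha.ComputeHash(data);
            byte[] header = Encoding.UTF8.GetBytes(userId + "|" + unixTime + "|");
            byte[] msg = new byte[header.Length + checksum.Length];
            Buffer.BlockCopy(header, 0, msg, 0, header.Length);
            Buffer.BlockCopy(checksum, 0, msg, header.Length, checksum.Length);
            return hmac.ComputeHash(msg);
        }
    }

    // Server side: reject stale timestamps, recompute the tag from the stored
    // password hash, and compare every byte without an early exit.
    public static bool Verify(byte[] storedPasswordHash, string userId, long unixTime,
                              byte[] data, byte[] tag, long serverNow, long maxSkewSeconds)
    {
        if (Math.Abs(serverNow - unixTime) > maxSkewSeconds) return false;
        byte[] expected = ComputeTag(storedPasswordHash, userId, unixTime, data);
        if (tag == null || tag.Length != expected.Length) return false;
        int diff = 0;
        for (int i = 0; i < expected.Length; i++) diff |= expected[i] ^ tag[i];
        return diff == 0;
    }

    static void Main()
    {
        // Constructed sample values, not taken from the post.
        byte[] pwHash;
        using (var sha = SHA256.Create())
            pwHash = sha.ComputeHash(Encoding.UTF8.GetBytes("example-password"));
        byte[] data = Encoding.UTF8.GetBytes("serialized DataTable bytes");
        long sentAt = 1272836500;
        byte[] tag = ComputeTag(pwHash, "user42", sentAt, data);

        Console.WriteLine(Verify(pwHash, "user42", sentAt, data, tag, sentAt + 5, 300));   // unmodified, in window
        Console.WriteLine(Verify(pwHash, "user42", sentAt, data, tag, sentAt + 900, 300)); // same upload resent later
        data[0] ^= 1;
        Console.WriteLine(Verify(pwHash, "user42", sentAt, data, tag, sentAt + 5, 300));   // payload modified in transit
    }
}
```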
