Encrypting SOAP Messages in .Net
.Net provides a way to write a custom encryption application to encrypt sensitive parts of a SOAP message
by Dan Wahlin

October 2002 Issue

Web Services provide an excellent way to communicate between distributed systems using HTTP GET, HTTP POST, or SOAP. However, all of these communication schemes send data as clear text by default, which is a problem when the data contains sensitive information that must be encrypted. There are several ways to handle encryption, including Secure Sockets Layer (SSL), custom encryption, and a variety of up-and-coming standards such as WS-Security and XML Encryption. While SSL arguably provides the easiest way to encrypt SOAP messages, it encrypts the entire message when only a small part of the message may actually need encrypting. WS-Security looks to be the future for securing SOAP messages in an end-to-end manner, but it is still "in the works" at the time of this writing.

Here I'll demonstrate how to use custom SOAP attributes along with SOAP headers and extensions to encrypt sensitive parts of a SOAP message sent between systems rather than the entire message, as with SSL techniques. This method of encryption allows the message to stay intact while still protecting sensitive data. Although writing a custom encryption application isn't always the best solution, especially since Microsoft will likely release code that will handle this task automatically for you in the future (causing the custom solution to be discarded), it does provide an excellent environment for learning more advanced concepts of .Net Web Services.

Why Encrypt SOAP Messages?
A sample SOAP response message is shown in Listing 1. This message contains unencrypted data that prying eyes could access as the message is transferred over the wire. By using the custom SOAP parameter encryption class we'll discuss here, specific parts of the SOAP message can be encrypted to protect the data during the transfer from the Web service to the client (see Listing 2).

Although there are several ways to encrypt data, the application we're using as an example uses asymmetric (public/private) key encryption. This scheme uses two different keys, referred to as the public and private keys. The private key is used to generate a public key that can be distributed to other applications. By using the public key (along with special encryption objects), applications can encrypt data and send it back to the owner of the private key, where the data can be decrypted and used. The data can be decrypted only by using the private key and is therefore useless without it.
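
The public/private key flow described above, applied to a single element of a SOAP response, as an added example (not the article's own code, which relies on SOAP extensions and custom attributes). It uses the RSA classes of current .NET; the element names and the sample response are constructed for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Xml;

static class SoapFieldEncryption
{
    // Service side: replace one element's text with base64 RSA ciphertext.
    public static void EncryptElement(XmlDocument doc, string name, RSAParameters publicKey)
    {
        XmlNode node = doc.GetElementsByTagName(name)[0]
            ?? throw new ArgumentException("element not found: " + name);
        using RSA rsa = RSA.Create();
        rsa.ImportParameters(publicKey);
        byte[] plain = Encoding.UTF8.GetBytes(node.InnerText);
        // RSA-OAEP with SHA-256 encrypts at most keyBytes - 2*32 - 2 bytes
        // (190 bytes for a 2048-bit key); larger values need a hybrid scheme.
        int max = rsa.KeySize / 8 - 2 * 32 - 2;
        if (plain.Length > max)
            throw new ArgumentException("value too long for direct RSA encryption");
        byte[] cipher = rsa.Encrypt(plain, RSAEncryptionPadding.OaepSHA256);
        node.InnerText = Convert.ToBase64String(cipher);
    }

    // Client side: only the holder of the private key can recover the value.
    public static string DecryptElement(XmlDocument doc, string name, RSA privateKey)
    {
        XmlNode node = doc.GetElementsByTagName(name)[0]
            ?? throw new ArgumentException("element not found: " + name);
        byte[] cipher = Convert.FromBase64String(node.InnerText);
        return Encoding.UTF8.GetString(
            privateKey.Decrypt(cipher, RSAEncryptionPadding.OaepSHA256));
    }

    static void Main()
    {
        // Constructed sample response; element names are hypothetical.
        var doc = new XmlDocument();
        doc.LoadXml(
            "<soap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">" +
            "<soap:Body><GetCustomerResponse xmlns=\"urn:example\">" +
            "<Name>Jane Doe</Name><CreditCardNumber>4111111111111111</CreditCardNumber>" +
            "</GetCustomerResponse></soap:Body></soap:Envelope>");

        using RSA clientKey = RSA.Create(2048);                  // private key never leaves the client
        RSAParameters publicOnly = clientKey.ExportParameters(false); // public half sent to the service

        EncryptElement(doc, "CreditCardNumber", publicOnly);
        Console.WriteLine(doc.OuterXml); // Name stays readable; CreditCardNumber is ciphertext
        Console.WriteLine(DecryptElement(doc, "CreditCardNumber", clientKey));
    }
}
```

The rest of the envelope stays in clear text and is not integrity-protected, so this protects only the confidentiality of the chosen element.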
