RSS Feed
Download our iPhone app
Browse DevX
Sign up for e-mail newsletters from DevX


Implement Secure .NET Web Services with WS-Security : Page 4

Implement secure .NET Web services by digitally signing, encrypting, and adding security credentials to SOAP messages.

Encrypting SOAP Messages
When you use the Web service infrastructure provided by the .NET Framework, Web service calls are not encrypted. That means anyone who understands Internet protocols can read your messages and change them! When such a message is signed with a signature, as shown in the previous section, the attacker has no chance to compromise it—but he can still read the content of the SOAP call!

To avoid this security risk you can encrypt the SOAP bodies of your messages, so that a network sniffer cannot read them. An attacker will see only unimportant chars and will not be able to reconstruct the original SOAP call.

For the encryption of SOAP messages the WSE offers you the following three possibilities:

  • Use an X.509 certificate
  • Use a shared secret
  • Use a custom binary token
  • The Web service itself must provide a class that implements the interface IDecryptionKeyProvider:

    public interface IDecryptionKeyProvider
       public DecryptionKey GetDecryptionKey(
         String algorithmUri, 
         KeyInfo keyInfo);

    When the WSE runtime decrypts a SOAP request, it calls the method GetDecryptionKey. This method must return a key that can decrypt the request. If this key cannot, because you perhaps supplied a wrong key, the Web service rejects the request and throws an exception of type SoapException.

    The following listing shows the required code to implement the IDecryptionKeyProvider interface. The function GetDecryptionKey returns a key based on the Triple-DES-Algorithm:

    public DecryptionKey GetDecryptionKey(String algorithmUri, 
       KeyInfo keyInfo)
       byte [] keyBytes = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 
          12, 13, 14, 15, 16 };
       byte [] ivBytes = { 1, 2, 3, 4, 5, 6, 7 };
       foreach (KeyInfoClause clause in keyInfo)
          if (((KeyInfoName)clause).Value == Solvion Symmetric 
             SymmetricAlgorithm algo = new 
             algo.Key = keyBytes;
             algo.IV = ivBytes;
             SymmetricDecryptionKey key = new 
             return key;
       return null;

    The class implementing the interface also must be registered in the file web.config, as shown here:

                WebService1 />

    The Web method itself is programmed as simply as possible:

    public String EncryptedSoapMessage()
       SoapContext requestContext = 
       String strResult = ;
       if (requestContext != null)
          strResult = Hello World from my encrypted Web 
       return strResult;

    In the client code, I have written the method GetEncryptionKey, which returns the key for the encryption of the SOAP message. This key is then added to the proxy of the Web service, so that the WSE can encrypt the SOAP call:

    private void CallEncryptedSoapMessage()
       MyProxyClass proxy = new MyProxyClass();
       SoapContext requestContext = proxy.RequestSoapContext;
       EncryptionKey key = GetEncryptionKey();
          requestContext.Timestamp.Ttl = 60000;
       catch (SoapException ex)

    When you are debugging the Web service call, you can see that the method GetDecryptionKey is called before the Web method is executed. When you provide an incorrect key in the client code, you see that the WSE automatically rejects the call to the Web method. When you take a closer look at the trace files, you see that the whole body of the SOAP request is encrypted and it cannot be decrypted without the right key.

    The Cornerstone of the GXA
    This article has given you a brief introduction to the WSE and has shown how you can program secure Web services using WS-Security. This current WSE release offers you the possibilities to sign and encrypt Web service requests. Its actual implementation is the cornerstone of the GXA architecture, which provides many more proposal standards for Web services infrastructure issues.

    Klaus Aschenbrenner is CEO of Solvion, a company that specializes in designing and programming enterprise applications based on the .NET Framework and Windows 2003. Find further information about him and his projects at www.csharp.at. You can reach Klaus by e-mail at Klaus.Aschenbrenner@csharp.at.
    Email AuthorEmail Author
    Close Icon
    Thanks for your registration, follow us on our social networks to keep up-to-date