LANGUAGES: All .NET Languages
ASP.NET VERSIONS: All
Built-in HTTP Security
Authentication and SSL
By Don Kiely
One of the most common network protocols in use today is HTTP - the Web's Hypertext Transfer Protocol. When using HTTP for transmitting XML across the network, such as for Web services or other uses on the Web, you can use the security features built into HTTP. There are two basic HTTP security options: authentication and Secure Sockets Layer (SSL).
Authentication is the process of making sure that whoever is trying to access a resource is who they say they are. On the Web, this includes actions such as a user trying to load a Web page into a browser, or an application invoking a Web service. There are three authentication schemes in wide use: Anonymous, Basic, and Operating System.
Anonymous Authentication. Anonymous authentication is really the lack of authentication. If this option is enabled on the Web server (a server that receives and handles requests via HTTP), the request is associated with a particular login account on the server. If that login has the appropriate permissions to respond to the request, the server fulfills the request. If it doesn't, and no other authentication scheme is active on the server, the server returns an error message to the requestor.
If other authentication schemes are enabled on the server, it returns via HTTP information about the schemes it can accept.
Basic Authentication. Basic authentication is an Internet standard, so it is available in most browsers and tools that communicate via HTTP. It requires the requestor to supply a user name and password, which the client encodes with base64 before sending them in the request. The scheme is variously described as "transmitting the password in clear text" over the Internet and as "weakly encrypted." Each description has a kernel of truth, but base64 is a reversible encoding, not encryption: anyone who can read the request can recover the password, so you cannot rely on this encoding to keep your credentials confidential. Nor does Basic authentication do anything to hide or protect the data exchanged between the server and the requestor.
Operating System Authentication. Web servers can also take advantage of authentication built into the operating system on which they run. This means that if the requestor is already authenticated against the network (a user has logged into the network), the Web server can accept those network credentials as sufficient authentication.
Secure Sockets Layer
Authentication is the first part of allowing a user or application to access a resource via HTTP. But the data itself, by default, is transmitted in clear text. For confidential XML data, you can also sign and encrypt your data by using Secure Sockets Layer (SSL) with HTTP. SSL requires that you obtain a digital certificate from either a trusted third-party certificate authority (CA) such as Verisign or, within an enterprise, an in-house certificate server. Once you obtain the certificate, you install it on the Web server. From then on, requests to resources with SSL activated are strongly encrypted and signed. This means that even if someone used a packet sniffer to examine TCP/IP packets as they pass across the Internet, they would be unable to read the data or make sense of it without spending thousands of years of a mainframe's time breaking the encryption.
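The following is an added example, not code from the article or from ASP.NET; it is written in Python rather than a .NET language so it runs anywhere, and the realm name, the credential store and the handle_request function are assumptions for illustration. It shows two things the sections above describe: that the base64 used by Basic authentication is trivially reversible (decode_basic_credentials recovers the password from the header, including the RFC 7617 case of a password containing a colon), and how a server advertises its accepted schemes with a 401 challenge and refuses Basic credentials unless the connection is protected by SSL/TLS.

```python
import base64
import binascii
import hmac

# Constructed credential store (user name -> password) so the example is
# self-contained. A real server would store salted password hashes, never
# plaintext.
USERS = {"alice": "s3cret-pass:with-colon"}

REALM = "example"  # assumed realm name for the WWW-Authenticate challenge


def encode_basic_credentials(user, password):
    """Build the 'Authorization' header value a Basic-auth client sends."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def decode_basic_credentials(header_value):
    """Split an 'Authorization: Basic <base64>' value into (user, password).

    Returns None if the value is not a well-formed Basic credential.
    The decode step is the whole point: base64 is reversible encoding,
    not encryption, so anyone who sees the header sees the password.
    """
    parts = header_value.split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None
    try:
        raw = base64.b64decode(parts[1], validate=True)
        text = raw.decode("utf-8")
    except (binascii.Error, ValueError):
        return None
    # RFC 7617: the user-id may not contain ':', but the password may,
    # so split only at the first colon.
    if ":" not in text:
        return None
    user, _, password = text.partition(":")
    return user, password


def handle_request(headers, is_tls):
    """Return (status, response_headers) for a request carrying `headers`.

    - No credentials: 401 with a WWW-Authenticate challenge, which is how
      the server tells the client which schemes it accepts.
    - Malformed credentials: 400.
    - Basic credentials on a plain HTTP connection: 403, because the
      password has already crossed the network in recoverable form.
    - Otherwise the password is checked with a constant-time comparison.
    """
    challenge = {"WWW-Authenticate": f'Basic realm="{REALM}"'}
    auth = headers.get("Authorization")
    if auth is None:
        return 401, challenge
    creds = decode_basic_credentials(auth)
    if creds is None:
        return 400, {}
    if not is_tls:
        return 403, {}
    user, password = creds
    # Compare against an empty string for unknown users so the timing of
    # the check does not reveal whether the user name exists.
    expected = USERS.get(user, "")
    match = hmac.compare_digest(password.encode("utf-8"), expected.encode("utf-8"))
    if user not in USERS or not match:
        return 401, challenge
    return 200, {}


if __name__ == "__main__":
    header = encode_basic_credentials("alice", "s3cret-pass:with-colon")
    print("client sends:", header)
    print("anyone on the wire recovers:", decode_basic_credentials(header))
    print("over TLS:", handle_request({"Authorization": header}, is_tls=True))
    print("over plain HTTP:", handle_request({"Authorization": header}, is_tls=False))
```

Running the script prints the encoded header, the recovered user name and password, a 200 result for the request over TLS and a 403 for the same header over plain HTTP; the third print line is the concrete form of the "clear text" description in the Basic Authentication section.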
Don Kiely is senior technology consultant for Information Insights, a business and technology consultancy in Fairbanks, AK. E-mail him at mailto:[email protected].