I have a web service that is outward-facing, however I need to generate a verification system to ensure that a request came from a valid client.

Let’s say the original web service is defined as follows:

[OperationContract] public void Service.RequestMethod (string clientId, int reqNumber,     string reqText) {     // do stuff with the parameters } 

I want to make sure that the request actually came from the client specified by the clientId parameter.

My current plan is to add another parameter to the method signature, giving a checksum of sorts.

[OperationContract] public void Service.RequestMethod (string clientId, int reqNumber,     string reqText, string reqChecksum) {     // verify reqChecksum, then     // do stuff with the parameters } 

I need a function that verifies that the checksum was calculated by the approved client. It should be calculated on the reqNumber and reqText parameters as well as a client-specific ‘password’ known by both client and server.

In effect, it should be:

private bool VerifyChecksum(int reqNumber, string reqText,     string clientPassword, string reqChecksum) {     // hash reqNumber, reqTxt, and clientPassword     // ensure it matches reqChecksum } 

Does anyone have any suggestions for this hashing function or the model as a whole?

It needs to be message-specific, client-specific, and hard to guess (high entropy).