Secure webservices in WCF
Background
- We want to create a secure WCF service that does encryption/decryption of data. The nature of the data that will be encrypted and decrypted requires the highest level of security possible.
- Consumers of this service will be applications within our network. They will be ASP.NET websites, other WCF services, console applications and possibly Java-based applications running on Linux.
- Consumers will be running on local computer accounts that don't have any domain membership.
I have done a lot of reading about WCF security and do understand the concepts to a large extent. I am looking for a reference architecture that has worked well for others with similar needs.
Question
- What authentication method should I use, given that the new WCF service cannot depend on any database etc. to store credentials, and also cannot depend on consumers being members of a Windows domain? I should be able to identify the consumer correctly within the service because the functionality will change slightly depending on who the consumer is.
- What type of transfer security should I use: transport, message or mixed? Do any of these have performance considerations?
- What else should I be thinking about?
Hope it helps!
EDITED:
The header value should be a private one. Only you and your client should know about it. It's like this: if I know your Gmail password, it will not take long to find out your login.
If you don't think it is secure enough you may skip the custom header and map each client to an IP or a set of IPs. For example, IP 12.32.456.10 corresponds to client A. Then you can store these mappings in a custom config file section, and you can encrypt this section so that even people who have access to your service files can't get the mappings.
Don’t forget to mark the answer as helpful if it is 😉
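The two identification schemes the answer describes (a private custom header value, or a mapping from caller IP address to client, kept in an encrypted config section) put into one WCF service. This is an added example written for this page, not code from the answer above; the contract name `ICryptoService`, the header name/namespace, the section names `clientKeys` and `clientAddresses`, and the client ids are assumptions. The mapping sections use the built-in `NameValueSectionHandler`, and `ProtectMappings` encrypts them in place with the DPAPI provider so the plaintext never sits in the config file on disk.

```csharp
// Added example (not from the original answer). Assumed names: ICryptoService,
// the "ClientKey" header, and config sections "clientKeys" / "clientAddresses".
//
// Expected app.config (constructed for this example):
//   <configSections>
//     <section name="clientKeys"      type="System.Configuration.NameValueSectionHandler"/>
//     <section name="clientAddresses" type="System.Configuration.NameValueSectionHandler"/>
//   </configSections>
//   <clientKeys>      <add key="long-random-secret-for-A" value="ClientA"/> </clientKeys>
//   <clientAddresses> <add key="10.0.0.15"                value="ClientA"/> </clientAddresses>
using System;
using System.Collections.Generic;
using System.Collections.Specialized;
using System.Configuration;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.Text;

[ServiceContract]
public interface ICryptoService
{
    // Returns the client id the service resolved for the caller.
    [OperationContract]
    string WhoAmI();
}

public class CryptoService : ICryptoService
{
    public string WhoAmI()
    {
        OperationContext ctx = OperationContext.Current;
        // Prefer the private header; fall back to the caller's address mapping.
        string client = ClientIdentifier.FromHeader(ctx) ?? ClientIdentifier.FromRemoteAddress(ctx);
        if (client == null)
            throw new FaultException("Unknown consumer");   // deny by default
        return client;
    }
}

public static class ClientIdentifier
{
    // Header the client must add to every message (assumed name and namespace).
    public const string HeaderName = "ClientKey";
    public const string HeaderNs = "urn:example:client-auth";

    // secret header value -> client id, and caller IP -> client id, loaded once.
    static readonly Dictionary<string, string> keyToClient = LoadSection("clientKeys");
    static readonly Dictionary<string, string> ipToClient = LoadSection("clientAddresses");

    public static string FromHeader(OperationContext ctx)
    {
        int i = ctx.IncomingMessageHeaders.FindHeader(HeaderName, HeaderNs);
        if (i < 0) return null;
        string presented = ctx.IncomingMessageHeaders.GetHeader<string>(i);
        // Compare against every known secret in fixed time so response timing
        // does not leak how many leading bytes of a guess were right.
        foreach (KeyValuePair<string, string> kv in keyToClient)
            if (FixedTimeEquals(kv.Key, presented)) return kv.Value;
        return null;
    }

    public static string FromRemoteAddress(OperationContext ctx)
    {
        var ep = ctx.IncomingMessageProperties[RemoteEndpointMessageProperty.Name]
                 as RemoteEndpointMessageProperty;
        if (ep == null) return null;   // transport did not supply a remote address
        string client;
        return ipToClient.TryGetValue(ep.Address, out client) ? client : null;
    }

    // Reads a NameValueSectionHandler section; ConfigurationManager decrypts a
    // protected section transparently, so the service code never sees ciphertext.
    static Dictionary<string, string> LoadSection(string name)
    {
        var section = ConfigurationManager.GetSection(name) as NameValueCollection;
        if (section == null)
            throw new ConfigurationErrorsException("Missing config section: " + name);
        var map = new Dictionary<string, string>(StringComparer.Ordinal);
        foreach (string key in section.AllKeys) map[key] = section[key];
        return map;
    }

    static bool FixedTimeEquals(string a, string b)
    {
        byte[] x = Encoding.UTF8.GetBytes(a), y = Encoding.UTF8.GetBytes(b);
        int diff = x.Length ^ y.Length;
        for (int i = 0; i < x.Length && i < y.Length; i++) diff |= x[i] ^ y[i];
        return diff == 0;
    }

    // One-time deployment step: encrypt both mapping sections with DPAPI so a
    // reader of the config file gets only <EncryptedData>. For an IIS-hosted
    // service use WebConfigurationManager.OpenWebConfiguration("~") instead.
    public static void ProtectMappings(string exePath)
    {
        Configuration config = ConfigurationManager.OpenExeConfiguration(exePath);
        foreach (string name in new[] { "clientKeys", "clientAddresses" })
        {
            ConfigurationSection s = config.GetSection(name);
            if (!s.SectionInformation.IsProtected)
                s.SectionInformation.ProtectSection("DataProtectionConfigurationProvider");
        }
        config.Save(ConfigurationSaveMode.Modified);
    }
}
```

A client adds the header inside an `OperationContextScope` around the call: `OperationContext.Current.OutgoingMessageHeaders.Add(MessageHeader.CreateHeader(ClientIdentifier.HeaderName, ClientIdentifier.HeaderNs, secret))`. Two caveats a practitioner should keep in mind: the header value travels in the message, so the binding must use transport (TLS) or message security or the secret is readable on the wire; and `RemoteEndpointMessageProperty.Address` is the address of whatever connected to the service, so behind a load balancer or reverse proxy the IP mapping identifies the proxy, not the consumer.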