security - Can using self-signed certificates with WCF be secure? -


imagine moment we're using classic asymmetric encription wcf (private/public key pairs). it's secure until private keys aren't stolen. don't need trust chains between keys, right? client needs know server's public key , vice versa.

a problem arises if client doesn't know server's public key in advance , gets on first access. here have risk actual server "man-in-the-middle" instead of real server. here need certificates. client accesses server, gets certificate (which contains public key) , validates it.

for validation client needs make sure server's certificate issued particular server. , here need trust chains. right?

if client accessing server via wcf messagesecurity.mode=certificate knowns in advance server's certificate (its public key), can communication secure if certificate self-signed?

usualy it's believed using self-signed certifacate not secure , should avoided in production.
why? if client knows expected public key gets certificate, treats trusted (by matching public key expected one) doesn't cancel fact server must encypt payload private key. , cypher can decrypted successfuly pulbic key if , if private key , public key created together.

can see flaws in reasoning?

if it's correct can sure using custom x509certifacatevalidator , setting client proxy's clientcredentials.servicecertificate.defaultcertificate fixed (on client) x509certificate secure?

custom x509certifacatevalidator this:

public class customcertificatevalidator : x509certificatevalidator {     private readonly x509certificate2 m_expectedcertificate;      public customcertificatevalidatorbase(x509certificate2 expectedcertificate)     {         m_expectedcertificate = expectedcertificate;     }      public override void validate(x509certificate2 certificate)     {         argumentvalidator.ensureargumentnotnull(certificate, "certificate");          if (certificate.thumbprint != m_expectedcertificate.thumbprint)             throw new securitytokenvalidationexception("certificated not issued trusted issuer");     } }

yes, understanding correct, misses 1 thing - things change on time. if server's private key disclosed or server's certificate becomes invalid in other way (whatever), pki offers mechanism certificate revocation , revocation checking. , self-signed certificates not possible (at least without building custom pki infrastructure).

one way address problem create custom self-signed certificate used ca certificate. use certificate sign server certificate , put revocation information ca certificate. add ca certificate trusted on client side, , perform validation of server's certificate against ca certificate , check revocation. means have either publish crls on (possibly private) web server, or run ocsp responder.


Comments

Post a Comment

Popular posts from this blog

asp.net - repeatedly call AddImageUrl(url) to assemble pdf document -

i'm using abcpdf , i'm curious if can recursively call addimageurl() function assemble pdf document compile multiple urls? something like: int pagecount = 0; int theid = thedoc.addimageurl("http://stackoverflow.com/search?q=abcpdf+footer+page+x+out+of+", true, 0, true); //assemble document while (thedoc.chainable(theid)) { thedoc.page = thedoc.addpage(); theid = thedoc.addimagetochain(theid); } pagecount = thedoc.pagecount; console.writeline("1 document page count:" + pagecount); //flatten document (int = 1; <= pagecount; i++) { thedoc.pagenumber = i; thedoc.flatten(); } //now try again theid = thedoc.addimageurl("http://stackoverflow.com/questions/1980890/pdf-report-generation", true, 0, true); //assemble document while (thedoc.chainable(theid)) { thedoc.page = thedoc.addpage(); theid = thedoc.addimagetoc...
Read more

java - Android recognize cell phone with keyboard or not? -

in android app, want detect user's device if device has keyboard(like motorola milestone) , show corresponding user interface. guys know how that? ! regards justicepenny http://developer.android.com/reference/android/content/res/configuration.html public int keyboard the kind of keyboard attached device. 1 of: keyboard_nokeys, keyboard_qwerty, keyboard_12key. that's it!
Read more

iphone - How would you achieve a LED Scrolling effect? -

how achieve led scrolling effect example below? led sign - led ticker emulator iphone , ipad http://img.skitch.com/20101201-rsfh4p1bajb1wp94k466pdpiuj.preview.jpg sometimes remunerates comment in other posts :) have put code you, should implement font '8pin matrix' realistic feeling. uilabel *label; - (void)viewdidload { [super viewdidload]; label = [[uilabel alloc]initwithframe:cgrectmake(10, 50, 300, 20)]; label.font = [uifont fontwithname:@"courier-bold" size:16.0]; label.backgroundcolor = [uicolor blackcolor]; label.textcolor = [uicolor greencolor]; label.linebreakmode = uilinebreakmodecharacterwrap; // otherwise "…" label.text = @"this led text scrolled "; // blanks space between [self.view addsubview:label]; [nstimer scheduledtimerwithtimeinterval:0.12f target:self selector:@selector(scrolllabel) use...
Read more