
Is there a security bug in MY wcf application?

Developer https://www.devze.com 2023-03-25 00:55 Source: Internet
I did WCF username/password authentication for my SOA application. The security mode is Message, and the key is an X.509 certificate with a 4096-bit RSA key. Every client has the same key in its config file:

<certificate encodedValue="VeryVeryBigRsaKey" />

I am curious whether, for example, one application user who has the VeryVeryBigRsaKey can sniff the packets of other users that share the same key (VeryVeryBigRsaKey). If yes, I think it is a very serious issue, and I have to change the security mode to TransportWithMessageCredential.

EDIT:

I generated my key using Pluralsight SelfCert and exported it into a *.cer file with Base64 encoding. I opened the generated *.cer with Notepad, and that gave me the RSA key (VeryVeryBigRsaKey) :)


I think you mean that you use the UserName credential type, and the <certificate> element is used to identify the server so that the client can trust that it gets the message from the correct server.

If another user wants to sniff the packets, he needs the server certificate, which can only be owned by the real server.

Therefore, there is no reason for your concern.


The configuration you refer to is, I think, in the endpoint identity element. If so, this represents the identity of the service, which the client stack will check before communicating with the server. It therefore has to be the same on every client.

The keys used to secure message traffic are derived from the client credentials. Your fears based on this certificate identity are groundless.


I'm sure there is a security bug in WCF but this isn't it.

The certificate is used to

a) verify the server
b) encrypt a client-generated symmetric key and send it to the server

Another client cannot break into this.

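The mechanism the answers describe (the encodedValue is the server's public certificate; a client wraps its own symmetric key with it; only the holder of the private key can unwrap it) can be checked directly. The following is an added example and is not code from the original post or from any of the answers. It assumes .NET 6 or later, builds a self-signed certificate in memory as a stand-in for what SelfCert produces, and exports it with X509ContentType.Cert, which is the same public-only DER that a Base64 .cer file contains. The names WcfCertCheck, MakeServerCert, WrapSessionKey, OtherClientCanUnwrap and ServerUnwrap are hypothetical.

```csharp
// Added example, not part of the original question or answers.
// Assumes .NET 6+. All certificates and keys are generated in memory.
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class WcfCertCheck
{
    // Stand-in for "SelfCert, then export as Base64 .cer": a self-signed
    // certificate whose public part is DER-encoded and Base64'd, exactly what
    // ends up in <certificate encodedValue="..."/>. The private key stays
    // with the service process (serverCert) and never enters the string.
    static (X509Certificate2 serverCert, string encodedValue) MakeServerCert()
    {
        RSA rsa = RSA.Create(4096);
        var req = new CertificateRequest("CN=service.example", rsa,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        X509Certificate2 cert = req.CreateSelfSigned(
            DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddYears(1));

        // X509ContentType.Cert exports the certificate only, never the private key.
        string encoded = Convert.ToBase64String(cert.Export(X509ContentType.Cert));
        return (cert, encoded);
    }

    // What every client does under Message security: generate a symmetric key
    // and wrap it with the server's public key, which is all the .cer holds.
    static byte[] WrapSessionKey(string encodedValue, byte[] sessionKey)
    {
        using var cert = new X509Certificate2(Convert.FromBase64String(encodedValue));
        using RSA pub = cert.GetRSAPublicKey()!;
        return pub.Encrypt(sessionKey, RSAEncryptionPadding.OaepSHA256);
    }

    // What a second client holding the same config value can do with another
    // client's wrapped key: nothing. The loaded certificate has no private key.
    static bool OtherClientCanUnwrap(string encodedValue, byte[] wrapped)
    {
        using var cert = new X509Certificate2(Convert.FromBase64String(encodedValue));
        if (!cert.HasPrivateKey) return false;      // the case for any .cer export
        using RSA? priv = cert.GetRSAPrivateKey();
        if (priv is null) return false;
        priv.Decrypt(wrapped, RSAEncryptionPadding.OaepSHA256);
        return true;
    }

    // Only the service, which holds the private key, recovers the session key.
    static byte[] ServerUnwrap(X509Certificate2 serverCert, byte[] wrapped)
    {
        using RSA priv = serverCert.GetRSAPrivateKey()!;
        return priv.Decrypt(wrapped, RSAEncryptionPadding.OaepSHA256);
    }

    static void Main()
    {
        var (serverCert, encodedValue) = MakeServerCert();

        // Client A's session key, wrapped for the service.
        byte[] sessionKey = RandomNumberGenerator.GetBytes(32);
        byte[] wrapped = WrapSessionKey(encodedValue, sessionKey);

        using var configCert = new X509Certificate2(Convert.FromBase64String(encodedValue));
        Console.WriteLine($"config cert carries a private key: {configCert.HasPrivateKey}");
        Console.WriteLine($"client B can unwrap A's key:        {OtherClientCanUnwrap(encodedValue, wrapped)}");
        bool serverOk = CryptographicOperations.FixedTimeEquals(
            sessionKey, ServerUnwrap(serverCert, wrapped));
        Console.WriteLine($"service recovers A's key:           {serverOk}");
    }
}
```

The practical check for the asker's setup is the HasPrivateKey test on the loaded encodedValue: a certificate exported as a .cer (or pasted from a Base64 .cer into the config) contains only the public key, so distributing the same value to every client reveals nothing that lets one client unwrap another's session key. What must stay private is the service's key material (a .pfx or a machine-store key), not the config string.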