VSTS, Oslo, INETA, ASP.NET, Debugging .NET Applications, Tips and Tricks

January 18, 2005

WSE send encrypted password

William Stacey points out one major problem when using SendHashed and SendNone options. They are both vulnerable to dictionary attack. As he offers to present a solution using custom UsernameTokenManager and Crypto API, I would recommend that you implement SecureConversation and use option SendPlainText. This way your calls can be automatically authorized depending on their group membership. The only drawback is that you must have server certificate, but you can always generate one with makecert.exe util.

# posted by Martin Kulov @ 7:24 PM

Share |







|

<< Home

This page is powered by Blogger. Isn't yours?

  




Calendar Martin Kulov's Calendar   RSS Aggregate this blog




Recent posts



Locations of visitors to this page



History

November 2004
December 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
December 2007
January 2008
February 2008
March 2008
April 2008
June 2008
July 2008
August 2008
October 2008
November 2008
January 2009
February 2009
March 2009
April 2009
May 2009
June 2009
July 2009
August 2009
September 2009
October 2009
November 2009
December 2009
January 2010
 
Copyright © 2004-2008 CodeAttest Ltd. All Rights Reserved.
<%-- Google Analytics code --%> <%-- Google Analytics code --%>