SessionEncryptionKey Best Practices

kimj
IdeaBlade
Joined: 09-May-2007
Posts: 1391
Posted: 08-Dec-2008 at 7:38pm
Out-of-the-box, DevForce does not use a secure binding for communications between client applications and a BOS, but this is easily done by using a .config file containing WCF ServiceModel configuration.  Here are some sample configuration files showing various security options.  We don't yet have an end-to-end tutorial, but that will be coming within the next release or so.
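As an added illustration of the WCF ServiceModel configuration kimj refers to above and of the "use SSL or customize the binding stack" advice further down the thread (this is not the sample files from the post and not DevForce's own configuration), here is a fragment contrasting an unsecured binding with one that uses TLS transport security, so that the whole message rather than only the SessionBundle credentials is protected in transit. The service and contract type names and the address are placeholders.

```xml
<configuration>
  <system.serviceModel>
    <bindings>
      <wsHttpBinding>
        <!-- Weak, shown only for contrast: no transport or message security.
             Only the SessionBundle credentials are AES-encrypted by DevForce;
             every other field of every call crosses the network in clear text. -->
        <binding name="BosPlainBinding">
          <security mode="None" />
        </binding>
        <!-- Hardened: TLS on the transport. The entire message, not just the
             credentials, is encrypted, and the server is authenticated by its
             certificate. -->
        <binding name="BosTlsBinding">
          <security mode="Transport">
            <transport clientCredentialType="None" />
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>
    <services>
      <!-- PLACEHOLDER names: substitute the actual BOS service and contract types. -->
      <service name="PLACEHOLDER.BosServiceType">
        <endpoint address="https://bos.example.com/PLACEHOLDER"
                  binding="wsHttpBinding"
                  bindingConfiguration="BosTlsBinding"
                  contract="PLACEHOLDER.IBosContract" />
      </service>
    </services>
    <client>
      <!-- Client side must select the same secured binding configuration. -->
      <endpoint name="BosClient"
                address="https://bos.example.com/PLACEHOLDER"
                binding="wsHttpBinding"
                bindingConfiguration="BosTlsBinding"
                contract="PLACEHOLDER.IBosContract" />
    </client>
  </system.serviceModel>
</configuration>
```

When the BOS is self-hosted (a Windows Service rather than IIS), the server certificate must also be bound to the listening port at the HTTP.SYS level (netsh http add sslcert on Vista/Server 2008, httpcfg on earlier Windows) before an https endpoint will start.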

kimj
IdeaBlade
Joined: 09-May-2007
Posts: 1391
Posted: 05-Dec-2008 at 1:35pm
Haven't tried SSL outside of IIS, but I'd guess it would work with a Windows Service too.

I'll need to check around for any examples; we might have to whip up something for you.

dkearney1
Newbie
Joined: 20-Jul-2007
Location: United States
Posts: 27
Posted: 05-Dec-2008 at 12:12pm
Got it, the SessionBundle is what's protected out-of-the-box.

"... use SSL or customize the binding stack to add security features."

Can this or can it not be done when using the BOS as a service (ServerService.v4.exe)?

Where would I find examples?
Dan
“In anything at all, perfection is finally attained not when there is no
longer anything to add, but when there is no longer anything to take away.”
Saint-Exupéry
Wind, Sand, and Stars

kimj
IdeaBlade
Joined: 09-May-2007
Posts: 1391
Posted: 05-Dec-2008 at 10:58am
The SessionBundle stores encrypted credentials, and those credentials will be encrypted using the SessionEncryptionKey if provided; otherwise a default hardcoded key is used. The SessionBundle is created by a Login call (whether performed explicitly or implicitly by the framework), and then passed as part of the message in all subsequent calls.

The encryption key is actually used to generate a salted hash key, which is then used to encrypt the credentials using AES. The default hardcoded key can be obtained from the DevForce assemblies using a disassembler, which is why you might want to specify your own SessionEncryptionKey.

Since encryption is done only on the credentials, if you need to secure the entire message you should use SSL or customize the binding stack to add security features.

dkearney1
Newbie
Joined: 20-Jul-2007
Location: United States
Posts: 27
Posted: 04-Dec-2008 at 8:38pm
I'm looking for more information on the use and effects of the SessionEncryptionKey attribute of the ObjectServer node in the app.config.

Is there a good reason to override the default?
Is it a random string?
Does it protect only the SessionBundle, or does it protect all data passed between the client and the BOS?

In the end I want to tell my customers that I'm doing my part to protect their data as it's travelling through the wild, and I'm not sure I understand enough to say so confidently.
Dan