
I am planning to work on an ASP.NET/C# RESTful Web API 2 project. One of the REST actions receives "username" and "password" via the GET method. The value of "password" passed in the query string needs to be protected from REST client programmers/consumers. The "password" passed in the query string (please see a sample REST call below) is sensitive data entered by a non-technical user who is not a REST client programmer but who is using the REST client programmers' software applications.

REST client programmers are RESTful web service consumers who write software applications on any device platform and in any programming language (Java, C++, Objective-C, C, PHP, etc.).

I am supposed to use the HTTPS protocol (not HTTP) to host my ASP.NET REST Web API services. One sample GET call carrying the "password" from client/consuming programmers looks like:

https://www.mycompanyhost.com/account?username=abc&password=some_password

My questions:

1/ Is using the HTTPS protocol secure enough for my Web API services side receiving sensitive data and for the consumer/client side sending sensitive data?

2/ If the HTTPS protocol is not secure enough, then how do I, as the web service provider, and the service consumers/programmers protect sensitive data like the "password" I mentioned?

For me, the following sounds complex:

If REST web service consumers use some encryption method/algorithm, then on my REST service provider side, how can I know the same encryption method/algorithm to decrypt the "password"?

On my side as provider I am using C#, but web service consumers can use any programming language and device as mentioned above, so how do we (both sides) understand each other's encryption approach?

Comments

  • You can't protect data entered into an application from the programmer of that application. Commented Feb 28, 2015 at 14:40
  • @CodesInChaos not unless you wanted them to never know their data ;) Commented Feb 28, 2015 at 14:49
  • @CodesInChaos: so does the consuming client program need to pass sensitive data in the URI as a query string key/value pair, or in the body, or somewhere else in a web service request object? Commented Mar 1, 2015 at 14:34

1 Answer


Achieving secure communication has a long history, as you might guess (maybe since the day digital communication was born?). For your question, please consider HTTPS the must-do yet minimum security standard that you can rely on.

Moreover, there are two things that you can consider.

  • I don't know why you have to GET the password from the server. Almost all web services treat passwords in a hashed manner (written with several mathematical encryptions), so they can only compare them and cannot read the words back.
  • It is only your decision which crypto algorithm you choose. There are many encryption/decryption library providers in .NET. I recommend you buy and apply one of them.

Finally, I strongly recommend a book to read: "Pro ASP.NET Web API Security" (amazon link). It will give you enough knowledge to make decisions in your technical domain.


6 Comments

  • Why do I use GET? After a user logs in to the web-service-consuming (client) application, the client program (in C++ or Java or PHP) needs to use the GET method together with the username and password to make a call to my REST web service. When my REST Web API receives such a GET call, it will use that username and password to get data and send extra information about that user back to the client application. You may notice that the "user" here is not the web service client but anyone who uses the client application that is written in another language (C++, Java, etc.)
  • "It is only your decision which crypto algorithm you choose." My web service is written in C# while the client (consuming) applications are written in other languages (C++, Java, PHP, etc.). How is a certain selected crypto algorithm understood on both sides?
  • @Thomas.Benz // First of all, my misunderstanding was that you were receiving the password from the server via GET. But I think you are preparing to use the basic authentication method, which embeds username+password in the header while calling a GET query to the server. One important thing is that you should not send the password in the QueryString. Just embed username+password in the HTTP header, and the header is going to be encrypted with HTTPS.
  • Then the HTTPS security standard handles all of the crypto between server and client communication nicely. It already covers which crypto algorithm to use and which key is valid. For this reason, the key (certificate) for HTTPS encryption is published by an authorized dealer worldwide, called a Root Certificate Authority.
  • How do you know the algorithm? In HTTPS, an algorithm like SHA-1 or SHA-256 is designated when the certificate is generated by the Root CA. The computer, whether it is an iPhone, Android, or Windows server, already has a list of Root CAs and a security handler. It's just factory built-in. Your computer already has a bunch of Root CAs too. The clients (your API clients) will ensure the communication is secure by the certificate-dedicated encryption algorithm when the certificate is from a Root publisher.
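The approach the last comments describe (credentials in the Basic Authorization header over HTTPS instead of the query string, compared against a stored hash so the service never holds the clear-text password), as an added server-side example written for this page and not code from the question, the answer, or the book mentioned; the handler class, the single user `abc`, the fixed salt and the iteration count are assumptions for the demo.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Text;
using System.Threading;
using System.Threading.Tasks;

// Hypothetical Web API 2 message handler (add it to config.MessageHandlers): credentials come from
// the Basic Authorization header, never the query string, and are checked against a stored PBKDF2 hash.
public class BasicAuthOverHttpsHandler : DelegatingHandler
{
    // Constructed demo store: one user "abc" with a fixed salt; a real service loads salt+hash per user.
    private static readonly byte[] Salt = Encoding.UTF8.GetBytes("demo-salt-replace-me");
    private static readonly byte[] StoredHash = Pbkdf2("some_password", Salt);

    protected override async Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        // The header is only protected by TLS, so refuse plain HTTP outright.
        if (request.RequestUri.Scheme != Uri.UriSchemeHttps)
            return new HttpResponseMessage(HttpStatusCode.Forbidden) { RequestMessage = request };
        AuthenticationHeaderValue auth = request.Headers.Authorization;
        if (auth == null || auth.Scheme != "Basic" || string.IsNullOrEmpty(auth.Parameter))
            return Challenge(request);
        string[] parts;   // "user:password"; split on the first ':' only, the password may contain one
        try { parts = Encoding.UTF8.GetString(Convert.FromBase64String(auth.Parameter)).Split(new[] { ':' }, 2); }
        catch (FormatException) { return Challenge(request); }   // malformed base64
        if (parts.Length != 2 || parts[0] != "abc" || !FixedTimeEquals(Pbkdf2(parts[1], Salt), StoredHash))
            return Challenge(request);
        // Authenticated: expose the identity to controllers through the request context.
        request.GetRequestContext().Principal = new GenericPrincipal(new GenericIdentity(parts[0], "Basic"), new string[0]);
        return await base.SendAsync(request, cancellationToken);
    }

    // 401 plus a WWW-Authenticate challenge; the response never echoes the supplied credentials.
    private static HttpResponseMessage Challenge(HttpRequestMessage request)
    {
        var response = new HttpResponseMessage(HttpStatusCode.Unauthorized) { RequestMessage = request };
        response.Headers.WwwAuthenticate.Add(new AuthenticationHeaderValue("Basic", "realm=\"api\""));
        return response;
    }

    private static byte[] Pbkdf2(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, 100000)) return kdf.GetBytes(32);
    }

    private static bool FixedTimeEquals(byte[] a, byte[] b)   // no early exit on the first differing byte
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Behind a TLS-terminating load balancer the request scheme seen by the handler may be http, so the scheme check would then have to consult the proxy's forwarded-protocol header instead.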
