Click here to Skip to main content
15,867,568 members
Articles / Web Development / ASP.NET

Web Service Authentication

Rate me:
Please Sign up or sign in to vote.
4.35/5 (41 votes)
25 Nov 2009CPOL3 min read 464.5K   8.3K   197   47
A simple mechanism to authenticate users to a WebService

Sample Image - WebServiceAuthentication.gif

Introduction

This is a simple mechanism to authenticate users to a Web Service, using a Time Token and MD5 Hashing to encrypt password.

Background

In CodeProject, you can find at least two others' mechanism to authenticate users to a Web Service. Dan_P wrote Authentication for Web Services as a Simple authentication for web services using SOAP headers. But the username and password are sent in clear text and there is no encryption for the data. HENDRIK R. is the author of An introduction to Web Service Security using WSE, that is really a complete solution, but too much complicated for my purposes. The username is sent in clear text, but it is possible to use Password Digest to encrypt the password. The data are encrypted using XML Encryption specification to encrypt portions of the SOAP messages.

My solution is something in the middle of the above two. The username is sent in clear text, but I use MD5 to encrypt the password. I do not need to send sensitive data, so the data returned by the Web Service is not encrypted.

Using the Code

The basic idea is to send UserName and Password from the client to the Web Service using MD5 Hash Code as encryption system. In this way, the password never travels in clear over the network. The Web Service retrieves the user password from a DB or anything else and uses the same MD5 algorithm to test if the password is correct. To be sure that if someone intercepts the Hash, this can be used to authenticate in a later time, I added a timestamp before hashing the Key string. Last, as we are not always on the same server and/or the client clock may be in a different Time Zone or simply not synchronized, I added the possibility to request a Token containing the time mark to the server.

I provided a sample in ASP.NET C# for the client side, but it is possible to use any language: ASP classical JScript or VBScript, PHP, Python, etc. Anyway, on the client side we need to build up the Key using UserName, Password and the hashed timestamp Token previously got from the same Web Service. We can then call the Service and we will get the answer (or an authentication failure warning) that is displayed on the web page.

C#
private void ButtonUseToken_Click(object sender, System.EventArgs e)
{
    string ret;
    string UserName, Password, ServiceName, Token;
    string Key, ToHash;

    UserName=this.TextBoxUserName.Text;
    Password=this.TextBoxPwd.Text;
    ServiceName=this.TextBoxService.Text;
    Token=this.TextBoxToken.Text;
    ToHash=UserName.ToUpper()+"|"+Password+"|"+Token;
    Key=Hash(ToHash)+"|"+UserName;

    ServicePointReference.ServicePoint Authenticate = 
                             new ServicePointReference.ServicePoint();
    ret=Authenticate.UseService(Key, ServiceName);
    this.ServResponse.Text=ret;
}

The MD5 Hash procedure is very simple in C#; this one was written by Vasudevan Deepak Kumar in Securing Web Accounts.

C#
private string Hash(string ToHash)
{
    // First we need to convert the string into bytes,
    // which means using a text encoder.
    Encoder enc = System.Text.Encoding.ASCII.GetEncoder();

    // Create a buffer large enough to hold the string
    byte[] data = new byte[ToHash.Length];
    enc.GetBytes(ToHash.ToCharArray(), 0, ToHash.Length, data, 0, true);

    // This is one implementation of the abstract class MD5.
    MD5 md5 = new MD5CryptoServiceProvider();
    byte[] result = md5.ComputeHash(data);

    return BitConverter.ToString(result).Replace("-", "").ToLower();
}

On Web Service server side, I implemented just three Web Methods:

GetToken is used to get the Time-marked token. The token you get this way is intended to be used in the basic Authenticate method, or in the UseService that can also verify the access rights for the users authenticated to the requested service. The core of the system is implemented by TestHash. Here the password is hard-coded, but in the sample provided, you have also the code to get it from a database:

C#
private bool TestHash (string HashStr, 
             string UserName, int minutes, string ServiceName)
{
    string Pwd, ToHash;
    string sResult, sResultT, sResultToken;
    try
    {
        // JUST FOR TEST: the password is hard-coded:
        Pwd="SeCrEt";

        DateTime dt = DateTime.Now;
        System.TimeSpan minute = new System.TimeSpan(0,0,minutes,0,0);
        dt = dt-minute;
        //before hashing we have:
        //USERNAME|PassWord|YYYYMMDD|HHMM
        ToHash=UserName.ToUpper()+"|"+Pwd+"|"+dt.ToString("yyyyMMdd")+
                                             "|"+dt.ToString("HHmm");
        sResult = Hash(ToHash);
        //TokenWeGotBefore
        ToHash=dt.ToString("yyyyMMdd")+"|"+dt.ToString("HHmm");
        sResultToken = Hash(ToHash);
        //USERNAME|PassWord|TokenWeGotBefore
        ToHash=UserName.ToUpper()+"|"+Pwd+"|"+sResultToken;
        sResultT = Hash(ToHash);
    
        if ((sResult==HashStr) || (sResultT==HashStr)) 
            return true;
        else
            if (minutes==0) // allowed max 2 minutes - 1
                            // second to call web service
            return TestHash (HashStr, UserName, 1, ServiceName);
        else
            return false;
    }
    catch
    {
        return false;
    }
}

To request a hashed time-stamped Token to the Web Service, the method is:

C#
[WebMethod]
public string GetToken ()
{
    string ToHash, sResult;
    DateTime dt = DateTime.Now;
    ToHash=dt.ToString("yyyyMMdd")+"|"+dt.ToString("HHmm");
    sResult = Hash(ToHash);
    return sResult;
}

The method that checks the user authentication is also kept very simple; in a real application you normally need to access a database to check the authentication level and may need to return some data to the caller:

C#
[WebMethod]
public string UseService (string Key, string ServiceName)
{
    string [] HashArray;
    string UserName, level;

    // Key string: HASH|User|OptionalData
    HashArray=Key.Split('|');
    level = "-1";    //default level

    if (TestHash(HashArray[0], HashArray[1], 0, ServiceName))
    {
        try
        {
            UserName=HashArray[1];
            // JUST FOR TEST: the User authentication level is hard-coded
            // but may/should be retrieved from a DataBase
            switch (UserName)
            {
                case "MyUserName":
                    level="1";
                    break;
                case "OtherUser":
                    level="2";
                    break;
                default:
                    level="-1";
                    break;
            }
            if (level=="1") return "YOU ARE AUTHORIZED";
        }
        catch (Exception exc)
        {
            return "Authentication failure: " + exc.ToString();
        }
    }
    return "Authentication failure";
}

Points of Interest

TestHash checks to see if the Hash contains a timestamp or an already-hashed token, and calls itself once again in case of failure: if someone is calling the service, let's say, at 11:34:58 the Key is valid from 11:34:00 until 11:35:59, that is during two minutes minus one second.

The client side may be implemented in any language: ASP classical, JScript or VBScript, PHP, Python, etc. I have the intention to post this code too next time...

History

  • 01/20/2005 - Article created
  • 11/25/2009 - Updated source code

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


Written By
Web Developer
Italy Italy
This member has not yet provided a Biography. Assume it's interesting and varied, and probably something to do with programming.

Comments and Discussions

 
QuestionWould server and client being in different time-zones cause this authentication to fail? Pin
mathiasbanda25-Apr-16 15:38
mathiasbanda25-Apr-16 15:38 
AnswerRe: Would server and client being in different time-zones cause this authentication to fail? Pin
faina25-Apr-16 20:58
professionalfaina25-Apr-16 20:58 
GeneralRe: Would server and client being in different time-zones cause this authentication to fail? Pin
mathiasbanda26-Apr-16 0:03
mathiasbanda26-Apr-16 0:03 
QuestionExpired in 24 hours Pin
dkosasih22-Sep-14 15:59
dkosasih22-Sep-14 15:59 
GeneralMy vote of 5 Pin
Aamer Alduais12-Oct-12 21:06
Aamer Alduais12-Oct-12 21:06 
GeneralRe: My vote of 5 Pin
faina12-Oct-12 22:10
professionalfaina12-Oct-12 22:10 
GeneralRe: My vote of 5 Pin
Aamer Alduais4-Nov-12 20:11
Aamer Alduais4-Nov-12 20:11 
GeneralMy vote of 5 Pin
Jack_32127-May-12 4:07
Jack_32127-May-12 4:07 
GeneralMy vote of 1 Pin
ali32b17-Nov-10 9:45
ali32b17-Nov-10 9:45 
GeneralNOBODY wants to answer the 404 Page Not Found question Pin
LawrenceMayo29-Jun-09 14:57
LawrenceMayo29-Jun-09 14:57 
GeneralRe: NOBODY wants to answer the 404 Page Not Found question Pin
faina24-Nov-09 23:33
professionalfaina24-Nov-09 23:33 
Generalattempting to change the time feature. Pin
charles Frank15-Jun-09 4:51
charles Frank15-Jun-09 4:51 
GeneralRe: attempting to change the time feature. Pin
faina24-Nov-09 23:08
professionalfaina24-Nov-09 23:08 
GeneralJust wanted to say thanks, Pin
pimpmurph7-Aug-07 7:49
pimpmurph7-Aug-07 7:49 
Generalneed help on the source code files [modified] Pin
Cheng Dehua12-Apr-07 17:02
Cheng Dehua12-Apr-07 17:02 
GeneralRe: need help on the source code files Pin
faina18-Apr-07 21:16
professionalfaina18-Apr-07 21:16 
GeneralRe: need help on the source code files Pin
Cheng Dehua18-Apr-07 21:44
Cheng Dehua18-Apr-07 21:44 
GeneralFalse sense of security Pin
Lord of Scripts5-Apr-07 21:25
Lord of Scripts5-Apr-07 21:25 
GeneralRe: False sense of security Pin
faina5-Apr-07 22:52
professionalfaina5-Apr-07 22:52 
GeneralRe: False sense of security Pin
Dewey19-Apr-07 22:00
Dewey19-Apr-07 22:00 
QuestionRe: False sense of security Pin
diegotegravi30-Aug-07 9:14
diegotegravi30-Aug-07 9:14 
AnswerRe: False sense of security Pin
L Viljoen2-May-12 20:55
professionalL Viljoen2-May-12 20:55 
You Can most certainly use SSL with web services, the assemetric encryption is pretty secure unless it's a middleman attack.

Another way would be to use a Symmetric Rihnjeal(spelling) algorithm when securing your web service data.

for instance

For this you need to write a library for integrating to your web service to encrypt and decrypt data between the client and server)
, and use some kind of obfuscation tool (Eazfuscator free) to avoid someoen from obtaining the keys easily
So basically the steps then would be

1)Client Requests Session Token Sending Client ID (Guid.NewGuid() (used to encrypt data)
2)Server generates a token Guid.NewGuid() and stores it in a static dictionary<guid,guid> (this should maybe keep track of date of last activity too to clean up unused and exired tokens
3)Server Encrypts Session Token with Unique Key A
4)Sends encrypted data to Client
5)Client Decrypts Data using unique key A
6)Sends its login info thats encrypted using a combination of Token and Key A along with the Client ID
7)Server gets the login info looks up the token of the client ID in the dictionary and uses a combination of token + keyA to unlock
8) This process can also be made more complicated to make it harder to hack security and all incoming and outgoing comms can be encrypted decrypted in a similar way

You can also use your own type of SSL using Asymetric public private key encryption with the transfer of info
Chona1171
Web Developer (C#), Silverlight

QuestionWhat should be the setting in IIS [modified] Pin
nzhuda13-Dec-06 15:47
nzhuda13-Dec-06 15:47 
GeneralHelp me!! Pin
omkarphatak2-Dec-06 7:01
omkarphatak2-Dec-06 7:01 
GeneralRe: Help me!! Pin
faina3-Dec-06 20:07
professionalfaina3-Dec-06 20:07 

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Praise Praise    Rant Rant    Admin Admin   

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.