stackoom
  简体   繁体   中英

Is is possible to apply custom encryption to Microsoft Web API?

 原文  2015-01-30 16:26:47       c#/ asp.net/ asp.net-web-api2

Question

We are using Web API 2.0 to serve clients in a context where SSL can't be used (no public internet access, clients can't be expected to trust a self-signed certificate). To secure content moving between the client and server, we'd like to be able to encrypt it. We're OK with un-encrypted HTTP headers (only need to encrypt payload). The question is: is there a way to insert a custom handler into both the request and response message pipelines so that we can apply a decryption as a request pre-processing step and an encryption as a response post-processing step?

We are using the built-in features of Web API to serialize/de-serialize between JSON and model classes, and don't want to have to refactor any of that existing code. So an encryption handler would have to be inserted at the very start/end of the request/response pipeline. Is this possible, and if so, what is the technique to insert custom request/response content pre/post processing?

The network is "public" in that users bring their own devices, but the network is isolated from the public internet. Clients will only use a custom application we are developing to consume our Web API service, so we can address implementation issues of a custom encryption scheme on both client and server side.

1 answers

solution1
 0  2015-01-30 17:02:28

If you control the client application, you can hard-code the SSL certificate that the server is expected to return, which means that it doesn't have to validate through the normal PKI means (sometimes called certificate pinning ). Most other approach will result in you attempting to re-invent SSL, but with some fatal flaw.

To be explicit, I think you are seeing a conflict between "a context where SSL can't be used (no public internet access, clients can't be expected to trust a self-signed certificate)" and "Clients will only use a custom application we are developing" where one doesn't necessarily exist. The user doesn't have to know that the certificate is self-signed, and self-signed does not always imply untrusted.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Web API - custom routing Web API 2 custom authentication custom encryption #2 AspNetCore Web Api Microsoft Account Authentication Microsoft Azure authentication with c# web api Easiest path for Microsoft Web API to generate WSDL Microsoft Web API file upload to Post method Microsoft WEB API Get User Info From Microsoft Account Why C# Encryption and Decryption works Windows Form and not in Web API 2? How to apply colors to outlook calendar events using Microsoft graph api?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM