I have read many, many articles on WCF security etc., but I'm really confused about what the best method to protect my software is.
Problem: my client software [CS] has to call my web service [WS]. CS calls functions in WS many times during its working time, because when a user clicks on an item in a list, the user wants to see some detailed information that is stored on my server and updated frequently. In addition, CS sends a lot of information to WS during runtime to update some stats (and check the license is OK).
Why implement security:
- CS will have a paid subscription to use it, so I have to protect against piracy.
- WS sends hot information to CS that no one else should get.
- CS sends hot information to WS. WS stores it, and I want to avoid malicious information being sent by a "man in the middle".
Obviously I want each message sent/received to be UNIQUE, so no one can send a message to WS again.
Request:
- The client has to ensure that WS is the official WS and not a cracked proxy/emulation of the WS.
- WS has to know which CS is sending the message, so it can validate license/subscription numbers and return results based on the account.
What is the best strategy to take?
Limits:
- Initially I probably can't buy a valid SSL certificate (but I will if someone buys my subscription).
- WS will be on shared Windows hosting (so I think NO SSL).
I've read about Transport security, Message security and hybrids of those, but what properties should I set? Which authentication method should I use? "Certificate X.509"? "Secure Token Service"? "Username"?
Thanks to all!
UPDATE: Thanks JonoW! OK, I can afford a VPS... but not a real certified certificate... I think I don't need a real certificate. To validate the license I can make the CS send a processed serial derived from hardware serials... I only need to make sure a client doesn't use the software on multiple PCs at the same time. So if someone clones/steals the credentials of another user, I will block the account or reset the user's password automatically.
The problem is just to prevent someone from emulating the "this username/password/serial has a valid license" message of my WS and sending it from a fake WS, and to prevent someone from sending malicious data to my WS while impersonating another client... Do you think SSL and a Verisign certificate is the only way? Why "Secure Token Service" or "Username/Password" isn't a good idea?
Using X.509 certificates with WCF would probably help you achieve most of what you want, but that still means buying a certificate from a certificate authority. It also means the clients would need to install certificates on their end, which may not be a reasonable thing to ask them to do.
Using SSL means you can trust that data hasn't been tampered with in transit, and you can trust that data from the WS is genuine, but the WS won't be able to guarantee that data sent from the CS is definitely from that licensed client; you will need some other mechanism for that.
As for using SSL on a shared host, it obviously depends on the host; some may allow it. Maybe consider using a VPS?
Update
Why "Secure Token Service" or "Username/Password" isn't a good idea?
Both these solutions will prove to the WS that the client is a valid user, but the client can't guarantee that the WS is the genuine WS. I.e. a hacker could change DNS settings to route traffic intended for the WS to their own server, to respond that a user/license is valid, even if it's not. That's where SSL helps, because the client knows that the SSL cert is genuine (this is done for you by .NET), so if data from the WS can be decrypted using the SSL cert, it MUST have come from the WS, and not a "fake" WS.
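The combination this answer describes (SSL so the client can trust the WS, plus a username credential so the WS knows which client is calling), shown with WCF's programmatic API as an added example that is not part of the original answer. The contract, the class names and the sample account are hypothetical, and a real validator would look up subscriptions in the service's own account store.

```csharp
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.ServiceModel;
using System.ServiceModel.Security;

[ServiceContract]
public interface ILicensedService   // hypothetical contract
{
    [OperationContract] string GetItemDetails(int itemId);
}
public class LicensedService : ILicensedService
{
    public string GetItemDetails(int itemId)
    {
        // The validator below has already run, so this name is an authenticated account.
        return "item " + itemId + " for " + ServiceSecurityContext.Current.PrimaryIdentity.Name;
    }
}
// Runs on the WS for every call; rejects callers that are not paying accounts.
public class SubscriptionValidator : UserNamePasswordValidator
{
    // Constructed sample data; a real service would check salted hashes in its database.
    static readonly Dictionary<string, string> Subscribers =
        new Dictionary<string, string> { { "alice", "constructed-sample-password" } };
    public override void Validate(string userName, string password)
    {
        string expected;
        if (userName == null || password == null ||
            !Subscribers.TryGetValue(userName, out expected) || expected != password)
            throw new SecurityTokenException("Unknown account or no active subscription.");
    }
}

public static class SecureEndpoints
{
    // HTTPS authenticates the WS to the client; the UserName credential identifies the CS.
    public static WSHttpBinding CreateBinding()
    {
        var binding = new WSHttpBinding(SecurityMode.TransportWithMessageCredential);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        return binding;
    }
    public static void ConfigureHost(ServiceHost host)
    {
        var auth = host.Credentials.UserNameAuthentication;
        auth.UserNamePasswordValidationMode = UserNamePasswordValidationMode.Custom;
        auth.CustomUserNamePasswordValidator = new SubscriptionValidator();
    }
}
```

`TransportWithMessageCredential` only works on an `https://` endpoint, so the server certificate still has to be configured on the host. The client uses the same binding and sets `ClientCredentials.UserName.UserName` and `.Password` on its channel factory or generated proxy.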