
Securing a PDA Web service that uses GPRS

I'm writing a project for a PDA (.NET Compact Framework) that gets and writes back its data captured over Web services using GPRS. Can you tell me how you reckon I could secure this system (as there's some sensitive data being written back)? I've been thinking of using named logins into the Web server and SSL for encryption.
If your conversation is just between your PDA and the initiating client, i.e. a single hop, you could use SSL for both encryption and authentication. (See my previous answers for some of the problems with using SSL in multi-hop scenarios.) Using SSL mutual authentication means that you would need SSL certificates on both the client and the PDA Server. On the other hand, SSL mutual authentication means that you don't have to worry about what platform the client is running as long as it supports an SSL implementation.

A better approach would be to use the WSE SDK in the .NET release, which contains a limited implementation of WS-Security. The WSE SDK has not yet been released for production use. Therefore, if you don't plan on an immediate release of your product, you would be better served to use WSE as this is the future direction of Web services security. While the WSE doesn't yet support the Compact Framework, it does support the building blocks for using WS-Security. When you use WS-Security the client and server do not have to support the same platform or language and it supports multi-hop scenarios. You can download and find out about WSE at http://www.microsoft.com/downloads/details.aspx?familyid=21fb9b9a-c5f6-4c95-87b7-fc7ab49b3edd&displaylang=en. I would recommend learning how to use the WSE and make sure your product will be able to support WS-Security in the future.

In summary: For the near term SSL is a good solution as long as you play within the limitations of SSL. I would recommend using SSL mutual authentication. You will also need some kind of authorization. Depending on your scenario, you could use a simple ACL list to permit or deny the authorized user access. Do not neglect this second step, as authentication is not sufficient to secure your resources. Prepare your application to move to WS-Security in the not too distant future.
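The answer's two steps, SSL mutual authentication followed by a separate ACL-based authorization check, can be shown in a small server-side example. This is an added illustration, not code from the expert or from any TechTarget project, and it uses Python's standard `ssl` module rather than the .NET stack the question is about because the decision logic is the same on any platform. The certificate file paths, the `ACL` table, the PDA identities (`pda-0042`, `pda-0043`) and the operation names are all constructed for the example.

```python
import ssl
from typing import Dict, FrozenSet, Tuple

# Access-control list: authenticated client identity (the certificate CN)
# mapped to the Web service operations it may call. Constructed sample data;
# a real deployment would load this from configuration, not hard-code it.
ACL: Dict[str, FrozenSet[str]] = {
    "pda-0042": frozenset({"GetWorkOrders", "SubmitReadings"}),
    "pda-0043": frozenset({"GetWorkOrders"}),
}


def build_server_context(ca_file: str, cert_file: str, key_file: str) -> ssl.SSLContext:
    """Server-side TLS context for mutual authentication (hypothetical file paths).

    CERT_REQUIRED makes the handshake fail unless the client presents a
    certificate that chains to ca_file. This is the authentication step:
    after the handshake the server knows *who* connected, nothing more.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(cert_file, key_file)   # the server's own certificate
    ctx.load_verify_locations(ca_file)         # CA that issued the PDA certificates
    ctx.verify_mode = ssl.CERT_REQUIRED        # require a client certificate
    return ctx


def common_name(peer_cert: dict) -> str:
    """Extract the subject CN from the dict shape returned by SSLSocket.getpeercert()."""
    for rdn in peer_cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    raise ValueError("client certificate has no commonName")


def authorize(peer_cert: dict, operation: str) -> Tuple[bool, str]:
    """Authorization step: may the authenticated identity call `operation`?

    Deny by default: no certificate, an identity that is not in the ACL, or an
    operation the identity is not listed for all result in a refusal. The
    returned reason string is what a server would write to its audit log.
    """
    if not peer_cert:
        return False, "no client certificate presented"
    try:
        cn = common_name(peer_cert)
    except ValueError as exc:
        return False, str(exc)
    allowed = ACL.get(cn)
    if allowed is None:
        return False, f"identity {cn!r} authenticated but not in ACL"
    if operation not in allowed:
        return False, f"identity {cn!r} not permitted to call {operation!r}"
    return True, f"identity {cn!r} permitted to call {operation!r}"


# Constructed peer certificate in the format getpeercert() returns after a
# successful mutually authenticated handshake (not a real certificate).
SAMPLE_PEER_CERT = {
    "subject": (
        (("countryName", "GB"),),
        (("organizationName", "Example Field Services"),),
        (("commonName", "pda-0043"),),
    ),
    "issuer": ((("commonName", "Example Field Services CA"),),),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}

if __name__ == "__main__":
    # pda-0043 authenticates fine either way, but only the first call is authorized.
    for op in ("GetWorkOrders", "SubmitReadings"):
        ok, reason = authorize(SAMPLE_PEER_CERT, op)
        print("ALLOW" if ok else "DENY", reason)
```

The point the example makes is the one the answer stresses: `build_server_context` only proves which PDA is on the other end of the hop, and `authorize` is the separate step that decides what that PDA may do. Keeping the two apart also means the ACL survives a later move from SSL to WS-Security, since only the way the identity is obtained changes, not the authorization decision.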
