I am implementing security on a WCF service, moving from basicHttp to wsHttp. The issue is that the service sends some passwords for database connections, which the user can define, test and save.
The service uses an X509 certificate for the service and client credentials, and I wanted to know if I should do more to secure the passwords on the server or the client.
<wsHttpBinding>
  <binding name="CustomLargeHttpsBinding" maxReceivedMessageSize="2147483647">
    <readerQuotas maxDepth="32" maxStringContentLength="2147483647" maxArrayLength="2147483647" maxBytesPerRead="2147483647" maxNameTableCharCount="2147483647"/>
    <reliableSession ordered="false" inactivityTimeout="01:00:00" enabled="false"/>
    <security>
      <transport clientCredentialType="None" proxyCredentialType="None"/>
      <message clientCredentialType="Certificate" negotiateServiceCredential="true" algorithmSuite="Basic256Rsa15" establishSecurityContext="true"/>
    </security>
  </binding>
</wsHttpBinding>
The typical scenario would go like this:
- Retrieve encrypted password from database
- Send data through the service
- Client uses the data to test the database connection on server X (the password is put into a SecureString here after being decrypted)
- The issue is that I would like to remove the encrypting class, as it has a constant key stored in code.
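One way to get rid of a constant key compiled into an encryption class is to hand the key management to the operating system with DPAPI (`System.Security.Cryptography.ProtectedData`, in the System.Security assembly on .NET Framework). The example below is added here as an illustration and is not code from the question; the class name `DbPasswordProtector`, the entropy string and the sample password are all made up. It assumes the protect/unprotect step runs in the service process that stores the passwords, because a DPAPI blob can only be unprotected on the machine (`LocalMachine` scope) or under the user profile (`CurrentUser` scope) that created it, so it is a fit for protecting the stored password at rest, not for a shared secret that both the client and the service must be able to decrypt.

```csharp
using System;
using System.Security;
using System.Security.Cryptography;
using System.Text;

// Hypothetical replacement for a constant-key encryption class (example code,
// not from the original post). DPAPI derives the key from the machine or user
// profile, so no key material is stored in the assembly.
public static class DbPasswordProtector
{
    // Optional entropy mixed into the DPAPI key. It is not a secret: it only
    // stops other code running under the same scope from unprotecting these
    // blobs by accident. Hypothetical value.
    private static readonly byte[] Entropy =
        Encoding.UTF8.GetBytes("WcfDbConnectionPassword/v1");

    // Encrypt a plaintext password for storage in the database.
    // CurrentUser ties the blob to the service account; LocalMachine lets any
    // process on the host unprotect it, so prefer CurrentUser where the service
    // runs under a dedicated account.
    public static byte[] Protect(string password,
                                 DataProtectionScope scope = DataProtectionScope.CurrentUser)
    {
        byte[] plain = Encoding.UTF8.GetBytes(password);
        try
        {
            return ProtectedData.Protect(plain, Entropy, scope);
        }
        finally
        {
            // Do not leave the plaintext bytes in the managed heap longer than needed.
            Array.Clear(plain, 0, plain.Length);
        }
    }

    // Decrypt straight into a SecureString, clearing the intermediate buffers
    // so the plaintext never lives in an ordinary .NET string.
    public static SecureString UnprotectToSecureString(byte[] blob,
                                 DataProtectionScope scope = DataProtectionScope.CurrentUser)
    {
        byte[] plain = ProtectedData.Unprotect(blob, Entropy, scope);
        char[] chars = Encoding.UTF8.GetChars(plain);
        try
        {
            var secure = new SecureString();
            foreach (char c in chars)
            {
                secure.AppendChar(c);
            }
            secure.MakeReadOnly();
            return secure;
        }
        finally
        {
            Array.Clear(plain, 0, plain.Length);
            Array.Clear(chars, 0, chars.Length);
        }
    }

    public static void Main()
    {
        // Constructed sample password for the demonstration.
        const string samplePassword = "Example-Db-P@ssw0rd";

        byte[] stored = Protect(samplePassword);
        Console.WriteLine("Protected blob length: " + stored.Length + " bytes");

        using (SecureString secure = UnprotectToSecureString(stored))
        {
            // Only the length is checked; reading the SecureString back into a
            // managed string would defeat the point of using it.
            Console.WriteLine(secure.Length == samplePassword.Length
                ? "Round trip OK"
                : "Round trip FAILED");
        }
    }
}
```

If the service (rather than the client) is the side that opens the connection to server X, it can unprotect directly into the `SecureString` that `SqlCredential` accepts and the plaintext never has to leave the service. If the client genuinely needs the plaintext to run the test itself, the WS-Security message encryption in the posted binding is what protects it on the wire; in that case `algorithmSuite="Basic256"` (RSA-OAEP key wrap) is the safer choice over `Basic256Rsa15`, whose key transport uses PKCS#1 v1.5 padding.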