Wednesday, March 29, 2017


Encrypt SOAP Message Parameters using Custom Attributes and Headers

Web Services provide an excellent way to communicate between distributed systems. However, the data within the SOAP messages sent between systems may need to be encrypted when it contains sensitive information. There are several ways to handle this, including the use of SSL, custom encryption, and a variety of up-and-coming standards such as WS-Security.

This sample application demonstrates how custom SOAP attributes can be used to encrypt only the sensitive parts of a SOAP message sent between systems rather than the entire message. This allows the message to stay intact while the sensitive data is still protected. Writing a custom encryption application is admittedly not always the best solution, especially since Microsoft will likely release code that handles this task automatically in the future (causing the custom solution to be discarded). It does, however, provide an excellent environment for learning more advanced concepts of .NET Web Services.

To clarify what the application will do, examine the following SOAP message which contains unencrypted data that prying eyes could access:

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="" xmlns:xsi="" xmlns:xsd="">
  <soap:Body>
    <GetAccountResponse xmlns="">
      <GetAccountResult>
        <AccountID>124837</AccountID>
        <AccountName>Wahlin Consulting</AccountName>
        <AccountContact>Dan Wahlin</AccountContact>
        <AccountPhone>123-123-1234</AccountPhone>
      </GetAccountResult>
    </GetAccountResponse>
  </soap:Body>
</soap:Envelope>

By using the custom SOAP parameter encryption class in this sample application, specific parts of the SOAP message can be encrypted as shown below:

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="" xmlns:xsi="" xmlns:xsd="">
  <soap:Body>
    <GetAccountResponse xmlns="">
      <GetAccountResult>
        <AccountID>
          grIKlJMCSYHrgXlRThnxEYqZicqWeio0OJ3
          p+8NzFuqxzA8Yl55qaN/iy1Ywmm86fwqFmP
          8HL4/8lRA9dIfMySAkB5MF1KyEv5ReConcE
          DLoyl4sXJiYgWPQceh4XF06r49PkQGk8mvb
          WIpRbiiTJ76Uk22gCjdiU5IcWHnzB3k=
        </AccountID>
        <AccountName>
          wDz/BvGUlJwL6WXNsc2/FGXiG9tlW4818VP
          wzlOSetiCSSz7kw4jwp1QvDJhJ+tr78X1uT
          zPkOQUbrUjHjaVnEwyP/Ez/uqVX7WW5zmvA
          y3ZtPmkkzHIJnM8f+FyRMG6Fr6nzZ/ZDEw6
          s+Vai5LTTLs3JZ297i5XTMAsaITgc74=
        </AccountName>
        <AccountContact>
          kzEYJ/ulnvbu5lyYg9BmcC97dca5tPM5+ER
          oQQJje/z/Kt2bZGHnWPp9Lnn9ZhOLk+V5sM
          bqFLFoXCtj17NZ42tUIR3zdTdYrK5Qb2nrg
          ECTM3yHX92nVkrIH9EVBpAsefyMwic1ssg1
          yj7/Drq5ib1x17d1VaElSRva2Po7QkM=
        </AccountContact>
        <AccountPhone>123-123-1234</AccountPhone>
      </GetAccountResult>
    </GetAccountResponse>
  </soap:Body>
</soap:Envelope>

This encryption is accomplished by using asymmetric (Public/Private) key encryption. The client sends their public key to the Web Service within a SOAP header and the Web Service uses the key to encrypt sensitive parts of the SOAP message. The returned message is then decrypted by the client using their private key.

Parameters within the response SOAP message can easily be encrypted using the public key supplied by the client by simply applying the following attribute to a Web Method:

[ParamEncryptionExtension(
    EncryptParamNames = new string[] {"AccountID", "AccountName", "AccountContact"},
    LogRequestResponse = false)]

When applied to a Web Method, this particular attribute will cause the AccountID, AccountName, and AccountContact parameters returned to the client to be encrypted. The attribute can also be used to log incoming and outgoing SOAP messages to a file.
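
The flow described above (client public key sent to the service, selected response elements encrypted, client decrypts with its private key), as an added C# example that is not the article's downloadable sample code. The class and method names, the 2048-bit key size and OAEP padding are assumptions, and the key is passed in-process here instead of in a SOAP header.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Xml;

static class ParamEncryptionDemo   // hypothetical name, not the article's extension class
{
    static readonly string[] Sensitive = { "AccountID", "AccountName", "AccountContact" };
    // Rewrite the text of every sensitive element in place; other elements stay as they are.
    static void Transform(XmlDocument doc, Func<string, string> f)
    {
        foreach (string name in Sensitive)
        {
            XmlNodeList nodes = doc.GetElementsByTagName(name);
            for (int i = 0; i < nodes.Count; i++)
                nodes[i].InnerText = f(nodes[i].InnerText);
        }
    }
    // Service side: holds only the client's public key, so it can encrypt but not decrypt.
    static void EncryptResponse(XmlDocument doc, string publicKeyXml)
    {
        using (var rsa = new RSACryptoServiceProvider())
        {
            rsa.FromXmlString(publicKeyXml);
            // true = OAEP padding (assumption); a 2048-bit key then takes at most 214 bytes per value
            Transform(doc, s => Convert.ToBase64String(rsa.Encrypt(Encoding.UTF8.GetBytes(s), true)));
        }
    }

    // Client side: the private key never leaves this process.
    static void DecryptResponse(XmlDocument doc, RSACryptoServiceProvider key) =>
        Transform(doc, s => Encoding.UTF8.GetString(key.Decrypt(Convert.FromBase64String(s), true)));

    static void Main()
    {
        var doc = new XmlDocument();   // constructed sample using the values from the message above
        doc.LoadXml("<GetAccountResult><AccountID>124837</AccountID>" +
            "<AccountName>Wahlin Consulting</AccountName><AccountContact>Dan Wahlin</AccountContact>" +
            "<AccountPhone>123-123-1234</AccountPhone></GetAccountResult>");
        using (var clientKey = new RSACryptoServiceProvider(2048))   // key size is an assumption
        {
            // The service encrypts to whatever key arrives, so the header must reach it unmodified.
            EncryptResponse(doc, clientKey.ToXmlString(false));   // false = public part only
            Console.WriteLine(doc.OuterXml);
            DecryptResponse(doc, clientKey);
            Console.WriteLine(doc.OuterXml);
        }
    }
}
```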

The downloadable sample code includes the Web Service and custom SOAP header and attribute classes within a project as well as a sample Windows Forms test client project.

Teaches: Web Services, Cryptography, SOAP Headers and Attributes
Requirements: .NET 1.0



© 2007 Wahlin Consulting LLC