How to avoid proxy spoofing

J.D. Meier, Jason Taylor, Prashant Bansode, Carlos Farre, Madhu Sundararajan, Steve Gregersen.

To avoid proxy spoofing, you must use mutual authentication. The following scenarios accomplish this:
  1. In HTTP bindings, the client authenticates to the service with any authentication scheme (certificate, basic, digest, username, windows) and the service uses transport security. In this scenario the service negotiates a secure session in which the client authenticates the service. The service must provide a certificate to protect the transport.
  2. In wsHttpBinding, the client authenticates to the service with one of the authentication schemes (username, certificate, issued token), and the service uses message security with negotiate credentials set to true. In this scenario the service negotiates a secure session in which the client authenticates the service. The service must provide a certificate to protect the message.
  3. In wsHttpBinding, the client authenticates to the service with one of the authentication schemes (username, certificate, issued token), and the service uses message security with negotiate credentials set to false. The service must provide a certificate to sign the message, and must install the client certificate's public key to protect the message and validate the client signature. The client must provide a certificate to sign the message, and must install the service certificate's public key to protect the message and validate the service signature.
  4. In wsHttpBinding, the client authenticates to the service with the windows authentication scheme and the service uses message security with negotiate credentials set to true. In this scenario the service negotiates a secure session in which the client authenticates the service.
  5. In wsHttpBinding, the client authenticates to the service with the windows authentication scheme and the service uses message security with negotiate credentials set to false. In this scenario the client uses Kerberos direct to obtain a session ticket to authenticate the service.
  6. In basicHttpBinding, the client authenticates to the service with any authentication scheme (username, certificate) and the service uses message security. The service must provide a certificate to sign the message, and must install the client certificate's public key to protect the message and validate the client signature. The client must provide a certificate to sign the message, and must install the service certificate's public key to protect the message and validate the service signature.
  7. In TCP binding, the client authenticates to the service with the windows scheme and the service uses transport security. In this scenario the service negotiates a secure session in which the client authenticates the service.
  8. In TCP binding, the client authenticates to the service with the certificate scheme and the service uses transport security. In this scenario the service negotiates a secure session in which the client authenticates the service.
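
The wsHttpBinding scenario with certificate credentials and negotiation turned off can be expressed in WCF configuration as follows. This is an added example, not configuration from the original guidance; the certificate subject names, endpoint address, contract name, and binding/behavior names are placeholders.

```xml
<!-- Added example: all names, subjects and addresses below are placeholders. -->
<!-- Client app.config -->
<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <binding name="MutualCert">
        <security mode="Message">
          <!-- false: no negotiation, so the service certificate must be installed locally -->
          <message clientCredentialType="Certificate" negotiateServiceCredential="false" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <behaviors>
    <endpointBehaviors>
      <behavior name="MutualCertClient">
        <clientCredentials>
          <!-- Client certificate with private key: signs outgoing messages -->
          <clientCertificate findValue="client.example.test" x509FindType="FindBySubjectName"
                             storeLocation="CurrentUser" storeName="My" />
          <serviceCertificate>
            <!-- Service public key, installed out of band: protects requests and
                 validates the service signature -->
            <defaultCertificate findValue="service.example.test" x509FindType="FindBySubjectName"
                                storeLocation="CurrentUser" storeName="TrustedPeople" />
            <authentication certificateValidationMode="PeerTrust" />
          </serviceCertificate>
        </clientCredentials>
      </behavior>
    </endpointBehaviors>
  </behaviors>
  <client>
    <endpoint address="http://service.example.test/Orders.svc" contract="IOrders"
              binding="wsHttpBinding" bindingConfiguration="MutualCert"
              behaviorConfiguration="MutualCertClient">
      <identity><dns value="service.example.test" /></identity>
    </endpoint>
  </client>
</system.serviceModel>

<!-- Service web.config: entry under behaviors/serviceBehaviors, used with the same binding settings -->
<behavior name="MutualCertService">
  <serviceCredentials>
    <serviceCertificate findValue="service.example.test" x509FindType="FindBySubjectName"
                        storeLocation="LocalMachine" storeName="My" />
    <!-- PeerTrust: accept only client certificates installed in the TrustedPeople store -->
    <clientCertificate><authentication certificateValidationMode="PeerTrust" /></clientCertificate>
  </serviceCredentials>
</behavior>
```

With `PeerTrust`, each side accepts only a certificate already present in its TrustedPeople store, which corresponds to the requirement that each party install the other's public key.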

Last edited May 8, 2008 at 7:43 AM by prashantbansode, version 1
