wcf - How to authenticate an application, instead of a user?


In the context of WCF / web services / WS-Trust federated security, what are the accepted ways to authenticate an application, rather than a user? From what I gather, certificate authentication seems to be the way to go, i.e. generate a certificate for the application. Am I on the right track here? Are there other alternatives I should consider?

What you are trying to solve is the general digital rights management problem, which is an unsolved problem at the moment.

There is a whole host of options for remote attestation that involve trying to hide secrets of some sort (traditional secret keys, or semi-secret behavioural characteristics).

Some simple examples that might deter casual users of the API from working around it:

  • include &officialclient=yes in the request
  • include &appkey=<some big random key> in the request
  • store a secret in the app, and use a simple challenge/response: send a random nonce to the app, and the app returns hmac(secret, nonce)

In general the 'defender's advantage' is quite small: the effort you put in to try and authenticate that a bit of software talking to you is in fact that software isn't going to take the attacker/user more effort to emulate. (To break the third example I gave, you don't need to reverse engineer the official client; the user can hook the official client to answer the challenges their own client receives.)

The more robust avenue you can pursue is licensing / legal options. The famous example is Twitter, who prevent you from knocking out an old client through the API licence terms and conditions: if you created your own (popular) client that pretended to the Twitter API to be the official Twitter client, the assumption is that the lawyers would come a-knocking.
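The third bullet's challenge/response scheme, written out as an added example (this is my code, not the poster's, and it is plain Python rather than WCF/.NET). The constructed `APP_SECRET`, and the hypothetical `relay_respond` responder that models a third-party client forwarding the nonce to a hooked official client, are assumptions for illustration. The server side only ever sees an HMAC over the nonce it issued, so it cannot distinguish the genuine client from anything that can obtain the same HMAC, which is the point the answer makes.

```python
import hashlib
import hmac
import secrets

# Constructed demo value. In the scheme described in the answer the secret
# ships inside the client binary, which is exactly why it cannot stay secret.
APP_SECRET = b"constructed-demo-secret-not-a-real-key"


def issue_nonce() -> bytes:
    """Server side: a fresh, unpredictable challenge per request."""
    return secrets.token_bytes(16)


def client_respond(secret: bytes, nonce: bytes) -> bytes:
    """Official client: proves possession of the secret with hmac(secret, nonce)."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()


def server_verify(secret: bytes, nonce: bytes, response: bytes) -> bool:
    """Server side: recompute the HMAC and compare in constant time."""
    expected = hmac.new(secret, nonce, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def relay_respond(nonce: bytes) -> bytes:
    """Hypothetical unofficial client that has hooked the official one: it never
    learns the secret, it just hands the nonce to the official code and returns
    whatever comes back. From the server's view this is indistinguishable."""
    return client_respond(APP_SECRET, nonce)


def run_exchange(responder) -> bool:
    """One full challenge/response round with an arbitrary responder."""
    nonce = issue_nonce()
    return server_verify(APP_SECRET, nonce, responder(nonce))


if __name__ == "__main__":
    print("official client:", run_exchange(lambda n: client_respond(APP_SECRET, n)))
    print("relaying client:", run_exchange(relay_respond))
    print("wrong secret:   ", run_exchange(lambda n: client_respond(b"wrong", n)))
```

The fresh nonce and constant-time compare make this a correct HMAC challenge/response against replay and guessing, but correctness of the protocol does not help: the check authenticates possession of the secret, not the identity of the software holding it.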
