
I need your help please.

I developed some REST services with .NET Web API.

These services must authenticate the clients with username and password.

The solution I find out in Internet is "Basic Authentication".

The BIG problem is that I can't use SSL to secure the communication. I don't have HTTPS.

Using basic authentication without SSL is not a good solution.

Searching on the Internet, I'm not able to find a solution that can authenticate the clients over HTTP using username and password.

Please can you help me?

Summarizing: I need to authenticate the user in a Web API using username and password. I can't use SSL. My communication is on HTTP.

Thanks!!!

GabroG
  • You can use HMAC authentication, check it in here: http://stackoverflow.com/questions/11775594/how-to-secure-an-asp-net-web-api/11782361#11782361 – cuongle Feb 06 '13 at 03:27

4 Answers


You could use the ASP.NET membership provider:

http://msdn.microsoft.com/en-us/library/yh26yfzy(v=vs.100).aspx

paul
  • How can I use it with Web.API? How can I send the client credentials to the service on a non secure network like HTTP? – GabroG Feb 05 '13 at 14:44
  • salt + hash the users' credentials client side with something like MD5 to keep them safe whilst going across the wire – paul Feb 05 '13 at 15:02

The only other common approach for username + password authentication I am aware of is digest access authentication. There is a blog here showing an example for WebApi.

This will give you some protection without SSL as it uses hashes; however, I wouldn't really advocate it until all the disadvantages of this approach are fully read and understood.

Mark Jones

Basically - you can't do that.

Sure, there are schemes that don't transfer credentials in clear text over the wire - but it is not only about the credentials. All the data is going over the wire in the clear as well; you have no authentication of the server, no confidentiality, no integrity protection, no replay protection etc…

If you don't care about all these features - why bother with (secure) authentication at all?

leastprivilege
  • I don't agree with this answer. There are well proven methods which are as insecure as SSL to encrypt parts of your message without using SSL. – Rafa Feb 17 '14 at 14:07

Without SSL, basic is not secure, but digest is also not secure due to man-in-the-middle attacks. I would recommend you to use some public/private key based approaches like HMAC, or encrypting as paul said with hash + salt.

Rafa
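As an added example, not code from the question or from any of the answers: a request-signing scheme of the HMAC kind that the comment on the question and the last answer mention, written for the server side so that it also covers the replay point raised in the third answer. The secret, the nonce store, the path and the request body are constructed placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
// Each client holds a secret that is never sent; every request carries a
// timestamp, a one-time nonce and an HMAC-SHA256 over the request details.
// This proves who sent the request and blocks replay. It gives no
// confidentiality: over plain HTTP the body itself is still readable.
public static class HmacRequestAuth
{
    // String both sides compute; changing method, path, time, nonce or body breaks the MAC.
    public static string Canonical(string method, string path, long unixTime, string nonce, string body)
    {
        string bodyHash;
        using (var sha = SHA256.Create())
            bodyHash = Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(body ?? "")));
        return string.Join("\n", method.ToUpperInvariant(), path, unixTime.ToString(), nonce, bodyHash);
    }
    public static string Sign(byte[] secret, string canonical)
    {
        using (var hmac = new HMACSHA256(secret))
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(canonical)));
    }
    // Server side: reject stale timestamps and reused nonces, then compare in constant time.
    public static bool Verify(byte[] secret, string method, string path, long unixTime, string nonce,
                              string body, string signature, long now, ISet<string> seenNonces, int windowSeconds = 300)
    {
        if (Math.Abs(now - unixTime) > windowSeconds) return false;   // outside the freshness window
        if (!seenNonces.Add(nonce)) return false;                      // nonce already used: replay
        byte[] expected = Convert.FromBase64String(Sign(secret, Canonical(method, path, unixTime, nonce, body)));
        byte[] given;
        try { given = Convert.FromBase64String(signature); } catch (FormatException) { return false; }
        if (expected.Length != given.Length) return false;
        int diff = 0;                                                   // constant-time compare
        for (int i = 0; i < expected.Length; i++) diff |= expected[i] ^ given[i];
        return diff == 0;
    }
    public static void Main()
    {
        byte[] secret = Encoding.UTF8.GetBytes("constructed-sample-secret-issued-to-client-42");
        var seen = new HashSet<string>();          // constructed stand-in for a shared nonce store with expiry
        long now = 1700000000;
        string nonce = Guid.NewGuid().ToString("N"), body = "{\"amount\":10}";
        string sig = Sign(secret, Canonical("POST", "/api/transfer", now, nonce, body));
        Console.WriteLine(Verify(secret, "POST", "/api/transfer", now, nonce, body, sig, now + 5, seen));  // fresh request
        Console.WriteLine(Verify(secret, "POST", "/api/transfer", now, nonce, body, sig, now + 6, seen));  // same nonce sent again
        Console.WriteLine(Verify(secret, "POST", "/api/transfer", now, "other", "{\"amount\":999}", sig, now + 7, seen)); // altered body
    }
}
```

The per-client secret has to be provisioned to the client out of band (it is never the user's password hash, which would turn into a reusable credential on the wire, as the hashing comment above implies); the nonce store must be shared across server instances and pruned by the same window the timestamp check uses.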