What do you think is the best way to connect two servers through a C# web service? I don't want to use SSL, because it consumes too much server CPU and I don't want to add more load on the machines. And besides, it's slower.

Perhaps OAuth2, WS-Security or any custom service like sending tokens (nonce+timestamp) maybe to prevent resend attacks. Thanks for any suggestions.

Markus Olsson
  • MITM: Man in the Middle Attack, where someone has interposed themselves between you and the machine you're connecting to, you authenticate to him, he authenticates to your destination and then proceeds to hoover your credit card number as you order flowers from Starbucks because you forgot it was your sweetie's birthday – Andrew May 18 '11 at 13:32
  • You'll usually get better responses on Stack Overflow if you use proper punctuation, capitalize your I's, and things like that. Some of the new filters might even prevent you from asking a question without doing so. – Justin Morgan - On strike May 18 '11 at 13:46

2 Answers

My bet would still be on SSL. Use client certificates in order to verify incoming requests. It's in use on a large scale to protect sensitive information exchange and is especially well suited to protect against MITM.

The overhead of SSL will most likely not affect your CPU usage noticeably; have you measured? The handshake might be an issue if you're handling large amounts of small requests, but if I understand you correctly you only have two servers, and in that case that overhead (if my understanding of SSL/TLS is correct) will be amortized over the lifetime of the SSL session.

Short answer: It's unlikely that your CPU usage will be adversely affected by adding SSL, but you should always profile your scenario before jumping to conclusions.

More reading

Markus Olsson

WS-Security has mutual authentication and message signing. This mode requires that the sending server has a certificate (public key) of the receiver. The sender can then check that the response has not been tampered with by verifying the signature and can check that the signing certificate used to sign the response was the correct one for the receiver.

Richard Schneider
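
The two checks this answer describes, reduced to their core as an added C# example (not the answerer's code and not a WS-Security implementation): it signs raw response bytes with RSA, whereas WS-Security applies XML Signature to the SOAP message. The certificate subjects, message bodies and helper names are constructed for the demo.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

static class SignedResponseDemo
{
    // Constructed stand-in for a server certificate (self-signed, demo only).
    static X509Certificate2 MakeCert(string subject)
    {
        RSA key = RSA.Create(2048);
        var req = new CertificateRequest(subject, key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        return req.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddDays(30));
    }

    // Receiver side: sign the response bytes with the certificate's private key.
    static byte[] Sign(byte[] body, X509Certificate2 cert)
    {
        using RSA key = cert.GetRSAPrivateKey();
        return key.SignData(body, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
    }

    // Sender side: accept only if the presented certificate is the receiver certificate
    // already on file AND the signature over the body verifies with its public key.
    static bool Verify(byte[] body, byte[] sig, X509Certificate2 presented, byte[] trustedCertDer)
    {
        if (!presented.RawData.SequenceEqual(trustedCertDer))
            return false; // signed with a certificate other than the receiver's
        using RSA pub = presented.GetRSAPublicKey();
        return pub.VerifyData(body, sig, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
    }

    static void Main()
    {
        X509Certificate2 receiver = MakeCert("CN=receiver.example"); // constructed
        X509Certificate2 other = MakeCert("CN=other.example");       // constructed
        byte[] trusted = receiver.RawData; // the receiver certificate the sender has on file
        byte[] body = Encoding.UTF8.GetBytes("<Balance>100</Balance>");     // constructed response
        byte[] tampered = Encoding.UTF8.GetBytes("<Balance>900</Balance>"); // altered in transit
        byte[] sig = Sign(body, receiver);

        Console.WriteLine("genuine response accepted: " + Verify(body, sig, receiver, trusted));
        Console.WriteLine("tampered body accepted:    " + Verify(tampered, sig, receiver, trusted));
        Console.WriteLine("other signer accepted:     " + Verify(body, Sign(body, other), other, trusted));
    }
}
```

Signing gives integrity and origin authentication only; the message body still travels in the clear unless it is also encrypted.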