Last post Nov 17, 2016 08:31 PM by PatriceSc
Nov 16, 2016 08:50 PM | omega71044
I'm pretty new and have done some research. I'm trying to integrate security measures and would like to have both the username and password encrypted when establishing an HTTPS GET method/connection. The encryption should be SHA-2. Which web.config tags/code lines should be used/called, and what is the C# code to decrypt the network credentials so we can establish a secure connection and be able to call the API?
using System.Net;

// URL is the API endpoint; ID and token are the account's credentials.
HttpWebRequest request = (HttpWebRequest)WebRequest.Create(URL);
request.Method = "GET";
request.ContentType = "application/xml";
request.Accept = "application/xml";
// Credential handed to the request; it is sent when the server challenges for authentication.
request.Credentials = new NetworkCredential(ID, token);
Nov 16, 2016 09:38 PM | PatriceSc
SSL/TLS allows you to create an encrypted channel between two points. It is done for you at a lower level and requires basically no change in the client or server app. It is unrelated to user authentication (unless maybe using a client-side certificate as well), which will then happen over the encrypted connection.
Does URL use an https: prefix? Do you have a problem when this code runs? You could also have a look at https://www.ssllabs.com/ to test your SSL config.
Nov 17, 2016 04:52 AM | omega71044
I think there is a misunderstanding; I would like to encrypt and decrypt the network credentials for establishing secure API communication.
Nov 17, 2016 08:31 PM | PatriceSc
Using https IS encrypting ALL data exchanged between the client and the server. If you want to encrypt (or rather hash?) the password, it seems you want something such as "digest authentication". See
If you want full control over how it is hashed, then you would likely have to write your own custom code.
Using digest is AFAIK rare:
- over http, it protects only the password but not the content
- over https, it would hash a password and then the request that includes this hashed password would be encrypted anyway
For APIs, another common option is to use API keys (i.e. you "identify" which app is using your service). You can then change or revoke those keys more easily than if you are using a single user/password account for all applications accessing a particular service.
Edit: don't assume "if encrypted it is safe". Try to identify a problem and do things to solve the problem you identified. A thing I see often is encrypting the query string, but:
- depending on how it is done, if I log in to the same app and get, for example, a screenshot showing this id, I could perhaps still gain access to the same page
- another app that doesn't encrypt this value could do a check, see that the current user is not allowed to access this row id, and then reject the request
i.e. the "encryption" would not really prevent unauthorized access (unlike the 2nd application). It just makes the id harder to guess.
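To make the thread's point concrete on the client side, here is an added example (not code from either poster) of the original GET request with the checks a practitioner would want: the credential is read from configuration rather than hardcoded, it is refused unless the endpoint is https, and it is scoped with CredentialCache to that origin and one authentication scheme so it is not offered to any host or challenge type. The appSettings keys (ApiUrl, ApiUser, ApiToken) are placeholders assumed for this example.

```csharp
using System;
using System.Configuration;
using System.Net;

// Added example; the appSettings keys below are assumed placeholders.
static class SecureApiClient
{
    public static HttpWebRequest BuildRequest()
    {
        var url = new Uri(ConfigurationManager.AppSettings["ApiUrl"]);  // e.g. https://api.example.com/items
        string id = ConfigurationManager.AppSettings["ApiUser"];
        string token = ConfigurationManager.AppSettings["ApiToken"];

        // TLS is what keeps the username/password confidential on the wire, so
        // never attach the credential to a plain-http URL.
        if (!string.Equals(url.Scheme, Uri.UriSchemeHttps, StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException("Credentials are only sent over https.");

        // A bare NetworkCredential on request.Credentials answers any challenge
        // (Basic, Digest, NTLM, ...) from any host a redirect leads to. A
        // CredentialCache entry is limited to this origin and this scheme.
        var cache = new CredentialCache();
        var origin = new Uri(url.GetLeftPart(UriPartial.Authority));
        cache.Add(origin, "Basic", new NetworkCredential(id, token));

        var request = (HttpWebRequest)WebRequest.Create(url);
        request.Method = "GET";
        request.Accept = "application/xml";
        request.Credentials = cache;
        // Do not silently follow a redirect that could move the request off https.
        request.AllowAutoRedirect = false;
        return request;
    }
}
```

Swap "Basic" for "Digest" if the API challenges with digest authentication, as discussed above; either way the request body and headers still travel inside the TLS channel.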