(c) 2002 Visual Studio Magazine 
Fawcette Technical Publications

Issue: June 2002
Section: Secure Web Services
Author: Wei Meng Lee

VB.NET	Pass the User's Credential Using the NetworkCredential Class
Listing 1	You can pass the user name, password, and domain using the NetworkCredential object. Attach the NetworkCredential object to the Web service proxy object using the Credentials property.

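'---Calls the getBalance() Web method with the credentials typed into
'   the form and shows the result in lblBalance.
'   NOTE(review): the proxy namespace suggests HTTP Basic
'   authentication. If so, the user name and password are only
'   Base64-encoded on the wire, so the service URL should be HTTPS -
'   confirm the endpoint configuration.
Private Sub cmdGetBalance_Click(ByVal sender _
	As System.Object, ByVal e As _
	System.EventArgs) Handles cmdGetBalance.Click

	'---proxy for the web service
	Dim ws As New BasicAuth.Service1()

	'---credentials come straight from the form; the domain is fixed
	Dim cre As New NetworkCredential( _
		txtUserID.Text, txtPasswd.Text, "staff")
	ws.Credentials = cre

	Try
		lblBalance.Text = "Your balance is :" _
			& ws.getBalance()
	Catch err As WebException
		'---only an HTTP 401 means the credentials were rejected;
		'   timeouts, name-resolution errors and other HTTP failures
		'   are reported as a general failure instead
		Dim rejected As Boolean = False
		If TypeOf err.Response Is HttpWebResponse Then
			rejected = (DirectCast(err.Response, _
				HttpWebResponse).StatusCode = _
				HttpStatusCode.Unauthorized)
		End If
		If rejected Then
			MsgBox("Authentication failed!")
		Else
			MsgBox("Operation failed!")
		End If
	Catch err As Exception
		MsgBox("Operation failed!")
	End Try

End Sub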

VB.NET	Expose the Public Key Using the getPublicKey() Web Method
Listing 2	The Web service generates the public/private key pair only once. It then stores the pair in Application variables.

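'---Returns the service's RSA public key as an XML string. The key
'   pair is created on the first call and both halves are cached in
'   Application state.
'   NOTE(review): the private key is kept as plain XML in Application
'   state. That state presumably lives in the worker process, so a
'   restart would create a new pair and invalidate public keys that
'   clients already hold - confirm this is acceptable.
'   NOTE(review): the parameterless constructor uses the provider's
'   default key size; consider passing an explicit size after checking
'   that Encryption.Asymmetric copes with it.
'   NOTE(review): nothing here authenticates the key to the caller.
'   Unless the channel itself is authenticated (HTTPS), the client
'   cannot tell this key from a substituted one.
<WebMethod()> Public Function getPublicKey() _
	As String
	'---serialize first use: without the lock two concurrent first
	'   callers could each generate a pair and leave one pair's
	'   public key stored next to the other pair's private key
	Application.Lock()
	Try
		If Not Application("KeyAccessed") Then
			Dim RSA As New RSACryptoServiceProvider()
			'---False exports the public parameters only
			Application("publicKey") = RSA.ToXmlString(False)
			'---True also exports the private parameters
			Application("privateKey") = RSA.ToXmlString(True)
			Application("KeyAccessed") = True
		End If
		Return Application("publicKey")
	Finally
		Application.UnLock()
	End Try

End Function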


VB.NET	Use This Code for the Login() Web Method
Listing 3	The Login() method decrypts the encrypted password using Asymmetric decryption. The user name and password are hard-coded here.

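'---Checks a user ID and an asymmetrically encrypted password.
'   Returns True only when the user ID matches and the password
'   decrypts to the expected value; returns False otherwise, including
'   when no key pair exists yet or no password was sent.
'   NOTE(review): the accepted user ID and password are literals for
'   demonstration; a real service would check a credential store that
'   holds salted password hashes.
'   NOTE(review): nothing ties the ciphertext to a session or a
'   one-time value, so the encrypted password is itself a reusable
'   credential. Transport security (HTTPS) is still needed.
<WebMethod()> Public Function Login(ByVal _
	UserID As String, ByVal password As _
	String) As Boolean
	Dim AD As New Encryption.Asymmetric()
	Dim privatepara As String
	privatepara = Application("privateKey")

	'---the key pair is only created by getPublicKey(); before that
	'   call nothing can have been encrypted for this service
	If privatepara Is Nothing OrElse password Is Nothing Then
		Return False
	End If

	'---Decrypt with private key. This runs before the user ID is
	'   looked at, so a wrong user ID and a wrong password take the
	'   same path.
	Dim decryptedpassword As String = _
		AD.Decrypt(password, privatepara)

	Return (UserID = "lwm") AndAlso _
		(decryptedpassword = "secret")
End Function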


VB.NET	Enable Users to Check Their Bank Balance
Listing 4	Use this code for the getBalance() Web method. Pass the user's credential using the SOAP header. 

'---SOAP header type that carries the caller's credentials to the Web
'   service; getBalance() receives it through its SoapHeader attribute.
Public Class UserInfo
	Inherits System.Web.Services.Protocols.SoapHeader

	'---user ID as supplied by the caller
	Public UserID As String

	'---password field; the Get Balance client fills it with the
	'   asymmetrically encrypted password, not the clear text
	Public Password As String
End Class

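	'---Returns the caller's balance as a symmetrically encrypted
	'   string. The credentials arrive in the userLogin SOAP header;
	'   the password in it is decrypted with the service's private
	'   key. A missing header, missing password or missing key pair is
	'   treated like a wrong password instead of raising an error.
	'   NOTE(review): secretkey is a literal that the client in
	'   Listing 6 also contains, and it is passed as both the second
	'   and third argument of Encrypt - presumably key and IV (confirm
	'   against Encryption.Symmetric). A key compiled into both ends
	'   does not keep the reply confidential from anyone holding
	'   either binary; derive a per-session key or rely on HTTPS.
	'   NOTE(review): the user ID and password literals are for
	'   demonstration only.
	<WebMethod(), SoapHeader("userLogin")> _
		Public Function getBalance() As String
		Dim AD As New Encryption.Asymmetric()
		Dim secretkey As String = _
			"1234567890123456"
		Dim SE As New Encryption.Symmetric()

		Dim privatepara As String = _
			Application("privateKey")
		Dim authenticated As Boolean = False

		'---the header is absent when the caller did not send one,
		'   and the key pair does not exist until getPublicKey() has
		'   been called
		If Not (userLogin Is Nothing) AndAlso _
			Not (privatepara Is Nothing) Then
			If Not (userLogin.Password Is Nothing) Then
				'---decrypt before comparing anything so every
				'   complete request takes the same path
				Dim decryptedpassword As String = _
					AD.Decrypt(userLogin.Password, _
					privatepara)
				authenticated = _
					(userLogin.UserID = "lwm") AndAlso _
					(decryptedpassword = "secret")
			End If
		End If

		If authenticated Then
			Return SE.Encrypt( _
				"Your balance is currently " & _
				"$1000000", secretkey, secretkey)
		Else
			Return SE.Encrypt( _
				"Wrong password, dude!", _
				secretkey, secretkey)
		End If
	End Function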

VB.NET	Create Code for the Login Button
Listing 5	First, obtain the public key from the Web service. Then, encrypt the password using the public key before sending it to the Web service.

'---Login button: fetches the Web service's public key, encrypts the
'   typed password with it and sends the user ID plus ciphertext to
'   Login(). Progress and the result are shown in StatusBar1.
'   NOTE(review): the key returned by getPublicKey() is used as-is.
'   Whether the channel authenticates the service (HTTPS) is not
'   visible here - confirm, because an unauthenticated key gives no
'   assurance about who can decrypt the password.
Private Sub cmdLogin_Click(ByVal sender As _
	System.Object, ByVal e As _
	System.EventArgs) Handles cmdLogin.Click
	Dim service As New _
		WebserviceEncryption.Service1()
	Dim rsaHelper As New Encryption.Asymmetric()

	'---ask the Web service for its public key---
	Dim serverKey As String = service.getPublicKey()

	'---status: encrypting---
	StatusBar1.Text = "Encrypting Password ..."

	'---encrypt the password and show the ciphertext in the 
	'textbox---
	Dim cipherText As String = _
		rsaHelper.Encrypt(txtPassword2.Text, serverKey)
	txtEncryptedPassword.Text = cipherText

	'---status: calling Login()---
	StatusBar1.Text = "Logging in ..."
	Dim accepted As Boolean = _
		service.Login(txtUserID2.Text, cipherText)
	If accepted Then
		StatusBar1.Text = "Login successful!"
	Else
		StatusBar1.Text = "Login failed."
	End If
End Sub

VB.NET	Create the Code for the Get Balance Button
Listing 6	Decrypt the result using a symmetric key. A good candidate for the symmetric key is the user's login password.

'---Get Balance button: sends the user ID and the asymmetrically
'   encrypted password in the UserInfo SOAP header, then decrypts the
'   service's reply and shows it in lblBalance2.
'   NOTE(review): sharedKey is a literal compiled into the client and
'   passed as both the second and third argument of Decrypt -
'   presumably key and IV (confirm against Encryption.Symmetric).
'   Anyone with a copy of this client holds the same key, so it
'   should be replaced by a per-session secret or by HTTPS.
Private Sub cmdGetBalance2_Click(ByVal _
	sender As System.Object, ByVal e As _
	System.EventArgs) Handles _
	cmdGetBalance2.Click
	Dim service As New WebserviceEncryption.Service1()
	Dim credentials As New _
		WebserviceEncryption.UserInfo()

	Dim rsaHelper As New Encryption.Asymmetric()
	Dim symmetricHelper As New Encryption.Symmetric()

	Dim sharedKey As String = "1234567890123456"

	'---fill the header: user ID in clear, password encrypted with
	'   the service's public key---
	credentials.UserID = txtUserID2.Text
	credentials.Password = rsaHelper.Encrypt( _
		txtPassword2.Text, service.getPublicKey())

	'---attach the header to the proxy so it travels with the call---
	service.UserInfoValue = credentials

	'---call the service, then decrypt what it returned---
	Dim encryptedReply As String = service.getBalance()
	lblBalance2.Text = symmetricHelper.Decrypt( _
		encryptedReply, sharedKey, sharedKey)
End Sub
