The obvious solution would be to use WCF to establish an SSL or TLS connection instead of attempting to build that into the application.
This is not possible since that requires a hosting provider that is able to run a WCF service. I am attempting to create a secure connection between a Silverlight application and a php webpage, that is used to query a database and send back the results in xml. It is also used to update the database.
The hosting provider does not offer ssl connections. I am attempting to build the security into the application so as not to rely on SSL/TLS. – cmaduro Apr 23 '10 at 3:50.
SSL/TLS suffers from the same problem that any Diffie-Hellman-based implementation you come up with would have, in that it can still be broken by a man-in-the-middle attack. The reason TLS is secure and trusted is because the client, when receiving the server's certificate, authenticates it by checking that it is signed with another certificate from a known trusted identity - say, VeriSign. Thus far, this makes it impossible to enact a man-in-the-middle attack without having VeriSign's private key - when the interloper sends a fake certificate proclaiming to be the server, the client would easily detect that this certificate is not signed using the trusted identity's certificate, and bails out of the connection, displaying a warning to the user.
For your purposes, it's likely easiest to use TLS. To make it secure, you would generate a certificate for your server, and then embed in your client the public key for that certificate. The client can then verify that it is talking to your server, without having to expose the private key, which you don't have to distribute.
EDIT: In response to your comment on Jerry's answer, if your hosting provider doesn't allow SSL/TLS connections at all, preventing a man-in-the-middle attack will be tricky. If this is your only reason for avoiding TLS, I would suggest getting your provider to turn it on, or finding a provider that allows for it.

EDIT: In response to your edited question: even if you're now using RSA in your Silverlight client to send data to your web service, you cannot guarantee that the client itself has not been modified. It's quite possible for an attacker to dig into your client, determine the algorithm you're using to perform the encryption/handshake, and then write code to impersonate your client (or indeed, modify the client to include their code).
Once they've done that, they can start analyzing your API and use it to make calls to your web service. It's the same with SSL/TLS - the client can validate the identity of the host using the host's certificate, and as long as the host's server is secured, the client can trust the output from the host; however, there is no mechanism in which the host can 100% validate that the client is who they say they are, as the client will be run on a machine which does not have a controlled execution environment. However - despite the above being true, and that it's possible that an attacker can compromise your system in this way, it's likely not probable -- unless you're working on a public-facing system that attracts a lot of attention/use, or a system that deals directly with money in some form, the attacker needs to make some effort before being able to send their own input to your web service.
Your best bet is to validate the input received by your web service thoroughly, and don't leave dangling APIs accessible that your regular client would never use.
– cmaduro Apr 23 '10 at 3:55

You should be able to use the WebClient class and pass it a https: URI to communicate with PHP. The web server then just needs to be configured with a certificate. A cursory search on Google reveals that you may also have to set an XML setting with your application to allow TLS connections; I could not find more concrete information than that, being unfamiliar with Silverlight. – Blair Holloway Apr 23 '10 at 4:05

If your hosting provider doesn't allow SSL/TLS connections at all, it's time to get a new hosting provider... – BlueRaja - Danny Pflughoeft May 4 '10 at 15:25
I recommend starting with this JavaScript+PHP DH key exchange protocol: enanocms.org/News:Article/2008/02/20/Dif... You can then re-write the JavaScript in Silverlight. I recommend using Wireshark to dump packets; then you can use Meld or whatever to diff the packets to see where your implementation differs from the original. Good Luck! (Disclaimer: I totally agree with the Enano dev team, this is not a full replacement of SSL and SSL should be used whenever possible.)