We are dealing with one huge client that provides technological solutions based on SAP and .NET. They hired us to develop the presentation layer, and it's damn difficult to make them change the way they work, even if we know that they aren't making the best decisions. Anyway, I don't see how changing from web services to Flash Remoting would solve the problem. It's still an SOA architecture, with exposed services, and the only difference is that the data is transferred in binary (but not difficult to interpret, even more so now with the release of the AMF specification). PKI seems to be the solution, but our expertise is not security. Also, I have doubts about:

1- Does Flex have tools to deal with this kind of thing?
2- From what I recall, PKI needs a private key on both sides. This would mean that the key is hard-coded in the Flash client.

I am thinking of something simple like:

1- The client communicates with a web service requesting access.
2- The server initiates a session, returning a random string.
3- The client runs some kind of algorithm, made by us, to "encrypt" the string, and returns it. Or, it uses a known algorithm that encrypts the string using a keyword.
4- The server runs the same algorithm on the string, and compares the result with the returned encrypted string. If they are the same, the session changes its state to validated, allowing access to the web services. If not, the session is terminated.

This is far from perfect, and far from secure, because the client could be decompiled and the "encryption" algorithm could be easily broken, but at least it would be a bit more reliable than having the web service completely exposed. We are dealing here with probabilities... What do you think?

