I have read the documentation provided at MSDN, and some other posts on this site. However, it's still a bit unclear whether WCF (specifically, NetTcpBinding) will actually encrypt message contents when using message security with certificates. Does anyone know for sure?
For instance you can specify both transport and message credentials in your config:
<security mode="TransportWithMessageCredential">
<transport clientCredentialType="Certificate"/>
<message clientCredentialType="Certificate"
negotiateServiceCredential="true" />
</security>
As far as I can tell, the MSDN documentation implies that message security simply relies on either username/password or certificate-based authentication (negotiation), but doesn't specifically state that the messages themselves are actually encrypted at the message level.
For instance, if I use ONLY message security, with certificate-based negotiation, I don't think message contents are actually encrypted (i.e. a packet sniffer could intercept the raw message contents, even if the service enforces authentication)?
If true message-level encryption is possible (using NetTcpBinding), how is it done in code? I believe this is related to the AlgorithmSuite, though I'm not sure:
binding.Security.Mode = SecurityMode.Message;
binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;
binding.Security.Message.AlgorithmSuite = new System.ServiceModel.Security.TripleDesSecurityAlgorithmSuite();
WCF provides a high-level security framework suited to enterprise requirements. It builds on the WS-* standards (WS-Security and related specifications) to secure a service. Web API, by contrast, uses web-standard security such as basic authentication and token authentication and, for more complex cases, OAuth; Web API offers more flexibility here.
Programming WCF security is based on three steps: setting the security mode, a client credential type, and the credential values. You can perform these steps either through code or configuration.
Windows Communication Foundation (WCF) security has three common security modes that are found on most predefined bindings: transport, message, and "transport with message credential." Two additional modes are specific to two bindings: the "transport-credential only" mode found on the BasicHttpBinding, and the "Both" ...
Not sure if this fully answers your question, but according to this article TCP encrypts by default.
NetTcpBinding is secure by default. Specifically, callers must provide Windows credentials for authentication and all message packets are signed and encrypted over TCP protocol.
In other words, if you customise the configuration but use a security mode other than 'None',
By default, all secure WCF bindings will encrypt and sign messages. You cannot disable this for transport security; for message security, however, you may wish to disable it for debugging purposes, or when an alternate method of protection is used, such as IPsec.
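Putting the two points together in code, as an added example (it is not code from the question, the answer, or the MSDN articles they quote): NetTcpBinding with SecurityMode.Message and certificate credentials, the AlgorithmSuite the question asks about, and the contract-level ProtectionLevel that is the switch the answer refers to when it says message-security encryption can be turned down for debugging or when IPsec already protects the link. The contract names IEcho and IEchoSignOnly, the EchoService class, the file names service.pfx and client.pfx, and the DNS identity "ServiceHostName" are assumptions for illustration; the certificate subject and identity must match in a real deployment.

```csharp
using System;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

// Contract-level protection requirement. EncryptAndSign is what a secure
// binding already gives you by default; stating it explicitly prevents a
// misconfigured endpoint from silently negotiating something weaker.
[ServiceContract(ProtectionLevel = ProtectionLevel.EncryptAndSign)]
public interface IEcho
{
    [OperationContract]
    string Echo(string text);
}

// Debug-only variant: messages are still signed (integrity, authentication)
// but the body travels in clear text, so a sniffer can read it. Only use
// this when the link is protected another way, e.g. by IPsec.
[ServiceContract(ProtectionLevel = ProtectionLevel.Sign)]
public interface IEchoSignOnly
{
    [OperationContract]
    string Echo(string text);
}

public class EchoService : IEcho, IEchoSignOnly
{
    public string Echo(string text) => text;
}

public static class SecureNetTcp
{
    // Pure message security over TCP: nothing like TLS on the wire, the
    // SOAP body is encrypted and signed with WS-Security using keys derived
    // from the service certificate (assumption: certificates already issued).
    public static NetTcpBinding CreateMessageSecurityBinding()
    {
        var binding = new NetTcpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;
        // true: the client obtains the service certificate through a
        // WS-Trust negotiation; false: the client must already hold it.
        binding.Security.Message.NegotiateServiceCredential = true;
        // Default is Basic256 (AES-256 / SHA-1). Basic256Sha256 keeps AES-256
        // and moves digests to SHA-256; prefer either over TripleDes.
        binding.Security.Message.AlgorithmSuite = SecurityAlgorithmSuite.Basic256Sha256;
        return binding;
    }

    public static ServiceHost CreateHost(Uri address, X509Certificate2 serviceCert)
    {
        var host = new ServiceHost(typeof(EchoService), address);
        host.AddServiceEndpoint(typeof(IEcho), CreateMessageSecurityBinding(), "encrypted");
        host.AddServiceEndpoint(typeof(IEchoSignOnly), CreateMessageSecurityBinding(), "signed");
        host.Credentials.ServiceCertificate.Certificate = serviceCert;
        // Validate client certificates against the trust store; never leave
        // this at None outside a lab.
        host.Credentials.ClientCertificate.Authentication.CertificateValidationMode =
            X509CertificateValidationMode.PeerOrChainTrust;
        return host;
    }

    public static IEcho CreateClient(Uri address, X509Certificate2 clientCert)
    {
        // The DNS identity must match the subject of the service certificate
        // (assumed here to be "ServiceHostName"); WCF refuses the negotiated
        // certificate otherwise, which is the protection against a spoofed host.
        var endpoint = new EndpointAddress(address, EndpointIdentity.CreateDnsIdentity("ServiceHostName"));
        var factory = new ChannelFactory<IEcho>(CreateMessageSecurityBinding(), endpoint);
        factory.Credentials.ClientCertificate.Certificate = clientCert;
        factory.Credentials.ServiceCertificate.Authentication.CertificateValidationMode =
            X509CertificateValidationMode.ChainTrust;
        return factory.CreateChannel();
    }
}

public static class Program
{
    public static void Main()
    {
        // Assumed PFX files; in production load certificates from the store.
        var serviceCert = new X509Certificate2("service.pfx", "service-pfx-password");
        var clientCert = new X509Certificate2("client.pfx", "client-pfx-password");

        var baseAddress = new Uri("net.tcp://localhost:9000/echo");
        using (var host = SecureNetTcp.CreateHost(baseAddress, serviceCert))
        {
            host.Open();
            IEcho client = SecureNetTcp.CreateClient(new Uri(baseAddress, "echo/encrypted"), clientCert);
            Console.WriteLine(client.Echo("hello over encrypted WS-Security"));
            ((IClientChannel)client).Close();
        }
    }
}
```

With the IEcho endpoint, a capture of TCP port 9000 shows the negotiation handshake followed by SOAP envelopes whose bodies are xenc:EncryptedData blocks; with the IEchoSignOnly endpoint, the same capture shows the plain text of the body alongside a ds:Signature. That difference is the practical check for the question's concern about sniffing: message security on NetTcpBinding does encrypt, unless the contract or operation lowers its ProtectionLevel.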