Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Is TransportWithMessageCredential without certificate secure enough for a WCF service?

I have developed a WCF self-hosted service, for which I have two basic security requirements as it will be accessed over the Internet:

  • The transport layer should prevent tampering and sniffing, especially the retrieval of authentication credentials. This is what SSL does, but from what I have seen setting up SSL requires the installation of certificates (except maybe through this hack that uses plain certificate files), which I prefer not to have to do.

  • The authentication layer should consist of a username/password validator.

I configured my service to use:

      <security mode="TransportWithMessageCredential">
        <message clientCredentialType="UserName" />
        <transport clientCredentialType="Basic" />
      </security>

Even if the transport layer is HTTP (not HTTPS), does this make WCF create another security layer that is equivalent to SSL? If not, what is the difference in terms of security strength?

Also, is there any way to secure the meta data endpoint without using a SSL certificate (not essential but would be appreciated)?

Here is my full configuration code for the self-hosted service:

<?xml version="1.0"?>
<configuration>
<startup><supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.0"/></startup>
  <system.serviceModel>
    <services>
      <service name="MyService">
        <host>
          <baseAddresses>
            <add baseAddress = "http://localhost:8000/Services" />
          </baseAddresses>
        </host>
        <endpoint address ="MyService" binding="wsHttpBinding" contract="IMyService">
          <identity>
            <dns value="localhost"/>
          </identity>
        </endpoint>
        <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/>
      </service>
    </services>
    <bindings>
      <wsHttpBinding>
        <binding name="Binding1" maxReceivedMessageSize="2147483647">
          <security mode="TransportWithMessageCredential">
            <message clientCredentialType="UserName" />
            <transport clientCredentialType="Basic" />
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>
    <behaviors>
      <serviceBehaviors>
        <behavior>
          <serviceMetadata httpGetEnabled="True"/>
          <serviceCredentials>
            <userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="CR.Common.Services.CustomValidator, Common" />
          </serviceCredentials>
        </behavior>
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel>
</configuration>

Thank you!

like image 557
Erwin Mayer Avatar asked May 22 '12 05:05

Erwin Mayer


People also ask

How do you secure your WCF?

To secure an application that runs exclusively on a Windows domain, you can use the default security settings of either the WSHttpBinding or the NetTcpBinding binding. By default, anyone on the same Windows domain can access WCF services. Because those users have logged on to the network, they are trusted.

Is WCF encrypted?

By default, WCF does not encrypt the Action value but signs it if message security is used. Therefore, this information is available to all intermediaries, but no one can change it. Support for multiple transports.

Which of the following client credential type can be used with WCF security?

WCF ensures that the transport is secured when using user name credentials. Allows the service to require that the client be authenticated using an X. 509 certificate.

What is WCF security?

Windows Communication Foundation (WCF) is a SOAP message-based distributed programming platform, and securing messages between clients and services is essential to protecting data.


1 Answers

By default, all secure WCF bindings (like wsHttpBinding) will encrypt and sign messages.

SSL mandatory use a certificate, and the hack in the link you give is hacking wcf, not SSL. Because without SSL WCF forbid the use of the basicHttpBinding (which send xml in clear) and UserNamePasswordValidator, because in this case anyone that intercept the message can get the username/password.

With WSHttpBinding you could avoid SSL and put the security on the message level.

I strongly advise you to read this article, especially the Service Credentials and Negotiation chapter:

To support mutual authentication and message protection, services must provide credentials to the caller. When transport security is used (SSL), service credentials are negotiated through the transport protocol. Service credentials for message security can also be negotiated when Windows credentials are used; otherwise a service certificate must be specified

With the UserNamePasswordValidator, you must configure a certificate on the server to allow the client the sign and encrypt each message (using the certificate's public key). If you were using Windows authentication, it'll not be needed.

Why are you so worried about certificate ?

like image 105
Fabske Avatar answered Oct 20 '22 01:10

Fabske