
WCF Transport vs Message

I was reading about WCF security implementations and found out that there are 2 types of security: Transport Mode and Message Mode (or both).

If I used HTTPS for Transport Mode, is it more secure if I used Message security also? I am asking this because what I understand is as follows:

HTTPS uses the SSL protocol, which encrypts messages... so why should I add Message Security and encrypt the SSL-encrypted message? Or am I misunderstanding stuff?

scatman Avatar asked Apr 15 '11 06:04




2 Answers

Security in WCF actually consists of several features. The difference between those two is how messages are signed and encrypted.

Transport security provides only point-to-point channel security. It means that HTTPS establishes a secure channel only between the client and the server exposed to the client. But if this server is just a load balancer or reverse proxy server, it has direct access to the content of the message.

Message security provides end-to-end channel security. It means that security is part of the transferred data and only the intended destination can decrypt the data (the load balancer or proxy sees only the encrypted message). Message security in most cases also uses certificates to provide encryption and signing, but it is usually slower because transport security can use HW acceleration.

In advanced scenarios these methods can be combined. For example, you can have communication to your load balancer secured by HTTPS because you trust your internal network after the load balancer, but at the same time you can have the message signed (message security) so you can prove that it wasn't changed.

Another difference between those two is that transport security is tied to a single transport protocol, whereas message security is independent of the transport protocol.

Message security is based on interoperable protocols (but be aware that not every configuration in WCF is interoperable). WCF supports, at least partially, these protocols:

  • WS-Security 1.0 and 1.1 - basic rules for encryption, signing, token transport, timestamps, etc.
  • UserName token profile 1.0 - definition of the token used for transporting a user name and password. This specification is implemented only partially because WCF out of the box doesn't support digested passwords and requires using this token with either transport or message encryption.
  • X509 token profile 1.1 - definition of the token used for transporting certificates.
  • Kerberos token profile 1.1 - definition of the token used for transporting Kerberos tickets.
  • SAML 1.1 token profile 1.0 and 1.1 - definition of the token used for federated security. SAML 2.0 is provided by WIF.
  • WS-SecurityPolicy 1.1 and 1.2 - provides support for defining security assertions in WSDL.
  • WS-SecureConversation 1.3 and Feb. 2005 - provides support for security sessions where credentials are exchanged only during the first call and the rest of the communication uses a unique security token.
  • WS-Trust 1.3 and Feb. 2005 - provides support for federated scenarios and Security Token Services (STS).

WCF also supports WS-I Basic Security Profile 1.0, which is just a subset of the former protocols with a prescribed configuration.

For non-interoperable features WCF offers things like Windows security or TLSNego and SPNego (both should be generally interoperable, but they are not available in many SOAP stacks) for service credentials exchange.

Ladislav Mrnka Avatar answered Sep 23 '22 01:09

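The three WCF binding configurations the answers compare (transport only, message only, and the combined TransportWithMessageCredential mode), as an added C# example that is not code from the question or either answer; the IEcho contract, endpoint URL and certificate subject names are assumptions:

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;

// Hypothetical contract so the ChannelFactory below compiles.
[ServiceContract] public interface IEcho { [OperationContract] string Echo(string s); }

public static class WcfSecurityModes
{
    // Transport mode: TLS protects the hop from the client to whatever terminates HTTPS.
    // A TLS-terminating load balancer or reverse proxy sees the SOAP body in clear.
    public static WSHttpBinding TransportOnly()
    {
        var b = new WSHttpBinding(SecurityMode.Transport);          // endpoint must be https://
        b.Security.Transport.ClientCredentialType = HttpClientCredentialType.None;
        return b;
    }
    // Message mode: WS-Security signs and encrypts the SOAP body with the service
    // certificate, so intermediaries forward ciphertext; the transport may be plain http://.
    public static WSHttpBinding MessageOnly()
    {
        var b = new WSHttpBinding(SecurityMode.Message);
        b.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;
        b.Security.Message.EstablishSecurityContext = true;          // WS-SecureConversation session
        return b;
    }
    // Combined mode: TLS gives confidentiality and integrity on the wire, while the
    // client credential travels in the WS-Security header instead of at the HTTP/TLS layer.
    public static WSHttpBinding TransportWithMessageCredential()
    {
        var b = new WSHttpBinding(SecurityMode.TransportWithMessageCredential);
        b.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        return b;
    }
    // Client for the message-mode binding. Store names and subject names are assumptions;
    // the DNS identity must match the service certificate's subject for the channel to open.
    public static IEcho CreateMessageSecuredClient()
    {
        var address = new EndpointAddress(new Uri("http://service.example/echo"),
                                          EndpointIdentity.CreateDnsIdentity("service.example"));
        var factory = new ChannelFactory<IEcho>(MessageOnly(), address);
        factory.Credentials.ClientCertificate.SetCertificate(
            StoreLocation.CurrentUser, StoreName.My, X509FindType.FindBySubjectName, "client.example");
        factory.Credentials.ServiceCertificate.SetDefaultCertificate(
            StoreLocation.CurrentUser, StoreName.TrustedPeople, X509FindType.FindBySubjectName, "service.example");
        return factory.CreateChannel();
    }
}
```

With MessageOnly() the service and client certificates do the work the HTTPS session does in TransportOnly(), which is why the message-mode endpoint can sit behind an untrusted proxy on plain HTTP.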


This link outlines the reasons to use or not to use Message security.

Basically, transport security is preferred unless it cannot be used.

An excerpt from the link:

Pros and Cons of Transport-Level Security

Transport security has the following advantages:

  • Does not require that the communicating parties understand XML-level security concepts. This can improve the interoperability, for example, when HTTPS is used to secure the communication.
  • Generally improved performance.
  • Hardware accelerators are available.
  • Streaming is possible.

Transport security has the following disadvantages:

  • Hop-to-hop only.
  • Limited and inextensible set of credentials.
  • Transport-dependent.

Disadvantages of Message-Level Security

Message security has the following disadvantages:

  • Performance.
  • Cannot use message streaming.
  • Requires implementation of XML-level security mechanisms and support for the WS-Security specification. This might affect the interoperability.

Aliostad Avatar answered Sep 23 '22 01:09
