WCF Transport vs Message

by

Security in WCF actually consists of several features. The difference between those two is how are messages signed and encrypted.

Transport security provides only point-to-point channel security. It means that HTTPS establish secure channel only between client and server exposed to client. But if this server is just a load balancer or reverse proxy server it has direct access to content of the message.

Message security provides end-to-end channel security. It means that security is part of transferred data and only intended destination can decrypt the data (load balancer or proxy sees only encrypted message). Message security in most cases also uses certificates to provide encryption and signing but it is usually slower because transport security can use HW acceleration.

In advanced scenarios these methods can be combined. For example you can have communication to your load balancer secured by HTTPS because you trust your internal network after load balancer but in the same time you can have the message signed (message security) so you can prove that it wasn’t changed.

Another difference between those two is that transport security is related to single transport protocol whereas message security is independent on transport protocol.

Message security is based on interoperable protocols (but be aware that not every configuration in WCF is interoperable). WCF supports at least partially these protocols:

  • WS-Security 1.0 and 1.1 – basic rules for encryption, signing, token transport, timestamps, etc.
  • UserName token profile 1.0 – definition of token used for transporting user name and password. This specification is implemented only partially because WCF out of the box doesn’t support digested password and requires using this token either with transport or message encryption.
  • X509 token profile 1.1 – definition of token used for transporting certificates.
  • Kerberos token profile 1.1 – definition of token used for transporting Kerberos tickets.
  • SAML 1.1 token profile 1.0 and 1.1 – definition of token used for federated security. SAML 2.0 is provided by WIF.
  • WS-SecurityPolicy 1.1 and 1.2 – provides support for defining security assertion in WSDL.
  • WS-SecureConversation 1.3 and Feb. 2005 – provides support for security session where credentials are exchanged only during first call and rest of the communication uses unique security token.
  • WS-Trust 1.3 and Feb. 2005 – provides support for federated scenarios and Security token services (STS).

WCF also supports WS-I Basic Security Profile 1.0 which is just subset of former protocols with prescribed configuration.

For non interoperable features WCF offers features like Windows security or TLSNego and SPNego (both should be generally interoperable but their are not available in many SOAP stacks) for service credentials exchange.

More Related Contents:

  1. Correct way communicate WSSE Usernametoken for SOAP webservice
  2. Authentication Service using WCF
  3. How to get the X509Certificate from a client request
  4. Signing SOAP messages using X.509 certificate from WCF service to Java webservice
  5. How i can use wcf in a wpf application [closed]
  6. What is the best workaround for the WCF client `using` block issue?
  7. WCF vs ASP.NET Web API [closed]
  8. How does WCF deserialization instantiate objects without calling a constructor?
  9. What are the downsides to turning off ProxyCreationEnabled for CTP5 of EF code first
  10. Pattern for calling WCF service using async/await
  11. Could not find an implementation of the query pattern
  12. Task does not contain a definition for ‘GetAwaiter’
  13. how to generate a unique token which expires after 24 hours?
  14. WCF gives an unsecured or incorrectly secured fault error
  15. Get the object is null using JSON in WCF Service
  16. CORS Support within WCF REST Services
  17. WCF error : 405 Method Not Allowed
  18. Dependency Injection wcf
  19. Patterns for Compensating Lack of Inheritance in SOA
  20. WCF HttpTransport: streamed vs buffered TransferMode
  21. WCF ResponseFormat For WebGet
  22. How do I prevent a WCF service from enter a faulted state?
  23. WCF: Adding Nonce to UsernameToken
  24. WCF and interfaces on data contracts
  25. How to use Custom Serialization or Deserialization in WCF to force a new instance on every property of a datacontact ?
  26. How to handle WCF exceptions (consolidated list with code)
  27. What steps do I need to take to use WCF Callbacks?
  28. WCF, Interface return type and KnownTypes
  29. SqlConnection Thread-Safe?
  30. Is TLS 1.1 and TLS 1.2 enabled by default for .NET 4.5 and .NET 4.5.1?

Leave a Comment