Is transport-level security necessary when using message-level security in WCF?

I'm still trying to better understand WCF security.

One question I cannot understand is ... if message level protection is used, then the whole message can be signed / encrypted. If so, does it make sense to use message-level security and transport-level security? In other words, if the message itself is secure, why should I use something like HTTPS for transport security?

Thanks.

+7
security wcf
Jan 28 '11 at 14:50
3 answers

HTTPS (SSL, TLS) offers point-to-point features. I have already explained what this means in one of my previous answers.

The term Security in WCF consists of 4 components:

  • Authentication - credentials passed to the server to identify the client
  • Authorization - selectively determine which operations can be performed by an authenticated client
  • Confidentiality - encryption - only the expected recipient can decrypt the message and read sensitive data
  • Integrity - signature - the expected recipient can confirm that this message is from the advertised client, and it was not changed during the transfer.

Authorization is always part of the WCF application itself. Authentication is part of a WCF application or hosting system. The transport protocol can only be used to transfer credentials, and not to verify them. Confidentiality and Integrity are the responsibility of the transport protocol (transport security) or the WCF application (message security). Therefore, if you use encryption and signing at the message level, you do not need transport security.

+7
Jan 28 '11 at 17:29

If you use message-level security in the form of encryption, you do not need to use transport-level encryption either. However, this will make your message more secure. If you use only the security level at the message level to sign outgoing messages, you will also need to use security at the transport level if your message contains confidential information.

It is important to use transport-level security if message-level encryption is not used. In fact, WCF requires you to use SSL when using the plaintext UsernameToken, for example.

0
Jan 28 2018-11-11T00:
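
The combinations discussed in the answers above, shown as an added configuration example that is not part of the original posts: three `wsHttpBinding` configurations covering message-only security, transport-only security, and a username credential carried in the message over HTTPS. The binding names are made up for illustration.

```xml
<system.serviceModel>
  <bindings>
    <wsHttpBinding>

      <!-- Message security only: WCF signs and encrypts the SOAP message
           itself (WS-Security). The endpoint address can be plain http://
           and the protection stays with the message across intermediaries. -->
      <binding name="messageOnly">
        <security mode="Message">
          <message clientCredentialType="Windows" />
        </security>
      </binding>

      <!-- Transport security only: confidentiality and integrity come from
           HTTPS, so the endpoint address must be https://. Protection is
           point-to-point and ends wherever the TLS connection terminates. -->
      <binding name="transportOnly">
        <security mode="Transport">
          <transport clientCredentialType="None" />
        </security>
      </binding>

      <!-- Username credential in the SOAP header, channel protected by HTTPS.
           The message is not encrypted at the message level in this mode,
           so the credential relies on TLS for confidentiality. -->
      <binding name="userNameOverTls">
        <security mode="TransportWithMessageCredential">
          <message clientCredentialType="UserName" />
        </security>
      </binding>

    </wsHttpBinding>
  </bindings>
</system.serviceModel>
```

An endpoint selects one of these with `bindingConfiguration="..."`; the address scheme (http or https) has to match the chosen mode.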

As far as I remember, when using NetMsmqBinding, you can only use transport security and message level.

0
Jan 28 '11 at 18:38


