Message level security with SSL in WCF

  • Question

  • I am trying to use WCF to design a web service over the internet. The requirement is that we need to provide TLS (Transport Layer Security) and MLS (Message Layer Security). For this purpose, we are using "ws2007HttpBinding" with the security mode "TransportWithMessageCredential". Here, I find that the request is transferred over SSL, but when using Fiddler (for https) I find that the soap body is in clear text format.

    For the transport level security, I have used ClientCredentialType as "None" and for message level security, I have used "Certificate" as ClientCredentialType.

    I am using .net framework 3.5.

    For your information, I am using a different certificate for SSL & the server.

    My Web.config for Server is as follows.

    <system.serviceModel>
      <services>
        <service behaviorConfiguration="API_WCF.Service1Behavior" name="API_WCF.API">
          <endpoint address="https://localhost/API_WCF/API.svc" name="API" binding="ws2007HttpBinding" bindingConfiguration="customWsHttpBinding" contract="API_WCF.IAPI">
            <identity>
              <dns />
            </identity>
          </endpoint>
          <endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange" />
        </service>
      </services>
      <bindings>
        <ws2007HttpBinding>
          <binding name="customWsHttpBinding">
            <!-- For http -->
            <!--
            <security mode="Message">
              <message clientCredentialType="Certificate" negotiateServiceCredential="false" establishSecurityContext="false"/>
            </security>
            -->
            <!-- For https -->
            <security mode="TransportWithMessageCredential">
              <transport clientCredentialType="None"/>
              <message clientCredentialType="Certificate" negotiateServiceCredential="false" establishSecurityContext="false"/>
            </security>
          </binding>
        </ws2007HttpBinding>
      </bindings>
      <behaviors>
        <serviceBehaviors>
          <behavior name="API_WCF.Service1Behavior">
            <!-- To avoid disclosing metadata information, set the value below to false and remove the metadata endpoint above before deployment -->
            <serviceMetadata httpsGetEnabled="true" httpsGetUrl="https://localhost/API_WCF/API.svc/API"/>
            <serviceCredentials>
              <serviceCertificate findValue="CN=WSE2QuickStartServer" storeLocation="LocalMachine" x509FindType="FindBySubjectDistinguishedName" storeName="My"/>
              <clientCertificate>
                <authentication certificateValidationMode="ChainTrust" revocationMode="NoCheck"/>
              </clientCertificate>
            </serviceCredentials>
            <!-- To receive exception details in faults for debugging purposes, set the value below to true. Set to false before deployment to avoid disclosing exception information -->
            <serviceDebug includeExceptionDetailInFaults="true"/>
          </behavior>
        </serviceBehaviors>
      </behaviors>
      <diagnostics wmiProviderEnabled="true" performanceCounters="ServiceOnly">
        <messageLogging logEntireMessage="true" logMalformedMessages="true" logMessagesAtServiceLevel="true" logMessagesAtTransportLevel="true" maxMessagesToLog="3000"/>
      </diagnostics>
    </system.serviceModel>

    Kindly guide how to achieve message level security with transport layer security in WCF over the internet.



    Saturday, April 13, 2013 5:04 AM

Answers

  • I am trying to use WCF to design a web service over the internet. The requirement is that we need to provide TLS (Transport Layer Security) and MLS (Message Layer Security). For this purpose, we are using "ws2007HttpBinding" with the security mode "TransportWithMessageCredential". Here, I find that the request is transferred over SSL, but when using Fiddler (for https) I find that the soap body is in clear text format.

    [...]

    Kindly guide how to achieve message level security with transport layer security in WCF over the internet.


    In TransportWithMessageCredential, message-layer security is used only for passing credentials. Integrity and confidentiality are handled by transport-layer security.

    Why would you need to encrypt the SOAP body when the whole session is already protected by SSL?


    Marcus Björklund

    Please use "Mark As Answer" if my post has answered your question, and/or vote for it if you find it helpful. Thanks!

    Sunday, April 14, 2013 2:09 AM
  • I am trying to use WCF to design a web service over the internet. The requirement is that we need to provide TLS (Transport Layer Security) and MLS (Message Layer Security). For this purpose, we are using "ws2007HttpBinding" with the security mode "TransportWithMessageCredential". Here, I find that the request is transferred over SSL, but when using Fiddler (for https) I find that the soap body is in clear text format.

    [...]

    Kindly guide how to achieve message level security with transport layer security in WCF over the internet.


    In TransportWithMessageCredential, message-layer security is used only for passing credentials. Integrity and confidentiality are handled by transport-layer security.

    Why would you need to encrypt the SOAP body when the whole session is already protected by SSL?


    Marcus Björklund

    Please use "Mark As Answer" if my post has answered your question, and/or vote for it if you find it helpful. Thanks!


    Since this is a very specific client requirement, we need to implement the security at both (Transport & Message) layers. Also, in the WCF book by John Sharp, I found that it is possible to use both layers of security, but I am not able to implement the same. I know that when we use message layer security it is always time consuming; this leads to performance degradation of the application also.

    Kindly confirm my following understanding for TransportWithMessageCredential security mode.

    When this security mode is used, the entire session is definitely protected by SSL, but when the request is coming through multiple hops, data may get tampered with. The soap body is in clear text, as I found through Fiddler2; if somebody tampers with the soap body, the server cannot verify the integrity of the data using the client certificate.

    Waiting for your reply.

    Thanking You,

    Bhavin Shah

    Sunday, April 14, 2013 7:04 AM
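One way to confirm on the wire what Marcus describes and what Bhavin is worried about (an added example, not code from this thread): the script below reads a SOAP 1.2 envelope, such as one saved from Fiddler, and reports whether the WS-Security header's signature covers the Body and whether the Body content has been replaced by xenc:EncryptedData. The two envelopes are constructed for illustration, not real WCF captures, and the script inspects structure only; it verifies no signature and decrypts nothing.

```python
"""Report what a captured SOAP 1.2 envelope's WS-Security header protects at the
message layer (structure only: no signature is verified, nothing is decrypted)."""
import xml.etree.ElementTree as ET

NS = {
    "s": "http://www.w3.org/2003/05/soap-envelope",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}


def inspect_envelope(xml_text):
    """Return whether the Body is covered by a ds:Signature and/or encrypted."""
    root = ET.fromstring(xml_text)
    body = root.find("s:Body", NS)
    security = root.find("s:Header/wsse:Security", NS)
    body_id = body.get("{%s}Id" % NS["wsu"]) if body is not None else None
    signed_ids = set()
    if security is not None:
        # Each ds:Reference URI="#id" in the header's signatures names a signed part.
        for ref in security.iterfind(".//ds:Reference", NS):
            signed_ids.add(ref.get("URI", "").lstrip("#"))
    return {
        "has_security_header": security is not None,
        "body_signed": body_id is not None and body_id in signed_ids,
        "body_encrypted": body is not None and body.find("xenc:EncryptedData", NS) is not None,
        "signed_ids": sorted(signed_ids),
    }


# Constructed sample: the shape TransportWithMessageCredential + Certificate puts inside
# TLS. The client certificate only endorses the Timestamp (#_0); the Body (#_1) is neither
# signed nor encrypted, which is why Fiddler shows it in clear text.
TWMC_ENVELOPE = """<s:Envelope xmlns:s="%(s)s" xmlns:wsse="%(wsse)s" xmlns:wsu="%(wsu)s" xmlns:ds="%(ds)s">
<s:Header><wsse:Security><wsu:Timestamp wsu:Id="_0"><wsu:Created>2013-04-13T05:04:00Z</wsu:Created></wsu:Timestamp>
<wsse:BinarySecurityToken wsu:Id="cert">Q09OU1RSVUNURUQ=</wsse:BinarySecurityToken>
<ds:Signature><ds:SignedInfo><ds:Reference URI="#_0"/></ds:SignedInfo><ds:SignatureValue>Q09OU1RSVUNURUQ=</ds:SignatureValue></ds:Signature>
</wsse:Security></s:Header>
<s:Body wsu:Id="_1"><GetBalance xmlns="urn:api"><Account>42</Account></GetBalance></s:Body></s:Envelope>""" % NS

# Constructed sample: security mode="Message" with Certificate credentials. The signature
# covers Timestamp and Body, and the Body content has been replaced by an EncryptedData.
MESSAGE_ENVELOPE = """<s:Envelope xmlns:s="%(s)s" xmlns:wsse="%(wsse)s" xmlns:wsu="%(wsu)s" xmlns:ds="%(ds)s" xmlns:xenc="%(xenc)s">
<s:Header><wsse:Security><wsu:Timestamp wsu:Id="_0"><wsu:Created>2013-04-13T05:04:00Z</wsu:Created></wsu:Timestamp>
<ds:Signature><ds:SignedInfo><ds:Reference URI="#_0"/><ds:Reference URI="#_1"/></ds:SignedInfo><ds:SignatureValue>Q09OU1RSVUNURUQ=</ds:SignatureValue></ds:Signature>
</wsse:Security></s:Header>
<s:Body wsu:Id="_1"><xenc:EncryptedData><xenc:CipherData><xenc:CipherValue>Q09OU1RSVUNURUQ=</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></s:Body></s:Envelope>""" % NS
```

Run `inspect_envelope()` on a saved request; a Body that is neither signed nor encrypted while a Security header is present is exactly the TransportWithMessageCredential picture, where only TLS protects the payload.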

All replies

  • Message level security, if used, will always be used to secure your soap packets.

    Your security mode should look something like this - replace client credential type with certificate

    <security mode="TransportWithMessageCredential">
      <message clientCredentialType="UserName" />
    </security>


    Pravin Chandankhede

    Sunday, April 14, 2013 6:36 AM
  • Message level security, if used, will always be used to secure your soap packets.

    Your security mode should look something like this - replace client credential type with certificate

    <security mode="TransportWithMessageCredential">
      <message clientCredentialType="UserName" />
    </security>


    Pravin Chandankhede

    Hey,

    As per my understanding, in the security mode "TransportWithMessageCredential", the client credential type in the message is only used to authenticate the user. It is not used to secure the packets.

    Kindly confirm my understanding.

    Thanking You,

    Bhavin Shah

    Sunday, April 14, 2013 7:07 AM
  • Hi, I would agree with you.
    Tuesday, April 16, 2013 8:33 AM