Transport + Message (Both mode) security in WCF ?

  • Question

  • Hello,

    In WCF, how is transport + message security implemented?

    i.e. how are X.509 certificates used to encrypt in transport + message (BOTH mode) security?

    Thanks in advance

    Sunday, June 15, 2014 7:15 AM

All replies

  • Hi,

    >> how transport + message security is implemented ?

    It seems that you want to implement both the transport and message security modes in one WCF application. I suggest you use the security mode TransportWithMessageCredential.
    When the TransportWithMessageCredential security mode is configured, transport security is used to provide confidentiality and integrity for the transmitted messages and to perform service authentication. However, client authentication is performed by putting the client credential directly in the message. This allows you to use any credential type that is supported by the message security mode for client authentication while keeping the performance benefit of transport security mode. In short, client authentication is provided at the message level, and message protection and service authentication are provided at the transport level.

    For more information, please try to refer to:
    #Message and Transport Security:
    http://msdn.microsoft.com/en-us/library/ff648863.aspx .

    >>How X.509 certificates are used to encrypt transport + message (BOTH mode) security

    On the service side, the X.509 certificate is used to provide message protection and service authentication. If you use certificate authentication, then on the client side the X.509 certificate is used by the client to identify itself to the server.

    For more information, please try to refer to:
    #How to: Secure a Service with an X.509 Certificate:
    http://msdn.microsoft.com/en-us/library/ms788968(v=vs.110).aspx .

    Best Regards,
    Amy Peng




    Monday, June 16, 2014 6:07 AM
    Moderator
  • Hi,

    Suppose we implement Transport with Message Credentials in WCF: Transport Security will use SSL through X.509 Certificates, and Client Credentials are encrypted using X.509 Certificates again in Message Security.

    I mean to say, X.509 Certificates are used twice (in transport and message security)? Is this correct?

    Thanks in advance

    Monday, June 16, 2014 1:01 PM
  • Hi,

    When we use certificate authentication in TransportWithMessageCredential mode, it needs two certificates. One is the service certificate; the other is the client certificate. So the Transport Security will use SSL with the X.509 service certificate, and Client Credentials are encrypted using the X.509 client certificate.

    Best Regards,
    Amy Peng



    • Marked as answer by SixtyNine Tuesday, June 17, 2014 6:33 AM
    Monday, June 16, 2014 1:46 PM
    Moderator
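
The two-certificate setup described in the answers above, as an added C# sketch that is not part of the original thread: the service certificate protects the HTTPS transport, and the client certificate is presented at the message level. The contract `IEchoService`, the address and the certificate subject name are hypothetical, and the code assumes the service's TLS certificate is already bound to the port by the host (IIS or HTTP.SYS) and that the client certificate is in the current user's store.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

[ServiceContract]
public interface IEchoService { [OperationContract] string WhoAmI(); }

public class EchoService : IEchoService
{
    // The caller identity is derived from the client certificate carried in the SOAP security header.
    public string WhoAmI() { return ServiceSecurityContext.Current.PrimaryIdentity.Name; }
}

public static class Demo
{
    static WSHttpBinding CreateBinding()
    {
        // HTTPS provides confidentiality, integrity and service authentication;
        // the client credential is carried at the message level.
        var binding = new WSHttpBinding(SecurityMode.TransportWithMessageCredential);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;
        return binding;
    }

    public static void Main()
    {
        // Hypothetical address. Certificate 1 (service) is the TLS certificate bound to
        // this port by the host (IIS or HTTP.SYS); it is not set through WCF credentials here.
        var address = new Uri("https://localhost:8443/echo");

        using (var host = new ServiceHost(typeof(EchoService)))
        {
            host.AddServiceEndpoint(typeof(IEchoService), CreateBinding(), address);
            // Service side: decide which client certificates are acceptable.
            var auth = host.Credentials.ClientCertificate.Authentication;
            auth.CertificateValidationMode = X509CertificateValidationMode.ChainTrust;
            auth.RevocationMode = X509RevocationMode.Online;
            host.Open();

            var factory = new ChannelFactory<IEchoService>(CreateBinding(), new EndpointAddress(address));
            // Certificate 2 (client): hypothetical subject name, looked up in the user's store.
            factory.Credentials.ClientCertificate.SetCertificate(
                StoreLocation.CurrentUser, StoreName.My,
                X509FindType.FindBySubjectName, "client.example.test");
            Console.WriteLine(factory.CreateChannel().WhoAmI());
            factory.Close();
        }
    }
}
```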
  • So it means, if I use this: wsHttpBinding with UserName authentication and TransportWithMessageCredential in WCF, calling from Windows Forms.

    With this, can I achieve transport-level security and message-level security (encrypting the whole SOAP message)? Like a double security.


    Saturday, January 24, 2015 8:15 PM