netTCP clientcredentialtype=windows and encrypt and sign

  • Question

  • If I'm using a client credential type of Windows and setting the protection level to encrypt and sign, what security is being used? What I understand is that there isn't a certificate being used, but then how are the messages encrypted over TLS? I have provided my web.config below. I have another developer complaining that this may not be compliant with regard to PCI compliance and FISMA. I would like to know the algorithms used if possible. Thanks.

    <?xml version="1.0" encoding="utf-8" ?>
    <configuration>
      <system.serviceModel>
        <behaviors>
          <serviceBehaviors>
            <behavior name="mexBehavior">
              <serviceMetadata httpGetEnabled="true" />
            </behavior>
          </serviceBehaviors>
        </behaviors>
        <services>
          <service behaviorConfiguration="mexBehavior" name="ConnectionStringTunnel.ConnectionStringTunnel">
            <endpoint address="ConnectionStringTunnel" binding="netTcpBinding" bindingConfiguration="myNetTcpBinding" contract="ConnectionStringTunnel.IConnectionStringTunnel" />
            <host>
              <baseAddresses>
                <add baseAddress="http://test-services/ConnectionStringTunnel:abc" />
                <add baseAddress="net.tcp://test-services/ConnectionStringTunnel:xyz" />
              </baseAddresses>
            </host>
          </service>
        </services>
        <bindings>
          <netTcpBinding>
            <binding name="myNetTcpBinding">
              <security mode="Transport">
                <transport protectionLevel="EncryptAndSign" clientCredentialType="Windows" />
              </security>
            </binding>
          </netTcpBinding>
        </bindings>
      </system.serviceModel>
    </configuration>

    Monday, April 11, 2016 9:18 PM

Answers

  • Hello Mike,

    >>If i'm using client credential type of windows and setting the protection level to encrypt and sign, what security is being used?

    When the security mode is set to Transport, the entire message is protected by the transport mechanism.
    In the transport security, the user credentials and claims are passed using the transport layer. Each transport protocol (TCP, IPC, MSMQ, or HTTP) has its own mechanism for passing credentials and handling message protection. The most common approach for this is to use Secure Sockets Layer (SSL) for encrypting and signing the contents of the packets sent over Secure HTTP (HTTPS).

    For more information, please refer to:
    WCF Security Fundamentals:
    https://msdn.microsoft.com/en-us/library/ff650862.aspx

    >>What I understand is that there isn't a certificate being used but then how are the messages encrypted over TLS?

    For the netTcpBinding, when using Windows authentication, the binding uses the service’s Windows token to provide message protection. When using non-Windows authentication such as certificate authentication, we have to configure a service certificate as service credentials. The binding uses the service certificate for message protection.

    For more information, please refer to:
    Message and Transport Security:
    https://msdn.microsoft.com/en-us/library/ff648863.aspx

    Best Regards,
    Amy Peng

    Tuesday, April 12, 2016 10:00 AM
    Moderator

All replies

  • Amy, I didn't get an alert that you replied. I apologize that I didn't respond; thanks for your answer. With regard to the level of security in an intranet scenario, is it safe to say that TLS using the Windows token is safe? From what I've read it seems to be safe enough because the transport only has one hop. We are dealing with PCI DSS changes and I want to make sure that I'm not digging a grave by using the netTcp binding.
    • Edited by Mike Dovell Tuesday, April 19, 2016 11:28 PM
    Tuesday, April 19, 2016 4:36 AM
  • Hi Mike,

    >>With regard to level of security in an intranet scenario is it safe to say that TLS using the windows token is safe?

    Yes, you are right, it is safe, because the Windows token will be used to encrypt the transport. In my mind, you can continue using the netTcpBinding WCF service with Windows authentication.

    Best Regards,
    Amy Peng

    Sunday, April 24, 2016 3:02 PM
    Moderator
  • Thank you for your help.
    Monday, April 25, 2016 5:03 PM
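
The two answers above describe the mechanism only as "the Windows token protects the transport". What a practitioner wants to know for a PCI or FISMA conversation is more specific, and the following is an added example rather than code from this thread. With netTcpBinding in Transport mode and clientCredentialType="Windows", WCF wraps the TCP stream in a NegotiateStream: client and service authenticate with the SSPI Negotiate package (Kerberos, or NTLM as the fallback), and the session key from that exchange signs and encrypts every frame. There is no TLS handshake and no certificate, which is why the posted web.config does not configure one. The algorithms are therefore whatever SSPI negotiated: a Kerberos context seals with the ticket's encryption type (AES256-CTS-HMAC-SHA1-96 on a current domain, RC4-HMAC on older ones), while an NTLM context seals with RC4 and signs with HMAC-MD5. Because Negotiate drops to NTLM silently when no Kerberos ticket can be obtained (typically a missing or wrong SPN), the useful check is one that reports which package was used and refuses NTLM. The code below builds the same binding as the posted configuration, adds an operation that reports the authentication package, and installs an authorization manager that fails closed on anything but Kerberos. The contract name, the port 8080 and the SPN form "host/<servername>" are assumptions for illustration.

```csharp
using System;
using System.Net.Security;
using System.Security.Principal;
using System.ServiceModel;

// Added example, not code from the thread. IChannelInfo, the port and the
// SPN "host/<servername>" are assumptions for illustration.
[ServiceContract]
public interface IChannelInfo
{
    [OperationContract]
    string Describe();
}

public class ChannelInfoService : IChannelInfo
{
    // Reports which SSPI package authenticated (and therefore keyed) this
    // connection. "Kerberos" means the stream is sealed with the Kerberos
    // session key (an AES etype on a current domain); "NTLM" means NTLM
    // session security (RC4 with HMAC-MD5), the case an assessor will flag.
    public string Describe()
    {
        WindowsIdentity id = ServiceSecurityContext.Current.WindowsIdentity;
        if (id == null || id.IsAnonymous)
            return "unauthenticated";
        return string.Format("{0} authenticated via {1}", id.Name, id.AuthenticationType);
    }
}

// Rejects any caller whose context was not established with Kerberos, so a
// silent downgrade to NTLM (for example from an unregistered SPN) fails
// closed instead of passing unnoticed.
public class KerberosOnlyAuthorizationManager : ServiceAuthorizationManager
{
    protected override bool CheckAccessCore(OperationContext operationContext)
    {
        WindowsIdentity id = operationContext.ServiceSecurityContext.WindowsIdentity;
        return id != null
            && !id.IsAnonymous
            && string.Equals(id.AuthenticationType, "Kerberos", StringComparison.OrdinalIgnoreCase);
    }
}

public static class ChannelInfoHost
{
    // Equivalent of the posted <security mode="Transport"> element. Transport
    // mode with Windows credentials already defaults to EncryptAndSign; setting
    // it explicitly makes the intent visible to whoever audits the binding.
    public static NetTcpBinding CreateBinding()
    {
        var binding = new NetTcpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.Windows;
        binding.Security.Transport.ProtectionLevel = ProtectionLevel.EncryptAndSign;
        return binding;
    }

    // Client side: naming the service SPN in the endpoint identity tells the
    // Negotiate package to request a Kerberos ticket for that SPN. Without it,
    // or if the SPN is not registered on the account the service runs under,
    // Negotiate falls back to NTLM and the server above rejects the call.
    public static string CallService(string serviceHost, int port)
    {
        var address = new EndpointAddress(
            new Uri(string.Format("net.tcp://{0}:{1}/ChannelInfo", serviceHost, port)),
            EndpointIdentity.CreateSpnIdentity("host/" + serviceHost));
        using (var factory = new ChannelFactory<IChannelInfo>(CreateBinding(), address))
        {
            return factory.CreateChannel().Describe();
        }
    }

    public static void Main(string[] args)
    {
        string serviceHost = args.Length > 0 ? args[0] : Environment.MachineName;
        var baseAddress = new Uri("net.tcp://" + serviceHost + ":8080/ChannelInfo");
        using (var host = new ServiceHost(typeof(ChannelInfoService), baseAddress))
        {
            host.AddServiceEndpoint(typeof(IChannelInfo), CreateBinding(), "");
            host.Authorization.ServiceAuthorizationManager = new KerberosOnlyAuthorizationManager();
            host.Open();
            Console.WriteLine("Listening on " + baseAddress);
            try
            {
                Console.WriteLine(CallService(serviceHost, 8080));
            }
            catch (SecurityAccessDeniedException)
            {
                // The context was NTLM (or anonymous); the server refused it.
                Console.WriteLine("Rejected: connection was not protected by Kerberos");
            }
            Console.ReadLine();
        }
    }
}
```

Run the host on a domain-joined machine; if the service runs under a domain user account rather than a built-in machine account, register the SPN on that account with setspn first, or every call will be refused as NTLM. Once calls succeed, the reported "Kerberos" tells you the stream is sealed with the Kerberos session key, and the ticket's encryption type (visible with klist on the client) is the cipher to put in the compliance write-up.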