A few basic questions about WCF & ASMX web services & security

  • Question

  • I have just started reading WCF. So many things are not clear to me.

    1) I heard that we can provide security in WCF at the message level or the transport level. Is it true? But in what areas can we provide security in an ASMX web service?

    2) I would like to visualize or understand what security at the transport level or message level means. Can anyone elaborate on what transport level or message level security means?

    3) When would people go for transport level security or message level security?

    4) Can anyone give me a sample WCF config file for transport level security and message level security, please? I want to see how the config looks when people use transport level security or message level security in their WCF application.

    5) What is SSH and how do I use it in WCF?

    6) If a certificate cert file only contains a public key, then I would like to know how the browser decrypts incoming data when a cer certificate file is used at the web server end?

    It would be a huge help if someone answered all my questions in detail, point by point.

    Thursday, July 24, 2014 7:20 PM


  • I think you need a book on WCF.

    A few (possibly subjective) stabs at answering some of your (very broad) questions:

    1) Yes, you can have transport and/or message level security in WCF. ASMX is a legacy technology, which at least supports some forms of transport security (SSL).

    2/3) Transport level security means that all traffic is encrypted by the transport layer, e.g. SSL/HTTPS. Message level security is software encryption of the actual message only and is mostly used among heterogeneous systems whose security protocols for transports are incompatible. Transport security is usually both easier to implement and more efficient.

    4) This is a broad area. There's a configuration tool in your IDE (on the Tools menu) that you can use to experiment with the various settings.

    5) SSH is the encryption standard used for secure web communication (HTTPS), among other things.

    6) Certificates are used with symmetric encryption. There are two parts of the key, the public part and the private part. Anybody can read the public key and encrypt messages with it, only the party who has the private key can decrypt those messages. This type of encryption is very slow, so it is almost always used only to exchange a private key, generated on the fly, between client and server which is then used to encrypt subsequent traffic using the more efficient AES-type encryption algorithms.

    Friday, July 25, 2014 10:49 AM
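
For question 4, an added example (not part of the original thread): a WCF `system.serviceModel` section with one `wsHttpBinding` configured for transport security and one for message security, exposed as two endpoints of the same service. The service name, contract name, binding names and addresses are hypothetical, and a self-hosted service is assumed.

```xml
<!-- Added illustration. Example.OrderService, Example.IOrderService, the binding
     names and the addresses are hypothetical placeholders. -->
<configuration>
  <system.serviceModel>
    <bindings>
      <wsHttpBinding>
        <!-- Transport security: TLS (HTTPS) protects the whole channel.
             The host must have a server certificate bound to the HTTPS port.
             Protection ends wherever the TLS connection is terminated. -->
        <binding name="TransportSecured">
          <security mode="Transport">
            <transport clientCredentialType="None" />
          </security>
        </binding>

        <!-- Message security: WS-Security signs and encrypts the SOAP message
             itself, so it stays protected through intermediaries and can
             travel over plain HTTP. Here the client authenticates with
             Windows credentials. -->
        <binding name="MessageSecured">
          <security mode="Message">
            <message clientCredentialType="Windows" />
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>

    <services>
      <service name="Example.OrderService">
        <!-- Endpoint using transport security: address scheme must be https. -->
        <endpoint address="https://localhost:8443/orders/transport"
                  binding="wsHttpBinding"
                  bindingConfiguration="TransportSecured"
                  contract="Example.IOrderService" />

        <!-- Endpoint using message security: http is acceptable because the
             message body is encrypted before it reaches the transport. -->
        <endpoint address="http://localhost:8080/orders/message"
                  binding="wsHttpBinding"
                  bindingConfiguration="MessageSecured"
                  contract="Example.IOrderService" />
      </service>
    </services>
  </system.serviceModel>
</configuration>
```

The only difference between the two bindings is the `mode` attribute of the `security` element and the child element (`transport` or `message`) that selects the client credential type.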