Encryption clarification - Message Security vs. Transport with Message Credential

  • Question

  • All, I have been trying to understand the difference between 'message security' and 'transport with message credential'. I see that the message security option generates message encryption. However, I am not sure what happens in the TransportWithMessageCredential option. For example, with the following option, <security mode="TransportWithMessageCredential">, will the message also get encrypted in addition to the transport (HTTPS)?

    <wsHttpBinding>
      <binding name="wsHttpBasic"
               closeTimeout="00:01:00" openTimeout="00:10:00"
               receiveTimeout="00:10:00" sendTimeout="00:10:00"
               bypassProxyOnLocal="false" transactionFlow="false"
               hostNameComparisonMode="StrongWildcard"
               maxBufferPoolSize="2147483647" maxReceivedMessageSize="2147483647"
               messageEncoding="Text" textEncoding="utf-8"
               useDefaultWebProxy="true" allowCookies="false">
        <readerQuotas maxDepth="32" maxStringContentLength="2147483647" maxArrayLength="2147483647"
                      maxBytesPerRead="2147483647" maxNameTableCharCount="2147483647" />
        <reliableSession ordered="true" inactivityTimeout="00:10:00" enabled="false" />
        <security mode="TransportWithMessageCredential">
          <transport clientCredentialType="Windows" proxyCredentialType="None" realm="" />
          <message clientCredentialType="Windows" negotiateServiceCredential="true" algorithmSuite="Default" />
        </security>
      </binding>
    </wsHttpBinding>

    Thanks in advance,

    Cheers,

    Pingala


    SP

    Wednesday, August 24, 2016 12:58 PM

Answers

  • Hi Pingala,

    When using message security, the user credentials and claims are encapsulated in every message, using WS-Security to secure the message. When using TransportWithMessageCredential, client authentication is provided at the message level, and message protection and service authentication are provided at the transport level.

    You could refer the link below for more information.

    # Chapter 7: Message and Transport Security

    https://msdn.microsoft.com/en-us/library/ff648863.aspx

    >> will the message also get encrypted in addition to the transport (HTTPS)?

    Yes, the message will be encrypted by HTTPS, and the message will be secured by the Windows credential. But, for wsHttpBinding, there is no need to set the transport element; you could configure the computer with an SSL certificate bound to a port.

    You could refer the link below for more information.

    # How to: Use Transport Security and Message Credentials

    https://msdn.microsoft.com/en-us/library/ms789011(v=vs.110).aspx

    Best Regards,

    Edward





    Thursday, August 25, 2016 8:25 AM

All replies

  • Thanks Edward. I read the article before. However, my question is still not answered. In the TransportWithMessageCredential case, I know that HTTPS encrypts the entire payload (which includes the message with credentials). Once it reaches the other end, the payload is decrypted and handed over to the client/service. At that time, I am assuming that the message received by the client/service is not encrypted. Please correct me if that is not the case. Otherwise, why do we need double encryption?

    Thanks in advance,

    Pingala


    SP

    Thursday, August 25, 2016 10:40 AM
  • Hi Pingala,

    >>the payload is decrypted and handed over to the client/service.

    Yes, you are right. After the message is received at the service side, it will not be encrypted, and the credential in the message is used to authenticate the client. The first encryption is used to provide message protection at the transport level, which ensures message integrity and confidentiality, and the second encryption is used to provide message protection at the message level, which is used to authenticate the client.

    Best Regards,

    Edward




    Friday, August 26, 2016 5:29 AM
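The point Edward makes above (after HTTPS is terminated, a TransportWithMessageCredential message is plain XML with a WS-Security header, whereas Message security leaves the Body as ciphertext) is easy to check against what a service, a TLS-terminating load balancer or a message log actually sees. The following is an added example, not code from the thread or from WCF: it parses a SOAP 1.2 envelope and reports which credential tokens are present, whether the Body is xenc:EncryptedData, and whether a UsernameToken carries a PasswordText password. The three envelopes are constructed by hand to resemble the two modes discussed (they are not captures from a real WCF service), and the mode labels are a heuristic read from the message structure rather than anything WCF itself emits.

```python
"""Inspect what a WCF SOAP envelope still protects once HTTPS is stripped.

Added example; not code from the original thread.  The envelopes below are
constructed by hand, not captured from a real WCF service, and the mode
labels are a heuristic inferred from the message structure.
"""
import xml.etree.ElementTree as ET

NS = {
    "s": "http://www.w3.org/2003/05/soap-envelope",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
# WS-Security UsernameToken profile: a Password with this Type (or no Type at
# all) is the literal password, so it is only as secret as the transport.
PASSWORD_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-username-token-profile-1.0#PasswordText")


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on element names."""
    return tag.rsplit("}", 1)[-1]


def inspect_envelope(xml_text):
    """Report credential tokens, signature, and whether the Body is ciphertext."""
    root = ET.fromstring(xml_text)
    header = root.find("s:Header", NS)
    body = root.find("s:Body", NS)
    if body is None:
        raise ValueError("not a SOAP 1.2 envelope: no s:Body")
    sec = header.find("wsse:Security", NS) if header is not None else None

    tokens, signed, plaintext_password = [], False, False
    if sec is not None:
        for child in sec:
            name = _local(child.tag)
            if name == "Signature":
                signed = True
            elif name != "Timestamp":
                tokens.append(name)
        for pwd in sec.iter("{%s}Password" % NS["wsse"]):
            if pwd.get("Type", PASSWORD_TEXT) == PASSWORD_TEXT:
                plaintext_password = True

    body_children = [_local(c.tag) for c in body]
    body_encrypted = "EncryptedData" in body_children

    # Message security encrypts the Body itself, so xenc:EncryptedData survives
    # TLS termination.  TransportWithMessageCredential only adds a WS-Security
    # header carrying the client credential; the Body is plain XML here.
    if body_encrypted:
        mode = "message"
    elif sec is not None:
        mode = "transport-with-message-credential"
    else:
        mode = "transport-or-none"

    return {
        "mode": mode,
        "credential_tokens": tokens,
        "signed": signed,
        "body_encrypted": body_encrypted,
        "cleartext_body": [] if body_encrypted else body_children,
        "plaintext_password": plaintext_password,
    }


_S, _WSSE, _DS, _XENC = NS["s"], NS["wsse"], NS["ds"], NS["xenc"]

# Constructed: mode="Message".  Body is ciphertext; only the header is readable.
MESSAGE_MODE = f"""<s:Envelope xmlns:s="{_S}">
  <s:Header><wsse:Security xmlns:wsse="{_WSSE}" xmlns:ds="{_DS}">
    <wsse:BinarySecurityToken>TlRMTVNTUAABAAAA</wsse:BinarySecurityToken>
    <ds:Signature><ds:SignedInfo/><ds:SignatureValue>c2ln</ds:SignatureValue></ds:Signature>
  </wsse:Security></s:Header>
  <s:Body><xenc:EncryptedData xmlns:xenc="{_XENC}" Type="{_XENC}Content">
    <xenc:CipherData><xenc:CipherValue>AAECAwQF</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedData></s:Body>
</s:Envelope>"""

# Constructed: mode="TransportWithMessageCredential" with a Windows (negotiate)
# client credential, as in the binding posted above.  Body is plain XML.
TWMC_WINDOWS = f"""<s:Envelope xmlns:s="{_S}">
  <s:Header><wsse:Security xmlns:wsse="{_WSSE}">
    <wsse:BinarySecurityToken>TlRMTVNTUAABAAAA</wsse:BinarySecurityToken>
  </wsse:Security></s:Header>
  <s:Body><GetBalance xmlns="http://tempuri.org/"><accountId>42</accountId></GetBalance></s:Body>
</s:Envelope>"""

# Constructed: same mode with a UserName client credential.  Both the password
# and the request are readable by anything sitting behind the TLS endpoint.
TWMC_USERNAME = f"""<s:Envelope xmlns:s="{_S}">
  <s:Header><wsse:Security xmlns:wsse="{_WSSE}">
    <wsse:UsernameToken><wsse:Username>alice</wsse:Username>
      <wsse:Password Type="{PASSWORD_TEXT}">s3cret</wsse:Password></wsse:UsernameToken>
  </wsse:Security></s:Header>
  <s:Body><GetBalance xmlns="http://tempuri.org/"><accountId>42</accountId></GetBalance></s:Body>
</s:Envelope>"""

if __name__ == "__main__":
    for label, env in [("Message", MESSAGE_MODE), ("TWMC/Windows", TWMC_WINDOWS),
                       ("TWMC/UserName", TWMC_USERNAME)]:
        print(label, inspect_envelope(env))
```

Run it against a message logged by WCF tracing or dumped by a reverse proxy: if cleartext_body is non-empty, everything between the TLS endpoint and the service code (load balancers, WAFs, log pipelines) can read the operation and its parameters, and with a UserName credential the password as well. That is the practical difference the thread is asking about: TransportWithMessageCredential protects the hop, Message security protects the payload end to end.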
  • Thanks Edward for the clarification!

    Edward wrote: "But, for wsHttpBinding, there is no need to set transport, you could configure the computer with an SSL certificate bound to a port"

    Thanks for the correction. We removed it and it works great!

    Cheers,

    Pingala


    SP

    Friday, August 26, 2016 6:06 PM