none
WCF replay detection using nonce cache with certificate based message security RRS feed

  • Question

  • I have a WCF service that has the following requirements:

    • Sent over SSL (HTTPS Transport)
    • Reliable Messaging On
    • WS-* message security using a X.509 certificate.
    • Replay Detection On

    Here is the binding that I have:

    <customBinding>
        <binding name="replayDetectionBinding">
          <reliableSession />
          <security authenticationMode="SecureConversation">
            <secureConversationBootstrap authenticationMode="CertificateOverTransport"
              protectTokens="true">
              <issuedTokenParameters keyType="AsymmetricKey" />
            </secureConversationBootstrap>
            <localServiceSettings maxClockSkew="00:01:00"
              replayWindow="00:01:00" />
          </security>
          <textMessageEncoding />
          <httpsTransport maxReceivedMessageSize="5242880" maxBufferSize="5242880" />
        </binding>
      </customBinding>

    The service is hosted in IIS and I have a test client to make a request to the service. I have Fiddler up and running to catch all messages coming to and from the test client and the WCF service.

    Everything is working but replay detection.  Even though the replay window says one minute, I am able to send messages outside of the window.  Really, what I want/need is to have the replay detection use the nonce cache so that an identical message is rejected no matter what (as long as that message signature is in the nonce cache and the message was processed successfully). This is not happening.

    I send a message using the test client, it is received by the WCF service and a response is returned, I do not close the connection. I then use Fiddler to reissue/replay the message that was sent. In this case, it is accepted by the service - even if I issue it from another machine.

    If I close the connection, no messages are accepted (desired and understandable effect).

    I've done so much searching and have read just about everything I can find, but cannot get this to work.

    How do you enable the nonce cache in this case or do you have to code your own or am I completely missing a concept here?




    • Edited by jay.d Wednesday, February 26, 2014 7:29 PM
    Wednesday, February 26, 2014 7:20 PM

All replies

  • Hi,

    WCF implements a replay detection mechanism and provides a bunch of configuration options to tune the Timestamping and nonce tracking procedures (i.e: ReplayWindow, ReplayCacheSize for the nonce cache).

    However, because WCF uses the class NonceCache (declared as Internal and Sealed) which is a in-memory cache. If you’re using IIS to host your services, you can imagine what happens to the cache when IIS pool is recycled!

    So please try to check the following:
    http://msdn.microsoft.com/en-us/library/ff647945.aspx .

    you’ll see that for that sample, they used back then a DB table as a nonce cache.

    Best Regards,
    Amy Peng


    We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place.
    Click HERE to participate the survey.

    Thursday, February 27, 2014 3:11 AM
    Moderator
  • I have come across that post (I've read just about everything on the internet about this subject).  From my readings, I thought the WSE was an outdated technology and replaced entirely by WCF?

    Also, according to the following post, as of .NET 4.5 I should be able to, if I want to, override the default nonce cache and implement my own.

    http://msdn.microsoft.com/en-us/library/hh598927(v=vs.110).aspx

    If I didn't want to, which I don't at this point because we'll only be running on one server for the time being, I still want WCF to store the requests in the nonce cache.  The recycle of the IIS pool is fine for us (99% of the time any replays would be outside of the replay window).

    And what I've seen so far, is that there is no replay/nonce cache - since I can actually replay any successful request up to the time limit + the clock slew.  To me, that tells me the nonce cache isn't actually being used.  

    So, is the recommended option is to use WSE (and is it deprecated/replaced by WCF), and if so, can I actually enable the nonce cache in this case?


    • Edited by jay.d Thursday, February 27, 2014 4:39 PM
    Thursday, February 27, 2014 4:26 PM