How does encryption work in case of NetTcpBinding+Transport security+Windows authentication

  • Question

  • MSDN states that:

    The NetTcpBinding class uses TCP for message transport. Security for the transport mode is provided by implementing Transport Layer Security (TLS) over TCP. The TLS implementation is provided by the operating system.

    And also:

    If you are using Windows security, a certificate is not required.

    Does it mean that in case of using NetTcpBinding + Transport security + Windows authentication I don’t need to explicitly install any certificates (neither server, nor client side) and don't have to specify any certificates in binding?

    If I understand TLS correctly, it is based on public-key cryptography. That is, one party encrypts data with a public key, and the other decrypts it using its private key.

    So, if my reasoning is correct, then where do those keys come from, using WCF in this configuration?


    • Edited by anthh Monday, March 16, 2015 12:48 PM
    Monday, March 16, 2015 12:47 PM

Answers

All replies

  • Hi,

    By default, netTcpBinding uses transport security, which means you will have to configure the client credentials to use a certificate. To provide message protection at the transport level, you will have to configure a service certificate as service credentials. The certificate will negotiate a session key and service public key during the handshake, which will allow you to encrypt the content with the service certificate public key and sign the content with the private session key.

    For more information about Message and Transport Security:

    https://msdn.microsoft.com/en-us/library/ff648863.aspx

    Add certificate to nettcpbinding:

    https://piaoca.wordpress.com/2012/05/11/add-certificate-to-nettcpbinding/

    How to: Use netTcpBinding with Windows Authentication and Message Security in WCF:

    https://msdn.microsoft.com/en-us/library/ff648534.aspx

    Regards

    Tuesday, March 17, 2015 6:39 AM
    Moderator
  • Hello.
    I'm talking about such WCF configuration:
     
    Binding: NetTCPBinding
    Security: Transport (only), Point-to-Point
    Authentication: Windows
    Network: Intranet only
     
    So I don't want to use Message security, only Transport.
     
    From your first link:
     
    "When using transport security, the user credentials and claims are passed by using the transport layer. In other words, user credentials are transport-dependent, which allows fewer authentication options compared to message security. Each transport protocol (TCP, IPC, MSMQ, or HTTP) has its own mechanism for passing credentials and handling message protection. The most common approach for this is to use Secure Sockets Layer (SSL) for encrypting and signing the contents of the packets sent over Secure HTTP (HTTPS)."
     
    and also
     
    "Transport Security - Mutual authentication and message protection are provided at the transport level."
     
    From other MSDN page (I’m not able to post a link...)
     
    "The NetTcpBinding class uses TCP for message transport. Security for the transport mode is provided by implementing Transport Layer Security (TLS) over TCP. The TLS implementation is provided by the operating system."
     
    and
     
    "If you are using Windows security, a certificate is not required."
     
    From these quotations, I draw the conclusion that using NetTCPBinding+Transport(security)+Windows(authentication) WCF provides data encryption on the Transport layer, so I don't understand why you bring Message protection into this.
     
    I know that the messages are not encrypted themselves, but the channel is (using e.g. TLS), so I assume that in point-to-point communication my data are secure?
    Or maybe I misunderstand something fundamentally?
     
    So, since: "the NetTcpBinding class uses TCP for message transport (...) implementing Transport Layer Security (TLS) over TCP"
    and: "using Windows security, a certificate is not required"
    and (from Wikipedia): "(TLS) use X.509 certificates and hence asymmetric cryptography to authenticate the counterparty with whom they are communicating and to exchange a symmetric key"
    I would like to know how this encryption works in this case?
    Tuesday, March 17, 2015 8:26 AM
  • Since no one is eager to answer my question, I will ask a different one:
     
    Given such WCF configuration:
     
    Binding: NetTCPBinding
    Security: Transport (only), Point-to-Point
    Authentication: Windows
    Network: Intranet only
    (So, no certificate is explicitly defined...)
     
    Is transferred data secure and protected in this case?
    Thursday, March 19, 2015 8:42 AM
  • Hi,

    Here is a scenario that shows a Windows Communication Foundation (WCF) client and service secured by Windows security with the NetTCPBinding Security Mode set to Transport.

    https://msdn.microsoft.com/en-us/library/ms733089(v=vs.110).aspx

    https://msdn.microsoft.com/en-us/library/ff647180.aspx?f=255&MSPPError=-2147217396

    Tuesday, March 24, 2015 2:52 AM
  • Thanks, but it is not an answer to my question…

    I know how to use it, but I want to know whether this scenario is secure, and if it is, how this security is actually applied. I'm asking because MSDN is very vague about it.

    MSDN claims that "the NetTcpBinding class uses TCP for message transport (...) implementing Transport Layer Security (TLS) over TCP" and "using Windows security, a certificate is not required"

    but "(TLS) use X.509 certificates and hence asymmetric cryptography to authenticate the counterparty with whom they are communicating and to exchange a symmetric key"

    So, it uses TLS but doesn't require a certificate, which by definition is required in TLS. I'm guessing that Windows itself provides this certificate somehow, but I would like to learn some details.

    Friday, March 27, 2015 8:14 AM
  • Hello anthh,

    According to the link below http://stackoverflow.com/questions/14694947/testing-tls-security-in-wcf-nettcpbinding

    The TCP binding security element is set to Transport by default. This indicates a requirement that the transport session must be encrypted. If you cannot establish a TLS session, the service will reject the call.

    Hope this helps you.

    With regards,

    Shawn

    Friday, April 3, 2015 9:48 AM
    Moderator
  • This is not an answer to my question, though.

    So, I don't know why you marked it as accepted answer, but never mind.

    The real answer is here: http://stackoverflow.com/questions/4187604/how-does-nettcpbindingread-windowsstreamsecuritybindingelement-encrypt-sign-me if someone is interested.


    • Edited by anthh Tuesday, April 7, 2015 11:11 AM
    Tuesday, April 7, 2015 11:10 AM
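An added example, not part of this thread or of any linked page: the question throughout is which mechanism protects the TCP stream when the binding is Transport + Windows and no certificate is configured. The binding element stack answers it. For that configuration NetTcpBinding.CreateBindingElements() emits a WindowsStreamSecurityBindingElement, which WCF implements on System.Net.Security.NegotiateStream (SSPI Negotiate, i.e. Kerberos with NTLM fallback), so the stream key is derived from the Windows authentication exchange rather than from an X.509 handshake; with the Certificate or None client credential type the element is instead an SslStreamSecurityBindingElement, which is the TLS path the MSDN text describes. The code below inspects the stack for each case and exposes a check a deployer can run against a binding to confirm it actually encrypts (a ProtectionLevel of Sign would leave the payload readable). It targets .NET Framework with a reference to System.ServiceModel; the class and method names are mine.

```csharp
using System;
using System.Net.Security;
using System.ServiceModel;
using System.ServiceModel.Channels;

// Added example: inspect the channel stack NetTcpBinding builds for a given
// security mode and client credential type.
static class NetTcpStackInspector
{
    // Describe the stream-security element (if any) that protects the TCP session.
    public static string Describe(SecurityMode mode, TcpClientCredentialType clientCredential)
    {
        var binding = new NetTcpBinding(mode);
        binding.Security.Transport.ClientCredentialType = clientCredential;

        BindingElementCollection elements = binding.CreateBindingElements();

        // Windows credential: SSPI/NegotiateStream, no certificate involved.
        var windows = elements.Find<WindowsStreamSecurityBindingElement>();
        if (windows != null)
            return "WindowsStreamSecurityBindingElement (NegotiateStream/SSPI), ProtectionLevel="
                   + windows.ProtectionLevel;

        // Certificate or None credential: SslStream, i.e. TLS with a service certificate.
        var ssl = elements.Find<SslStreamSecurityBindingElement>();
        if (ssl != null)
            return "SslStreamSecurityBindingElement (SslStream/TLS), RequireClientCertificate="
                   + ssl.RequireClientCertificate;

        return "no stream-security element: the TCP session is in clear text";
    }

    // Deployment check: does this binding encrypt the stream, not merely sign it?
    public static bool EncryptsStream(NetTcpBinding binding)
    {
        BindingElementCollection elements = binding.CreateBindingElements();

        var windows = elements.Find<WindowsStreamSecurityBindingElement>();
        if (windows != null)
            return windows.ProtectionLevel == ProtectionLevel.EncryptAndSign;

        // SslStream always encrypts once the TLS session is established.
        return elements.Find<SslStreamSecurityBindingElement>() != null;
    }

    static void Main()
    {
        // The thread's configuration: Transport + Windows, no certificate anywhere.
        Console.WriteLine(Describe(SecurityMode.Transport, TcpClientCredentialType.Windows));
        // Transport + Certificate: TLS, service certificate plus client certificate.
        Console.WriteLine(Describe(SecurityMode.Transport, TcpClientCredentialType.Certificate));
        // Transport + None: TLS with a service certificate only.
        Console.WriteLine(Describe(SecurityMode.Transport, TcpClientCredentialType.None));
        // SecurityMode.None: nothing protects the stream.
        Console.WriteLine(Describe(SecurityMode.None, TcpClientCredentialType.None));

        // Default Transport + Windows encrypts and signs ...
        var ok = new NetTcpBinding(SecurityMode.Transport);
        Console.WriteLine("default Transport+Windows encrypts: " + EncryptsStream(ok));

        // ... but lowering ProtectionLevel to Sign keeps authentication and
        // integrity while sending the payload readable on the wire.
        var weak = new NetTcpBinding(SecurityMode.Transport);
        weak.Security.Transport.ProtectionLevel = ProtectionLevel.Sign;
        Console.WriteLine("ProtectionLevel=Sign encrypts: " + EncryptsStream(weak));
    }
}
```

Because the Windows path rests on SSPI, its strength depends on which package Negotiate selects: a resolvable SPN gives Kerberos, otherwise the exchange falls back to NTLM, so in an intranet deployment verifying that Kerberos is actually negotiated (and keeping ProtectionLevel at EncryptAndSign) is the practical equivalent of checking the certificate on a TLS endpoint.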