Protection levels ( None, Signed, EncryptedAndSigned ) and authentication

  • Question

  • hi

    The following questions all assume that the service uses NetTcpBinding and Transport transfer security mode.

    Transport security has three protection levels: None, Signed and EncryptedAndSigned. I'm trying to figure out how these three protection levels are related to the type of credentials the service uses to authenticate itself to the client. So:

    1) Assuming the service uses an SSL certificate to authenticate itself and assuming its protection level is set to None:

    a) will the service use SSL encryption only during the authentication process or

    b) will SSL be used for the entire duration of the client/server conversation

     

    2) Assuming the service uses an SSL certificate to authenticate itself and assuming its protection level is set to EncryptedAndSigned:

    a) will the service use SSL encryption only during the authorization process (and then some other encryption mechanism will be used to encrypt and sign the messages) or

    b) will SSL encryption be used for the entire client/server session (thus messages will be encrypted and signed using SSL)

     

    3) Assuming the service uses username/password to authenticate itself and assuming its protection level is set to EncryptedAndSigned:

    a) what encryption mechanism will it use during the authentication process and

    b) what encryption mechanism will be used after the authentication process is finished?

     

    4) Assuming the service doesn't authenticate itself to the client (thus it doesn't provide any service credentials) and assuming its protection level is set to EncryptedAndSigned:

    a) what encryption mechanism will it use for encrypting and signing the messages?

     

    Thank you

    Monday, November 29, 2010 9:17 PM

All replies

  • Authentication level mostly affects message security.

    1 - 3: SSL will be used for the entire duration of the client/server conversation.

    4: The service cannot use encrypt and sign mode w/o some authentication. Note that if the server has SSL then it does authenticate - the X.509 SSL cert is a sort of authentication.


    http://webservices20.blogspot.com/
    WCF Security, Interoperability And Performance Blog
    Wednesday, December 1, 2010 9:10 PM
  • "Authentication level mostly affects message security.

    1 - 3: SSL will be used for the entire duration of the client/server conversation."


    I thought that when the service uses NetTcpBinding with Transport transfer security mode and with clientCredentialMode set to “Windows”, then the service doesn’t use SSL, even if protectionLevel is set to EncryptedAndSigned?

    Wednesday, December 1, 2010 10:38 PM
  • Sorry, forgot it was on net tcp.

    My guess is that when you use transport security mode the service will require an SSL certificate, but you will need to verify it.


    http://webservices20.blogspot.com/
    WCF Security, Interoperability And Performance Blog
    Wednesday, December 1, 2010 10:51 PM
  • "sorry, forgot it was on net tcp."

    a) So your initial answers are correct when talking about a service using BasicHttpBinding with Transport transfer security mode?

     

    "my guess is that when you use transport security mode the service will require ssl certificate, but you will need to verify it."

    b) As far as I can tell, when the service uses NetTcpBinding with transfer security mode and clientCredentialType set to “Windows”, then the service doesn't use SSL. See my last post/second question in the following thread to see why I suspect that:

    http://social.msdn.microsoft.com/Forums/en/wcf/thread/d6327def-3ba5-4080-8be7-2d2f4b639427

    Wednesday, December 1, 2010 11:03 PM
  • Here is a very good explanation of what is going on on an SSL channel: http://en.wikipedia.org/wiki/Secure_Sockets_Layer

    I hope all answers are there.


    Leonid Ganeline [BizTalk MVP] Biztalkien blog
    • Marked as answer by Yi-Lun Luo Monday, December 6, 2010 9:51 AM
    Thursday, December 2, 2010 4:48 AM
    Moderator
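
Added example, not part of the thread or of any poster's reply: a C# console program that builds a NetTcpBinding in Transport mode for every combination of client credential type and protection level and reports which stream-security binding element WCF places in the channel stack, or the error WCF raises for that combination. It assumes .NET Framework with a reference to System.ServiceModel; the class and method names are hypothetical.

```csharp
using System;
using System.Net.Security;
using System.ServiceModel;
using System.ServiceModel.Channels;

// Hypothetical helper: inspects the binding element stack instead of guessing
// which security upgrade (SSL stream or Windows/SPNEGO stream) a setting selects.
static class NetTcpTransportSecurityProbe
{
    static string Describe(TcpClientCredentialType credential, ProtectionLevel level)
    {
        var binding = new NetTcpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = credential;
        binding.Security.Transport.ProtectionLevel = level;

        try
        {
            BindingElementCollection elements = binding.CreateBindingElements();
            var windows = elements.Find<WindowsStreamSecurityBindingElement>();
            var ssl = elements.Find<SslStreamSecurityBindingElement>();

            if (windows != null)
                return "Windows stream security, ProtectionLevel=" + windows.ProtectionLevel;
            if (ssl != null)
                return "SSL stream security, RequireClientCertificate=" + ssl.RequireClientCertificate;
            return "no stream security element in the stack";
        }
        catch (InvalidOperationException ex)
        {
            // WCF refuses combinations it cannot build; report its own message.
            return "rejected by WCF: " + ex.Message;
        }
    }

    static void Main()
    {
        // Enumerates the real enum members, so nothing here depends on how
        // the levels are spelled in the discussion above.
        foreach (TcpClientCredentialType credential in Enum.GetValues(typeof(TcpClientCredentialType)))
            foreach (ProtectionLevel level in Enum.GetValues(typeof(ProtectionLevel)))
                Console.WriteLine("{0,-12} {1,-15} -> {2}", credential, level, Describe(credential, level));
    }
}
```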