Please compare Transport Security and Transport With Message Credentials?

  • Question

  • Hi,

    Please compare Transport Security and Transport With Message Credentials in terms of encrypted request, response, certificate setup and their options and results.

    I mean to say, please specify whether the request and/or response will be encrypted or not, whether service certificates are used to encrypt the response, whether client certificates are used to encrypt the request, etc.

    I am a little bit confused about the available options in the above two security modes and their outcome.

    Thanks in advance


    • Edited by SixtyNine Thursday, July 10, 2014 3:15 AM more specific
    Thursday, July 10, 2014 3:14 AM

All replies

  • Hi,

    When using the Transport security mode, it secures the transport, not the message itself. In this mode, if we use the username or certificate mode or HTTPS, the service certificate is needed.

    For the TransportWithMessageCredential security mode: by default the wsHttpBinding binding provides HTTP communication. If we want to use HTTPS communication, we need to configure it for transport security, which supports HTTPS communication. However, the set of authentication mechanisms that can be used to authenticate the client to the service is limited to what the HTTPS transport supports. WCF offers a TransportWithMessageCredential security mode that is designed to overcome this limitation. When this security mode is configured, client authentication is provided at the message level, and message protection and service authentication are provided at the transport level. The service certificate is needed for the username or certificate mode or HTTPS. This mode is applicable when the user is authenticating with a UserName or Certificate credential and there is an existing HTTPS deployment for securing message transfer.

    For more information, please try to refer to the following article:
    #Message and Transport Security:
    http://msdn.microsoft.com/en-us/library/ff648863.aspx

    When we use the message security mode, it secures the message itself, so in my mind the request and response will be encrypted.

    We can use Fiddler to see whether the request and response are encrypted or not.
    #Download Fiddler:
    http://www.telerik.com/fiddler

    Best Regards,
    Amy Peng


    Friday, July 11, 2014 9:20 AM
    Moderator
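
The two security modes described in the reply above, side by side, as an added configuration example that is not part of the original thread. The binding names, the service and contract names and the endpoint addresses are hypothetical; the `mode` and `clientCredentialType` values are the standard wsHttpBinding settings.

```xml
<!-- Added illustration. Binding names, service/contract names and
     addresses are hypothetical placeholders. -->
<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <!-- Transport: HTTPS (TLS) protects request and response on the wire,
           and the service's TLS certificate authenticates the service.
           Client authentication is limited to what HTTPS supports:
           None, Basic, Digest, Ntlm, Windows or Certificate. -->
      <binding name="transportOnly">
        <security mode="Transport">
          <transport clientCredentialType="Certificate" />
        </security>
      </binding>

      <!-- TransportWithMessageCredential: HTTPS still provides message
           protection and service authentication. The client credential
           travels inside the SOAP message as a WS-Security header, so a
           UserName, Certificate or IssuedToken credential can be used. -->
      <binding name="transportWithMessageCredential">
        <security mode="TransportWithMessageCredential">
          <message clientCredentialType="UserName" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>

  <services>
    <service name="Example.OrderService">
      <!-- Both endpoints must use https:// addresses. -->
      <endpoint address="https://service.example/orders/transport"
                binding="wsHttpBinding"
                bindingConfiguration="transportOnly"
                contract="Example.IOrderService" />
      <endpoint address="https://service.example/orders/message-credential"
                binding="wsHttpBinding"
                bindingConfiguration="transportWithMessageCredential"
                contract="Example.IOrderService" />
    </service>
  </services>
</system.serviceModel>
```

With either binding, WCF rejects an `http://` endpoint address because the binding requires the HTTPS scheme. A proxy capture taken without HTTPS decryption shows only TLS records for both endpoints, since the on-the-wire protection is the same and the modes differ in where the client credential is carried.
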
  • Hi,

    Thank you

    Please tell me if I am correct or not?

    1) In Transport Security, the service certificate will be installed on the service side and will be propagated to the client side when negotiateServiceCredential=true, and is used to encrypt both request and response at transport level.

    2) In Transport With Message Credential Security, the service certificate will serve as mentioned above in (1), and another client certificate on the client side is used to encrypt client credentials at message level during the request only.

    Q. What is used to encrypt the response side at message level in Transport With Message Credentials?

    Thanks in advance

    
    Saturday, July 12, 2014 2:33 AM
  • Hi,

    Yes, you are right.

    When using certificate authentication in the WCF service, we need to install the service certificate and the client certificate. On the client side, the client uses the service public key to encrypt the request message and sends it to the service; the service then uses the service private key to decrypt the request message. On the service side, it uses the client public key to encrypt the response message and sends it to the client. The client then uses the client private key to decrypt the response message.

    Best Regards,
    Amy Peng


    • Marked as answer by SixtyNine Tuesday, July 15, 2014 4:49 AM
    Monday, July 14, 2014 6:52 AM
    Moderator