
WCF Security: Difference between TransportWithMessageCredential and Message Security Mode

I would like to know the difference between TransportWithMessageCredential vs. Message in terms of WCF security.

What I know is:

Transport security: It is used to provide point-to-point security between the two endpoints.

Message security: It provides end-to-end security. Because message security directly encrypts and signs the message, having intermediaries does not break the security.

If we use TransportWithMessageCredential mode, is the SOAP message (Header and Body) encrypted?

My concern is that I want the application data to be encrypted between the WCF server and my WinForms client.

If we use TransportWithMessageCredential mode, is the SOAP message (Header and Body) encrypted?

Yes, since with TransportWithMessageCredential security mode it is transport security which is providing confidentiality and integrity protection for the messages that are transmitted over the wire. Transport security also provides service authentication in this case. For example, with HTTP, Secure Sockets Layer (SSL) is used for encrypting and signing the contents of the packets sent over Secure HTTP (HTTPS).

With TransportWithMessageCredential security mode, client authentication is provided by means of SOAP message security where the client credential is put directly in the message.

When the SOAP message leaves the client for the service it is encrypted. However, as with transport security, it provides point-to-point (not end-to-end) security between the two endpoints (service and client). So if there are intermediary systems between the client and the service, each intermediate point must forward the message over a new secure connection.

Update Per Comments

You said "When the SOAP message leaves the client for the service it is encrypted". Then it should be end-to-end security. Why is it only point-to-point?

Transport security is point-to-point because a message is encrypted when it leaves one endpoint and remains so until it reaches the other endpoint of the secure transport where the message is then decrypted. In deployments where the client and server are talking directly to each other, then this provides encryption the whole way through. However, if your service endpoint is going to forward that message onto the intended recipient, then your message is no longer guaranteed to be encrypted from that point onward.

Message security directly encrypts and signs the message so that only the intended recipient can decrypt and read the actual contents of the message. Therefore security is guaranteed between sender and recipient and not just between endpoints. Therefore, message security provides end-to-end security.

Can I conclude that TransportWithMessageCredential provides point-to-point security and message-level security provides end-to-end security? Then why is the WCF Security Guide suggesting to use TransportWithMessageCredential with UserName when we are using WCF with a Windows Forms client on the internet?

Yes, that is correct. TransportWithMessageCredential security provides point-to-point and Message security provides end-to-end security. The WCF Security Guide is suggesting to set the client credential to UserName because this will be used to authenticate the client. In the UserName case, we have the username and password pair being put directly in the SOAP message. Unless the client provides some sort of credential such as a UserName or Certificate to authenticate themselves to the service, you will have an anonymous client. An anonymous client means that anyone can access your service since the client is not being authenticated.

If the message body is not encrypted with TransportWithMessageCredential, then why does Microsoft say TransportWithMessageCredential is a combination of both Transport and Message security?

As with my original answer: The SOAP messages are encrypted and signed by the transport layer (e.g. HTTPS). TransportWithMessageCredential is a combination of both transport and message security since transport security encrypts and signs the messages as well as authenticates the service to the client, and message security is used to authenticate the client to the service.
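
The two modes compared in this thread, as an added example that is not part of the original question or answer: a service-side configuration fragment exposing one contract under each mode. The binding, service, contract, host and certificate names are hypothetical.

```xml
<!-- Added example; binding, service, contract, host and certificate names are hypothetical. -->
<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <!-- Point-to-point: HTTPS encrypts and signs the whole SOAP envelope and
           authenticates the service. The WS-Security header only carries the
           client's UserName credential. The endpoint address must be https://. -->
      <binding name="tlsWithUserName">
        <security mode="TransportWithMessageCredential">
          <message clientCredentialType="UserName" />
        </security>
      </binding>
      <!-- End-to-end: WS-Security encrypts and signs the message itself, so
           protection does not depend on each hop's connection. The endpoint
           can be reached over plain http://. -->
      <binding name="messageUserName">
        <security mode="Message">
          <message clientCredentialType="UserName" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <behaviors>
    <serviceBehaviors>
      <behavior name="withServiceCert">
        <serviceCredentials>
          <!-- Used by mode="Message" to authenticate the service and protect
               messages. For the HTTPS endpoint the TLS certificate is bound to
               the port in HTTP.SYS or IIS instead. -->
          <serviceCertificate findValue="orders.example.test" storeLocation="LocalMachine"
                              storeName="My" x509FindType="FindBySubjectName" />
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
  </behaviors>
  <services>
    <service name="Contoso.OrderService" behaviorConfiguration="withServiceCert">
      <endpoint address="https://orders.example.test/svc/tls" binding="wsHttpBinding"
                bindingConfiguration="tlsWithUserName" contract="Contoso.IOrderService" />
      <endpoint address="http://orders.example.test/svc/msg" binding="wsHttpBinding"
                bindingConfiguration="messageUserName" contract="Contoso.IOrderService" />
    </service>
  </services>
</system.serviceModel>
```

With a client that talks directly to the service, both endpoints keep the application data encrypted on the wire; the difference only shows once an intermediary terminates the HTTPS connection.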
