
How do I get WCF to send the password in digest mode when using UserNameOverTransport binding? (Converting WSE3.0 code to WCF)

I'm trying to convert this WSE3.0 code to WCF:

// We use Microsoft WSE 3.0 to insert the UsernameToken in the SOAP header.
// This strategy creates and inserts the Nonce and Created elements for us,
// and computes the password digest from Nonce, Created and the password
// itself. Refer to the WS-Security UsernameToken Profile 1.1 specification
// at http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=wss.

Microsoft.Web.Services3.Security.Tokens.UsernameToken nametoken;
// PasswordOption.SendHashed puts Base64(SHA-1(nonce + created + password)) on the
// wire instead of the clear-text password.
nametoken = new Microsoft.Web.Services3.Security.Tokens.UsernameToken(
    username, password, Microsoft.Web.Services3.Security.Tokens.PasswordOption.SendHashed);
Microsoft.Web.Services3.Design.Policy ClientPolicy = new Microsoft.Web.Services3.Design.Policy();

ClientPolicy.Assertions.Add(new UsernameOverTransportAssertion());
this._proxy.SetPolicy(ClientPolicy);
this._proxy.SetClientCredential<UsernameToken>(nametoken);

I have gotten pretty close, except for sending the password in digest mode (Microsoft.Web.Services3.Security.Tokens.PasswordOption.SendHashed in the above code):

TransportSecurityBindingElement transportBindingElement =
    SecurityBindingElement.CreateUserNameOverTransportBindingElement();
// Lets the UsernameToken travel over plain HTTP instead of requiring HTTPS.
transportBindingElement.AllowInsecureTransport = true;
transportBindingElement.EnableUnsecuredResponse = true;
transportBindingElement.IncludeTimestamp = true;
var binding = new CustomBinding(new BindingElement[] {
    transportBindingElement,
    new TextMessageEncodingBindingElement() {
        MessageVersion = MessageVersion.Soap11
    },
    new HttpTransportBindingElement() {
        // HTTP Digest authentication (RFC 2617) at the transport layer; this is
        // unrelated to the WS-Security UsernameToken PasswordDigest in the SOAP header.
        AuthenticationScheme = AuthenticationSchemes.Digest,
    },
});

The above still sends the password in plain text (unhashed). I found this link to somebody trying to convert similar code, with someone stating that it was not possible to set up WCF to do this without writing a custom token serializer.

Is this statement accurate?

If it is, what do I need to do to create and use this custom serializer?

It looks like this link might be a good starting place when combined with the PDF from the site linked in the comments, which gives the following formula: Password_Digest = Base64 ( SHA-1 ( nonce + created + password ) ). But if anybody has a better explanation of exactly what I need to derive from, and how to get WCF to use my new serializer, I'd love to hear it.
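As an added worked example (not part of the original question, and not WSE 3.0 or WCF code), here is the formula from the UsernameToken Profile carried through in Python: it computes Password_Digest over the raw nonce bytes, serialises the wsse:UsernameToken element that a custom WCF token serializer would have to emit, and shows the receiver-side check. The namespace and Type URIs are the published OASIS WS-Security 1.0 ones; the username, password, nonce and timestamp are constructed sample values, and the 5-minute freshness window and in-memory nonce cache are illustrative assumptions rather than spec requirements.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone
from typing import Optional
from xml.sax.saxutils import escape

# Namespace and Type URIs from the OASIS WS-Security 1.0 UsernameToken Profile.
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PASSWORD_DIGEST_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
                        "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
BASE64_BINARY = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-soap-message-security-1.0#Base64Binary")


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Password_Digest = Base64(SHA-1(nonce + created + password)).

    nonce is the RAW nonce bytes (the Nonce element carries them Base64-encoded);
    created and password are concatenated as UTF-8. Hashing the Base64 text of
    the nonce instead of the bytes is the classic interoperability mistake.
    """
    material = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(material).digest()).decode("ascii")


def utc_created(now: datetime) -> str:
    """xsd:dateTime in UTC with millisecond precision, e.g. 2024-01-02T03:04:05.678Z."""
    return f"{now:%Y-%m-%dT%H:%M:%S}.{now.microsecond // 1000:03d}Z"


def build_username_token(username: str, password: str,
                         nonce: Optional[bytes] = None,
                         created: Optional[str] = None) -> str:
    """Serialise the <wsse:UsernameToken> a custom WCF token serializer would write
    (the same shape WSE 3.0 produces for PasswordOption.SendHashed)."""
    nonce = os.urandom(16) if nonce is None else nonce
    created = utc_created(datetime.now(timezone.utc)) if created is None else created
    nonce_b64 = base64.b64encode(nonce).decode("ascii")
    digest = password_digest(nonce, created, password)
    return (
        f'<wsse:UsernameToken xmlns:wsse="{WSSE_NS}" xmlns:wsu="{WSU_NS}">'
        f"<wsse:Username>{escape(username)}</wsse:Username>"
        f'<wsse:Password Type="{PASSWORD_DIGEST_TYPE}">{digest}</wsse:Password>'
        f'<wsse:Nonce EncodingType="{BASE64_BINARY}">{nonce_b64}</wsse:Nonce>'
        f"<wsu:Created>{created}</wsu:Created>"
        "</wsse:UsernameToken>"
    )


def verify_password_digest(nonce_b64: str, created: str, presented: str,
                           password: str, seen_nonces: set, now: datetime,
                           max_skew: timedelta = timedelta(minutes=5)) -> bool:
    """Receiver side: freshness window, nonce replay cache, then constant-time compare.

    The digest only proves knowledge of the password; without the Created window
    and the nonce cache a captured token can be replayed verbatim. The 5-minute
    window and the in-memory set are illustrative choices, not spec values.
    """
    try:
        created_at = datetime.strptime(created, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
        nonce = base64.b64decode(nonce_b64, validate=True)
    except ValueError:  # malformed timestamp or nonce (binascii.Error is a ValueError)
        return False
    if abs(now - created_at) > max_skew or nonce_b64 in seen_nonces:
        return False
    if not hmac.compare_digest(password_digest(nonce, created, password), presented):
        return False
    seen_nonces.add(nonce_b64)  # only accepted tokens are cached; expire them past max_skew in practice
    return True


def demo() -> dict:
    """Round trip over constructed sample values (not a captured message)."""
    nonce = bytes(range(16))                 # constructed; use os.urandom(16) for real tokens
    created = "2024-01-02T03:04:05.678Z"     # constructed timestamp
    now = datetime(2024, 1, 2, 3, 4, 6, tzinfo=timezone.utc)
    password = "s3cret"
    nonce_b64 = base64.b64encode(nonce).decode("ascii")
    digest = password_digest(nonce, created, password)
    seen: set = set()
    return {
        "token": build_username_token("alice", password, nonce=nonce, created=created),
        "digest": digest,
        "created_fmt": utc_created(now),
        # hashing the Base64 text of the nonce yields a different, wrong digest
        "digest_of_b64_nonce": password_digest(nonce_b64.encode("ascii"), created, password),
        "accepted": verify_password_digest(nonce_b64, created, digest, password, seen, now),
        "replayed": verify_password_digest(nonce_b64, created, digest, password, seen, now),
        "wrong_password": verify_password_digest(nonce_b64, created, digest, "wrong", set(), now),
        "stale": verify_password_digest(nonce_b64, created, digest, password, set(),
                                        now + timedelta(hours=1)),
    }


if __name__ == "__main__":
    print(demo()["token"])
```

The element this prints is what to compare against the header WSE 3.0 emits with PasswordOption.SendHashed: if the digests differ for the same Nonce and Created, the usual cause is hashing the Base64 text of the nonce rather than its decoded bytes, or a Created string that is not byte-identical to the one placed in the header.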

You found my question :)

This is a very interesting problem. MS was often blamed for producing insecure systems and APIs, and because of that some engineers at MS began incorporating ideas about what is secure and what is not into new APIs. The UsernameToken profile with digested password is exactly the result of this effort. It is considered not secure enough, and because of that it is completely omitted from WCF. Well, it would not be a problem if WCF were not an API for interoperability with other platforms and frameworks, where the UsernameToken profile with digested password is very popular.

Yes, we wrote a custom token serializer when we solved the problem. It is not only about the token serializer; you actually have to implement quite a lot of classes to make it work. I will not share our implementation because it wasn't my code, but you can try this one.
