Encryption of WCF traffic without X.509 or Windows authentication

Question

I'm looking at how to set up a secure connection between a WCF service, and a non-.NET client running on RHEL, so I expect Windows authentication is not feasible. This is just for an internal network, so I'm hoping to avoid the management headaches of X.509 (eg needing to closely monitor certificate expiry dates), but I'm not clear on whether it's technically possible to do so.

Is it possible to configure a WCF service with eg BasicHttpBinding or WsHttpBinding so that it has encryption (either transport or message layer, I'm not picky), but without using Windows authentication support or X.509 certificates?

Every scenario I've read for secured WCF services seems to use one of those two technologies. The only ones which don't require any X.509 certificates all use Windows authentication. I'm not sure if this is a fundamental consequence of the underlying technologies or if it's just a property of the "common scenarios" that Microsoft has chosen to document. At the moment I'm assuming that if Windows authentication isn't available, then X.509 is the only way to deploy public/private key pairs for the non-Windows-specific message encryption algorithms to use. Is this understanding correct?

Answer 1

well ... it's just that "common" property ...

x.509 is the common way to do this in your scenario, since the most things needed for this are already there ...

but you are not limited to either windows auth or x.509 ...

take a look here: http://www.codeproject.com/Articles/165844/WCF-Client-Server-Application-with-Custom-Authenti

the article describes how you can introduce your own authentication and encryption schema ...

i've already done that (simple AES encryption, one key among all clients), but i don't have the code at hand ... it wasn't that hard, but if you really run into trouble here, i'll have a look if i still have that stuff somewhere...