WCF Security: Difference between TransportWithMessageCredential and Message Security Mode

Question

I would like to know the difference between TransportWithMessageCredential Vs Message in terms of WCF security.

What I know is:

Transport security: Is used to provide point-to-point security between the two endpoints.

Message security: It provides end-to-end security. Because message security directly encrypts and signs the message, having intermediaries does not break the security.

If we use TransportWithMessageCredential mode, is the SOAP message (Header and Body) encrypted?

My concern is that I want to have the application data to be encrypted between WCF server and my WinForms client.

Answer 1

If we use TransportWithMessageCredentials mode , Is SOAP message( Header and Body) encrypted?

Yes, since with TransportWithMessageCredential security mode it is transport security which is providing confidentiality and integrity protection for the messages that are transmitted over the wire. Transport security also provides service authentication in this case. For example, with HTTP, Secure Sockets Layer (SSL) is used for encrypting and signing the contents of the packets sent over Secure HTTP (HTTPS).

With TransportWithMessageCredential security mode, client authentication is provided by means of SOAP message security where the client credential is put directly in the message.

When the SOAP message leaves the client for the service it is encrypted. However, as with transport security it provides point-to-point ( not end-to-end) security between the two endpoints (service and client). So if there are intermediary systems between the client and the service, each intermediate point must forward the message over a new secure connection.

Update Per Comments

you said "When the SOAP message leaves the client for the service it is encrypted' Then it should be end -end security. why it is only point -to-point.

Transport security is point-to-point because a message is encrypted when it leaves one endpoint and remains so until it reaches the other endpoint of the secure transport where the message is then decrypted. In deployments where the client and server are talking directly to each other, then this provides encryption the whole way through. However, if your service endpoint is going to forward that message onto the intended recipient, then your message is no longer guaranteed to be encrypted from that point onward.

Message security directly encrypts and signs the message so that only the intended recipient can decrypt and read the actual contents of the message. Therefore security is guaranteed between sender and recipient and not just between endpoints. Therefore, message security provides end-to-end security.

Can i conclude TransportWithMessageCredential provide security point -to-point and message Level security provide End-to-End Security. then Why WCF security Guide is suggesting to use TransportWithMessageCredential with UserName When we are using WCF with Windows form client in internet.

Yes, that is correct. TransportWithMessageCredential security provides point-to-point and Message security provides end-to-end security. The WCF Security Guide is suggesting to set the client credential to UserName because this will be used to authenticate the client. In the UserName case, we have the username and password pair being put directly in the SOAP message. Unless the client provides some sort of credential such as a UserName or Certificate to authenticate themselves to the service you will have an anonymous client. An anonymous client means that anyone can access your service since the client is not being authenticated.

If message body is not encrypted with TransportWithMessageCredential then why Microsoft says TransportWithMessageCredential is a combination of both Transport and Message security

As with my original answer: The SOAP messages are encrypted and signed by the transport layer (eg HTTPS). TransportWithMessageCredential is a combination of both transport and message security since transport security encrypts and signs the messages as well as authenticates the service to the client and message security is used to authenticate the client to the service.