stackoom
  简体   繁体   中英

Is Transport Level Security Necessary When Using Message Level Security in WCF?

 原文  2011-01-28 14:50:11       .net/ wcf/ security

Question

I'm still in the process of trying to better understand WCF security.

One question that I can't seem to get a grip on is… if message level security is used, then the entire message can be signed/encrypted. If this is the case, would it ever make sense to use both message level security AND transport level security? In other words, if the message itself is secure, why would I need to use something like HTTPS for transport security?

Thanks.

3 answers

solution1
 7 ACCPTED  2011-01-28 17:29:24

HTTPS (SSL, TLS) offer point-to-point secuirty. I already explained what does it mean in one of my previous answers .

Term Security in WCF has 4 components:

  • Authentication - credentials passed to server to identify client
  • Authorization - selectively define which operations can be executed by authenticated client
  • Confidentality - encryption - only expected receiver is able to decrypt the message and read confidental data
  • Integrity - signing - expected receiver can validate that message is from declared client and it was not modified during transmission

Authorization is always part of WCF application itself. Authentication is part of WCF application or hosting system - transport protocol can be only used to transport credentials, not to validate them. Confidentality and Integrity is responsibility of transport protocol (transport security) or WCF application (message security). So if you are using encryption and signing on the message level you don't need transport security.

solution2
 0  2011-01-28 14:58:36

If you use message-level security in the form of encryption, then you should not need to also use transport-level encryption. However, doing so will certainly make your message more secure. If you only use message-level security to sign outgoing messages, then you will also want to use transport-level security if your message contains sensitive information.

It is important to use transport-level security when no message-level encryption is used. In fact, WCF requires you to use SSL when using UsernameToken plaintext, for example.

solution3
 0  2011-01-28 18:38:49

据我所知,在使用NetMsmqBinding时,只能使用传输和消息级安全性。

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question WCF Message Level Security Is SSL for WCF needed when using Transport Security? Does WCF message level security mean I can ignore SSL? Allowing a User to access .Net WCF service using Windows Authentication mode and Message Level security Configuring transport security for WCF Set transport security on WCF binding using IEndpointBehavior? Transport security vs Message security wsHttpBinding message-level security without using certificates? WCF Message security using certificates - Is there any benefit to using wsHttpBinding SSL Transport Security in conjunction with Message Security?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM