WCF security considerations

July 17, 2015

When it comes to securing WCF, the choice comes down to Message security or Transport security. There are hybrid approaches that combine the two, but they are not often used. The binding you choose also constrains which type of security is available.

[Diagram: ApplicationOverviewSecurity]

So what do the different security options provide, and where should each of them be used?

[Diagram: ChannelMessageSecured]

Message security

Provides
Integrity – All communications over the channel are encrypted.
Privacy – Nobody other than the recipient can read the message.
Mutual Authentication – Only the intended recipient can read the message.

Where to use?
1. Internet applications.
2. Where transport security is not provided or cannot be trusted.
3. Where the number of intermediaries (hops) is not known (Internet traffic).

Pros
1. End-to-end security (multiple hops).
2. Can be used to secure messages over non-secured transport layers.

Cons
1. May introduce call latency.

[Diagram: ChannelTransportSecured]

Transport security

Provides
Integrity – All communications over the channel are encrypted.
Privacy – Nobody other than the recipient can read the message.
Mutual Authentication – Only the intended recipient can read the message.

Where to use?
1. Typically for intranet applications.
2. Where there is a single hop between client and service.
3. A controlled environment.
4. Point-to-point security.

Pros
1. Best performance.
2. Can use hardware acceleration.
3. Easiest to set up.

Cons

Can only guarantee security point-to-point.

[Diagram: ChannelTransportAndMessageSecured]

Both (Transport + Message security)

Provides
Integrity – All communications over the channel are encrypted.
Privacy – Nobody other than the recipient can read the message.
Mutual Authentication – Only the intended recipient can read the message.

Where to use?
Only supported by MSMQ.

Pros
Overkill security

Cons
Overkill for most applications
Latency

Mixed transfer security mode

Uses transport security for message integrity and privacy, and message security to protect the client credentials.

Provides
Integrity – All communications over the channel are encrypted.
Privacy – Nobody other than the recipient can read the message.
Mutual Authentication – Only the intended recipient can read the message.

Where to use?
Rarely used.

Pros
Combines the benefits of both Transport and Message security.

Cons
Only secures point-to-point – the same limitation as transport security.

Deciding which type of security to use is straightforward, as the diagram below shows.

[Diagram: SecurityTypeDecision]
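The four modes compared above, expressed as WCF binding configuration. This is an added example written for this article, not code from the original post; it assumes an HTTPS endpoint for the transport cases, an X.509 service certificate that the client already trusts for the message cases, and an MSMQ queue for the "Both" case.

```csharp
using System;
using System.Net.Security;
using System.ServiceModel;

// Added example: one binding per security mode discussed in the article.
static class WcfSecurityModes
{
    // Message security: the SOAP message itself is signed and encrypted, so it
    // stays protected across any number of hops and works over plain HTTP.
    public static WSHttpBinding MessageSecured()
    {
        var b = new WSHttpBinding(SecurityMode.Message);
        b.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;
        // Assumption: the client has the service certificate out of band,
        // so no service credential negotiation is needed.
        b.Security.Message.NegotiateServiceCredential = false;
        return b;
    }

    // Transport security: TLS on the wire, best performance, but only
    // point-to-point (single hop between client and service).
    public static WSHttpBinding TransportSecured()
    {
        var b = new WSHttpBinding(SecurityMode.Transport);
        b.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;
        return b;
    }

    // Both: transport and message protection; only NetMsmqBinding supports it.
    public static NetMsmqBinding BothSecured()
    {
        var b = new NetMsmqBinding(NetMsmqSecurityMode.Both);
        b.Security.Transport.MsmqAuthenticationMode = MsmqAuthenticationMode.WindowsDomain;
        b.Security.Transport.MsmqProtectionLevel = ProtectionLevel.EncryptAndSign;
        b.Security.Message.ClientCredentialType = MessageCredentialType.Windows;
        return b;
    }

    // Mixed mode: TLS provides integrity and privacy, the client credential
    // travels inside the message (TransportWithMessageCredential).
    public static WSHttpBinding MixedSecured()
    {
        var b = new WSHttpBinding(SecurityMode.TransportWithMessageCredential);
        b.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        return b;
    }

    // Guard for the decision step: refuse a binding that ended up with no security.
    public static void RequireSecured(WSHttpBinding b)
    {
        if (b.Security.Mode == SecurityMode.None)
            throw new InvalidOperationException("Binding has no security mode; choose one of the modes above.");
    }
}
```

Call RequireSecured before opening a ServiceHost or ChannelFactory so that a misconfigured binding fails at start-up rather than silently sending cleartext.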
