5

I have read the documentation provided at MSDN, and some other posts on this site. However, it's still a bit unclear whether WCF (specifically, NetTcpBinding) will actually encrypt message contents when using message security w/ certificates. Does anyone know for sure?

For instance you can specify both transport and message credentials in your config:

    <security mode="TransportWithMessageCredential">
        <transport clientCredentialType="Certificate"/>
        <message clientCredentialType="Certificate"
                 negotiateServiceCredential="true" />
    </security>

As far as I can tell the MSDN documentation implies that message security simply relies on either username/password or certificate-based authentication (negotiation), but doesn't specifically state that the message themselves are actually encrypted at the message level.

For instance, if I use ONLY message security, with certificate-based negotiation, I don't think message contents are actually encrypted (i.e. a packet sniffer could intercept the raw message contents -- even if the service enforces authentication)?

If true message-level encryption is possible (using NetTcpBinding), how is it done in code? I believe this is related to the AlgorithmSuite, though I'm not sure:

    binding.Security.Mode = SecurityMode.Message;
    binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;
    binding.Security.Message.AlgorithmSuite = new System.ServiceModel.Security.TripleDesSecurityAlgorithmSuite();
Sean Thoman

3 Answers

5

Not sure if this fully answers your question, but according to this article TCP encrypts by default.

NetTcpBinding is secure by default. Specifically, callers must provide Windows credentials for authentication and all message packets are signed and encrypted over TCP protocol.

In other words, if you customise the configuration but use a security mode other than 'None',

By default, all secure WCF bindings will encrypt and sign messages. You cannot disable this for transport security, however, for message security you may wish to disable this for debugging purposes, or when an alternate method of protection is used such as IPSec.

Phil Degenhardt
Comment: I decided to just sniff the packets myself using Wireshark, and I can confirm that this is true. Apparently Windows takes care of the encryption itself for domain / trusted domain communication. Thanks! – Sean Thoman Jul 11 '12 at 21:08
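As an added illustration (not code from the question or the answers), the C# below configures NetTcpBinding for message-level encryption with certificate credentials, the case the question asks about, and then inspects the built binding stack to distinguish the three modes the thread discusses: Message (body encrypted and signed at the SOAP layer), TransportWithMessageCredential (credentials in the message, protection by the transport) and Transport/None. The IOrderService contract, the endpoint URI and the certificate subject name "OrderService" are assumptions.

```csharp
using System;
using System.Net.Security;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Security;
using System.Security.Cryptography.X509Certificates;

// Assumed contract. EncryptAndSign is already the default for message security;
// stating it makes the intent explicit and fails fast on a binding that cannot meet it.
[ServiceContract(ProtectionLevel = ProtectionLevel.EncryptAndSign)]
public interface IOrderService
{
    [OperationContract]
    string Submit(string order);
}

public static class SecureTcpBinding
{
    // Message security with certificate credentials: the body is encrypted and signed
    // at the SOAP layer, independent of what the TCP transport does.
    public static NetTcpBinding Create()
    {
        var binding = new NetTcpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;
        // Choose the suite explicitly; Basic256 uses AES-256 for the body.
        binding.Security.Message.AlgorithmSuite = SecurityAlgorithmSuite.Basic256;
        return binding;
    }

    // Inspect the binding stack rather than trusting the config text: only a symmetric or
    // asymmetric SecurityBindingElement encrypts the body itself; the transport variant does not.
    public static string DescribeProtection(Binding binding)
    {
        var sec = binding.CreateBindingElements().Find<SecurityBindingElement>();
        if (sec == null)
            return "no message-layer security (mode Transport or None)";
        if (sec is TransportSecurityBindingElement)
            return "TransportWithMessageCredential: credentials in the message, body protected by the transport";
        return "Message: body encrypted and signed, suite=" + sec.DefaultAlgorithmSuite;
    }

    // Host side: the service certificate that signs/encrypts at the message layer ("OrderService" is assumed).
    public static ServiceHost Host(Type implementation)
    {
        var host = new ServiceHost(implementation, new Uri("net.tcp://localhost:9000/orders"));
        host.Credentials.ServiceCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My, X509FindType.FindBySubjectName, "OrderService");
        host.AddServiceEndpoint(typeof(IOrderService), Create(), "");
        return host;
    }
}
```

Calling DescribeProtection on Create() versus on new NetTcpBinding(SecurityMode.TransportWithMessageCredential) shows the difference the question is about: only the first reports message-layer encryption.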
4

WCF can encrypt message contents with a netTcpBinding. The easiest way to see this is to add diagnostics to your .config file and output an svclog file. You can actually see the encrypted message with the svctraceviewer.exe tool.

Here's some more info (which you may have already read) WCF NetTcpBinding Security - how does it work?

Mark B
0

Maybe a late answer. But here is something I stumbled upon on MSDN.

Message security makes the message secure regardless of what transport you use to transmit the message, and the security context is directly embedded inside the message.

MSDN Article

David Sherret
Sunil Johnson