I'm currently developing a little server-client based game in my free time, using C# and WCF with net.TCP. To let you understand my circumstances, here is what I did until now:
- The server application hosts a WCF service and client applications connect to it. The clients register callback objects which the server stores in a list and calls methods to push messages to the clients.
- The server service contains methods like `Connect` and `Disconnect` which start/terminate a session automatically. The server then uses the session id and callback object to identify the client and remember it for callbacks.
- The client callback object contains methods like `ObjectCreated`, `PropertyChanged` and so on, which are called by the server when the according server event happens.
- The WCF service has no security configured, which is fine until now. But soon I will extend the service in a way that a client can send control messages, maybe like "menu entry selected" or "moving right". The client can still be identified using the list of clients which called `Connect` and an illegal call could technically be noticed, but I don't know if that is the right way to go.
The next thing to think about is the login with a username and password. First I tried to refactor the `Connect` method to `Connect(string UserName, string Password)`, but I don't think this is a good idea since the password is transferred unencrypted.
So I googled a lot about username / password authentication with WCF, thinking about using a custom `UserNamePasswordValidator` implementation to check if the credentials match an account on the server. But I read you have to use a certificate and per message authentication, which sounds like bad performance to me since there will be a lot of network interaction between the server and the clients.
Now my question: Is there any fast and safe way to log in with username / password (maybe per session) just like in other known client-server based games?
A detailed answer would be a great step for my little game and constructive changes to my strategy are appreciated, thanks a lot.
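
The setup the question describes (a custom `UserNamePasswordValidator` together with a service certificate on net.TCP), written out as an added example that is not part of the original post. The names `Account`, `GameUserValidator` and `HostSetup`, the endpoint address and the certificate subject are assumptions or placeholders, and the `Rfc2898DeriveBytes` overload used needs .NET Framework 4.7.2 or later.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

// Hypothetical account record: per-user salt and PBKDF2 hash, never the plain password.
class Account { public byte[] Salt; public byte[] Hash; }

class GameUserValidator : UserNamePasswordValidator
{
    const int Iterations = 100000;
    readonly IDictionary<string, Account> accounts;   // assumed store, loaded elsewhere
    public GameUserValidator(IDictionary<string, Account> accounts) { this.accounts = accounts; }

    public override void Validate(string userName, string password)
    {
        Account account;
        if (userName == null || password == null || !accounts.TryGetValue(userName, out account))
            throw new SecurityTokenException("Unknown user name or wrong password.");
        using (var kdf = new Rfc2898DeriveBytes(password, account.Salt, Iterations, HashAlgorithmName.SHA256))
        {
            byte[] candidate = kdf.GetBytes(account.Hash.Length);
            int diff = 0;                               // compare every byte, no early exit
            for (int i = 0; i < candidate.Length; i++) diff |= candidate[i] ^ account.Hash[i];
            if (diff != 0) throw new SecurityTokenException("Unknown user name or wrong password.");
        }
    }
}

static class HostSetup
{
    // TService / TContract stand for the game service and its contract (names assumed).
    public static ServiceHost Create<TService, TContract>(IDictionary<string, Account> accounts)
    {
        // The certificate secures the TCP transport; the user name and password travel as a message credential.
        var binding = new NetTcpBinding(SecurityMode.TransportWithMessageCredential);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        var host = new ServiceHost(typeof(TService), new Uri("net.tcp://localhost:9000/game"));
        host.AddServiceEndpoint(typeof(TContract), binding, "");
        host.Credentials.ServiceCertificate.SetCertificate(StoreLocation.LocalMachine,
            StoreName.My, X509FindType.FindBySubjectName, "game-server.example"); // placeholder subject
        host.Credentials.UserNameAuthentication.UserNamePasswordValidationMode = UserNamePasswordValidationMode.Custom;
        host.Credentials.UserNameAuthentication.CustomUserNamePasswordValidator = new GameUserValidator(accounts);
        return host;
    }
}
```

On the client side the credentials are set once on the channel factory or proxy through `ClientCredentials.UserName.UserName` and `ClientCredentials.UserName.Password` before the channel is opened, so `Connect` no longer needs password parameters.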