7

I'm still in the process of trying to better understand WCF security.

One question that I can't seem to get a grip on is… if message level security is used, then the entire message can be signed/encrypted. If this is the case, would it ever make sense to use both message level security AND transport level security? In other words, if the message itself is secure, why would I need to use something like HTTPS for transport security?

Thanks.

ChrisNel52

3 Answers

7

HTTPS (SSL, TLS) offers point-to-point security. I already explained what it means in one of my previous answers.

The term Security in WCF has 4 components:

  • Authentication - credentials passed to the server to identify the client
  • Authorization - selectively define which operations can be executed by the authenticated client
  • Confidentiality - encryption - only the expected receiver is able to decrypt the message and read confidential data
  • Integrity - signing - the expected receiver can validate that the message is from the declared client and that it was not modified during transmission

Authorization is always part of the WCF application itself. Authentication is part of the WCF application or the hosting system - the transport protocol can only be used to transport credentials, not to validate them. Confidentiality and Integrity are the responsibility of the transport protocol (transport security) or the WCF application (message security). So if you are using encryption and signing on the message level you don't need transport security.

Ladislav Mrnka
  • I agree with most of this answer, but I don't think it is true to say that transport security can only transport credentials, not validate them. For a number of the bindings, when Windows credentials are used, transport security implements an SSPI handshake which not only conveys the credentials but also validates them with the receiver's Windows authority. – Chris Dickson Jan 28 '11 at 22:56
  • @Chris: Yes, transport security is a combination of the transport protocol and OS features. OS features are responsible for performing the SSPI handshake - it is definitely not part of HTTPS. – Ladislav Mrnka Jan 29 '11 at 00:24
0

If you use message-level security in the form of encryption, then you should not need to also use transport-level encryption. However, doing so will certainly make your message more secure. If you only use message-level security to sign outgoing messages, then you will also want to use transport-level security if your message contains sensitive information.

It is important to use transport-level security when no message-level encryption is used. In fact, WCF requires you to use SSL when using UsernameToken plaintext, for example.

Zach
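To put the two answers above side by side in code, here is an added C# example (not from the question or any of the answers) that hosts one contract on two bindings: pure message security, where the SOAP body is signed and encrypted and a plain http address is fine, and TransportWithMessageCredential, where a UserName token is sent without message-level encryption and WCF therefore insists on HTTPS underneath. The IOrderService contract, the endpoint addresses and the certificate subject name are placeholders I made up for the example.

```csharp
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;

// Added example, not code from the question or any answer. Addresses and the
// certificate subject name are placeholders; the https endpoint also assumes
// a server certificate already bound to port 8443 in http.sys.
[ServiceContract(ProtectionLevel = ProtectionLevel.EncryptAndSign)]
public interface IOrderService
{
    [OperationContract]
    string PlaceOrder(string orderXml);
}

public static class WcfSecurityModes
{
    // Message security only: the SOAP body is signed and encrypted with the
    // service certificate, so it stays protected through intermediaries and
    // a plain http:// address is acceptable, as Ladislav's answer says.
    public static WSHttpBinding MessageSecurity()
    {
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        return binding;
    }

    // Both layers: the UserName token travels in the SOAP header without
    // message-level encryption, so WCF requires HTTPS underneath and Open()
    // throws for an http:// address. This is Zach's "UsernameToken plaintext
    // needs SSL" case; TLS protects only the hop, not the message itself.
    public static BasicHttpBinding TransportWithMessageCredential()
    {
        var binding = new BasicHttpBinding(BasicHttpSecurityMode.TransportWithMessageCredential);
        binding.Security.Message.ClientCredentialType = BasicHttpMessageCredentialType.UserName;
        return binding;
    }

    public static ServiceHost Host<TService>()
    {
        var host = new ServiceHost(typeof(TService));
        host.AddServiceEndpoint(typeof(IOrderService), MessageSecurity(), "http://localhost:8080/orders");
        host.AddServiceEndpoint(typeof(IOrderService), TransportWithMessageCredential(), "https://localhost:8443/orders");
        // The service certificate is what message security encrypts to and signs with.
        host.Credentials.ServiceCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My, X509FindType.FindBySubjectName, "orders.example.test");
        return host;
    }
}
```

Swapping the second endpoint's address to http:// makes ServiceHost.Open() fail, which is the runtime form of the rule Zach's answer describes.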
0

As far as I remember it's only possible to use both transport and message level security when using NetMsmqBinding.

Edin Dazdarevic