WCF Security Basic: Part 1

By SonuKSingh Blogs | WCF with C# Oct 12, 2013
Security in WCF can be provided in two ways. A theoretical brief of both is explained.

WCF Security Basic: Part 1

WCF Security is a very wide topic. So it is better to break into multiple parts to understand it better. In this part, I will be covering very basic of it.

In WCF, We can apply security measures (authentication and Encryption) at two points when sending and receiving messages:
  1. At Transport Level.
  2. At Message Level.

Transport Level Security:

  • Transport Level Authentication is typically implemented at Operating System level.
  • Transport Level Encryption and Decryption are facilitated by underlying Communication Protocol.
  • For Example: HTTPS uses SSL (Secure Socket Layer), TCP uses TSL (Transport Layer Security).

Message Level Security: 

  • Message Level Authentication, user's credentials are passed to service and its responsibility of Service to Authenticate it.
  • Message Level Encryption and Decryption are done by Service and Client using agreed set of Encryption Key and Encryption Algorithm.
  • WS-Security recommendations should be followed to ensure interoperability between services developed using other technologies than WCF.

Comparison: 

  • Transport Level Security is very efficient because it often relies on underlying hardware and operating system support for encryption and decryption, which can be very resource intensive process.
  • Transport Level Authentication is enforced before client actually starts sending messages. This results in early detection of Authentication Failure with less Network Overhead.
  • Message Level Security operates End-To-End basis, While Transport Level Security Operates Point-to-Point basis.
  • Meaning if there is any intermediate service that passes message from and to, then using Message Level Security is more secure than Transport Level.
  • In Transport Level, by the time Service receives message it is already authenticated and decrypted and Intermediate Service has full access to the message.
  • While Since Message Level Security is implemented at Client and Service End, Intermediate Services cannot easily decrypt the message.

!! Happy Programming !!
COMMENT USING