WCF Security Basic: Part 1
SonuKSingh
11y
WCF security is a very wide topic, so it is better to break it into multiple parts. In this part, I will cover the very basics.
In WCF, we can apply security measures (authentication and encryption) at two points when sending and receiving messages:
At Transport Level.
At Message Level.
Transport Level Security:
Transport Level Authentication is typically implemented at the operating system level.
Transport Level Encryption and Decryption are facilitated by the underlying communication protocol.
For example: HTTPS uses SSL (Secure Sockets Layer), TCP uses TLS (Transport Layer Security).
Message Level Security:
With Message Level Authentication, the user's credentials are passed to the service, and it is the responsibility of the service to authenticate them.
Message Level Encryption and Decryption are done by the service and the client using an agreed encryption key and encryption algorithm.
WS-Security recommendations should be followed to ensure interoperability with services developed using technologies other than WCF.
Comparison:
Transport Level Security is very efficient because it often relies on underlying hardware and operating system support for encryption and decryption, which can be a very resource-intensive process.
Transport Level Authentication is enforced before the client actually starts sending messages. This results in early detection of authentication failure with less network overhead.
Message Level Security operates on an end-to-end basis, while Transport Level Security operates on a point-to-point basis.
This means that if there is an intermediate service that relays messages between the client and the service, Message Level Security is more secure than Transport Level Security.
With Transport Level Security, by the time the service receives a message it is already authenticated and decrypted, and the intermediate service has full access to the message.
Because Message Level Security is implemented at the client and service ends, intermediate services cannot easily decrypt the message.
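The two modes compared above, as an added example that is not part of the original post: one self-hosted service exposing a transport-secured NetTcpBinding endpoint and a message-secured WSHttpBinding endpoint whose credentials the service validates itself. The contract, service and validator names, the addresses, the DEMO_PASSWORD variable and the certificate subject name are assumptions.

```csharp
// Added example, not from the original post; all names and addresses are assumptions.
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;
[ServiceContract]
public interface IEcho { [OperationContract] string Echo(string text); }
public class EchoService : IEcho { public string Echo(string text) { return text; } }

// Message level: the credentials travel in the message and the service checks them.
public class DemoValidator : UserNamePasswordValidator
{
    public override void Validate(string userName, string password)
    {
        // Constructed demo rule; a real service would query its user store.
        string expected = Environment.GetEnvironmentVariable("DEMO_PASSWORD");
        if (userName != "demo-user" || string.IsNullOrEmpty(expected) || password != expected)
            throw new SecurityTokenException("Unknown user name or password.");
    }
}

public static class Program
{
    public static void Main()
    {
        // Transport level: Windows authentication and channel encryption over TCP.
        var tcp = new NetTcpBinding(SecurityMode.Transport);
        tcp.Security.Transport.ClientCredentialType = TcpClientCredentialType.Windows;
        tcp.Security.Transport.ProtectionLevel = ProtectionLevel.EncryptAndSign;
        // Message level: WS-Security user name token, message protected end to end.
        var ws = new WSHttpBinding(SecurityMode.Message);
        ws.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        using (var host = new ServiceHost(typeof(EchoService)))
        {
            host.AddServiceEndpoint(typeof(IEcho), tcp, "net.tcp://localhost:8523/echo");
            host.AddServiceEndpoint(typeof(IEcho), ws, "http://localhost:8080/echo");
            // UserName message credentials need a service certificate to protect the exchange.
            host.Credentials.ServiceCertificate.SetCertificate(StoreLocation.LocalMachine,
                StoreName.My, X509FindType.FindBySubjectName, "localhost");
            var auth = host.Credentials.UserNameAuthentication;
            auth.UserNamePasswordValidationMode = UserNamePasswordValidationMode.Custom;
            auth.CustomUserNamePasswordValidator = new DemoValidator();
            host.Open();
            Console.ReadLine(); // keep the host running until Enter is pressed
        }
    }
}
```

The message-secured endpoint uses plain HTTP on purpose: confidentiality comes from the message itself, so a relay between client and service sees only the protected body.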
!! Happy Programming !!