WCF Encryption

Although WCF supports many different types of bindings, it supports only three types of encryption (security modes).

WCF Encryption Types

  1. None – Bindings that use the “None” mode have no encryption whatsoever; every message travels in the clear.
  2. Message – Bindings that use the “Message” mode encrypt the SOAP messages themselves as they go back and forth between the client and the service, so the protection travels with the message.
  3. Transport – Bindings that use the “Transport” mode do NOT encrypt the messages; instead the TCP stream that carries them between the client and the service is encrypted, so the messages are protected only while on the wire.

Here are three examples of the messages that go back and forth between a client and a WCF service, showing the None, Message, and Transport encryption modes. The bindings used for these examples are, respectively: 1. basicHttpBinding, 2. wsHttpBinding, and 3. netTcpBinding.

BasicHttpBinding Message

In its default configuration, the BasicHttpBinding does not use encryption. Take a look at the message below, which was sent from the service to the client. You will notice that the service sent a list of customer information and that the list is readable in the log and therefore not secure.

<MessageLogTraceRecord>
  <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
    <s:Header>
      <Action xmlns="http://schemas.microsoft.com/ws/2005/05/addressing/none">http://tempuri.org/ICustomersService/ListCustomersResponse</Action>
    </s:Header>
    <s:Body>
      <ListCustomersResponse xmlns="http://tempuri.org/">
        <ListCustomersResult xmlns:d4p1="http://schemas.datacontract.org/2004/07/CustomersServiceLibrary" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
          <d4p1:Customer>
            <d4p1:CompanyName>Alfreds Futterkiste</d4p1:CompanyName>
            <d4p1:CustomerId>ALFKI</d4p1:CustomerId>
          </d4p1:Customer>
          <d4p1:Customer>
            <d4p1:CompanyName>Ana Trujillo Emparedados y helados</d4p1:CompanyName>
            <d4p1:CustomerId>ANATR</d4p1:CustomerId>
          </d4p1:Customer>
          <d4p1:Customer>
            <d4p1:CompanyName>Wolski Zajazd</d4p1:CompanyName>
            <d4p1:CustomerId>WOLZA</d4p1:CustomerId>
          </d4p1:Customer>
        </ListCustomersResult>
      </ListCustomersResponse>
    </s:Body>
  </s:Envelope>
</MessageLogTraceRecord>

WsHttpBinding Message

In its default configuration, the WsHttpBinding does use (Message) encryption. Take a look at the two messages below, both sent from the service to the client. The first set of XML is the data that the service created prior to sending it to the client. The second set of XML is the encrypted message that the service actually sent over the wire to the client.

The message before encryption…

<MessageLogTraceRecord>
  <s:Envelope xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:s="http://www.w3.org/2003/05/soap-envelope">
    <s:Header>
      <a:Action s:mustUnderstand="1">http://tempuri.org/ICustomersService/ListCustomersResponse</a:Action>
    </s:Header>
    <s:Body>
      <ListCustomersResponse xmlns="http://tempuri.org/">
        <ListCustomersResult xmlns:d4p1="http://schemas.datacontract.org/2004/07/CustomersServiceLibrary" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
          <d4p1:Customer>
            <d4p1:CompanyName>Alfreds Futterkiste</d4p1:CompanyName>
            <d4p1:CustomerId>ALFKI</d4p1:CustomerId>
          </d4p1:Customer>
          <d4p1:Customer>
            <d4p1:CompanyName>Ana Trujillo Emparedados y helados</d4p1:CompanyName>
            <d4p1:CustomerId>ANATR</d4p1:CustomerId>
          </d4p1:Customer>
          <d4p1:Customer>
            <d4p1:CompanyName>Antonio Moreno Taquería</d4p1:CompanyName>
            <d4p1:CustomerId>ANTON</d4p1:CustomerId>
          </d4p1:Customer>
          <d4p1:Customer>
            <d4p1:CompanyName>Around the Horn</d4p1:CompanyName>
            <d4p1:CustomerId>AROUT</d4p1:CustomerId>
          </d4p1:Customer>
          <d4p1:Customer>
            <d4p1:CompanyName>Berglunds snabbköp</d4p1:CompanyName>
            <d4p1:CustomerId>BERGS</d4p1:CustomerId>
          </d4p1:Customer>
        </ListCustomersResult>
      </ListCustomersResponse>
    </s:Body>
  </s:Envelope>
</MessageLogTraceRecord>

The message after encryption…
Note: the cipher values were truncated for brevity.

<MessageLogTraceRecord>
  <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <s:Header>
      <a:Action s:mustUnderstand="1" u:Id="_2">http://tempuri.org/ICustomersService/ListCustomersResponse</a:Action>
      <a:RelatesTo u:Id="_3">urn:uuid:40e0f79c-4f0a-4b9d-8ecb-c92d589c867e</a:RelatesTo>
      <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
        <u:Timestamp u:Id="uuid-ec955797-de1d-4fad-87e5-0ab3e8987068-11">
          <u:Created>2010-09-14T16:18:09.733Z</u:Created>
          <u:Expires>2010-09-14T16:23:09.733Z</u:Expires>
        </u:Timestamp>
        <c:DerivedKeyToken u:Id="uuid-ec955797-de1d-4fad-87e5-0ab3e8987068-7" xmlns:c="http://schemas.xmlsoap.org/ws/2005/02/sc">
          <o:SecurityTokenReference>
            <o:Reference URI="urn:uuid:3085906f-ea5b-407d-8b71-fe606433748d" ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/sct"></o:Reference>
          </o:SecurityTokenReference>
          <c:Offset>0</c:Offset>
          <c:Length>24</c:Length>
          <c:Nonce>
            <!-- Removed -->
          </c:Nonce>
        </c:DerivedKeyToken>
        <c:DerivedKeyToken u:Id="uuid-ec955797-de1d-4fad-87e5-0ab3e8987068-8" xmlns:c="http://schemas.xmlsoap.org/ws/2005/02/sc">
          <o:SecurityTokenReference>
            <o:Reference URI="urn:uuid:3085906f-ea5b-407d-8b71-fe606433748d" ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/sct"></o:Reference>
          </o:SecurityTokenReference>
          <c:Nonce>
            <!-- Removed -->
          </c:Nonce>
        </c:DerivedKeyToken>
        <e:ReferenceList xmlns:e="http://www.w3.org/2001/04/xmlenc#">
          <e:DataReference URI="#_1"></e:DataReference>
          <e:DataReference URI="#_4"></e:DataReference>
        </e:ReferenceList>
        <e:EncryptedData Id="_4" Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns:e="http://www.w3.org/2001/04/xmlenc#">
          <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"></e:EncryptionMethod>
          <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
            <o:SecurityTokenReference>
              <o:Reference ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/dk" URI="#uuid-ec955797-de1d-4fad-87e5-0ab3e8987068-8"></o:Reference>
            </o:SecurityTokenReference>
          </KeyInfo>
          <e:CipherData>
            V79JZafU+fAhkafqBOkZ0rdMwtqEqh
          </e:CipherData>
        </e:EncryptedData>
      </o:Security>
    </s:Header>
    <s:Body u:Id="_0">
      <e:EncryptedData xmlns:e="http://www.w3.org/2001/04/xmlenc#">
        <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"></e:EncryptionMethod>
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
          <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
            <o:Reference ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/dk" URI="#uuid-ec955797-de1d-4fad-87e5-0ab3e8987068-8"></o:Reference>
          </o:SecurityTokenReference>
        </KeyInfo>
        <e:CipherData>
          Mg5F29dMPn5VEHva/H85KAB2K97pLXaqyOXdvFey2NcLTeQgNdMAS+JyOy4O52Oi3ECVVof3iM9q434E4gs=
        </e:CipherData>
      </e:EncryptedData>
    </s:Body>
  </s:Envelope>
</MessageLogTraceRecord>

NetTcpBinding Message

The NetTcpBinding uses encryption, but not on the message itself. The encryption is applied to the TCP stream as it is sent over the wire – known as Transport Security.

Since the messages themselves aren’t encrypted, a NetTcpBinding message will look the same (in the .svclog file) as the BasicHttpBinding message – so there is no need to show you what a NetTcpBinding message looks like. To view the encrypted packets, we would need to use a tool such as Wireshark – which I don’t have the time to do right now :)
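The three cases above share one practical consequence: the message log tells you only whether Message security was applied, never whether Transport security was. The checker below is an added example, not code from the original post; it parses constructed, abbreviated .svclog-style trace records modelled on the BasicHttpBinding and WsHttpBinding messages shown above, reports whether the SOAP body is readable or is an xmlenc EncryptedData element (and which algorithm it names), and treats a readable body as "needs review" rather than "leaked", because a transport-secured NetTcpBinding message is logged exactly like the plaintext one. The record contents, element names such as `MessageLogTraceRecord`, and the `classify`/`audit` function names are this example's own assumptions.

```python
# Added example (not from the original post): classify WCF message-log
# (.svclog) trace records by whether the SOAP body was encrypted at the
# message level. All sample records below are constructed and abbreviated.
import xml.etree.ElementTree as ET

SOAP11 = "http://schemas.xmlsoap.org/soap/envelope/"
SOAP12 = "http://www.w3.org/2003/05/soap-envelope"
XMLENC = "http://www.w3.org/2001/04/xmlenc#"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")

# Constructed: what a BasicHttpBinding (or a transport-only NetTcpBinding)
# response looks like in the log: the body is readable XML.
PLAINTEXT_RECORD = """<MessageLogTraceRecord>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
  <s:Body>
    <ListCustomersResponse xmlns="http://tempuri.org/">
      <ListCustomersResult xmlns:d="http://schemas.datacontract.org/2004/07/CustomersServiceLibrary">
        <d:Customer><d:CompanyName>Alfreds Futterkiste</d:CompanyName><d:CustomerId>ALFKI</d:CustomerId></d:Customer>
      </ListCustomersResult>
    </ListCustomersResponse>
  </s:Body>
</s:Envelope>
</MessageLogTraceRecord>"""

# Constructed: a WsHttpBinding Message-security response; the body holds
# only an xmlenc EncryptedData element and the cipher text is shortened.
ENCRYPTED_RECORD = """<MessageLogTraceRecord>
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
            xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
  <s:Header><o:Security s:mustUnderstand="1"/></s:Header>
  <s:Body>
    <e:EncryptedData Id="_1" xmlns:e="http://www.w3.org/2001/04/xmlenc#">
      <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
      <e:CipherData><e:CipherValue>Mg5F29dMPn5VEHva</e:CipherValue></e:CipherData>
    </e:EncryptedData>
  </s:Body>
</s:Envelope>
</MessageLogTraceRecord>"""

ENCRYPTED_DATA_TAG = f"{{{XMLENC}}}EncryptedData"


def _local(tag):
    """Strip the {namespace} part of an ElementTree tag name."""
    return tag.split("}", 1)[1] if "}" in tag else tag


def classify(record_xml):
    """Describe the message-level protection of one trace record."""
    root = ET.fromstring(record_xml)
    body = None
    for ns in (SOAP11, SOAP12):  # the log may hold SOAP 1.1 or SOAP 1.2
        body = root.find(f".//{{{ns}}}Body")
        if body is not None:
            break
    if body is None:
        raise ValueError("no SOAP Body found in record")

    children = list(body)
    encrypted = [c for c in children if c.tag == ENCRYPTED_DATA_TAG]
    algorithm = None
    if encrypted:
        method = encrypted[0].find(f"{{{XMLENC}}}EncryptionMethod")
        algorithm = method.get("Algorithm") if method is not None else None
    return {
        # True only when every body child is EncryptedData (no mixed bodies)
        "message_encrypted": bool(encrypted) and len(encrypted) == len(children),
        "algorithm": algorithm,
        "ws_security_header": root.find(f".//{{{WSSE}}}Security") is not None,
        # Element names that are readable in the log
        "plaintext_elements": [_local(c.tag) for c in children
                               if c.tag != ENCRYPTED_DATA_TAG],
    }


def audit(records):
    """Return (index, readable element names) for records without
    message-level encryption.

    A hit means "no Message security", not "sent in the clear": a
    transport-secured NetTcpBinding message is logged exactly like the
    plaintext one, so confirm the binding's security mode (or inspect the
    wire traffic) before treating a hit as an exposure.
    """
    findings = []
    for index, record in enumerate(records):
        info = classify(record)
        if not info["message_encrypted"]:
            findings.append((index, info["plaintext_elements"]))
    return findings


if __name__ == "__main__":
    for name, rec in (("basicHttp", PLAINTEXT_RECORD), ("wsHttp", ENCRYPTED_RECORD)):
        print(name, classify(rec))
    print("needs review:", audit([PLAINTEXT_RECORD, ENCRYPTED_RECORD]))
```

Run over a real log, each `MessageLogTraceRecord` element would be fed to `classify` one at a time; the `ws_security_header` flag is useful on its own, since a record with a WS-Security header but a readable body indicates signing without encryption rather than the Message mode shown above.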
