Does WCF message security actually encrypt message contents?

3

5

I have read the documentation provided at MSDN, and some other posts on this site. However, it's still a bit unclear whether WCF (specifically, NetTcpBinding) will actually encrypt message contents when using message security w/ certificates. Does anyone know for sure?

For instance you can specify both transport and message credentials in your config:

       <security mode="TransportWithMessageCredential">
          <transport clientCredentialType="Certificate"/>
          <message clientCredentialType="Certificate"
                   negotiateServiceCredential="true" />
       </security>

As far as I can tell the MSDN documentation implies that message security simply relies on either username/password or certificate-based authentication (negotiation), but doesn't specifically state that the messages themselves are actually encrypted at the message level.

For instance if I use ONLY message security, with certificate-based negotiation, I don't think message contents are actually encrypted (i.e. a packet sniffer could intercept the raw message contents -- even if the service enforces authentication)?

If true message-level encryption is possible (using NetTcpBinding) how is it done in code? I believe this is related to the AlgorithmSuite, though I'm not sure:

    binding.Security.Mode = SecurityMode.Message;
    binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;
    binding.Security.Message.AlgorithmSuite = new System.ServiceModel.Security.TripleDesSecurityAlgorithmSuite();

Grater answered 10/7, 2012 at 22:4 Comment(0)
5

Not sure if this fully answers your question, but according to this article TCP encrypts by default.

NetTcpBinding is secure by default. Specifically, callers must provide Windows credentials for authentication and all message packets are signed and encrypted over TCP protocol.

In other words, if you customise the configuration but use a security mode other than 'None',

By default, all secure WCF bindings will encrypt and sign messages. You cannot disable this for transport security, however, for message security you may wish to disable this for debugging purposes, or when an alternate method of protection is used such as IPSec.

Phosgenite answered 10/7, 2012 at 22:50 Comment(1)
I decided to just sniff the packets myself using Wireshark, and I can confirm that this is true. Apparently Windows takes care of the encryption itself for domain / trusted domain communication. Thanks! – Grater
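
The answer above quotes that message security encrypts and signs by default but can be turned down. In WCF on the .NET Framework that setting is the `ProtectionLevel` property on the contract attributes; the console program below is an added example, not code from the question or answers, in which the contract demands `EncryptAndSign` so that a host given an unsecured binding fails at `Open()`. The names `IEcho` and `EchoService` and the ports 9000/9001 are assumptions made for the example.

```csharp
using System;
using System.Net.Security;
using System.ServiceModel;

// Contract-level requirement: every message of this contract must be
// encrypted and signed, whatever binding the endpoint is given.
[ServiceContract(ProtectionLevel = ProtectionLevel.EncryptAndSign)]
public interface IEcho   // hypothetical contract for this example
{
    [OperationContract]
    string Echo(string text);
}

public class EchoService : IEcho
{
    public string Echo(string text) { return text; }
}

public static class Program
{
    // Returns true if a host for IEcho opens with the given binding.
    static bool TryOpen(NetTcpBinding binding, string address)
    {
        var host = new ServiceHost(typeof(EchoService));
        try
        {
            host.AddServiceEndpoint(typeof(IEcho), binding, address);
            host.Open();    // binding capabilities are validated here
            host.Close();
            return true;
        }
        catch (InvalidOperationException ex)
        {
            Console.WriteLine("Refused: " + ex.Message);
            host.Abort();   // Abort is safe in any state; Close would throw on a faulted host
            return false;
        }
    }

    public static void Main()
    {
        var secured = new NetTcpBinding(SecurityMode.Message);
        secured.Security.Message.ClientCredentialType = MessageCredentialType.Windows;
        var unsecured = new NetTcpBinding(SecurityMode.None);

        // Assumed free local ports; change them if they are in use.
        Console.WriteLine("Message security: " + TryOpen(secured, "net.tcp://localhost:9000/echo"));
        Console.WriteLine("No security:      " + TryOpen(unsecured, "net.tcp://localhost:9001/echo"));
    }
}
```

Setting the requirement on the contract means a later configuration change to `mode="None"` is rejected when the host starts instead of silently sending plaintext.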
4

WCF can encrypt message contents with a netTcpBinding. The easiest way to see this is to add diagnostics to your .config file and output an svclog file. You can actually see the encrypted message with the svctraceviewer.exe tool.

Here's some more info (which you may have already read): WCF NetTcpBinding Security - how does it work?

Stockade answered 10/7, 2012 at 22:47 Comment(0)
0

Maybe a late answer. But here is something I stumbled upon on MSDN.

Message security makes the message secure regardless of what transport you use to transmit the message, and the security context is directly embedded inside the message.

MSDN Article

Dede answered 22/7, 2015 at 19:41 Comment(0)