4 may 2013

WCF Transport-Level Security


In WCF, the secure transports available for use are HTTP, Transmission Control Protocol (TCP), Internet Protocol (IP), and Microsoft Message Queuing (MSMQ). For a transport to be secure, all the communications that take place across the channel must be encrypted.

The goals of transport-level security are to provide integrity, privacy, and authentication. Integrity is provided by ensuring that the encryption key is shared between only the two parties involved in the communications. Privacy is guaranteed through the encryption process: the contents are not readable by anyone other than the parties involved. Mutual authentication of sender and receiver is provided because the credentials of the sender are encrypted as part of the message.
 
For transport security to be effective, the sender and receiver must negotiate the details at the outset. Fortunately, from a development perspective, this step is handled automatically by the secure protocol. In fact, much about the transport security layer is automatically handled. This means that, in terms of simplicity, transport-layer security is the easiest to implement, and because it covers the entirety of the communications, nothing in the message is left exposed. Finally, the protocols used are well understood and accepted by the community. They are not individually developed but rather are standards based on years of effort and scrutiny, so you can be confident of their ability to secure the communications.
 
A number of benefits accrue from using transport security. The following list enumerates some of the common threats that can be mitigated by security at the transport layer.

- Sniffing network traffic to obtain sensitive information
- Phishing attacks in which rogue services impersonate a service to intercept messages
- Message alteration while in transit
- Replay attacks in which the same message is sent multiple times to the same service

In general, the transport-layer security found in WCF, regardless of the type of binding, provides the following guarantees.
 
- Authentication of the sender
- Authentication of the service
- Message integrity
- Message confidentiality
- Replay detection
 
As has already been mentioned, transport-layer security is directly related to the bindings. The types of transport security that are available depend on the binding used.
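As an added illustration (not code from the book or this post), the following C# shows how the transport security mode is set on the binding itself, and how the client credential options differ between an HTTP binding and a TCP binding. The class and method names are assumed for the example.

```csharp
using System;
using System.Net.Security;
using System.ServiceModel;
using System.ServiceModel.Channels;

// Added example: transport security is configured per binding in WCF.
public static class TransportSecurityBindings
{
    // HTTP transport: protection comes from HTTPS (SSL/TLS) on the listener,
    // so the endpoint address must be https:// and the certificate is bound
    // to the port on the host, not in this code.
    public static WSHttpBinding SecureHttpBinding()
    {
        var binding = new WSHttpBinding();
        binding.Security.Mode = SecurityMode.Transport;
        // Client is authenticated at the transport layer (here: Windows credentials).
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;
        return binding;
    }

    // TCP transport: netTcpBinding encrypts and signs the channel itself and
    // authenticates both ends, so the whole exchange is covered.
    public static NetTcpBinding SecureTcpBinding()
    {
        var binding = new NetTcpBinding();
        binding.Security.Mode = SecurityMode.Transport;
        binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.Windows;
        binding.Security.Transport.ProtectionLevel = ProtectionLevel.EncryptAndSign;
        return binding;
    }

    // Weak setting shown only for contrast: Mode = None switches transport
    // protection off, so nothing on the channel is encrypted or signed.
    public static NetTcpBinding UnprotectedTcpBinding()
    {
        var binding = new NetTcpBinding();
        binding.Security.Mode = SecurityMode.None;
        return binding;
    }

    // Check used when reviewing a service configuration: does this binding
    // protect the transport channel as the post describes?
    public static bool ProtectsChannel(Binding binding)
    {
        SecurityMode mode;
        if (binding is WSHttpBinding http) mode = http.Security.Mode;
        else if (binding is NetTcpBinding tcp) mode = tcp.Security.Mode;
        else return false; // assumption: other bindings are reviewed separately
        return mode == SecurityMode.Transport
            || mode == SecurityMode.TransportWithMessageCredential;
    }
}
```

When a service is hosted with `SecureTcpBinding()`, both endpoints must present Windows credentials before any application message flows, which is the mutual authentication the text refers to.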

Notes taken from the book: MCTS Self-Paced Training KIT (Exam 70-503)
