Transport Encryption and Signing

How do I control whether the transport signs and encrypts messages?

This answer ties into the article I wrote a few weeks ago on describing channel security capabilities. If you don't remember about protection levels and security capabilities, then you should read that article first.

The service and operation contract attributes include a field, called ProtectionLevel, for describing the minimal level of protection that should be applied to messages. If you have security in the channel stack and don't specify any settings, then the default is to both sign and encrypt messages. If the channel stack does not support the requested protection level, for instance HTTP supports neither encryption nor signing, then you'll get an exception saying that the binding you've chosen is incompatible with the specified security settings. If the channel stack does support that protection level, then you are guaranteed to receive at least the minimum level of protection on messages. What does that mean?

Message security and transport channels are going to combine to provide at least the minimum level of protection. Let's make the picture simpler by saying that message security is not being used at all. We have a channel stack that just provides transport security. The transport security binding element has an additional configuration knob that lets you specify the target protection level, also labeled ProtectionLevel. Assume that we're being reasonable here and say that the transport protection level is at least the contract protection level. Then, the transport channel will attempt to provide a protection level that is no greater than the target protection level.

Some transports do not have flexibility in the protection level that they provide. SSL security, such as with HTTPS, always provides encryption and signing. There's no way to throttle that security method back and so the transport protection level knob is ignored. Windows security, such as with TCP, does permit throttling the protection level. If the service contract specifies signing only, you're using TCP with Windows security, and you've set the transport protection level to signing only as well, then everything aligns for you to get signing only.

Note that if you want neither signing nor encryption, then the easiest way to do this is to simply replace your transport with one that does not supply security.

Next time: You Can't Fake Correlation

Comments

• Anonymous
  February 06, 2007
  What should I set the action parameter to when creating a FaultException? There is indeed a pair of overloads

• Anonymous
  July 30, 2007
  Brent Sheets 整理了一系列关于 WCF security的资源并做了分类

• Anonymous
  April 10, 2008
  Previously I've described how messages are protected by using the ProtectionLevel attribute to specify