
WCF - Interop - Understanding Protection Level


Protection level is a very important parameter to consider when working on WCF interop scenarios.

It can be set only in code (not in configuration), at either of two levels:

  1. Service contract level
  2. Operation contract level

 

```csharp
// Operation-level setting: overrides the service contract's ProtectionLevel for this operation.
[OperationContract(ProtectionLevel = ProtectionLevel.Sign)]
string GetData(int value);
```

It controls how the incoming SOAP envelope is protected.

 

It can be set to one of

  1. None
  2. Sign (the message is signed on the channel so that tampering can be detected)
  3. EncryptAndSign (the message is encrypted first and then signed) - the default

 

Protocol to monitor: HTTPS (transport security)

Setting the protection level has no effect here, because the message is protected by the SSL/TLS transport channel rather than at the message level.

 

Protocol to monitor: HTTP (message-level security)

Binding: wsHttpBinding

Security mode: Message

Client credential type: Windows

 

None

 

```xml
<s:Envelope xmlns:s="https://www.w3.org/2003/05/soap-envelope" xmlns:a="https://www.w3.org/2005/08/addressing" xmlns:u="https://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <s:Header>
    <a:Action s:mustUnderstand="1" u:Id="_0">https://tempuri.org/IService1/GetData</a:Action>
    <a:MessageID u:Id="_1">urn:uuid:9835df01-eacf-4de3-93da-ee499d2575bf</a:MessageID>
    <ActivityId CorrelationId="125b3fb4-1648-45cf-8600-062791678ad9" xmlns="https://schemas.microsoft.com/2004/09/ServiceModel/Diagnostics">1bdb185e-8fab-4113-9b55-cb5f317263f3</ActivityId>
    <a:ReplyTo u:Id="_2">
      <a:Address>https://www.w3.org/2005/08/addressing/anonymous</a:Address>
    </a:ReplyTo>
    <VsDebuggerCausalityData xmlns="https://schemas.microsoft.com/vstudio/diagnostics/servicemodelsink">uIDPo2OvlvNYy9JFjwf6RzamZbUAAAAAs5kMW26yME+NYRCJyD0Lg3t9nmlMx8FEg7kRSQ6SYWQACQAA</VsDebuggerCausalityData>
    <a:To s:mustUnderstand="1" u:Id="_3">https://saurabh.fareast.corp.microsoft.com/Basic-Win-Authentication/Service1.svc/ws</a:To>
    <o:Security s:mustUnderstand="1" xmlns:o="https://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <u:Timestamp u:Id="uuid-d19e37cc-ed6d-4feb-ad77-ec3380b3fc23-11">
        <u:Created>2012-05-14T15:31:16.821Z</u:Created>
        <u:Expires>2012-05-14T15:36:16.821Z</u:Expires>
      </u:Timestamp>
      <c:SecurityContextToken u:Id="uuid-7c28e778-f95e-4ab4-8179-36bd09804f53-4" xmlns:c="https://schemas.xmlsoap.org/ws/2005/02/sc">
        <c:Identifier>urn:uuid:22d2445c-8631-47f1-a359-7d199c74791a</c:Identifier>
      </c:SecurityContextToken>
      <c:DerivedKeyToken u:Id="uuid-d19e37cc-ed6d-4feb-ad77-ec3380b3fc23-9" xmlns:c="https://schemas.xmlsoap.org/ws/2005/02/sc">
        <o:SecurityTokenReference>
          <o:Reference ValueType="https://schemas.xmlsoap.org/ws/2005/02/sc/sct" URI="#uuid-7c28e778-f95e-4ab4-8179-36bd09804f53-4"></o:Reference>
        </o:SecurityTokenReference>
        <c:Offset>0</c:Offset>
        <c:Length>24</c:Length>
        <c:Nonce>
          <!-- Removed -->
        </c:Nonce>
      </c:DerivedKeyToken>
      <Signature xmlns="https://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
          <CanonicalizationMethod Algorithm="https://www.w3.org/2001/10/xml-exc-c14n#"></CanonicalizationMethod>
          <SignatureMethod Algorithm="https://www.w3.org/2000/09/xmldsig#hmac-sha1"></SignatureMethod>
          <Reference URI="#_0">
            <Transforms>
              <Transform Algorithm="https://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
            </Transforms>
            <DigestMethod Algorithm="https://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
            <DigestValue>icP3uLduuYaZNB+XPxCuOjajXTY=</DigestValue>
          </Reference>
          <Reference URI="#_1">
            <Transforms>
              <Transform Algorithm="https://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
            </Transforms>
            <DigestMethod Algorithm="https://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
            <DigestValue>KMBBbLR8BxTkZSK/GBLKP1Fpvbo=</DigestValue>
          </Reference>
          <Reference URI="#_2">
            <Transforms>
              <Transform Algorithm="https://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
            </Transforms>
            <DigestMethod Algorithm="https://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
            <DigestValue>btTswQQ5Ejlht5cvs8HEPBxzwek=</DigestValue>
          </Reference>
          <Reference URI="#_3">
            <Transforms>
              <Transform Algorithm="https://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
            </Transforms>
            <DigestMethod Algorithm="https://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
            <DigestValue>Idm7k0P/PtSijH2DQny429jUJQ8=</DigestValue>
          </Reference>
          <Reference URI="#uuid-d19e37cc-ed6d-4feb-ad77-ec3380b3fc23-11">
            <Transforms>
              <Transform Algorithm="https://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
            </Transforms>
            <DigestMethod Algorithm="https://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
            <DigestValue>CkUmvMHHiiQGT+rw2v7bZnAzBZk=</DigestValue>
          </Reference>
        </SignedInfo>
        <SignatureValue>U4Mux4cOh3iVU5vIljFxwDZV8WU=</SignatureValue>
        <KeyInfo>
          <o:SecurityTokenReference>
            <o:Reference ValueType="https://schemas.xmlsoap.org/ws/2005/02/sc/dk" URI="#uuid-d19e37cc-ed6d-4feb-ad77-ec3380b3fc23-9"></o:Reference>
          </o:SecurityTokenReference>
        </KeyInfo>
      </Signature>
    </o:Security>
  </s:Header>
  <s:Body>
    <GetData xmlns="https://tempuri.org/">
      <value>123</value>
    </GetData>
  </s:Body>
</s:Envelope>
```

 

We read the request from the bottom up.

The <s:Body> element carries no u:Id, so no Reference in the Security header points at it.

The body of this request is neither signed nor encrypted, which shows that the service is running with ProtectionLevel set to None.

 

 

Sign

 

```xml
<s:Envelope xmlns:s="https://www.w3.org/2003/05/soap-envelope" xmlns:a="https://www.w3.org/2005/08/addressing" xmlns:u="https://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <s:Header>
    <a:Action s:mustUnderstand="1" u:Id="_1">https://tempuri.org/IService1/GetData</a:Action>
    <a:MessageID u:Id="_2">urn:uuid:205c50bf-4c08-4072-b7c5-96692070e07c</a:MessageID>
    <ActivityId CorrelationId="3178d209-e272-4695-9a04-dddfd7bb2321" xmlns="https://schemas.microsoft.com/2004/09/ServiceModel/Diagnostics">8da89058-9f4c-4b82-a3c9-59225740e8fa</ActivityId>
    <a:ReplyTo u:Id="_3">
      <a:Address>https://www.w3.org/2005/08/addressing/anonymous</a:Address>
    </a:ReplyTo>
    <VsDebuggerCausalityData xmlns="https://schemas.microsoft.com/vstudio/diagnostics/servicemodelsink">uIDPo7AtOAZmc2hJkz9L+T1ulSUAAAAAsnQgY8FC2EyK7b1lf2QRu0NoDNFdBTtNv19pMLwwUsoACQAA</VsDebuggerCausalityData>
    <a:To s:mustUnderstand="1" u:Id="_4">https://saurabh.fareast.corp.microsoft.com/Basic-Win-Authentication/Service1.svc/ws</a:To>
    <o:Security s:mustUnderstand="1" xmlns:o="https://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <u:Timestamp u:Id="uuid-01537433-f8d6-4e8c-9ea9-5e71e557aa4b-11">
        <u:Created>2012-05-14T16:05:20.856Z</u:Created>
        <u:Expires>2012-05-14T16:10:20.856Z</u:Expires>
      </u:Timestamp>
      <c:SecurityContextToken u:Id="uuid-02f743a8-cd08-41c6-a778-bf5585fa2d94-4" xmlns:c="https://schemas.xmlsoap.org/ws/2005/02/sc">
        <c:Identifier>urn:uuid:e8a39e0a-ec25-4ace-b5a7-2e5796b89b46</c:Identifier>
      </c:SecurityContextToken>
      <c:DerivedKeyToken u:Id="uuid-01537433-f8d6-4e8c-9ea9-5e71e557aa4b-9" xmlns:c="https://schemas.xmlsoap.org/ws/2005/02/sc">
        <o:SecurityTokenReference>
          <o:Reference ValueType="https://schemas.xmlsoap.org/ws/2005/02/sc/sct" URI="#uuid-02f743a8-cd08-41c6-a778-bf5585fa2d94-4"></o:Reference>
        </o:SecurityTokenReference>
        <c:Offset>0</c:Offset>
        <c:Length>24</c:Length>
        <c:Nonce>
          <!-- Removed -->
        </c:Nonce>
      </c:DerivedKeyToken>
      <Signature xmlns="https://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
          <CanonicalizationMethod Algorithm="https://www.w3.org/2001/10/xml-exc-c14n#"></CanonicalizationMethod>
          <SignatureMethod Algorithm="https://www.w3.org/2000/09/xmldsig#hmac-sha1"></SignatureMethod>
          <Reference URI="#_0">
            <Transforms>
              <Transform Algorithm="https://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
            </Transforms>
            <DigestMethod Algorithm="https://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
            <DigestValue>HbPwZxiVYvX3g2ynC2BUl/5wbEc=</DigestValue>
          </Reference>
          <Reference URI="#_1">
            <Transforms>
              <Transform Algorithm="https://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
            </Transforms>
            <DigestMethod Algorithm="https://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
            <DigestValue>JZ+f8jpEmpZwUjAcmPbIYKZ7CY0=</DigestValue>
          </Reference>
          <Reference URI="#_2">
            <Transforms>
              <Transform Algorithm="https://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
            </Transforms>
            <DigestMethod Algorithm="https://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
            <DigestValue>lnPYs9v5zGLC+kui+8f/TeCiCVw=</DigestValue>
          </Reference>
          <Reference URI="#_3">
            <Transforms>
              <Transform Algorithm="https://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
            </Transforms>
            <DigestMethod Algorithm="https://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
            <DigestValue>o3ibE52LCPwycD7dwAsKtJa+WMw=</DigestValue>
          </Reference>
          <Reference URI="#_4">
            <Transforms>
              <Transform Algorithm="https://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
            </Transforms>
            <DigestMethod Algorithm="https://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
            <DigestValue>76WE+MS6o861k22454lBf6zwBfY=</DigestValue>
          </Reference>
          <Reference URI="#uuid-01537433-f8d6-4e8c-9ea9-5e71e557aa4b-11">
            <Transforms>
              <Transform Algorithm="https://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
            </Transforms>
            <DigestMethod Algorithm="https://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
            <DigestValue>rQoBZCp4Rdgz1GOCUQ6tiqC5MGs=</DigestValue>
          </Reference>
        </SignedInfo>
        <SignatureValue>nzCipxpr91tjuvTVtJk6rgHOsp0=</SignatureValue>
        <KeyInfo>
          <o:SecurityTokenReference>
            <o:Reference ValueType="https://schemas.xmlsoap.org/ws/2005/02/sc/dk" URI="#uuid-01537433-f8d6-4e8c-9ea9-5e71e557aa4b-9"></o:Reference>
          </o:SecurityTokenReference>
        </KeyInfo>
      </Signature>
    </o:Security>
  </s:Header>
  <s:Body u:Id="_0">
    <GetData xmlns="https://tempuri.org/">
      <value>123</value>
    </GetData>
  </s:Body>
</s:Envelope>
```

 

Looking at the <s:Body> tag: it now carries u:Id="_0", which tells us the body is signed, via the matching <Reference URI="#_0"> in the Signature's SignedInfo:

```xml
<Reference URI="#_0">
  <Transforms>
    <Transform Algorithm="https://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
  </Transforms>
  <DigestMethod Algorithm="https://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
  <DigestValue>HbPwZxiVYvX3g2ynC2BUl/5wbEc=</DigestValue>
</Reference>
```

 

This request indicates that the service is set to ProtectionLevel Sign.

 

  

Encrypt and Sign

```xml
<s:Envelope xmlns:s="https://www.w3.org/2003/05/soap-envelope" xmlns:a="https://www.w3.org/2005/08/addressing" xmlns:u="https://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <s:Header>
    <a:Action s:mustUnderstand="1" u:Id="_2">https://tempuri.org/IService1/GetData</a:Action>
    <a:MessageID u:Id="_3">urn:uuid:57cadde0-3216-4645-9220-2d22c20bfce3</a:MessageID>
    <ActivityId CorrelationId="3eb719d7-ef9b-4d37-87c0-8af2dc3ea872" xmlns="https://schemas.microsoft.com/2004/09/ServiceModel/Diagnostics">4680478f-fe9a-47fd-9f37-c7e1e40833d3</ActivityId>
    <a:ReplyTo u:Id="_4">
      <a:Address>https://www.w3.org/2005/08/addressing/anonymous</a:Address>
    </a:ReplyTo>
    <a:To s:mustUnderstand="1" u:Id="_5">https://saurabh.fareast.corp.microsoft.com/Basic-Win-Authentication/Service1.svc/ws</a:To>
    <o:Security s:mustUnderstand="1" xmlns:o="https://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <u:Timestamp u:Id="uuid-eb82ae89-9305-49b5-a987-640415b2e3bb-11">
        <u:Created>2012-05-14T15:59:16.018Z</u:Created>
        <u:Expires>2012-05-14T16:04:16.018Z</u:Expires>
      </u:Timestamp>
      <c:SecurityContextToken u:Id="uuid-8a2ff1ad-4948-4c74-aac9-1810cf703ca1-4" xmlns:c="https://schemas.xmlsoap.org/ws/2005/02/sc">
        <c:Identifier>urn:uuid:1efe22cf-4fb4-417f-ac56-56b3efabd128</c:Identifier>
      </c:SecurityContextToken>
      <c:DerivedKeyToken u:Id="uuid-eb82ae89-9305-49b5-a987-640415b2e3bb-9" xmlns:c="https://schemas.xmlsoap.org/ws/2005/02/sc">
        <o:SecurityTokenReference>
          <o:Reference ValueType="https://schemas.xmlsoap.org/ws/2005/02/sc/sct" URI="#uuid-8a2ff1ad-4948-4c74-aac9-1810cf703ca1-4"></o:Reference>
        </o:SecurityTokenReference>
        <c:Offset>0</c:Offset>
        <c:Length>24</c:Length>
        <c:Nonce>
          <!-- Removed -->
        </c:Nonce>
      </c:DerivedKeyToken>
      <c:DerivedKeyToken u:Id="uuid-eb82ae89-9305-49b5-a987-640415b2e3bb-10" xmlns:c="https://schemas.xmlsoap.org/ws/2005/02/sc">
        <o:SecurityTokenReference>
          <o:Reference ValueType="https://schemas.xmlsoap.org/ws/2005/02/sc/sct" URI="#uuid-8a2ff1ad-4948-4c74-aac9-1810cf703ca1-4"></o:Reference>
        </o:SecurityTokenReference>
        <c:Nonce>
          <!-- Removed -->
        </c:Nonce>
      </c:DerivedKeyToken>
      <e:ReferenceList xmlns:e="https://www.w3.org/2001/04/xmlenc#">
        <e:DataReference URI="#_1"></e:DataReference>
        <e:DataReference URI="#_6"></e:DataReference>
      </e:ReferenceList>
      <e:EncryptedData Id="_6" Type="https://www.w3.org/2001/04/xmlenc#Element" xmlns:e="https://www.w3.org/2001/04/xmlenc#">
        <e:EncryptionMethod Algorithm="https://www.w3.org/2001/04/xmlenc#aes256-cbc"></e:EncryptionMethod>
        <KeyInfo xmlns="https://www.w3.org/2000/09/xmldsig#">
          <o:SecurityTokenReference>
            <o:Reference ValueType="https://schemas.xmlsoap.org/ws/2005/02/sc/dk" URI="#uuid-eb82ae89-9305-49b5-a987-640415b2e3bb-10"></o:Reference>
          </o:SecurityTokenReference>
        </KeyInfo>
        <e:CipherData>
          <e:CipherValue>
            <!-- Removed -->
          </e:CipherValue>
        </e:CipherData>
      </e:EncryptedData>
    </o:Security>
  </s:Header>
  <s:Body u:Id="_0">
    <e:EncryptedData Id="_1" Type="https://www.w3.org/2001/04/xmlenc#Content" xmlns:e="https://www.w3.org/2001/04/xmlenc#">
      <e:EncryptionMethod Algorithm="https://www.w3.org/2001/04/xmlenc#aes256-cbc"></e:EncryptionMethod>
      <KeyInfo xmlns="https://www.w3.org/2000/09/xmldsig#">
        <o:SecurityTokenReference xmlns:o="https://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
          <o:Reference ValueType="https://schemas.xmlsoap.org/ws/2005/02/sc/dk" URI="#uuid-eb82ae89-9305-49b5-a987-640415b2e3bb-10"></o:Reference>
        </o:SecurityTokenReference>
      </KeyInfo>
      <e:CipherData>
        <e:CipherValue>1Sd5I5+oBJo+TlEsYBkahlG7RRN2+XzumVPbjCTWYYi7DXFk8tJh3oEGXD8uv4VOD0OvFuBZTopgikHaFf+MmysoZ1R3NfaGneUZIUfBRUXgG9FiOdanXP+pSS161CRY</e:CipherValue>
      </e:CipherData>
    </e:EncryptedData>
  </s:Body>
</s:Envelope>
```

 

Looking at the <s:Body> tag, the request now carries two Ids:

  1. u:Id="_0" on the Body element itself
  2. Id="_1" on the e:EncryptedData element inside it

The first, u:Id="_0", indicates that the body is signed.

The second, Id="_1", is the reference used for encryption; it is listed in the header's ReferenceList:

```xml
<e:ReferenceList xmlns:e="https://www.w3.org/2001/04/xmlenc#">
  <e:DataReference URI="#_1"></e:DataReference>
  <e:DataReference URI="#_6"></e:DataReference>
</e:ReferenceList>
```

 

The <KeyInfo> element points to a SecurityTokenReference, and that in turn to the derived key token with u:Id uuid-eb82ae89-9305-49b5-a987-640415b2e3bb-10:

 

```xml
<c:DerivedKeyToken u:Id="uuid-eb82ae89-9305-49b5-a987-640415b2e3bb-10" xmlns:c="https://schemas.xmlsoap.org/ws/2005/02/sc">
  <o:SecurityTokenReference>
    <o:Reference ValueType="https://schemas.xmlsoap.org/ws/2005/02/sc/sct" URI="#uuid-8a2ff1ad-4948-4c74-aac9-1810cf703ca1-4"></o:Reference>
  </o:SecurityTokenReference>
  <c:Nonce>
    <!-- Removed -->
  </c:Nonce>
</c:DerivedKeyToken>
```

 

This derived key token in turn references URI="#uuid-8a2ff1ad-4948-4c74-aac9-1810cf703ca1-4", which is nothing but our main security context token:

```xml
<c:SecurityContextToken u:Id="uuid-8a2ff1ad-4948-4c74-aac9-1810cf703ca1-4" xmlns:c="https://schemas.xmlsoap.org/ws/2005/02/sc">
  <c:Identifier>urn:uuid:1efe22cf-4fb4-417f-ac56-56b3efabd128</c:Identifier>
</c:SecurityContextToken>
```

 

Clearly, the last request was produced by a WCF service running with the default protection level (EncryptAndSign).

Understanding the SOAP request can really help when working on WCF interop scenarios.
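The same bottom-up reading can be done by machine. The following is an added example (not code from the original post): it classifies the message-level protection of a captured envelope's Body by following the references the post walks through by hand. The envelopes are constructed and cut down to the elements the check reads, and the namespace URIs are the standard http ones rather than the https rewrites shown in the dumps above.

```python
import xml.etree.ElementTree as ET

# Standard namespace URIs (the post's dumps show them rewritten to https by the host).
NS = {
    "s": "http://www.w3.org/2003/05/soap-envelope",
    "u": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "e": "http://www.w3.org/2001/04/xmlenc#",
}

def body_protection(envelope_xml: str) -> str:
    """Return 'None', 'Sign' or 'EncryptAndSign' for the Body of one SOAP envelope."""
    root = ET.fromstring(envelope_xml)
    header, body = root.find("s:Header", NS), root.find("s:Body", NS)
    # Sign: the Body carries a wsu:Id. When SignedInfo is in the clear, confirm that it
    # really references that Id (a Body Id that nothing signs proves nothing). In
    # EncryptAndSign mode WCF encrypts the Signature element itself (the header's
    # EncryptedData of Type #Element), so there only the Body Id is visible.
    body_id = body.get(f"{{{NS['u']}}}Id")
    signed_uris = {r.get("URI") for r in header.iterfind(".//ds:SignedInfo/ds:Reference", NS)}
    signed = body_id is not None and (not signed_uris or f"#{body_id}" in signed_uris)
    # Encrypt: the Body content is an EncryptedData listed in the header's ReferenceList.
    enc = body.find("e:EncryptedData", NS)
    enc_uris = {r.get("URI") for r in header.iterfind(".//e:ReferenceList/e:DataReference", NS)}
    encrypted = enc is not None and f"#{enc.get('Id')}" in enc_uris
    if encrypted:
        return "EncryptAndSign" if signed else "Encrypt (unsigned: not a WCF ProtectionLevel)"
    return "Sign" if signed else "None"

# Constructed, heavily reduced envelopes: only the elements the check above reads.
S, U, DS, E = NS["s"], NS["u"], NS["ds"], NS["e"]
SAMPLES = {
    # Headers signed (Reference #_0 points at a header element), Body carries no Id.
    "None": f'<s:Envelope xmlns:s="{S}" xmlns:u="{U}"><s:Header><Signature xmlns="{DS}">'
            f'<SignedInfo><Reference URI="#_0"/></SignedInfo></Signature></s:Header>'
            f'<s:Body><GetData><value>123</value></GetData></s:Body></s:Envelope>',
    # Same signature, but now #_0 is the Body.
    "Sign": f'<s:Envelope xmlns:s="{S}" xmlns:u="{U}"><s:Header><Signature xmlns="{DS}">'
            f'<SignedInfo><Reference URI="#_0"/></SignedInfo></Signature></s:Header>'
            f'<s:Body u:Id="_0"><GetData><value>123</value></GetData></s:Body></s:Envelope>',
    # Body content encrypted (#_1) and the Signature encrypted as #_6 in the header.
    "EncryptAndSign": f'<s:Envelope xmlns:s="{S}" xmlns:u="{U}" xmlns:e="{E}"><s:Header>'
            f'<e:ReferenceList><e:DataReference URI="#_1"/><e:DataReference URI="#_6"/></e:ReferenceList>'
            f'<e:EncryptedData Id="_6" Type="{E}Element"/></s:Header>'
            f'<s:Body u:Id="_0"><e:EncryptedData Id="_1" Type="{E}Content"/></s:Body></s:Envelope>',
}

if __name__ == "__main__":
    for expected, xml in SAMPLES.items():
        print(f"{expected:>15}: {body_protection(xml)}")
```

A Body whose u:Id is not referenced by a visible SignedInfo is reported as None, so a trace in which the Body Id and the Reference URI disagree stands out immediately.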

Comments

  • Anonymous
    June 22, 2014
    Hi Saurabh. Great article to understand the difference between None/Sign/Encrypt. Could you please upload the sample for the same. Thanks