Basics of Transport Security

I've gotten several questions about how transport security works. I'm putting together a list of transport security topics to cover over the next few months. Before getting to that list though, I thought I'd talk a little bit about what transport security does.

Transport security protects the transfer of a message. Security is provided on a point-to-point basis. The lifetime of the security session ends when the message arrives at an endpoint. If a message goes through multiple hops to reach its destination, the message needs to be resecured for each hop. This is different from message security, which can be used to provide end-to-end security regardless of the number of hops you're going through. No matter which method you use, though, security provides any of the following three things.

Confidentiality. Confidentiality means that the contents of the message are kept secret from unintended listeners. An unintended listener is typically going to be someone who is trying to eavesdrop on your messages, although it's possible for the unintended listener to come from logging or other normal network monitoring. Confidentiality protects you from spying.

Integrity. Message integrity means that you have confidence that the message you received is the same as the one that the sender sent. It's possible to have confidentiality without integrity. Someone can hand you an encrypted message, and you can start changing bits in the message without knowing what those bits mean. Similarly, it's possible to have integrity without confidentiality. You can transmit a message whose contents are clear, but provide a tamper-resistant envelope for the message. Any attempt to change the message will result in evidence of tampering.

Authentication. Authentication means that you have confidence that you know the identity of the other party in the communication. Confidentiality and integrity are not very useful unless the message is authentic. You can have a message that was kept secret and was not tampered with, but the author of the message is not who you thought it was. Authentication can be for the client, server, or mutually for both parties of the conversation.
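The two cases from the Integrity paragraph above, shown as an added example that is not part of the original post: a message that is encrypted but not integrity-protected is altered in transit and still decrypts cleanly, while a cleartext message in an HMAC "envelope" reveals the same change. The function names, the sample message and the SHAKE-256 keystream are assumptions made for illustration; the keystream is a toy construction, not a cipher to deploy.

```python
import hashlib
import hmac
import secrets

def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Confidentiality only. Toy stream cipher built for this example:
    XOR with a SHAKE-256 keystream; the same call encrypts and decrypts."""
    pad = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, pad))

def seal(mac_key: bytes, message: bytes) -> bytes:
    """Integrity only: the cleartext message followed by an HMAC-SHA256 tag."""
    return message + hmac.new(mac_key, message, hashlib.sha256).digest()

def open_sealed(mac_key: bytes, envelope: bytes) -> bytes:
    """Return the message, or raise ValueError if the envelope was altered."""
    message, tag = envelope[:-32], envelope[-32:]
    expected = hmac.new(mac_key, message, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("evidence of tampering: MAC mismatch")
    return message

def flip(data: bytes, offset: int, mask: int) -> bytes:
    """Change bits in transit; needs no key and no knowledge of the content."""
    out = bytearray(data)
    out[offset] ^= mask
    return bytes(out)

def demo() -> dict:
    enc_key, mac_key = secrets.token_bytes(32), secrets.token_bytes(32)
    nonce = secrets.token_bytes(12)
    message = b"PAY 100 TO BOB"  # constructed sample message
    # Case 1: encrypted but not integrity-protected. The receiver decrypts
    # the modified ciphertext without any error and gets a different message.
    ciphertext = xor_stream(enc_key, nonce, message)
    received = xor_stream(enc_key, nonce, flip(ciphertext, 4, 0x08))
    # Case 2: readable by anyone but sealed. The same change is detected.
    try:
        open_sealed(mac_key, flip(seal(mac_key, message), 4, 0x08))
        detected = False
    except ValueError:
        detected = True
    return {"received": received, "tamper_detected": detected,
            "untouched": open_sealed(mac_key, seal(mac_key, message))}

if __name__ == "__main__":
    print(demo())
```

Real transport security combines both properties, typically with an authenticated encryption mode, so that a modified ciphertext is rejected before any plaintext is released.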

Here's the list of topics I'm thinking about so far:

  • Basics of Encryption and Hashing
  • Security Key Management
  • Basics of Security Certificates
  • How Stream Ciphers Work
  • How Block Ciphers Work
  • How RSA Works
  • How Diffie-Hellman Key Exchange Works

Next time: Configuring WCF for NATs and Firewalls

Comments

  • Anonymous
    April 28, 2006
    The request channel is what's actually going to send messages from the client and receive a response...
  • Anonymous
    April 28, 2006
    Don't go into the basic PKI stuff. We can find this info anywhere.
    What is much more interesting is usage scenarios for different transport security in WCF and pros and cons for each. For ex., IIS cert mapping as compared to message signing and encryption, transport security in dual channel, etc.
  • Anonymous
    April 28, 2006
    Thanks for the feedback.  I'll try to mix the topics up a bit so that more WCF applied info gets presented before going through all of the background info.
  • Anonymous
    May 18, 2006
    In the Basics of Transport Security article I wrote a few weeks ago, I introduced three different kinds...
  • Anonymous
    June 29, 2006
    Securing WCF (Windows Communication Foundation) transport
     
    WCF provides mechanism of securing...
  • Anonymous
    July 21, 2006
    Nicholas Allen has some excellent posts about WCF where he gets into a lot of the nitty-gritty and explains...
  • Anonymous
    October 17, 2006
    In the Basics of Transport Security article I wrote a few weeks ago, I introduced three different kinds