WCF Encrypts Signatures by default in Message Security
When you build an application with security enabled, you will see that all your signatures are encrypted by default. This was not the default in WCF Beta 1 and, as you would expect, the change did result in a significant performance penalty. The message protection order in Beta 1 was Sign before Encrypt. There is an attack vector here when you sign low-entropy data: because the data has low entropy, the hash in the signature can be used to guess the actual data, which may be encrypted. In that case encryption has not really gained you anything. This is why we decided to encrypt the signature by default.
We do not always encrypt the signature. We do this only when the message contains a part that is both signed and encrypted. You can turn off signature encryption by setting the MessageProtection property of the security binding element, but be aware of the attack and disable it with caution.
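The leak described above can be shown with a small model of what a passive observer sees on the wire; this is an added example, not code from WCF or from the original post. The `<Pin>` element, the 4-digit value space and the keystream cipher standing in for the binding's real encryption are all constructed assumptions.

```python
import base64, hashlib, hmac, os

# Constructed signed-and-encrypted body part; only the value inside is secret.
TEMPLATE = '<Pin xmlns="urn:example:constructed">{}</Pin>'

def digest_value(part):
    """Digest as an XML Signature reference carries it: base64(SHA-1(part))."""
    return base64.b64encode(hashlib.sha1(part.encode()).digest())

def stand_in_encrypt(key, data):
    """Stand-in for the binding's encryption (HMAC-SHA256 keystream XOR).
    Illustration only, not the WS-Security algorithm and not for real use."""
    nonce = os.urandom(16)
    stream = b"".join(
        hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        for i in range(len(data) // 32 + 1))
    return nonce + bytes(a ^ b for a, b in zip(data, stream))

def wire_view(value, key, encrypt_signature):
    """What a passive observer of one message sees."""
    part = TEMPLATE.format(value)
    dv = digest_value(part)
    return {
        "body": stand_in_encrypt(key, part.encode()),   # always encrypted
        "digest": stand_in_encrypt(key, dv) if encrypt_signature else dv,
    }

def value_revealed_by_digest(view, candidates):
    """Return the candidate whose digest equals the visible one, else None."""
    for c in candidates:
        if view["digest"] == digest_value(TEMPLATE.format(c)):
            return c
    return None

if __name__ == "__main__":
    key = os.urandom(32)
    pins = [f"{n:04d}" for n in range(10000)]   # low-entropy value space
    for enc in (False, True):
        found = value_revealed_by_digest(wire_view("4821", key, enc), pins)
        print("signature encrypted:", enc, "-> value revealed:", found)
```

With the signature left in the clear, the digest identifies the value even though the body is encrypted; with the signature encrypted, no candidate matches.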