

WCF: Dual Layer Encryption (Message + Transport)


What do I want to do?

I want to encrypt the message body at the message level, using server cert and client cert negotiation.

In addition, I want to send the whole exchange over an SSL-encrypted transport channel, using an SSL cert on IIS.

 

Step 1: Secure the body/data with message-level security

SERVER

Security:

Message Level

 

Behavior:

Adding Server cert for encryption

  

CLIENT

Request:

Signed and encrypted

  

 

What happens if I switch to transport-layer security with the credential at the message layer?

Step 2: Trying to add transport security

SERVER

Security:

Transport layer encryption and credential at Message layer

 

Behavior:

The server cert is no longer required, because the task of encryption has moved to the transport layer.

 

CLIENT

Request:

Neither signed nor encrypted.

Probably because everything is outsourced to transport-level security.

Thus WCF takes no pains to sign and encrypt the body at the message level.

What should we do? I want to make sure my request is still encrypted and signed, along with SSL encryption.

Step 3: Exploring the custom binding without transport security

SERVER

Security:

 

Behavior:

 

CLIENT

End Point:

 

The identity tag is the encoded value of the server cert used for encryption.

 

 

Request created:

 

 

 

Step 4: Custom Binding + Transport Security

Now we want to have the SSL channel.

My custom binding becomes:

Security:

 

Case 1:

If the SSL cert and the server cert are the same:

Then the identity received on the client side will be based on the server cert used.

And it will work, because during SSL negotiation the client endpoint presents the same identity.

 

 

Case 2:

If the SSL cert and the server cert are different:

Now the identity received on the client side inside the WSDL will be related to the server cert, which will not match the SSL cert identity.

And we get an SSL negotiation exception.


How do we overcome this problem?

Step 5: Exploring the <identity> and DNS values

On Client side:

Specify a default server cert on the client side.

This is the same cert that is used on the server side inside the service behavior.

Behavior:

 

 

 Client End Point:

 

 

This approach works if both the server cert and the SSL cert are issued with the same DNS or subject name.

 

https://msdn.microsoft.com/en-us/library/ms733130.aspx

 

 

 

 

 

If I use a server cert (subject name: saurabh21.fareast.corp.microsoft.com) and an SSL cert (subject name: saurabh.fareast.corp.microsoft.com) with different subject names,


then I get the error below:

 

 

 

  

 

So what we understand from this error is that the <identity> on the client side should always be the one related to the server cert used inside the service behavior, not the one related to the SSL cert.

Can I resolve this error?



Yes, we can resolve this error.

 

Client End Point:

 

 Behavior:

 

 

 

But it still asks me to specify the default server cert in the endpoint behavior.

Can I avoid that?



Yes, we need to negotiate the server cert.

Step 6: Final configuration

On Server Side:

 Security:

 

 

 

Behavior:

 

 

 

 On Client Side:

 End Point:

 

 

 Behavior:

 

 

 

 

MutualSslNegotiated makes sure that I don't have to specify the server cert in the client endpoint behavior.

It is now negotiated.

  

 

New request from the client side (signed and encrypted)

 

 

 

In this way we can achieve dual-layer encryption in a WCF service by using a custom binding.
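A sketch of the Step 6 configuration as the text describes it, added here as an illustration and not the author's original config, which is not reproduced on this page. It assumes `httpsTransport` for the SSL channel; the binding and behavior names, the `PLACEHOLDER` values and the certificate store lookups are hypothetical, and the server and client sections, which normally live in separate config files, are shown together.

```xml
<system.serviceModel>
  <bindings>
    <customBinding>
      <!-- Added example: the same binding is used on the server and the client -->
      <binding name="DualLayer">
        <!-- Message layer: body signed and encrypted, service cert negotiated -->
        <security authenticationMode="MutualSslNegotiated" />
        <textMessageEncoding />
        <!-- Transport layer (assumed element): HTTPS using the SSL cert bound in IIS -->
        <httpsTransport />
      </binding>
    </customBinding>
  </bindings>
  <behaviors>
    <!-- Server: cert used for message-level security (store lookup is an assumption) -->
    <serviceBehaviors>
      <behavior name="ServiceCert">
        <serviceCredentials>
          <serviceCertificate findValue="saurabh21.fareast.corp.microsoft.com"
                              storeLocation="LocalMachine" storeName="My"
                              x509FindType="FindBySubjectName" />
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
    <!-- Client: only its own cert; no default server cert is configured -->
    <endpointBehaviors>
      <behavior name="ClientCert">
        <clientCredentials>
          <clientCertificate findValue="PLACEHOLDER-client-subject"
                             storeLocation="CurrentUser" storeName="My"
                             x509FindType="FindBySubjectName" />
        </clientCredentials>
      </behavior>
    </endpointBehaviors>
  </behaviors>
  <client>
    <!-- Address host matches the SSL cert; <identity> names the server cert -->
    <endpoint address="https://saurabh.fareast.corp.microsoft.com/PLACEHOLDER/Service.svc"
              binding="customBinding" bindingConfiguration="DualLayer"
              behaviorConfiguration="ClientCert" contract="PLACEHOLDER.IService">
      <identity>
        <dns value="saurabh21.fareast.corp.microsoft.com" />
      </identity>
    </endpoint>
  </client>
</system.serviceModel>
```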

Comments

  • Anonymous
    April 23, 2014
    Hi, It will be helpful if you have complete example i.e. end-to-end client server, for authenticationMode="MutualSslNegotiated" or authenticationMode="MutualCertificate". Or at least some more detailed information about it. Thanks, Shekhar

  • Anonymous
    May 06, 2014
    Hi, in WCF is the below scenario possible ... I want to use single certificate to validate client, server and also want to sign-n-encrypt the message. Please forward any good example you have. Thanks, Shekhar