Encrypting one parameter on a WebMethod with WSE

One of the attendees here at TechEd asked me how to encrypt only one of the parameters on a WebMethod with WSE.  I figured others might be curious too so here is some code that does this.

Web Service code:

public string HelloWorld(string UnsecureParam, SecureString SecureParam)
    return "Secured string: "
        + SecureParam.SecureData
        + " UnsecureParam: "
        + UnsecureParam;
public class SecureString
// Set the Oasis Id that our security reference will
// point to
    [XmlAttribute("Id", Namespace="")]
    public string ID;
    public string SecureData;

My client code looks like this:

localhost.Service1Wse proxy = new localhost.Service1Wse();
X509CertificateStore store =
X509CertificateCollection certs =
X509SecurityToken tok = new X509SecurityToken(certs[0]);
// The “#SecureParam“ matches the Id attribute value
// on our secure parameter. This tells WSE to encrypt
// that particular piece
EncryptedData enc = new EncryptedData(tok, "#SecureParam");
localhost.SecureString secStr = new localhost.SecureString();
// Set the attribute to match the Ref in the
// encrypteddata object. Don't include the '#'.
secStr.Id = "SecureParam";
secStr.Value = "This should be encrypted.";
string ret = proxy.HelloWorld("This is not encrypted.",

And as proof that this's the message that I pulled from the WSE trace.  Note that the second param is encrypted!  (Both params are bold below).  Sorry about the formatting but I couldn't handle trying to pretty format it after cleaning up all the code above.

<soap:Envelope xmlns:soap="" xmlns:xsi="" xmlns:xsd="" xmlns:wsa="" xmlns:wsse="" xmlns:wsu="">

<wsse:Security soap:mustUnderstand="1">
<wsu:Timestamp wsu:Id="Timestamp-f90df3d5-10db-447a-961a-a7638fc010c9">
<wsse:BinarySecurityToken ValueType="" EncodingType="" xmlns:wsu="" wsu:Id="SecurityToken-d00793c5-ec61-418a-99ad-e345a0332bff">MIIBxDCCAW6gAwIBAgIQYpjr4FOk3IFNSd3lJj6ItzANBgkqhkiG9w0BAQQFADAWMRQwEgYDVQQDEwtSb290IEFnZW5jeTAeFw0wMzA3MDgxODQ4MTBaFw0zOTEyMzEyMzU5NTlaMB8xHTAbBgNVBAMTFFdTRTJRdWlja1N0YXJ0U2VydmVyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDLkqglArInukRlDwXbcjN3zxfsjeaLd+IvfyD5o35pUjpTkPwPXmApScr8UVQxB5JDRSVlMz1lUQ6CBLFLGIAQOpbPKn2oul3VmKAf9nRQf9PLU+biWozZXkhebIya43D75r5+5NUq1RbQiCC4qIobRqUdg6adujBY333wJy4YgwIDAQABo0swSTBHBgNVHQEEQDA+gBAS5AktBh0dTwCNYSHcFmRjoRgwFjEUMBIGA1UEAxMLUm9vdCBBZ2VuY3mCEAY3bACqAGSKEc+41KpcNfQwDQYJKoZIhvcNAQEEBQADQQAGSGNKz1gZqbXN8JYl0PQM7ngkHfW1mQ88NRYADmoHw5A/rUZDHAPs5HLSn3i5iXlRwT91v3SU6iuaAid+Mwyq</wsse:BinarySecurityToken>
<xenc:EncryptedKey xmlns:xenc="">
<xenc:EncryptionMethod Algorithm="" />
<KeyInfo xmlns="">
<wsse:Reference URI="#SecurityToken-d00793c5-ec61-418a-99ad-e345a0332bff" ValueType="" />
<xenc:DataReference URI="#EncryptedContent-3d793117-f020-4236-a0a0-0ed545d9bf1a" />
<HelloWorld xmlns="">
<UnsecureParam>This is not encrypted.</UnsecureParam>
<SecureParam d4p1:Id="SecureParam" xmlns:d4p1="">
<xenc:EncryptedData Id="EncryptedContent-3d793117-f020-4236-a0a0-0ed545d9bf1a" Type="" xmlns:xenc="">
<xenc:EncryptionMethod Algorithm="" />


