Application-Encrypted Messages
Applies To: Windows 10, Windows 7, Windows 8, Windows 8.1, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server Technical Preview, Windows Vista
To encrypt a message body, the sending application must have an RC2 or RC4 symmetric key to encrypt the message body, as well as the public key of the receiving computer to encrypt the symmetric key. On the receiving side, the destination queue manager can decrypt the message only if the receiving computer is operating in domain mode.
Note
MSMQ 1.0 and 2.0 differences: MSMQ 1.0 does not provide the COM components needed to encrypt messages manually. When using the COM components provided by MSMQ 1.0, you must always allow Message Queuing to encrypt the message body for you. On the other hand, the MSMQ 2.0 COM components provide full encryption support. You can tell Message Queuing to encrypt the message body, or your application can encrypt the message body. MSMQ 3.0 includes equivalent COM objects for the cryptographic APIs, so that applications written in Visual Basic can send application-encrypted messages.
MSMQ 3.0 does not support sending application-encrypted messages to HTTP/HTTPS direct format names, multicast addresses, or distribution lists.
The following illustration shows the process needed to encrypt a message body.
.jpeg "<No Change>")
When your application is encrypting messages, the following message properties must be set accordingly:
PROPID_M_BODY or MSMQMessage.Body
This property contains encrypted message body while the message is sent.
PROPID_M_CONNECTOR_TYPE or MSMQMessage.ConnectorTypeGuid
In this case, this property tells Message Queuing on the sending computer that the destination symmetric key property was not set by Message Queuing.
PROPID_M_DEST_SYMM_KEY or MSMQMessage.DestinationSymmetricKey
This property contains the symmetric key needed to decrypt the message body.
PROPID_M_ENCRYPTION_ALG or MSMQMessage.EncryptAlgorithm
Message Queuing supports RC2 and RC4 encryption algorithms. The encryption algorithm must be specified when the symmetric key is created, used to encrypt the body of the message, then sent on to the receiving application.
PROPID_M_PRIV_LEVEL or MSMQMessage.PrivLevel
If your application is encrypting its messages with a 40-bit key, the privacy level property should be ignored. If your application is encrypting its messages with a 128-bit key, the privacy level property must be set to MQMSG_PRIV_LEVEL_BODY_ENHANCED.
More Information
| For information on | See |
|---|---|
| The security-related restrictions created by using direct format names | Direct Format Names |
| Sending Message Queuing-encrypted messages | Message Queuing-Encrypted Messages |
| Reading private messages from the destination queue | Reading Private Messages |