Wednesday, December 10, 2008

WCF 101 - Understanding Transfer Security Visually

by bartczernicki.nospam@nospam.gmail.com (Bart Czernicki) via Silverlight Hack on 12/10/2008 4:27:00 PM

Overview 

WCF includes a variety of security settings and design options.  One of the security options the service architect has to worry about is transfer security.  Transfer security deals with ensuring safe and secure communication between a client and service host. 

Transfer security is very important for several reasons.  Even the best authorization and authentication service design means nothing if the messages are not secure.  Unsecure messages can lead to a variety of problems like:

• exposing the message contents to the outside world including hackers
• exposing other security mechanisms on how to compromise your service (authentication or authorization)
• spoofed messages (By mimicking certain message patterns, hackers can create fake messages that can cause your service to end up corrupted.)
• DOS attacks

WCF Transfer Security Implementation

WCF provides a variety of ways to secure the communication channel between the service and the client.  Using these options properly can lead to highly secure communication with a very low probability of your messages being compromised.  Conversely,  even missing a small setting in the transfer security configuration can lead to messages that can have compromised privacy or integrity.

Generally speaking, WCF supports four different ways to secure your service transfer mechanism:

• Transport - This secures the messages by using a secure protocol that encrypts the entire channel that the messages are flowing over.
• Message - This secures the messages by encrypting the messages themselves.
• Both - This method combines both Transport and Message security.  This secures the messages by encrypting the messages themselves and encrypting the channel.
• Mixed - This method uses Transport security to protect the message contents.   However, message security is used to protect the credentials of the user.

A developer who is not experienced with WCF might have a hard time comprehending these concepts initially.  Therefore, I decided to show at a very high level how you can understand these transfer security modes visually.

Unsecure (None) Transfer Security

Messages are unencrypted over a channel stack that is unsecure

• Messages are are unencrypted and the channel is unencrypted as well.
  
• Unsecure transfer security is obviously not recommended.
• Services DO NOT have to have content you want to protect in order to provide message security.   Without properly protecting your messages, your service can be exposed to hackers and it could cause unwanted performance problems as well attacks like relay or DOS attacks can bring the entire service down.

Message Transfer Security

Messages are encyrpted over a channel stack that is unsecure

• Individual messages are encrypted.
  
• Message transfer adds the most overhead and latency to the WCF service (other than the Both/Mixed option)
  • Each message needs to be properly encrypted and encoded as it leaves the client or service.
  • Each message needs to verified that it was not tampered with when it is received.

Transport Transfer Security

Messages are unencyrpted over a channel stack that is secure (If the channel were unsecure, you could see the messages in clear text.)

• The messages are not encrypted; however, the channel is secure through using a secure protocol.
• The communication channel is set up intially and transport security can take advantage of hardware acceleration and thus, can be further optomized.
• Transport security is point to point.  Since the messages themselves are not encrypted, once they go to another point, they can be potentially exposed to integrity/privacy attacks as if they were unsecure.

Message Transfer Security (mulitple hops)

Messages are encyrpted over an unsecure channel between the client and the service endpoint (1st hop).  Notice the messages remain encrypted between the first service and second service (2nd hop).

• The big advantage of message security is that it provides end to end security.
  • Messages leaving intermediary services retain their security.
• Message security is not provided by all bindings and it is considered the best practice when designing enterprise services organized in a "matrix".

Transport Transfer Security (multiple hops)

Messages are unencyrpted over an secure channel between the client and the service endpoint (1st hop).  Notice the messages DO NOT remain encrypted between the first service and second service (2nd hop).

• The big disadvantage of transport security is that it is only guaranteed to be point to point.
• Message leaving and the intermediate service are not secure (by default).
• Messages can be secured in the 2nd hop; however, it requires additional work.

Silverlight supports Transport level security natively out of the box with WCF configuration.  Message security is possible inside Silverlight; however, it does require additional advanced programming beyond setting simple binding/behavior settings.  However, message security is not 100% supported with all the different options like securing Messages with credentials.

Summary

In this article, I introduced the basics of WCF transfer security design scenarios.  I decided to show the differences visually so that this concept is easier to understand for those new to WCF.