- Windows Communication Foundation Security Overview
- Windows Communication Foundation Security Benefits
- Integration with Existing Security Infrastructures
- Integration with Existing Authentication Models
- Standards and Interoperability
- WCF Security Functional Areas
- Transfer Security
- Transport and Message Security Modes
- Access Control
- Auditing
- Programming WCF Security
- Setting the Security Mode
- Setting the Client Credential Type
Windows Communication Foundation Security Overview
Windows Communication Foundation (WCF) is a SOAP message-based distributed programming platform, and securing messages between clients and services is essential to protecting data. WCF provides a versatile and interoperable platform for exchanging secure messages based upon both the existing security infrastructure and the recognized security standards for SOAP messages.
For a comprehensive guide to WCF security, see WCF Security Guidance.
WCF uses concepts that are familiar if you have built secure, distributed applications with existing technologies such as HTTPS, Windows integrated security, or user names and passwords to authenticate users. WCF not only integrates with existing security infrastructures, but also extends distributed security beyond Windows-only domains by using secure SOAP messages. Consider WCF an implementation of existing security mechanisms with the major advantage of using SOAP as the protocol in addition to existing protocols. For example, credentials that identify a client or a service, such as user name and password or X.509 certificates, have interoperable XML-based SOAP profiles. Using these profiles, messages are exchanged securely by taking advantage of open specifications like XML digital signatures and XML encryption. For a list of specifications, see Web Services Protocols Supported by System-Provided Interoperability Bindings.
Another parallel is the Component Object Model (COM) on the Windows platform, which enables secure, distributed applications. COM has a comprehensive security mechanism whereby security context can be flowed between components; this mechanism enforces integrity, confidentiality, and authentication. However COM does not enable cross-platform, secure messaging like WCF does. Using WCF, you can build services and clients that span from Windows domains across the Internet. The interoperable messages of WCF are essential for building dynamic, business-driven services that help you feel confident in the security of your information.
Windows Communication Foundation Security Benefits
WCF is a distributed programming platform based on SOAP messages. Using WCF, you can create applications that function as both services and service clients, creating and processing messages from an unlimited number of other services and clients. In such a distributed application, messages can flow from node to node, through firewalls, onto the Internet, and through numerous SOAP intermediaries. This introduces a variety of message security threats. The following examples illustrate some common threats that WCF security can help mitigate when exchanging messages between entities:
Observation of network traffic to obtain sensitive information. For example, in an online-banking scenario, a client requests the transfer of funds from one account to another. A malicious user intercepts the message and, having the account number and password, later performs a transfer of funds from the compromised account.
Rogue entities acting as services without awareness of the client. In this scenario, a malicious user (the rogue) acts as an online service and intercepts messages from the client to obtain sensitive information. Then the rogue uses the stolen data to transfer funds from the compromised account. This attack is also known as a phishing attack.
Alteration of messages to obtain a different result than the caller intended. For example, altering the account number to which a deposit is made allows the funds to go to a rogue account.
Hacker replays in which a nuisance hacker replays the same purchase order. For example, an online bookstore receives hundreds of orders and sends the books to a customer who has not ordered them.
Inability of a service to authenticate a client. In this case, the service cannot assure that the appropriate person performed the transaction.
In summary, transfer security provides the following assurances:
Service endpoint (respondent) authentication.
Client principal (initiator) authentication.
Integration with Existing Security Infrastructures
Often, Web service deployments have existing security solutions in place, for example, Secure Sockets Layer (SSL) or the Kerberos protocol. Some take advantage of a security infrastructure that has already been deployed, such as Windows domains using Active Directory. It is often necessary to integrate with these existing technologies while evaluating and adopting newer ones.
WCF security integrates with existing transport security models and can leverage existing infrastructure for newer transfer security models based on SOAP message security.
Integration with Existing Authentication Models
An important part of any communication security model is the ability to identify and authenticate entities in communication. These entities in communication use "digital identities," or credentials, to authenticate themselves with the communicating peers. As distributed communication platforms evolved, various credential authentication and related security models have been implemented. For example, on the Internet, the use of a user name and password to identify users is common. On the intranet, the use of a Kerberos domain controller to back up user and service authentication is becoming common. In certain scenarios, such as between two business partners, certificates may be used to mutually authenticate the partners.
Thus, in the world of Web services, where the same service might be exposed to internal corporate customers as well as to external partners or Internet customers, it is important that the infrastructure provide for integration with these existing security authentication models. WCF security supports a wide variety of credential types (authentication models) including:
User name client credential.
Certificate client credential.
Windows (both Kerberos protocol and NT LanMan [NTLM]).
Standards and Interoperability
In a world with large existing deployments, homogeneity is rare. Distributed computing/communications platforms need to interoperate with the technologies different vendors offer. Likewise, security must also be interoperable.
To enable interoperable security systems, companies active in the Web services industry have authored a variety of standards. Specifically regarding security, a few notable standards have been proposed: WS-Security: SOAP Message Security (accepted by the OASIS standards body and formerly known as WS-Security), WS-Trust, WS-SecureConversation, and WS-SecurityPolicy.
WCF supports a wide variety of interoperability scenarios. The BasicHttpBinding class is targeted at the Basic Security Profile (BSP) and the WSHttpBinding class is targeted at the latest security standards, such as WS-Security 1.1 and WS-SecureConversation. By adhering to these standards, WCF security can interoperate and integrate with Web services that are hosted on operating systems and platforms other than Microsoft Windows.
WCF Security Functional Areas
WCF security is divided into three functional areas: transfer security, access control, and auditing. The following sections briefly discuss these areas and provide links for more information.
Transfer Security
Transfer security encompasses three major security functions: integrity, confidentiality, and authentication. Integrity is the ability to detect whether a message has been tampered with. Confidentiality is the ability to keep a message unreadable by anyone other than the intended recipient; this is achieved through cryptography. Authentication is the ability to verify a claimed identity. Together, these three functions help to ensure that messages securely arrive from one point to another.
Transport and Message Security Modes
Two main mechanisms are used to implement transfer security in WCF: transport security mode and message security mode.
Transport security mode uses a transport-level protocol, such as HTTPS, to achieve transfer security. Transport mode has the advantage of being widely adopted, available on many platforms, and less computationally complex. However, it has the disadvantage of securing messages only from point-to-point.
Message security mode, on the other hand, uses WS-Security (and other specifications) to implement transfer security. Because the message security is applied directly to the SOAP messages and is contained inside the SOAP envelopes, together with the application data, it has the advantage of being transport protocol-independent, more extensible, and ensuring end-to-end security (versus point-to-point); it has the disadvantage of being several times slower than transport security mode because it has to deal with the XML nature of the SOAP messages.
For more information about these differences, see Securing Services and Clients.
A third security mode uses both previous modes and brings advantages of both. This mode is called TransportWithMessageCredential. In this mode, message security is used to authenticate the client and transport security is used to authenticate the server and provide message confidentiality and integrity. Thanks to this, the TransportWithMessageCredential security mode is almost as fast as transport security mode and provides client authentication extensibility in the same way as message security. However, unlike message security mode, it does not provide complete end-to-end security.
Access Control
Access control is also known as authorization. Authorization allows different users to have different privileges to view data. For example, because a company's human resources files contain sensitive employee data, only managers are allowed to view employee data. Further, managers can view only data for their direct reports. In this case, access control is based on both the role ("manager") as well as the specific identity of the manager (to prevent one manager from looking at another manager's employee records).
In WCF, access control features are provided through integration with the common language runtime (CLR) PrincipalPermissionAttribute and through a set of APIs known as the identity model. For details about access control and claims-based authorization, see Extending Security.
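The human-resources scenario above needs two checks: a role check (is the caller a manager?) and an identity check (is this employee one of the caller's own direct reports?). The following is an added example, not code from the WCF documentation, showing how the PrincipalPermissionAttribute mentioned above enforces the role and how the operation body enforces the identity. The IHumanResourcesService contract, the reporting structure, the account names and the "Manager" role name are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Permissions;
using System.ServiceModel;

// Constructed contract for the human-resources scenario in the text.
[ServiceContract]
public interface IHumanResourcesService
{
    [OperationContract]
    string GetEmployeeRecord(string employeeId);
}

public class HumanResourcesService : IHumanResourcesService
{
    // Constructed, in-memory reporting structure: manager account name ->
    // the employee ids that report to that manager (hypothetical data).
    private static readonly Dictionary<string, HashSet<string>> DirectReports =
        new Dictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase)
        {
            { @"CORP\alice", new HashSet<string> { "E100", "E101" } },
            { @"CORP\bob",   new HashSet<string> { "E200" } },
        };

    // Role check, enforced by the CLR before the body runs: the caller's
    // principal must be in the "Manager" role (a Windows group under the
    // default PrincipalPermissionMode.UseWindowsGroups). Otherwise a
    // SecurityException is raised and the client receives an access-denied fault.
    [PrincipalPermission(SecurityAction.Demand, Role = "Manager")]
    public string GetEmployeeRecord(string employeeId)
    {
        // Identity check: being a manager is not enough; the record must belong
        // to one of the caller's own direct reports.
        var context = ServiceSecurityContext.Current;
        if (context == null || context.IsAnonymous)
        {
            throw new FaultException("Access denied: caller is not authenticated.");
        }

        string manager = context.PrimaryIdentity.Name;
        HashSet<string> reports;
        if (!DirectReports.TryGetValue(manager, out reports) || !reports.Contains(employeeId))
        {
            // Same message whether or not the employee exists, so the fault does
            // not reveal the org chart to a manager who is not entitled to it.
            throw new FaultException("Access denied: not a direct report.");
        }

        return LoadRecord(employeeId);
    }

    private static string LoadRecord(string employeeId)
    {
        // Placeholder for the real data access.
        return "record for " + employeeId;
    }
}
```

The attribute covers the coarse decision and fails closed before any application code runs; the per-record ownership check has to live in the operation because it depends on the request data, which is exactly the "specific identity of the manager" part of the scenario.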
Auditing
Auditing is the logging of security events to the Windows event log. You can log security-related events, such as authentication failures (or successes). For more information, see Auditing. For programming details, see How to: Audit Security Events.
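An added example, not code from the WCF documentation, of turning on the auditing described above for a service host in code. It uses the ServiceSecurityAuditBehavior type from System.ServiceModel.Description; the choice of levels is an assumption that reflects what a defender usually wants to see in the event log.

```csharp
using System.ServiceModel;
using System.ServiceModel.Description;

public static class AuditingSetup
{
    // Enable security auditing on an already-constructed ServiceHost.
    public static ServiceSecurityAuditBehavior EnableSecurityAuditing(ServiceHost host)
    {
        var audit = host.Description.Behaviors.Find<ServiceSecurityAuditBehavior>();
        if (audit == null)
        {
            audit = new ServiceSecurityAuditBehavior();
            host.Description.Behaviors.Add(audit);
        }

        // Write to the Application log; writing to the Security log requires
        // additional audit privileges for the process.
        audit.AuditLogLocation = AuditLogLocation.Application;

        // Record every authentication attempt, successful or not: failed
        // attempts are the usual signal of credential guessing, and successes
        // give the baseline to compare against.
        audit.MessageAuthenticationAuditLevel = AuditLevel.SuccessOrFailure;

        // Record only denied authorization decisions to keep the volume down.
        audit.ServiceAuthorizationAuditLevel = AuditLevel.Failure;

        // Design choice: fail the request if the audit record cannot be written,
        // so a broken log does not go unnoticed (the default, true, suppresses it).
        audit.SuppressAuditFailure = false;

        return audit;
    }
}
```

Call EnableSecurityAuditing before host.Open(); behaviors added after the host is open are ignored.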
Programming WCF Security
This topic describes the fundamental programming tasks used to create a secure Windows Communication Foundation (WCF) application. This topic covers only authentication, confidentiality, and integrity, collectively known as transfer security. This topic does not cover authorization (the control of access to resources or services); for information on authorization, see Authorization.
For a valuable introduction to security concepts, especially in regard to WCF, see the set of patterns and practices tutorials on MSDN at Scenarios, Patterns, and Implementation Guidance for Web Services Enhancements (WSE) 3.0.
Programming WCF security is based on three steps, setting the following: the security mode, a client credential type, and the credential values. You can perform these steps either through code or configuration.
Setting the Security Mode
The following explains the general steps for programming with the security mode in WCF:
Select one of the predefined bindings appropriate to your application requirements. For a list of the binding choices, see System-Provided Bindings. By default, nearly every binding has security enabled. The one exception is the BasicHttpBinding class (using configuration, the ).
The binding you select determines the transport. For example, WSHttpBinding uses HTTP as the transport; NetTcpBinding uses TCP.
Select one of the security modes for the binding. Note that the binding you select determines the available mode choices. For example, the WSDualHttpBinding does not allow transport security (it is not an option). Similarly, neither the MsmqIntegrationBinding nor the NetNamedPipeBinding allows message security.
You have three choices:
Transport security depends on the mechanism that the binding you have selected uses. For example, if you are using WSHttpBinding, the security mechanism is Secure Sockets Layer (SSL) (also the mechanism for the HTTPS protocol). Generally speaking, the main advantage of transport security is that it delivers good throughput no matter which transport you are using. However, it has two limitations. The first is that the transport mechanism dictates the credential type used to authenticate a user. This is a drawback only if a service needs to interoperate with other services that demand different types of credentials. The second is that, because the security is not applied at the message level, security is implemented in a hop-by-hop manner rather than end-to-end. This latter limitation is an issue only if the message path between client and service includes intermediaries. For more information about which transport to use, see Choosing a Transport. For more information about using transport security, see Transport Security Overview.
Message security means that every message includes the necessary headers and data to keep the message secure. Because the composition of the headers varies, you can include any number of credentials. This becomes a factor if you are interoperating with other services that demand a specific credential type that a transport mechanism cannot supply, or if the message must be used with more than one service, where each service demands a different credential type. For more information, see Message Security.
Transport with message credential (the TransportWithMessageCredential mode) uses the transport layer to secure the message transfer, while every message includes the rich credentials other services need. This combines the performance advantage of transport security with the rich credentials advantage of message security. This is available with the following bindings: BasicHttpBinding, WSFederationHttpBinding, NetPeerTcpBinding, and WSHttpBinding.
If you decide to use transport security for HTTP (in other words, HTTPS), you must also configure the host with an SSL certificate and enable SSL on a port. For more information, see HTTP Transport Security.
If you are using the WSHttpBinding and do not need to establish a secure session, set the EstablishSecurityContext property to false.
A secure session occurs when a client and service create a channel using a symmetric key (both client and server use the same key for the length of a conversation, until the dialog is closed).
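The three security modes compared in the Transport and Message Security Modes section, and the binding-and-mode steps just described, applied in code to WSHttpBinding. This is an added example, not code from the WCF documentation: the IAccountService contract, the base addresses, the certificate subject name and the chosen client credential types are assumptions for illustration.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;

// Constructed contract used only to have an operation to expose.
[ServiceContract]
public interface IAccountService
{
    [OperationContract]
    decimal GetBalance(string accountNumber);
}

public static class SecurityModeExamples
{
    // Transport mode: TLS on the HTTPS transport secures each hop; the host
    // must already have an SSL certificate bound to the port. The transport
    // dictates the credential type, so the client's Windows credential is
    // negotiated by HTTP rather than carried inside the SOAP envelope.
    public static WSHttpBinding TransportOnly()
    {
        var binding = new WSHttpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;
        return binding;
    }

    // Message mode: WS-Security headers inside the SOAP envelope give
    // end-to-end protection across intermediaries, independent of the
    // transport, at the cost of XML signing and encryption on every message.
    public static WSHttpBinding MessageOnly()
    {
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        // No secure session: each message is protected on its own instead of
        // with a symmetric key negotiated at the start of the conversation.
        binding.Security.Message.EstablishSecurityContext = false;
        return binding;
    }

    // Mixed mode: TLS authenticates the server and protects the channel hop by
    // hop, while the client authenticates with a credential in the message.
    public static WSHttpBinding MixedMode()
    {
        var binding = new WSHttpBinding(SecurityMode.TransportWithMessageCredential);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;
        return binding;
    }

    // One host, one endpoint per mode. Relative addresses resolve against the
    // base address whose scheme matches the binding (http for Message mode,
    // https for the two transport-based modes). Addresses are assumptions.
    public static ServiceHost CreateHost(Type serviceType)
    {
        var host = new ServiceHost(serviceType,
            new Uri("http://localhost:8080/accounts"),
            new Uri("https://localhost:8443/accounts"));

        // Message mode with a UserName client credential needs a service
        // certificate so the client can encrypt the token to the service.
        // The subject name is a placeholder for whatever certificate the host owns.
        host.Credentials.ServiceCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My,
            X509FindType.FindBySubjectName, "accounts.example.test");

        host.AddServiceEndpoint(typeof(IAccountService), TransportOnly(), "transport");
        host.AddServiceEndpoint(typeof(IAccountService), MessageOnly(), "message");
        host.AddServiceEndpoint(typeof(IAccountService), MixedMode(), "mixed");
        return host;
    }
}
```

Exposing all three on one host is only for comparison; in practice a service picks the one mode its clients and intermediaries require. The transport-based endpoints still depend on the SSL certificate being bound to port 8443 on the host, as the HTTPS step above describes.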
Setting the Client Credential Type
Select a client credential type as appropriate. For more information, see Selecting a Credential Type. The following client credential types are available: