Securing WCF

Securing a WCF service is quite easy, but several methods with different fields of application exist. This post describes the available security mechanisms and how they are set up.

Securing your network service is important because, if a service is not secured, every peer on the communication path can read your traffic.

Basically two different approaches of securing a service exist:

  • Message security: This approach encrypts the contents of a message, so the security is handled by the protocol itself. If a well-known and tested standard exists for the protocol in use, this approach has the advantage that the encryption is transparent to all peers and no special treatment is required. But not all protocols provide payload encryption, and developing your own message security scheme is dangerous and requires special security skills. SOAP with the WS-Security extension is an example of a message security scheme, but WS-Security is not supported by many frameworks; in particular, it is not supported on Android out of the box.
  • Transport security: Transport layer security is independent of the application protocol and is supported by far more applications. A well-known transport security mechanism is SSL/TLS, which is used for HTTPS, SSH and many others. It establishes encryption between the two endpoints of a connection based on X.509 certificates and their associated private keys. The disadvantage of this approach is that it only protects a single connection, not a message that travels through intermediaries: such a message has to be decrypted and re-encrypted on every hop.

WCF and Message Security

To enable message security for your service, add the following to your binding configuration and pick one client credential type:

<security mode="Message">
  <message clientCredentialType="Certificate" />  <!-- or IssuedToken, None, UserName, Windows -->
</security>

For a detailed explanation of the message security element, see the MSDN documentation.

WCF and Transport Security

Because of my affinity to mobile devices and mobile services I prefer transport security over message security because it has far less overhead, is supported out of the box and can be applied to multiple technologies (SOAP, REST, ...).

To enable transport security, add the following to your binding configuration and change your service URLs from http to https:

<security mode="Transport" />

To generate a self-signed test certificate for your service, use the makecert tool and import the certificate into your local machine certificate store. To associate the certificate with the IP address and port your service listens on, use the netsh tool as shown (the app id is any GUID that identifies your application):

netsh http add sslcert ipport=<ip>:<port> certhash=<certhash from certstore> appid=<chosen appid guid>
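As an added example (not code from the original post), the certificate and netsh steps above as one PowerShell script that also verifies the binding afterwards. It assumes the service listens on port 8443 (a placeholder), that the script runs in an elevated session, and it uses the New-SelfSignedCertificate cmdlet in place of makecert.

```powershell
# Added example, not part of the original post. Creates a self-signed test
# certificate and binds it to the HTTPS port of a WCF service.
# Assumptions: port 8443 (placeholder), host name "localhost", elevated session.
# New-SelfSignedCertificate is used here instead of the older makecert tool.
$port  = 8443
# Any GUID identifying your application; keep it stable across reinstalls.
$appId = [guid]::NewGuid().ToString("B")

# 1. Create the certificate directly in the machine store. netsh/HTTP.sys needs
#    the private key in LocalMachine\My, not in the current user's store.
#    Non-exportable key and a short lifetime because this is only a test cert.
$cert = New-SelfSignedCertificate -DnsName "localhost" `
            -CertStoreLocation "Cert:\LocalMachine\My" `
            -KeyExportPolicy NonExportable `
            -NotAfter (Get-Date).AddDays(30)

# 2. Bind the certificate to the port. 0.0.0.0 listens on all IPv4 interfaces;
#    use 127.0.0.1 instead to keep a test service reachable locally only.
netsh http add sslcert ipport=0.0.0.0:$port certhash=$($cert.Thumbprint) appid=$appId
if ($LASTEXITCODE -ne 0) { throw "netsh failed to register the certificate binding" }

# 3. Verify: the registered binding must carry the thumbprint we just created
#    (PowerShell's -notmatch is case-insensitive, netsh prints the hash in lower case).
$binding = netsh http show sslcert ipport=0.0.0.0:$port
if (($binding -join "`n") -notmatch $cert.Thumbprint) {
    throw "Binding for port $port does not carry the expected certificate"
}
Write-Host "Certificate $($cert.Thumbprint) bound to https://localhost:$port/"
```

Run `netsh http delete sslcert ipport=0.0.0.0:8443` to remove the binding again once the test is done.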

Appendix: Enable WCF logging

To get more information out of a service and to discover why it is not working as expected, it is always a good idea to enable logging. Put the following snippet inside the <system.diagnostics>/<sources> element of your app.config to enable logging to the specified file (the log directory must exist). A log viewer for .svclog files should be available on your system.

<source name="System.ServiceModel"
        switchValue="Information, ActivityTracing">
  <listeners>
    <add name="traceListener"
         type="System.Diagnostics.XmlWriterTraceListener"
         initializeData="c:\log\Traces.svclog" />
  </listeners>
</source>