Programming WCF Services : Security - Transfer Security

10/15/2013 7:33:16 PM

1. Authentication

Authentication is the act of verifying that the caller of a service is indeed who that caller claims to be. While authentication is typically referred to in the context of verification of the caller, from the client perspective there is also a need for service authentication; that is, assuring the client that the service it calls really is the service it intends to call. This is especially important with clients who call over the Internet, because if a malicious party subverts the client’s DNS service, it could hijack the client’s calls. WCF offers various authentication mechanisms:

No authentication

The service does not authenticate its callers, and virtually all callers are allowed.

Windows authentication

The service typically uses Kerberos when a Windows Domain Server is available, or NTLM when deployed in a workgroup configuration. The caller provides the service with its Windows credentials (such as a ticket or a token) and the service authenticates that against Windows.

Username and password

The caller provides the service with a username and a password. The service then uses these credentials against some kind of credentials store, such as Windows accounts or a custom credentials store (such as a dedicated database).

X509 certificate

The client identifies itself using a certificate. Typically, that certificate is known in advance to the service. The service looks up the certificate on the host side and validates it, thus authenticating the client. Alternatively, the service may implicitly trust the issuer of the certificate and hence the client presenting it.

Custom mechanism

WCF allows developers to replace the built-in authentication mechanisms with any protocol and credential type, such as using biometrics.

Issued token

The caller and the service can both rely on a secure token service to issue the client a token that the service recognizes and trusts. Such a service is typically federated and encapsulates the act of authenticating and securing the call. Windows CardSpace is an example of such a secure token service.

2. Authorization

Authorization is concerned with what the caller is allowed to do: typically, which operations the client is allowed to invoke on the service. Authorizing of the caller is done under the assumption that the caller is indeed who the caller claims to be—in other words, authorization is meaningless without authentication. For authorization, the service typically relies on some kind of credentials store, where callers are mapped to logical roles. When authorizing an operation, the operation declares or explicitly demands that only certain roles can access it, and the service needs to look up the caller’s role or roles from the store and verify that the caller is a member of the requested roles. Out of the box, WCF supports two credentials stores: the service can use Windows groups (and accounts) for authorization, or it can use an ASP.NET provider (such as the SQL Server provider) to store user accounts and roles. WCF also supports custom role repositories, but I have found that the easiest option by far for implementing a custom store is to implement a custom ASP.NET provider. 


WCF offers an elaborate and extensible infrastructure for authenticating and authorizing the caller based on a set of claims contained in the message.

3. Transfer Security

Both authentication and authorization deal with two local aspects of security—if (and to what extent) to grant access to the caller once the service has received the message. In this respect, WCF services are not much different from traditional client/server classes. However, both authentication and authorization are predicated on secure delivery of the message itself. The transfer of the message from the client to the service has to be secure, or both authentication and authorization are moot. There are three essential aspects to transfer security, and all three aspects must be enforced to provide for secure services. Message integrity deals with how to ensure that the message itself is not tampered with en route from the client to the service. A malicious party or intermediary could, in practice, intercept the message and modify its content; for example, altering the account numbers in the case of a transfer operation in a banking service. Message privacy deals with ensuring the confidentiality of the message, so that no third party can even read the contents of the message. Privacy complements integrity. Without it, even if the malicious party does not tamper with the message, that party can still cause harm by gleaning sensitive information (again, such as account numbers) from the message content. Finally, transfer security must provide for mutual authentication, which deals with assuring the client that only the proper service is able to read the content of its message—in other words, that the client connects to the correct service. Once the credentials in the message are received, the service must authenticate those credentials locally. The mutual authentication mechanism also needs to detect and eliminate replay attacks and denial of service (DOS) attacks. In a replay attack, a malicious party records a valid message from the wire and later sends that valid message back to the service. With a DOS attack, a malicious party floods the service with messages (either valid messages or bogus invalid messages) at such a frequency as to degrade the service’s availability.

3.1. Transfer Security Modes

WCF supports five different ways of accomplishing the three aspects of transfer security. Choosing the correct transfer security mode is perhaps the prime decision to be made in the context of securing a service. The five transfer security modes are None, Transport security, Message security, Mixed, and Both.

3.1.1. None transfer security mode

As its name implies, the None transfer security mode has transfer security completely turned off—in fact, all aspects of WCF security are turned off. No client credentials are provided to the service, and the message itself is wide open to any malicious party to do with it as it pleases. Obviously, setting transfer security to None is highly inadvisable.

3.1.2. Transport transfer security mode

When configured for Transport security, WCF uses a secure communication protocol. The available secure transports are HTTPS, TCP, IPC, and MSMQ. Transport security encrypts all communication on the channel and thus provides for integrity, privacy, and mutual authentication. Integrity is provided because without knowing the encryption key, any attempt to modify the message will corrupt it so that it will become useless. Privacy is provided because no party other than the recipient can see the content of the message. Mutual authentication is supported because only the intended recipient of the message can read it; the client need not be concerned with message rerouting to malicious endpoints, as those will not be able to use the message. Once the message is decrypted, the service can read the client’s credentials and authenticate the client.

Transport security requires the client and the service to negotiate the details of the encryption, but that is done automatically as part of the communication protocol in the respective binding. Transport security can benefit from hardware acceleration done on the network card so as to avoid burdening the host machine’s CPU with the encryption and decryption of the messages. Hardware acceleration obviously caters to high throughput, and it may even make the security overhead unnoticeable. Transport security is the simplest way of achieving transfer security, and the most performant option. Its main downside is that it can only guarantee transfer security point-to-point, meaning when the client connects directly to the service. Having multiple intermediaries between the client and the service renders Transport security questionable, as those intermediaries may not be secure. Consequently, Transport security is typically used only by intranet applications, where you can ensure a single hop between the client and the service in a controlled environment.


When configuring any of the HTTP bindings for Transport security, WCF verifies at the service load time that the corresponding address on the endpoint uses HTTPS rather than mere HTTP.

3.1.3. Message transfer security mode

The Message transfer security mode simply encrypts the message itself. By encrypting the message, you gain integrity and privacy and enable mutual authentication, for the same reason that Transport security provides these features when the communication channel is encrypted. However, encrypting the message rather than the transport enables the service to communicate securely over nonsecure transports, such as HTTP. Because of that, Message security provides for end-to-end security, regardless of the number of intermediaries involved in transferring the message and regardless of whether or not the transport is secure. In addition, Message security is based on a set of industry standards designed both for interoperability and for thwarting common attacks such as replay and DOS attacks, and the support WCF offers for it is both rich and extensible. The downside of Message security is that it may introduce call latency due to its inherent overhead. Message security is typically used by Internet applications, where the call patterns are less chatty and the transport is not necessarily secure.

3.1.4. Mixed transfer security mode

The Mixed transfer security mode uses Transport security for message integrity and privacy as well as service authentication, and it uses Message security for securing the client’s credentials. The Mixed mode tries to combine the advantages of both Transport and Message security by benefiting from the secure transport and even hardware acceleration offered by Transport security to cater to high throughput, and from the extensibility and richer types of client credentials offered by Message security. The downside of the Mixed mode is that it is only secure point-to-point, as a result of the use of Transport security. Application developers rarely need to use the Mixed mode, but it is available for advanced cases.

3.1.5. Both transfer security mode

As its name implies, the Both transfer security mode uses both Transport security and Message security. The message itself is secured using Message security, and then it is transferred to the service over a secure transport. The Both mode maximizes security, yet it may be overkill for most applications (with the exception perhaps of disconnected applications, where the additional latency it introduces will go unnoticed).

3.2. Transfer Security Mode Configuration

Configuring the transfer security mode is done in the binding, and both the client and the service must use the same transfer security mode and, of course, comply with its requirements. Like any other binding configuration, you can configure transfer security either programmatically or administratively, in a config file. All the common bindings offer a construction parameter indicating the transfer security mode, and all bindings offer a Security property with a Mode property identifying the configured mode using a dedicated enumeration. As shown in Table 1, not all bindings support all transfer security modes: the supported modes are driven by the target scenarios for the binding.

Table 1. Bindings and transfer security modes
BasicHttpBindingYes (default)YesYesYesNo
NetTcpBindingYesYes (default)YesYesNo
NetNamedPipeBindingYesYes (default)NoNoNo
WSHttpBindingYesYesYes (default)YesNo
NetMsmqBindingYesYes (default)YesNoYes

The intranet bindings (NetTcpBinding, NetNamedPipeBinding, and NetMsmqBinding) all default to Transport security. Thus, no special programming is required on behalf of the service or client developer. The reason is that on the intranet calls are typically point-to-point, and Transport security yields the best performance. However, the intranet bindings can also be configured for the None transfer mode; that is, they can be used on the same transport protocol, only without security. The NetNamedPipeBinding supports only None and Transport security—there is no sense in using Message security over IPC, since with IPC there is always exactly one hop from the client to the service. Also note that only the NetMsmqBinding supports the Both mode.

The Internet bindings all default to Message security, to enable them to be used over nonsecure transports (that is, HTTP) and to accommodate multiple hops and intermediaries.

With one noticeable exception, all of the WCF bindings are configured with some kind of transfer security and are therefore secure by default. Only the BasicHttpBinding defaults to having no security. The reason is that the basic binding is designed to make a WCF service look like a legacy ASMX service, and ASMX is unsecured by default. That said, you can and should configure the BasicHttpBinding to use a different transfer security mode, such as Message security.

3.2.1. Specific binding configurations

The BasicHttpBinding uses the BasicHttpSecurityMode enum for transfer mode configuration. The enum is available via the Mode property of the Security property of the binding:

public enum BasicHttpSecurityMode
public sealed class BasicHttpSecurity
public BasicHttpSecurityMode Mode
//More members
public class BasicHttpBinding : Binding,...
public BasicHttpBinding();
public BasicHttpBinding(BasicHttpSecurityMode securityMode);
public BasicHttpSecurity Security
//More members

Security is of the type BasicHttpSecurity. One of the constructors of BasicHttpBinding takes the BasicHttpSecurityMode enum as a parameter. To secure the basic binding for Message security, you can either construct it secured or set the security mode post-construction. Consequently, in Example 1, binding1 and binding2 are equivalent.

Example 1. Programmatically securing the basic binding
BasicHttpBinding binding1 = new BasicHttpBinding(BasicHttpSecurityMode.Message);

BasicHttpBinding binding2 = new BasicHttpBinding();
binding2.Security.Mode = BasicHttpSecurityMode.Message;

Instead of programmatic settings, you can use a config file, as in Example 2.

Example 2. Administratively securing the basic binding
<binding name = "SecuredBasic">
<security mode = "Message"/>

The rest of the bindings all use their own enumerations and dedicated security classes, yet they are configured just as in Example 1 and Example 2. For example, the NetTcpBinding and the WSHttpBinding use the SecurityMode enum, defined as:

public enum SecurityMode
TransportWithMessageCredential //Mixed

These bindings offer a matching construction parameter and a matching Security property.

The NetNamedPipeBinding uses the NetNamedPipeSecurityMode enum, which supports only the None and Transport security modes:

public enum NetNamedPipeSecurityMode

The NetMsmqBinding uses the NetMsmqSecurityMode enum:

public enum NetMsmqSecurityMode

NetMsmqSecurityMode is the only enum that offers the Both transfer mode.

The reason that almost every common binding has its own dedicated enum for the security mode is that the designers of WCF security opted for increased safety at the expense of overall complexity. They could have defined just a single all-inclusive enum with values corresponding to the five possible transfer security modes, but then it would have been possible at compile time to assign invalid values, such as Message security for the NetNamedPipeBinding. Opting for specialized enums makes configuring security less error-prone, yet there are more moving parts to come to terms with.

3.3. Transport Security and Credentials

WCF lets you select from a number of possible client credential types. For example, the client can identify itself using a classic username and password, or a Windows security token. Windows credentials can then be authenticated using NTLM or Kerberos, when available. Alternatively, the client can use an X509 certificate, or choose to provide no credentials at all and be anonymous. When configuring transfer security for Transport security, however, not all bindings support all client credential types, as shown in Table 2.

Table 2. Bindings and Transport security client credentials
BasicHttpBindingYes (default)YesYesYes
NetTcpBindingYesYes (default)NoYes
NetNamedPipeBindingNoYes (default)NoNo
WSHttpBindingYesYes (default)YesYes
NetMsmqBindingYesYes (default)NoYes

Which types of credentials a binding supports is largely a product of the target scenario for which the binding is designed. For example, all of the intranet bindings default to Windows credentials since they are used in a Windows environment, and the BasicHttpBinding defaults to no credentials, just like a classic ASMX web service. The odd default is that of the WSHttpBinding, which defaults to Windows credentials to enable the binding to be used over Transport security with minimum effort out of the box.

3.4. Message Security and Credentials

When it comes to using Message transfer security, WCF lets applications use the same types of credentials as with Transport security, with the addition of the issued token credential type. Again, when configured for Message security not all bindings support all client credential types, as shown in Table 3.

Table 3. Bindings and Message security client credentials
NameNoneWindowsUsernameCertificateIssued token
NetTcpBindingYesYes (default)YesYesYes
WSHttpBindingYesYes (default)YesYesYes
NetMsmqBindingYesYes (default)YesYesYes

While it makes sense that all intranet bindings that support Message security default to Windows credentials, it is interesting to note that the WSHttpBinding as Internet binding also defaults to Windows credentials, even though (as discussed later) Internet applications rarely use Windows credentials over HTTP. The reason for this default is to enable developers to securely use the WS binding out of the box, in its correct transfer security mode without resorting first to custom credentials stores.


The BasicHttpBinding supports username client credentials for Message security only when configured for Mixed mode. This may be a source of runtime validation errors, since the BasicHttpMessageCredentialType enum contains the BasicHttpMessageCredentialType.UserName value.

Top 10
Review : Sigma 24mm f/1.4 DG HSM Art
Review : Canon EF11-24mm f/4L USM
Review : Creative Sound Blaster Roar 2
Review : Philips Fidelio M2L
Review : Alienware 17 - Dell's Alienware laptops
Review Smartwatch : Wellograph
Review : Xiaomi Redmi 2
Extending LINQ to Objects : Writing a Single Element Operator (part 2) - Building the RandomElement Operator
Extending LINQ to Objects : Writing a Single Element Operator (part 1) - Building Our Own Last Operator
3 Tips for Maintaining Your Cell Phone Battery (part 2) - Discharge Smart, Use Smart
- First look: Apple Watch

- 3 Tips for Maintaining Your Cell Phone Battery (part 1)

- 3 Tips for Maintaining Your Cell Phone Battery (part 2)
- How to create your first Swimlane Diagram or Cross-Functional Flowchart Diagram by using Microsoft Visio 2010 (Part 1)

- How to create your first Swimlane Diagram or Cross-Functional Flowchart Diagram by using Microsoft Visio 2010 (Part 2)

- How to create your first Swimlane Diagram or Cross-Functional Flowchart Diagram by using Microsoft Visio 2010 (Part 3)
Popular Tags
Microsoft Access Microsoft Excel Microsoft OneNote Microsoft PowerPoint Microsoft Project Microsoft Visio Microsoft Word Active Directory Biztalk Exchange Server Microsoft LynC Server Microsoft Dynamic Sharepoint Sql Server Windows Server 2008 Windows Server 2012 Windows 7 Windows 8 Adobe Indesign Adobe Flash Professional Dreamweaver Adobe Illustrator Adobe After Effects Adobe Photoshop Adobe Fireworks Adobe Flash Catalyst Corel Painter X CorelDRAW X5 CorelDraw 10 QuarkXPress 8 windows Phone 7 windows Phone 8