Reputation: 40506
I have a .NET 4.0 project with two modules that will communicate via WCF services and I'd like to implement a custom encryption mechanism.
My scenario:
I control both endpoints (client and server) but not the connection between them
Windows auth is out of the question, since I do not know at this point where the modules will be deployed and most likely they'll be on different domains
I'd like to intercept the messages at some point and apply a custom encryption/decryption with a key that will be properly configured on both the server and the client, so if someone manages to intercept a message they wouldn't be able to decrypt it.
I'd like to exchange data using binary serialization
I don't want to deal with setting up certificates on either the client or server side
Can anyone point out what would be the most obvious solution to implement this scenario using WCF?
Upvotes: 1
Views: 1457
Reputation: 364249
I would say that you don't want security - a static key for encrypting messages with a symmetric encryption algorithm is just a notion of security.
Anyway, if you want to do that, there are really extension points which will allow you to do that on many different levels.
IMessageInspector which will deal with encryption and decryption of the message body. Headers will still be in plain text, which is necessary unless you want to change many other things in WCF processing. You can wrap the inspector in a custom IEndpointBehavior and use it either imperatively in the code or declaratively in the configuration (you will also need to implement a custom BehaviorExtensionElement).
IOperationBehavior or some data marked with IContractBehavior behavior and using IParameterInspector to decrypt and encrypt value.
You have control over both client and server - use certificates instead of fake security.
Upvotes: 2
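Added example, not code from either post: one way to follow the answer's closing advice while keeping the asker's constraints (no Windows auth, binary encoding, one value configured on each side) is net.tcp transport security with each side pinning the other's certificate thumbprint. The names PinnedCertValidator and PinnedTcp, the parameters and the certificate store locations are assumptions made for illustration.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;
// Hypothetical helper (not from the answer): trusts exactly one peer certificate, by thumbprint.
public sealed class PinnedCertValidator : X509CertificateValidator
{
    private readonly string _pin;
    public PinnedCertValidator(string thumbprint) { _pin = thumbprint.Replace(" ", ""); }
    public override void Validate(X509Certificate2 certificate)
    {
        if (certificate == null ||
            !string.Equals(certificate.Thumbprint, _pin, StringComparison.OrdinalIgnoreCase))
            throw new SecurityTokenValidationException("Peer certificate does not match the pin.");
    }
}

public static class PinnedTcp // hypothetical name
{
    // NetTcpBinding uses WCF's binary encoding; Transport mode runs it over an SSL/TLS stream.
    public static NetTcpBinding Binding()
    {
        var b = new NetTcpBinding(SecurityMode.Transport);
        b.Security.Transport.ClientCredentialType = TcpClientCredentialType.Certificate;
        return b;
    }
    // Server side: present our own certificate, accept only the pinned client certificate.
    public static ServiceHost Host(Type service, Type contract, Uri address, string ownThumb, string peerThumb)
    {
        var host = new ServiceHost(service);
        host.AddServiceEndpoint(contract, Binding(), address);
        // Store location is an assumption; use wherever the private key is installed.
        host.Credentials.ServiceCertificate.SetCertificate(StoreLocation.LocalMachine, StoreName.My, X509FindType.FindByThumbprint, ownThumb);
        var auth = host.Credentials.ClientCertificate.Authentication;
        auth.CertificateValidationMode = X509CertificateValidationMode.Custom;
        auth.CustomCertificateValidator = new PinnedCertValidator(peerThumb);
        return host;
    }
    // Client side: certDnsName must match the subject name on the server certificate.
    public static ChannelFactory<T> Client<T>(Uri address, string certDnsName, string ownThumb, string peerThumb)
    {
        var factory = new ChannelFactory<T>(Binding(),
            new EndpointAddress(address, EndpointIdentity.CreateDnsIdentity(certDnsName)));
        factory.Credentials.ClientCertificate.SetCertificate(StoreLocation.CurrentUser, StoreName.My, X509FindType.FindByThumbprint, ownThumb);
        var auth = factory.Credentials.ServiceCertificate.Authentication;
        auth.CertificateValidationMode = X509CertificateValidationMode.Custom;
        auth.CustomCertificateValidator = new PinnedCertValidator(peerThumb);
        return factory;
    }
}
```

Only thumbprints appear in configuration; the private keys stay in the Windows certificate store on each machine, and the session keys are negotiated per connection instead of being a static shared secret.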