WCF (Windows Communication Foundation) is a distributed programming platform. Using WCF, you can create applications that function as both services and service clients. Security in WCF provides authentication, authorization, integrity and confidentiality.
Why is security needed in WCF?
In a distributed application, or on any network, there are malicious users who try to obtain sensitive information, impersonate services, alter messages and so on. This gives rise to a variety of message security threats.
Some examples of security threats are mentioned below.
- Phishing: a malicious user impersonates an online service
A malicious user acts as an online service and obtains the victim's user name, password, etc., then uses them to transfer funds into his own account. This is known as a phishing attack and is very common today: you have probably received e-mails asking for your user name and password, or telling you that you have won a lottery and asking for your account number so that the amount can be credited to it. If you provide the information, the malicious user transfers funds into his own account.
- Stealing sensitive information from Network Traffic
A spy from another country intercepts network traffic to obtain sensitive defence-related information and uses it to their advantage. Or, in online banking, a client transfers funds from one account to another; a malicious user intercepts the message and, now holding the account number and password, transfers funds into his own account.
- Alteration of messages to transfer funds in malicious user Account
The attacker intercepts messages sent over the network and alters the account number to which the deposit is made, so that the funds land in the malicious user's account.
- Malicious user or Hacker replays the purchase order
Eg. an online shopping website receives hundreds of copies of one captured order and sends items to customers who never ordered them.
- The service cannot prove that an authorised person indeed performed the transaction (repudiation).
This is why security is needed.
Windows Communication Foundation provides the basic security features that most distributed systems need. The big three protections, confidentiality, integrity and authentication (or CIA as I like to think of them; note that the A here stands for authentication, not the availability of the classic CIA triad), are provided by most standard Windows Communication Foundation bindings. If you don't want these protections you have to turn them off, because they are on by default.
When you hear people say "Windows Communication Foundation is secure by default", understand that they are probably talking about CIA in this sense.
2. Security Choices in Windows Communication Foundation
The first step in securing WCF is to define a security policy. When you expose a service endpoint you also select a binding, which determines the communication protocol and the message encoding format.
Example: for intranet communication, or for systems behind the firewall, the TCP protocol with binary message encoding is preferred. For Internet access, HTTP is the typical choice, with text or MTOM encoding depending on the message size.
You don't need to make just one choice: you can expose a contract over many bindings.
A standard set of bindings covers these protocol and encoding choices.
· NetTcpBinding is the right choice for binary TCP communications that cross machine boundaries.
· BasicHttpBinding is the right choice for HTTP communications that must support legacy Web service protocols.
· WSHttpBinding or WSFederationHttpBinding is the right choice for Web services that can leverage a richer set of standards, including those for secure communications.
Beyond bindings, behaviours supply the client and service credentials and affect how authorization is handled.
You can configure bindings and behaviours declaratively (in app.config or web.config) or through the runtime object model.
Each binding provides default security settings. The two important knobs are the security mode (transport versus message security) and the client credential type.
Transport Security
Transport security relies on the security mechanism of the underlying transport. The transports available are HTTP (secured with HTTPS/SSL), TCP, named pipes and MSMQ. The whole byte stream that crosses the channel is protected, not just the SOAP body.
Advantage of using Transport security:
It is the fastest option, it interoperates with non-WCF clients, and it reduces the chances of message alteration, network sniffing, impersonation of the service and replay of messages. The caveat is that the protection is point-to-point: any intermediary that terminates the connection (a proxy or load balancer) sees the plaintext.
Transport-level security provides
authentication of the service (and, depending on the client credential type, of the client), message integrity, confidentiality and replay detection.
When you configure security for WCF binding, you'll need to decide whether you want CIA to be provided at the transport level or at the message level.
If you configure wsHttpBinding for transport security, WCF itself will not supply CIA for your messages; the transport does, so the endpoint URI must use HTTPS. If you are hosting inside IIS, you need to install an SSL certificate for the Web site. If you are hosting in your own process and using HTTP.SYS directly, you need to register a certificate with HTTP.SYS, either programmatically or via a command-line tool (HTTPCFG.EXE on Windows XP/Server 2003, netsh http add sslcert on Windows Vista and later).
For an intranet where both client and service use WCF, netTcpBinding with transport security might be a better choice. It performs better due to its binary encoding.
Message Security
Message security is applied at the message layer and is transport independent, which gives maximum flexibility: the message can be routed over different transports and stay protected end to end. WS-Security defines the different ways to secure a message and the tokens that can be used. Message security is the slowest of the options in terms of performance.
Instead of providing CIA at the transport level, you can push these details down into the SOAP messages themselves by using message security.
Eg wsHttpBinding
By default it uses message-level security and assumes that the service and the client will identify and authenticate themselves using Windows credentials. The body and most headers are signed to maintain the integrity of the message, and the body is encrypted. An attacker looking at a message trace would see the SOAP envelope in the clear, but the SOAP body would contain an EncryptedData element full of base64-encoded ciphertext.
Mixed Mode
WCF also allows you to mix transport and message security (the TransportWithMessageCredential mode). Confidentiality, integrity and service authentication are provided at the transport level (so the entire byte stream is encrypted, not just the message body), while client authentication is performed at the message level. The client can then use WS-Security to send whatever shape of credential she wants.
Credentials
After deciding whether to use transport or message security (or mixed mode), and assuming you have not chosen a security mode of None, the next major decision is the shape of credential that the client and service will use.
A credential is used to prove identity.
WCF exposes this as the client credential type. For message security the options are None, Windows, UserName, Certificate and IssuedToken; for transport security they depend on the transport: None, Basic, Digest, Ntlm, Windows and Certificate over HTTP, and None, Windows and Certificate over TCP. Some options are not available in certain contexts; for example, mixed mode only makes sense over a transport that can itself provide CIA, such as HTTPS.
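The security mode and client credential choices described above, made through the runtime object model instead of in web.config. This is an added example written for this page, not code from the original article; it targets the .NET Framework WCF assemblies, and the contract IFoo, the addresses and the port numbers are placeholders. The two HTTPS endpoints will only open if a certificate has been bound to port 8443 on HTTP.SYS (netsh http add sslcert), as discussed in the transport security section.

```csharp
// Added example (not from the original article): the three security modes
// and their credential types built programmatically. IFoo, the addresses
// and ports are placeholders.
using System;
using System.ServiceModel;
using System.ServiceModel.Security;

[ServiceContract]
public interface IFoo { [OperationContract] string Echo(string s); }

public class Foo : IFoo { public string Echo(string s) => s; }

public static class SecureBindings
{
    // Transport security: HTTPS supplies CIA, the client sends no credential.
    public static BasicHttpBinding BasicOverHttps()
    {
        var b = new BasicHttpBinding(BasicHttpSecurityMode.Transport);
        b.Security.Transport.ClientCredentialType = HttpClientCredentialType.None;
        return b;
    }

    // Message security (wsHttpBinding's default): Windows credentials,
    // body signed and encrypted inside the SOAP envelope.
    public static WSHttpBinding MessageWithWindows()
    {
        var b = new WSHttpBinding(SecurityMode.Message);
        b.Security.Message.ClientCredentialType = MessageCredentialType.Windows;
        return b;
    }

    // Mixed mode: HTTPS for CIA, the client proves its identity with a
    // UserName token in the WS-Security header.
    public static WSHttpBinding MixedWithUserName()
    {
        var b = new WSHttpBinding(SecurityMode.TransportWithMessageCredential);
        b.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        return b;
    }

    // Intranet: binary TCP with transport security and Windows credentials
    // (this is also netTcpBinding's default).
    public static NetTcpBinding TcpWithWindows()
    {
        var b = new NetTcpBinding(SecurityMode.Transport);
        b.Security.Transport.ClientCredentialType = TcpClientCredentialType.Windows;
        return b;
    }
}

class Program
{
    static void Main()
    {
        var host = new ServiceHost(typeof(Foo));
        host.AddServiceEndpoint(typeof(IFoo), SecureBindings.BasicOverHttps(), "https://localhost:8443/foo/basic");
        host.AddServiceEndpoint(typeof(IFoo), SecureBindings.MixedWithUserName(), "https://localhost:8443/foo/ws");
        host.AddServiceEndpoint(typeof(IFoo), SecureBindings.TcpWithWindows(), "net.tcp://localhost:8444/foo");
        // The UserName token must be validated by something; here by Windows accounts.
        host.Credentials.UserNameAuthentication.UserNamePasswordValidationMode =
            UserNamePasswordValidationMode.Windows;
        host.Open();
        foreach (var ep in host.Description.Endpoints)
            Console.WriteLine($"{ep.Address} -> {ep.Binding.Name}");
        Console.WriteLine("Press Enter to stop.");
        Console.ReadLine();
        host.Close();
    }
}
```

Note what each constructor argument does to the wire: BasicHttpSecurityMode.Transport and SecurityMode.TransportWithMessageCredential both refuse to open on a plain http:// address, which is WCF enforcing the "transport must provide CIA" rule mentioned above, whereas SecurityMode.Message opens fine over http:// because the protection lives in the SOAP envelope.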
3. Default Security in Standard Bindings
The three most popular standard bindings are basicHttpBinding, wsHttpBinding and netTcpBinding.
The simplest is basicHttpBinding. It does not provide CIA by default: its security mode is None and everything travels in the clear.
This binding is secured by running it over HTTPS. For this you need to change the binding configuration so that WCF knows you will be using transport security (mode="Transport" on the binding's security element).
i). basicHttpBinding
Now deploy it in IIS and turn on SSL support for the virtual directory, installing a certificate for the Web site. If you deploy in IIS and plan to require client certificates, change the transport clientCredentialType to Certificate (and require client certificates in the site's SSL settings as well, otherwise IIS never asks the browser for one).
ii). wsHttpBinding
The next binding, wsHttpBinding, uses message security by default.
The default client credential type is Windows. You can switch this binding to TransportWithMessageCredential. Then an HTTPS endpoint provides authentication of the service, integrity and confidentiality, while the client credential stays in the SOAP Security header for flexibility; the whole SOAP envelope, header included, is encrypted by the transport.
There are some disadvantages, however, such as the lack of end-to-end security at the message level: once TLS is terminated, the message is in the clear.
iii). netTcpBinding
If you want raw speed for Web services on the intranet, use netTcpBinding.
This binding uses transport security with Windows credentials by default, so the endpoint needs no explicit security configuration:
binding="netTcpBinding" contract="IFoo" >
iv). Implement Transport security
SAMPLE WCF SERVICE
Step 1:
Click on New Project and select the WCF Service project template. Visual Studio generates a service contract (IService1, with the CompositeType data contract) and the following implementation:
using System.Runtime.Serialization;
using System.ServiceModel;
// IService1 and CompositeType come from the template's IService1.cs
// ([ServiceContract] and [DataContract] respectively).
public class Service1 : IService1
{
// Simple request/response operation used by the consumer below.
public string GetData(int value)
{
return string.Format("The Value entered: {0}", value);
}
// Shows a data contract travelling in both directions.
public CompositeType GetDataUsingDataContract(CompositeType composite)
{
if (composite.BoolValue)
{
composite.StringValue += "Add";
}
return composite;
}
}
Step 2: Enable transport security in the WsHttp binding
This is done with the binding's 'security' XML element in web.config: set its mode attribute to "Transport".
Step 3: Tie up the binding and specify the HTTPS configuration
Now use the 'bindingConfiguration' attribute of the endpoint to reference the binding by name. We also need to specify the address where the service is hosted, using https in the address attribute.
Change 'mexHttpBinding' to 'mexHttpsBinding' in the second (metadata) endpoint.
In the 'serviceMetadata' behaviour we also need to change 'httpGetEnabled' to 'httpsGetEnabled'.
Step 4: Make the application HTTPS enabled
Compile the WCF service project and host it in an IIS application with HTTPS enabled.
Code for consuming the service:
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using WebApplicationConsumer.ServiceReference1;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
namespace WebApplicationConsumer
{
public partial class _Default : System.Web.UI.Page
{
protected void Page_Load(object sender, EventArgs e)
{
// WCF's HTTPS transport goes through HttpWebRequest, so this process-wide
// callback decides whether the service certificate is trusted.
ServicePointManager.ServerCertificateValidationCallback = new RemoteCertificateValidationCallback(IgnoreCertificateErrorHandler);
Service1Client obj = new Service1Client();
Response.Write(obj.GetData(007));
}
// WARNING: returning true for every certificate switches off server
// authentication. Anyone who can intercept the connection can present any
// certificate and read or alter the traffic. This is only tolerable against
// a development self-signed certificate; never ship it.
public static bool IgnoreCertificateErrorHandler(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
return true;
}
}
}
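The handler above accepts every certificate, so the HTTPS endpoint authenticates nobody. As an added example (not code from the original article), here is the hardened form a practitioner would use instead: the default chain and host-name checks stay in force, and the service is additionally pinned to a known thumbprint. The thumbprint constant is a placeholder; replace it with the one shown for the certificate installed on the IIS site.

```csharp
// Added example (not from the original article): a validation callback that
// keeps server authentication instead of discarding it. ExpectedThumbprint
// is a placeholder value.
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

public static class ServerCertPolicy
{
    // SHA-1 thumbprint of the certificate installed on the IIS site (assumed).
    public const string ExpectedThumbprint = "0000000000000000000000000000000000000000";

    // Production policy: chain must be valid, name must match, and the
    // certificate must be the one we expect (pinning).
    public static bool ValidateServerCertificate(object sender, X509Certificate certificate,
        X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        if (sslPolicyErrors != SslPolicyErrors.None) return false;
        if (certificate == null) return false;
        var cert2 = new X509Certificate2(certificate);
        return string.Equals(cert2.Thumbprint, ExpectedThumbprint, StringComparison.OrdinalIgnoreCase);
    }

    // Development policy for a self-signed certificate: tolerate only the
    // untrusted-root chain error, and only for the pinned certificate.
    // A missing certificate or a host-name mismatch is still rejected.
    public static bool ValidateDevSelfSigned(object sender, X509Certificate certificate,
        X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        if ((sslPolicyErrors & SslPolicyErrors.RemoteCertificateNotAvailable) != 0) return false;
        if ((sslPolicyErrors & SslPolicyErrors.RemoteCertificateNameMismatch) != 0) return false;
        var cert2 = new X509Certificate2(certificate);
        return string.Equals(cert2.Thumbprint, ExpectedThumbprint, StringComparison.OrdinalIgnoreCase);
    }

    // Call once at application start (e.g. Application_Start in Global.asax).
    public static void Install(bool development)
    {
        ServicePointManager.ServerCertificateValidationCallback =
            development ? (RemoteCertificateValidationCallback)ValidateDevSelfSigned
                        : ValidateServerCertificate;
    }
}
```

Because ServicePointManager is process-wide, the callback also governs every other HTTPS call the web application makes, which is another reason not to leave a return-true handler in place. The cleaner fix for the development case is to import the self-signed certificate into the machine's Trusted Root store so that no callback is needed at all.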
Step 5: Now compile the application.
v). Implement Message Level Security
Step 1: Create client and server certificates using makecert (with exportable private keys, since both sides must sign).
Step 2:
In the web.config file of the WCF service, the serviceCertificate element of the service behaviour tells WCF which certificate in which store to use:
storeLocation="CurrentUser"
storeName="MyArticle"
x509FindType="FindBySubjectName" />
Step 3: Define bindings
I have defined the 'WsHttpBinding' with security mode Message and a message clientCredentialType of Certificate, specifying that the WCF client needs to send a certificate for validation.
Step 4: Tie the bindings with the endpoint
Use the 'bindingConfiguration' attribute as shown in the snippet below.
bindingConfiguration="wsHttpEndpointBinding" contract="WCFServiceCertificate.IService1">
Step 5: Make an application to consume the Web service
Compile the WCF service and reference it in the ASP.NET web application using 'Add Service Reference'. Below is the code where we reference the service and call its 'GetData' function.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using WebConsumer.ServiceReference1;
namespace WebConsumer
{
public partial class _Default : System.Web.UI.Page
{
protected void Page_Load(object sender, EventArgs e)
{
// The certificate handling lives in app.config (steps 6 and 7), so the
// generated proxy needs no extra code.
Service1Client obj = new Service1Client();
Response.Write(obj.GetData(12));
}
}
}
Step 6: Define certificates in the WCF client
In the client behaviour I have set the certificateValidationMode to 'PeerTrust' (the service certificate is accepted only if that exact certificate is present in the client's Trusted People store) and specified the client certificate name as 'WcfClient'.
Step 7: Tie up the behaviour with the endpoint on the WCF client
Now bind the behaviour using the 'behaviorConfiguration' attribute. We also need to specify the DNS value of the endpoint identity; it must match the subject name of the service certificate, otherwise WCF rejects the service's certificate.
bindingConfiguration="WSHttpBinding_IService1" contract="ServiceReference1.IService1"
name="WSHttpBinding_IService1"
behaviorConfiguration="CustomBehavior">
Step 8: Now run the application.
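The certificate-based message security of steps 2 to 7, with both sides configured in code so the whole exchange can be run from one console program. This is an added example written for this page, not the article's code. It assumes .NET Framework WCF, a service certificate with subject CN=WcfServer (the article only names the client certificate, WcfClient), both certificates with private keys in CurrentUser\My, and, because PeerTrust is used on both sides, each certificate also imported into CurrentUser\TrustedPeople. The address and port are placeholders.

```csharp
// Added example (not from the original article): mutual-certificate message
// security configured programmatically on service and client. Certificate
// subjects WcfServer/WcfClient, store locations and the address are assumptions.
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

[ServiceContract]
public interface IService1 { [OperationContract] string GetData(int value); }

public class Service1 : IService1
{
    public string GetData(int value) => string.Format("The Value entered: {0}", value);
}

public static class CertMessageSecurity
{
    // Same binding object on both sides; in config this is the named wsHttpBinding.
    public static WSHttpBinding Binding()
    {
        var b = new WSHttpBinding(SecurityMode.Message);
        b.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;
        // No secure-conversation handshake and no service-credential negotiation:
        // the client must already hold the service certificate (PeerTrust model).
        b.Security.Message.EstablishSecurityContext = false;
        b.Security.Message.NegotiateServiceCredential = false;
        return b;
    }

    public static ServiceHost OpenService(string address)
    {
        var host = new ServiceHost(typeof(Service1), new Uri(address));
        host.AddServiceEndpoint(typeof(IService1), Binding(), "");
        // Equivalent of the serviceCertificate element in the service behaviour.
        host.Credentials.ServiceCertificate.SetCertificate(
            StoreLocation.CurrentUser, StoreName.My, X509FindType.FindBySubjectName, "WcfServer");
        // PeerTrust: a client certificate is accepted only if it is in TrustedPeople.
        host.Credentials.ClientCertificate.Authentication.CertificateValidationMode =
            X509CertificateValidationMode.PeerTrust;
        // makecert certificates have no CRL, so revocation checking must be off.
        host.Credentials.ClientCertificate.Authentication.RevocationMode = X509RevocationMode.NoCheck;
        host.Open();
        return host;
    }

    public static string CallService(string address)
    {
        // The DNS identity is the step-7 'dns value': it must equal the service cert's subject.
        var endpoint = new EndpointAddress(new Uri(address), EndpointIdentity.CreateDnsIdentity("WcfServer"));
        var factory = new ChannelFactory<IService1>(Binding(), endpoint);
        // Equivalent of the clientCredentials behaviour in steps 6 and 7.
        factory.Credentials.ClientCertificate.SetCertificate(
            StoreLocation.CurrentUser, StoreName.My, X509FindType.FindBySubjectName, "WcfClient");
        factory.Credentials.ServiceCertificate.Authentication.CertificateValidationMode =
            X509CertificateValidationMode.PeerTrust;
        factory.Credentials.ServiceCertificate.Authentication.RevocationMode = X509RevocationMode.NoCheck;
        // Needed because NegotiateServiceCredential is false: the service cert
        // used to encrypt the request is taken from the local store.
        factory.Credentials.ServiceCertificate.SetDefaultCertificate(
            StoreLocation.CurrentUser, StoreName.My, X509FindType.FindBySubjectName, "WcfServer");

        IService1 channel = factory.CreateChannel();
        try { return channel.GetData(12); }
        finally { ((IClientChannel)channel).Close(); factory.Close(); }
    }
}

class Program
{
    static void Main()
    {
        const string address = "http://localhost:8000/Service1";
        using (var host = CertMessageSecurity.OpenService(address))
        {
            Console.WriteLine(CertMessageSecurity.CallService(address));
        }
    }
}
```

Two things worth checking when this fails: a MessageSecurityException about the identity means the DNS identity and the service certificate's CN disagree, and a SecurityNegotiationException about the chain means the peer's certificate is not in the TrustedPeople store of the side doing the validation. Note that the endpoint is plain http://, which is fine here precisely because the protection is in the message, not the transport.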