Encrypt Message with TCP-based in WCF
By : Kasim Wirama, MCDBA, MVP SQL Server
Messages transported from the client to the WCF service, and back again, need to be encrypted. Several encryption algorithms are available for protocols such as HTTP or TCP. Whichever algorithm and protocol you choose, the client and the WCF service must use the same one; otherwise the message cannot be decrypted at its destination.
There are two levels at which a message can be encrypted: transport level and message level. Transport-level security relies on the operating system to encrypt the connection, usually with SSL, which can run over HTTPS or over TCP. Transport-level security is the more efficient of the two. However, if the message is routed through an intermediate point before it reaches its destination, you cannot rely on transport-level security, because the intermediary terminates the secure channel; in that case you need message-level security, which protects the message body itself end to end.
In this article I illustrate how to implement message-level security in a Windows environment over the TCP protocol binding (netTcpBinding). You need a WCF service and a WCF client; the process of creating them is described in my earlier WCF articles in the WCF section (http://geeks.netindonesia.net/blogs/kasim.wirama/archive/tags/Windows+Communication+Foundation+_2800_WCF_2900_/default.aspx).
WCF service
Open the configuration file (web.config if the service is hosted in IIS, app.config if it is not) in the Service Configuration Editor and create a new netTcpBinding in the Bindings folder. On the Security tab (right pane), set Mode to Message, because we want message-level security; set the algorithm suite to Basic256 (the default, and stronger than Basic128); and, because the client must supply its Windows credential, set MessageClientCredentialType to Windows.
Create a new endpoint in the Endpoints folder of the service item in the Services folder. Set its Binding property to netTcpBinding, set its BindingConfiguration property to the binding you just created, specify the Contract, and set the TCP address (for example net.tcp://localhost:9000/Service/Service.svc). The WCF client must use exactly this address, otherwise it cannot locate the service.
WCF client
Create a netTcpBinding configuration with the same steps as on the WCF service side, and attach the binding to the client's TCP endpoint. The endpoint is configured just as on the service side, except that on the service it lives under the Services/Endpoints folder, whereas on the client it lives under the Client/Endpoints folder.
In the Main program, pass the name of that TCP endpoint as the input parameter when instantiating the proxy.
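The configuration that the editor steps above produce, shown here as an added example rather than a file from the original article, is two separate files: the service's app.config (or web.config under IIS) and the client's app.config. The binding name `SecureTcpBinding`, the service type `DemoService.Service`, the contract `DemoService.IService` and the client endpoint name `SecureTcpEndpoint` are assumed names; the address is the one used in the article.

```xml
<!-- ===== Service side: app.config (or web.config under IIS) ===== -->
<configuration>
  <system.serviceModel>
    <bindings>
      <netTcpBinding>
        <!-- assumed binding name; Mode=Message, Windows credentials, Basic256 -->
        <binding name="SecureTcpBinding">
          <security mode="Message">
            <message clientCredentialType="Windows" algorithmSuite="Basic256" />
          </security>
        </binding>
      </netTcpBinding>
    </bindings>
    <services>
      <!-- assumed service type and contract names -->
      <service name="DemoService.Service">
        <endpoint address="net.tcp://localhost:9000/Service/Service.svc"
                  binding="netTcpBinding"
                  bindingConfiguration="SecureTcpBinding"
                  contract="DemoService.IService" />
      </service>
    </services>
  </system.serviceModel>
</configuration>

<!-- ===== Client side: app.config ===== -->
<configuration>
  <system.serviceModel>
    <bindings>
      <netTcpBinding>
        <!-- must match the service's binding: same mode, credential type and suite -->
        <binding name="SecureTcpBinding">
          <security mode="Message">
            <message clientCredentialType="Windows" algorithmSuite="Basic256" />
          </security>
        </binding>
      </netTcpBinding>
    </bindings>
    <client>
      <!-- assumed endpoint name; this is the string passed to the proxy constructor -->
      <endpoint name="SecureTcpEndpoint"
                address="net.tcp://localhost:9000/Service/Service.svc"
                binding="netTcpBinding"
                bindingConfiguration="SecureTcpBinding"
                contract="DemoService.IService" />
    </client>
  </system.serviceModel>
</configuration>
```

The client proxy is then created as `new ServiceClient("SecureTcpEndpoint")`, where `ServiceClient` stands for whatever name the generated proxy class has. Two things are worth checking when the call fails: the `<security>` element must be identical on both sides (a client left at the netTcpBinding default of Transport mode will not be able to talk to a Message-mode service), and if the service runs under a domain user account rather than a machine account, the client endpoint may additionally need an `<identity>` element naming the service's user or service principal so that the Windows credential negotiation can succeed.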
Trace configuration
To see what the encryption looks like on the wire, configure tracing on the WCF service. Open the application configuration file with the Service Configuration Editor; in the Diagnostics folder, enable MessageLogging, and in the MessageLogging item set the properties LogEntireMessage (so that the message body is logged), LogMessagesAtServiceLevel and LogMessagesAtTransportLevel to true. In the Sources folder, change the Trace Level property of System.ServiceModel.MessageLogging from Warning (the default) to Verbose. In the Listeners folder, configure the ServiceModelMessageLoggingListener: set its initData property to the path of the trace output file, uncheck all the checkboxes under TraceOutputOptions (they are not needed when everything runs on a single machine), and set typeName to XmlWriterTraceListener.
Save the configuration file and run the project: start the WCF service first, then run the WCF client. After the client has closed its proxy, open the trace file (the one named in the initData property) with Microsoft Service Trace Viewer (found in the Tools folder of the Microsoft Windows SDK v6.0A program folder). Open the Message tab in the left pane and locate your Action (under the default namespace www.tempuri.org or your own namespace). Click the first entry and look at the XML content in the Message tab at the lower right: in the Body section of the message you will find the encrypted content inside an <e:CipherData> element. This is the message as logged at the transport level, before message-level decryption. The second entry shows the same message unencrypted; it was logged after message-level decryption, on its way to the service level.
Message-level security is therefore easy to implement: it is done almost entirely in the application configuration, with practically no changes to the code.
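The XML that the tracing steps above write into the service's configuration file, as an added example and not a fragment from the original article. The only assumed value is the output path `C:\logs\messages.svclog` (the article leaves the initData path to the reader); the listener name and the source name are the ones the article uses.

```xml
<configuration>
  <system.serviceModel>
    <diagnostics>
      <!-- LogEntireMessage=true so the body, not just headers, is written;
           logging at both transport and service level gives one encrypted
           and one decrypted copy of each message -->
      <messageLogging logEntireMessage="true"
                      logMalformedMessages="false"
                      logMessagesAtServiceLevel="true"
                      logMessagesAtTransportLevel="true"
                      maxMessagesToLog="3000"
                      maxSizeOfMessageToLog="2000" />
    </diagnostics>
  </system.serviceModel>
  <system.diagnostics>
    <sources>
      <!-- Trace Level raised from the default Warning to Verbose -->
      <source name="System.ServiceModel.MessageLogging" switchValue="Verbose">
        <listeners>
          <add name="ServiceModelMessageLoggingListener" />
        </listeners>
      </source>
    </sources>
    <sharedListeners>
      <!-- typeName=XmlWriterTraceListener; initData is the trace output file
           (assumed path); traceOutputOptions="None" = all checkboxes unchecked -->
      <add name="ServiceModelMessageLoggingListener"
           type="System.Diagnostics.XmlWriterTraceListener"
           initializeData="C:\logs\messages.svclog"
           traceOutputOptions="None" />
    </sharedListeners>
    <trace autoflush="true" />
  </system.diagnostics>
</configuration>
```

Because LogEntireMessage is on and the service-level copy is the decrypted message, this trace file contains plaintext request and response bodies; keep it to a development machine, and turn logMessagesAtServiceLevel off (or the whole messageLogging element) before the configuration goes anywhere near production.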