WCF - Interop - Understanding Protection Level

Article
05/14/2012

WCF: Interop – Understanding Protection level

Protection level is a very important parameter to consider while working on WCF Introp scenarios.

Can be defined on (only via code)

Service contract level
Operation contract level

[OperationContract(ProtectionLevel = ProtectionLevel.Sign)]

string GetData(int value);

It controls how the incoming soap envelope is protected.

Can be set to

None
Sign (Sign the message on channel to detect the tampering)
Encrypt and sign (We encrypt the message first and then sign on transport layer) - Default

Protocol to monitor - Https

Setting the protection level has no effect because the message protection is done by transport SSL channel.

Protocol to monitor – Http (Message Level security)

Binding: wsHttpBinding

Security Mode: Message

Client credential type: Windows

None

<s:Envelope xmlns:s="**https://www.w3.org/2003/05/soap-envelope**" xmlns:a="**https://www.w3.org/2005/08/addressing**" xmlns:u="**https://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd**"\>

<s:Header>

<a:Action s:mustUnderstand="1" u:Id=" _0">**https://tempuri.org/IService1/GetData**\</a:Action>

<a:MessageID u:Id=" _1">urn:uuid:9835df01-eacf-4de3-93da-ee499d2575bf</a:MessageID>

<a:ReplyTo u:Id=" _2">

<a:Address>**https://www.w3.org/2005/08/addressing/anonymous**\</a:Address>

</a:ReplyTo>

<VsDebuggerCausalityData xmlns="**https://schemas.microsoft.com/vstudio/diagnostics/servicemodelsink**"\>**uIDPo2OvlvNYy9JFjwf6RzamZbUAAAAAs5kMW26yME+NYRCJyD0Lg3t9nmlMx8FEg7kRSQ6SYWQACQAA**\</VsDebuggerCausalityData>

<a:To s:mustUnderstand="1" u:Id=" _3">**https://saurabh.fareast.corp.microsoft.com/Basic-Win-Authentication/Service1.svc/ws**\</a:To>

<o:Security s:mustUnderstand="1" xmlns:o="**https://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd**"\>

<u:Timestamp u:Id="uuid-d19e37cc-ed6d-4feb-ad77-ec3380b3fc23-11">

<u:Created>2012-05-14T15:31:16.821Z</u:Created>

<u:Expires>2012-05-14T15:36:16.821Z</u:Expires>

</u:Timestamp>

<c:SecurityContextToken u:Id="uuid-7c28e778-f95e-4ab4-8179-36bd09804f53-4" xmlns:c="**https://schemas.xmlsoap.org/ws/2005/02/sc**"\>

<c:Identifier>urn:uuid:22d2445c-8631-47f1-a359-7d199c74791a</c:Identifier>

</c:SecurityContextToken>

<c:DerivedKeyToken u:Id="uuid-d19e37cc-ed6d-4feb-ad77-ec3380b3fc23-9" xmlns:c="**https://schemas.xmlsoap.org/ws/2005/02/sc**"\>

<o:SecurityTokenReference>

<o:Reference ValueType="**https://schemas.xmlsoap.org/ws/2005/02/sc/sct**" URI=" #uuid-7c28e778-f95e-4ab4-8179-36bd09804f53-4"></o:Reference>

</o:SecurityTokenReference>

<c:Offset>0</c:Offset>

<c:Length>24</c:Length>

<c:Nonce>

</c:Nonce>

</c:DerivedKeyToken>

</Transforms>

<DigestValue>icP3uLduuYaZNB+XPxCuOjajXTY= </DigestValue>

</Reference>

</Transforms>

<DigestValue>KMBBbLR8BxTkZSK/GBLKP1Fpvbo= </DigestValue>

</Reference>

</Transforms>

<DigestValue>btTswQQ5Ejlht5cvs8HEPBxzwek= </DigestValue>

</Reference>

</Transforms>

<DigestValue>Idm7k0P/PtSijH2DQny429jUJQ8= </DigestValue>

</Reference>

</Transforms>

<DigestValue>CkUmvMHHiiQGT+rw2v7bZnAzBZk= </DigestValue>

</Reference>

</SignedInfo>

<SignatureValue>U4Mux4cOh3iVU5vIljFxwDZV8WU= </SignatureValue>

<o:SecurityTokenReference>

<o:Reference ValueType="**https://schemas.xmlsoap.org/ws/2005/02/sc/dk**" URI=" #uuid-d19e37cc-ed6d-4feb-ad77-ec3380b3fc23-9"></o:Reference>

</o:SecurityTokenReference>

</KeyInfo>

</Signature>

</o:Security>

</s:Header>

<s:Body>

</GetData>

</s:Body>

</s:Envelope>

We will start reading the request from bottom

<Body> , we don’t see any reference ID being set.

This request is neither signed, nor encrypted which demonstrate that service is set for Message Protection Level to None.

Sign

<s:Header>

<a:Action s:mustUnderstand="1" u:Id=" _1">**https://tempuri.org/IService1/GetData**\</a:Action>

<a:MessageID u:Id=" _2">urn:uuid:205c50bf-4c08-4072-b7c5-96692070e07c</a:MessageID>

<a:ReplyTo u:Id=" _3">

<a:Address>**https://www.w3.org/2005/08/addressing/anonymous**\</a:Address>

</a:ReplyTo>

<VsDebuggerCausalityData xmlns="**https://schemas.microsoft.com/vstudio/diagnostics/servicemodelsink**"\>**uIDPo7AtOAZmc2hJkz9L+T1ulSUAAAAAsnQgY8FC2EyK7b1lf2QRu0NoDNFdBTtNv19pMLwwUsoACQAA**\</VsDebuggerCausalityData>

<a:To s:mustUnderstand="1" u:Id=" _4">**https://saurabh.fareast.corp.microsoft.com/Basic-Win-Authentication/Service1.svc/ws**\</a:To>

<o:Security s:mustUnderstand="1" xmlns:o="**https://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd**"\>

<u:Timestamp u:Id="uuid-01537433-f8d6-4e8c-9ea9-5e71e557aa4b-11">

<u:Created>2012-05-14T16:05:20.856Z</u:Created>

<u:Expires>2012-05-14T16:10:20.856Z</u:Expires>

</u:Timestamp>

<c:SecurityContextToken u:Id="uuid-02f743a8-cd08-41c6-a778-bf5585fa2d94-4" xmlns:c="**https://schemas.xmlsoap.org/ws/2005/02/sc**"\>

<c:Identifier>urn:uuid:e8a39e0a-ec25-4ace-b5a7-2e5796b89b46</c:Identifier>

</c:SecurityContextToken>

<c:DerivedKeyToken u:Id="uuid-01537433-f8d6-4e8c-9ea9-5e71e557aa4b-9" xmlns:c="**https://schemas.xmlsoap.org/ws/2005/02/sc**"\>

<o:SecurityTokenReference>

<o:Reference ValueType="**https://schemas.xmlsoap.org/ws/2005/02/sc/sct**" URI=" #uuid-02f743a8-cd08-41c6-a778-bf5585fa2d94-4"></o:Reference>

</o:SecurityTokenReference>

<c:Offset>0</c:Offset>

<c:Length>24</c:Length>

<c:Nonce>

</c:Nonce>

</c:DerivedKeyToken>

</Transforms>

<DigestValue>HbPwZxiVYvX3g2ynC2BUl/5wbEc= </DigestValue>

</Reference>

</Transforms>

<DigestValue>JZ+f8jpEmpZwUjAcmPbIYKZ7CY0= </DigestValue>

</Reference>

</Transforms>

<DigestValue>lnPYs9v5zGLC+kui+8f/TeCiCVw= </DigestValue>

</Reference>

</Transforms>

<DigestValue>o3ibE52LCPwycD7dwAsKtJa+WMw= </DigestValue>

</Reference>

</Transforms>

<DigestValue>76WE+MS6o861k22454lBf6zwBfY= </DigestValue>

</Reference>

</Transforms>

<DigestValue>rQoBZCp4Rdgz1GOCUQ6tiqC5MGs= </DigestValue>

</Reference>

</SignedInfo>

<SignatureValue>nzCipxpr91tjuvTVtJk6rgHOsp0= </SignatureValue>

<o:SecurityTokenReference>

<o:Reference ValueType="**https://schemas.xmlsoap.org/ws/2005/02/sc/dk**" URI=" #uuid-01537433-f8d6-4e8c-9ea9-5e71e557aa4b-9"></o:Reference>

</o:SecurityTokenReference>

</KeyInfo>

</Signature>

</o:Security>

</s:Header>

<s:Body u:Id=" _0">

</GetData>

</s:Body>

</s:Envelope>

Observing the <body> tag. There is a u:Id specified, which point us to the fact that request is getting signed, using the “<Reference URI=" #_0">”

</Transforms>

<DigestValue>HbPwZxiVYvX3g2ynC2BUl/5wbEc= </DigestValue>

</Reference>

The request indicates that the service is set for Protection Level – Sign.

Encrypt and Sign

<s:Header>

<a:Action s:mustUnderstand="1" u:Id=" _2">**https://tempuri.org/IService1/GetData**\</a:Action>

<a:MessageID u:Id=" _3">urn:uuid:57cadde0-3216-4645-9220-2d22c20bfce3</a:MessageID>

<a:ReplyTo u:Id=" _4">

<a:Address>**https://www.w3.org/2005/08/addressing/anonymous**\</a:Address>

</a:ReplyTo>

<a:To s:mustUnderstand="1" u:Id=" _5">**https://saurabh.fareast.corp.microsoft.com/Basic-Win-Authentication/Service1.svc/ws**\</a:To>

<o:Security s:mustUnderstand="1" xmlns:o="**https://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd**"\>

<u:Timestamp u:Id="uuid-eb82ae89-9305-49b5-a987-640415b2e3bb-11">

<u:Created>2012-05-14T15:59:16.018Z</u:Created>

<u:Expires>2012-05-14T16:04:16.018Z</u:Expires>

</u:Timestamp>

<c:SecurityContextToken u:Id="uuid-8a2ff1ad-4948-4c74-aac9-1810cf703ca1-4" xmlns:c="**https://schemas.xmlsoap.org/ws/2005/02/sc**"\>

<c:Identifier>urn:uuid:1efe22cf-4fb4-417f-ac56-56b3efabd128</c:Identifier>

</c:SecurityContextToken>

<c:DerivedKeyToken u:Id="uuid-eb82ae89-9305-49b5-a987-640415b2e3bb-9" xmlns:c="**https://schemas.xmlsoap.org/ws/2005/02/sc**"\>

<o:SecurityTokenReference>

<o:Reference ValueType="**https://schemas.xmlsoap.org/ws/2005/02/sc/sct**" URI=" #uuid-8a2ff1ad-4948-4c74-aac9-1810cf703ca1-4"></o:Reference>

</o:SecurityTokenReference>

<c:Offset>0</c:Offset>

<c:Length>24</c:Length>

<c:Nonce>

</c:Nonce>

</c:DerivedKeyToken>

<c:DerivedKeyToken u:Id="uuid-eb82ae89-9305-49b5-a987-640415b2e3bb-10" xmlns:c="**https://schemas.xmlsoap.org/ws/2005/02/sc**"\>

<o:SecurityTokenReference>

<o:Reference ValueType="**https://schemas.xmlsoap.org/ws/2005/02/sc/sct**" URI=" #uuid-8a2ff1ad-4948-4c74-aac9-1810cf703ca1-4"></o:Reference>

</o:SecurityTokenReference>

<c:Nonce>

</c:Nonce>

</c:DerivedKeyToken>

<e:ReferenceList xmlns:e="https://www.w3.org/2001/04/xmlenc\# ">

<e:DataReference URI=" #_1"></e:DataReference>

<e:DataReference URI=" #_6"></e:DataReference>

</e:ReferenceList>

<e:EncryptedData Id=" _6" Type="**https://www.w3.org/2001/04/xmlenc\#Element**" xmlns:e="https://www.w3.org/2001/04/xmlenc\# ">

<e:EncryptionMethod Algorithm="**https://www.w3.org/2001/04/xmlenc\#aes256-cbc**"\>\</e:EncryptionMethod>

<o:SecurityTokenReference>

<o:Reference ValueType="**https://schemas.xmlsoap.org/ws/2005/02/sc/dk**" URI=" #uuid-eb82ae89-9305-49b5-a987-640415b2e3bb-10"></o:Reference>

</o:SecurityTokenReference>

</KeyInfo>

<e:CipherData>

<e:CipherValue>t77fNahVJ+3G65Ja74PyiHP7KmpjogwuGS3k5QyPTTe6SiNn1/ONlsTqP577WUPA3fscZ4adHseBtndZdE2o63FHwkcczNJLvD0BNeCaSJP1Jff8DcG7k0yQt2HHHvoyXdjBjDODFW/Vt770srqgl9sibcCE/WgM1pEhL+NmxyUGd9NR9sQEVw5Tt2QbWWsD1MPF/82NnuzO7LidFEXadaYmrqOYqWzSjqUui35YqqU/B16Z4v15+9QaMdGCCR8vGS9fPMI6wVSadrrXYyownFjaJmcN7gN4WTHva7NQ/zMxtxCnJMFJo5O/Con5Xp9vM6/FnlEzLwgHITzrhllVqgGgqp3GCw8ITPBuckUnrLb8hoNNp0jamnwbl5iSJ7XAjjck6YL1zwFrAHoQ0nfLY2BgeUh1rP0LMtrUsbRAwvsVyMpFl/dma9cAjorhjf8AqeWglfgdruUFD60xiajeQJUBw7w4lw0Tht4bGMMwyaDqOaZauNtNWRYrC69sog4exhBNmX5OkrKBDKiBwdQpwOGjkhUCWzwIkzPvJFLFI39O7XNg5kUZ84Zp6Uqha+NkuN18FFaQHHKYHjwLV7PzgPeswqLPG3rjwMiuED/s4hjNRvFbnVgQnnc8sN2nBhump4J6ZwX+M81iws2p+FaOAxXSPbTJFSZU6L9I4PyY4eItNsYMwP4rrQ+Vs/9hjhnYv7jTWl4pugdabmjlIalBO/ROTrq8PsvXke6dy2h5K/fdWbI5Kya5/E0J68G/OaE+WpF6Q75nauCWk2PzVBI4P/ETBb0fAPlsLVKidPcEcqPEsRoQeX17COZtk2PejEZkMFMXAh77VLgOI28Oo6epYPHBi4Ce+H4IReiP/Fw7qDVu/ljBJ9wwshpYAkRTKVvLhA9hi5djXEl5dNuzj2bArXTBjBKUbX0qe75YKhg3zWRaPvBDSMguSb0iNVr88ROMjCM1PUGY9407gole3hDX68WxOSALqNdVo3KNne34Y+iF7j8sQp0pfhGHOu7f+4eRVqqxHkNp9PTdtA4L8q0/WLoF++UIKFwQcRnELv79xhhC06MVV9GqVUJlRXozcQMvtusdlcXnSENVw7GRYvdRyGYziW0VIEpPvn1yjDGmMtL/WkYjLDRAbqYxeqbcMzvBb3cTg4VFBKZ815y8BL6gA4P+c7M/Ywx56UlWH4XByh/UrmhpXpOl5WrfIb5xNlpn3mTf/4PAXvjdWzfNzm0e5rcL7e+J1nXBB78spw2Bs01zCoSmXEvkHsWBDgjFAe7RTZH4gch3tP4GbglmWTl6uqQGgfztHfg4KgxNIBAgK13IPb4tOetPJ7WzRukT7R1GgIrsnFQj10EUdYnge0P3ma7XrwsEsu+4O398gfqSHZ/1ke+DBcSAHSltSTGUzbCWglaKz4Bmbf6tFHSyTwvBTYwZ515tqPxnSQD4KjG82CSLm/Vsfs585rRxEwpuQt1B7TSfAZl0/05leVVsYdYtxyGkDtIt9SHzE6uq9L8LmSFrrKRPrPXjCTlrQa3F6R4ThCrD9pfTt+8M56Av3ZMRJa+GuB8tPjSRltI5kfQ62BzMq+A8c0RDmtdGYZw+rK75uy3t5jye9X2U8ELkEPHfSWL8fk22D1tYEhroTT5hu2DPZdY4QNRAli4UP5WYP48p/fEekC4Q+RhXj0WmJVaYPg/ZkMvWaxWUa1gjZQ8bkK1bRo0R5+L+lTYMVbHi+jf7PjffYRPCVxH0J9oJUo7wedKnrAGOK064fNM0lGBkUMys0SPV1rf1RSteCXGWCHiD1w/0USatk+3s5OkYK3hjbt2Y0niNYNi2F4T/Qkg8of7zo0wzsQQKjrZJgkQdH29+9ADRSIVZUA564CfD6dhHLyiRV7gDSgN+wScJEyp+w6m0e690K5RgXpFvaUkO5V7FlT7HW/WckH/3XKH86gynWwzUzwycuObE9G/SDRB1RdmvgAP3eDtqfElwOxMQzDFC+OT7lpnXo2PsEreUSmy42fi8Qz9S1v8/Y1yBbobbXVowhftBrX4EthmgdJtIhOxLFEFLbZHSkcycFzZWZ7L1yvexsMXmZ3YMqp/oGGNfl0xWLM2cajTtgnAKjVIPWcs7vLcCmNwG/PLQ7zdWkP+EwHK01zkK7XextgEyfLTYWrjCGb0DHDZhh+PveU3pYksoStzGhJ0YDBZNRau3gVZ6x/JU99VVZdCP7Q7r/vb2Mxa+aJwR7WOVdZcYuNkjGfhheE2Cc6p5BuQ4hQQehk45U6Iwd9XfCm+2geeAQ9cVwx7aBqWwkOPgKOyxdWIM+exdRd/wXceQYEjPv2IfT3G9YLxHeoxIkTmDsJzMUXbMW1halqOy3ffPnEav/XXvjmGLCNlzM2o88ZLVccAmNvSMD0f0+Txjh/VYR9yfXte+/8gnaow4Ekg0bA9Ku7TgKsgaD0vfpr71SN/Cih2yp2l56RYiP/pDUtxvgGkPISEf69FUqSeXm3TWwA5EYSWn+q7izQAINc2Y+gjjfA/s57RkJ+ov2dfyntvDdUwqFpHPDB+aOJ10FMfCLDE4nH6z60LK8ke65S8NTaP38bfkZXDUKrjInvmBsMaYdF/ILg8cVUgrFNSAPGgYiosBcj5WF24YAFrVmNWg0jDf6hm0crtBCpQO4DNr5SRQQ6BzqRd8gjvyWxEcjSfeaUy9Wva6pZ1zFDeMT30q5CCIE3UjUM8LrQCJlE1I2EFyos5I1811vIRcmhm3okQAdyWjR8aFn4pwgZHS76mRkHxeYzyijGU/stXrabQVD+BUyBU+W/R6GEeAnYWqmjla54JMdB4Lh2aY</e:CipherValue>

</e:CipherData>

</e:EncryptedData>

</o:Security>

</s:Header>

<s:Body u:Id=" _0">

<e:EncryptedData Id=" _1" Type="**https://www.w3.org/2001/04/xmlenc\#Content**" xmlns:e="https://www.w3.org/2001/04/xmlenc\# ">

<e:EncryptionMethod Algorithm="**https://www.w3.org/2001/04/xmlenc\#aes256-cbc**"\>\</e:EncryptionMethod>

<o:SecurityTokenReference xmlns:o="**https://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd**"\>

<o:Reference ValueType="https://schemas.xmlsoap.org/ws/2005/02/sc/dk" URI="#uuid-eb82ae89-9305-49b5-a987-640415b2e3bb-10"></o:Reference>

</o:SecurityTokenReference>

</KeyInfo>

<e:CipherData>

<e:CipherValue>1Sd5I5+oBJo+TlEsYBkahlG7RRN2+XzumVPbjCTWYYi7DXFk8tJh3oEGXD8uv4VOD0OvFuBZTopgikHaFf+MmysoZ1R3NfaGneUZIUfBRUXgG9FiOdanXP+pSS161CRY</e:CipherValue>

</e:CipherData>

</e:EncryptedData>

</s:Body>

</s:Envelope>

Observing <body> tag.

The request clearly contain two Id’s

u:Id=" _0"
e:EncryptedData Id=" _1"

The first u:Id indicates the request is getting signed

The second e:Id indicates the reference used for encryption.

<e:ReferenceList xmlns:e="https://www.w3.org/2001/04/xmlenc\# ">

<e:DataReference URI=" #_1"></e:DataReference>

<e:DataReference URI=" #_6"></e:DataReference>

</e:ReferenceList>

<KeyInfo> tag point us to “Security Token Reference” and then to specific UUID - eb82ae89-9305-49b5-a987-640415b2e3bb-10 .

<c:DerivedKeyToken u:Id="uuid-eb82ae89-9305-49b5-a987-640415b2e3bb-10" xmlns:c="**https://schemas.xmlsoap.org/ws/2005/02/sc**"\>

<o:SecurityTokenReference>

<o:Reference ValueType="**https://schemas.xmlsoap.org/ws/2005/02/sc/sct**" URI=" #uuid-8a2ff1ad-4948-4c74-aac9-1810cf703ca1-4"></o:Reference>

</o:SecurityTokenReference>

<c:Nonce>

</c:Nonce>

</c:DerivedKeyToken>

This derived security token pointing to another URI URI=" #uuid-8a2ff1ad-4948-4c74-aac9-1810cf703ca1-4".

Which is nothing but our main security context token.

<c:SecurityContextToken u:Id="uuid-8a2ff1ad-4948-4c74-aac9-1810cf703ca1-4" xmlns:c="**https://schemas.xmlsoap.org/ws/2005/02/sc**"\>

<c:Identifier>urn:uuid:1efe22cf-4fb4-417f-ac56-56b3efabd128</c:Identifier>

</c:SecurityContextToken>

Clearly, Last request is created for a WCF service running with default Protection level (i.e. Encrypt and Sign)

Understanding the soap request can really help in working on WCF introp scenarios.

WCF - Interop - Understanding Protection Level

Additional resources