WCF: Observing Message ProtectionOrder

  • Article

WCF: Observing Message ProtectionOrder

  

Objective 1:

Impact of Protection Order

 

Objective 2:

How to observe/confirm that my request is signed and encrypted from WCF traces.

 

Objective 3:

Utilize the knowledge of reading WCF traces and apply the same for troubleshooting the INTEROPE scenarios.

 

 

Understanding:

https://msdn.microsoft.com/en-us/library/system.servicemodel.security.messageprotectionorder.aspx

 

Scope:

Via Protection Order, messages are secured using SOAP message security only (security mode=”Message” ).

Not available if we move to Transport Security (security mode=”TransportWithMessageCredentials” ).

However possible if we design a custom binding with Dual Layer of encryption - https://blogs.msdn.com/b/saurabs/archive/2013/05/03/wcf-dual-layer-encryption-message-transport.aspx .

 

 

 Available options:

 

 

 

Default:

SignBeforeEncryptAndEncryptSignature

 

 

 

Scenario 1:

Ignore the MessageProtection Order, let it be default :

Service:

 

   

Client Request:

  

   

 

Assessment:

To understand the Protection level on a soap envelope layer, refer this blog - https://blogs.msdn.com/b/saurabs/archive/2012/05/15/wcf-interop-understanding-protection-level.aspx

 

 Conclusion:

1. Request is Signed (with u:Id=”_0”) and Encrypted (with u:Id=”_1”)

2. To read them from traces, back trace this ID and identify the respective sections.

 

 

Queries:

1. I can’t find the Signature tag in Envelope, is my request signed .. ?

Yes, the request is signed but because of the default Protection order (SignBeforeEncryptAndEncryptSignature), the signature is Encrypted.

  

 

 

 

Scenario 2:

Let us try to play with default Protection Order so that we can

1. Observe WCF traces with proper Signing.  

2. Read the Signature Token

 

 Service:

 

 

 Client Request:

 

 

 

  

 

Assessment:

To understand the Protection level on a soap envelope layer, refer this blog - https://blogs.msdn.com/b/saurabs/archive/2012/05/15/wcf-interop-understanding-protection-level.aspx

 

 

Conclusion:

1. Request is Signed (with u:Id=”_2”) and Encrypted (with u:Id=”_3”)

2. To read them from traces, back trace this ID and identify the respective sections.

 

Queries:
I can’t find the Signature tag in Envelope, is my request signed .. ?

Yes, the request is signed but because of the default Protection order (SignBeforeEncryptAndEncryptSignature), the signature is Encrypted.

 

I hope this information helps us to review the WCF traces and identify the type of request being generated from client. The knowledge comes pretty handy in troubleshooting the INTEROP cases.