SYMMETRIC BINDING (WHEN ONLY THE SERVER HAS THE X509 CERT)
In the derived-key scenario –
Two keys are generated from the symmetric key (the derived keys). One key is used for encryption, while the other is used for signing. The client encrypts both derived keys.
ASYMMETRIC BINDING (BOTH CLIENT AND SERVER HAVE X509 CERT)
Although derived keys can be used for asymmetric binding as well, they are of no use there, as encryption and signing already happen with different keys.
If you want to use asymmetric binding, you can ONLY do it via code; configuration alone will not suffice. First create a custom binding inheriting from the Binding class. Then add a BindingExtension and use that binding extension in the endpoint binding configuration.
WCF by default uses a SYMMETRIC KEY with DERIVED KEYS on. You cannot switch DERIVED KEYS off UNLESS you create a 'custom binding'.
Best of both worlds –
If negotiateServiceCredential="true", the public key is given to the client at the beginning of the transaction; however, note that IT IS NOT INTEROPERABLE.
To make it interoperable, the public key has to be given to the client by an out-of-band mechanism.
Since the client has the public key part of the certificate, it can verify the service (by checking the trusted CA store). The client authenticates the server by using the <identity> element inside the <client> element.
Note – Even if the ProtectionLevel of an operation is set to None, its body will be in clear text BUT its message header will have an encrypted section, as client credentials are being passed.
Even if the client has its own private key for authentication to the service, WCF defaults to symmetric binding with DERIVED keys. If you want to override this behavior (i.e. use asymmetric binding), you have to programmatically create a custom binding and use it at both the client and the service end.
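As an added example (not code from the original post), the two cases above built as programmatic CustomBindings: a symmetric binding with derived keys switched off, and an asymmetric mutual-certificate binding. The class and method names are mine; certificates are supplied by the caller through the usual credential behaviors.

```csharp
using System.ServiceModel.Channels;
using System.ServiceModel.Security.Tokens;

// Added example: the two message-security variants described above, built as
// programmatic CustomBindings (class and method names are assumptions).
public static class MessageSecurityBindings
{
    // Symmetric binding (only the server has an X.509 cert): the client creates
    // a symmetric key, encrypts it to the server's public key and, by default,
    // derives separate signing and encryption keys from it. The client's
    // username credentials travel encrypted in the WS-Security header.
    // requireDerivedKeys = false switches derived keys off, which the post
    // notes cannot be done through configuration alone.
    public static CustomBinding SymmetricServerCertOnly(bool requireDerivedKeys)
    {
        SymmetricSecurityBindingElement sec =
            SecurityBindingElement.CreateUserNameForCertificateBindingElement();
        sec.SetKeyDerivation(requireDerivedKeys); // WCF default is true
        return Build(sec);
    }

    // Asymmetric binding (both sides have an X.509 cert): the initiator token
    // (client cert) signs and the recipient token (server cert) encrypts, so
    // signing and encryption already use different keys and derived keys add
    // nothing. Only code can express this; the standard bindings cannot.
    public static CustomBinding AsymmetricMutualCert()
    {
        var sec = new AsymmetricSecurityBindingElement(
            // recipient token: server cert, referenced by thumbprint, never sent
            new X509SecurityTokenParameters(
                X509KeyIdentifierClauseType.Thumbprint, SecurityTokenInclusionMode.Never),
            // initiator token: client cert, included in every request so the
            // service can verify the signature
            new X509SecurityTokenParameters(
                X509KeyIdentifierClauseType.Thumbprint, SecurityTokenInclusionMode.AlwaysToRecipient));
        sec.SetKeyDerivation(false);
        return Build(sec);
    }

    // Element order matters: security, then message encoding, then transport.
    private static CustomBinding Build(SecurityBindingElement security)
    {
        return new CustomBinding(
            security,
            new TextMessageEncodingBindingElement(),
            new HttpTransportBindingElement());
    }
}
```

The same binding must be constructed on both the client and the service side; the client still needs the service certificate (out of band, per the interoperability note above) set via ClientCredentials.ServiceCertificate, and its own certificate via ClientCredentials.ClientCertificate for the asymmetric case.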