What is the Difference Between Transport and Message Security in WCF

The main difference between Transport and Message Security in WCF is that transport security secures the actual transport (pipe) that carries the messages from a client to a service, while message security secures the messages themselves as they pass from the client to the service.

WCF, which stands for Windows Communication Foundation, allows developers to create service-oriented applications. WCF supports various protocols such as SOAP, XML, HTTP, HTTPS, etc. The main advantage of WCF is that it helps to connect applications developed using different programming languages and technologies. There are two types of security levels associated with WCF: transport security and message security.

Key Areas Covered

1. What is Transport Security in WCF
     – Definition, Features
2. What is Message Security in WCF
     – Definition, Features
3. What is the Difference Between Transport Security and Message Security in WCF
     – Comparison of Key Differences

Key Terms

HTTPS, Message Security, SOAP, SSL, Transport security, WCF

What is Transport Security in WCF

Transport security focuses on securing the transport medium through which the message passes from the client to the service. It uses Secure Sockets Layer (SSL) to establish point-to-point protection. The most common method is to use SSL to encrypt and sign the contents of the packets transmitted over HTTPS.

As this security mechanism depends on the transport medium, it provides fewer authentication options when compared to message security. Furthermore, if there are multiple intermediary systems between client and service, there should be a new SSL connection at each intermediate point.

What is Message Security in WCF

Message security uses the WS-Security specification to secure messages. The specification describes the confidentiality, integrity, and authentication that should be included in SOAP messages. Moreover, it encapsulates the user credentials and ensures that every message is using the WS-Security specification. In other words, this method applies security directly to the message. Therefore, message security is more secure than transport security.

However, encryption and decryption reduce performance in message security. Also, both the client and the service must understand the WS-Security specification, and there is no support for older technologies. Therefore, message security lacks interoperability.

Difference Between Transport and Message Security in WCF

Definition

Transport security is a mechanism in WCF that depends on the binding and the transport medium being used, while message security is a mechanism in WCF that uses the WS-Security specification to secure messages. Thus, this is the main difference between Transport and Message Security in WCF.
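The two mechanisms as they appear in a service configuration file. This is an added example, not configuration from the original article; the binding names, service and contract names, addresses and certificate subject are hypothetical placeholders.

```xml
<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <!-- Transport security: SSL/TLS on the HTTPS channel protects traffic
           between two adjacent hops only. -->
      <binding name="transportSecured">
        <security mode="Transport">
          <transport clientCredentialType="Windows" />
        </security>
      </binding>
      <!-- Message security: WS-Security signs and encrypts each SOAP message,
           so protection stays with the message across intermediaries. -->
      <binding name="messageSecured">
        <security mode="Message">
          <message clientCredentialType="UserName" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <behaviors>
    <serviceBehaviors>
      <!-- UserName message credentials require a service certificate so the
           client can encrypt the credential to the service. -->
      <behavior name="withServiceCert">
        <serviceCredentials>
          <serviceCertificate findValue="CN=services.example.com"
                              storeLocation="LocalMachine" storeName="My"
                              x509FindType="FindBySubjectDistinguishedName" />
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
  </behaviors>
  <services>
    <service name="Example.OrderService" behaviorConfiguration="withServiceCert">
      <!-- Same contract exposed twice, once per security mechanism. -->
      <endpoint address="https://services.example.com/orders/transport"
                binding="wsHttpBinding" bindingConfiguration="transportSecured"
                contract="Example.IOrderService" />
      <endpoint address="http://services.example.com/orders/message"
                binding="wsHttpBinding" bindingConfiguration="messageSecured"
                contract="Example.IOrderService" />
    </service>
  </services>
</system.serviceModel>
```

The credential type sits under the transport element in one binding and under the message element in the other, which is where the difference in authentication options discussed here shows up in practice.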

Authentication

Another difference between Transport and Message Security in WCF is that message security provides more flexibility for authentication than transport security.

Intermediary Systems

Moreover, one other difference between Transport and Message Security in WCF is that, in transport security, a new SSL connection is created at every intermediary point. In message security, there is no impact on intermediate hops in the network because the messages are secured.

Security Options

Besides, more security options are available in message security than in transport security. It is also possible to implement custom security in message security. Hence, this is another difference between Transport and Message Security in WCF.

Interoperability

Also, interoperability is a difference between Transport and Message Security in WCF. In transport security, the client and service do not have to understand the WS-Security specification. Therefore, it provides interoperability. In message security, on the other hand, both the client and the service must understand the WS-Security specification. So, there is no interoperability.

Performance

Performance is lower in message security than in transport security because each message is encrypted and decrypted. So, performance is a major difference between Transport and Message Security in WCF.

Conclusion

The main difference between Transport and Message Security in WCF is that transport security secures the actual transport (pipe) that carries the messages from a client to a service, while message security secures the message itself as it passes from the client to the service. In brief, transport security is more suitable when the client and service are in the same network, while message security works in both scenarios: the client and service in the same network or in different networks.

About the Author: Lithmee

Lithmee holds a Bachelor of Science degree in Computer Systems Engineering and is reading for her Master’s degree in Computer Science. She is passionate about sharing her knowledge in the areas of programming, data science, and computer systems.
