The main difference between Transport and Message Security in WCF is that transport security secures the actual transport (the pipe) that carries messages from a client to a service, while message security secures the messages themselves as they pass from the client to the service.
WCF, which stands for Windows Communication Foundation, allows developers to create service-oriented applications. WCF supports various protocols such as SOAP, XML, HTTP, HTTPS, etc. The main advantage of WCF is that it helps to connect applications developed using different programming languages and technologies. There are two types of security levels associated with WCF: transport security and message security.
Key Areas Covered
1. What is Transport Security in WCF
– Definition, Features
2. What is Message Security in WCF
– Definition, Features
3. What is the Difference Between Transport Security and Message Security in WCF
– Comparison of Key Differences
Key Terms
HTTPS, Message Security, SOAP, SSL, Transport security, WCF
What is Transport Security in WCF
Transport security focuses on securing the transport medium through which the message passes from the client to the service. It uses Secure Sockets Layer (SSL) to establish point-to-point protection. The most common method is to use SSL to encrypt and sign the contents of the packets, which are then transmitted over HTTPS.
As this security mechanism depends on the transport medium, it provides fewer authentication options when compared to message security. Furthermore, if there are multiple intermediary systems between client and service, there should be a new SSL connection at each intermediate point.
What is Message Security in WCF
Message security uses the WS-Security specification to secure messages. The specification describes the confidentiality, integrity, and authentication measures that should be included in SOAP messages. Moreover, it encapsulates the user credentials in the message and ensures that every message follows the WS-Security specification. In other words, this method applies security directly to the message. Therefore, message security is more secure than transport security.
However, encryption and decryption reduce performance in message security. Also, both the client and the service must understand the WS-Security specification, and there is no support for older technologies. Therefore, message security lacks interoperability.
Difference Between Transport and Message Security in WCF
Definition
Transport security is a mechanism in WCF that depends on the binding and the transport medium being used, while message security is a mechanism in WCF that uses the WS-Security specification to secure messages. Thus, this is the main difference between Transport and Message Security in WCF.
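The two modes side by side in a WCF configuration file, as an added example that is not from the original article. The service name, contract, addresses, binding names and certificate subject are hypothetical; the elements and attributes are the standard `system.serviceModel` ones.

```xml
<!-- Added example: Example.OrderService, service.example and the binding names are hypothetical -->
<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <!-- Transport security: the HTTPS channel protects traffic between two adjacent hops only -->
      <binding name="TransportSecured">
        <security mode="Transport">
          <!-- Credential choices are limited to what the transport offers -->
          <transport clientCredentialType="Windows" />
        </security>
      </binding>
      <!-- Message security: WS-Security signs and encrypts each SOAP message end to end -->
      <binding name="MessageSecured">
        <security mode="Message">
          <!-- Credentials travel inside the SOAP message itself -->
          <message clientCredentialType="UserName" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <services>
    <service name="Example.OrderService" behaviorConfiguration="WithServiceCert">
      <!-- Transport mode requires an https:// address; the TLS certificate is bound at the host, not here -->
      <endpoint address="https://service.example/orders/transport"
                binding="wsHttpBinding" bindingConfiguration="TransportSecured"
                contract="Example.IOrderService" />
      <!-- Message mode can run over plain http:// because the protection is in the message -->
      <endpoint address="http://service.example/orders/message"
                binding="wsHttpBinding" bindingConfiguration="MessageSecured"
                contract="Example.IOrderService" />
    </service>
  </services>
  <behaviors>
    <serviceBehaviors>
      <behavior name="WithServiceCert">
        <serviceCredentials>
          <!-- Message security with UserName credentials needs a service certificate to protect the message -->
          <serviceCertificate findValue="service.example" x509FindType="FindBySubjectName"
                              storeLocation="LocalMachine" storeName="My" />
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
  </behaviors>
</system.serviceModel>
```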
Authentication
Another difference between Transport and Message Security in WCF is that message security provides more flexibility for authentication than transport security.
Intermediary Systems
Moreover, one other difference between Transport and Message Security in WCF is that, in transport security, a new SSL connection is created at every intermediary point. In message security, intermediate hops in the network have no impact because the messages themselves are secured.
Security Options
Besides, more security options are available in message security than in transport security. It is also possible to implement custom security in message security. Hence, this is another difference between Transport and Message Security in WCF.
Interoperability
Also, interoperability is a difference between Transport and Message Security in WCF. In transport security, the client and service do not have to understand the WS-Security specification. Therefore, it provides interoperability. In message security, on the other hand, both the client and the service must understand the WS-Security specification. So, there is no interoperability.
Performance
Performance is lower in message security than in transport security because each message is encrypted and decrypted. So, performance is a major difference between Transport and Message Security in WCF.
Conclusion
The main difference between Transport and Message Security in WCF is that transport security secures the actual transport (the pipe) that carries the messages from a client to a service, while message security secures the message itself as it passes from the client to the service. In brief, transport security is more suitable when the client and service are in the same network, while message security works in both scenarios: the client and service in the same network or in different networks.