This post discusses transport security and message security. In transport security, user credentials and claims are passed at the transport layer. The transport protocols are TCP, HTTP, MSMQ and IPC, and each of these protocols has its own mechanism for passing user credentials. The most common approach is to use Secure Sockets Layer (SSL) to encrypt the details sent over HTTPS.
Scenarios where you can use transport security
- Use the transport security model when your application sends messages directly to the WCF service and no intermediate systems sit between the two.
- Use the transport security model when both the service and the client are on an intranet.
Transport Security Advantages
- It is interoperable: the communicating parties do not need to understand the WS-Security options.
- It may give better performance, and hardware accelerators can be used to improve performance further.
Transport Security Disadvantages
- Security is applied on a point-to-point basis only (hop by hop), not end to end.
- It supports only a limited set of credentials and claims.
- The credentials it supports are transport-dependent (for example, NTLM or Kerberos).
In message security, credentials and claims are encapsulated in every message using the WS-Security specification. It is the most flexible authentication mechanism and is independent of the transport.
Scenarios where you can use message security
- Use message security when you send a message to a WCF service that in turn passes it on to other WCF services, or when the message may be routed through intermediate systems.
- Use message security when your applications access the WCF service over the internet.
Message Security Advantages
- It provides end-to-end security: message security directly encrypts and signs the message itself.
- It allows selective encryption of message parts, which improves overall application performance.
- Message Security is transport-independent and can be used with any transport protocol.
- It supports a wide set of credentials and claims.
Message Security Disadvantages
- It may reduce performance because each individual message is encrypted and signed.
- It does not support old ASMX clients, because they would need to support the WS-Security specifications.
The transport-level security model is simple and adequate for many (intranet-based) scenarios. The message-level security model enables a heterogeneous security architecture.
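As an added example (not part of the original post), the two models side by side in a WCF app.config: one wsHttpBinding configured for transport security over HTTPS with Windows credentials, and one for message security with WS-Security UserName credentials, which needs a service certificate to encrypt the credentials. The service and contract names, addresses and certificate subject are assumed placeholders.

```xml
<configuration>
  <system.serviceModel>
    <bindings>
      <wsHttpBinding>
        <!-- Transport security: SSL/TLS on the HTTPS channel, point-to-point.
             Credentials are negotiated by the transport (here Windows/Kerberos/NTLM). -->
        <binding name="TransportSecurityBinding">
          <security mode="Transport">
            <transport clientCredentialType="Windows" />
          </security>
        </binding>
        <!-- Message security: each SOAP message is signed and encrypted with WS-Security,
             so it stays protected across intermediaries; the client sends a UserName token. -->
        <binding name="MessageSecurityBinding">
          <security mode="Message">
            <message clientCredentialType="UserName"
                     negotiateServiceCredential="true"
                     establishSecurityContext="true" />
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>
    <services>
      <!-- Placeholder service/contract names -->
      <service name="Example.OrderService" behaviorConfiguration="OrderServiceBehavior">
        <!-- Intranet endpoint: transport security requires an https address -->
        <endpoint address="https://orders.intranet.example/OrderService"
                  binding="wsHttpBinding" bindingConfiguration="TransportSecurityBinding"
                  contract="Example.IOrderService" />
        <!-- Internet/routed endpoint: message security works over plain http -->
        <endpoint address="http://orders.example.com/OrderService"
                  binding="wsHttpBinding" bindingConfiguration="MessageSecurityBinding"
                  contract="Example.IOrderService" />
      </service>
    </services>
    <behaviors>
      <serviceBehaviors>
        <behavior name="OrderServiceBehavior">
          <!-- Message security with UserName credentials needs a service certificate
               so the client can encrypt the token; subject name is a placeholder -->
          <serviceCredentials>
            <serviceCertificate findValue="ORDERSERVICE-CERT-SUBJECT-PLACEHOLDER"
                                storeLocation="LocalMachine" storeName="My"
                                x509FindType="FindBySubjectName" />
          </serviceCredentials>
        </behavior>
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel>
</configuration>
```

The transport endpoint only protects the hop to the HTTPS listener, while the message endpoint carries its protection inside the SOAP envelope, which is the difference the post describes.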