
Using the configuration below we have implemented message security using WCF and WS-security. Note that we use clientCredentialType=Certificate.

Now my questions are:

  • Does the configuration below represent a cryptographically secure way to verify the identity of the client?
  • The client uses a certificate with a known private key as client credentials. In what manner can the server verify this certificate given that the server has the corresponding public key?
  • What happens when a WCF client uses a certificate as client credentials? Is information about the cert. included in the SOAP message? Or is there an element included signed with the cert.? Or what?

Server WCF configuration:

<system.serviceModel>
    <behaviors>      
        <serviceBehaviors>
            <behavior name="srv">
                <serviceMetadata httpGetEnabled="true" httpsGetEnabled="true"/>
                <serviceDebug includeExceptionDetailInFaults="false"/>
                <serviceCredentials>
                    <serviceCertificate x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="My" findValue="ServerCert"/>
                    <clientCertificate>
                        <authentication certificateValidationMode="Custom" customCertificateValidatorType="CertValidator, WcfService1"/>
                    </clientCertificate>
                </serviceCredentials>
            </behavior>
        </serviceBehaviors>
    </behaviors>

    <bindings>
        <wsHttpBinding>
            <binding name="ServerBinding">
                <security mode="Message">
                    <message clientCredentialType="Certificate" negotiateServiceCredential="false" establishSecurityContext="false"/>
                </security>
            </binding>
        </wsHttpBinding>
    </bindings>

    <services>
        <service name="WcfService1.Service1" behaviorConfiguration="srv">
            <endpoint address="" binding="wsHttpBinding" bindingConfiguration="ServerBinding" contract="WcfService1.IService1"/>
        </service>
    </services>
</system.serviceModel>

Client WCF configuration:

<system.serviceModel>
    <bindings>
        <wsHttpBinding>
            <binding name="WsHttpBinding_IService1">
                <security mode="Message">
                    <message clientCredentialType="Certificate" negotiateServiceCredential="false" establishSecurityContext="false"/>
                </security>
            </binding>
        </wsHttpBinding>
    </bindings>
    <client>
        <endpoint address="http://localhost.fiddler:49694/Service1.svc" binding="wsHttpBinding"
              bindingConfiguration="WsHttpBinding_IService1" contract="ServiceReference1.IService1"
              name="WsHttpBinding_IService1" behaviorConfiguration="endpBehavior">
            <identity>
                <certificateReference findValue="ServerCert" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName"/>
            </identity>
        </endpoint>
    </client>
    <behaviors>
        <endpointBehaviors>
            <behavior name="endpBehavior">
                <clientCredentials>
                    <clientCertificate findValue="ClientCert" x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="My" />
                </clientCredentials>
            </behavior>
        </endpointBehaviors>
    </behaviors>
</system.serviceModel>

The server configuration results in the following policy element in the wsdl:

<wsp:Policy wsu:Id="WSHttpBinding_IService1_policy">
    <wsp:ExactlyOne>
        <wsp:All>
            <sp:SymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                <wsp:Policy>
                    <sp:ProtectionToken>
                        <wsp:Policy>
                            <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
                                <wsp:Policy>
                                    <sp:RequireDerivedKeys/>
                                    <sp:RequireThumbprintReference/>
                                    <sp:WssX509V3Token10/>
                                </wsp:Policy>
                            </sp:X509Token>
                        </wsp:Policy>
                    </sp:ProtectionToken>
                    <sp:AlgorithmSuite>
                        <wsp:Policy>
                            <sp:Basic256/>
                        </wsp:Policy>
                    </sp:AlgorithmSuite>
                    <sp:Layout>
                        <wsp:Policy>
                            <sp:Strict/>
                        </wsp:Policy>
                    </sp:Layout>
                    <sp:IncludeTimestamp/>
                    <sp:EncryptSignature/>
                    <sp:OnlySignEntireHeadersAndBody/>
                </wsp:Policy>
            </sp:SymmetricBinding>
            <sp:EndorsingSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                <wsp:Policy>
                    <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                        <wsp:Policy>
                            <sp:RequireThumbprintReference/>
                            <sp:WssX509V3Token10/>
                        </wsp:Policy>
                    </sp:X509Token>
                </wsp:Policy>
            </sp:EndorsingSupportingTokens>
            <sp:Wss11 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                <wsp:Policy>
                    <sp:MustSupportRefThumbprint/>
                    <sp:MustSupportRefEncryptedKey/>
                    <sp:RequireSignatureConfirmation/>
                </wsp:Policy>
            </sp:Wss11>
            <sp:Trust10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                <wsp:Policy>
                    <sp:MustSupportIssuedTokens/>
                    <sp:RequireClientEntropy/>
                    <sp:RequireServerEntropy/>
                </wsp:Policy>
            </sp:Trust10>
            <wsaw:UsingAddressing/>
        </wsp:All>
    </wsp:ExactlyOne>
</wsp:Policy>

Note that this question is also asked on Stack Overflow.

codeape
  • Welcome to Security SE. Please be aware that asking the very same question on several SE websites is usually [perceived badly](http://meta.security.stackexchange.com/questions/284/cross-posting-is-it-encouraged). In case of doubt about which SE website would be the more appropriate to ask a question, it is recommended to ask first on the Meta websites. – WhiteWinterWolf Sep 25 '15 at 08:40
  • Yes, totally agree. Regarding the question above: In your opinion, what site is a better fit? Should I delete the question here or on stack overflow? I'm new to Security SE, would you say my question has a better chance of getting an answer here or on SO? – codeape Sep 25 '15 at 09:03
  • I am a pretty regular user on SO, but it seems a lot of security-related/web-services/ws-security questions there have low quality answers. – codeape Sep 25 '15 at 09:04
  • I know you're a regular SO user, I checked your profile ;). I'm not a WCF expert in any way, that's why in case of such doubt a discussion on Meta allows gathering different opinions from different people. My feeling, but others may have different ones, is that questions here would be mostly focused on security architectural choices (could be either platform or application architecture), server configuration details would then go on [sf], and application coding details on [so]. *continuing...* – WhiteWinterWolf Sep 25 '15 at 09:33
  • Your question might be seen under two aspects: 1) How does WCF handle client certificate authentication in respect to applicable standards, such a question would suit here (but it may gather more attention by removing the configuration details or storing them on an external service and linking to them so the actual questions get more visibility), 2) Does your current configuration match your needs, seeing the number of results for "WCF" I think people on SO would have more experience to check and confirm this. – WhiteWinterWolf Sep 25 '15 at 09:39
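Since the server configuration in the question sets certificateValidationMode="Custom" and delegates the check to "CertValidator, WcfService1", the strength of the client identity check rests entirely on what that class does. The following is an added example of such a validator, not code from the question or from the asker's project: it chain-validates the presented certificate (trust, expiry, revocation) and then pins it against a constructed list of expected thumbprints, so a certificate that is valid but issued to someone else is still rejected. The class and assembly names are taken from the page's config string; the thumbprint value is a placeholder.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;

// Referenced by the server config as customCertificateValidatorType="CertValidator, WcfService1",
// i.e. a type named CertValidator in the global namespace of the WcfService1 assembly.
public class CertValidator : X509CertificateValidator
{
    // Constructed placeholder (SHA-1 thumbprint hex as shown by certmgr.msc); replace with the
    // thumbprints of the client certificates this service is actually meant to accept.
    private static readonly HashSet<string> AllowedThumbprints =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "0000000000000000000000000000000000000000" // placeholder for ClientCert
        };

    public override void Validate(X509Certificate2 certificate)
    {
        if (certificate == null)
            throw new ArgumentNullException("certificate");

        // Step 1: build the chain with online revocation checking so a certificate from an
        // untrusted issuer, or one that is expired or revoked, fails before identity is considered.
        var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
        chain.ChainPolicy.VerificationTime = DateTime.Now;

        if (!chain.Build(certificate))
        {
            var reasons = new List<string>();
            foreach (X509ChainStatus status in chain.ChainStatus)
                reasons.Add(status.Status + ": " + status.StatusInformation.Trim());
            throw new SecurityTokenValidationException(
                "Client certificate chain validation failed: " + string.Join("; ", reasons));
        }

        // Step 2: pin to the expected client(s). A valid chain only proves that some trusted CA
        // issued the certificate, not that it belongs to the client this service expects.
        if (!AllowedThumbprints.Contains(certificate.Thumbprint))
        {
            throw new SecurityTokenValidationException(
                "Client certificate " + certificate.Subject + " (thumbprint " +
                certificate.Thumbprint + ") is not an authorised client of this service.");
        }
    }
}
```

WCF hands Validate the X.509 certificate the client carried in the wsse:Security header; possession of the matching private key is established by the message signature, so the validator's only job is to decide whether that certificate belongs to an acceptable client. A validator whose Validate body is empty accepts any certificate the caller holds a private key for.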
