在 WCF 中使用消息级安全性时是否需要传输级安全性? [英] Is Transport Level Security Necessary When Using Message Level Security in WCF?
问题描述
我仍在努力更好地了解 WCF 安全性.
I'm still in the process of trying to better understand WCF security.
我似乎无法解决的一个问题是……如果使用消息级安全性,则可以对整个消息进行签名/加密.如果是这种情况,同时使用消息级安全性和传输级安全性是否有意义?换句话说,如果消息本身是安全的,为什么我需要使用 HTTPS 之类的东西来保证传输安全?
One question that I can't seem to get a grip on is… if message level security is used, then the entire message can be signed/encrypted. If this is the case, would it ever make sense to use both message level security AND transport level security? In other words, if the message itself is secure, why would I need to use something like HTTPS for transport security?
谢谢.
推荐答案
HTTPS(SSL、TLS)提供点对点安全.我已经在我的 以前的答案.
HTTPS (SSL, TLS) offer point-to-point secuirty. I already explained what does it mean in one of my previous answers.
WCF 中的术语安全有 4 个组件:
Term Security in WCF has 4 components:
- 身份验证 - 传递给服务器以识别客户端的凭据
- 授权 - 有选择地定义经过身份验证的客户端可以执行哪些操作
- 机密性 - 加密 - 只有预期的接收者才能解密消息并读取机密数据
- 完整性 - 签名 - 预期接收者可以验证消息来自声明的客户端并且在传输过程中未被修改
- Authentication - credentials passed to server to identify client
- Authorization - selectively define which operations can be executed by authenticated client
- Confidentality - encryption - only expected receiver is able to decrypt the message and read confidental data
- Integrity - signing - expected receiver can validate that message is from declared client and it was not modified during transmission
授权始终是 WCF 应用程序本身的一部分.身份验证是 WCF 应用程序或托管系统的一部分 - 传输协议只能用于传输凭据,不能验证它们.机密性和完整性是传输协议(传输安全)或 WCF 应用程序(消息安全)的责任.因此,如果您在消息级别使用加密和签名,则不需要传输安全性.
Authorization is always part of WCF application itself. Authentication is part of WCF application or hosting system - transport protocol can be only used to transport credentials, not to validate them. Confidentality and Integrity is responsibility of transport protocol (transport security) or WCF application (message security). So if you are using encryption and signing on the message level you don't need transport security.
这篇关于在 WCF 中使用消息级安全性时是否需要传输级安全性?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
