WCF NetTcpBinding Security - how does it work?


Problem description

I am encountering the following problems trying to work through the quagmire of settings in WCF...

I created a WCF client-server service using a NetTcp binding. I didn't make any changes to the security settings and when running on one machine it works very nicely. However, when I ran my client from another machine it complained that the server didn't like the security credentials that were sent.

I understand now that NetTCP is "secured" by default and that my client would have been passing the wrong security details - namely the Windows user name and password (or some form of domain authentication) to my server which as they are not running on the same domain it would not have liked.

However, what I don't understand is:

I haven't specified any security in my binding - do the standard settings expect a Windows user name or password to be sent?

I don't have any certificate installed on my server - I understand that NetTCP bindings need some form of public/private key to protect the credentials - yet this seemed to work when both client and server were on the same machine - how was the data getting encrypted? Or was it that WCF knew it was on the same machine and encryption isn't needed?

I have had to set my security mode on my client and server to "none" now and they connect nicely. However is there a way to encrypt my data without a certificate?

Finally... what is the difference between Transport and Message security?

To check my understanding (excuse the scenario!) message security is like if I sent a letter from person A to person B and I encode my hand writing to ensure that if anyone intercepts it they cannot read it? Transport Security is if I decide to have my letter sent by armed transport so that no one can get at it along the way?

Is it possible to have any form of encryption in WCF without a certificate? My project is a private project and I don't want to purchase a certificate and the data isn't that sensitive anyway so it's just for my own knowledge.

Recommended answer

The default client credential type for NetTcpBinding is Windows Authentication. For Windows Authentication to work both client and server must be in the same domain, or mutually trusting domains (which in your case you do not have).

If both client and server were on the same domain, WCF would handle the mechanics of Windows Authentication "behind the scenes". And when both client and server are on the same machine they are effectively within the same domain, so Windows can use its own mechanisms to handle the encryption and decryption. It will only do this within mutually trusting domains, though.

If you don't have mutually trusting client and server domains, then the client and server must have some other way to determine if they trust each other with their keys. That's where certificates come in. The client and the server have their own certificates (or the server can issue the client a certificate).

Transport security is like encrypting the outside of the envelope as well as the inside. The downside is if you have to pass the envelope to someone outside your own organization, they need a decryption key just to know where the envelope is supposed to go--now they can read the message in the envelope also. On the other hand, transport security is faster--it requires less security overhead data getting passed along with your envelope.

Message security encrypts your message, but the envelope can be read by the postal workers (the internet and its routers). Only the source and the destination have the keys to decrypt the message, but the intermediaries can properly route your message.

To summarize: to use encryption over the NetTcpBinding both client and server must be within a domain (or mutually trusting domains) or you must have a key exchanging certificate.

I was asked for some example code--here is a binding element in XAML. It would normally be placed within a netTcpBinding element.

<binding name="Secure" listenBacklog="4000" receiveTimeout="00:20:00" sendTimeout="00:20:01" 
   maxReceivedMessageSize="2147483647" maxConnections="200" portSharingEnabled="true">
   <!-- ~2 GB -->
   <readerQuotas maxStringContentLength="2147483647"/>
   <!-- ~2 GB max string content length -->
   <security mode="Message">
      <transport clientCredentialType="None" protectionLevel="EncryptAndSign"/>
      <message clientCredentialType="None"/>
   </security>
</binding>

The important part is the security element. For transport security one would change the mode attribute to "Transport". More than likely the clientCredentialType would not be "None" but rather "Certificate", "Ntlm", or "Windows" depending on the context.
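As an added example (not part of the original answer, and not code from the WCF project), here are the three configurations the answer discusses built programmatically in C# instead of in app.config: the default Transport/Windows binding that only works inside a domain, the SecurityMode.None workaround the questioner fell back to, and Message security with X.509 certificates on both sides, which works across untrusted domains. The IEcho contract, the EchoService class, the net.tcp port and the certificate subject names are placeholders I made up for the example; the certificate path only runs once a server certificate and a client certificate are actually installed in the stores named in the code.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

// Placeholder contract and service for the example (not from the original answer).
[ServiceContract]
public interface IEcho
{
    [OperationContract]
    string Echo(string text);
}

public class EchoService : IEcho
{
    public string Echo(string text) => text;
}

public static class BindingFactory
{
    // What "new NetTcpBinding()" gives you by default: Transport security, Windows
    // credentials, and the stream encrypted and signed. This is the configuration
    // that failed for the questioner across two non-trusting machines.
    public static NetTcpBinding DefaultWindows()
    {
        var binding = new NetTcpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.Windows;
        binding.Security.Transport.ProtectionLevel = System.Net.Security.ProtectionLevel.EncryptAndSign;
        return binding;
    }

    // The questioner's workaround: no authentication and no encryption on the wire.
    public static NetTcpBinding NoSecurity()
    {
        return new NetTcpBinding(SecurityMode.None);
    }

    // Message security with X.509 certificates: the message body is encrypted and
    // signed end to end, and each side authenticates the other with a certificate,
    // so no domain trust is required.
    public static NetTcpBinding MessageCertificate()
    {
        var binding = new NetTcpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;
        return binding;
    }
}

public static class Program
{
    // Placeholder subject names; replace with certificates installed on each side.
    private const string ServerCertSubject = "CN=placeholder-server";
    private const string ClientCertSubject = "CN=placeholder-client";
    private static readonly Uri Address = new Uri("net.tcp://localhost:8000/echo");

    public static void Main()
    {
        // Service side: present the server certificate and require the client's
        // certificate to chain to a root the server trusts.
        var host = new ServiceHost(typeof(EchoService), Address);
        host.AddServiceEndpoint(typeof(IEcho), BindingFactory.MessageCertificate(), "");
        host.Credentials.ServiceCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My,
            X509FindType.FindBySubjectDistinguishedName, ServerCertSubject);
        host.Credentials.ClientCertificate.Authentication.CertificateValidationMode =
            X509CertificateValidationMode.ChainTrust;
        host.Open();

        // Client side: present the client certificate, validate the server's
        // certificate chain, and pin the expected server identity to its DNS name.
        var factory = new ChannelFactory<IEcho>(
            BindingFactory.MessageCertificate(),
            new EndpointAddress(Address, EndpointIdentity.CreateDnsIdentity("placeholder-server")));
        factory.Credentials.ClientCertificate.SetCertificate(
            StoreLocation.CurrentUser, StoreName.My,
            X509FindType.FindBySubjectDistinguishedName, ClientCertSubject);
        factory.Credentials.ServiceCertificate.Authentication.CertificateValidationMode =
            X509CertificateValidationMode.ChainTrust;

        IEcho proxy = factory.CreateChannel();
        Console.WriteLine(proxy.Echo("hello over an encrypted message"));
        ((ICommunicationObject)proxy).Close();
        factory.Close();
        host.Close();
    }
}
```

With ChainTrust on both sides, each certificate must chain to a CA that the other machine trusts, so for a private project a self-signed CA imported into the Trusted Root store on both machines is enough; nothing needs to be bought. Avoid switching the validation mode to None to make a test pass, since that accepts any certificate and removes the authentication the certificates were added for.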
