WCF消息安全，无证书和Windows身份验证 [英] WCF message security without certificate and windows auth

问题描述

我有一个WCF服务和客户端，将部署到几个公司（数百）。一些公司将在其网络中运行软件，一些将通过因特网（WCF服务器在办公室，WCF客户端在另一个）运行。

我们要加密WCF服务器和客户端之间的通信。我们没有任何需要使用WCF安全验证cient /订户，因为我们有自己的用户名/密码登录，客户端将使用它来登录服务器。

• 我们不能依赖Windows身份验证，因为一些用户将通过Internet运行它，并且WCF服务器可能不在与WCF客户端相同的域中。


• 如果我们使用真实证书*，运行软件的公司必须从CA购买证书并安装它，然后配置我们的软件来使用它，但这对于大多数


• 我们可以在安装WCF服务器期间自动创建证书，但是我们必须自动将其安装到证书存储中，并以某种方式自动授予IIS读取证书的权限。这比我们想要的更复杂。

总之，我们想要一个简单的解决方案，加密只是基于共享秘密，在我们的例子是用户登录的用户名/密码。我明白，这不会提供最好的可用加密，但我们愿意交易一些安全，使软件更容易部署。

这是可能？

*对于真实证书，我指的是从证书颁发机构购买的证书，而不是我自己创建/自签名的证书。

解决方案

如果你想对传输上的消息加密（这是一个很好的主意！），发送方（客户端）和服务器。这可以是硬编码，但这真的不是一个好主意 - 如果共同共享知识被破坏，攻击者可以破译和阅读所有的消息。

此外，由于它是绝对的不推荐做法，没有任何形式的支持WCF简化使用共享的秘密。你自己 - 你必须自己滚动100％的方式。

要以安全的方式交换公共共享密钥的唯一可行的方法是使用证书。没有办法在这边，对不起。该证书甚至不必用于用户认证或任何东西 - 但是它在呼叫者和服务之间建立共享秘密，并且因此允许呼叫者以这样的方式加密消息，使得只有预期的接收者实际上可以解密和使用他们。

所以我真的没有看到任何方法可以在你的服务器上获得证书 - 不需要在每个客户端，但在每个服务器上服务运行。

Marc

PS：如果你真的想调查硬编码共享秘密您需要考虑这一点：

• 如何在每个客户端上安全地存储共享密钥？ / li>
  
• 如何使用存储的共享密钥中的信息来加密您的邮件？

该方法将是双重的：

1. 交换某种形式的私钥/公钥对;服务器生成密钥对并且将私钥保持其自身并且使用该私钥/公钥对与客户端（例如，通过WCF消息）共享公钥


2. 交换共同的共享秘密，例如（对称的，服务器可以使用相同的密钥解密消息）


3. 在您的客户端上设置基础设施（例如WCF扩展称为行为）在邮件退出前使用您的共享密钥对其进行加密。

全部总之，它真的不是微不足道 - 比这更简单不值得称为安全。

如果你看看所有的工作你将不得不做 - 只是使用WCF内置证书机制不是更容易

体面的安全价值是很难 - 所以为什么不利用现有的东西，而不是自己做所有的工作，或更糟：提出一个半烤解决方案，这么容易破解你可以轻松地发送一切在cleartext .....不要估计复杂性和所需的代码需要处理即使最基本的安全方案 - WCF做到这一切为你 - 免费并在可靠和安全的方式 - 使用它！你不会后悔的！

I have a WCF service and client which is going to be deployed to several companies (hundreds). Some companies will run the software in their network and some will run it over the Internet (WCF server at on office, WCF client at another).

We want to encrypt the communication between the WCF server and client. We don't have any need to authenticate the cient / subscriber using WCF security, because we have our own username/password log-in which the clients will use to log on the server.

• We can't rely on Windows auth because some of the users will run it over the Internet, and the WCF server may not be on the same domain as the WCF client.
• If we use "real" certificates*, companies running the software would have to purchase certificates from a CA and install it, and then configure our software to use it, but this is too complicated for most of them.
• We could auto-create certificates during installation of the WCF server, but then we would have to automatically install it into a certificate store and somehow automatically grant IIS permissions to read the certificate. This is more complicated than we would like.

In short, we want a simple solution where the encryption is just based upon a shared secret, in our case the username / password the user is logging on with. I do understand that this won't give the best available encryption, but we're willing to trade some of the security to make the software easier to deploy.

Is this possible?

*With "real" certificates, I mean certificates purchased from a certificate authority, and not one I've created myself / self-signed.

解决方案

If you want to encrypt the messages on the transport (which is a really good idea!), there has to be some shared knowledge between the sender (the client) and the server. This can be hardcoded, but that's really not a good idea at all - if that "common shared" knowledge is ever compromised, an attacker could decipher and read all your messages.

Also, since it's definitely not recommended practice, there's no support of any kind in WCF to simplify using a shared secret. You're on your own - you have to roll your own 100% of the way.

The only viable way to have a common shared secret exchanged in a safe way is to use a certificate. No way around this, sorry. The certificate doesn't even have to be used for user authentication or anything - but it establishes a shared secret between the caller and the service and thus allows the caller to encrypt the messages in such a way only the intended recipient can actually decrypt and use them.

So I really don't see any way you can get around having certificates on your servers - doesn't need to be on every client, but on every server where your service runs.

Marc

PS: if you really want to investigate the "hardcoded shared secret" approach, you'll need to think about this:

• how do you store a shared secret safely on each and every single one of your clients?
• how do you use information from that stored shared secret to encrypt your messages?

Typically, the approach would be two-fold:

1. exchange some form of a private/public key pair; the server generates a key pair and keeps the private key to itself and shares the public key with the client (e.g. over a WCF message, for instance)
2. using that private/public key pair, exchange a common shared secret, e.g. an "encryption key" that will symmetrically encrypt your messages (and since it's symmetrical, the server can use the same key to decrypt the messages)
3. setup infrastructure on your client (e.g. a WCF extension called a behavior) to inspect the message before it goes out and encrypt it with your shared secret

All in all, it's really not trivial - anything simpler than that is not worth being called "security" at all.

If you look at all that work you will have to do - wouldn't it be easier to just use the WCF built-in certificate mechanisms??

Decent security worth its salt is hard - so why not leverage what's available instead of doing all the work yourself, or worse: come up with a half-baked solution that's so easy to crack you could just as easily send everything in cleartext..... don't under estimate the complexity and amount of code needed to handle even the most basic security scenarios - WCF does this all for you - for free and in a reliable and safe manner - use it! You won't regret it!

这篇关于WCF消息安全，无证书和Windows身份验证的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！