Is Transport Level Security Necessary When Using Message Level Security in WCF?


Question

I'm still in the process of trying to better understand WCF security.

One question that I can't seem to get a grip on is… if message level security is used, then the entire message can be signed/encrypted. If this is the case, would it ever make sense to use both message level security AND transport level security? In other words, if the message itself is secure, why would I need to use something like HTTPS for transport security?

Thanks.

Recommended answer

HTTPS (SSL, TLS) offers point-to-point security. I already explained what it means in one of my previous answers (http://stackoverflow.com/questions/4679235/wcf-service-certificates-and-message-security-with-username-authentication/4679924#4679924).

The term security in WCF has 4 components:

  • Authentication - credentials passed to the server to identify the client
  • Authorization - selectively define which operations can be executed by an authenticated client
  • Confidentiality - encryption - only the expected receiver is able to decrypt the message and read confidential data
  • Integrity - signing - the expected receiver can validate that the message is from the declared client and that it was not modified during transmission

Authorization is always part of the WCF application itself. Authentication is part of the WCF application or the hosting system - the transport protocol can only be used to transport credentials, not to validate them. Confidentiality and integrity are the responsibility of the transport protocol (transport security) or the WCF application (message security). So if you are using encryption and signing on the message level you don't need transport security.
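
The two options the answer contrasts, shown as an added WCF configuration example that is not part of the original answer: one `wsHttpBinding` configuration where confidentiality and integrity come from message security, and one where they come from transport security. The service and contract names, the addresses and the certificate subject are constructed placeholders.

```xml
<!-- Added example: names, addresses and certificate subject are constructed placeholders. -->
<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <!-- Message security: the SOAP message itself is signed and encrypted
           (end-to-end), so the endpoint address can be plain http://. -->
      <binding name="MessageSecured">
        <security mode="Message">
          <message clientCredentialType="UserName" />
        </security>
      </binding>
      <!-- Transport security: TLS protects the channel point-to-point,
           so the endpoint address must be https://. -->
      <binding name="TransportSecured">
        <security mode="Transport">
          <transport clientCredentialType="None" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <behaviors>
    <serviceBehaviors>
      <behavior name="WithServiceCert">
        <serviceCredentials>
          <!-- Message security with UserName credentials needs a service
               certificate; the subject name below is a placeholder. -->
          <serviceCertificate findValue="PLACEHOLDER-SERVICE-CERT"
                              storeLocation="LocalMachine" storeName="My"
                              x509FindType="FindBySubjectName" />
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
  </behaviors>
  <services>
    <service name="Example.OrderService" behaviorConfiguration="WithServiceCert">
      <endpoint address="http://localhost:8080/orders/message"
                binding="wsHttpBinding" bindingConfiguration="MessageSecured"
                contract="Example.IOrderService" />
      <endpoint address="https://localhost:8443/orders/transport"
                binding="wsHttpBinding" bindingConfiguration="TransportSecured"
                contract="Example.IOrderService" />
    </service>
  </services>
</system.serviceModel>
```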
