Saturday, November 26, 2011

End-to-end vs point-to-point security in WCF

Consider a scenario where a message needs to be sent from A to D. The message goes from A to B, from B to C, and finally reaches D (from C).

The whole chain of communication from A to D can be called end-to-end. To protect it, we have to apply security at the message level. In WCF this can be done as follows:

// Message mode: the SOAP message itself is secured, whatever hops it crosses
BasicHttpBinding bind = new BasicHttpBinding();
bind.Security.Mode = BasicHttpSecurityMode.Message;


Point-to-point communication is what happens from A to B, and it is protected using transport-level security:

// Transport mode: the channel (HTTPS) is secured, one hop at a time
BasicHttpBinding bind = new BasicHttpBinding();
bind.Security.Mode = BasicHttpSecurityMode.Transport;


Alternatively, in config files (using wsHttpBinding as an example):
<wsHttpBinding>
  <binding name="TransportSecurity">
    <security mode="Transport">
      <transport clientCredentialType="Windows" />
    </security>
  </binding>
</wsHttpBinding>

Thursday, November 3, 2011

Are Digital Certificates Confusing?

Public key, hashing, signatures, blah blah... really confusing, aren't they?

Here we go!
Foo wants to send Assange a letter, only to be read by Assange. Yes, a very secret document for his drop box! Foo decides to encrypt the message. But which algorithm will Foo use, and how will Assange know about the algorithm (to decrypt)? Moreover, Intelligence Agencies (IA) are spying, so Foo cannot call Assange and say "Hey, I am using XOR".

Assange has a public encryption key (key = complex mathematical formulas to make data unreadable). Anyone can encrypt with this key, and only Assange can read the result. How? The public key is paired with a private decryption key, which is what decrypts the message. And Assange won't share his private key.

Foo gets Assange's public key, encrypts the message and sends it to Assange. IA got the message before Assange, but fortunately they could not read it. And we know why :)

Happy ending, is it not? But Assange received the wrong message!
IA destroyed the message on its way to Assange's inbox and replaced it with another message encrypted with Assange's public key. And Assange mistook it for Foo's message!

[to be continued .. but meat to bite on-> how can such situations be prevented?]
Clue: What if we make the decryption key public and encryption key private! Plus we need to do one more thing.. think layering :). Oh! is that what we call a signature? And could these certificate thingies be outsourced to an external agency? Well... can't call it confusing anymore.. can we? :D
Comment your thoughts please :)
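
The substitution problem above, and the signature the clue hints at, as an added example that is not part of the original post. It uses .NET's System.Security.Cryptography; the class name, helper names and messages are constructed for illustration, and it assumes Assange already holds Foo's genuine public key.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

class SignedLetterDemo   // hypothetical name, constructed for this example
{
    static void Main()
    {
        using RSA assange = RSA.Create(2048); // Assange's key pair: used to encrypt to him
        using RSA foo = RSA.Create(2048);     // Foo's key pair: used to sign as Foo

        // Only the public halves ever leave their owners.
        RSAParameters assangePublic = assange.ExportParameters(false);
        RSAParameters fooPublic = foo.ExportParameters(false);

        // Foo encrypts with Assange's public key, then signs with his own private key.
        byte[] letter = Seal(Encoding.UTF8.GetBytes("constructed: Foo's real letter"), assangePublic);
        byte[] signature = foo.SignData(letter, HashAlgorithmName.SHA256, RSASignaturePadding.Pss);

        // IA can build a replacement from the public key alone, but cannot sign as Foo.
        byte[] forged = Seal(Encoding.UTF8.GetBytes("constructed: IA's replacement"), assangePublic);

        Console.WriteLine(Open(letter, signature, fooPublic, assange) ?? "REJECTED");
        Console.WriteLine(Open(forged, signature, fooPublic, assange) ?? "REJECTED");
    }

    // Encrypt for a recipient using nothing but the recipient's public key.
    static byte[] Seal(byte[] plaintext, RSAParameters recipientPublic)
    {
        using RSA rsa = RSA.Create();
        rsa.ImportParameters(recipientPublic);
        return rsa.Encrypt(plaintext, RSAEncryptionPadding.OaepSHA256);
    }

    // Check the signature against the sender's public key first; decrypt only if it matches.
    static string Open(byte[] ciphertext, byte[] signature, RSAParameters senderPublic, RSA recipient)
    {
        using RSA verifier = RSA.Create();
        verifier.ImportParameters(senderPublic);
        if (!verifier.VerifyData(ciphertext, signature, HashAlgorithmName.SHA256, RSASignaturePadding.Pss))
            return null; // not signed by the claimed sender
        return Encoding.UTF8.GetString(recipient.Decrypt(ciphertext, RSAEncryptionPadding.OaepSHA256));
    }
}
```

The first call prints Foo's letter and the second prints REJECTED, because the replacement was never signed with Foo's private key. What the example takes for granted, that the public key really belongs to Foo, is the part a certificate from an external agency vouches for.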