WCF Message Security related question
I have a web service with Message security mode and UserName client credential type. At the client side, in the endpoint config, I have:

<endpoint ...>
  <identity>
    <certificate encodedValue="VeryVeryBigRsaKey" />
  </identity>
</endpoint>
I generated my key using Pluralsight SelfCert and exported it into a *.cer file with Base64 encoding. I then opened the generated *.cer with Notepad, and that gave me the RSA key (VeryVeryBigRsaKey).

My questions are:
- What role does the X.509 certificate have in securing the communication?
- How are the keys for encryption sent from server to client (if there are any)?
- Can someone sniff the credentials transmitted to the server if he also has that VeryVeryBigRsaKey? If yes, how to prevent it; if no, what are the securing mechanisms in WCF that prevent it?

If someone could explain in detail how the communication is secured, I would be very grateful, or give a link to an article.
Most of your questions are answered in another question. The details of the description don't have to be exactly correct, but the idea and mechanism are correct.

- The certificate ensures secure transmission of the shared secret (derived key) from client to service.
- The derived key is used for symmetric encryption between client and server.
- No, if the service certificate with the private key is not stolen. The private key is what makes your communication secured. If only the server hosting the service has the private key, and only the service has permission to access it in the certificate store, nobody else can decrypt the message to get the derived key and decipher the communication.

You don't have to be afraid.
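The following is an added C# example, not code from the question or the answer, showing how the mechanism the answer describes maps onto the WCF API: the service holds the certificate with its private key, the client only holds the public certificate (the same Base64 DER bytes that end up in the config's encodedValue), and the UserName credential travels inside a WS-Security message that only the private key can unwrap. The contract name IEcho, the address http://localhost:8000/echo, the certificate subject name "localhost", the user name and password, and the validator logic are all assumptions for illustration.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

[ServiceContract]
public interface IEcho
{
    [OperationContract]
    string Echo(string text);
}

public class EchoService : IEcho
{
    public string Echo(string text) => "echo: " + text;
}

// Service-side check of the UserName token. The constant comparison is a
// placeholder (assumed); a real service would consult its credential store.
public class DemoValidator : UserNamePasswordValidator
{
    public override void Validate(string userName, string password)
    {
        if (userName != "alice" || password != "correct horse battery staple")
            throw new SecurityTokenException("Unknown username or incorrect password");
    }
}

public static class Demo
{
    // Message security: WS-Security signs and encrypts the SOAP body itself,
    // so the UserName token is protected even over plain HTTP.
    static WSHttpBinding MessageSecurityBinding()
    {
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        return binding;
    }

    public static ServiceHost StartService()
    {
        var host = new ServiceHost(typeof(EchoService), new Uri("http://localhost:8000/echo"));
        host.AddServiceEndpoint(typeof(IEcho), MessageSecurityBinding(), "");

        // The certificate WITH its private key is looked up in the server's own
        // store; it never leaves this machine. Only this private key can unwrap
        // the symmetric (derived) key the client sends, which is what keeps the
        // UserName token unreadable to anyone sniffing the wire.
        host.Credentials.ServiceCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My,
            X509FindType.FindBySubjectName, "localhost"); // subject name assumed

        host.Credentials.UserNameAuthentication.UserNamePasswordValidationMode =
            UserNamePasswordValidationMode.Custom;
        host.Credentials.UserNameAuthentication.CustomUserNamePasswordValidator =
            new DemoValidator();

        host.Open();
        return host;
    }

    // Produces the value that goes into <certificate encodedValue="..."/>:
    // the Base64 of the DER-encoded PUBLIC certificate, i.e. the .cer content
    // without the BEGIN/END lines. No private key is included.
    public static string EncodedValueFromCerFile(string cerPath)
    {
        var cert = new X509Certificate2(cerPath);
        return Convert.ToBase64String(cert.Export(X509ContentType.Cert));
    }

    // Code equivalent of the client's endpoint config in the question.
    public static string CallService(string encodedValue)
    {
        var serviceCert = new X509Certificate2(Convert.FromBase64String(encodedValue));
        var identity = EndpointIdentity.CreateX509CertificateIdentity(serviceCert);
        var address = new EndpointAddress(new Uri("http://localhost:8000/echo"), identity);

        var factory = new ChannelFactory<IEcho>(MessageSecurityBinding(), address);
        factory.Credentials.ServiceCertificate.DefaultCertificate = serviceCert;
        // Self-signed certificate: trust it explicitly via the Trusted People
        // store instead of requiring a CA chain.
        factory.Credentials.ServiceCertificate.Authentication.CertificateValidationMode =
            X509CertificateValidationMode.PeerTrust;
        factory.Credentials.UserName.UserName = "alice";
        factory.Credentials.UserName.Password = "correct horse battery staple";

        IEcho channel = factory.CreateChannel();
        string result = channel.Echo("hello");
        ((IClientChannel)channel).Close();
        factory.Close();
        return result;
    }
}
```

The point to take from the split: the client side only ever handles the public certificate, so publishing encodedValue in a client config does not weaken anything; what must be guarded is the private key in the server's certificate store, and PeerTrust (or ChainTrust with a proper CA) is what stops a client from being pointed at a substituted certificate.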