How to encrypt a SOAP message in Silverlight? I am currently looking for ideas, as Silverlight doesn't support WCF Message Security. I have gone through a post by Peter Bromberg, but it also doesn't discuss when or how to exchange public/private keys, or anything of the sort.
The approach discussed in the post doesn't appear to do any asymmetric key exchange (as TLS does). Instead it relies on a symmetric key that is generated based on some assembly metadata. See the last paragraph of the article:
In closing, let me just address a couple of concerns: First, nowhere here do I say that this is "better" than SSL. I provide it only as an alternative. Second, the fact that the password or other component of the generated cryptographic key may be shown in plaintext in the code is not useful to a hacker, as both the password and the hash (both of which can be generated only at runtime) are required for a valid key. The download reflects the change to using the FullName property of the assembly to generate the salt value, and the ManifestModule.Name.GetHashCode() for the password, as discussed earlier.
It's not a very strong key generation mechanism, as an attacker could simply download the same Silverlight application, fire up a debugger, and get the key. However, it will protect against any man-in-the-middle attacks where the attacker only has access to your HTTP traffic.
Personally I'd stick with SSL, with a self-signed certificate if the goal is to have a free solution.
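The key derivation the answer describes, as an added Python example that is not from the question, the answer, or the article being discussed: it assumes PBKDF2-HMAC-SHA1 as the KDF and a SHA-256 stand-in for GetHashCode(), uses constructed assembly names, and shows why a key built only from downloadable assembly metadata is reproducible by anyone holding the assembly, whereas a random per-session key is not.

```python
import hashlib
import hmac
import os

# Constructed stand-ins for the Silverlight assembly metadata the article
# turns into key material (hypothetical values, not from the original post).
ASSEMBLY_FULL_NAME = "SoapClient, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"
MANIFEST_MODULE_NAME = "SoapClient.dll"


def module_name_hash(name: str) -> str:
    """Stand-in for ManifestModule.Name.GetHashCode(): any deterministic
    function of public metadata (SHA-256 here instead of .NET's hash)."""
    return hashlib.sha256(name.encode()).hexdigest()[:8]


def derive_static_key(full_name: str, module_name: str) -> bytes:
    """Derive the shared symmetric key as the article describes:
    salt = assembly FullName, password = hash of the module name.
    PBKDF2-HMAC-SHA1 is an assumed stand-in for the article's KDF."""
    password = module_name_hash(module_name).encode()
    return hashlib.pbkdf2_hmac("sha1", password, full_name.encode(), 1000, dklen=32)


def derive_session_key() -> bytes:
    """Contrast: a fresh key from the OS CSPRNG. Nothing shipped inside the
    assembly lets a second party recompute it."""
    return os.urandom(32)


def static_key_is_reproducible() -> bool:
    """Two independent parties who downloaded the same assembly hold the same
    FullName and module name, so the derivation yields the same key for both.
    This is the weakness the answer points out."""
    party_a = derive_static_key(ASSEMBLY_FULL_NAME, MANIFEST_MODULE_NAME)
    party_b = derive_static_key(ASSEMBLY_FULL_NAME, MANIFEST_MODULE_NAME)
    return hmac.compare_digest(party_a, party_b)


def session_key_is_unpredictable() -> bool:
    """Random per-session keys differ every time and cannot be rebuilt from
    metadata; this is the property a real key exchange (as in TLS) provides."""
    return derive_session_key() != derive_session_key()
```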