tags:

views:

1266

answers:

3
Q: 

Is WCF Username Authentication without Transport Security a security risk?

I am trying to use username message security in WCF. I am trying to find out if using transport credential type of None/Anonymous will pose a definite security risk.

My concern is with the initial exchange where binary data is tunneled through using the WS-trust specification (TLS negotiation). Will this attempt to authenticate my username and password be susceptible to network sniffers, before the shared security context is established?

Any thoughts welcome.

Thanks.

<security mode="Message">
   <transport clientCredentialType="None" />
   <message clientCredentialType="UserName" negotiateServiceCredential="true" algorithmSuite="Default" establishSecurityContext="true" />
</security>
A: 

Yes it will, the data will not be encrypted on the wire and as such the credentials will be exposed to anyone who cares to look.

Is there a particular reason you wish to do things this way? I would not recommend it.

Andrew Hare  2009-07-24 19:19:39
+2  A: 

Did some more research here. Essentially, there is no risk that a password is exposed to someone sniffing the network if you use password digests (default). Transport security is not required if you are not concerned about the confidentiality of the message body itself.

This is explained here: http://msdn.microsoft.com/en-us/library/ms977327.aspx

Long story short:

  1. Password digests are used to validate that the client knows the correct password. The password is never sent. Only a hash is computed.

  2. Replay attacks are prevented by the use of a nonce and a time window. The server remembers the nonce for the given time window and ensures that only one message with that nonce will be accepted. Sign the whole thing and you're safe.

Alex  2009-07-25 12:56:59
put a bounty on it. hopefully that will bring some resolution
mirezus  2009-07-27 16:21:46
+3  A: 

According to the specs for WS-Security, the UserName token could contain both the username and the password, unencrypted. This would see this information be transferred over the wire unencrypted in the clear. Binary formatting is not a deterrent. This is generally referred to as "security by obscurity" and not a security measure at all.

Coincidently, I ran across a lot of this information when reading an article by Scott Hanselman a little while back. It hints at the issues you are having. http://www.hanselman.com/blog/BreakingAllTheRulesWithWCF.aspx

You'll definitely want to enable some transport-level security here if you intend to enable this feature.

Here's the OASIS docs on WS-Security UsernameToken. It appears to allow several scenarios, but I'm not sure what scenario that WCF uses by default: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0.pdf

If you are curious, you'd want to enable message logging and inspect the message to see what's being sent. Enable message logging

Anderson Imes  2009-07-27 16:51:26
"the UserName token should contain both the username and the password, unencrypted." - this is incorrect. WS-Security defines that a password digest can be sent. This means effectively that the password itself is not sent anymore over the wire at all. It basically enables two parties who know the password to generate that hash. Replay attacks however remain a problem.
Alex  2009-08-30 00:30:39
Yes, I suppose I have said "can" rather than "should". I've corrected it. The OASIS standard still allows for username/password to be sent. As I mentioned, I'm not sure what WCF is actually doing in certain authentication scenarios (simple auth token, shared secret, etc).
Anderson Imes  2009-08-30 01:21:39

related questions

Entity diagrams in ASP.NET MVC
Aging Data Structure in C#
.NET 3.5 Service Pack 1 causes 404 pages on ASP.NET Web App
How do I make a custom .net client profile installer?
.NET 3.5 SP1 and aspnet_client Crystal Reports
Can I create a ListView with dynamic GroupItemCount?
N2 CMS
Conditional Linq Queries
LINQ query on a DataTable
Asynchronous Remoting calls
Using EF Entity as DTO Object
WPF: How to style or disable the default ContextMenu of a TextBox
C# 2.0 code consuming assemblies compiled with C# 3.0
Using C#/WIA version 2.0 on Vista to Scan
Has anyone run performance benchmarks comparing LINQ
Beginners Guide to LINQ
Extension interface patterns
C# 3.0 Where extension method with lambda vs LINQtoObjects to filter in memory collections.
Upgrade to ASP.NET 3.x
Where can I get the Windows Workflow "wca.exe" application?
LINQ on the .NET 2.0 Runtime
Is nAnt still supported and suitable for .net 3.5/VS2008?
How do you page a collection with LINQ?
How do I get a distinct, ordered list of names from a DataTable using Linq
How do I fill a DataSet or a DataTable from a LINQ query resultset ?