My WCF service involves the sending of a dataset (in csv format) data between client and service. This dataset must be encrypted so that the data cannot be intercepted. I'm using wshttpbinding and trying to encrypt the message by using the following settings in web.config:

<wsHttpBinding>
  <binding name="wsHttp">
    <reliableSession enabled="true" /> 
    <security mode="Message">
      <message clientCredentialType="UserName" algorithmSuite="TripleDes" />
    </security>
  </binding>
</wsHttpBinding>

When I try to generate a client proxy I get a long error message box (which cannot be completely read because it goes off the bottom of the screen!). The error message does mention something about a "service certificate not being provided".

How do I encrypt a message? Do I need a certificate? I should mention that this service will be used over the internet from different domains so I'm not sure whether using "Username" security is the best option (?)

Basically I'm confused!

+4  A: 

Yes, your service needs a certificate so that your encryption keys can be exchanged securely. You can create a test service authentication certificate with makecert.exe. See this entry in my blog for the details of that.

You also need to ensure that the account your service is running as is able to read the certificate's private key file. If you're on Windows Vista (or later) the Certificates MMC snap-in allows you to control permissions on that private key, but for earlier versions of Windows it's a bit harder. I used to use a utility that came with WSE3, but someone else might be able to suggest a more direct way. Unless your service runs as an admin, you will most likely have to adjust these permissions.

Martin
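As an added example (not part of Martin's answer or the question), this is what the service-side web.config looks like once the missing service certificate is wired in: the question's binding is kept as-is, and the service name, contract name, behavior name and a certificate with subject name "localhost" in the LocalMachine\My store are assumptions.

```xml
<!-- web.config (service side), added example: the binding from the question plus
     the serviceCredentials block that the proxy-generation error says is missing.
     Assumed names: MyService, IMyService, behavior "wsHttpBehavior", and a
     certificate with subject name "localhost" in the LocalMachine\My store. -->
<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <binding name="wsHttp">
        <reliableSession enabled="true" />
        <security mode="Message">
          <!-- algorithmSuite kept as in the question; WCF's default is Basic256 (AES) -->
          <message clientCredentialType="UserName" algorithmSuite="TripleDes" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <services>
    <service name="MyService" behaviorConfiguration="wsHttpBehavior">
      <endpoint address="" binding="wsHttpBinding" bindingConfiguration="wsHttp"
                contract="IMyService" />
      <!-- metadata endpoint so the client proxy can be generated -->
      <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
    </service>
  </services>
  <behaviors>
    <serviceBehaviors>
      <behavior name="wsHttpBehavior">
        <serviceMetadata httpGetEnabled="true" />
        <serviceCredentials>
          <!-- the certificate whose private key the service account must be able to read -->
          <serviceCertificate findValue="localhost" storeLocation="LocalMachine"
                              storeName="My" x509FindType="FindBySubjectName" />
          <!-- UserName credentials are validated here; Windows mode maps them to Windows accounts -->
          <userNameAuthentication userNamePasswordValidationMode="Windows" />
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
  </behaviors>
</system.serviceModel>
```

A makecert test certificate is not chain-trusted, so the generated client config needs a matching serviceCertificate authentication setting (for example certificateValidationMode="PeerTrust" with the certificate placed in the client's TrustedPeople store) until a CA-issued certificate replaces it.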
+3  A: 

@Martin is right, you need a certificate on the server. This link has a good overview of the communication flow for message-based security and has sample code. This link has a good overview of working with certificates.

For your authentication requirements, this link reviews the various options available. If you're new to WCF, Learning WCF: A Hands-on Guide by Michele Bustamante is a good book and covers message-based security.

Sixto Saez
+1  A: 

I am still trying to find the solution to this problem. I have it too, but with signing an XML. Still, to find the user IIS is running as in WinXP: Start > Right Click My Computer > Manage > Services And Applications > Services > IIS Admin > Double click, and in the Log On tab it will usually say Local System.

EDIT

OK, this is how I solved my problem. I had a certificate that I made using this article. If the project is an ASP web site that is saved to your C folder you may not have issues with this. But if it's saved to IIS as an HTTP project then you will have issues.

The way to solve it, after weeks of investigating, is not that hard. Microsoft has something called the Web Services Enhancements; you would download the latest, but I am using the second one with the latest service pack. When I installed it I enabled everything.

Certificates can be in a physical file, but they are usually in the Certificate Management Store; to get to it, use the X509 Certificate Tool in WSE 2.0. Here, open your certificate by looking for it in the different sections until you find it. Then open it; at the bottom there will be a View Private Key button, and in the Security tab add LOCALHOST\ASPNET. This should enable your website to read the certificate.

In short, what happens is that when you create the public and private keys, although you may see the private key just fine, it really is sent to Timbuktu in the file system and you need to find it to add the ASPNET account for read access. I am reading that in Vista this is much easier, but I am using XP.

ThorDivDev