When working with a WCF service, the following are the main threats to consider from a security point of view.
1. Observation of network traffic to obtain sensitive information (eavesdropping): While a client is interacting with the service, an attacker watches the network data. Whenever that data carries sensitive information (credentials, account numbers), the attacker can capture it and later use it to perform transactions on behalf of the original customer or client.
2. Rogue entities created by the attacker (spoofing):
The attacker creates dummy sites and web pages that look the same as the original ones and sends the customer or client to them instead of the genuine site. Through these fake pages the attacker collects the customer's real information and then performs transactions as that customer. The same trick works against a service: a rogue endpoint that impersonates the real WCF service receives whatever the client sends it.
3. Alteration of messages (tampering):
When data is transferred over the network, an attacker can modify the original message in transit.
Consider a bank: a customer sends a request to transfer a balance from the customer's account to some account X. While the request travels from client to service, the attacker changes X to some account Y, so the amount goes to the wrong beneficiary instead of the intended one.
4. Replay attacks:
The attacker captures a legitimate request and sends the same request to the service many times, which harms both parties. For example, with online invoices the attacker can resubmit the same invoice to the company's service again and again on behalf of a client, without the client knowing. Both the client and the company suffer.
5. Inability of the service to identify the client:
Sometimes the service fails to identify which client is sending a request and to which client the response should be delivered, so the operation cannot be tied to an accountable identity.
Resolving the security problems
Description
To address the above threats, WCF divides security into three functional areas:
Transfer security
Access control
Auditing
1. Transfer security
Description
Transfer security covers three major security functions.
Integrity - the ability to detect whether the message delivered is the original one or has been tampered with in transit.
Confidentiality - the ability to keep the message unreadable by anyone other than the intended recipient. This is achieved with cryptography (encryption).
Authentication - the ability to verify the identity of the user (or service) performing the transaction.
Transfer security is implemented using the following modes:
Transport security mode:
Transport security mode relies on a transport-layer protocol, such as HTTPS (TLS), to provide integrity, confidentiality and authentication.
The advantages of transport security mode are that it is supported on virtually all platforms and is fast, because the work is done by the transport stack.
The disadvantages are that not every transport has a secure variant, and protection is point-to-point: it ends at the first hop (for example a reverse proxy or load balancer), so intermediaries see the plain message.
Message security mode:
In this mode security is applied to the SOAP (Simple Object Access Protocol) envelope itself using WS-Security: the SOAP data is signed and encrypted by the sender and verified and decrypted by the receiver.
The advantages are that it is transport-protocol independent and end-to-end: the message stays protected across intermediaries and over transports that have no secure variant, on any platform that implements WS-Security.
The disadvantage is that it is considerably slower than transport security mode, because the XML signing and encryption is done in software for every message.
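The following is an added example, not code from the original page, showing the two modes above configured on a WSHttpBinding. The contract, the service addresses and the certificate subject name "localhost" are assumptions for illustration.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;

// Added example, not code from the original page: transport mode and message
// mode on WSHttpBinding. Contract, addresses and the certificate subject name
// "localhost" are assumptions for illustration.
[ServiceContract]
public interface IBankService
{
    [OperationContract] string Transfer(string toAccount, decimal amount);
}

public class BankService : IBankService
{
    public string Transfer(string toAccount, decimal amount) { return "moved " + amount + " to " + toAccount; }
}

public static class TransferSecurityDemo
{
    // Transport mode: TLS on the channel gives integrity, confidentiality and
    // server authentication. It is hop-by-hop: protection ends at the first TLS
    // terminator (for example a reverse proxy), which then sees the plain SOAP.
    public static WSHttpBinding TransportMode()
    {
        var binding = new WSHttpBinding(SecurityMode.Transport);
        // Client authenticates to the transport. Basic sends the password in the
        // clear inside the TLS tunnel, so it is only acceptable over HTTPS.
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Basic;
        return binding;
    }

    // Message mode: WS-Security signs and encrypts the SOAP envelope itself, so
    // protection is end-to-end and survives plain-HTTP hops and intermediaries.
    public static WSHttpBinding MessageMode()
    {
        var binding = new WSHttpBinding(SecurityMode.Message);
        // The client credential travels inside the encrypted envelope.
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        // Negotiate a session key once and use symmetric crypto afterwards instead
        // of asymmetric operations per message; this recovers part of the cost.
        binding.Security.Message.EstablishSecurityContext = true;
        return binding;
    }

    public static void Main()
    {
        var host = new ServiceHost(typeof(BankService));

        // HTTPS endpoint: an SSL certificate must already be bound to port 8443 (assumed).
        host.AddServiceEndpoint(typeof(IBankService), TransportMode(), "https://localhost:8443/bank");

        // Plain HTTP endpoint: the envelope is protected even though the transport is not.
        host.AddServiceEndpoint(typeof(IBankService), MessageMode(), "http://localhost:8080/bank");

        // Message mode needs a service certificate: the client encrypts to it and
        // uses it to authenticate the service.
        host.Credentials.ServiceCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My, X509FindType.FindBySubjectName, "localhost");

        host.Open();
        Console.WriteLine("Listening; press Enter to stop.");
        Console.ReadLine();
        host.Close();
    }
}
```

In practice the common compromise is SecurityMode.TransportWithMessageCredential: TLS protects the channel (fast, interoperable) while the client credential is carried inside the SOAP envelope, so the service authenticates the caller without the per-message XML encryption cost of full message security.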
2. Access control
Description
Access control is the same as authorization. Authorization is the process of deciding whether an authenticated user has the right to access the requested resource or invoke the requested operation.
3. Auditing:
Description
In auditing, an event log is maintained on the WCF service side. It records the identity of the client, the times at which the client authenticated (logged in and out), which operations the client invoked and whether each was allowed or denied. Since the audit trail is what lets you reconstruct what a caller actually did after the fact, it must be protected from the clients it records.
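The following is an added example, not code from the original page, showing access control (authorization) and auditing together on one service host. The contract, the "Tellers" group name and the address are assumptions for illustration.

```csharp
using System;
using System.Security.Permissions;
using System.ServiceModel;
using System.ServiceModel.Description;

// Added example, not code from the original page: authorization with
// PrincipalPermission and auditing with ServiceSecurityAuditBehavior.
// Contract, the "Tellers" role and the address are assumptions.
[ServiceContract]
public interface IBankService
{
    [OperationContract] decimal GetBalance(string account);
    [OperationContract] string Transfer(string toAccount, decimal amount);
}

public class BankService : IBankService
{
    // Any authenticated caller may read; anonymous callers get an access-denied
    // fault before the method body runs.
    [PrincipalPermission(SecurityAction.Demand, Authenticated = true)]
    public decimal GetBalance(string account) { return 100m; }

    // Only members of the Tellers group may move money. The caller is already
    // authenticated at this point; this is the authorization decision.
    [PrincipalPermission(SecurityAction.Demand, Role = "Tellers")]
    public string Transfer(string toAccount, decimal amount)
    {
        // The authenticated identity is also available to the code itself.
        string caller = ServiceSecurityContext.Current.PrimaryIdentity.Name;
        return caller + " moved " + amount + " to " + toAccount;
    }
}

public static class SecuredHost
{
    public static ServiceHost Create()
    {
        // Windows credentials inside the message: no service certificate needed.
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;

        var host = new ServiceHost(typeof(BankService), new Uri("http://localhost:8080/bank"));
        host.AddServiceEndpoint(typeof(IBankService), binding, "");

        // Map the authenticated Windows identity onto Thread.CurrentPrincipal so
        // PrincipalPermission can evaluate group membership.
        host.Authorization.PrincipalPermissionMode = PrincipalPermissionMode.UseWindowsGroups;

        // Auditing: log who authenticated and which calls were allowed or denied.
        var audit = new ServiceSecurityAuditBehavior
        {
            AuditLogLocation = AuditLogLocation.Application,
            MessageAuthenticationAuditLevel = AuditLevel.SuccessOrFailure,
            ServiceAuthorizationAuditLevel = AuditLevel.SuccessOrFailure,
            // Fail the operation if the audit record cannot be written, so nobody
            // can act unrecorded by making the log unavailable.
            SuppressAuditFailure = false
        };
        host.Description.Behaviors.Remove<ServiceSecurityAuditBehavior>();
        host.Description.Behaviors.Add(audit);
        return host;
    }

    public static void Main()
    {
        var host = Create();
        host.Open();
        Console.WriteLine("Listening; press Enter to stop.");
        Console.ReadLine();
        host.Close();
    }
}
```

AuditLogLocation.Security writes to the Windows Security log instead, which ordinary users cannot clear, but the service account then needs the "Generate security audits" privilege; AuditLogLocation.Application is the choice that works without extra rights.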
Authentication Patterns
Description
WCF services support two authentication patterns.
Direct authentication
Brokered authentication
Direct Authentication
Conceptual figure
Description
The client sends the request to the WCF service together with its identity (user ID, password).
The WCF service verifies these credentials itself and, if they are valid, generates a security token for the client.
The WCF service responds to the client with this security token, which the client attaches to subsequent requests.
The disadvantage of direct authentication is that the WCF service itself must hold (or reach) the credential store, verify the user credentials and generate the security token for every client interaction (every new session); with several services, each one repeats this work.
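The following is an added example, not code from the original page, of direct authentication in WCF: a custom UserNamePasswordValidator that the service runs against its own user store. The user store (one constructed account), the address and the certificate subject name "localhost" are assumptions for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

// Added example, not code from the original page. Direct authentication: the
// service itself checks the user ID and password the client sends. The user
// store, address and certificate subject name are constructed for illustration.
[ServiceContract]
public interface IBankService
{
    [OperationContract] string Transfer(string toAccount, decimal amount);
}

public class BankService : IBankService
{
    public string Transfer(string toAccount, decimal amount)
    { return ServiceSecurityContext.Current.PrimaryIdentity.Name + " moved " + amount + " to " + toAccount; }
}

// WCF calls Validate for the UserName token that opens each security session.
public class BankUserValidator : UserNamePasswordValidator
{
    const int Iterations = 100000;  // PBKDF2 work factor
    readonly Dictionary<string, byte[][]> users = new Dictionary<string, byte[][]>();
    readonly byte[][] dummy;        // used for unknown users so the KDF still runs

    public BankUserValidator()
    {
        // Constructed store: {salt, PBKDF2-HMAC-SHA1 hash}; never cleartext passwords.
        Add("alice", "correct horse battery staple");
        dummy = new[] { new byte[16], Derive("placeholder", new byte[16]) };
    }

    void Add(string user, string password)
    {
        var salt = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        users[user] = new[] { salt, Derive(password, salt) };
    }

    static byte[] Derive(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations)) return kdf.GetBytes(32);
    }

    public override void Validate(string userName, string password)
    {
        byte[][] record = null;
        bool known = userName != null && users.TryGetValue(userName, out record);
        if (!known) record = dummy;  // same cost for unknown users: timing does not reveal who exists
        bool ok = FixedTimeEquals(Derive(password ?? "", record[0]), record[1]) && known;
        // One failure message for "no such user" and "wrong password".
        if (!ok) throw new SecurityTokenException("Unknown user name or incorrect password.");
    }

    // Constant-time compare: do not leak how many leading bytes matched.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

public static class DirectAuthHost
{
    public static void Main()
    {
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        // Secure conversation: credentials are verified once per session and a
        // security context token protects the following messages, which removes
        // most of the per-interaction re-verification cost noted above.
        binding.Security.Message.EstablishSecurityContext = true;

        var host = new ServiceHost(typeof(BankService), new Uri("http://localhost:8080/bank"));
        host.AddServiceEndpoint(typeof(IBankService), binding, "");

        // Replace the default Windows-account check with the custom validator.
        host.Credentials.UserNameAuthentication.UserNamePasswordValidationMode = UserNamePasswordValidationMode.Custom;
        host.Credentials.UserNameAuthentication.CustomUserNamePasswordValidator = new BankUserValidator();

        // Certificate the client encrypts the credential to (assumed installed as "localhost").
        host.Credentials.ServiceCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My, X509FindType.FindBySubjectName, "localhost");

        host.Open();
        Console.WriteLine("Listening; press Enter to stop.");
        Console.ReadLine();
        host.Close();
    }
}
```

The validator throws SecurityTokenException rather than returning false: WCF treats the exception as an authentication failure and the client receives a generic fault, so the service never confirms whether the user name was the part that was wrong.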
Brokered Authentication
Description
In this pattern the WCF service does not check the client's credentials itself and is not responsible for issuing the security token; instead it relies on a separate application known as the broker (in WCF terms a security token service, STS).
Conceptual figure
1. The client sends a request to the broker application together with its identity (user ID, password).
2. The broker application verifies whether the client identity is valid.
3. If it is, the broker issues a security token and delivers it to the client.
4. The client sends its request to the WCF service together with the security token issued by the broker; the password itself is never sent to the service.
5. The WCF service validates the security token: the broker's signature, the token's validity period and whether it was issued for this service.
6. If the token is valid, the service processes the request and delivers the response to the client.
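The following is an added example, not code from the original page, of the brokered pattern in WCF using a federation binding, with a security token service (STS) as the broker. The STS itself is not implemented here; its address, the service address, the certificate subject names and the user account are assumptions for illustration.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

// Added example, not code from the original page: brokered authentication with
// an STS as the broker. The STS at the assumed address is not implemented here;
// addresses, certificate subject names and the user account are assumptions.
[ServiceContract]
public interface IBankService
{
    [OperationContract] string Transfer(string toAccount, decimal amount);
}

public class BankService : IBankService
{
    public string Transfer(string toAccount, decimal amount)
    { return ServiceSecurityContext.Current.PrimaryIdentity.Name + " moved " + amount + " to " + toAccount; }
}

public static class BrokeredAuth
{
    // Shared by client and service: "accept a token issued by this STS" instead
    // of "accept a user name and password".
    public static WS2007FederationHttpBinding FederationBinding()
    {
        var binding = new WS2007FederationHttpBinding(WSFederationHttpSecurityMode.Message);
        var msg = binding.Security.Message;
        // Steps 1-3: where the client obtains the token and how it authenticates there.
        msg.IssuerAddress = new EndpointAddress("https://sts.example.test/issue");
        var issuerBinding = new WS2007HttpBinding(SecurityMode.TransportWithMessageCredential);
        issuerBinding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        msg.IssuerBinding = issuerBinding;
        msg.IssuedTokenType = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0";
        return binding;
    }

    // Service side (step 5): validate the broker's token. The service never sees
    // the password; it checks the STS signature and that the token is meant for it.
    public static ServiceHost CreateServiceHost()
    {
        var host = new ServiceHost(typeof(BankService), new Uri("http://localhost:8080/bank"));
        host.AddServiceEndpoint(typeof(IBankService), FederationBinding(), "");

        var issued = host.Credentials.IssuedTokenAuthentication;
        // Only tokens signed by the known STS certificate are accepted ...
        issued.CertificateValidationMode = X509CertificateValidationMode.ChainTrust;
        issued.KnownCertificates.Add(LoadCert("sts.example.test"));
        // ... and only if issued for this service, so a token obtained for another
        // application cannot be replayed here.
        issued.AudienceUriMode = AudienceUriMode.Always;
        issued.AllowedAudienceUris.Add("http://localhost:8080/bank");

        host.Credentials.ServiceCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My, X509FindType.FindBySubjectName, "localhost");
        return host;
    }

    // Client side (steps 1-4): the channel factory sends the user name and password
    // to the STS over the issuer binding and the issued token to the service.
    public static IBankService CreateClient(string user, string password)
    {
        var factory = new ChannelFactory<IBankService>(
            FederationBinding(), new EndpointAddress("http://localhost:8080/bank"));
        factory.Credentials.UserName.UserName = user;
        factory.Credentials.UserName.Password = password;
        return factory.CreateChannel();
    }

    public static void Main()
    {
        var host = CreateServiceHost();
        host.Open();
        Console.WriteLine(CreateClient("alice", "correct horse battery staple").Transfer("X-1234", 50m));
        host.Close();
    }

    static X509Certificate2 LoadCert(string subject)
    {
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            var found = store.Certificates.Find(X509FindType.FindBySubjectName, subject, false);
            if (found.Count == 0) throw new InvalidOperationException("certificate not found: " + subject);
            return found[0];
        }
        finally { store.Close(); }
    }
}
```

The audience check is the part most often left out: without AudienceUriMode.Always, any valid token the STS issued for some other relying party would be accepted by this service, which turns the broker into a single credential for every application it serves.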