WCF NetTcpBinding security - how does it work?

Posted 2024-08-26 12:41:53 · 764 characters · 16 views · 0 comments


I am encountering the following problems trying to work through the quagmire of settings in WCF...

I created a WCF client-server service using a NetTcp binding. I didn't make any changes to the security settings and when running on one machine it works very nicely. However, when I ran my client from another machine it complained that the server didn't like the security credentials that were sent.

I understand now that NetTCP is "secured" by default and that my client would have been passing the wrong security details - namely the Windows user name and password (or some form of domain authentication) - to my server, which, as they are not running on the same domain, it would not have liked.

However, what I don't understand is as follows:

I haven't specified any security in my binding - do the standard settings expect a Windows user name or password to be sent?

I don't have any certificate installed on my server - I understand that NetTCP bindings need some form of public/private key to protect the credentials - yet this seemed to work when both client and server were on the same machine - how was the data getting encrypted? Or was it as WCF knew it was on the same machine and encryption isn't needed?

I have had to set my security mode on my client and server to "none" now and they connect nicely. However is there a way to encrypt my data without a certificate?

Finally... what is the difference between Transport and Message security?

To check my understanding (excuse the scenario!): message security is like if I sent a letter from person A to person B and I encode my handwriting to ensure that if anyone intercepts it they cannot read it? Transport security is if I decide to have my letter sent by armed transport so that no one can get at it along the way?

Is it possible to have any form of encryption in WCF without a certificate? My project is a private project and I don't want to purchase a certificate and the data isn't that sensitive anyway so it's just for my own knowledge.


Comments (1)

怀里藏娇 2024-09-02 12:41:54


The default client credential type for NetTcpBinding is Windows Authentication. For Windows Authentication to work both client and server must be in the same domain, or mutually trusting domains (which in your case you do not have).

If both client and server were on the same domain, WCF would handle the mechanics of Windows Authentication "behind the scenes". And when both client and server are on the same machine they are effectively within the same domain, so Windows can use its own mechanisms to handle the encryption and decryption. It will only do this within mutually trusting domains, though.

If you don't have mutually trusting client and server domains, then the client and server must have some other way to determine if they trust each other with their keys. That's where certificates come in. The client and the server have their own certificates (or the server can issue the client a certificate).

Transport security is like encrypting the outside of the envelope as well as the inside. The downside is if you have to pass the envelope to someone outside your own organization, they need a decryption key just to know where the envelope is supposed to go--now they can read the message in the envelope also. On the other hand, transport security is faster--it requires less security overhead data getting passed along with your envelope.

Message security encrypts your message, but the envelope can be read by the postal workers (the internet and its routers). Only the source and the destination have the keys to decrypt the message, but the intermediaries can properly route your message.

To summarize: to use encryption over the NetTcpBinding both client and server must be within a domain (or mutually trusting domains) or you must have a key exchanging certificate.


Edit: I was asked for some example code--here is a binding element in XAML. It would normally be placed within a netTcpBinding element.

<binding name="Secure" listenBacklog="4000" receiveTimeout="00:20:00" sendTimeout="00:20:01" 
   maxReceivedMessageSize="2147483647" maxConnections="200" portSharingEnabled="true">
   <!-- ~2 GB -->
   <readerQuotas maxStringContentLength="2147483647"/>
   <!-- ~2 GB max string content length -->
   <security mode="Message">
      <transport clientCredentialType="None" protectionLevel="EncryptAndSign"/>
      <message clientCredentialType="None"/>
   </security>
</binding>

The important part is the security element. For transport security one would change the mode attribute to "Transport". More than likely the clientCredentialType would not be "None" but rather "Certificate", "Ntlm", or "Windows" depending on the context.
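As an added example (not code from the question or the answer above), here are the three configurations this thread discusses, expressed in C# for a self-hosted service rather than in a config file: the binding's untouched defaults (Transport mode with Windows credentials, which is what rejected the client from the other domain), SecurityMode.None (what the asker fell back to, with nothing authenticated or encrypted on the wire), and Transport mode keyed by a server certificate with no client credential, which gives encryption without any domain trust. The port, the certificate subject name "wcf-demo-server" and the WhoAmI contract are assumptions; for the third scenario the certificate must exist in the machine's personal store (and, if self-signed, in the client's TrustedPeople store, since the client is set to PeerTrust rather than the default ChainTrust).

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

// The three NetTcpBinding security set-ups discussed in the thread.
enum Scenario { DefaultWindows, NoSecurity, TransportWithCertificate }

[ServiceContract]
public interface ISecurityProbe
{
    [OperationContract]
    string WhoAmI();
}

public class SecurityProbe : ISecurityProbe
{
    // Reports the identity WCF established for the caller. With SecurityMode.None
    // the incoming message carries no security property, so the context can be null.
    public string WhoAmI()
    {
        ServiceSecurityContext ctx = ServiceSecurityContext.Current;
        if (ctx == null || ctx.IsAnonymous)
            return "anonymous caller (no credentials were authenticated)";
        return ctx.PrimaryIdentity.AuthenticationType + ": " + ctx.PrimaryIdentity.Name;
    }
}

static class Program
{
    // Assumed subject name of a server certificate in LocalMachine\My (hypothetical).
    const string ServerCertSubject = "wcf-demo-server";

    static NetTcpBinding BuildBinding(Scenario s)
    {
        // Untouched default: Mode=Transport, Transport.ClientCredentialType=Windows, EncryptAndSign.
        var binding = new NetTcpBinding();
        switch (s)
        {
            case Scenario.DefaultWindows:
                // Nothing changed. Keys come from the Windows logon session (Kerberos/NTLM),
                // so it works on one machine or one domain and fails across untrusted domains.
                break;
            case Scenario.NoSecurity:
                // The asker's fallback: plain TCP, no authentication, no encryption.
                binding.Security.Mode = SecurityMode.None;
                break;
            case Scenario.TransportWithCertificate:
                // TLS on the TCP stream, keyed by the server certificate; no domain needed.
                binding.Security.Mode = SecurityMode.Transport;
                binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.None;
                binding.Security.Transport.ProtectionLevel = System.Net.Security.ProtectionLevel.EncryptAndSign;
                break;
        }
        return binding;
    }

    static void Main(string[] args)
    {
        Scenario scenario = args.Length > 0
            ? (Scenario)Enum.Parse(typeof(Scenario), args[0], true)
            : Scenario.DefaultWindows;
        NetTcpBinding binding = BuildBinding(scenario);
        Console.WriteLine("Mode={0} TransportCredential={1} MessageCredential={2}",
            binding.Security.Mode,
            binding.Security.Transport.ClientCredentialType,
            binding.Security.Message.ClientCredentialType);

        var address = new Uri("net.tcp://localhost:8731/probe"); // constructed address
        using (var host = new ServiceHost(typeof(SecurityProbe), address))
        {
            host.AddServiceEndpoint(typeof(ISecurityProbe), binding, "");
            if (scenario == Scenario.TransportWithCertificate)
            {
                host.Credentials.ServiceCertificate.SetCertificate(
                    StoreLocation.LocalMachine, StoreName.My,
                    X509FindType.FindBySubjectName, ServerCertSubject);
            }
            host.Open();

            // The client checks the server certificate's subject against the endpoint's
            // DNS identity, so the identity must name the certificate, not the host name.
            EndpointAddress endpoint = scenario == Scenario.TransportWithCertificate
                ? new EndpointAddress(address, EndpointIdentity.CreateDnsIdentity(ServerCertSubject))
                : new EndpointAddress(address);
            var factory = new ChannelFactory<ISecurityProbe>(binding, endpoint);
            if (scenario == Scenario.TransportWithCertificate)
            {
                // A self-signed certificate has no trusted chain; PeerTrust accepts it once it is
                // in the client's TrustedPeople store, while still verifying it is that exact certificate.
                factory.Credentials.ServiceCertificate.Authentication.CertificateValidationMode =
                    X509CertificateValidationMode.PeerTrust;
            }

            ISecurityProbe client = factory.CreateChannel();
            Console.WriteLine("Server sees: " + client.WhoAmI());
            ((IClientChannel)client).Close();
            factory.Close();
        }
    }
}
```

Run it with no argument to see the default binding report Windows credentials and the service echo the caller's Windows identity; with `NoSecurity` the service sees an anonymous caller and nothing on the wire is protected; with `TransportWithCertificate` the stream is encrypted under the server certificate and the service still sees an anonymous caller, because encryption of the transport and authentication of the client are separate choices on the binding.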
