I want to create new WCF service and client. The 2 parties will communicate using 2-way SSL.

I want to use the SSL only for the authentication phase. After this authentication, the encryption is not necessary. Can I configure my service (and client) to use SSL only for authentication and leave the connection unencrypted (performance issue)?

abatishchev
Matan

2 Answers

1

Why would you want to leave the connection unencrypted after authentication?

The username and password will be passed via the network one way or another so you should consider encrypting the connection all the time to avoid leaking that information.

Edit: If you are using a certificate it has to be encrypted all the time, since I know you can't do authentication with a certificate and then get back to simple HTTP. WCF needs to authenticate the client for every request (if it weren't like that, a client could get a certificate for a moment, then delete it and use your WCF service like nothing happened, because authentication would not be needed anymore, which is abnormal in your situation).

g t
Harry89pl
  • Why should I transfer the user and pass? We do not have this information at all. I just want the services (without users) to trust each other. – Matan Jun 18 '12 at 09:32
  • The certificates are the credentials. – Matan Jun 18 '12 at 09:32
  • @Mattan Why should the users continue to trust each other after the certificate exchange if the transport isn't encrypted? Where's the protection against MITM? – user207421 Jun 18 '12 at 10:43
  • Yes, I understand that it gives me much less security, but I think that because we have a performance issue, we cannot encrypt the transport layer. Anyway, I think that providing SSL authentication only is better than simple HTTP. It is not protected against MITM but it is protected against other threats. – Matan Jun 18 '12 at 10:54
1

If you want to perform authentication with a client certificate (what I presume you mean with "2-way" SSL), you could use a cipher suite with NULL encryption, e.g. TLS_RSA_WITH_NULL_SHA.

Otherwise, if your authentication scheme is part of the application layer on top of SSL/TLS, you should certainly consider using encryption.

Note that using TLS_RSA_WITH_NULL_SHA will still proceed with the RSA key exchange in the handshake (even if no shared encryption key is actually used in the end). The SSL/TLS handshake is the most computationally intensive part of using SSL/TLS. The actual encryption shouldn't impact the performance nearly as much, so you might as well leave it on.

Bruno
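As an added example (not part of the answer above, nor code from WCF or any project): a small Python audit of IANA-style cipher-suite names that makes the trade-off in this thread concrete. It parses a name such as TLS_RSA_WITH_NULL_SHA into its key-exchange, authentication, bulk-cipher and MAC parts and reports that the suite offers no confidentiality, while still requiring the RSA key exchange in the handshake that the answer identifies as the expensive part. It goes beyond the single suite named in the answer: anonymous, export-grade, weak-cipher, weak-MAC and non-forward-secret suites are flagged as well, and TLS 1.3 names (which carry no key-exchange part) are handled. The sample suite list is constructed, and the issue codes, helper names and the `SuiteProfile` type are my own.

```python
"""Audit TLS cipher-suite names (IANA form) for missing confidentiality and other weaknesses.

Added example; the parser, issue codes and sample data below are assumptions of this
example, not anything from WCF or from the original answer.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# IANA names look like TLS_<kx>_<auth>_WITH_<cipher>_<mac>; TLS 1.3 names omit the
# "<kx>_<auth>_WITH_" part because key exchange is negotiated separately.
_SUITE_RE = re.compile(r"^TLS_(?:(?P<kxa>[A-Za-z0-9_]+?)_WITH_)?(?P<rest>[A-Za-z0-9_]+)$")
_FORWARD_SECRET_KX = {"ECDHE", "DHE"}          # static RSA/DH/ECDH/PSK key exchange is not forward secret
_WEAK_CIPHER_PREFIXES = ("RC4", "RC2", "DES", "3DES", "IDEA")  # broken or 64-bit-block ciphers
_WEAK_MACS = {"MD5"}


@dataclass(frozen=True)
class SuiteProfile:
    name: str
    key_exchange: Optional[str]  # None for TLS 1.3 suites
    auth: Optional[str]          # None for TLS 1.3 suites; "anon" for anonymous suites
    cipher: str                  # bulk cipher, e.g. "AES_128_GCM", or "NULL" for no encryption
    mac: str                     # MAC / PRF hash token, e.g. "SHA" (SHA-1) or "SHA256"
    export: bool
    issues: Tuple[str, ...]

    @property
    def confidential(self) -> bool:
        """True only if the suite actually encrypts application data."""
        return self.cipher != "NULL"


def parse_iana_suite(name: str) -> SuiteProfile:
    """Split an IANA cipher-suite name into its components and attach issue codes."""
    m = _SUITE_RE.match(name.strip())
    if not m:
        raise ValueError(f"not an IANA-style cipher suite name: {name!r}")
    # The last underscore-separated token of the tail is the MAC/PRF hash; the rest is the cipher.
    cipher, _, mac = m.group("rest").rpartition("_")
    if not cipher:
        raise ValueError(f"cannot split cipher and MAC in {name!r}")

    kxa = m.group("kxa")
    export = False
    if kxa is None:
        kx = auth = None                          # TLS 1.3 suite
    else:
        parts = kxa.split("_")                    # "ECDHE_RSA" -> ["ECDHE", "RSA"], "RSA" -> ["RSA"]
        export = "EXPORT" in parts                # "RSA_EXPORT" marks a 1990s export-grade suite
        parts = [p for p in parts if p != "EXPORT"]
        kx = parts[0]
        auth = parts[1] if len(parts) > 1 else parts[0]  # "RSA" alone means RSA kx and RSA auth

    issues: List[str] = []
    if cipher == "NULL":
        issues.append("NULL_ENCRYPTION")          # peer authenticated, but payload is plaintext
    if auth == "anon":
        issues.append("ANON_AUTH")                # no peer authentication at all
    if export:
        issues.append("EXPORT_GRADE")
    if cipher.startswith(_WEAK_CIPHER_PREFIXES):
        issues.append("WEAK_CIPHER")
    if mac in _WEAK_MACS:
        issues.append("WEAK_MAC")
    if kx is not None and kx not in _FORWARD_SECRET_KX:
        issues.append("NO_FORWARD_SECRECY")       # a leaked server key decrypts recorded sessions
    return SuiteProfile(name, kx, auth, cipher, mac, export, tuple(issues))


def audit(suites: List[str]) -> Dict[str, Tuple[str, ...]]:
    """Return only the suites that have issues, mapped to their issue codes."""
    report: Dict[str, Tuple[str, ...]] = {}
    for s in suites:
        profile = parse_iana_suite(s)
        if profile.issues:
            report[profile.name] = profile.issues
    return report


# Constructed sample: what a scanner might report a server as offering.
SAMPLE_SUITES = [
    "TLS_RSA_WITH_NULL_SHA",                 # the suite named in the answer above
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",                # TLS 1.3
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DH_anon_WITH_AES_128_CBC_SHA",
]

if __name__ == "__main__":
    for suite, codes in audit(SAMPLE_SUITES).items():
        print(f"{suite}: {', '.join(codes)}")
```

Running the block prints one line per flagged suite; `TLS_RSA_WITH_NULL_SHA` comes out with both `NULL_ENCRYPTION` and `NO_FORWARD_SECRECY`, which is the practical summary of the thread: the NULL suite removes the cheap part (bulk encryption) and keeps the expensive part (the RSA handshake), so the performance argument for it is weak.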