
I have a .NET 4.0 project with two modules that will communicate via WCF services and I'd like to implement a custom encryption mechanism.

My scenario:

  • I control both endpoints (client and server) but not the connection between them
  • Windows auth is out of the question, since I do not know at this point where the modules will be deployed and most likely they'll be on different domains
  • I'd like to intercept the messages at some point and apply a custom encryption/decryption with a key that will be properly configured on both the server and the client, so if someone manages to intercept a message they wouldn't be able to decrypt it.
  • I'd like to exchange data using binary serialization
  • I don't want to deal with setting up certificates on either the client or server side

Can anyone point out what would be the most obvious solution to implement this scenario using WCF?

Cristian Lupascu

1 Answer


I would say that you don't want security - a static key for encrypting messages with a symmetric encryption algorithm is just a notion of security.

Anyway, if you want to do that, there really are extension points which will allow you to do that on many different levels.

  • Encrypting the whole message - that would require a custom message encoder, which can be quite hard to write.
  • Encrypting the body of the message - you can write a custom IMessageInspector which will deal with encryption and decryption of the message body. Headers will still be in plain text, which is necessary unless you want to change many other things in WCF processing. You can wrap the inspector in a custom IEndpointBehavior and use it either imperatively in the code or declaratively in the configuration (you will also need to implement a custom BehaviorExtensionElement).
  • Encrypting only some operations marked with a custom IOperationBehavior, or some data marked with an IContractBehavior behavior, and using IParameterInspector to decrypt and encrypt values.

You have control over both client and server - use certificates instead of fake security.

Ladislav Mrnka
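The answer's closing recommendation, as an added configuration example that is not part of the original question or answer: a service-side WCF config that keeps binary encoding on the wire (netTcpBinding, matching the binary-serialization requirement) and needs no Windows authentication, yet authenticates and encrypts the channel with certificates instead of a shared static key. The service type Demo.OrderService, the contract Demo.IOrderService, the address and the certificate subject names are assumptions.

```xml
<!-- Service-side app.config fragment (added example). Assumes the service
     certificate (with private key) is in LocalMachine\My and the client's
     public certificate has been copied into LocalMachine\TrustedPeople. -->
<system.serviceModel>
  <bindings>
    <netTcpBinding>
      <!-- netTcpBinding uses the binary message encoder -->
      <binding name="certSecured">
        <!-- Transport mode: TLS on the TCP channel with mutual certificate
             authentication; no Kerberos/domain dependency either side -->
        <security mode="Transport">
          <transport clientCredentialType="Certificate" />
        </security>
      </binding>
    </netTcpBinding>
  </bindings>

  <services>
    <service name="Demo.OrderService" behaviorConfiguration="certCreds">
      <endpoint address="net.tcp://localhost:8731/orders"
                binding="netTcpBinding"
                bindingConfiguration="certSecured"
                contract="Demo.IOrderService" />
    </service>
  </services>

  <behaviors>
    <serviceBehaviors>
      <behavior name="certCreds">
        <serviceCredentials>
          <!-- The certificate the service presents to clients -->
          <serviceCertificate findValue="CN=orders-service"
                              storeLocation="LocalMachine"
                              storeName="My"
                              x509FindType="FindBySubjectDistinguishedName" />
          <!-- PeerTrust: accept only client certificates explicitly placed
               in TrustedPeople, rather than anything chained to an
               installed CA; the key never leaves the client's store -->
          <clientCertificate>
            <authentication certificateValidationMode="PeerTrust" />
          </clientCertificate>
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
  </behaviors>
</system.serviceModel>
```

The client mirrors this with an endpoint behavior whose clientCredentials names its own certificate under clientCertificate and sets serviceCertificate/authentication to PeerTrust against the service's public certificate in its TrustedPeople store.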