Selecting Security Mode Levels for WCF Services
The binding determines which security protocol is used to protect communications. The properties that are available depend on which binding you are using.
The specific protocol that is used to deliver transport-level security depends on the binding that you choose. For example, if you select basicHttpBinding and choose transport-level security, the binding will use HTTPS. However, if you are using netTcpBinding, setting the security mode to Transport will cause WCF to use Transport Layer Security (TLS) over TCP or the Simple and Protected GSS-API Negotiation (SPNEGO). In some cases, you may have to make configuration changes to the system on which the client application or service is running, such as installing an SSL certificate.
When you select message-level protection, WCF uses the WS-Security protocols to protect the message contents that are inside the SOAP message. By default, WCF signs and encrypts message contents when you select the Message security mode.
You must assess the advantages and disadvantages of choosing message-level security or transport-level security when you design your application. For example, message-level security requires more resources and is usually slower than transport-level security, but it does secure the message end to end.
There are various algorithms that you can use to encrypt messages and create digital signatures. Each one has its own set of properties in terms of level of security and speed of execution. You can use the algorithmSuite property to set the message encryption and key-wrap algorithms. The properties of the SecurityAlgorithmSuite class expose the possible algorithms. These algorithms correspond to those that are specified in the WS-SecurityPolicy specification. The default algorithm is Basic256
The following code examples show two ways in which you can set the security mode levels for a binding.
Dim binding As New BasicHttpBinding(SecurityMode.Transport)
' Alternatively, set the mode property.
binding.Security.Mode = BasicHttpSecurityMode.Transport
BasicHttpBinding binding =
// Alternatively, set the mode property.
binding.Security.Mode = BasicHttpSecurityMode.Transport;
The following code example shows how to set message-level security by using a configuration file.
The following code examples show how to set message-level security by using a configuration file.
Dim binding As New BasicHttpBinding(SecurityMode.Message)
' or alternatively
binding.Security.Mode = BasicHttpSecurityMode.Message
' and then
binding.Security.Message.AlgorithmSuite = _
binding.Security.Message.ClientCredentialType = _
BasicHttpBinding binding =
// or alternatively
binding.Security.Mode = BasicHttpSecurityMode.Message;
// and then