MessageProtectionOrder Enumeration

.NET Framework Class Library

Specifies the order of operations that protect a message.

Namespace:  System.ServiceModel.Security
Assembly:  System.ServiceModel (in System.ServiceModel.dll)

 Syntax

Visual Basic (Declaration)

Public Enumeration MessageProtectionOrder

Visual Basic (Usage)

Dim instance As MessageProtectionOrder

C#

public enum MessageProtectionOrder

Visual C++

public enum class MessageProtectionOrder

JScript

public enum MessageProtectionOrder

 Members

	Member name	Description
	SignBeforeEncrypt	Specifies that a digital signature is generated for the SOAP message before any portion of the SOAP message is encrypted, but the digital signature is not encrypted.
	SignBeforeEncryptAndEncryptSignature	Specifies that a digital signature is generated for the SOAP message before any portion of the SOAP message is encrypted, and the digital signature is encrypted.
	EncryptBeforeSign	Specifies that the SOAP message is encrypted before a digital signature is generated for the SOAP message.

 Remarks

This enumeration is used with the AsymmetricSecurityBindingElement..::.MessageProtectionOrder property of the AsymmetricSecurityBindingElement and the SymmetricSecurityBindingElement..::.MessageProtectionOrder property of the SymmetricSecurityBindingElement classes.

If a message is vulnerable to a digest attack (for example, if the message is short or the entropy is low), you should use the SignBeforeEncryptAndEncryptSignature or EncryptBeforeSign option. (Entropy is random data provided by a server, a client, or both, and is used to create a shared key for encrypting and decrypting data.)

What Is Ordered?

WCF offers three different protection levels that determine how messages are secured using SOAP message security. The default is SignBeforeEncryptAndEncryptSignature. This setting first signs the message, encrypts the message body, and then encrypts the XML signature. This reduces the likelihood of a successful cryptographic guessing attack against the signature.

However, using the default has performance implications. In effect, there is a tradeoff of performance for increased security. Encrypting the signature can decrease performance between 10 percent and 40 percent. If the data content of the message is of low value, and performance throughput is more significant, use SignBeforeEncrypt. With this setting, the signature digest is sent in clear text, and thus the message is more vulnerable to guess-and-verify attacks on low entropy.

Custom Bindings Only

To change the MessageProtectionOrder property requires the creation of a custom security binding. For more information about creating custom bindings, see Creating User-defined Bindings and Binding Elements. For more information about creating a custom binding for a specific authentication mode, see How To: Create a SecurityBindingElement for a Specified Authentication Mode.

 Examples

The following example creates a SymmetricSecurityBindingElement element and sets its MessageProtectionOrder property to SignBeforeEncrypt.

Visual Basic

Public Shared Function CreateCustomBinding() As Binding 
    ' Create an empty BindingElementCollection to populate, 
    ' then create a custom binding from it.
    Dim outputBec As New BindingElementCollection()

    ' Create a SymmetricSecurityBindingElement.
    Dim ssbe As New SymmetricSecurityBindingElement()

    ' Set the algorithm suite to one that uses 128-bit keys.
    ssbe.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic128

    ' Set MessageProtectionOrder to SignBeforeEncrypt.
    ssbe.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt

    ' Use a Kerberos token as the protection token.
    ssbe.ProtectionTokenParameters = New KerberosSecurityTokenParameters()

    ' Add the SymmetricSecurityBindingElement to the BindingElementCollection.
    outputBec.Add(ssbe)
    outputBec.Add(New TextMessageEncodingBindingElement())
    outputBec.Add(New HttpTransportBindingElement())

    ' Create a CustomBinding and return it; otherwise, return null.
    Return New CustomBinding(outputBec)

End Function 

C#

public static Binding CreateCustomBinding()
{
    // Create an empty BindingElementCollection to populate, 
    // then create a custom binding from it.
    BindingElementCollection outputBec = new BindingElementCollection();

    // Create a SymmetricSecurityBindingElement.
    SymmetricSecurityBindingElement ssbe = 
        new SymmetricSecurityBindingElement();

    // Set the algorithm suite to one that uses 128-bit keys.
    ssbe.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic128;

       // Set MessageProtectionOrder to SignBeforeEncrypt.
    ssbe.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt;

    // Use a Kerberos token as the protection token.
    ssbe.ProtectionTokenParameters = new KerberosSecurityTokenParameters();

    // Add the SymmetricSecurityBindingElement to the BindingElementCollection.
    outputBec.Add ( ssbe );
    outputBec.Add(new TextMessageEncodingBindingElement());
    outputBec.Add(new HttpTransportBindingElement());

    // Create a CustomBinding and return it; otherwise, return null.
    return new CustomBinding(outputBec);
}

 Platforms

Windows 7, Windows Vista, Windows XP SP2, Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows CE, Windows Mobile for Smartphone, Windows Mobile for Pocket PC

The .NET Framework and .NET Compact Framework do not support all versions of every platform. For a list of the supported versions, see .NET Framework System Requirements.

 Version Information

.NET Framework

Supported in: 3.5, 3.0

.NET Compact Framework

Supported in: 3.5

 See Also

Reference

System.ServiceModel.Security Namespace

MessageProtectionOrder

AsymmetricSecurityBindingElement

SymmetricSecurityBindingElement

Other Resources

How To: Create a Custom Binding Using the SecurityBindingElement

Creating User-defined Bindings and Binding Elements

How To: Create a SecurityBindingElement for a Specified Authentication Mode

Encryption of Digital Signatures