- Web Services Security at Transport Level and Message Level
Web Services
There are two ways to secure Web services:
Transport level security, such as HTTP Basic/Digest authentication and SSL/TLS, is the usual "first line of defence": securing the channel protects every message that crosses it without any change to the service itself. The trade-off is transport dependency (the Web service becomes tightly coupled to the network transport layer), and the protection ends at each endpoint of the connection.
Message level security, such as WS-Security, SAML, XML Digital Signatures, and XML
TRANSPORT LEVEL                              MESSAGE LEVEL
Uses SSL/TLS                                 Does not rely on SSL/TLS (can be layered on top of it)
Point-to-point: protects the "pipe"          End-to-end: protects the message itself
Does not work with intermediaries            Intended to work with intermediaries
Ubiquitous                                   Standards still under development
Transport Level Security
Secure Sockets Layer (SSL) is a protocol originally developed by Netscape for transmitting private documents over the Internet, and for years it was the industry-accepted protocol for encrypted communication over TCP/IP; it has since been superseded by TLS, and the SSL versions themselves are deprecated. The protocol provides transport layer security, that is authenticity, integrity, and confidentiality, for communication across the wire. It uses public-key cryptography, with a public key that may be known to everyone and a private key known only to its owner, to authenticate the server and agree on a session key during the handshake; the application data itself is then encrypted with symmetric keys derived from that session key, which is far faster than public-key operations.
Transport Layer Security (TLS) is a security protocol from the IETF that
Message Level Security
Message level security is an application layer service: it protects the message data itself as it travels between applications. It is typically most useful for:
Solutions that
Solutions for which application-level security is important, that is, solutions whose normal message paths include flows over multiple nodes, perhaps connected with different protocols. Message-level security manages trust at the application level, so the protection does not depend on any one transport and survives being forwarded over a different protocol. It does not make transport security redundant: TLS still hides the unsigned parts of the message, and the traffic metadata, from anyone watching a given hop.
There are several standards for securing Web services at the XML level. They are:
XML Encryption
XML Digital Signature
XKMS (XML Key Management Specification)
SAML (Security Assertion Markup Language)
SSL Limitations
SSL secures communication at the transport level rather than at the message level. As a result, SSL does not provide element-wise signing and encryption. For example, if you have a large purchase order XML document and want to sign or encrypt only the credit card element, SSL cannot do that: it encrypts the whole byte stream between two endpoints, and once the stream is decrypted at the receiving end nothing in the document remains signed or encrypted. Again, that is
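The element-wise protection that SSL lacks, and the intermediary case raised in the comparison above, are easier to see in code. The following is an added example, not code from the original page or from xyzws.com: it signs only the <CreditCard> element of a constructed purchase order with an HMAC over the element's canonical form, then shows that an intermediary can add routing data and re-serialise the document without breaking the signature, while any change to the card number is detected. Real XML Signature uses a ds:Signature element with Reference/DigestValue and normally an asymmetric key; the <Signature ref="..."> element, the shared key and the sample document here are constructed stand-ins. Requires Python 3.8+ for xml.etree.ElementTree.canonicalize.

```python
import base64
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed sample purchase order: a large document of which only the
# <CreditCard> element needs protection.
PURCHASE_ORDER = """<PurchaseOrder id="PO-1001">
  <Items>
    <Item sku="A1" qty="2"/>
    <Item sku="B7" qty="1"/>
  </Items>
  <Payment>
    <CreditCard>
      <Number>4111111111111111</Number>
      <Expiry>12/29</Expiry>
    </CreditCard>
  </Payment>
  <Routing>
    <Hop>client</Hop>
  </Routing>
</PurchaseOrder>"""

SIG_TAG = "Signature"  # hypothetical envelope element, not the real ds:Signature


def canonical_bytes(elem):
    """Serialise one subtree in canonical form (C14N 2.0, whitespace-only text
    stripped) so that re-serialisation by a hop does not change the signed bytes.
    The tail text belongs to the parent element, so it is dropped first."""
    subtree = copy.deepcopy(elem)
    subtree.tail = None
    xml = ET.tostring(subtree, encoding="unicode")
    return ET.canonicalize(xml, strip_text=True).encode("utf-8")


def sign_element(doc_xml, path, key):
    """Attach a detached MAC over the element at `path` (ElementPath syntax)
    as a <Signature ref=path> child of the root. Nothing else is touched."""
    root = ET.fromstring(doc_xml)
    target = root.find(path)
    if target is None:
        raise ValueError(f"no element at {path}")
    mac = hmac.new(key, canonical_bytes(target), hashlib.sha256).digest()
    sig = ET.SubElement(root, SIG_TAG)
    sig.set("ref", path)
    sig.text = base64.b64encode(mac).decode("ascii")
    return ET.tostring(root, encoding="unicode")


def verify_element(doc_xml, key):
    """Recompute the MAC over the referenced element and compare in constant
    time. Returns False if the signature or its target is missing or altered."""
    root = ET.fromstring(doc_xml)
    sig = root.find(SIG_TAG)
    if sig is None or sig.get("ref") is None or not sig.text:
        return False
    target = root.find(sig.get("ref"))
    if target is None:
        return False
    expected = hmac.new(key, canonical_bytes(target), hashlib.sha256).digest()
    try:
        presented = base64.b64decode(sig.text, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return hmac.compare_digest(expected, presented)


def intermediary_forward(doc_xml, hop_name):
    """What a legitimate intermediary does: parse, add routing data, re-serialise."""
    root = ET.fromstring(doc_xml)
    ET.SubElement(root.find("Routing"), "Hop").text = hop_name
    return ET.tostring(root, encoding="unicode")


def tamper_card_number(doc_xml, new_number):
    """What a hostile intermediary would try: change the protected element."""
    root = ET.fromstring(doc_xml)
    root.find("Payment/CreditCard/Number").text = new_number
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    key = b"shared-secret-between-client-and-service"  # constructed
    signed = sign_element(PURCHASE_ORDER, "Payment/CreditCard", key)
    forwarded = intermediary_forward(signed, "partner-gateway")
    print("after honest hop:", verify_element(forwarded, key))  # True
    tampered = tamper_card_number(forwarded, "5500000000000004")
    print("after tampering :", verify_element(tampered, key))  # False
```

The canonicalisation step is what makes this work across hops: an intermediary that parses and re-emits the document may reorder attributes or change whitespace, and signing the raw bytes instead would break on the first honest forward. Over TLS alone, by contrast, the partner gateway terminates the connection and sees, and can alter, the card number in the clear.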
https://www.xyzws.com/scdjws/WSGEN/4
- Transport Level Security Vs Message Level Security in WCF
Transport Level Security
It secures the actual transport (i.e. the pipe) over which the message passes from
Message Level Security
It secures the message itself that is being transported from
Recommended Scenarios for Transport and Message Level Security:
Transport level security does not support scenarios in which intermediaries are involved. It only supports sending a message directly from the client to the WCF service without an intermediate system. It is suited when both client and service
Transport Level Security
Advantages:
Because transport level security secures the network protocol itself, no extra coding is required
Improved performance can
Disadvantages:
Lacks support for intermediate systems, because it is point-to-point and protects the "pipe" between a single client and a service.
Message Level Security
Advantages:
As
Supports
Disadvantages:
Every individual Message
Interoperability is harder to achieve: it demands that both client and service support the WS-Security specification,
http://www.topwcftutorials.net/2014/09/transport-level-security-vs-message-level-security-wcf.html