Tuesday, October 22, 2019

TLS vs MLS


  • Web Services Security at Transport Level and Message Level


Web Services currently revolve around three important protocols: SOAP, WSDL and UDDI.
There are two ways to secure Web Services:

    Transport level security, such as HTTP Basic/Digest and SSL, is the usual "first line of defence": securing the transport mechanism itself makes the Web service traffic secure. The trade-off is transport dependency (Web services become more tightly coupled to the network transport layer).

    Message level security, such as WS-Security, SAML, XML Digital Signatures, and XML Encryption, can be more effective and has the added flexibility that the message can be sent over any transport.

TRANSPORT LEVEL

    Uses SSL
    Point-to-Point: Protects the "pipe"
    Does not work with Intermediaries
    Ubiquitous


MESSAGE LEVEL

    Does not use SSL
    Data Chunks are protected
    Intended to work with Intermediaries
    Standards still under development

Transport Level Security
Transport level security is based on Secure Sockets Layer (SSL) or Transport Layer Security (TLS), which runs beneath HTTP. SSL and TLS provide security features including authentication, data protection, and cryptographic token support for secure HTTP connections. To run with HTTPS, the service endpoint address must be of the form https://. The integrity and confidentiality of transport data, including SOAP messages and HTTP basic authentication credentials, is ensured when you use SSL or TLS. Web services applications can also use Federal Information Processing Standard (FIPS) approved ciphers for more secure TLS connections.

Secure Sockets Layer (SSL) is a protocol developed by Netscape for transmitting private documents over the Internet. SSL is the industry-accepted standard protocol for secured, encrypted communication over TCP/IP. The SSL protocol provides transport layer security (authenticity, integrity, and confidentiality) for secure communication across the wire. SSL uses public-key cryptography, a system with two keys: a public key known to everyone and a private or secret key known only to the recipient of the message.

Transport Layer Security (TLS) is a security protocol from the IETF that is based on the Secure Sockets Layer (SSL) 3.0 protocol developed by Netscape. TLS uses digital certificates to authenticate the user as well as to authenticate the network (in a wireless network, the user could otherwise be logging on to a rogue access point). The TLS client uses the public key from the server to encrypt a random number and sends it back to the server. That random number, combined with the random numbers the two sides previously sent each other, is used to generate a secret session key that encrypts the subsequent message exchange.

Message Level Security

Message level security is an application layer service that protects message data between applications. Message level security is typically most useful for:

    Solutions that are designed to use predominantly asynchronous queues.
    Solutions for which application level security is important; that is, solutions whose normal message paths include flows over multiple nodes, perhaps connected with different protocols. Message-level security manages trust at the application level, which means security in other layers becomes unnecessary.

For this reason, message-level security is also sometimes referred to as end-to-end security.

There are several standards for securing Web Services at the XML level:

    XML Encryption
    XML Digital Signature API
    XKMS (XML Key Management Specification)
    SAML (Security Assertion Markup Language)

SSL Limitations

    SSL is designed to provide point-to-point security, which falls short for Web services because we need end-to-end security, where multiple intermediary nodes may exist between the two endpoints. In a typical Web services environment, where XML-based business documents route through multiple intermediary nodes, it proves difficult for those intermediary nodes to participate in security operations in an integrated fashion.

    SSL secures communication at the transport level rather than at the message level. As a result, messages are protected only while in transit on the wire. For example, sensitive data on your hard disk drive is not generally protected unless you apply a separate, proprietary encryption technology.

    SSL does not provide element-wise signing and encryption. For example, if you have a large purchase order XML document but want to sign or encrypt only the credit card element, signing or encrypting only that element with SSL proves rather difficult. Again, that is because SSL is a transport-level security scheme rather than a message-level scheme.

https://www.xyzws.com/scdjws/WSGEN/4
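The element-wise signing that the last limitation says SSL cannot provide, as an added example (not from the original page or from the cited source): only the <CreditCard> element of a constructed purchase order is signed, so an intermediary that adds routing data elsewhere in the document leaves verification intact, while any change to the card element is detected. It uses an HMAC under a hypothetical shared key in place of an XML Digital Signature; the canonicalise, sign and attach structure is the same idea WS-Security uses.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed sample purchase order; not taken from any real system.
PURCHASE_ORDER = """<PurchaseOrder>
  <Item sku="ABC-123" qty="2"/>
  <CreditCard>
    <Number>4111111111111111</Number>
    <Expiry>12/27</Expiry>
  </CreditCard>
</PurchaseOrder>"""

SHARED_KEY = b"endpoint-shared-secret"  # hypothetical key shared by the two endpoints

def canonical_bytes(elem):
    # Canonical XML (C14N 2.0) so whitespace or attribute-order changes by hops do not alter the signed bytes.
    raw = ET.tostring(elem, encoding="unicode")
    return ET.canonicalize(raw, strip_text=True).encode("utf-8")

def sign_element(doc, tag, key):
    # Sign only the element named by `tag` and attach a detached <Signature> that references it.
    root = ET.fromstring(doc)
    mac = hmac.new(key, canonical_bytes(root.find(tag)), hashlib.sha256).hexdigest()
    sig = ET.SubElement(root, "Signature", {"for": tag, "alg": "hmac-sha256"})
    sig.text = mac
    return ET.tostring(root, encoding="unicode")

def verify_element(doc, key):
    # Recompute the MAC over the referenced element only; everything outside it may change in transit.
    root = ET.fromstring(doc)
    sig = root.find("Signature")
    target = root.find(sig.get("for")) if sig is not None else None
    if target is None or sig.get("alg") != "hmac-sha256":
        return False
    expected = hmac.new(key, canonical_bytes(target), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected.encode(), (sig.text or "").encode())

def intermediary_adds_routing(doc):
    # A legitimate hop annotates the message outside the signed element; the signature still verifies.
    root = ET.fromstring(doc)
    ET.SubElement(root, "Via", {"hop": "gateway-1"})
    return ET.tostring(root, encoding="unicode")

def tamper_card_number(doc):
    # A hop that modifies the protected element; verification must fail.
    root = ET.fromstring(doc)
    root.find("CreditCard/Number").text = "4222222222222"
    return ET.tostring(root, encoding="unicode")
```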


  • Transport Level Security Vs Message Level Security in WCF

    Transport Level Security
    It secures the actual transport (i.e. the pipe) over which the message passes from a client to a service. For example, it uses SSL (Secure Sockets Layer) to ensure point-to-point protection.
    Message Level Security
    It secures the message itself as it is transported from a client to a service and vice versa.

Recommended Scenarios for Transport and Message Level Security:

Transport Level Security does not support scenarios where intermediaries are involved. It only supports sending a message directly from the client to the WCF service, without an intermediate system. It is suited to cases where both client and service reside on the same intranet.

With Message Level Security, on the other hand, the message itself is secured, so intermediaries are supported: there is no problem even if the message is routed through multiple intermediate systems.

Transport Level Security
Advantages:
Because Transport Level Security secures the network protocol, no extra coding is required.
Improved performance can be achieved by using hardware accelerators.
Disadvantages:
Lacks support for intermediate systems because it is point-to-point and protects the "pipe" between a single client and a service.

Message Level Security
Advantages:
Because the message itself is secured (signed and encrypted) while it travels through the network, intermediate hops in the network have no impact on security.
Supports a wide range of security options, including custom security implementations.
Disadvantages:
Every individual message is secured, so there is a cost to encrypt the message on one side and decrypt it on the other, reducing performance.
Lacks interoperability: it requires both client and service to support the WS-Security specification.
http://www.topwcftutorials.net/2014/09/transport-level-security-vs-message-level-security-wcf.html