windows - How does NetTcpBinding (read WindowsStreamSecurityBindingElement) encrypt/sign messages?


I wanted to understand the mechanism of message encryption and signing used by NetTcpBinding when 'Windows' credentials are being used for transport security. What if AD uses NTLM instead of Kerberos? Are the messages still signed and encrypted? If so, how?

Thanks in advance,

Akshat

The short answer is that, yes, with NTLM authentication the messages are still signed and encrypted if you have set the transport security ProtectionLevel to EncryptAndSign (the default).

Here's an outline of how it works:

  • Selecting transport security configures a WindowsStreamSecurityBindingElement in the channel stack. This inserts a stream upgrade provider (see below).
  • In NetTcpBinding, the message exchange between client and service happens within the .NET Message Framing protocol, which provides both message framing and a mechanism for the client and service to negotiate stream upgrades, the principal use of which is to establish transport security. If there is a stream upgrade provider configured in the channel stack, it is invoked during the preamble stage of the framing protocol when the client opens the channel.
  • The upgrade provider for WindowsStreamSecurityBindingElement invokes an SSPI handshake between client and server using the SPNEGO security package: in NetTcpBinding this results in Kerberos being selected as the underlying security provider if available, and NTLM being chosen if not.
  • If NTLM is the resulting authentication provider, the SSPI handshake will involve the three-leg NTLM challenge-response exchange of tokens described in the NTLM specification. The protocol includes a mechanism for exchanging keys for message signing and encryption. Once the SSPI handshake has generated the appropriate security context, all messages exchanged thereafter are signed and encrypted in the sending channel stack's stream upgrade provider, and decrypted and verified in the receiving channel stack's stream upgrade provider, in each case using calls to the NTLM security provider via the abstracted SSPI message support functions.
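The following is an added example, not code from the question or answer above, showing the binding settings the answer refers to and a way to verify at runtime which package SPNEGO actually negotiated. It assumes a self-hosted service on a Windows machine with .NET Framework and the System.ServiceModel assembly; the `net.tcp://localhost:8731/whoami` address, the `IWhoAmI` contract and the `WhoAmIService` class are constructed for the example. The service reads `WindowsIdentity.AuthenticationType`, which reports "Kerberos" or "NTLM", so an operator can confirm the fallback case the question asks about rather than guessing, and the binding sets `ProtectionLevel.EncryptAndSign` explicitly so that a config transform cannot silently weaken it to `Sign` or `None`.

```csharp
using System;
using System.Net.Security;
using System.Security.Principal;
using System.ServiceModel;

[ServiceContract]
public interface IWhoAmI
{
    // Returns the SSPI package that authenticated the caller plus the caller's name.
    [OperationContract]
    string Describe();
}

public class WhoAmIService : IWhoAmI
{
    public string Describe()
    {
        // ServiceSecurityContext exposes the Windows identity established by the
        // SSPI handshake that the stream upgrade provider ran during the preamble.
        WindowsIdentity caller = ServiceSecurityContext.Current.WindowsIdentity;

        // AuthenticationType is "Kerberos" when SPNEGO selected Kerberos and "NTLM"
        // when it fell back; either way the transport is signed and encrypted
        // because of the ProtectionLevel set in CreateBinding().
        return caller.AuthenticationType + ":" + caller.Name;
    }
}

public static class Program
{
    // Builds the NetTcpBinding with Windows transport security, which is what
    // inserts WindowsStreamSecurityBindingElement into the channel stack.
    public static NetTcpBinding CreateBinding()
    {
        var binding = new NetTcpBinding();
        binding.Security.Mode = SecurityMode.Transport;
        binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.Windows;

        // EncryptAndSign is already the default; stating it explicitly documents the
        // intent and makes a later downgrade in configuration visible in a diff.
        binding.Security.Transport.ProtectionLevel = ProtectionLevel.EncryptAndSign;
        return binding;
    }

    public static void Main()
    {
        // Constructed address for the example; any free port works.
        var address = new Uri("net.tcp://localhost:8731/whoami");

        using (var host = new ServiceHost(typeof(WhoAmIService)))
        {
            host.AddServiceEndpoint(typeof(IWhoAmI), CreateBinding(), address);
            host.Open();

            // Client side: same binding, so both ends negotiate the same upgrade.
            var factory = new ChannelFactory<IWhoAmI>(CreateBinding(), new EndpointAddress(address));
            IWhoAmI proxy = factory.CreateChannel();

            // Prints e.g. "NTLM:DOMAIN\user" or "Kerberos:DOMAIN\user".
            Console.WriteLine(proxy.Describe());

            ((IClientChannel)proxy).Close();
            factory.Close();
        }
    }
}
```

Run it once from a domain-joined machine and once from a workgroup machine (or against an endpoint whose SPN is not registered) to observe the Kerberos-to-NTLM fallback the answer describes; in both cases the call succeeds over an encrypted and signed stream, and only the reported package name changes.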
