X509 Certificate for WCF Security


Overview

Windows Communication Foundation (WCF) is Microsoft's unified programming model for building service-oriented applications (from MSDN). Security is especially important in a distributed environment. If you think WCF's default security measures let you stop worrying, tomorrow you will be going home to farm. Of course, the defaults are enough for study ~, but here we are talking about real project applications, and the security that WCF provides and guarantees differs from protocol to protocol.

X509 Certificate Introduction

X.509 is a digital certificate standard developed by the International Telecommunication Union (ITU-T); I believe this is well known. As far as I know there are three versions of X.509 at present, and .NET uses X.509-2. The X.509-2 version introduced the subject and issuer Unique Identifier fields, to solve the problem that a subject and/or issuer name may be reused after a period of time. An X.509-2 (X509) certificate carries two keys, usually called a key pair: the public key encrypts and the private key decrypts. Today I want to give an in-depth introduction to X509, because X509 certificates are used very frequently, if not indispensably, in the WCF security system.

1. How to generate a certificate?

Microsoft's test certificate generation tool, makecert.exe, helps us obtain an X509 standard certificate. The specific method is as follows: download makecert.exe, or locate it on your computer in C:\Program Files\Microsoft SDKs\Windows\v6.0A\bin. I strongly recommend that you copy makecert.exe to a separate directory, such as D:\CERs.

Click Start, choose Run, enter cmd to open the console, change to D:\CERs, and enter: makecert -r -pe -$ individual -n "CN=mailsecurity" -sky exchange -sr CurrentUser -ss my mailsecurity.cer. This generates an X509 certificate named mailsecurity in the Personal store of the current user's certificate store and writes the certificate file mailsecurity.cer to the current directory. For more complex parameters, see the Certificate Creation Tool help.

---------------------------------------------------------------------------------------------

makecert: the name of the certificate tool.

-r indicates that the generated certificate is self-signed: you issue it to yourself (this refers to the issuing authority).

-pe marks the generated private key as exportable, so that the private key can be included in the certificate.

-$ specifies whether the certificate is for individual or commercial use (individual/commercial). The Americans chose this switch; the dollar sign really is a fitting image.

-n specifies the certificate subject. Think of it as the title: whatever name you use, it must carry the CN= prefix.

-sky specifies the subject's key type, which must be signature, exchange, or an integer that represents the provider type. By default, 1 indicates an exchange key and 2 indicates a signature key.

-sr specifies the subject's certificate store location. The location is either currentUser (the default) or localMachine (the value must be one of these two).

-ss specifies the subject's certificate store name; the output certificate is stored there.

mailsecurity.cer is the certificate file name. It does not have to match the subject, but it is recommended that you choose it carefully.

---------------------------------------------------------------------------------------------

The Certificate Manager tool (certmgr.exe) is in the same directory and is quite simple to use: double-click it. Of course, you can also run it from the command line, as many of Microsoft's batch files do. For details, refer to the Certificate Manager tool documentation.

2. What are the secrets in the certificate?

First, we must know that Microsoft's certificate generation tool offers us two hash algorithms (MD5/sha1). We can specify one when generating the certificate; if none is specified, the MD5 algorithm is used by default. But when I used the sha1 algorithm to generate a certificate, something strange happened. The generated certificate showed these properties:

Public key strength: 1024

Signature algorithm: sha1RSA

Version: V3

3. Seeing this, I think we all want to know why. Isn't the sha1 algorithm being used? Why is the signature algorithm sha1RSA?

It seems we have to mention the RSA algorithm provider here. Let's look at Microsoft's official documentation: if the Microsoft Enhanced Cryptographic Provider is installed, RSACryptoServiceProvider supports key lengths from 384 bits to 16384 bits in increments of 8 bits. If the Microsoft Base Cryptographic Provider is installed, key lengths from 384 bits to 512 bits in increments of 8 bits are supported.

The Microsoft Enhanced Cryptographic Provider must be installed on my local machine, because I just tested it today and generated a key with the longest key length. You may not want to wait that long: it takes nearly 7 minutes, and the key length is 16384 bits.

RSA encryption process:


using System.Security.Cryptography;
using System.Text;

// Generate a 16384-bit RSA key pair (the longest the Enhanced provider allows; this is the slow step).
RSACryptoServiceProvider rsa = new RSACryptoServiceProvider(16384);
UnicodeEncoding ue = new UnicodeEncoding();
byte[] encryptData = ue.GetBytes("Hello, glad to meet you ~.");
// Export the full key pair (true = include the private parameters) and import it back into the same provider.
rsa.ImportParameters(rsa.ExportParameters(true));
// Encrypt with the public key (false = PKCS#1 v1.5 padding), then decrypt with the private key.
byte[] data = rsa.Encrypt(encryptData, false);
byte[] deData = rsa.Decrypt(data, false);
string dstr = ue.GetString(deData);

 

4. We can see from this that the key generated for a certificate can be very long. When you use the sha1 algorithm to generate the certificate, makecert's default key strength is 1024 bits and the encrypted content length is 128 bits, which is quite standard. Of course, you can also use the code above to test other lengths, but note that each length increment is 8 bits: after 1024 bits, the next valid length is 1024 + 8 = 1032. The specified key length must comply with the increment rule.
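As an added example (not code from the original post), the following checks a requested key size against the provider's own LegalKeySizes, which encode the 384..16384-bit range and 8-bit increment quoted above, before repeating the post's encrypt/decrypt round trip at that size. The class and method names are my own.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not from the original post: validates a requested RSA key size
// against the provider's LegalKeySizes (384..16384 bits in 8-bit steps with the
// Enhanced provider) before building the key, then repeats the post's
// encrypt/decrypt round trip at that size.
static class RsaKeySizeCheck
{
    // True when keyBits falls inside one of the legal ranges and on its increment.
    public static bool IsLegalKeySize(int keyBits)
    {
        using (var probe = new RSACryptoServiceProvider())
        {
            foreach (KeySizes range in probe.LegalKeySizes)
            {
                if (keyBits < range.MinSize || keyBits > range.MaxSize)
                    continue;
                // SkipSize 0 means the range is the single value MinSize.
                if (range.SkipSize == 0)
                    return keyBits == range.MinSize;
                return (keyBits - range.MinSize) % range.SkipSize == 0;
            }
        }
        return false;
    }

    // Encrypts and decrypts text with a fresh key of keyBits, verifies the
    // plaintext survives, and returns the ciphertext length in bytes.
    public static int RoundTrip(int keyBits, string text)
    {
        if (!IsLegalKeySize(keyBits))
            throw new ArgumentOutOfRangeException("keyBits",
                keyBits + " bits is not a legal RSA key size for this provider");

        using (var rsa = new RSACryptoServiceProvider(keyBits))
        {
            byte[] plain = Encoding.Unicode.GetBytes(text);
            byte[] cipher = rsa.Encrypt(plain, false);   // false = PKCS#1 v1.5 padding
            byte[] back = rsa.Decrypt(cipher, false);
            if (Encoding.Unicode.GetString(back) != text)
                throw new CryptographicException("round trip mismatch");
            return cipher.Length;                        // equals the key size in bytes
        }
    }
}
```

IsLegalKeySize(1032) is accepted because 1032 = 1024 + 8 lies on the increment, while IsLegalKeySize(1030) is rejected, so RoundTrip refuses it before any key generation starts.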

5. Select the certificate storage location

Some friends may think the certificate store location generally doesn't matter much, whatever Microsoft says. In fact, the following situations cannot be ignored in real project applications.

Development Mode: in development mode, for convenience, a console application is generally used as the host of the WCF service. This means the host runs with the permissions of the currently logged-in account, and most of those accounts probably have Administrator permission. In that case you don't have to worry about where your certificate is stored: as long as the certificate has been generated, it works. This is actually the case when your WCF security configuration reads as follows:

 

<serviceCredentials>
  <clientCertificate>
    <authentication certificateValidationMode="PeerTrust" />
  </clientCertificate>
</serviceCredentials>

If your certificate is not trusted now and your service still runs, you are awesome. Certificate authentication, for both servers and clients, has the following modes:

None = no certificate validation is performed

PeerTrust = the certificate is valid if it is in the TrustedPeople store

ChainTrust = the certificate is valid if its chain leads to a certificate authority in the Trusted Root store

PeerOrChainTrust = the certificate is valid if it is in the TrustedPeople store or its chain leads to a certificate authority in the Trusted Root store

Custom = the user must supply a custom validator to verify the certificate (this mode is very interesting and will be mentioned later)

In fact, as long as you change the validation mode to None, it doesn't matter where the certificate is stored.
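As an added example (not code from the original post), here is what the Custom mode listed above looks like next to None and PeerTrust: a validator that accepts a client certificate only if its thumbprint is on an explicit allow list and it is within its validity period. The class name, the Apply helper and the allow-list contents are my own assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

// Added example, not from the original post: the Custom mode listed above, as the
// alternative to None (everything passes) and PeerTrust (anything copied into
// TrustedPeople passes). Client certificates are pinned by thumbprint and expired
// ones are rejected. The allow-list values passed in are constructed by the caller.
public class ThumbprintValidator : X509CertificateValidator
{
    private readonly HashSet<string> _allowed;

    public ThumbprintValidator(IEnumerable<string> allowedThumbprints)
    {
        _allowed = new HashSet<string>(allowedThumbprints, StringComparer.OrdinalIgnoreCase);
    }

    // WCF calls this for every client certificate presented to the service.
    public override void Validate(X509Certificate2 certificate)
    {
        if (certificate == null)
            throw new ArgumentNullException("certificate");

        DateTime now = DateTime.Now;
        if (now < certificate.NotBefore || now > certificate.NotAfter)
            throw new SecurityTokenValidationException(
                "Client certificate " + certificate.Subject + " is outside its validity period.");

        // The thumbprint is the SHA-1 hash of the whole encoded certificate, so it pins
        // this exact certificate rather than a subject name, which any self-signed certificate can claim.
        if (!_allowed.Contains(certificate.Thumbprint))
            throw new SecurityTokenValidationException(
                "Client certificate " + certificate.Subject + " is not on the allow list.");
    }

    // Code equivalent of <authentication certificateValidationMode="Custom"
    // customCertificateValidatorType="..."/> in the serviceCredentials section.
    public static void Apply(ServiceHost host, IEnumerable<string> allowedThumbprints)
    {
        X509ClientCertificateAuthentication auth = host.Credentials.ClientCertificate.Authentication;
        auth.CertificateValidationMode = X509CertificateValidationMode.Custom;
        auth.CustomCertificateValidator = new ThumbprintValidator(allowedThumbprints);
    }
}
```

Call ThumbprintValidator.Apply(host, thumbprints) before host.Open(); the thumbprint of each permitted client certificate can be read from the Certificate Manager tool.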

2. Deployment mode

I strongly recommend using a Windows service as the WCF host. In terms of efficiency, security and stability, a Windows service is the best choice; in particular, when your WCF service uses TCP or named pipes as its main means of communication, a Windows service is worth your consideration, leaving aside for now that IIS 6.0 does not support TCP at all.

When running the WCF host as a Windows service, you will immediately hit the first problem: a prompt that the certificate cannot be found, that no X.509 certificate matches the following search criteria, and that the process must have access to the private key. Buddy, listen to me: at this point, do not trust anyone who tells you to locate the key file with Microsoft's FindPrivateKey tool and grant the Local Service account access to it. If you don't believe it, try it; the problem persists.

In fact, the cause of this problem is quite funny: it is just that you always used the same certificate during development, and so you use only one certificate during deployment as well. If you had used two certificates from the start, with the client and server each using their own certificate for mutual authentication and encryption, you would have been fine. The following are very serious principles.

(1) When a Windows service is the WCF host, message-level encryption is used and X509 certificate security is enabled, the X509 certificate must be installed under LocalMachine, and the certificate should be placed in the TrustedPeople store.

(2) This is only the most basic requirement; do not treat it as dogma. It is true that certificates must be stored under LocalMachine, but the store should be adjusted according to your <authentication certificateValidationMode="PeerTrust"/> policy. If you place the certificate in Root (Trusted Root Certification Authorities), it does not matter where else you place the certificate; it can even be stored in My (Personal).

(3) At the same time, you should also copy the client certificate into the Trusted People store. That is the most basic requirement; of course, it still depends on the security policy.

(4) The client and server use certificates for mutual authentication, and asymmetric encryption is used in the real sense. I think it will take a long time for clients and services to authenticate each other.
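As an added example (not code from the original post), the following pre-start check for a Windows service host verifies the layout the rules above describe and reports whether the service account can actually reach the server private key, the condition behind the "must have access to the private key" error. The store assignments are my assumptions: the server certificate with its private key in LocalMachine\My and the peer certificate in LocalMachine\TrustedPeople, as PeerTrust requires; "CN=mailsecurity" comes from the post's makecert command and the client subject is a placeholder.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example, not from the original post: checks that the server certificate is in
// LocalMachine\My with an accessible private key and that the client's certificate is in
// LocalMachine\TrustedPeople (assumed layout for PeerTrust). Subject DNs are passed in;
// e.g. Check("CN=mailsecurity", "CN=PLACEHOLDER_CLIENT").
static class CertificateDeploymentCheck
{
    // Returns the single certificate with this subject DN in the store, or null.
    public static X509Certificate2 Find(StoreLocation location, StoreName name, string subjectDn)
    {
        var store = new X509Store(name, location);
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
        try
        {
            X509Certificate2Collection found = store.Certificates.Find(
                X509FindType.FindBySubjectDistinguishedName, subjectDn, false);
            return found.Count == 1 ? found[0] : null;
        }
        finally { store.Close(); }
    }

    // Returns the problems found; an empty list means the layout matches the rules above.
    public static List<string> Check(string serverSubjectDn, string clientSubjectDn)
    {
        var problems = new List<string>();
        X509Certificate2 server = Find(StoreLocation.LocalMachine, StoreName.My, serverSubjectDn);
        if (server == null)
            problems.Add("Server certificate " + serverSubjectDn + " not found (or not unique) in LocalMachine\\My.");
        else if (!server.HasPrivateKey)
            problems.Add("Server certificate has no private key; makecert needs -pe for that.");
        else
        {
            // Reading PrivateKey opens the CSP key container; a service account without
            // rights on the key file fails here, not at HasPrivateKey.
            try { AsymmetricAlgorithm unused = server.PrivateKey; }
            catch (CryptographicException ex) { problems.Add("Private key inaccessible: " + ex.Message); }
        }

        if (Find(StoreLocation.LocalMachine, StoreName.TrustedPeople, clientSubjectDn) == null)
            problems.Add("Client certificate " + clientSubjectDn + " not in LocalMachine\\TrustedPeople.");

        return problems;
    }
}
```

Run Check under the same account the Windows service will use, since the private-key result depends on that account's rights.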

3. Thinking when you enable security policies

Remember, security policies determine the security level of your service. Of course, the higher the security level, the better, but you just saw that it took 7 minutes to generate a key. That is hard to bear, isn't it ~~?

================================================================================================

Remarks

1. What I wrote above had no draft. If there are any omissions, please point them out to me. On the WCF security issue, I just want to go deeper into some details ~, and above all, you must know why ~

2. The next article will be more exciting. Reprints are welcome, but please indicate the source: lsotcode blog (http://www.cnblogs.com/viter)!

Bricks (criticism) are welcome!

 

 
