Encryption of Digital Signatures

By default, a message is signed, then encrypted, and the signature itself is also encrypted. You control this by creating a custom binding that contains an AsymmetricSecurityBindingElement or a SymmetricSecurityBindingElement and setting the MessageProtectionOrder property of that element to a MessageProtectionOrder enumeration value. The default is SignBeforeEncryptAndEncryptSignature. Encrypting the signature makes message processing take roughly 10 to 40 percent longer than signing and encrypting alone. Leaving the signature unencrypted, however, can let an attacker recover the contents of the message. The signature element carries a digest (hash) of the plain text of every signed part of the message, so even though the message body is encrypted by default, an unencrypted signature still exposes the digest of the body's plain text. If the message is small, or its content is drawn from a limited set of values (a yes/no answer, an identifier, an amount), an attacker can hash each candidate plaintext and compare it with the exposed digest to confirm a guess, no matter how strong the encryption of the body is. Encrypting the signature reduces or eliminates this possibility.

Therefore, disable encryption of the signature only when the content has low value and the performance gain is significant, for example, when sending large binary files that have no security implications.

To disable encryption of the signature

  1. Create a CustomBinding. For more information, see How to: Create a Custom Binding Using the SecurityBindingElement.

  2. Add either an AsymmetricSecurityBindingElement or a SymmetricSecurityBindingElement to the binding collection.

  3. Set the AsymmetricSecurityBindingElement.MessageProtectionOrder property to SignBeforeEncrypt, or set the SymmetricSecurityBindingElement.MessageProtectionOrder property to SignBeforeEncrypt.
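The procedure above, as an added C# example that is not part of the original page: it builds one CustomBinding with the default protection order and one with SignBeforeEncrypt on a SymmetricSecurityBindingElement, shows the same setting on an AsymmetricSecurityBindingElement, and includes a small check that reports whether a given binding will encrypt its signature. The HTTP transport and text encoding are illustrative assumptions, as is the cast of CreateMutualCertificateBindingElement() to AsymmetricSecurityBindingElement (the default overload produces an asymmetric element).

```csharp
// Added example (not from the original page): choosing whether the WS-Security
// signature is encrypted, and checking a binding for that choice.
using System;
using System.ServiceModel.Channels;
using System.ServiceModel.Security;

public static class SignatureProtectionExample
{
    // Default order: sign, encrypt, and encrypt the signature, so the digests
    // of the signed parts are not visible on the wire.
    public static CustomBinding CreateDefaultBinding()
    {
        SymmetricSecurityBindingElement security =
            SecurityBindingElement.CreateUserNameForCertificateBindingElement();
        // Explicit for clarity; this is already the default value.
        security.MessageProtectionOrder =
            MessageProtectionOrder.SignBeforeEncryptAndEncryptSignature;
        return Compose(security);
    }

    // Reduced order: sign, then encrypt the body only. The signature element,
    // including the digest of the cleartext body, stays readable. Use only for
    // low-value, large payloads, as the page advises.
    public static CustomBinding CreateUnencryptedSignatureBinding()
    {
        SymmetricSecurityBindingElement security =
            SecurityBindingElement.CreateUserNameForCertificateBindingElement();
        security.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt;
        return Compose(security);
    }

    // Same setting on an asymmetric element (mutual certificate authentication).
    // Assumption: the default CreateMutualCertificateBindingElement() overload
    // returns an AsymmetricSecurityBindingElement, so the cast succeeds.
    public static CustomBinding CreateUnencryptedSignatureBindingAsymmetric()
    {
        var security = (AsymmetricSecurityBindingElement)
            SecurityBindingElement.CreateMutualCertificateBindingElement();
        security.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt;
        return Compose(security);
    }

    // Transport and encoding are illustrative assumptions; any WCF transport
    // that supports message security will do.
    private static CustomBinding Compose(SecurityBindingElement security)
    {
        return new CustomBinding(
            security,
            new TextMessageEncodingBindingElement(),
            new HttpTransportBindingElement());
    }

    // Review check: does this binding encrypt its signature? Returns null when
    // the binding carries no message-level SecurityBindingElement (for example,
    // transport security only), because the question does not apply.
    public static bool? SignatureIsEncrypted(Binding binding)
    {
        SecurityBindingElement sbe =
            binding.CreateBindingElements().Find<SecurityBindingElement>();
        if (sbe is SymmetricSecurityBindingElement sym)
            return sym.MessageProtectionOrder ==
                   MessageProtectionOrder.SignBeforeEncryptAndEncryptSignature;
        if (sbe is AsymmetricSecurityBindingElement asym)
            return asym.MessageProtectionOrder ==
                   MessageProtectionOrder.SignBeforeEncryptAndEncryptSignature;
        return null;
    }

    public static void Main()
    {
        Console.WriteLine("default binding encrypts signature: "
            + SignatureIsEncrypted(CreateDefaultBinding()));
        Console.WriteLine("reduced (symmetric) encrypts signature: "
            + SignatureIsEncrypted(CreateUnencryptedSignatureBinding()));
        Console.WriteLine("reduced (asymmetric) encrypts signature: "
            + SignatureIsEncrypted(CreateUnencryptedSignatureBindingAsymmetric()));
    }
}
```

SignatureIsEncrypted is the kind of check worth running over every binding a service exposes before deployment: a binding that returns false should be one you deliberately chose for low-value traffic, not one that drifted from the default.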

For more information about creating custom bindings, see Creating User-Defined Bindings. For more information about creating a custom binding for a specific authentication mode, see How to: Create a SecurityBindingElement for a Specified Authentication Mode.
