By default, a message is signed and the signature is digitally encrypted. This is controlled by creating a custom binding with an instance of the AsymmetricSecurityBindingElement or the SymmetricSecurityBindingElement and setting the
MessageProtectionOrder property of either class to a MessageProtectionOrder enumeration value. The default is SignBeforeEncryptAndEncryptSignature. This process consumes up to 30 percent more time than simply signing and encrypting based on the overall message size (the smaller the message, the greater the performance impact). Disabling encryption of the signature, however, might allow an attacker to guess the content of the message. This is possible because the signature element contains the hash code of the plain text of every signed part in the message. For example, although the message body is encrypted by default, the unencrypted signature contains the hash code of the message body before the encryption. If the set of possible values for the signed and encrypted part is small, an attacker might be able to deduce the contents by looking at the hash value. Encrypting the signature mitigates this attack vector.
Therefore, disable encryption of the signature only when the value of the content is low or the set of possible content values is large and nondeterministic, and the performance gain is more important than mitigating the attack described above.
If there is nothing in the message that is encrypted, the signature element is not encrypted, even when the System.ServiceModel.Channels.AsymmetricSecurityBindingElement.MessageProtectionOrder or System.ServiceModel.Channels.SymmetricSecurityBindingElement.MessageProtectionOrder property is set to SignBeforeEncryptAndEncryptSignature. This behavior occurs even with system-provided bindings; all system-provided bindings have the message protection order set to
SignBeforeEncryptAndEncryptSignature. However, the Web Services Description Language (WSDL) WCF generates will still contain the
To disable digital signing
Create a CustomBinding. For more information, seeHow to: Create a Custom Binding Using the SecurityBindingElement.
Set the System.ServiceModel.Channels.AsymmetricSecurityBindingElement.MessageProtectionOrder property to SignBeforeEncrypt, or set the System.ServiceModel.Channels.SymmetricSecurityBindingElement.MessageProtectionOrder property to SignBeforeEncrypt.