Encryption for Message Queuing
Updated: June 25, 2007
Applies To: Windows Server 2008
Encryption for Message Queuing
In the context of Message Queuing, encryption is the process for encoding and decoding messages, ensuring they cannot be read or used by unauthorized persons. Message Queuing implements message encryption through the use of symmetric and asymmetric (public/private) key encryption algorithms. The encryption implementation used is based on the CryptoAPI (Microsoft Cryptographic Application Program Interface), which in turn uses a cryptographic service provider (CSP) installed on the computer.
The use of message encryption is optional. Message Queuing applications are not required to use encryption when sending or receiving messages. Note that the use of message encryption slows the transfer of messages. When used, however, Message Queuing applications that send or receive encrypted messages must use the CSP installed by default with Windows 7 and the Windows Server 2008 R2 family, which is needed for both message authentication and encryption. For more information about message authentication, see Authentication for Message Queuing.
Although other CSPs can be used for the encryption of data that does not involve Message Queuing, the CSP provided with Windows 7 and the Windows Server 2008 R2 family must be used for any Message Queuing application that sends or receives encrypted messages. Non-Message Queuing applications can continue to use other CSPs for encryption.
How message encryption works
Messages are encrypted by the Message Queuing service on the source computer and decrypted by the Message Queuing service on the destination computer. Decrypted messages are stored in the destination queue as plaintext. Message encryption is designed to prevent unauthorized viewing of messages in transit.
When message encryption is used, performance is reduced, although typically not as much as when using message authentication. Performance losses due to encryption are most significant when you send encrypted messages to many different computers. However, when you send multiple messages to the same destination computer, only the first message sent takes significantly longer than usual to send.
To see why message throughput is reduced, it is important to understand the encryption mechanism that Message Queuing uses. On the source computer, Message Queuing does the following:
Creates a secret key.
Encrypts the message body by using the secret key.
Encrypts the secret key by using the public key of the destination computer.
Attaches the encrypted secret key to the encrypted message.
On the destination computer, Message Queuing does the following:
Decrypts the secret key by using its private key (of the key pair).
Decrypts the message body using the secret key.
Secret keys can be used for both encryption and decryption, hence they are called symmetric. Public keys can be used for encryption only, while private keys can be used for decryption only.
Asymmetric key encryption has more overhead than symmetric key encryption. Sending the first message incurs the most overhead because the secret key is encrypted with the public key of the destination computer. By default, Message Queuing stores the encrypted secret key on the source computer for 10 minutes. If you send additional messages to the same computer within 10 minutes after sending the first message, Message Queuing reuses the same secret key. Consequently, the overhead for each subsequent message will be just the overhead needed to encrypt the message body using the secret key. In this case, Message Queuing does not need to encrypt the secret key with the public key of the destination computer again. The same performance results are realized on the destination computer. Upon receiving the first message, Message Queuing decrypts the secret key by using its own private key. Message Queuing then stores the decrypted secret key and can reuse it later for subsequent messages without any additional overhead.
You can specify whether a queue accepts encrypted messages, unencrypted messages, or both by selecting the privacy level for the queue. If the queue privacy level is set to None, the queue accepts only unencrypted messages. If the queue privacy level is set to Body, the queue accepts only encrypted messages. If the queue privacy level is set to Optional, the queue accepts both unencrypted and encrypted messages. You can check whether a message sent to the queue was encrypted or unencrypted using Active Directory Users and Computers, Computer Management, or programmatically by checking the PROPID_M_PRIV_LEVEL message property. To use Active Directory Users and Computers or Computer Management to see encryption details, navigate to the message, select Properties, and click the Sender tab of the message properties dialog box. For more information about how to view message properties see View Message Properties.
For information about how to set the privacy level for a queue, see Change the Privacy Level for Queues.
When messaging across different messaging platforms, encrypted messages sent to foreign computers stay encrypted on the intermediary Message Queuing server running the connector application. The connector application can forward the encrypted messages to the foreign computer or can decrypt the messages first before forwarding.
Because encryption requires queries to Active Directory Domain Services, it cannot be used in workgroup or offline mode.
Public/private cryptographic key pairs for a computer are created for you during Message Queuing Setup and can be renewed using the Message Queuing Properties dialog box, which can be opened from Computer Management. All Message Queuing computers except dependent clients use cryptographic keys.
Cryptographic key renewal is a security feature used by Message Queuing. It is a good idea to renew your cryptographic keys periodically, such as once a year. It is also recommended that you renew your cryptographic keys any time you suspect they have been compromised. In particular, this will reduce the chance that your private key has been compromised.
When you renew the cryptographic keys for a Message Queuing computer, any messages that were encrypted using the previous public keys cannot be decrypted. This occurs only until the new public keys are replicated in Active Directory Domain Services to all Message Queuing servers and the source computers can start using the new public keys.
For information about how to renew your cryptographic keys, see Renew Cryptographic Keys for Message Queuing.