MessageProtectionOrder Enum

Definition

Specifies the order of operations that protect a message.

public enum class MessageProtectionOrder
public enum MessageProtectionOrder
type MessageProtectionOrder = 
Public Enum MessageProtectionOrder
Inheritance
MessageProtectionOrder

Fields

EncryptBeforeSign 2

Specifies that the SOAP message is encrypted before a digital signature is generated for the SOAP message.

SignBeforeEncrypt 0

Specifies that a digital signature is generated for the SOAP message before any portion of the SOAP message is encrypted, but the digital signature is not encrypted.

SignBeforeEncryptAndEncryptSignature 1

Specifies that a digital signature is generated for the SOAP message before any portion of the SOAP message is encrypted, and the digital signature is encrypted.

Examples

The following example creates a SymmetricSecurityBindingElement element and sets its MessageProtectionOrder property to SignBeforeEncrypt.

public static Binding CreateCustomBinding()
{
    // Create an empty BindingElementCollection to populate, 
    // then create a custom binding from it.
    BindingElementCollection outputBec = new BindingElementCollection();

    // Create a SymmetricSecurityBindingElement.
    SymmetricSecurityBindingElement ssbe = 
        new SymmetricSecurityBindingElement();

    // Set the algorithm suite to one that uses 128-bit keys.
    ssbe.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic128;

    // Set MessageProtectionOrder to SignBeforeEncrypt.
    ssbe.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt;

    // Use a Kerberos token as the protection token.
    ssbe.ProtectionTokenParameters = new KerberosSecurityTokenParameters();
    
    // Add the SymmetricSecurityBindingElement to the BindingElementCollection.
    outputBec.Add(ssbe);
    outputBec.Add(new TextMessageEncodingBindingElement());
    outputBec.Add(new HttpTransportBindingElement());

    // Create a CustomBinding from the collection and return it.
    return new CustomBinding(outputBec);
}
Public Shared Function CreateCustomBinding() As Binding 
    ' Create an empty BindingElementCollection to populate, 
    ' then create a custom binding from it.
    Dim outputBec As New BindingElementCollection()
    
    ' Create a SymmetricSecurityBindingElement.
    Dim ssbe As New SymmetricSecurityBindingElement()
    
    ' Set the algorithm suite to one that uses 128-bit keys.
    ssbe.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic128
    
    ' Set MessageProtectionOrder to SignBeforeEncrypt.
    ssbe.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt
    
    ' Use a Kerberos token as the protection token.
    ssbe.ProtectionTokenParameters = New KerberosSecurityTokenParameters()
    
    ' Add the SymmetricSecurityBindingElement to the BindingElementCollection.
    outputBec.Add(ssbe)
    outputBec.Add(New TextMessageEncodingBindingElement())
    outputBec.Add(New HttpTransportBindingElement())
    
    ' Create a CustomBinding from the collection and return it.
    Return New CustomBinding(outputBec)

End Function 

Remarks

This enumeration is used with the AsymmetricSecurityBindingElement.MessageProtectionOrder property of the AsymmetricSecurityBindingElement class and the SymmetricSecurityBindingElement.MessageProtectionOrder property of the SymmetricSecurityBindingElement class.

If a message is vulnerable to a digest attack (for example, if the message is short or the entropy is low), you should use the SignBeforeEncryptAndEncryptSignature or EncryptBeforeSign option. (Entropy is random data provided by a server, a client, or both, and is used to create a shared key for encrypting and decrypting data.)

What Is Ordered?

WCF offers three different protection levels that determine how messages are secured using SOAP message security. The default is SignBeforeEncryptAndEncryptSignature. This setting first signs the message, encrypts the message body, and then encrypts the XML signature. This reduces the likelihood of a successful cryptographic guessing attack against the signature.

However, using the default has performance implications. In effect, there is a tradeoff of performance for increased security. Encrypting the signature can decrease performance between 10 percent and 40 percent. If the data content of the message is of low value, and performance throughput is more significant, use SignBeforeEncrypt. With this setting, the signature digest is sent in clear text, and thus the message is more vulnerable to guess-and-verify attacks when its entropy is low.

Custom Bindings Only

Changing the MessageProtectionOrder property requires creating a custom security binding. For more information about creating custom bindings, see Creating User-Defined Bindings. For more information about creating a custom binding for a specific authentication mode, see How to: Create a SecurityBindingElement for a Specified Authentication Mode.
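
The following is an added example, not part of the original documentation: a helper that reports the MessageProtectionOrder of every message-security element in a binding, including the bootstrap element nested inside secure conversation token parameters, so that bindings sending the signature unencrypted can be found during a configuration review. The names ProtectionOrderAudit, Inspect and Walk are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Security;
using System.ServiceModel.Security.Tokens;

public static class ProtectionOrderAudit   // hypothetical helper, not a WCF type
{
    // Returns one finding per message-security element in the binding.
    public static List<string> Inspect(Binding binding)
    {
        var findings = new List<string>();
        foreach (BindingElement be in binding.CreateBindingElements())
            if (be is SecurityBindingElement sbe)
                Walk(sbe, binding.Name, findings);
        return findings;
    }

    private static void Walk(SecurityBindingElement sbe, string path, List<string> findings)
    {
        MessageProtectionOrder? order = null;
        SecurityTokenParameters protection = null;
        if (sbe is SymmetricSecurityBindingElement sym)
        {
            order = sym.MessageProtectionOrder;
            protection = sym.ProtectionTokenParameters;
        }
        else if (sbe is AsymmetricSecurityBindingElement asym)
        {
            order = asym.MessageProtectionOrder;
        }
        // Other security elements (transport security) have no protection order.
        if (order.HasValue)
        {
            string note = order.Value == MessageProtectionOrder.SignBeforeEncrypt
                ? " [signature is sent unencrypted]" : "";
            findings.Add(path + ": " + order.Value + note);
        }
        // A secure conversation token carries its own bootstrap security element.
        if (protection is SecureConversationSecurityTokenParameters sc
            && sc.BootstrapSecurityBindingElement != null)
            Walk(sc.BootstrapSecurityBindingElement, path + "/bootstrap", findings);
    }

    public static void Main()
    {
        foreach (string f in Inspect(new WSHttpBinding(SecurityMode.Message)))
            Console.WriteLine(f);
    }
}
```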
