A feature of Windows Communication Foundation (WCF) is the ability to establish secure sessions between two endpoints that authenticate each other and agree upon an encryption and digital signature process. For example, the service endpoint might require a client endpoint to send a security token based upon an X.509 certificate for authentication. Once the client is authenticated, the service endpoint returns a security context token (SCT) to the client, and the SCT is then used to secure all subsequent messages within the session. Establishing this secure session makes the exchange of messages between the two endpoints more efficient, because the SCT has a symmetric key. Asymmetric keys, which X.509 certificates are based upon, require significantly more computational power than symmetric keys when generating a digital signature or encrypting a set of data.
The bootstrap policy (defined in section 6.2.7 of the WS-SecurityPolicy standard) contains the message security assertions used to secure the channel and authenticate the client prior to the RST/SCT and RSTR/SCT exchange. Certain WCF standard bindings have a Security.Message.EstablishSecurityContext property which controls whether secure conversation is used. When using custom bindings the bootstrap is indicated by nesting security binding elements, either through <secureConversationBootstrap> in the configuration file, or by calling CreateSecureConversationBindingElement in code.
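The two ways of enabling secure conversation described above, as an added example that is not part of the original page. It assumes .NET Framework with a reference to System.ServiceModel; the class and method names, the mutual X.509 certificate bootstrap and the HTTP transport are choices made for illustration.

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Security.Tokens;

static class SecureSessionBindings   // hypothetical name, not from the page
{
    // Custom binding: the outer element secures the session with the SCT; the
    // nested bootstrap element authenticates the client with X.509
    // certificates before the RST/SCT and RSTR/SCT exchange.
    public static CustomBinding CreateCustom()
    {
        SecurityBindingElement bootstrap =
            SecurityBindingElement.CreateMutualCertificateBindingElement();
        SecurityBindingElement session =
            SecurityBindingElement.CreateSecureConversationBindingElement(bootstrap);
        return new CustomBinding(
            session,
            new TextMessageEncodingBindingElement(),
            new HttpTransportBindingElement());
    }

    // Standard binding: the same feature is controlled by one property.
    public static WSHttpBinding CreateStandard(bool establishSecurityContext)
    {
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;
        binding.Security.Message.EstablishSecurityContext = establishSecurityContext;
        return binding;
    }

    // Returns the nested bootstrap element, or null when the binding does not
    // protect messages with a secure conversation token.
    public static SecurityBindingElement FindBootstrap(Binding binding)
    {
        var security = binding.CreateBindingElements().Find<SecurityBindingElement>();
        var symmetric = security as SymmetricSecurityBindingElement;
        var sct = symmetric == null ? null
            : symmetric.ProtectionTokenParameters as SecureConversationSecurityTokenParameters;
        return sct == null ? null : sct.BootstrapSecurityBindingElement;
    }

    static void Main()
    {
        var bindings = new Binding[] { CreateCustom(), CreateStandard(true), CreateStandard(false) };
        foreach (Binding b in bindings)
            Console.WriteLine("{0}: bootstrap element present = {1}",
                b.GetType().Name, FindBootstrap(b) != null);
    }
}
```

FindBootstrap can be run against the bindings of a deployed service description to confirm which endpoints actually negotiate a session token and what authenticates the client beforehand.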
For more information about sessions, see Using Sessions.