Protection Level in WCF


Rameshkartik. RS

  1. Introduction
  2. Available Parameters to Protect Data
  3. Protection Level
  4. Configuring Protection Level
    1. Declaration
    2. ProtectionLevel.None
    3. ProtectionLevel.Sign
    4. ProtectionLevel.EncryptedAndSign
  5. Summary


In the modern world, we are about to communicate with different persons, firms in our day to day life to get our business done, in which we are always concerned about the confidentiality and integrity of the information we send. Often we send information which is highly secure for the business,In few cases ,we send information which is not to be a secured one or it might be irrelevant to the business. Ok, Let’s talk about it in detail with the WCF technology.

Available Parameters for Protecting Data

Sign – It confirms the message has not been tampered or changed by anyone. It signs all the messages on the wire to provide the message integrity

Encrypt and Sign – It confirms the message we send is confidential and it has not been tampered anywhere by anyone.

Protection Level

Protection Level  = Throttle (Control) Message Protection

By default , WCF protects all the message on the wire to provide the data confidentiality and message integrity. If the developer wants to control the flow of message protection, Protection Level will  be an ideal option. Yes,  In Few scenarios, messages are not required to be secured one since it doesn’t have any sensitive information, In few scenarios messages should transmit only in a secure mode. For these set of things, WCF provides the flexible approach called ‘Protection Level’ . The developer can set their messages which require  message integrity or message confidentiality or Both

If the data is not sensitive over the wire,  then I will recommend you to set the ProtectionLevel as None because it produces a greater performance. Of course,  Encryption or Sign will definitely take an additional time in every request and response. Message contracts also support a way to override the protection level for the operation.

Configuring Protection Level

The supported message protection level in the WCF are

  • None
  • Sign
  • EncryptAndSign

The Protection levels can be done at all the levels

  • Service Contract
    • Operation Contract
      • Message Contract
        • Message Header
          • Message Body

If we are defining our protection level  at the top level, it is applicable till the root level unless otherwise if we are overriding it in the root level . You can define it like ProtectionLevel is EncryptAndSign in the top level (Service Contract) and override it in the bottom level (Operation Contract) like ProtectionLevel is None.  The developer has a flexible approach for controlling the message protection across all the levels.



In the above snapshot you can find out the protection level has to be declared over the service method .For the method GetStringData i have made it as a Sign,because I don’t care about the confidentiality here , but I care for the message integrity, That’s why I have chosen Protection Level.Sign.

For the GetDetailedData method I have set the Protection Level as  ProtectionLevel.None , though my service contract Protection Level configured as ProtectionLevel.EncryptAndSign because i don’t want to protect this method’s message on the wire.

For the GetIntData method, I didn’t say anything about the Protection Level, Then What will be the Message Protection Level? Of course, it will take the Protection level,  we said in the Service contract level.


The following is the snapshot of the message flow if we set the ProtectionLevel.None.


You can find that the values are transmitted over the wire as a plain text. There is no encryption or Sign. Because we have mentioned the Protection Level is None, Kindly refer App.config of the Service Library which is enclosed ,  you can determine the ways to generate the logs. Once it is generated have a look on the messages.svclog .


The following is the snapshot of the message flow if we set the ProtectionLevel.Sign.



You can find that Data Integrity is maintained,  but the confidentiality is not maintained. Signature information in the above snapshot  will take care of the Data Integrity related things, In the body of the message in the above snapshot you can determine the messages were plain and not encrypted.


The following is the snapshot of the message flow if we set the ProtectionLevel.EncryptedAndSign.


If you find the body of the message, you can find that messages  were encrypted and signed. By setting the different ProtectionLevel in different levels , we can make our service more efficient and responsive.



If the messages sending over the wire is not an important one, Then you can set the protection level  as  None for all your service messages,  it increases the performance. Protection levels can be set at the Service Level,  Operation Level, Message Level,  Header Level and Body Level