I think this can help; last year we used this to compress the webservices and it performed very well, I believe it could be enhanced with encryption classes;

我认为这会有所帮助；去年我们用它来压缩webservices，它表现得非常好，我相信它可以通过加密类来增强；

Creating Custom SOAP Extensions - Compression Extension

创建自定义 SOAP 扩展 - 压缩扩展

Perhaps I'm being naive, but would forcing the communication to be via https be acceptable? I develop web services that run on 2.0 and have had success with just getting IIS to enforce https on the virtual directory.

也许我很天真，但是强制通过 https 进行通信是否可以接受？我开发了在 2.0 上运行的 Web 服务，并且仅通过让 IIS 在虚拟目录上强制执行 https 就取得了成功。

Alternatively, or in addition, you can check the HttpRequest.IsSecureConnection property.

或者，您可以检查HttpRequest.IsSecureConnection 属性。

Perhaps I'm being naive, but would forcing the communication to be via https be acceptable? I develop web services that run on 2.0 and have had success with just getting IIS to enforce https on the virtual directory.

That would be the simplest way to go probably, but unfortunately I don't have control over the IIS configuration, and can't guarantee that it can run https.

也许我很天真，但是强制通过 https 进行通信是否可以接受？我开发了在 2.0 上运行的 Web 服务，并且仅通过让 IIS 在虚拟目录上强制执行 https 就取得了成功。

这可能是最简单的方法，但不幸的是我无法控制 IIS 配置，也不能保证它可以运行 https。

In that case, perhaps the best bet is to either case-by-case encrypt portions of the SOAP messages (after all, you may not need the entire message to be encrypted - just certain sensitive fields?), or you could opt to use an HttpModule to intercept all the messages and operate on the contents. In either case you're probably going to have to provide custom proxies.

在这种情况下，也许最好的办法是逐个加密部分 SOAP 消息（毕竟，您可能不需要加密整个消息——只需要加密某些敏感字段？），或者您可以选择使用一个 HttpModule 来拦截所有消息并对内容进行操作。无论哪种情况，您都可能不得不提供自定义代理。

We actually use WSE 3.0 in our web services, which were originally developed pre-WCF. For security, we use a SAML token based system built on the Cryptography classes in System.Security.

我们实际上在我们的 Web 服务中使用了 WSE 3.0，它们最初是在 WCF 之前开发的。为了安全起见，我们使用基于 SAML 令牌的系统构建在 System.Security 中的 Cryptography 类上。

It works very well. However, this method is by no means "simple".

它运作良好。然而，这种方法绝非“简单”。

Anything you do to provide "encryption" that isn't using SSL/TLS is likely to be vulnerable. Now you have to ask yourself, is it worth burning dev hours you could be spending on features on a rubber-chicken security measure? Maybe it is.

您为提供不使用 SSL/TLS 的“加密”所做的任何事情都可能容易受到攻击。现在您必须问自己，是否值得在橡胶鸡安全措施的功能上花费开发时间？也许是。

.NET APIs like DPAPI and the Win32 crypt32 API make it easy to encrypt blobs of data with static keys. But how will your clients receive the keys? Any installed SOAP client will have to either have the key burned into its configuration, or receive it over the insecure Internet.

DPAPI 和 Win32 crypt32 API 等 .NET API 使使用静态密钥加密数据块变得容易。但是您的客户将如何收到密钥？任何已安装的 SOAP 客户端都必须将密钥刻录到其配置中，或者通过不安全的 Internet 接收密钥。

This is the problem SSL/TLS solves for you; the dance you do with TLS certificates is what solves the problem of communicating public keys over untrusted channels.

这是 SSL/TLS 为您解决的问题；您使用 TLS 证书所做的工作解决了通过不受信任的渠道传递公钥的问题。

You can use parameters encryption in C# using the System.Security.Cryptography extension.

您可以使用 System.Security.Cryptography 扩展在 C# 中使用参数加密。

Encrypting your parameters and decrypting them would be harder but much more secure.

加密您的参数并解密它们会更难，但更安全。

How To: Encrypt and Decrypt Data Using a Symmetric (Rijndael) Key (C#/VB.NET)

如何：使用对称 (Rijndael) 密钥加密和解密数据 (C#/VB.NET)

I'm using this aproach for an OTP (one time password) web service, and it works fine for me.

我将这种方法用于 OTP（一次性密码）Web 服务，对我来说效果很好。