Petar Vucetin, SOA312: Building Secure Web Services Using Windows Communication Foundation, Tech Ed 2008 (Final)
 

• Securing messages between clients and services is essential to protecting data. The Windows Communication Foundation (WCF) provides a versatile and interoperable platform for exchanging secure messages based upon both the existing security infrastructure and the recognized security standards for SOAP messages. In this session learn how to use WCF for transfer security and access control using familiar technologies such as HTTPS, Windows integrated security, X.509 certificates, SAML, and usernames and passwords, and also new technologies such as Windows CardSpace. This session also discusses how to extend WCF security to support custom security tokens, custom authentication methods, claims-based authorization, claims transformation, and custom principals.

Presentation Transcript

  • Building Secure Web Services Using Windows Communication Foundation
    Petar Vucetin
    Senior Software Engineer
    Vertigo
    Session Code: SOA312
  • Agenda
    Learn how to use standard WCF security mechanisms correctly
    Understand appropriate scenarios for the various WCF security options
    Understand how to extend WCF security for custom applications
  • Threat Modeling
    CIA
    Confidentiality
    Integrity
    Availability
    STRIDE
    Spoofing
    Tampering
    Repudiation
    Information Disclosure
    Denial of Service
    Elevation of Privilege
  • Security
    Confidentiality
    Content of the message is kept secret
    Integrity
    Confidence that message received is the same that sender sent
    Authentication
    Confidence that we know caller identity
    Confidentiality and integrity are of no use without authentication: a protected channel to an unverified party protects nothing
  • WCF Out of the box experience
    Defaults to secure mode
    Claim-based
    Internet, Intranet and custom security scenarios
    Secure conversations
    Transfer
    Message integrity and protection
    Mutual Authentication
    (client->service, service-> client)
    Authorization
  • Service Identity
    (Diagram) Caller identity flows from the caller through the WCF host to the service, either inside the message (WS-*) or protected by the transport (TLS, SSL, IPsec)
    Claims, policy and trust decide what the service believes about the caller
    Address: Where?  Binding: How?  Contract: What?
  • Transport Security
    Prevents eavesdropping, tampering, and message forgery
    Point-to-point: secures a single hop between caller and service; intermediaries see plaintext
    HTTP over SSL/TLS (HTTPS)
    TLS over TCP (net.tcp with SslStreamSecurity) or Windows stream security
    Provides endpoint authentication and communications privacy using cryptography
    IPsec/L2TP below the transport
  • Message: WS-Security
    SOAP Envelope
      SOAP Header
        Misc. headers
        Security header: security token, timestamp, signature, encrypted key
      SOAP Body
        Encrypted data wrapping the payload
  • Message Security
    Transport independent: security travels with the message from caller to service, through any intermediaries
    Uses SOAP / WS-Security
    Parts of the message can be signed or encrypted
    All of the security information is encapsulated in the message
    Security credentials and claims travel with every message; wide set of credentials and claims supported
    The service needs an X.509 certificate unless Windows (Kerberos/SSPI) credentials are negotiated
  • Authentication
    Caller identification
    Windows tokens
    Certificates
    User Name
    Issued tokens (e.g. SAML)
    Custom
    Service identification (to caller)
    Windows tokens, X.509 certificates
  • Authentication: WS-Security
    (Diagram) Contract and policies advertise the token types the service accepts: X.509 certificate, Kerberos, SAML, XrML, custom
    The service verifies that the caller owns/is able to use a key that is never transmitted (for X.509, the private key)
  • Authorization
    What is caller allowed to do
    WCF uses callers claims
    Can have many
    Windows token, SAML
    Windows groups, ASP.NET providers, Custom provider
    No good without authentication
  • Claims
    Claim: a declaration made by an entity about an entity (for example, a name, identity, group, key, or privilege). The entity that makes the claim is referred to as the claim issuer; the entity about which the claim is made is referred to as the claim subject.
    In WCF a claim is a triplet: type, right, resource
    Claim issuer: can vouch for or endorse the claims in a security token by using its key to sign or encrypt the security token. This enables authentication of the claims in the security token.
  • Partners
    (Topology diagram: browser and Windows clients reach IIS in the DMZ; an STS, IIS and Windows clients sit on the intranet; a router separates the zones; partners connect from outside)
  • Scenarios
    Intranet
    Direct access to service (rare) – single machine
    Application servers – more common, distributed, maybe port restrictions and firewalls
    AD, Windows auth
    Internet
    Firewalled, DMZed
    Restricted ports and routes, custom identity store
    Maybe trusted subsystem down the line with AD/Windows auth
    Maybe multiple authentication systems involved
  • Scenarios (cont.)
    B2B
    Crossing multiple network topologies, firewalls, port restrictions
    Non Windows security topologies and implementations
    May require acquiring and using different identities
    Maybe multiple authentication systems involved
    Most likely service to service
  • Service and Client
    How does this stuff work?
    configuring
  • Security Modes
    None. Turns security off.
    Not recommended (default for BasicHttpBinding)
    Transport.
    Uses transport security for mutual authentication and message protection.
    Message.
    Uses message security (WS-Security) for mutual authentication and message protection. The service needs an X.509 certificate unless Windows (Kerberos/SSPI) credentials are negotiated.
    Both.
    Allows you to supply settings for transport and message-level security (only MSMQ supports this).
  • Controlling security modes
    demo
  • Security Modes (cont.)
    TransportWithMessageCredential.
    Client credentials are passed with the message. Service authentication, confidentiality and data integrity are provided by the transport layer.
    TransportCredentialOnly.
    Client credentials are passed at the transport layer and no message protection is applied: Basic credentials and the messages themselves travel in the clear unless something below WCF (e.g. IPsec) protects them.
  • WCF Channel Stack
    Service instance and WCF runtime: the dispatcher routes messages to operations
    Channel stack, built from the binding: protocol binding elements (zero or more), one encoding element, one transport element
  • Security.Mode == None (netTcpBinding)
    Protocol: TransactionFlowBinding
    Encoding: BinaryMessageEncodingBinding
    Transport: TcpTransportBinding
    No security element anywhere in the stack
  • Security.Mode == Transport (netTcpBinding)
    Protocol: TransactionFlowBinding
    Encoding: BinaryMessageEncodingBinding
    Transport: WindowsStreamSecurityBinding (stream upgrade) over TcpTransportBinding
  • Security.Mode == Message (netTcpBinding)
    Protocol: TransactionFlowBinding, SymmetricSecurityBinding (WS-Security on the SOAP message)
    Encoding: BinaryMessageEncodingBinding
    Transport: TcpTransportBinding
  • Security.Mode == TransportWithMessageCredential (netTcpBinding)
    Protocol: TransactionFlowBinding, TransportSecurityBinding (carries the client token inside the message)
    Encoding: BinaryMessageEncodingBinding
    Transport: SslStreamSecurityBinding (TLS stream upgrade) over TcpTransportBinding
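The security-mode and channel-stack slides describe one thing from two angles: the mode chosen on the binding decides which security binding elements end up in the stack. The C# below is an added example, not code from the talk, that walks a binding's elements the way the diagrams do and flags the TransportCredentialOnly case the slides warn about. The binding configurations in Main are constructed for illustration.

```csharp
// Added example, not from the talk: decompose a binding into its channel stack and
// flag bindings that send a client credential with no transport or message protection.
// The binding configurations in Main are constructed to mirror the slides.
using System;
using System.Collections.Generic;
using System.Net;
using System.ServiceModel;
using System.ServiceModel.Channels;

static class BindingAudit
{
    // Binding element type names, top of the stack first, as the slides draw them.
    public static List<string> Stack(Binding binding)
    {
        var names = new List<string>();
        foreach (BindingElement element in binding.CreateBindingElements())
            names.Add(element.GetType().Name);
        return names;
    }

    // Security.Mode == Message: a WS-Security element signs/encrypts the SOAP message.
    public static bool HasMessageSecurity(BindingElementCollection elements)
    {
        return elements.Find<SymmetricSecurityBindingElement>() != null
            || elements.Find<AsymmetricSecurityBindingElement>() != null;
    }

    // Security.Mode == Transport or TransportWithMessageCredential: HTTPS, TLS on the
    // TCP stream (SslStreamSecurity) or Windows stream security protects the hop.
    public static bool HasTransportSecurity(BindingElementCollection elements)
    {
        return elements.Find<HttpsTransportBindingElement>() != null
            || elements.Find<SslStreamSecurityBindingElement>() != null
            || elements.Find<WindowsStreamSecurityBindingElement>() != null;
    }

    // A client credential is on the wire when a message-level token rides on the transport
    // (TransportSecurityBindingElement, the TransportWithMessageCredential case) or the
    // HTTP transport uses an authentication scheme other than Anonymous.
    public static bool CarriesClientCredential(BindingElementCollection elements)
    {
        if (elements.Find<TransportSecurityBindingElement>() != null)
            return true;
        HttpTransportBindingElement http = elements.Find<HttpTransportBindingElement>();
        return http != null && http.AuthenticationScheme != AuthenticationSchemes.Anonymous;
    }

    // The finding a reviewer wants: a credential is exchanged but nothing gives the messages
    // confidentiality or integrity (Basic credentials travel in the clear; an NTLM/Kerberos
    // handshake survives, the messages after it do not).
    public static bool LeaksCredential(Binding binding)
    {
        BindingElementCollection elements = binding.CreateBindingElements();
        return CarriesClientCredential(elements)
            && !HasMessageSecurity(elements)
            && !HasTransportSecurity(elements);
    }

    static void Main()
    {
        // TransportCredentialOnly + Basic: the slide's "no message protection" case.
        var weak = new BasicHttpBinding(BasicHttpSecurityMode.TransportCredentialOnly);
        weak.Security.Transport.ClientCredentialType = HttpClientCredentialType.Basic;

        // Same credential type over HTTPS (Security.Mode == Transport): the fix.
        var fixedUp = new BasicHttpBinding(BasicHttpSecurityMode.Transport);
        fixedUp.Security.Transport.ClientCredentialType = HttpClientCredentialType.Basic;

        var cases = new Dictionary<string, Binding>
        {
            { "basicHttp TransportCredentialOnly/Basic", weak },
            { "basicHttp Transport/Basic", fixedUp },
            { "netTcp None", new NetTcpBinding(SecurityMode.None) },
            { "netTcp Transport (default)", new NetTcpBinding() },
            { "netTcp Message", new NetTcpBinding(SecurityMode.Message) },
            { "netTcp TransportWithMessageCredential",
                new NetTcpBinding(SecurityMode.TransportWithMessageCredential) },
            { "wsHttp default (Message/Windows)", new WSHttpBinding() },
        };

        foreach (KeyValuePair<string, Binding> c in cases)
        {
            Console.WriteLine("{0}: {1}", c.Key, string.Join(" > ", Stack(c.Value).ToArray()));
            if (LeaksCredential(c.Value))
                Console.WriteLine("  WARNING: credential exchanged with no transport or message protection");
        }
    }
}
```

Run against a ServiceHost's Description.Endpoints instead of the constructed list to audit a real service; only the first basicHttp case above produces the warning.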
  • Controlling credentials at the transport level
    demo
  • Controlling Message Security and credentials
    demo
  • Choices
    Choices
    Choices
    You confused by now?
  • Out of the box bindings: Intranet
    NetNamedPipeBinding
    Limited reach – same machine, cross process
    Fast
    No SOAP support
    Defaults:
    Security Mode: Transport
    Credentials: Windows
    Message protection : Encrypt and Sign
  • Out of the box bindings (cont.): Intranet
    NetTcpBinding
    WCF-to-WCF scenarios
    Fast, can add WS* features – performance tradeoff
    If you used COM+/DCOM use this binding
    Load balancing – has server affinity, reduce lease timeout
    Defaults:
    Security Mode: Transport
    Credentials: Windows
    Message protection : Encrypt and Sign
  • Out of the box bindings (cont.): Intranet
    NetMsmqBinding
    Queued work / workload leveling / Disconnected scenarios
    Defaults:
    Security Mode: Transport
    Credentials: Windows
    Message protection: Sign
    MsmqIntegrationBinding
    Non WCF clients
  • Out of the box bindings (cont.) Internet
    BasicHttpBinding
    Interop for ASMX, support for WS-I Basic Profile 1.1
    Does not support WS* stack
    Works well with existing HTTP load balancing techniques
    Only binding supported in Silverlight 2.0
    Defaults:
    Security Mode: None
    Transport: HTTP (no transport security)
    Credentials: User Name
    Message protection: None
  • Out of the box bindings (cont.) Internet
    WsHttpBinding
    Non Windows/WCF clients
    Restricted Ports, firewalls
    Can use HTTP load balancing only without reliable session and with establishSecurityContext = false (a secure-conversation session would pin the client to one server)
    Defaults:
    Security Mode: Message
    Transport: HTTP
    Credentials: Windows
    Message protection: Sign and Encrypt
  • Out of the box bindings (cont.) Internet
    WsFederationHttpBinding
    share identities across multiple systems
    Custom tokens
    Defaults:
    Security Mode: Message
    Transport: HTTP
    Credentials: Issued token (e.g. SAML from an STS)
    Message protection: Sign and Encrypt
  • Service and Client
    Security Extension Points
    customization
  • Customization Scenarios
    Custom security tokens
    Custom authentication methods
    Claims-based authorization
    Claims transformation
    Custom principals
  • WCF Security Extensible Points
    Credentials
    Custom Security Token Manager
    Custom Service Credentials
    Custom Client Credentials
    Authorization
    Service Authorization Manager
    External Authorization Policy
    Custom Endpoint Identity Verifier
    Authentication
    Security Token Authenticator
    Security Token Provider
    Custom Authorization Policy
    Serialization
    Security Token Serializer
    Security Key Identifier Clause
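Claims-based authorization and claims transformation from the lists above, as an added C# example that is not the talk's code (the SelfissuedServAuthMgr named in the later config is not reproduced): an IAuthorizationPolicy adds a role claim derived from the givenname/lastname claims the requireInfoCard binding requires, and a ServiceAuthorizationManager checks that role per operation. The claim-type URIs, the role URI, the user table and the action URIs are assumptions; the real claim types are the ones in the service's claimTypeRequirements.

```csharp
// Added example, not from the talk: claims transformation in an IAuthorizationPolicy plus a
// ServiceAuthorizationManager that authorizes each operation on the transformed role claim.
// Claim-type URIs, role URI, user table and action URIs are assumptions for illustration.
using System;
using System.Collections.Generic;
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;
using System.ServiceModel;

public sealed class NameToRoleClaimsPolicy : IAuthorizationPolicy
{
    public const string GivenName = "urn:example:claims/givenname"; // assumption
    public const string LastName  = "urn:example:claims/lastname";  // assumption
    public const string Role      = "urn:example:claims/role";      // assumption

    // Constructed directory: "givenname lastname" -> application role.
    static readonly Dictionary<string, string> Directory =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "alice example", "admin" },
            { "bob example", "user" },
        };

    readonly string id = Guid.NewGuid().ToString();
    public string Id { get { return id; } }
    public ClaimSet Issuer { get { return ClaimSet.System; } }

    // Runs once per message after the token authenticators have produced the incoming claim
    // sets. Adds a role claim, issued by this policy, for callers the directory knows.
    public bool Evaluate(EvaluationContext evaluationContext, ref object state)
    {
        foreach (ClaimSet set in evaluationContext.ClaimSets)
        {
            // Transform only claims from an identified token issuer; skip anonymous and
            // system-issued claim sets (including this policy's own output).
            if (!IssuerIsIdentified(set.Issuer))
                continue;
            string given = FirstResource(set, GivenName);
            string last  = FirstResource(set, LastName);
            if (given == null || last == null)
                continue;
            string role;
            if (Directory.TryGetValue(given + " " + last, out role))
                evaluationContext.AddClaimSet(this,
                    new DefaultClaimSet(Issuer, new Claim(Role, role, Rights.PossessProperty)));
        }
        return true; // no further evaluation rounds needed
    }

    // An issuer that proved possession of a key: a certificate (thumbprint claim) or, for
    // self-issued CardSpace cards accepted via allowUntrustedRsaIssuers, a bare RSA key.
    static bool IssuerIsIdentified(ClaimSet issuer)
    {
        if (issuer == null || issuer == ClaimSet.System) return false;
        return HasAny(issuer, ClaimTypes.Thumbprint) || HasAny(issuer, ClaimTypes.Rsa);
    }

    static bool HasAny(ClaimSet set, string claimType)
    {
        foreach (Claim c in set.FindClaims(claimType, Rights.PossessProperty)) return true;
        return false;
    }

    static string FirstResource(ClaimSet set, string claimType)
    {
        foreach (Claim c in set.FindClaims(claimType, Rights.PossessProperty))
            return c.Resource as string;
        return null;
    }
}

public sealed class RoleAuthorizationManager : ServiceAuthorizationManager
{
    // Assumed operation-to-role map keyed on the WS-Addressing Action of each operation.
    static readonly Dictionary<string, string> RequiredRole = new Dictionary<string, string>
    {
        { "http://tempuri.org/ISecureCalculator/Add", "user" },
        { "http://tempuri.org/ISecureCalculator/Divide", "admin" },
    };

    protected override bool CheckAccessCore(OperationContext operationContext)
    {
        string action = operationContext.RequestContext.RequestMessage.Headers.Action;
        string needed;
        if (!RequiredRole.TryGetValue(action, out needed))
            return false; // fail closed: no rule, no access
        return HasRole(operationContext.ServiceSecurityContext.AuthorizationContext.ClaimSets, needed);
    }

    public static bool HasRole(IEnumerable<ClaimSet> claimSets, string needed)
    {
        foreach (ClaimSet set in claimSets)
            foreach (Claim c in set.FindClaims(NameToRoleClaimsPolicy.Role, Rights.PossessProperty))
                if (string.Equals(c.Resource as string, needed, StringComparison.Ordinal))
                    return true;
        return false;
    }
}
```

Both classes are wired through the serviceAuthorization behavior element: serviceAuthorizationManagerType names the manager, and an authorizationPolicies/add child with policyType names the policy. Keying the directory on name claims is only meaningful when the issuer vouches for them; a self-issued CardSpace card asserts its own givenname and lastname, so a service accepting such cards should key on the card's RSA key (or PPID) instead, which is the role the slide's SelfissuedServAuthMgr plays.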
  • Custom Authentication
    Service configuration: CalculatorService exposes ISecureCalculator at http://localhost/serv.svc over wsFederationHttpBinding and requires a SAML 1.0 token from the self-issued (CardSpace) issuer carrying givenname and lastname claims.
    <services>
      <service name="CalculatorService"
               behaviorConfiguration="ServiceCredentials">
        <endpoint address=""
                  binding="wsFederationHttpBinding"
                  bindingConfiguration="requireInfoCard"
                  contract="ISecureCalculator">
          <identity>
            <certificateReference findValue="fabrikam"
                                  x509FindType="FindBySubjectName"
                                  storeLocation="LocalMachine"
                                  storeName="My" />
          </identity>
        </endpoint>
      </service>
    </services>
    <bindings>
      <wsFederationHttpBinding>
        <binding name="requireInfoCard"> ... </binding>
      </wsFederationHttpBinding>
    </bindings>
    <behaviors>
      <serviceBehaviors>
        <behavior name="ServiceCredentials"> ... </behavior>
      </serviceBehaviors>
    </behaviors>

    The ServiceCredentials behavior plugs in a custom ServiceAuthorizationManager and accepts self-issued cards:
    <behavior name="ServiceCredentials">
      <serviceAuthorization serviceAuthorizationManagerType=
        "MyServiceAuthorizationManagers.SelfissuedServAuthMgr, MyServiceAuthorizationManagers" />
      <serviceCredentials>
        <serviceCertificate findValue="fabrikam"
                            x509FindType="FindBySubjectName"
                            storeLocation="LocalMachine"
                            storeName="My" />
        <!-- Self-issued CardSpace cards are signed with a bare RSA key rather than a
             certificate, so untrusted RSA issuers must be allowed; the authorization
             manager above is then responsible for deciding whose key that is. -->
        <issuedTokenAuthentication allowUntrustedRsaIssuers="true" />
      </serviceCredentials>
    </behavior>
  • Custom Authentication
    demo
  • Service Config
    The services, bindings and behaviors skeleton is the same as on the previous slide. The requireInfoCard binding requires a SAML 1.0 token with givenname and lastname claims from the self-issued issuer:
    <wsFederationHttpBinding>
      <binding name="requireInfoCard">
        <security mode="Message">
          <message issuedTokenType="urn:oasis:names:tc:SAML:1.0:assertion">
            <claimTypeRequirements>
              <add claimType="http://schemas../givenname" />
              <add claimType="http://schemas../lastname" />
            </claimTypeRequirements>
            <issuer address="http://schemas../self" />
          </message>
        </security>
      </binding>
    </wsFederationHttpBinding>

    <behavior name="ServiceCredentials">
      <serviceCredentials>
        <serviceCertificate findValue="fabrikam"
                            x509FindType="FindBySubjectName"
                            storeLocation="LocalMachine"
                            storeName="My" />
        <issuedTokenAuthentication allowUntrustedRsaIssuers="true" />
      </serviceCredentials>
    </behavior>
  • Client Config
    Client endpoint for ISecureCalculator at http://localhost/serv.svc, with the service's fabrikam certificate from the CurrentUser\TrustedPeople store as the expected endpoint identity:
    <client>
      <endpoint address="http://localhost/serv.svc/"
                bindingConfiguration="requireInfoCard"
                binding="wsFederationHttpBinding"
                contract="ISecureCalculator"
                behaviorConfiguration="ClientCredentials">
        <identity>
          <certificateReference findValue="fabrikam"
                                x509FindType="FindBySubjectName"
                                storeLocation="CurrentUser"
                                storeName="TrustedPeople" />
        </identity>
      </endpoint>
    </client>
    <bindings>
      <wsFederationHttpBinding>
        <binding name="requireInfoCard"> ... </binding>
      </wsFederationHttpBinding>
    </bindings>
    <behaviors>
      <endpointBehaviors>
        <behavior name="ClientCredentials"> ... </behavior>
      </endpointBehaviors>
    </behaviors>

    <behavior name="ClientCredentials">
      <clientCredentials>
        <serviceCertificate>
          <defaultCertificate findValue="fabrikam"
                              x509FindType="FindBySubjectName"
                              storeLocation="CurrentUser"
                              storeName="TrustedPeople" />
          <!-- Demo settings: PeerOrChainTrust accepts the self-signed fabrikam certificate
               from TrustedPeople and NoCheck skips revocation. In production use ChainTrust
               with revocationMode="Online" (or "Offline") against a CA-issued certificate. -->
          <authentication revocationMode="NoCheck"
                          certificateValidationMode="PeerOrChainTrust" />
        </serviceCertificate>
      </clientCredentials>
    </behavior>

    <binding name="requireInfoCard">
      <security mode="Message">
        <message issuedTokenType="urn:oasis:names:tc:SAML:1.0:assertion">
          <claimTypeRequirements>
            <add claimType="http://schemas../emailaddress" />
            <add claimType="http://schemas../givenname" />
          </claimTypeRequirements>
          <issuer address="http://schemas../self" />
        </message>
      </security>
    </binding>
    The slide's diagram also labels an STS at http://madSTS.org/sts.
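The client behavior above turns off revocation checking and accepts a self-signed certificate from TrustedPeople, which is fine for a demo and wrong for production. As an added example that is not part of the deck, the C# below does the same client wiring in code but swaps in a custom X509CertificateValidator that pins the service certificate's thumbprint and builds a chain with online revocation checking. It assumes a CA-issued service certificate; the thumbprint and address passed to Create are placeholders.

```csharp
// Added example, not from the talk: replace the demo's PeerOrChainTrust/NoCheck validation
// of the service certificate with a pinned, chain-and-revocation-checked validator.
// Thumbprint, address and the use of ChannelFactory<T> are assumptions.
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

public sealed class PinnedChainValidator : X509CertificateValidator
{
    readonly string expectedThumbprint;

    public PinnedChainValidator(string expectedThumbprint)
    {
        // Thumbprints are often pasted with spaces from certmgr; normalise once.
        this.expectedThumbprint = expectedThumbprint.Replace(" ", "").ToUpperInvariant();
    }

    public override void Validate(X509Certificate2 certificate)
    {
        if (certificate == null) throw new ArgumentNullException("certificate");

        // 1. Pin: the service must present exactly the certificate deployed for it, so a
        //    valid certificate for some other name from the same CA is still rejected.
        if (!string.Equals(certificate.Thumbprint, expectedThumbprint, StringComparison.OrdinalIgnoreCase))
            throw new SecurityTokenValidationException("Service certificate thumbprint mismatch");

        // 2. Chain to a trusted root with online revocation checking, the opposite of the
        //    demo's revocationMode="NoCheck" certificateValidationMode="PeerOrChainTrust".
        var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
        if (!chain.Build(certificate))
            throw new SecurityTokenValidationException(
                "Service certificate chain invalid: " + Describe(chain));
    }

    static string Describe(X509Chain chain)
    {
        var parts = new List<string>();
        foreach (X509ChainStatus s in chain.ChainStatus) parts.Add(s.Status.ToString());
        return string.Join(", ", parts.ToArray());
    }
}

static class ClientSetup
{
    // Code equivalent of the <clientCredentials><serviceCertificate> behavior, with the
    // custom validator selected instead of PeerOrChainTrust.
    public static ChannelFactory<T> Create<T>(string address, string serviceThumbprint)
    {
        var binding = new WSFederationHttpBinding(WSFederationHttpSecurityMode.Message);
        var factory = new ChannelFactory<T>(binding, new EndpointAddress(address));
        X509ServiceCertificateAuthentication auth = factory.Credentials.ServiceCertificate.Authentication;
        auth.CertificateValidationMode = X509CertificateValidationMode.Custom;
        auth.CustomCertificateValidator = new PinnedChainValidator(serviceThumbprint);
        return factory;
    }
}
```

The same validator can be set through configuration with certificateValidationMode="Custom" and customCertificateValidatorType on the authentication element; the issued-token side of the binding (issuer address, claim types) is configured exactly as in the binding above and is unaffected by the validator.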
  • Tips & Tricks
    VS2008 SP1
  • Tips & Tricks (cont.)
  • New Services
    NetMsmqActivator (Net.Msmq Listener Adapter)
    Receives activation requests over the net.msmq and msmq.formatname protocols and passes them to the Windows Process Activation Service.
    NetPipeActivator (Net.Pipe Listener Adapter)
    Receives activation requests over the net.pipe protocol and passes them to the Windows Process Activation Service.
  • New Services
    NetTcpActivator (Net.Tcp Listener Adapter)
    Receives activation requests over the net.tcp protocol and passes them to the Windows Process Activation Service.
    NetTcpPortSharing (Net.Tcp Port Sharing Service)
    Provides ability to share TCP ports over the net.tcp protocol.
  • Q & A
  • CodePlex WCF Security Guidance - http://www.codeplex.com/WCFSecurity
    IDesign code library - http://www.idesign.net/
    MSDN WCF demos and examples - http://wcf.netfx3.com/
    (WCF), (WF) and Windows CardSpace Samples - MSDN http://tinyurl.com/4zvppt
    Track Resources
    Bloggers:
    Ron Jacobs, Vittorio Bertocci, Michelle Bustamante, Aaron Skonnard, etc.
  • © 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
    The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
  • (Diagram: client claims and service claims are each checked against an authority: Valid?)
  • Identity Types (the endpoint <identity> element)
    DNS: use this element with X.509 certificates or Windows accounts
    Certificate: a Base64-encoded X.509 certificate value that the client compares against the certificate the service presents; also use this element when a CardSpace card is the credential used to authenticate the service
    Certificate reference: the same check, with the certificate looked up in a store
    RSA
    User Principal Name
    Service Principal Name
  • Topology
    (Topology diagram as on the Partners slide: browser and Windows clients, IIS in the DMZ, STS, IIS and Windows clients on the intranet, a router between zones, with two services marked S1 and S2)