• Securing messages between clients and services is essential to protecting data. The Windows Communication Foundation (WCF) provides a versatile and interoperable platform for exchanging secure messages based upon both the existing security infrastructure and the recognized security standards for SOAP messages. In this session learn how to use WCF for transfer security and access control using familiar technologies such as HTTPS, Windows integrated security, X.509 certificates, SAML, and usernames and passwords, and also new technologies such as Windows CardSpace. This session also discusses how to extend WCF security to support custom security tokens, custom authentication methods, claims-based authorization, claims transformation, and custom principals.
Secure Web Services Using WCF
2. Building Secure Web Services Using Windows Communication Foundation
Petar Vucetin, Senior Software Engineer, Vertigo
Session Code: SOA312
3. Agenda
• Learn how to use standard WCF security mechanisms correctly
• Understand appropriate scenarios for the various WCF security options
• Understand how to extend WCF security for custom applications
6. Threat Modeling
• CIA: Confidentiality, Integrity, Availability
• STRIDE: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service (DoS), Elevation of Privilege
7. Security
• Confidentiality: the content of the message is kept secret
• Integrity: confidence that the message received is the same one the sender sent
• Authentication: confidence that we know the caller's identity
• Confidentiality and integrity are useless without authenticity
8. WCF Out-of-the-Box Experience
• Defaults to secure mode
• Claim-based; covers Internet, intranet and custom security scenarios
• Secure conversations
• Transfer: message integrity and protection
• Mutual authentication (client -> service, service -> client)
• Authorization
9. Service Identity (diagram)
• Caller identity and service identity; claims, policy and trust between caller and service
• Message security (WS*) and transport security (TLS, SSL, IPSec)
• An endpoint is defined by Address (where?), Binding (how?) and Contract (what?)
10. Transport Security
• Prevents eavesdropping, tampering and message forgery
• Point-to-point communication
• SSL over HTTP; TLS over TCP; IPSec/L2TP
• Provides endpoint authentication and communications privacy using cryptography
11. Message Security (WS-Security): SOAP envelope layout
• SOAP Header: a Security header carrying the security token, timestamp, signature and encrypted key, alongside the miscellaneous headers
• SOAP Body: encrypted data
12. Message Security
• Transport independent
• Uses SOAP / WS-Security
• Parts of the message can be signed or encrypted
• All of the security information is encapsulated in the message; security credentials and claims travel with every message
• Wide set of credentials and claims supported
• WCF requires an X.509 certificate
13. Authentication
• Caller identification: Windows tokens, certificates, user name tokens, custom
• Service identification (to caller): Windows tokens, X.509 certificates
14. Authentication with WS-Security (diagram)
• Contract and policies govern which tokens are accepted: X.509 certificate, Kerberos, XrML, SAML, custom
• The service verifies that the user owns, or is able to use, a private key that is never transmitted
15. Authorization
• What is the caller allowed to do?
• WCF uses the caller's claims; there can be many (Windows token, SAML)
• Claim sources: Windows groups, ASP.NET providers, custom provider
• No good without authentication
16. Claims
A claim is a declaration made by an entity about an entity (for example, a name, identity, group, key or privilege). The entity that makes the claim is referred to as the claim issuer; the entity about which the claim is made is referred to as the claim subject. A claim is defined by a triplet: type, right, resource. A claim issuer can vouch for or endorse the claims in a security token by using its key to sign or encrypt the security token; this enables authentication of the claims in the security token.
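An added example (not from the slides) of the claims-based authorization just described: a ServiceAuthorizationManager that grants access from the caller's claim triplets instead of raw group names. The allowed caller names are constructed sample data and the service host is assumed to be the reader's.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Claims;
using System.ServiceModel;

// Added example, not from the slides: access is decided from the caller's claims
// (type, right, resource). The allowed names are constructed sample data.
public class NameClaimAuthorizationManager : ServiceAuthorizationManager
{
    private static readonly string[] AllowedCallers = { "CORP\\alice", "CORP\\svc-orders" };

    // WCF calls this for every operation after the credential has been authenticated;
    // the claim sets it sees come from that authentication, which is why
    // authorization is "no good without authentication".
    protected override bool CheckAccessCore(OperationContext operationContext)
    {
        var ctx = operationContext.ServiceSecurityContext.AuthorizationContext;
        return HasAllowedNameClaim(ctx.ClaimSets);
    }

    // Kept separate from CheckAccessCore so the rule can be exercised without a live
    // OperationContext (for example with a DefaultClaimSet built from Claim.CreateNameClaim).
    public static bool HasAllowedNameClaim(IEnumerable<ClaimSet> claimSets)
    {
        foreach (ClaimSet set in claimSets)
        {
            // Triplet lookup: type = Name, right = PossessProperty; the resource is the value.
            foreach (Claim claim in set.FindClaims(ClaimTypes.Name, Rights.PossessProperty))
            {
                string name = claim.Resource as string;
                if (name != null &&
                    Array.Exists(AllowedCallers, a => string.Equals(a, name, StringComparison.OrdinalIgnoreCase)))
                    return true;
            }
        }
        return false;   // deny by default: no matching name claim from any issuer
    }

    // Wires the manager into a host (assumed ServiceHost for the reader's service type).
    public static void Install(ServiceHost host)
    {
        host.Authorization.ServiceAuthorizationManager = new NameClaimAuthorizationManager();
    }
}
```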
18. Scenarios
• Intranet
  • Direct access to service (rare): single machine
  • Application servers (more common): distributed, maybe port restrictions and firewalls
  • AD, Windows auth
• Internet
  • Firewalled, DMZed
  • Restricted ports and routes, custom identity store
  • Maybe a trusted subsystem down the line with AD/Windows auth
  • Maybe multiple authentication systems involved
19. Scenarios (cont.)
• B2B
  • Crossing multiple network topologies, firewalls, port restrictions
  • Non-Windows security topologies and implementations
  • May require acquiring and using different identities
  • Maybe multiple authentication systems involved
  • Most likely service to service
22. Security Modes
• None: turns security off. Not recommended (default for BasicHttpBinding)
• Transport: uses transport security for mutual authentication and message protection
• Message: uses message security for mutual authentication and message protection. WCF requires an X.509 certificate
• Both: allows you to supply settings for transport and message-level security (only MSMQ supports this)
24. Security Modes (cont.)
• TransportWithMessageCredential: client credentials are passed with the message; service authentication, confidentiality and data integrity are provided by the transport layer
• TransportCredentialOnly: client credentials are passed with the transport layer and no message protection is applied
37. Out-of-the-Box Bindings: Intranet
NetNamedPipeBinding
• Limited reach: same machine, cross process
• Fast
• No SOAP support
• Defaults: Security Mode: Transport; Credentials: Windows; Message protection: Encrypt and Sign
38. Out-of-the-Box Bindings (cont.): Intranet
NetTcpBinding
• WCF-to-WCF scenarios
• Fast; can add WS* features (performance tradeoff)
• If you used COM+/DCOM, use this binding
• Load balancing: has server affinity, so reduce the lease timeout
• Defaults: Security Mode: Transport; Credentials: Windows; Message protection: Encrypt and Sign
39. Out-of-the-Box Bindings (cont.): Intranet
NetMsmqBinding
• Queued work / workload leveling / disconnected scenarios
• Defaults: Security Mode: Transport; Credentials: Windows; Message protection: Sign
MsmqIntegrationBinding
• Non-WCF clients
40. Out-of-the-Box Bindings (cont.): Internet
BasicHttpBinding
• Interop for ASMX; supports WS-I Basic Profile 1.1
• Does not support the WS* stack
• Works well with existing HTTP load balancing techniques
• Only binding supported in Silverlight 2.0
• Defaults: Security Mode: None; Transport: None; Credentials: User Name; Message protection: None
41. Out-of-the-Box Bindings (cont.): Internet
WsHttpBinding
• Non-Windows/WCF clients
• Restricted ports, firewalls
• Can use HTTP load balancing, but then reliable session can't be used and EstablishSecurityContext must be off
• Defaults: Security Mode: Message; Transport: HTTP; Credentials: Windows; Message protection: Sign and Encrypt
42. Out-of-the-Box Bindings (cont.): Internet
WsFederationHttpBinding
• Share identities across multiple systems
• Custom tokens
• Defaults: Security Mode: Message; Transport: HTTP; Credentials: Windows; Message protection: Sign and Encrypt
53. New Services
• NetMsmqActivator (Net.Msmq Listener Adapter): receives activation requests over the net.msmq and msmq.formatname protocols and passes them to the Windows Process Activation Service
• NetPipeActivator (Net.Pipe Listener Adapter): receives activation requests over the net.pipe protocol and passes them to the Windows Process Activation Service
54. New Services
• NetTcpActivator (Net.Tcp Listener Adapter): receives activation requests over the net.tcp protocol and passes them to the Windows Process Activation Service
• NetTcpPortSharing (Net.Tcp Port Sharing Service): provides the ability to share TCP ports over the net.tcp protocol
59. Track Resources
• CodePlex WCF Security Guidance: http://www.codeplex.com/WCFSecurity
• IDesign code library: http://www.idesign.net/
• MSDN WCF demos and examples: http://wcf.netfx3.com/
• (WCF), (WF) and Windows CardSpace samples on MSDN: http://tinyurl.com/4zvppt
• Bloggers: Ron Jacobs, Vittorio Bertocci, Michelle Bustamante, Aaron Skonnard, etc.
63. Identity Types
• DNS: use this element with X.509 certificates or Windows accounts
• Certificate: this element specifies a Base64-encoded X.509 certificate value to compare with the client. Also use this element when using CardSpace as a credential to authenticate the service.
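An added example (not from the slides) that builds in code the security modes (slides 22 and 24), the binding defaults (slides 37 to 42) and the DNS identity (slide 63) discussed above, placing the weak BasicHttpBinding default beside its corrected setting. The service address and DNS name are placeholders.

```csharp
using System;
using System.Net.Security;
using System.ServiceModel;

// Added example, not from the slides: bindings from the deck built in code.
public static class SecureBindings
{
    // Slide 40: BasicHttpBinding defaults to SecurityMode.None, so nothing is
    // protected and a user name credential would travel in clear text.
    public static BasicHttpBinding InsecureDefault()
    {
        return new BasicHttpBinding();   // Security.Mode == BasicHttpSecurityMode.None
    }

    // Slide 24 applied: HTTPS provides service authentication, confidentiality and
    // integrity; the user name token rides in the WS-Security header.
    public static BasicHttpBinding InternetUserName()
    {
        var b = new BasicHttpBinding(BasicHttpSecurityMode.TransportWithMessageCredential);
        b.Security.Message.ClientCredentialType = BasicHttpMessageCredentialType.UserName;
        return b;
    }

    // Slide 41: WsHttpBinding behind an HTTP load balancer keeps message security
    // but drops the security context session, so any node can handle any message.
    public static WSHttpBinding LoadBalancedMessageSecurity()
    {
        var b = new WSHttpBinding(SecurityMode.Message);
        b.Security.Message.ClientCredentialType = MessageCredentialType.Windows;
        b.Security.Message.EstablishSecurityContext = false;
        return b;
    }

    // Slide 38 defaults made explicit: transport security, Windows credentials,
    // encrypt and sign.
    public static NetTcpBinding IntranetTcp()
    {
        var b = new NetTcpBinding(SecurityMode.Transport);
        b.Security.Transport.ClientCredentialType = TcpClientCredentialType.Windows;
        b.Security.Transport.ProtectionLevel = ProtectionLevel.EncryptAndSign;
        return b;
    }

    // Slide 63: DNS identity on the client endpoint (placeholder host name). The client
    // rejects the service unless its certificate (or SPN, for Windows accounts) matches.
    public static EndpointAddress OrderServiceAddress()
    {
        return new EndpointAddress(new Uri("https://orders.example.invalid/OrderService"),
                                   EndpointIdentity.CreateDnsIdentity("orders.example.invalid"));
    }
}
```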