© 2007 Charteris plc 18 April 2023
Extending Web Service Security with WS-*
Presented by Chris Seary MVP
Charteris plc, 39-40 Bartholomew Close, London EC1A 7JN
Vision
• Secure communications
  – Confidentiality
  – Integrity
  – Availability
Confusion
• Network protocol security
• Message layer security
Coming up
• Clarification
• What are the different types of security provided by networking protocols?
• What does message level security add?
• Suggestions on which to choose
• How to do it using WCF
What is WS-Security?
• Message layer security
• Standards based (OASIS)
• WS-*
  – WS-Security
  – WS-Addressing
  – Etc.
How do we implement it?
• WCF provides a framework for programming WS-*
  – Authentication
  – Encryption
  – Non-repudiation
  – Digital signatures
  – Etc.
Message security versus network protocol security
• What do we mean by
  – Message
  – Network protocol
• Confusion due to naming!
Network protocols
• TCP/IP stack
• Refers to network communications
Network protocols
[Diagram: security is applied inside the TCP/IP stack, so the data is unsecured before it enters the stack and again after it leaves it at the far end]
• Data is only protected during transit
• Examples: HTTPS and FTPS; IPSec; PPP using PAP, CHAP, MS-CHAP or EAP
Network protocols
• SSL
  – Confidentiality
  – Integrity
  – Authenticates USERS
    • Basic
    • Windows
    • Etc.
  – Various apps
    • FTP
    • SQL Server libraries
Network protocols
• IPSec
  – Confidentiality
  – Integrity
  – Authenticates HOSTS
    • Kerberos
    • Shared password (don’t do this in production!)
    • Certificates
  – VPN with L2TP
Demo
• SSL in IIS
• IPSec
Message security
[Diagram: security is applied by the sender (encrypt) and by the receiver (decrypt); the data is secure at every hop in between]
• Protects data that is sent
• More granular
• Can use application level tools
• End to end
Integrity
• Integrity
  – Message not altered in transit
  – WS-*, SSL, IPSec all give this
Non-repudiation
• Digital signatures
  – Gives assurance that message was sent by the signer
  – WS-* gives digital signature
  – SSL and IPSec do not
Confidentiality
• Encryption
  – Only recipient can read message
  – SSL, IPSec and WSE all provide this
  – WS-* provides more granular functionality
    • Custom policy assertion can encrypt/sign specific parts of a message
    • Intrusion Detection Systems may disallow SSL or IPSec
Authentication
• IPSec
  – Kerberos, shared key, certificates
• SSL
  – Basic, Windows, Digest, Certs
• WS-*
  – Username/password, Certs, Custom, Kerberos
Policy
• WS-* can be applied via
  – Configuration
  – Code
  – A mixture of configuration and code
• Policy is configuration
Policy
• WCF offers readymade policy objects
  – ‘turnkey’ approach that began with WSE 3.0
Demo
• SOAP
• WS-Security
• Encryption
• Digital Signature
Security and encryption
[Diagram: Message → Encrypt → "Jhbsx^8" → Decrypt → Message; the recipient's public key is used to encrypt and its private key to decrypt]
• Usually includes encryption of a symmetric key!
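The scheme the last bullet points at, written out as an added illustration (this is not code from the deck): a random symmetric key encrypts the message, and the public key only encrypts that key. It assumes .NET Core / .NET 5+, where RSA.Create(int) and OAEP-SHA256 are available; the key size and the one-word message are constructed sample values.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class HybridEncryptionDemo
{
    static void Main()
    {
        // Recipient's key pair: in WS-* the public key is read from the recipient's
        // certificate and the private key lives in its certificate store.
        using (var recipient = RSA.Create(2048))
        using (var aes = Aes.Create())
        {
            // Sender: a fresh random symmetric key encrypts the message itself...
            byte[] plain = Encoding.UTF8.GetBytes("Message");   // constructed sample
            byte[] ciphertext;
            using (var enc = aes.CreateEncryptor())
                ciphertext = enc.TransformFinalBlock(plain, 0, plain.Length);

            // ...and the recipient's PUBLIC key encrypts only the symmetric key.
            byte[] wrappedKey = recipient.Encrypt(aes.Key, RSAEncryptionPadding.OaepSHA256);

            // What travels is wrappedKey, aes.IV and the ciphertext (the "Jhbsx^8").
            // Recipient: the PRIVATE key unwraps the symmetric key, which decrypts the body.
            byte[] key = recipient.Decrypt(wrappedKey, RSAEncryptionPadding.OaepSHA256);
            using (var dec = aes.CreateDecryptor(key, aes.IV))
            {
                byte[] recovered = dec.TransformFinalBlock(ciphertext, 0, ciphertext.Length);
                Console.WriteLine(Encoding.UTF8.GetString(recovered));
            }
        }
    }
}
```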
Certificates
[Diagram: a certificate carries the subject name, serial number, issuer, public key, CA signature and a list of attributes]
Certificate store
[Diagram: the certificate store holds the certificate together with its private key]
Certificate store
• Local machine
  – Certificates used by system
    • Demo uses Network Service
• Current user
  – Logged on user
  – Windows test harness
• X509 Certificate Tool
  – Grants permissions for accessing private keys
Demo
• Certificate store
WCF
• Windows Communication Foundation
WCF
• Address
• Binding
• Contract
WCF
• Address
  – Endpoint
  – URL
    • http://localhost/site/service
WCF
• Binding
  – How do we communicate?
    • WS-*
    • HTTP
    • HTTPS
    • Etc.
WCF
• Contract
  – What have we agreed?
    • Methods
    • Parameters
  – Interface
WCF
[Diagram: client and service each expose endpoints, and every endpoint is made up of an Address (where?), a Binding (how?) and a Contract (what?); behaviors sit on each side]
Demo
• WCF and WS-*
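The address/binding/contract trio with WS-Security message-level protection, as an added example in WCF (not the deck's demo code). The service name, operation, endpoint URL and the certificate subject name "localhost" are assumptions; the certificate is looked up in the Local Machine store as the certificate-store slides describe.

```csharp
using System;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

// Contract ("what?"): the agreed interface, its methods and parameters.
// ProtectionLevel is the granularity message security adds: each operation
// can demand sign-only or encrypt-and-sign for its part of the SOAP message.
[ServiceContract]
public interface IQuoteService
{
    [OperationContract(ProtectionLevel = ProtectionLevel.EncryptAndSign)]
    decimal GetQuote(string symbol);
}

public class QuoteService : IQuoteService
{
    public decimal GetQuote(string symbol) { return 42.00m; }  // constructed sample value
}

class Program
{
    static void Main()
    {
        // Address ("where?"): plain http is enough, the protection is in the message.
        var address = new Uri("http://localhost:8000/site/service");
        // Binding ("how?"): WS-* over HTTP with WS-Security applied to the message
        // and an X.509 certificate as the client credential.
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;
        var host = new ServiceHost(typeof(QuoteService), address);
        host.AddServiceEndpoint(typeof(IQuoteService), binding, "");
        // Service certificate from the Local Machine store. The account running the
        // host (e.g. Network Service) needs read access to its private key, which is
        // what the X509 Certificate Tool grants. The subject name is an assumption.
        host.Credentials.ServiceCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My,
            X509FindType.FindBySubjectName, "localhost");
        // Client certificates must chain to a trusted CA (PeerTrust/None belong in a test harness).
        host.Credentials.ClientCertificate.Authentication.CertificateValidationMode =
            X509CertificateValidationMode.ChainTrust;
        host.Open();
        Console.WriteLine("Listening at " + address);
        Console.ReadLine();
        host.Close();
    }
}
```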
WS-* Evolution
• WSE
  – Tactical
  – WSE 2.0 - .NET 1.x
  – WSE 3.0 - .NET 2.0
• WCF
  – Future of communications for Microsoft technologies
WS-* Interoperability
• WSE 3.0 WCF
• WSE 2.0 WCF
WCF
• http://www.netfx3.com/
• http://msdn2.microsoft.com/en-us/netframework/aa663324.asp
WS-Federation
• Single Sign On
• Identity Providers
• 7 laws of identity – Kim Cameron
  – http://www.microsoft.com/technet/technetmag/issues/2006/07/7Laws/default.aspx
WS-Federation
[Diagram: passive federation between www.site1.com, www.IdentityProvider.com (the IP) and www.site2.com]
First visit to site 1:
1. User attempts to access site 1
2. Site 1 server sees that no cookie is presented
3. Site 1 server redirects user to IP
4. IP supplies user with login form to enter credentials
5. User submits credentials
6. Credentials validated
7. IP supplies user with form containing a Signed Security Token in a hidden field; an IP cookie is included with the response
8. JavaScript submits the form with the hidden field to site 1
9. Site 1 assesses whether the user in the Signed Security Token should be allowed access
10. Site 1 responds with a welcome page, and a site 1 cookie is included in the response
Then site 2:
1. User navigates to site 2
2. No cookie for site 2
3. User redirected to IP, thus sending IP cookie
4. IP picks up IP cookie from user
5. IP responds with a form containing a Signed Security Token in a hidden field
6. JavaScript submits the form to site 2
7. Site 2 checks Signed Security Token and chooses whether to grant access
8. Site 2 responds with a welcome page and a site 2 cookie
Back to site 1:
1. User navigates back to site 1, including site 1 cookie in the request
2. Site 1 application checks validity of cookie
3. Site 1 responds with page from previous transaction
WS-Federation
• http://technet2.microsoft.com/WindowsServer/en/Library/b0f029cb-65ab-44fb-bcfc-5aa02314e06e1033.mspx?mfr=true
Summary
• Protocol – TCP/IP
• Message – WS-Security
• Single Sign On – WS-Federation
• Rapidly advancing technology
Thank you
• Presentation and slides
  – http://blog.searyblog.com/