Wcf security session 1

Post on 31-May-2015


WCF SECURITY
Anil Kumar M

04/12/2023

Objectives

Golden History
Guess where is the path
Define a Policy
Who are you? WCF ways to identify
Are you allowed to do!
A big Prediction


Golden History

General scenarios of security in a normal Client and Service application: a Client calls a Service, i.e. a Client calls a method in the Service.

Considering our focused topic of the day: security in terms of the Service.


Guess where we can improve security?


Just think, not required: a scenario

Now, with an authenticated and authorized Client calling the Service, don't you think the message transferred from Client to Service should also be secured? That is, the membrane (the channel) that carries the message from Client to Service should be secured.

This defines the term Transfer Security.


If we recap, Security Policy is:
Authentication
Authorization
Transfer Security


Who are you? Authentication

Two contexts:
In the Service's viewpoint
In the Client's perspective: hijacked Client calls


6 Authentication Mechanisms offered by WCF


1. No Authentication

The Service allows everyone to access its methods.


2. Windows Authentication

Kerberos when there is a domain server; NTLM in a workgroup.

The Service allows those who provide their Windows credentials and authenticate against Windows.

3. UserName and Password

The Service allows those who provide a username and password and authenticate against its user store.


4. X509 Certificate

The Service allows those known to it in advance, i.e. the Client presents a certificate already registered with the service host, so if a request comes with that certificate the caller is a valid user.


5. Custom Mechanism

Biometrics


6. Issued Token

Security Token Service; related to Federated Security. Like authentication with GOOGLE, HOTMAIL, YAHOO used in any application; CardSpace.
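The mechanisms above are selected in WCF by the binding's client credential type and by the credentials the host is given. The following is an added example, not code from the deck; it assumes a hypothetical IAccountService contract, a service certificate named "localhost" in the LocalMachine\My store, and a constructed in-memory user store for the custom validator.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Description;
using System.ServiceModel.Security;

// Hypothetical contract for the example; the deck names no service.
[ServiceContract]
public interface IAccountService
{
    [OperationContract]
    decimal GetBalance(string accountNumber);
}

// Mechanism 3 backed by mechanism 5: a custom validator that checks a
// username/password against the service's own user store. The store here is
// a constructed in-memory sample; a real one would compare a salted hash.
public class DemoUserStoreValidator : UserNamePasswordValidator
{
    public override void Validate(string userName, string password)
    {
        bool known = userName == "alice" && password == "constructed-sample-password";
        if (!known)
        {
            // Throwing rejects the call; WCF returns a generic fault to the client.
            throw new SecurityTokenException("Unknown user name or incorrect password.");
        }
    }
}

public static class AuthenticationBindings
{
    // 1. No authentication: anyone who can reach the endpoint may call it.
    public static BasicHttpBinding NoAuthentication()
    {
        return new BasicHttpBinding(BasicHttpSecurityMode.None);
    }

    // 2. Windows: Kerberos in a domain, NTLM in a workgroup; WCF negotiates which.
    public static WSHttpBinding WindowsAuthentication()
    {
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;
        return binding;
    }

    // 3. Username/password carried inside the (encrypted) message.
    public static WSHttpBinding UserNameAuthentication()
    {
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        return binding;
    }

    // 4. X.509: the client signs with a certificate the host already knows.
    public static WSHttpBinding CertificateAuthentication()
    {
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;
        return binding;
    }

    // Credentials side of the host (assumes the "localhost" service certificate
    // exists in LocalMachine\My).
    public static void ConfigureHost(ServiceHost host)
    {
        host.AddServiceEndpoint(typeof(IAccountService), UserNameAuthentication(), "username");
        host.AddServiceEndpoint(typeof(IAccountService), CertificateAuthentication(), "cert");

        ServiceCredentials creds = host.Credentials;

        // Message security encrypts to the service certificate, so mechanisms 2-4 need one.
        creds.ServiceCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My, X509FindType.FindBySubjectName, "localhost");

        // Mechanism 3: route username/password checks to our own store.
        creds.UserNameAuthentication.UserNamePasswordValidationMode = UserNamePasswordValidationMode.Custom;
        creds.UserNameAuthentication.CustomUserNamePasswordValidator = new DemoUserStoreValidator();

        // Mechanism 4: "already registered with the service host" maps to PeerTrust,
        // i.e. the client certificate must sit in the host's TrustedPeople store.
        creds.ClientCertificate.Authentication.CertificateValidationMode =
            X509CertificateValidationMode.PeerTrust;
    }
}
```

Mechanism 6 (issued tokens) is not shown because it needs a separate Security Token Service; WCF exposes it through WSFederationHttpBinding in the same way, with the STS address in the binding's issuer settings.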


Authorization

After authentication, the Service relies on some user store where users are mapped to logical roles. When a method is accessed, it demands that only certain roles can access it.


Authorization Offered by WCF

Windows Accounts
ASP.NET Provider
Custom role repositories
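Role demands on methods and the custom-repository option, as an added example that is not part of the deck. It assumes a hypothetical IAccountService contract and a constructed user-to-role dictionary standing in for the user store; the Windows-accounts and ASP.NET-provider options are the other two PrincipalPermissionMode values named in the comments.

```csharp
using System;
using System.Collections.Generic;
using System.Collections.ObjectModel;
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;
using System.Security.Permissions;
using System.Security.Principal;
using System.ServiceModel;
using System.ServiceModel.Description;

// Hypothetical contract for the example; the deck names no service.
[ServiceContract]
public interface IAccountService
{
    [OperationContract]
    void Transfer(string fromAccount, string toAccount, decimal amount);

    [OperationContract]
    decimal GetBalance(string accountNumber);
}

public class AccountService : IAccountService
{
    // Declarative demand: only an authenticated caller in the "Teller" role
    // reaches the method body; anyone else receives an access-denied fault.
    [PrincipalPermission(SecurityAction.Demand, Role = "Teller")]
    public void Transfer(string fromAccount, string toAccount, decimal amount)
    {
        // transfer logic would go here
    }

    // Imperative check, for rules that also depend on the arguments.
    public decimal GetBalance(string accountNumber)
    {
        IPrincipal caller = System.Threading.Thread.CurrentPrincipal;
        if (!caller.IsInRole("Teller") && !caller.IsInRole("Auditor"))
            throw new FaultException("Access denied.");
        return 0m; // constructed placeholder balance
    }
}

// Custom role repository: maps authenticated user names to logical roles.
// The dictionary is a constructed sample standing in for a database or directory.
public class DemoRolePolicy : IAuthorizationPolicy
{
    private static readonly Dictionary<string, string[]> UserRoles =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { "alice", new[] { "Teller" } },
            { "bob",   new[] { "Auditor" } },
        };

    public string Id { get; } = Guid.NewGuid().ToString();
    public ClaimSet Issuer { get { return ClaimSet.System; } }

    public bool Evaluate(EvaluationContext evaluationContext, ref object state)
    {
        // WCF places the identities established during authentication here.
        object value;
        if (!evaluationContext.Properties.TryGetValue("Identities", out value))
            return false;
        var identities = value as IList<IIdentity>;
        if (identities == null || identities.Count == 0)
            return false;

        IIdentity identity = identities[0];
        string[] roles;
        if (!UserRoles.TryGetValue(identity.Name, out roles))
            roles = new string[0]; // authenticated but unmapped: every role demand fails

        // The principal set here is what [PrincipalPermission] and IsInRole consult.
        evaluationContext.Properties["Principal"] = new GenericPrincipal(identity, roles);
        return true;
    }
}

public static class AuthorizationSetup
{
    public static void UseCustomRoles(ServiceHost host)
    {
        var auth = host.Description.Behaviors.Find<ServiceAuthorizationBehavior>();
        // The deck's other two options: PrincipalPermissionMode.UseWindowsGroups
        // (Windows accounts) and PrincipalPermissionMode.UseAspNetRoles (ASP.NET provider).
        auth.PrincipalPermissionMode = PrincipalPermissionMode.Custom;
        auth.ExternalAuthorizationPolicies = new ReadOnlyCollection<IAuthorizationPolicy>(
            new List<IAuthorizationPolicy> { new DemoRolePolicy() });
    }
}
```

With this in place a caller authenticated as "bob" can read a balance but a call to Transfer fails before the method body runs, which is the "only certain roles can access" demand the slide describes.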


Transfer Security Challenges

Read or Write
Message integrity
Message Privacy
Mutual Authentication


Message integrity

Example threat: altering the account number in an amount transfer.


Message Privacy

Example threat: no altering, only reading the info and using it whenever needed.


Mutual Authentication

Two challenges: the polite way and the cruel way.

Eliminate replay attacks: reading secure info from the wire and sending that same info to the Service again.

Denial of service attacks: flooding the service with correct and bogus messages at such a frequency that it becomes unavailable.
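How the four transfer-security challenges map onto WCF settings, as an added example that is not code from the deck. It assumes a hypothetical ITransferService contract and picks illustrative replay-window and throttle values; integrity and privacy are chosen per contract or operation through ProtectionLevel, replay detection lives on the security binding element, and throttling bounds the work a flood can cause.

```csharp
using System;
using System.Net.Security;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;

// Integrity vs. privacy at contract level (hypothetical contract; the deck names none).
// Sign: tampering with the account number is detected, but an eavesdropper can still read it.
// EncryptAndSign: integrity and privacy together; this is WCF's default for message security.
[ServiceContract(ProtectionLevel = ProtectionLevel.EncryptAndSign)]
public interface ITransferService
{
    [OperationContract]
    void Transfer(string fromAccount, string toAccount, decimal amount);

    // A status call that carries nothing private can relax to integrity only.
    [OperationContract(ProtectionLevel = ProtectionLevel.Sign)]
    string Ping();
}

public static class TransferSecuritySetup
{
    // Message security over WSHttpBinding: the service proves itself with its
    // certificate and the client with the configured credential (mutual authentication).
    public static Binding HardenedBinding()
    {
        var ws = new WSHttpBinding(SecurityMode.Message);
        ws.Security.Message.ClientCredentialType = MessageCredentialType.Windows;

        // Cap message size so one oversized request cannot exhaust memory.
        ws.MaxReceivedMessageSize = 64 * 1024;

        // Replay protection is configured on the security binding element, so the
        // standard binding is expanded into a CustomBinding to reach it.
        var custom = new CustomBinding(ws);
        SecurityBindingElement sbe = custom.Elements.Find<SecurityBindingElement>();
        sbe.LocalServiceSettings.DetectReplays = true;                 // reject re-sent signed messages
        sbe.LocalServiceSettings.ReplayWindow = TimeSpan.FromMinutes(5); // how long a message id is remembered
        sbe.LocalServiceSettings.ReplayCacheSize = 900000;              // ids kept in the replay cache
        sbe.LocalServiceSettings.MaxClockSkew = TimeSpan.FromMinutes(5); // tolerated client/server clock drift
        return custom;
    }

    // Throttling limits how many calls the host processes at once, so a flood
    // degrades service rather than taking it down. Values are illustrative.
    public static void ApplyThrottle(ServiceHost host)
    {
        var throttle = host.Description.Behaviors.Find<ServiceThrottlingBehavior>();
        if (throttle == null)
        {
            throttle = new ServiceThrottlingBehavior();
            host.Description.Behaviors.Add(throttle);
        }
        throttle.MaxConcurrentCalls = 16;
        throttle.MaxConcurrentSessions = 100;
        throttle.MaxConcurrentInstances = 116;
    }

    public static ServiceHost Build(Type serviceType, Uri baseAddress)
    {
        var host = new ServiceHost(serviceType, baseAddress);
        host.AddServiceEndpoint(typeof(ITransferService), HardenedBinding(), "secure");
        ApplyThrottle(host);
        return host;
    }
}
```

Replay detection only helps when messages are signed, because the detector keys on the signed timestamp and message id; with a Sign-only operation an attacker can still read the account number, which is exactly the privacy gap the slides separate from integrity.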