Web Services Security
Mike Shaw, Architectural Engineer

Agenda
- Trustworthy Computing
- What are Web Services?
- XML Signatures
- XML Encryption
- What is WS-Security?
- Links

Trustworthy Computing
Microsoft is committed to Trustworthy Computing:
- Security
- Privacy
- Reliability
- Business Integrity
Trustworthy computing can only be achieved through partnership and teamwork. It is a journey with a long-term vision, with highlights and obstacles along the road.

Trustworthy Computing
- Security: resilient to attack; protects confidentiality, integrity, availability and data
- Privacy: individuals control personal data; products and online services adhere to fair information principles
- Reliability: dependable; available when needed; performs at expected levels
- Business Integrity: vendors provide quality products; product support is appropriate

Goals
- Understand the goals and application of WS-Security
- Provide you a roadmap on how to implement secure Web services

Today: Point-to-Point (diagram: one service talks to the next over SSL/TLS)

End-to-End Messaging (diagram: client C to Service A to Service B; each party is any Web-service-capable application)
- Secure the SOAP message itself using WS-Security for encryption and signing: the message travels as an encrypted, signed message and each hop processes it confidentially
- The channel doesn't matter; it could be HTTP, SSL, or MIME/S-MIME
- Perimeter functions such as authentication, message validation and auditing/logging can still sit at the boundary (maybe an ISA Server)

End-to-End Security
Cons
- Standards are evolving and will be delivered incrementally
Pros
- Is implemented at the messaging layer
- Enables heterogeneous architecture
- Supports non-repudiation
- Can be independent of transport

How is security implemented today?
Point-to-Point
- Channel: SSL, IPSec
- Entry point: ACLs and roles, IP restriction
End-to-End
- Message based
- Web Services

Web Services: industry standards for interoperability
- Based on Internet standards
- Not wedded to any platform
- Loosely coupled programming
- Preserve and connect existing systems
- Integrate inside and outside the firewall
- Broad industry support
- Enable end-to-end messaging systems

What is a Web Service today?
- Message processor
- Standards based: SOAP 1.1 (language and transport neutral), WSDL 1.1
- Predominantly participates in point-to-point scenarios due to lack of additional standards
- Inherently insecure: SOAP 1.1 and WSDL 1.1 define the message and the interface, not how to protect them
(diagram: Web Service = SOAP 1.1 + WSDL 1.1 + implementation)

Industry initiative for Web services
- Over 150 members
- Facilitates customer adoption
- Ensures interoperability
Broad alignment around Web services
- First testing tools this year
More info:

WSA Core Services (diagram)
- Base: Internet transports, SOAP and XML
- Built on top: Messaging, Security, Transactions, Metadata & Discovery

Security Model
- Services have policies
- Policies require claims
- Security tokens assert claims
- A security engine matches the claims asserted by a message's tokens against the service's policy

Enable End-to-End Message Security
- Flexible message-level security
- Maintain core tenets: integrity (XML Digital Signatures), confidentiality (XML Encryption), authentication (tokens)
- Leverage existing infrastructure and standards: Kerberos, PKI, SAML, custom ..., SSL/TLS, XML Signature, XML Encryption, ...

XML Signature
- XML syntax used to represent a digital signature over any digital content
- Verifies whether a message was altered in transit
- Enables non-repudiation
- Sign specific portions of the XML document or message
- The signer hashes the content and signs the digest with the private key (a one-way transformation); anyone holding the public key can verify it
- Defined schema

XML Signature Schema (element names restored from the W3C XML Signature syntax; the slide's annotations are in brackets)

<Signature ID?>                     [root]
  <SignedInfo>                      [hash info]
    <CanonicalizationMethod/>
    <SignatureMethod/>
    (<Reference URI?>               [signed item location: enveloped or detached]
      (<Transforms>)?
      <DigestMethod>
      <DigestValue>
    </Reference>)+
  </SignedInfo>
  <SignatureValue>                  [signature of digest]
  (<KeyInfo>)?                      [public key]
  (<Object ID?>)*                   [source data]
</Signature>
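A worked example of the structure above, added here and not part of the original slides: a detached XML Signature over one element of a document, built and verified with only the Python standard library. It uses the HMAC-SHA256 SignatureMethod that XML Signature also permits (the RFC 6931 URI) instead of an RSA key pair, because the standard library has no RSA; that choice gives integrity but not non-repudiation, and swapping in RSA changes only the two lines that compute and compare SignatureValue. The sample order document, the shared key and the function names are constructed for the example. The verifier also carries two checks the slide does not spell out: a signature is only meaningful if its Reference actually covers the element you are about to act on, and an Id that appears on two elements (the classic signature-wrapping trick) is rejected outright.

```python
"""XML Signature (XMLDSig-style) over one element, sign and verify, stdlib only."""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
C14N_URI = "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"
SHA256_URI = "http://www.w3.org/2001/04/xmlenc#sha256"
HMAC_SHA256_URI = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"  # RFC 6931
ET.register_namespace("ds", DSIG_NS)  # keep the ds: prefix stable across parse/serialise


def _tag(local):
    return f"{{{DSIG_NS}}}{local}"


def _c14n(elem):
    # Canonical XML of one subtree, so signer and verifier hash identical bytes regardless
    # of attribute order or whitespace inside tags. The samples below carry no inter-element
    # whitespace; a production verifier canonicalises the element in document context.
    return ET.canonicalize(ET.tostring(elem, encoding="unicode")).encode("utf-8")


def _b64_sha256(data):
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")


def _find_by_id(doc, elem_id):
    # Exactly one element may carry the Id. A duplicate is how signature-wrapping
    # attacks smuggle an unsigned copy next to the signed one, so refuse it.
    matches = [e for e in doc.iter() if e.get("Id") == elem_id]
    return matches[0] if len(matches) == 1 else None


def sign_element(doc, target_id, key):
    """Append a detached ds:Signature to doc covering only the element with Id=target_id."""
    target = _find_by_id(doc, target_id)
    if target is None:
        raise ValueError(f"no unique element with Id={target_id!r}")
    sig = ET.SubElement(doc, _tag("Signature"))
    si = ET.SubElement(sig, _tag("SignedInfo"))
    ET.SubElement(si, _tag("CanonicalizationMethod"), Algorithm=C14N_URI)
    ET.SubElement(si, _tag("SignatureMethod"), Algorithm=HMAC_SHA256_URI)
    ref = ET.SubElement(si, _tag("Reference"), URI=f"#{target_id}")
    ET.SubElement(ref, _tag("DigestMethod"), Algorithm=SHA256_URI)
    ET.SubElement(ref, _tag("DigestValue")).text = _b64_sha256(_c14n(target))
    # The signature is over canonical SignedInfo; the payload is bound through its DigestValue.
    # With an RSA key this line becomes a private-key signature over the same bytes.
    mac = hmac.new(key, _c14n(si), hashlib.sha256).digest()
    ET.SubElement(sig, _tag("SignatureValue")).text = base64.b64encode(mac).decode("ascii")
    return sig


def verify(doc_xml, key, expected_id):
    """True only if the signature is valid AND it covers the element the caller will trust."""
    doc = ET.fromstring(doc_xml)
    sig = doc.find(_tag("Signature"))
    si = sig.find(_tag("SignedInfo")) if sig is not None else None
    method = si.find(_tag("SignatureMethod")) if si is not None else None
    if method is None or method.get("Algorithm") != HMAC_SHA256_URI:
        return False  # never let the message choose an algorithm you did not expect
    mac = hmac.new(key, _c14n(si), hashlib.sha256).digest()
    claimed = base64.b64decode(sig.findtext(_tag("SignatureValue")) or "")
    if not hmac.compare_digest(mac, claimed):
        return False
    covered = set()
    for ref in si.findall(_tag("Reference")):
        uri = ref.get("URI", "")
        target = _find_by_id(doc, uri[1:]) if uri.startswith("#") else None
        if target is None or ref.findtext(_tag("DigestValue")) != _b64_sha256(_c14n(target)):
            return False
        covered.add(uri[1:])
    # A valid signature over some other element proves nothing about the one you use.
    return expected_id in covered


# Constructed sample document and shared key for the demo (not from the slides).
SAMPLE_DOC = '<Order><Body Id="body"><Item>widget</Item><Qty>1</Qty></Body></Order>'
SAMPLE_KEY = b"demo-shared-secret"


def demo():
    root = ET.fromstring(SAMPLE_DOC)
    sign_element(root, "body", SAMPLE_KEY)
    signed = ET.tostring(root, encoding="unicode")
    tampered = signed.replace("<Qty>1</Qty>", "<Qty>100</Qty>")
    # Wrapping attempt: an unsigned Body with the same Id inserted before the signed one.
    wrapped = signed.replace('<Body Id="body">',
                             '<Body Id="body"><Qty>100</Qty></Body><Body Id="body">', 1)
    return {
        "genuine": verify(signed, SAMPLE_KEY, "body"),
        "tampered": verify(tampered, SAMPLE_KEY, "body"),
        "wrapped": verify(wrapped, SAMPLE_KEY, "body"),
        "wrong_target": verify(signed, SAMPLE_KEY, "header"),
    }


if __name__ == "__main__":
    print(demo())  # {'genuine': True, 'tampered': False, 'wrapped': False, 'wrong_target': False}
```

The verifier deliberately returns a bare True/False rather than the parsed document: the caller should re-read the signed element only through the Id it asked for, so a message that carries a perfectly valid signature over something else is never mistaken for a signed request.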

XML Encryption
- Encrypt specific portions of the XML document or message
- Supports symmetric and asymmetric key algorithms
- Defined schema

XML Encryption Schema (element names restored from the W3C XML Encryption syntax; the slide's annotations are in brackets)

<EncryptedData Id? Type? MimeType? Encoding?>   [root]
  <EncryptionMethod/>?                           [driven by cryptography type]
  <ds:KeyInfo>
    <EncryptedKey>?
    <AgreementMethod>?
    <ds:KeyName>?
    <ds:RetrievalMethod>?
    <ds:*>?
  </ds:KeyInfo>?
  <CipherData>                                   [encrypted info]
    <CipherValue>?
    <CipherReference URI?>?
  </CipherData>
  <EncryptionProperties>?
</EncryptedData>

(The slide's filled-in example named the key as "Arjun Mitra" and referenced it through an X.509 certificate.)
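An added example of the "encrypt specific portions" point, not from the original slides: only the CreditCard element of a message is swapped for an xenc:EncryptedData element, the rest stays readable, and the receiver restores it. The Python standard library has no AES, so the cipher is a stand-in: a keystream derived from HMAC-SHA256 in counter mode with a separate HMAC tag that is checked before anything is decrypted (encrypt-then-MAC). Its Algorithm URI urn:example:hmac-sha256-ctr-etm is hypothetical; a real deployment would use an XML security library with a standard algorithm such as aes256-gcm. The key table, key name, sample message and function names are constructed.

```python
"""Element-level XML Encryption (XML Enc-style structure) with the Python standard library."""
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET

XENC_NS = "http://www.w3.org/2001/04/xmlenc#"
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("xenc", XENC_NS)
ET.register_namespace("ds", DSIG_NS)
TYPE_ELEMENT = XENC_NS + "Element"  # Type: the ciphertext stands in for a whole element
# Hypothetical Algorithm URI for the stdlib stand-in cipher below; a real deployment
# would use a library implementing e.g. http://www.w3.org/2009/xmlenc11#aes256-gcm.
HMAC_CTR_URI = "urn:example:hmac-sha256-ctr-etm"


def _x(local):
    return f"{{{XENC_NS}}}{local}"


def _keystream(key, nonce, length):
    # Counter-mode keystream from a PRF: block i = HMAC-SHA256(key, nonce || i).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _seal(enc_key, mac_key, plaintext):
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return nonce + ct + tag


def _open(enc_key, mac_key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("authentication failed")  # checked BEFORE any decryption or parsing
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


# Constructed key table shared by sender and receiver: KeyName -> (encryption key, MAC key).
KEYS = {"ServiceB-2024": (hashlib.sha256(b"demo-enc").digest(), hashlib.sha256(b"demo-mac").digest())}


def encrypt_element(doc_xml, elem_id, key_name):
    """Replace the element with Id=elem_id by an xenc:EncryptedData; everything else stays clear."""
    doc = ET.fromstring(doc_xml)
    parents = {child: parent for parent in doc.iter() for child in parent}
    target = next(e for e in doc.iter() if e.get("Id") == elem_id)
    blob = _seal(*KEYS[key_name], ET.tostring(target))
    enc = ET.Element(_x("EncryptedData"), Type=TYPE_ELEMENT)
    ET.SubElement(enc, _x("EncryptionMethod"), Algorithm=HMAC_CTR_URI)
    key_info = ET.SubElement(enc, f"{{{DSIG_NS}}}KeyInfo")
    ET.SubElement(key_info, f"{{{DSIG_NS}}}KeyName").text = key_name
    cipher_data = ET.SubElement(enc, _x("CipherData"))
    ET.SubElement(cipher_data, _x("CipherValue")).text = base64.b64encode(blob).decode("ascii")
    parent = parents[target]
    index = list(parent).index(target)
    parent.remove(target)
    parent.insert(index, enc)
    return ET.tostring(doc, encoding="unicode")


def decrypt_element(doc_xml, allowed=frozenset({HMAC_CTR_URI})):
    """Restore the first EncryptedData element, or return None if anything is off."""
    doc = ET.fromstring(doc_xml)
    parents = {child: parent for parent in doc.iter() for child in parent}
    enc = doc.find(f".//{_x('EncryptedData')}")
    method = enc.find(_x("EncryptionMethod")) if enc is not None else None
    if method is None or method.get("Algorithm") not in allowed:
        return None  # receiver-side allow-list: the sender does not get to pick the algorithm
    key_name = enc.findtext(f"{{{DSIG_NS}}}KeyInfo/{{{DSIG_NS}}}KeyName")
    if key_name not in KEYS:
        return None
    blob = base64.b64decode(enc.findtext(f"{_x('CipherData')}/{_x('CipherValue')}") or "")
    try:
        plaintext = _open(*KEYS[key_name], blob)
    except ValueError:
        return None
    parent = parents[enc]
    index = list(parent).index(enc)
    parent.remove(enc)
    parent.insert(index, ET.fromstring(plaintext))
    return ET.tostring(doc, encoding="unicode")


# Constructed SOAP-like message: only the card data needs confidentiality.
SAMPLE_MSG = ('<Envelope><Header/><Body><Payment><Amount>100</Amount>'
              '<CreditCard Id="card"><Number>4111111111111111</Number><Expiry>12/27</Expiry>'
              '</CreditCard></Payment></Body></Envelope>')


def demo():
    encrypted = encrypt_element(SAMPLE_MSG, "card", "ServiceB-2024")
    decrypted = decrypt_element(encrypted)
    # Flip one ciphertext byte: the MAC check must fail before anything is decrypted.
    doc = ET.fromstring(encrypted)
    cv = doc.find(f".//{_x('CipherValue')}")
    blob = bytearray(base64.b64decode(cv.text))
    blob[20] ^= 0x01
    cv.text = base64.b64encode(bytes(blob)).decode("ascii")
    tampered = ET.tostring(doc, encoding="unicode")
    return {
        "card_hidden": "<Number>" not in encrypted,
        "rest_in_clear": "<Amount>100</Amount>" in encrypted,
        "roundtrip": ET.canonicalize(decrypted) == ET.canonicalize(SAMPLE_MSG),
        "tampered_rejected": decrypt_element(tampered) is None,
        "unknown_algorithm_rejected": decrypt_element(encrypted, allowed=frozenset()) is None,
    }


if __name__ == "__main__":
    print(demo())
```

Two design points carry over to real XML Encryption deployments: the receiver keeps its own allow-list of EncryptionMethod algorithms instead of trusting the one named in the message, and it authenticates the ciphertext before decrypting or parsing anything, which is what removes the padding-oracle class of attacks against unauthenticated CBC modes.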

How does this materialize in a Web services model?
- Composition via SOAP headers
- SOAP headers can be anything, so we need a schema to ensure interoperability across all implementations
- WS-Security 1.0: a specification submitted to OASIS, a joint proposal from IBM, VeriSign and Microsoft

WS-Security 1.0
Security Model
- Security Token + Digital Signature = Proof of Key Possession
- The token carries the claims and the public key; the signature proves possession of the corresponding private key

WS-Security 1.0
Trust Model
- Security Token
- Unendorsed = not signed by an authority
- Proof-of-possession = claim that can be mutually verified
- Endorsed = signed by an authority (diagram: a signing authority vouches for the token)

WS-Security 1.0
Protection
- Integrity = XML Signature + Security Tokens
- Confidentiality = XML Encryption + Security Tokens
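The composition-via-SOAP-headers and security-token slides above, as an added example that is not from the original deck: a SOAP envelope whose wsse:Security header carries a WS-Security UsernameToken with a PasswordDigest, computed as Base64(SHA-1(nonce + created + password)) as the OASIS Username Token Profile 1.0 defines it, and a receiver that checks the digest, the freshness of the Created timestamp and reuse of the nonce, so a captured token cannot simply be replayed. The password table, user names, the five-minute skew window and the function names are constructed assumptions; the namespace URIs are the OASIS WSS 1.0 ones.

```python
"""A wsse:Security SOAP header with a WS-Security UsernameToken, and the receiver-side checks."""
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PW_DIGEST = ("http://docs.oasis-open.org/wss/2004/01/"
             "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
for prefix, uri in (("soap", SOAP_NS), ("wsse", WSSE_NS), ("wsu", WSU_NS)):
    ET.register_namespace(prefix, uri)
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def _q(ns, local):
    return f"{{{ns}}}{local}"


def build_envelope(username, password, body_xml, now=None):
    """Sender side: SOAP envelope whose wsse:Security header carries a digest UsernameToken."""
    now = now or datetime.now(timezone.utc)
    created = now.strftime(TIME_FMT)
    nonce = os.urandom(16)
    # Username Token Profile 1.0: PasswordDigest = Base64(SHA-1(nonce + created + password)).
    digest = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    env = ET.Element(_q(SOAP_NS, "Envelope"))
    header = ET.SubElement(env, _q(SOAP_NS, "Header"))
    security = ET.SubElement(header, _q(WSSE_NS, "Security"), {_q(SOAP_NS, "mustUnderstand"): "1"})
    token = ET.SubElement(security, _q(WSSE_NS, "UsernameToken"))
    ET.SubElement(token, _q(WSSE_NS, "Username")).text = username
    ET.SubElement(token, _q(WSSE_NS, "Password"), Type=PW_DIGEST).text = base64.b64encode(digest).decode()
    ET.SubElement(token, _q(WSSE_NS, "Nonce")).text = base64.b64encode(nonce).decode()
    ET.SubElement(token, _q(WSU_NS, "Created")).text = created
    ET.SubElement(env, _q(SOAP_NS, "Body")).append(ET.fromstring(body_xml))
    return ET.tostring(env, encoding="unicode")


class Receiver:
    """Receiver side: validates the token and returns the authenticated user name, else None."""

    def __init__(self, passwords, max_skew=timedelta(minutes=5)):
        self.passwords = passwords   # constructed user -> password table
        self.max_skew = max_skew     # accepted clock skew, which is also the token lifetime
        self.seen_nonces = set()     # in production: bounded to the skew window

    def authenticate(self, envelope_xml, now=None):
        now = now or datetime.now(timezone.utc)
        env = ET.fromstring(envelope_xml)
        token = env.find(f"{_q(SOAP_NS, 'Header')}/{_q(WSSE_NS, 'Security')}/{_q(WSSE_NS, 'UsernameToken')}")
        if token is None:
            return None
        user = token.findtext(_q(WSSE_NS, "Username"))
        password = token.find(_q(WSSE_NS, "Password"))
        nonce_b64 = token.findtext(_q(WSSE_NS, "Nonce"))
        created = token.findtext(_q(WSU_NS, "Created"))
        if not (user and nonce_b64 and created) or password is None or password.get("Type") != PW_DIGEST:
            return None  # a PasswordText token or a missing nonce/timestamp is not acceptable here
        if user not in self.passwords:
            return None  # never fall through to an empty password: SHA-1(nonce+created+"") would match
        try:
            issued = datetime.strptime(created, TIME_FMT).replace(tzinfo=timezone.utc)
        except ValueError:
            return None
        if abs(now - issued) > self.max_skew:
            return None  # stale token
        if nonce_b64 in self.seen_nonces:
            return None  # replayed token
        expected = hashlib.sha1(base64.b64decode(nonce_b64) + created.encode()
                                + self.passwords[user].encode()).digest()
        if not hmac.compare_digest(expected, base64.b64decode(password.text or "")):
            return None
        self.seen_nonces.add(nonce_b64)
        return user


PASSWORDS = {"alice": "correct horse battery"}  # constructed


def demo():
    now = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)  # fixed clock for repeatability
    receiver = Receiver(PASSWORDS)
    body = "<GetQuote>MSFT</GetQuote>"
    msg = build_envelope("alice", "correct horse battery", body, now=now)
    old = build_envelope("alice", "correct horse battery", body, now=now - timedelta(hours=1))
    return {
        "first_use": receiver.authenticate(msg, now=now),
        "replay": receiver.authenticate(msg, now=now),
        "stale": receiver.authenticate(old, now=now),
        "wrong_password": receiver.authenticate(build_envelope("alice", "guess", body, now=now), now=now),
        "unknown_user": receiver.authenticate(build_envelope("mallory", "", body, now=now), now=now),
    }


if __name__ == "__main__":
    print(demo())
```

The header alone authenticates the sender; it does not protect the Body, so this token is normally combined with the XML Signature over the Body from the Protection slide (Integrity = XML Signature + Security Tokens), and the digest form only makes sense when the server can reach the plaintext password or an equivalent secret.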

Demo: WS-Security
Using WS-Security prototype code:
- Request a signed security token for authentication (X.509)
- Request a signed security token for authorization (X.509)
- Call Web service with authorization token
Notables
- The Certificate Authority in .NET Server is a huge improvement over Windows 2000
- I could have used a Kerberos model
- Certificate lifetime and management is a tough issue that requires planning

Non-Goals of WS-Security
- Establishing a security context that requires multiple exchanges (WS-SecureConversation)
- Key exchange and derived keys
- How trust is established (WS-Trust)
- Policy definition (WS-Policy)
- Provisioning of certificates (XKMS)
- Rights (XrML)
- etc.

Security Roadmap (diagram, bottom layer first)
- SOAP
- WS-Security
- WS-Policy, WS-Trust, WS-Privacy
- WS-SecureConversation, WS-Federation, WS-Authorization
Refer to Security Roadmap – Today

Your tasks at hand...
Think big, start small
- Understand your security topology
- What does the end-to-end messaging path look like for your scenarios?
Understand
- XML Signature
- XML Encryption
- WS-Security
- System.Security.Cryptography namespace
Create a threat model for your Web service environment
Blend point-to-point security with end-to-end security
- Leverage the .NET Framework base classes, Windows Crypto API, CAPICOM, .NET Server Certificate Authority

Call to action
1. For a copy of this presentation visit:
2. For regular information subscribe at: register.microsoft.com/subscription/subscribeMe.asp?lcid=1033&id=
3. For the Microsoft security resource toolkit visit:

Microsoft - Stand 670
- Firewall and VPN
- Identity Management
- Securing Windows
- Windows Server 2003 Security
- Wireless Security

Microsoft Security Seminars

Questions? Visit the Microsoft stand. We’ll be there for 1 hour after this session. Thank You!

Trustworthy Computing
Mike Shaw, Architectural Engineer