Applied WSE 2.0 Security
Mike Shaw, .NET Security Dude
Background
- April: "Security in a Web Services World: A Proposed Architecture and Roadmap" (IBM and Microsoft)
- March: WS-Security standard released by OASIS (Web Services Security)
- April 2004: WS-I.org Basic Profile 1.0 Final (1.1 WGD) 16.html
- May 2004: WS-I.org Basic Security Profile 1.0 WG draft i.org/deliverables/workinggroup.aspx?wg=basicsecurity
- Other security standards in the pipeline (public specifications): WS-Trust, WS-Policy, WS-Federation, WS-SecureConversation, WS-SecurityPolicy
Mike joined the 125 people that made up Microsoft UK in October 1991.
Channel – point-to-point
Channel vs Message
- The channel is the ‘pipe’ or transport mechanism for data
- Could use standard approaches: SSL/TLS, HTTP/S (Basic, digest, certs, etc.)
- Only applies to point-to-point
- Need greater flexibility, e.g. send my credit card data to the retailer, who passes it to the credit card authorisation company but must not see my credit card details
Secure Communication: Protocol-level security
- Encrypts the entire message
- Sender must trust all intermediaries
- Restricts protocols that can be used
[Diagram: SSL Security]
A Message via Intermediary
- Any Web service capable application
- WS-Security for encryption and signing: secure SOAP message using WS-Security
- Channel doesn’t matter*: could be HTTP, SSL, MIME/S-MIME etc.
- Authentication, message validation, auditing/logging, confidential message processing
[Diagram: Client -> Intermediary (authorization) -> Target Service; the message is encrypted, authorized and signed]
* WS-I Basic Profile specifies HTTP
Secure Communication: Message-level security
- End-to-end message security independent of transport
- Supports multiple protocols and multiple encryption technologies
- Encrypt only parts of the message
- Sender need only trust the endpoint
Security of a Message
- Integrity: the message has not changed. Open-standard algorithms, hashing, XML Signature (Canonicalization, C14N)
- Confidentiality: content only visible to authorised entities. XML Encryption, asymmetric and symmetric
- See "Exchange Data More Securely with XML Signatures and Encryption": msdnmag/issues/04/11/xmlsignatures/default.aspx
- Tokens, claims and assertions: authentication and authorization information
Canonicalization
[Diagram: sample XML fragments containing "Some text" and "More text"]
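The point of the Integrity and Canonicalization slides above is that XML Signature digests the canonical form, so a re-serialised but equivalent message still verifies. The following is an added example, not code from the slides or from WSE: it uses Python's built-in C14N (xml.etree.ElementTree.canonicalize, C14N 2.0) as a stand-in for the C14N step, and a constructed HMAC as a stand-in for the signature.

```python
"""Why XML Signature hashes the canonical (C14N) form rather than the raw bytes.

Added example, not from the original slides. Uses Python's built-in
xml.etree.ElementTree.canonicalize (C14N 2.0) as a stand-in for the C14N step
of XML Signature; the HMAC below is a constructed signature stand-in.
"""
import hashlib
import hmac
import xml.etree.ElementTree as ET

SHARED_KEY = b"constructed-demo-key"   # constructed sample key

# One SOAP-style body, as the sender serialised it (constructed sample).
ORIGINAL = b"""<?xml version="1.0"?>
<Order id='42'>
  <Item>Some text</Item>
  <Note/>
</Order>"""

# The same infoset after an intermediary re-serialised it: no declaration,
# no indentation, double-quoted attribute, expanded empty element.
RESERIALISED = b'<Order id="42"><Item>Some text</Item><Note></Note></Order>'


def canonical(xml_bytes: bytes) -> bytes:
    """C14N form; strip_text drops the whitespace-only text nodes."""
    return ET.canonicalize(xml_bytes.decode(), strip_text=True).encode()


def raw_digest(xml_bytes: bytes) -> str:
    """Naive digest over the bytes as received (breaks on re-serialisation).
    SHA-1 matches the slides' era; prefer SHA-256 in new code."""
    return hashlib.sha1(xml_bytes).hexdigest()


def sign(xml_bytes: bytes, key: bytes = SHARED_KEY) -> str:
    """Sign the canonical form, as XML Signature does before digesting."""
    return hmac.new(key, canonical(xml_bytes), hashlib.sha1).hexdigest()


def verify(xml_bytes: bytes, signature: str, key: bytes = SHARED_KEY) -> bool:
    """Re-canonicalise the received message and compare in constant time."""
    return hmac.compare_digest(sign(xml_bytes, key), signature)


if __name__ == "__main__":
    sig = sign(ORIGINAL)
    print("raw digests equal:", raw_digest(ORIGINAL) == raw_digest(RESERIALISED))
    print("canonical forms equal:", canonical(ORIGINAL) == canonical(RESERIALISED))
    print("signature still verifies:", verify(RESERIALISED, sig))
```

The raw digests differ while the canonical forms match, which is why a signature over the canonical form survives an intermediary that re-serialises the message but still fails on any change to its content.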
Web Services Enhancements
ices/building/wse/
[Diagram of the WSE stack: WS-Security (XML Signature, XML Encryption, Tokens); WS-SecureConversation; WS-Trust; WS-Policy; WS-SecurityPolicy]
How does WSE work?
[Diagram: User Code over SoapContext; WSE filter pipeline: Trace, Security, Referral, Policy; Custom Security Token Manager; Custom Filters]
What are the security choices?
- Code or Policy
- Authentication tokens: User Name and Password, x509v3 Certificate, Kerberos Ticket, Custom Security Token, Security Context
- Integrity
- Confidentiality
What is WS-Policy?
- A way to advertise and enforce the policies of your site: message age, types of tokens, lifetime of tokens, which elements need to be signed
- XML based
- Complex
- Send-side and receive-side
- Role-based authorisation: for plain-text UsernameTokens it gets a Windows identity
Policy Driven Architecture
Saying what you need, to do what you will do
[Diagram: X sends to Y. X fetches Y’s In policy (Get Policy), checks it is compatible with X’s Out policy, caches it, then send( ) To: Y; Y’s receive( ) applies Y’s In policy. The Out policy is the one X uses when sending a message (often implicit); the In policy is the one Y uses when receiving a message.]
WS-SecurityPolicy
[Policy fragment showing token types such as wsse:Kerberosv5TGT and wsse:UsernameToken]
Simple WSE 2.0 App & Service using policy
WS-Policy, UDDI and WSE
[Diagram: ClientApp with a WSE PolicyCache holding Policy SiliconValley, Policy NewYork and Policy Redmond, obtained from UDDI tModels; the California (SiliconValley), New York and Redmond services each run WSE]
- Policy SiliconValley: Integrity: Username; Encryption: x509
- Policy NewYork: Integrity: x509; Encryption: x509
- Policy Redmond: Integrity: Username
Tokens
- Tokens assert claims: username, public keys
- Proof of possession: passwords, private keys
- Available tokens: UsernameToken, BinarySecurityToken, CustomXmlToken
Tokens
- Username Tokens
- Binary Security Tokens
- X509 Tokens
- Kerberos Tokens
- Custom XML Tokens
- SAML Tokens
- Gateway Tokens
Sending lots of messages
The problem:
- Asymmetric encryption is: most secure; slow, bulky and inefficient
- Symmetric encryption is: faster; needs token issuing
WS-Trust:
- Security Token Service (STS)
- Request for Security Token (RST)
- Request for Security Token Response (RSTR)
- Security Context Token (SCT)
[Diagram: the client presents a username token to the STS and requests a custom token; the STS returns a CustomToken; the client then presents the custom token with each SOAP function call. Both exchanges fall within the Scope of Trust.]
Derived Security Token
- The DerivedKeyToken creates a different key for each message
- Ensures a different key is used for each message
- Makes a ciphertext-only attack more difficult
- Use it wherever possible!
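To show how one Security Context Token (from the WS-Trust exchange above) yields a fresh key per message, here is an added example that is not WSE's own code. It assumes the P_SHA1 expansion that WS-SecureConversation borrows from TLS, keyed with the SCT secret over label + nonce and sliced at offset/length; the secret, nonces and message bodies are constructed sample values, and the receiver side shows the check a verifier performs.

```python
"""Per-message keys from one Security Context Token, DerivedKeyToken style.

Added example, not WSE's own code. Assumes the P_SHA1 expansion that
WS-SecureConversation borrows from TLS, keyed with the SCT secret over
label + nonce and sliced at offset/length; secret and nonces are constructed.
"""
import hashlib
import hmac
import os

LABEL = b"WS-SecureConversation"   # default derivation label in the WS-SC spec


def p_sha1(secret: bytes, seed: bytes, length: int) -> bytes:
    """TLS-style P_SHA1: out = HMAC(A(1)+seed) || HMAC(A(2)+seed) || ..."""
    out, a = b"", seed                  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha1).digest()           # A(i)
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()
    return out[:length]


def derive_key(sct_secret: bytes, nonce: bytes, offset: int = 0,
               length: int = 32, label: bytes = LABEL) -> bytes:
    """Key both sides compute from the DerivedKeyToken's public parameters
    (nonce, offset, length, label) plus the SCT secret they already share."""
    material = p_sha1(sct_secret, label + nonce, offset + length)
    return material[offset:offset + length]


def protect(sct_secret: bytes, body: bytes) -> dict:
    """Sender: fresh nonce per message, MAC the body under the derived key.
    Only the nonce and the MAC travel with the message, never the key."""
    nonce = os.urandom(16)
    key = derive_key(sct_secret, nonce)
    return {"nonce": nonce, "body": body,
            "mac": hmac.new(key, body, hashlib.sha256).digest()}


def check(sct_secret: bytes, msg: dict) -> bool:
    """Receiver: re-derive the key from the nonce carried in the message."""
    key = derive_key(sct_secret, msg["nonce"])
    expected = hmac.new(key, msg["body"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, msg["mac"])


if __name__ == "__main__":
    secret = b"constructed-sct-secret-issued-by-the-sts"   # would arrive in the RSTR
    m1, m2 = protect(secret, b"<GetBalance/>"), protect(secret, b"<GetBalance/>")
    print("different keys for identical bodies:",
          derive_key(secret, m1["nonce"]) != derive_key(secret, m2["nonce"]))
    print("receiver verifies:", check(secret, m1) and check(secret, m2))
```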
Managing Security Context Tokens in a Web Farm: us/dnwebsrv/html/sctinfarm.asp
Intranet: Behind the Firewall
The problem:
- Perceived to be ‘secure’
- Latency usually an issue
- Systems need to work together; SSO expected
Windows world: Kerberos
- WSE 2.0 gives you a WindowsPrincipal in the service
- Limitations include: size, ‘single hop’, need for a KDC
Heterogeneous: x509v3, Username, custom
Internet: outside the Firewall
The problem:
- All routes are potentially hostile
- Undoubtedly heterogeneous
Lowest common denominator: x509v3 certificates
- Offers the best levels of security: AuthN, integrity, confidentiality
- Can be awkward to deal with: issue, trust, revocation
Future: WS-Federation, Active Directory Federation Server
WS-Federation Interop Scenario
[Diagram: Client; My Employer (Identity Provider STS-IP, Employee Portal, federation claims); Benefits Company (Resource Provider STS-RP, Benefits Application, application claims)]
1. User attempts to access My Employer’s Employee Portal
2. User is authenticated by My Employer’s Security Token Service (STS-IP)
3. User requests access to Benefits Company’s Benefits Application and obtains a federation SAML token from STS-IP containing claims specific to the trust agreement between My Employer and Benefits Company
4. The Benefits Company’s STS (STS-RP) verifies the SAML token and gives the user a security token containing claims specific to the Benefits Application
5. User signs out of the Benefits Application and returns to the Employee Portal
Performance
- Use WS-SecureConversation for >2 messages
- Canonicalization process is complex and involves generation of multiple hashes (MD5 slightly quicker than SHA1)
- Payload size of tokens: Kerberos v5 – 4k (3256 bytes); x509v3 Certificate – 1k (608 bytes); UsernameToken – <1k; SecurityContextToken – 128 bit (AES); Custom – up to you
Role-based AuthZ with Policy
- SecurityToken.Principal: implementation of IPrincipal
- Automatically set for UsernameToken and KerberosSecurityToken
- IPrincipal is the .NET interface for role-based authorization: bool IsInRole(String str)
- Call the method explicitly or use Policy
- AzMan can be used but you need to write some code…
Long Lived Messages
Scenario example: send a message signed with a Kerberos token to BizTalk, where it waits for 2 days before being sent on to the final destination. When it finally arrives, the token causes an exception.
- Messages retained for auditing
- Messages have TTL
- Tokens have TTL: Kerberos default in Windows is 10 hours; X509 certificate – controlled by the Certificate Authority
Non-Repudiation
How do you ensure that a transaction was at the request of a particular sender?
- Certificates
- Auditing: the cipher text and key; possibly whole messages signed by the auditing service
WSE 2.0 and Interop
- InfoPath, BizTalk, Office
- Cross platform ( terop/ ):
  - Sun JWSDP (Java Web Services Developer Pack): us/dnbda/html/interopsun.asp
  - IBM WebSphere Application Developer: us/dnbda/html/wsinteroprecsibm-final.asp
  - BEA WebLogic 8.1 SP3 (8.1.3): us/dnbda/html/wsinteroprecsbea.asp
- SAML or XrML…
A Glance at the Past
Summary
- Policy will get you going quickest
- User Name and Password: good for bootstrapping a Security Context or integration with other AuthN mechanisms; WindowsPrincipal
- x509v3 Certificate: good for interop, Internet
- Kerberos Ticket: big, offers integrated security (getting better), AuthN/Z data, road to federation
- Custom Security Token: can implement SAML or XrML
- Security Context: great for lots of messages, small, fast
Links
- WSE Info: fault.aspx
- Hands on Lab: Web Services Security and Policy with Web Services Enhancements: 4A0-98E1-42CC-A527-0FE1B49DEB40/HOL-WSE-Security.EXE
- WS-Security Drilldown: us/dnwse/html/wssecdrill.asp
- Build Security Into Your Web Services with WSE 2.0 and ISA Server: bServiceSecurity/default.aspx
© 2003 Microsoft Limited. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
Government Gateway and WSE
- Custom Filters: Enterprise Instrumentation Framework tracing
- CustomSecurityTokenService: distributes GatewayTokens
- UsernameTokenManager: validates username/password against the database
- X509TokenManager: validates signature and certificate
- CustomTokenManager: used to validate GatewayTokens
- Policy files
Lessons Learnt…
- WSE config files: no room for error; mainly an issue early on in the project
- Certificates: permissions, performance; WSE comes with a certificate tool
- ISA
- Time difference between servers: servers on a domain do not sync accurately enough
Lessons Learnt…
- Interoperability: design WSDL first; avoid complex types; cultural issues
- Specifications: still evolving; not all are ratified
- Start-up times: easy to miss in testing; web farms make it worse