Applied WSE 2.0 Security Mike Shaw.NET Security Dude

Presentation transcript:


Background
- April: "Security in a Web Services World: A Proposed Architecture and Roadmap", IBM and Microsoft
- March: WS-Security standard, OASIS (released Web Services Security)
- April 2004: WS-I.org Basic Profile 1.0 Final (1.1 WGD) 16.html
- May 2004: WS-I.org Basic Security Profile 1.0 WG draft i.org/deliverables/workinggroup.aspx?wg=basicsecurity
- Other security standards in the pipeline (public specifications): WS-Trust, WS-Policy, WS-Federation, WS-SecureConversation, WS-SecurityPolicy
Mike joined the 125 people who made up Microsoft UK in October 1991.

Channel – point-to-point

Channel vs Message
- The channel is the 'pipe' or transport mechanism for data
- Could use standard approaches: SSL/TLS, HTTP/S (Basic, Digest, certificates, etc.)
- Only applies to point-to-point
- Need greater flexibility, e.g. send my credit card data to the retailer, who passes it to the credit card authorisation company but must not see my credit card details

Secure Communication: Protocol-level security (SSL security)
- Encrypts the entire message
- Sender must trust all intermediaries
- Restricts the protocols that can be used

A Message via intermediary
- Any Web service capable application
- WS-Security for encryption and signing: secure the SOAP message using WS-Security
- Channel doesn't matter*: could be HTTP, SSL, MIME/SMIME etc.
(Diagram: the Client sends a signed message to an Intermediary, which performs authentication, message validation, auditing/logging and authorization, then forwards the encrypted, authorized message to the Target Service for confidential message processing.)
* WS-I Basic Profile specifies HTTP

Secure Communication: Message-level security
- End-to-end message security independent of transport
- Supports multiple protocols and multiple encryption technologies
- Encrypt only parts of the message
- Sender need only trust the endpoint

Security of a Message
- Integrity: the message has not changed. Open standards algorithms, hashing, XML Signature (Canonicalization, C14N)
- Confidentiality: content only visible to authorised entities. XML Encryption, asymmetric and symmetric
- See "Exchange Data More Securely with XML Signatures and Encryption": msdnmag/issues/04/11/xmlsignatures/default.aspx
- Tokens: claims and assertions, authentication and authorization information

Canonicalization (slide example: two XML fragments with the content "Some text" and "More text", shown before and after canonicalization)
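Why XML Signature needs canonicalization, as an added example that is not from the deck: two serialisations of the same XML content hash differently byte-for-byte, but identically after C14N, while a real content change still alters the digest. The fragments are constructed here; it uses the C14N 2.0 implementation in Python's standard library (the deck's WSE stack uses C14N 1.0 via XML Signature, but the normalisation idea is the same).

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed fragments: same XML content, different serialisation
# (attribute order, quote style, whitespace, character reference, empty-tag form).
DOC_A = (
    '<a:Body xmlns:a="urn:example" id="body1">\n'
    '  <Text>Some text</Text>\n'
    '  <Text>More text</Text>\n'
    '  <Empty/>\n'
    '</a:Body>'
)
DOC_B = (
    "<a:Body id='body1' xmlns:a='urn:example'>"
    "<Text>Some&#32;text</Text><Text>More text</Text><Empty></Empty></a:Body>"
)
# A genuine content change (extra space inside the text node) must not be hidden by C14N.
DOC_TAMPERED = DOC_A.replace("More text", "More  text")


def canonical_form(xml_text: str) -> str:
    """Canonical XML (C14N 2.0 as implemented by the stdlib).
    strip_text drops the whitespace-only text nodes between elements."""
    return ET.canonicalize(xml_data=xml_text, strip_text=True)


def raw_digest(xml_text: str) -> str:
    """Digest over the bytes as received: sensitive to serialisation details."""
    return hashlib.sha256(xml_text.encode("utf-8")).hexdigest()


def canonical_digest(xml_text: str) -> str:
    """Digest over the canonical form: what a signature's reference digest is computed on."""
    return hashlib.sha256(canonical_form(xml_text).encode("utf-8")).hexdigest()


if __name__ == "__main__":
    print("raw digests equal:      ", raw_digest(DOC_A) == raw_digest(DOC_B))
    print("canonical digests equal:", canonical_digest(DOC_A) == canonical_digest(DOC_B))
    print("tampered detected:      ", canonical_digest(DOC_A) != canonical_digest(DOC_TAMPERED))
```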

Web Services Enhancements (ices/building/wse/)
- WS-Security: XML Signature, XML Encryption, Tokens
- WS-SecureConversation
- WS-Trust
- WS-Policy
- WS-SecurityPolicy

How does WSE work? (architecture diagram, shown in two builds: User Code sits on top of the WSE pipeline; the pipeline components are SoapContext, the Trace, Security, Referral and Policy filters, the Security Token Manager (custom token managers supported) and Custom Filters)

What are the security choices?
- Code or Policy
- Authentication tokens: User Name and Password, x509v3 Certificate, Kerberos Ticket, Custom Security Token, Security Context
- Integrity
- Confidentiality

What is WS-Policy?
- A way to advertise and enforce the policies of your site: message age, types of tokens, lifetime of tokens, which elements need to be signed
- XML based, complex
- Send-side and receive-side
- Role-based authorisation: for plain-text UsernameTokens it obtains a Windows identity

Policy Driven Architecture: saying what you need, to do what you will do
(Diagram: before X sends to Y, X gets Y's inbound policy ("Y's In") and checks it is compatible with X's outbound policy ("X's Out"); if yes, X caches Y's In, calls send() with To: Y, and Y's receive() applies Y's In. The policy used by X when sending a message out is often implicit; the policy used by Y when receiving a message in is Y's In.)

WS-SecurityPolicy (slide example: policy assertions naming the token types wsse:Kerberosv5TGT and wsse:UsernameToken)

Simple WSE 2.0 App & Service using policy

WS-Policy, UDDI and WSE
(Diagram: three WSE services (California/SiliconValley, New York, Redmond) each publish their policy through UDDI tModels; a WSE client application keeps all three in its policy cache.)
- Policy SiliconValley: Integrity: Username; Encryption: x509
- Policy NewYork: Integrity: x509; Encryption: x509
- Policy Redmond: Integrity: Username

Tokens
- Asserts claims: username, public keys
- Proof of possession: passwords, private keys
- Available tokens: UsernameToken, BinarySecurityToken, CustomXmlToken

Tokens
- Username Tokens
- Binary Security Tokens: X509 Tokens, Kerberos Tokens
- Custom XML Tokens: SAML Tokens, Gateway Tokens

Sending lots of messages: the problem
- Asymmetric encryption is: most secure; slow, bulky and inefficient
- Symmetric encryption is: faster; needs token issuing
- WS-Trust: Security Token Service (STS), Request for Security Token (RST), Request for Security Token Response (RSTR), Security Context Token (SCT)

Scope of Trust
1. Client presents a username token and requests a custom token
2. STS returns a CustomToken
3. Client presents the custom token with each SOAP function call

Derived Security Token
- The DerivedKeyToken creates a different key for each message
- Ensures a different key is used for each message
- Makes a ciphertext-only attack more difficult
- Use it wherever possible!
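How a DerivedKeyToken turns one shared secret (the SCT established through the STS exchange above) into a fresh key per message, as an added example that is not WSE code: WS-SecureConversation derives keys with the TLS-style P_SHA1 function over label + nonce, taking length bytes at an offset. The secret and nonces are constructed; the default label "WS-SecureConversation" is taken from the spec and is an assumption to check against the WSE version in use.

```python
import hashlib
import hmac
import os


def p_sha1(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA1 pseudo-random function (TLS PRF building block) as used by
    WS-SecureConversation: A(0) = seed, A(i) = HMAC(secret, A(i-1)),
    output = HMAC(secret, A(1) + seed) || HMAC(secret, A(2) + seed) || ..."""
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha1).digest()
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()
    return out[:length]


def derive_key(secret: bytes, nonce: bytes, offset: int = 0, length: int = 32,
               label: bytes = b"WS-SecureConversation") -> bytes:
    """Key material for one DerivedKeyToken: P_SHA1(secret, label + nonce),
    `length` bytes starting at `offset` (assumed default label, see lead-in)."""
    return p_sha1(secret, label + nonce, offset + length)[offset:offset + length]


def per_message_keys(secret: bytes, count: int, length: int = 32):
    """Constructed demo of the slide's point: a fresh random nonce per message
    yields a distinct key each time, so no two messages share a key."""
    keys = []
    for _ in range(count):
        nonce = os.urandom(16)          # carried in the DerivedKeyToken, not secret
        keys.append((nonce, derive_key(secret, nonce, 0, length)))
    return keys


if __name__ == "__main__":
    sct_secret = os.urandom(32)         # constructed stand-in for the SCT secret
    for nonce, key in per_message_keys(sct_secret, 3):
        print(nonce.hex(), "->", key.hex())
```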

Managing Security Context Tokens in a Web Farm: us/dnwebsrv/html/sctinfarm.asp

Intranet: Behind the Firewall
- Problem: perceived to be 'secure'; latency usually an issue; systems need to work together; SSO expected
- Windows world: Kerberos. WSE 2.0 gives you a WindowsPrincipal in the service. Limitations include: size, 'single hop', need for a KDC
- Heterogeneous: x509v3, Username, custom

Internet: Outside the Firewall
- The problem: all routes are potentially hostile; undoubtedly heterogeneous
- Lowest common denominator: x509v3 certificates. Offers the best levels of security (AuthN, integrity, confidentiality). Can be awkward to deal with: issuance, trust, revocation
- Future: WS-Federation, Active Directory Federation Server

WS-Federation Interop Scenario
(Diagram: Client; My Employer's Identity Provider (STS-IP) and Employee Portal; Benefits Company's Resource Provider (STS-RP) and Benefits Application. Federation claims flow between the two STSs, application claims to the Benefits Application.)
1. User attempts to access My Employer's Employee Portal
2. User is authenticated by My Employer's Security Token Service (STS-IP)
3. User requests access to Benefits Company's Benefits Application and obtains a federation SAML token from STS-IP containing claims specific to the trust agreement between My Employer and Benefits Company
4. The Benefits Company's STS (STS-RP) verifies the SAML token and gives the user a security token containing claims specific to the Benefits Application
5. User signs out of the Benefits Application and returns to the Employee Portal

Performance
- Use WS-SecureConversation for >2 messages
- Canonicalization process is complex and involves generation of multiple hashes (MD5 slightly quicker than SHA1)
- Payload size of tokens: Kerberos v5: 4k (3256 bytes); x509v3 certificate: 1k (608 bytes); UsernameToken: <1k; SecurityContextToken: 128-bit (AES); Custom: up to you

Role-based AuthZ with Policy
- SecurityToken.Principal: implementation of IPrincipal, automatically set for UsernameToken and KerberosSecurityToken
- IPrincipal is the .NET interface for role-based authorization: bool IsInRole(String str)
- Call the method explicitly or use Policy
- AzMan can be used but you need to write some code...

Long Lived Messages
- Scenario example: send a message signed with a Kerberos token to BizTalk, where it waits for 2 days before being sent on to its final destination. When it finally arrives, the token causes an exception.
- Messages retained for auditing
- Messages have TTL; tokens have TTL
- Kerberos default in Windows is 10 hours
- X509 certificate: controlled by the Certificate Authority

Non-Repudiation
- How do you ensure that a transaction was at the request of a particular sender?
- Certificates
- Auditing: the cipher text and key; possibly whole messages signed by an auditing service

WSE 2.0 and Interop
- InfoPath, BizTalk, Office
- Cross Platform (terop/)
- Sun JWSDP (Java Web Services Developer Pack): us/dnbda/html/interopsun.asp
- IBM WebSphere Application Developer: us/dnbda/html/wsinteroprecsibm-final.asp
- BEA WebLogic 8.1 SP3 (8.1.3): us/dnbda/html/wsinteroprecsbea.asp
- SAML or XrML...

A Glance at the Past

Summary
- Policy will get you going quickest
- User Name and Password: good for bootstrapping a Security Context or integration with other AuthN mechanisms, WindowsPrincipal
- x509v3 Certificate: good for interop, Internet
- Kerberos Ticket: big, offers integrated security (getting better), AuthN/Z data, road to federation
- Custom Security Token: can implement SAML or XrML
- Security Context: great for lots of messages, small, fast

Links
- WSE Info: fault.aspx
- Hands on Lab: Web Services Security and Policy with Web Services Enhancements: 4A0-98E1-42CC-A527-0FE1B49DEB40/HOL-WSE-Security.EXE
- WS-Security Drilldown: us/dnwse/html/wssecdrill.asp
- Build Security Into Your Web Services with WSE 2.0 and ISA Server: bServiceSecurity/default.aspx

© 2003 Microsoft Limited. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

Government Gateway and WSE
- Custom Filters: Enterprise Instrumentation Framework tracing
- CustomSecurityTokenService: distributes GatewayTokens
- UsernameTokenManager: validates username/password against the database
- X509TokenManager: validates signature and certificate
- CustomTokenManager: used to validate GatewayTokens
- Policy files

Lessons Learnt... WSE
- Config files: no room for error; mainly an issue early on in the project
- Certificates, Permissions, Performance: WSE comes with a certificate tool
- ISA
- Time difference between servers: servers on a domain do not sync accurately enough

Lessons Learnt... Interoperability
- Design WSDL first
- Avoid complex types
- Cultural issues
- Specifications: still evolving; not all are ratified
- Start-up times: easy to miss in testing; web farms make it worse