1
Applied WSE 2.0 Security
Mike Shaw, .NET Security Dude
DrSecurity@hotmail.co.uk / mikeshaw@microsoft.com
2
Background
April 2002 - Security in a Web Services World: A Proposed Architecture and Roadmap (IBM and Microsoft)
March 2004 - WS-Security standard: OASIS (http://www.oasis-open.org) released Web Services Security 1.0
April 2004 - WS-I.org Basic Profile 1.0 Final (1.1 WGD): http://www.ws-i.org/Profiles/BasicProfile-1.0-2004-04-16.html
May 2004 - WS-I.org Basic Security Profile 1.0 WG draft: http://www.ws-i.org/deliverables/workinggroup.aspx?wg=basicsecurity
Other security standards in the pipeline (public specifications): WS-Trust, WS-Policy, WS-Federation, WS-SecureConversation, WS-SecurityPolicy
Mike joined the 125 people that made up Microsoft UK in October 1991.
3
Channel – point-to-point
4
Channel vs Message
The channel is the ‘pipe’ or transport mechanism for data
Could use standard approaches: SSL/TLS, HTTP/S (Basic, digest, certs, etc.)
Only applies to point-to-point
Need greater flexibility, e.g. send my credit card data to the retailer, who passes it on to the credit card authorisation company but must not see my card details
5
Secure Communication
Protocol-level security
Encrypts the entire message
Sender must trust all intermediaries
Restricts protocols that can be used
(Figure: SSL Security)
6
A Message via intermediary
Any Web service capable application. WS-Security for encryption and signing: secure the SOAP message using WS-Security.
Channel doesn’t matter*: could be HTTP, SSL, MIME/SMIME etc.
(Figure: Client sends a signed message, encrypted and authorized, to an Intermediary that performs authentication, message validation, auditing/logging, confidential message processing and authorization, and on to the Target Service.)
* WS-I Basic Profile specifies HTTP
7
Secure Communication
Message-level security
End-to-end message security independent of transport
Supports multiple protocols and multiple encryption technologies
Encrypt only parts of the message
Sender need only trust the endpoint
8
Security of a Message
Integrity - the message has not changed: open standard algorithms, hashing, XML Signature (Canonicalization, C14N)
Confidentiality - content only visible to authorised entities: XML Encryption, asymmetric and symmetric
Exchange Data More Securely with XML Signatures and Encryption: http://msdn.microsoft.com/security/default.aspx?pull=/msdnmag/issues/04/11/xmlsignatures/default.aspx
Tokens - claims and assertions: authentication and authorization information
9
Canonicalization
(Figure: XML fragments containing "Some text" and "More text", shown before and after canonicalization)
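As an added example (not from the deck): two differently serialized copies of the same SOAP body hash differently as raw bytes but identically after canonicalization, which is why XML Signature digests the canonical form rather than the wire bytes. It uses Python's standard-library canonicalize (C14N 2.0) as a stand-in for the Canonical XML / Exclusive C14N transforms WS-Security uses; the sample body is constructed.

```python
import base64
import hashlib
from xml.etree.ElementTree import canonicalize

# Constructed sample: one SOAP body serialized two different ways
# (attribute order, quote style, empty-element form, position of the xmlns).
BODY_A = ('<s:Body xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
          '<o:Order xmlns:o="urn:example:orders" qty="2" sku="A17"><o:Rush/></o:Order>'
          '</s:Body>')
BODY_B = ("<s:Body xmlns:s='http://schemas.xmlsoap.org/soap/envelope/'>"
          "<o:Order sku='A17' qty='2' xmlns:o='urn:example:orders'><o:Rush></o:Rush></o:Order>"
          "</s:Body>")


def raw_digest(xml_text: str) -> str:
    """Base64 SHA-1 over the bytes exactly as they arrived (what NOT to sign)."""
    return base64.b64encode(hashlib.sha1(xml_text.encode("utf-8")).digest()).decode()


def canonical_digest(xml_text: str) -> str:
    """Base64 SHA-1 over the canonical form: the value an XML Signature
    <DigestValue> carries for the referenced element."""
    canonical = canonicalize(xml_text)  # stdlib C14N 2.0, stand-in for C14N 1.0 / Exc-C14N
    return base64.b64encode(hashlib.sha1(canonical.encode("utf-8")).digest()).decode()


def verify_reference(received_xml: str, expected_digest: str) -> bool:
    """Receiver side: recompute the digest over the canonical form of what arrived."""
    return canonical_digest(received_xml) == expected_digest


if __name__ == "__main__":
    print("raw digests equal:      ", raw_digest(BODY_A) == raw_digest(BODY_B))
    print("canonical digests equal:", canonical_digest(BODY_A) == canonical_digest(BODY_B))
```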
10
Web Services Enhancements 2.0
http://msdn.microsoft.com/webservices/building/wse/
WS-Security: XML Signature, XML Encryption, Tokens
WS-SecureConversation, WS-Trust, WS-Policy, WS-SecurityPolicy
11
How does WSE work?
(Figure: User Code sits above the SoapContext; the WSE pipeline is made up of Trace, Security, Referral and Policy filters, a Custom Security Token Manager and Custom Filters.)
12
How does WSE work?
(Figure, second build: User Code, SoapContext, and the filters Custom, Policy, Referral, Security and Trace; Security Token Manager; Custom Filters.)
13
What are the security choices?
Code or Policy
Authentication tokens: User Name and Password, x509v3 Certificate, Kerberos Ticket, Custom Security Token, Security Context
Integrity, Confidentiality
14
What is WS-Policy?
A way to advertise and enforce the policies of your site: message age, types of tokens, lifetime of tokens, which elements need to be signed
XML based; complex
Send-side and receive-side
Role-based authorisation: for plain-text UsernameTokens it gets a Windows identity
15
Policy Driven Architecture
Saying what you need, to do what you will do
(Figure: X sends a message to Y. X gets Y’s inbound policy ("Y’s In"), caches it and checks it is compatible with its own outbound policy ("X’s Out", the policy used by X when sending a message out, often implicit). Y’s In is the policy used by Y when receiving a message in.)
16
WS-SecurityPolicy
(Figure: token assertions such as wsse:Kerberosv5TGT and wsse:UsernameToken)
17
Simple WSE 2.0 App & Service using policy
18
WS-Policy, UDDI and WSE
(Figure: the California, New York and Redmond services, each running WSE, publish their policies as tModels in UDDI; the client app’s WSE keeps all three in its policy cache.)
Policy SiliconValley: Integrity: Username; Encryption: x509
Policy NewYork: Integrity: x509; Encryption: x509
Policy Redmond: Integrity: Username
19
Tokens
Asserts claims: Username, Public Keys
Proof of possession: Passwords, Private Keys
Available tokens: UsernameToken, BinarySecurityToken, CustomXmlToken
20
Tokens
Username Tokens
Binary Security Tokens: X509 Tokens, Kerberos Tokens
Custom XML Tokens: SAML Tokens, Gateway Tokens
21
Sending lots of messages
The problem
Asymmetric encryption is: most secure; slow, bulky and inefficient
Symmetric encryption is: faster; needs token issuing
WS-Trust: Security Token Service (STS), Request for Security Token (RST), Request for Security Token Response (RSTR), Security Context Token (SCT)
22
(Figure, within a scope of trust:)
1. Client presents a username token and requests a custom token
2. STS returns a CustomToken
3. Client presents the custom token with each SOAP function call
23
Derived Security Token
The DerivedKeyToken creates a different key for each message
Ensures a different key is used for each message
Makes a ciphertext-only attack more difficult
Use it wherever possible!
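An added illustration of the WS-Trust / WS-SecureConversation flow on the last few slides, not code from the deck or from WSE: a toy STS answers an RST with a Security Context Token, the client derives a fresh key per message from the SCT secret and a nonce using the P_SHA1 function WS-SecureConversation specifies for the DerivedKeyToken, and the service re-derives that key, checks the MAC and refuses expired tokens. The credential store, the "WS-SecureConversation" label default and the token lifetime are assumptions.

```python
import hashlib
import hmac
import os


def p_sha1(secret: bytes, seed: bytes, length: int) -> bytes:
    """TLS P_SHA1 expansion, the default key derivation in WS-SecureConversation."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha1).digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]


def derive_key(sct_secret: bytes, nonce: bytes, offset: int = 0, length: int = 16,
               label: bytes = b"WS-SecureConversation") -> bytes:
    """DerivedKeyToken: P_SHA1(secret, label + nonce)[offset : offset + length].
    The default label is an assumption; WS-SecureConversation revisions differ on it."""
    return p_sha1(sct_secret, label + nonce, offset + length)[offset:offset + length]


class SecurityTokenService:
    """Toy STS: a valid UsernameToken in the RST yields an SCT (id, secret, expiry) in the RSTR."""
    def __init__(self, lifetime_seconds: int):
        self.lifetime, self.issued = lifetime_seconds, {}

    def request_security_token(self, username: str, password: str, now: float) -> dict:
        if (username, password) != ("alice", "s3cret"):   # constructed credential store
            raise PermissionError("UsernameToken rejected")
        sct = {"id": "uuid:" + os.urandom(8).hex(), "secret": os.urandom(32),
               "expires": now + self.lifetime}            # lifetime as advertised in policy
        self.issued[sct["id"]] = sct
        return sct


def sign_message(sct: dict, body: bytes) -> dict:
    """Client: a fresh nonce per message, so the HMAC key differs for every message."""
    nonce = os.urandom(16)
    mac = hmac.new(derive_key(sct["secret"], nonce), body, hashlib.sha1).digest()  # hmac-sha1 as in WSE 2.0
    return {"sct": sct["id"], "nonce": nonce, "body": body, "mac": mac}


def verify_message(sts: SecurityTokenService, msg: dict, now: float) -> bool:
    """Service: reject unknown or expired SCTs, then re-derive the key and check the MAC."""
    sct = sts.issued.get(msg["sct"])
    if sct is None or now > sct["expires"]:
        return False
    expected = hmac.new(derive_key(sct["secret"], msg["nonce"]), msg["body"], hashlib.sha1).digest()
    return hmac.compare_digest(expected, msg["mac"])
```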
24
Managing Security Context Tokens in a Web Farm: http://msdn.microsoft.com/library/en-us/dnwebsrv/html/sctinfarm.asp
25
Intranet – Behind the Firewall
Problem: perceived to be ‘secure’; latency usually an issue; systems need to work together; SSO expected
Windows world: Kerberos. WSE 2.0 gives you a WindowsPrincipal in the service. Limitations include: size, ‘single hop’, need a KDC
Heterogeneous: x509v3, Username, custom
26
Internet – outside the Firewall
The Problem: all routes are potentially hostile; undoubtedly heterogeneous
Lowest common denominator: x509v3 certificates. Offers best levels of security – AuthN, integrity, confidentiality. Can be awkward to deal with – issue, trust, revocation
Future – WS-Federation, Active Directory Federation Server
27
WS-Federation Interop Scenario
(Figure: Client; My Employer with its Identity Provider (STS-IP) and Employee Portal; Benefits Company with its Resource Provider (STS-RP) and Benefits Application. Federation claims come from STS-IP, application claims from STS-RP.)
1. User attempts to access My Employer’s Employee Portal
2. User is authenticated by My Employer’s Security Token Service (STS-IP)
3. User requests access to Benefits Company’s Benefits Application and obtains a federation SAML token from STS-IP containing claims specific to the trust agreement between My Employer and Benefits Company
4. The Benefits Company’s STS (STS-RP) verifies the SAML token and gives the user a security token containing claims specific to the Benefits Application
5. User signs out of the Benefits Application and returns to the Employee Portal
28
Performance
Use WS-SecureConversation for >2 messages
Canonicalization process is complex and involves generation of multiple hashes (MD5 slightly quicker than SHA1)
Payload size of tokens: Kerberos v5 – 4k (3256 bytes); x509v3 Certificate – 1k (608 bytes); UsernameToken – <1k; SecurityContextToken – 128 bit (AES); Custom – up to you
29
http://www.fawcette.com/xmlmag/2002_10/online/webservices_rjennings_10_16_02/page4.aspx
30
Role-based AuthZ with Policy
SecurityToken.Principal: implementation of IPrincipal; automatically set for UsernameToken and KerberosSecurityToken
IPrincipal is the .NET interface for role-based authorization: bool IsInRole(String str)
Call the method explicitly or use Policy
AzMan can be used but you need to write some code…
31
Long Lived Messages
Scenario example: send a message signed with a Kerberos token to BizTalk, where it waits for 2 days before being sent on to the final destination. When it finally arrives, the token causes an exception.
Messages retained for auditing
Messages have TTL; tokens have TTL
Kerberos default in Windows is 10 hours
X509 certificate – controlled by the Certificate Authority
32
Non-Repudiation
How do you ensure that a transaction was at the request of a particular sender?
Certificates
Auditing: the cipher text and key; possibly whole messages signed by the auditing service
33
WSE 2.0 and Interop
InfoPath, BizTalk, Office
Cross Platform (http://msdn.microsoft.com/webservices/building/interop/)
Sun JWSDP (Java Web Services Developer Pack) 1.4: http://msdn.microsoft.com/library/en-us/dnbda/html/interopsun.asp
IBM WebSphere Application Developer 5.1.2: http://msdn.microsoft.com/library/en-us/dnbda/html/wsinteroprecsibm-final.asp
BEA WebLogic 8.1 SP3 (8.1.3): http://msdn.microsoft.com/library/en-us/dnbda/html/wsinteroprecsbea.asp
SAML or XrML…
34
A Glance at the Past
35
Summary
Policy will get you going quickest
User Name and Password: good for bootstrapping a Security Context or integration with other AuthN mechanisms; WindowsPrincipal
x509v3 Certificate: good for interop, Internet
Kerberos Ticket: big, offers integrated security (getting better), AuthN/Z data, road to federation
Custom Security Token: can implement SAML or XrML
Security Context: great for lots of messages, small, fast
36
Links
WSE Info: http://msdn.microsoft.com/webservices/building/wse/default.aspx
Hands on Lab: Web Services Security and Policy with Web Services Enhancements 2.0: http://download.microsoft.com/download/7/A/A/7AA994A0-98E1-42CC-A527-0FE1B49DEB40/HOL-WSE-Security.EXE
WS-Security Drilldown: http://msdn.microsoft.com/library/en-us/dnwse/html/wssecdrill.asp
Build Security Into Your Web Services with WSE 2.0 and ISA Server 2004: http://msdn.microsoft.com/msdnmag/issues/04/11/WebServiceSecurity/default.aspx
37
© 2003 Microsoft Limited. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
38
Government Gateway and WSE
Custom Filters: Enterprise Instrumentation Framework tracing
CustomSecurityTokenService: distributes GatewayTokens
UsernameTokenManager: validates username/password against the database
X509TokenManager: validates signature and certificate
CustomTokenManager: used to validate GatewayTokens
Policy files
39
Lessons Learnt…
WSE config files: no room for error; mainly an issue early on in the project
Certificates, Permissions, Performance
WSE comes with a certificate tool
ISA
Time difference between servers: servers on a domain do not sync accurately enough
40
Lessons Learnt…
Interoperability: design WSDL first; avoid complex types; cultural issues
Specifications: still evolving; not all are ratified
Start-up times: easy to miss in testing; web farms make it worse