Presentation is loading. Please wait.

Presentation is loading. Please wait.

Web305 Security Practices for Web Services (Part 1) : Now I Understand Eric Schmidt Technical Evangelist Platform Strategy & Partner Group Microsoft Corporation.

Published byBeverly Green Modified over 8 years ago

Similar presentations

Presentation on theme: "Web305 Security Practices for Web Services (Part 1) : Now I Understand Eric Schmidt Technical Evangelist Platform Strategy & Partner Group Microsoft Corporation."— Presentation transcript:

1 Web305 Security Practices for Web Services (Part 1) : Now I Understand Eric Schmidt Technical Evangelist Platform Strategy & Partner Group Microsoft Corporation

2 Agenda Web Services Roadmap Crypto Mini-Primer Review WS-Security Applying WS-Security

3 Roamap Where and why…

4 Web Services Architecture Foundation Applications & Application Structure Transports Connected Applications Management Business Process … SecurityReliabilityTransactions Messaging XML Metadata HTTP, TCP, UDP, SMTP…..

5 Security in a Web Services World – IBM/MSFT White Paper – IBM/MSFT White Paper WS-Security specification – At OASIS, broad industry support Security PrivacyAuthorizationFederation TrustPolicySecureConversation SOAP Foundation Today Web Services Security Architecture 5

6 Crypto Mini-Primer Crawl before walk…

7 Getting to Service and Message Based security Cryptography Ciphers (enable confidentiality) XML Signature Data Integrity Non-Repudiation XML Encryption Encryption WS-Security

8 Cryptography Ciphers Symmetric Cipher = 1 Key Used for encryption and decryption Key can be vulnerable if transmitted Exchange problems ½(n 2 -n) 1000 people = 499,500 exchanges Does not inherently support repudiation Examples Triple DES (64bit) AES (variable key size) A XX Text Ciphertext

9 Cryptography Ciphers Asymmetric Cipher = non-matching keys One key for encryption One key for decryption Does not necessarily require exchange of keys Examples RSA (variable key size) AXX Text Ciphertext A Text

10 Digital Signatures Enables integrity and non-repudiation E-Sign Act, June 2000 RSA, DSA or HMAC (symmetric key) Relies on Hashing InputRange(ADASADDAFA) = OutputRange(XSDAD) Examples Secure Hash Algorithm (SHA) SHA1 creates a 20 byte digest of any binary data (2 160 ) A Text Signed Digest SHA xsd…. Digest RSA Private Key xsd….A xsd…. Public Key

11 XML Signature http://www.w3.org/TR/xmldsig-core/ XML syntax used to represent a digital signature over any digital content Verified whether a message was altered during transit Enables non-repudiation Sign specific portions of the XML document or message One-way transformation via private key Defined schema

12 XML Signature Schema <Signature> ( ( ( )? ( )? )+ )+ ( )? ( )? ( )* ( )*</Signature> Root Signed Item Location (Enveloped or Detached) Hash Info Signature of Digest Public Key Source Data

13 XML Encryption http://www.w3.org/TR/xmlenc-core/ Encrypt specific portions of the XML document or message Supports symmetric and asymmetric key algorithms Defined schema

14 XML Encryption Schema ? ? ? ? ? ? ? ?</EncryptedData> Root Encrypted Info Driven by cryptography type Eric Schmidt X.509

15 Recap XWS is key Cryptography has implications XML Signature and XML Encryption are foundation

16 How does this materialize in a Web services model? Composition via SOAP Headers Processing via Web service that understand the header schema SOAP headers can be anything so we need a schema and processing rules to ensure interoperability across all implementations

17 WS-Security 1.0 A specification for proposed SOAP extensions to be used when building secure Web services. Supercedes the following specifications SOAP-SEC Microsoft’s WS-Security, WS-License IBM’s security token and encryption Dependent upon XML DIGSIG, XML Encryption, XML Schema, SOAP

18 WS-Security 1.0 What Enhancements to SOAP Quality of protection Integrity Confidentiality Authentication Token Association Token Encoding Designed to be composed with other Web service protocols Defined schema Is not a complete security solution

19 WS-Security 1.0 Goals Single message security language Flexible - does not define explicit security protocols Requirements Multiple security tokens for authentication and authorization Multiple trust domains Multiple encryption technologies End-to-end message-level security

20 WS-Security 1.0 Terms Claim: name, group, privilege, etc. Security Token: collection of claims e.g. Eric, Microsoft, Free Lunch Signed Security Token: token signed that is asserted and cryptographically endorsed by a specific authority Proof-of-Possession: data used in a proof process and only known by the sender e.g. private key Integrity: guarantee that information is not modified in transit

21 WS-Security 1.0 Terms continued Confidentiality: protection of data so that only authorized actors can view the data Digest: cryptographic check-sum Signature: cryptographic binding of a proof-of-possession, can provide non- repudiation Attachment : data that is not part of the SOAP envelope

22 WS-Security 1.0 Security Model Security Token + Digital Signature = Proof of Key Possession If you can sign you are authenticating that your possess the secret key Claims Public Key Secret Key + =

23 Authentication Definition Generic: The verification of the identity of a person or process In WS-Security Terms: Verifying claims and or tokens of a subject. This verification is dependant upon proving possession of the token.

24 Authentication Claims My username is: Eric My password is: PaSsWorD I am a member of the Redmond domain I am a scratch golfer Claims are represented as Security Tokens This is private. Only I possess the password.

25 Authentication Security Tokens Contain security related claims Can contain or relate to keys that drive cryptographic operations Can be endorsed or signed

26 Common Token Types Username X509 Kerberos XML Custom Binary

27 Authentication Claims and subjects are normally tied to “Applications” Windows (redmond\eschmidt) Passport (eschmidt99@nospam.com) Homegrown (00200312:AAbBFD) Spiritual Applications require claims to be represented in their format

28 Authentication Claims are represented as Security Tokens <wsse:Username>eric</wsse:Username> PasSwoRD PasSwoRD <wsse:Nonce>oC3uV0j4knlV9WgZQGqJWg==</wsse:Nonce><wsu:Created>2003-05-15T18:15:53Z</wsu:Created></wsse:UsernameToken>

29 Authentication Remember: presenting tokens without signing may do nothing – you must sign to authenticate*

30 Authentication Service A Service B <SOAP></SOAP Authenticate Claim Encode Token & Sign

31 Username Token What does it do? Provides a way to encode username and password claims Supports symmetric signing symmetric encryption (future) Drawbacks Both sender and receiver must have knowledge about the secret key

32 Say Hello To My Little Friend… WSE a.k.a. Web Services Enhancements for Microsoft.NET WS-Security Support in V1

33 Authenticating via Username Token demo demo

34 Username Token Notables Use the Username Token in scenarios that restrict you to basic username/password credentials Requires that receiver have access to the password unless sent over a secure channel

35 Kerberos Token What does it do? Provides a way to encode Kerberos service tickets Supports symmetric signing symmetric encryption

36 Authenticating via Kerberos Token demo demo

37 Kerberos Token Notables Kerberos/WS-Security implementations are still developing Addendums to WS-Security to address interop issues forthcoming WSE v2 : Requires run-time access to a KDC and that machines are joined to the realm

38 X509Security Token What does it do? Provides a way to encode X509 certificates Supports asymmetric signing asymmetric encryption Drawbacks

39 Authenticating via x509 Token demo demo

40 X509Security Token Notables Great for B2B scenarios and bootstrapping secure conversations Requires certificate management Requires more processing resources

41 Additional Tokens Implement BinarySecurityToken XmlToken Type in V2

42 Authentication Summary Different tokens for different situations Tokens will determine keys Signing is key

43 Authorization The act of giving authority; sanction or warrant. Authorization is dependant upon authentication.

44 Authorization You control the scoping Service Process Method Code

45 Authorization Common Model Services drive processes Processes have roles Roles have rights Users belong to roles

46 Authorization Three Solutions Custom database Windows Roles Authorization Manager

47 Demo Authorization Manager

48 Conclusion WS-Security is the foundation for securing Web Services WSE is the.NET programming model for WS-Security Building common services for authentication and authorization will help you in the long run Go build something secure

49 Things You Should Read/Do Application Architecture for.NET : Designing Applications And Services Building Secure Microsoft ASP.NET Applications (Authentication, Authorization and Secure Communication) WS-Security, WS-SecureConversation, WS-Trust WS-Security Roadmap WEB401 : Security Practices for Web Services (Part 2) : Now My Brain Hurts

50 Ask The Experts Get Your Questions Answered I will be available in the ATE area after this session

51 Suggested Reading And Resources The tools you need to put technology to work! TITLE Available Writing Secure Code, Second Edition:0-7356-1722-8 Today Microsoft Press books are 20% off at the TechEd Bookstore Also buy any TWO Microsoft Press books and get a FREE T-Shirt

52 evaluations evaluations

53 © 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.

Download ppt "Web305 Security Practices for Web Services (Part 1) : Now I Understand Eric Schmidt Technical Evangelist Platform Strategy & Partner Group Microsoft Corporation."

Similar presentations

Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.

Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.
Web Service Security CS409 Application Services Even Semester 2007.

Web Service Security CS409 Application Services Even Semester 2007.
Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.

Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.
WEB401 Security Practices for Web Services (Part 2) Keith Ballinger Program Manager XML Messaging Microsoft Corporation.

WEB401 Security Practices for Web Services (Part 2) Keith Ballinger Program Manager XML Messaging Microsoft Corporation.
Information Security & Cryptographic Principles. Infosec and Cryptography Subjects / Topics : 1. Introduction to computer cryptography 1. Introduction.

Information Security & Cryptographic Principles. Infosec and Cryptography Subjects / Topics : 1. Introduction to computer cryptography 1. Introduction.
1 Pertemuan 12 Authentication, Encryption, Digital Payments, and Digital Money Matakuliah: M0284/Teknologi & Infrastruktur E-Business Tahun: 2005 Versi:

1 Pertemuan 12 Authentication, Encryption, Digital Payments, and Digital Money Matakuliah: M0284/Teknologi & Infrastruktur E-Business Tahun: 2005 Versi:
Lecture 5: Email security: PGP Anish Arora CIS694K Introduction to Network Security.

Lecture 5: security: PGP Anish Arora CIS694K Introduction to Network Security.
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Web Services and the Semantic Web: Open Discussion Session Diana Geangalau Ryan Layfield.

Web Services and the Semantic Web: Open Discussion Session Diana Geangalau Ryan Layfield.
WS-Security TC Christopher Kaler Kelvin Lawrence.

WS-Security TC Christopher Kaler Kelvin Lawrence.
Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.

Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.
Principles of Information Security, 2nd edition1 Cryptography.

Principles of Information Security, 2nd edition1 Cryptography.
Core Web Service Security Patterns

Core Web Service Security Patterns
Lesson Title: Introduction to Cryptography Dale R. Thompson Computer Science and Computer Engineering Dept. University of Arkansas

Lesson Title: Introduction to Cryptography Dale R. Thompson Computer Science and Computer Engineering Dept. University of Arkansas
Making VLAB Secure Javier I. Roman. What is VLAB?  An interdisciplinary consortium dedicated to the development and promotion of the theory of planetary.

Making VLAB Secure Javier I. Roman. What is VLAB?  An interdisciplinary consortium dedicated to the development and promotion of the theory of planetary.
BY MUKTADIUR RAHMAN MAY 06, 2010 INTERODUCTION TO CRYPTOGRAPHY.

BY MUKTADIUR RAHMAN MAY 06, 2010 INTERODUCTION TO CRYPTOGRAPHY.
8-1 What is network security? Confidentiality: only sender, intended receiver should “understand” message contents m sender encrypts message m receiver.

8-1 What is network security? Confidentiality: only sender, intended receiver should “understand” message contents m sender encrypts message m receiver.
Cryptographic Technologies

Cryptographic Technologies
© 2007 Charteris plc20 June 2015 1 1 Extending Web Service Security with WS-* Presented by Chris Seary MVP Charteris plc, 39-40 Bartholomew Close, London.

© 2007 Charteris plc20 June Extending Web Service Security with WS-* Presented by Chris Seary MVP Charteris plc, Bartholomew Close, London.

Similar presentations

Ads by Google