© 2007 Charteris plc

Page 1: Extending Web Service Security with WS-*

Presented by Chris Seary MVP
Charteris plc, 39-40 Bartholomew Close, London EC1A 7JN

Posted Dec 20, 2015

Page 2: Vision

• Secure communications
  – Confidentiality
  – Integrity
  – Availability

Page 3: Confusion

• Network protocol security
• Message layer security

Page 4: Coming up

• Clarification
• What are the different types of security provided by networking protocols?
• What does message level security add?
• Suggestions on which to choose
• How to do it using WCF

Page 5: What is WS-Security?

• Message layer security
• Standards based (OASIS)
• WS-*
  – WS-Security
  – WS-Addressing
  – Etc.

Page 6: How do we implement it?

• WCF provides a framework for programming WS-*
  – Authentication
  – Encryption
  – Non-repudiation
  – Digital signatures
  – Etc.

Page 7: Message security versus network protocol security

• What do we mean by
  – Message
  – Network protocol
• Confusion due to naming!

Pages 8-14: Network protocols

• TCP/IP stack
• Refers to network communications
• Data is only protected during transit

[Diagram, built up over pages 9-14: security is applied inside the TCP/IP stack, so the data is unsecured at both ends of the connection. Examples shown: HTTPS and FTPS; IPSec; PPP, which uses PAP, CHAP, MS-CHAP or EAP.]

Page 15: Network protocols

• SSL
  – Confidentiality
  – Integrity
  – Authenticates USERS
    • Basic
    • Windows
    • Etc.
  – Various apps
    • FTP
    • SQL Server libraries

Page 16: Network protocols

• IPSec
  – Confidentiality
  – Integrity
  – Authenticates HOSTS
    • Kerberos
    • Shared password (don’t do this in production!)
    • Certificates
  – VPN with L2TP

Page 17: Demo

• SSL in IIS
• IPSec

Pages 18-19: Message security

• Protects data that is sent
• More granular
• Can use application level tools
• End to end

[Diagram: security is applied at the sender (encrypt) and at the receiver (decrypt), so the data stays secure along the whole path between them.]

Page 20: Integrity

• Integrity
  – Message not altered in transit
  – WS-*, SSL, IPSec all give this

Page 21: Non-repudiation

• Digital signatures
  – Gives assurance that message was sent by the signer
  – WS-* gives digital signature
  – SSL and IPSec do not

Page 22: Confidentiality

• Encryption
  – Only recipient can read message
  – SSL, IPSec and WSE all provide this
  – WS-* provides more granular functionality
    • Custom policy assertion can encrypt/sign specific parts of a message
    • Intrusion Detection Systems may disallow SSL or IPSec

Page 23: Authentication

• IPSec
  – Kerberos, shared key, certificates
• SSL
  – Basic, Windows, Digest, Certs
• WS-*
  – Username/password, Certs, Custom, Kerberos

Page 24: Policy

• WS-* can be applied via
  – Configuration
  – Code
  – A mixture of configuration and code
• Policy is configuration

Page 25: Policy

• WCF offers ready-made policy objects
  – ‘turnkey’ approach that began with WSE 3.0

Page 26: Demo

• SOAP
• WS-Security
• Encryption
• Digital Signature

Pages 27-29: Security and encryption

[Diagram, built up over three pages: Message → Encrypt → "Jhbsx^8" → Decrypt → Message. The encrypt step uses the public key and the decrypt step uses the private key.]

• Usually includes encryption of symmetric key!

Pages 30-31: Certificates / Certificate store

[Diagram: a certificate holds the subject name, serial number, issuer, public key, CA signature and attributes 1, 2, 3, ...; in the certificate store it is kept alongside the private key.]

Page 32: Certificate store

• Local machine
  – Certificates used by system
    • Demo uses Network Service
• Current user
  – Logged on user
  – Windows test harness
• X509 Certificate Tool
  – Grants permissions for accessing private keys

Page 33: Demo

• Certificate store

Page 34: WCF

• Windows Communication Foundation

Page 35: WCF

• Address
• Binding
• Contract

Page 36: WCF

• Address
  – Endpoint
  – URL
    • http://localhost/site/service

Page 37: WCF

• Binding
  – How do we communicate?
    • WS-*
    • HTTP
    • HTTPS
    • Etc.

Page 38: WCF

• Contract
  – What have we agreed?
    • Methods
    • Parameters
  – Interface

Page 39: WCF

[Diagram: a Client and a Service, each with Behavior, talk through endpoints made up of A, B and C: Address (Where?), Binding (How?) and Contract (What?).]

Page 40: Demo

• WCF and WS-*

Page 41: WS-* Evolution

• WSE
  – Tactical
  – WSE 2.0 - .Net 1.x
  – WSE 3.0 - .Net 2.0
• WCF
  – Future of communications for Microsoft technologies

Page 42: WS-* Interoperability

• WSE 3.0 and WCF
• WSE 2.0 and WCF

Page 43: WCF

• http://www.netfx3.com/
• http://msdn2.microsoft.com/en-us/netframework/aa663324.asp

Page 44: WS-Federation

• Single Sign On
• Identity Providers
• 7 laws of identity – Kim Cameron
  – http://www.microsoft.com/technet/technetmag/issues/2006/07/7Laws/default.aspx

Pages 45-47: WS-Federation

[Sequence diagram between www.site1.com, www.IdentityProvider.com (the IP) and www.site2.com: first visit to site 1.]

1. User attempts to access site 1.
2. Site 1 server sees that no cookie is presented.
3. Site 1 server redirects user to IP.
4. IP server sees that no cookie is presented.
5. IP supplies user with login form to enter credentials.
6. User submits credentials.
7. Credentials validated.
8. IP supplies user with form containing Signed Security Token in a HIDDEN FIELD; IP cookie is included with the response.
9. JavaScript submits form with hidden field to site 1.
10. Site 1 assesses whether the user in the Signed Security Token should be allowed access.
11. Site 1 responds with a welcome page, and a site 1 cookie is included in the response.

Pages 48-50: WS-Federation

[Same diagram; the browser now holds the IP cookie and the site 1 cookie.]

1. User navigates to site 2.
2. No cookie for site 2.
3. User redirected to IP, thus sending IP cookie.
4. IP picks up IP cookie from user.
5. IP responds with a form containing a Signed Security Token (HIDDEN FIELD).
6. JavaScript submits the form to site 2.
7. Site 2 checks Signed Security Token and chooses whether to grant access.
8. Site 2 responds with a welcome page and a site 2 cookie.

Page 51: WS-Federation

[Same diagram; the browser now holds the IP cookie, the site 1 cookie and the site 2 cookie.]

1. User navigates back to site 1, including site 1 cookie in the request.
2. Site 1 application checks validity of cookie.
3. Site 1 responds with page from previous transaction.
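The passive sign-on sequence on pages 45-51, as an added simulation that is not part of the original slides: an identity provider that sets its own cookie and issues a signed token per relying party, two relying parties that accept a token only for their own realm and afterwards rely on their own cookie, and a browser-side driver that follows the redirect. The HMAC-signed JSON token, the hostnames used as realms and the credential store are constructed stand-ins for the Signed Security Token (in practice a SAML token signed with the IP's X.509 key).

```python
import base64, hashlib, hmac, json, secrets, time
IP_SIGNING_KEY = b"constructed-ip-signing-key"   # constructed; a real IP signs with an X.509 key
PASSWORDS = {"alice": "correct-horse"}            # constructed credential store at the IP

def sign_token(realm, user, ttl=300):   # IP issues a 'Signed Security Token' for one realm
    claims = {"sub": user, "aud": realm, "exp": int(time.time()) + ttl}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    return body + "." + hmac.new(IP_SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()

def verify_token(token, realm):   # relying party checks signature, audience and expiry
    body, _, mac = token.partition(".")
    expected = hmac.new(IP_SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims["aud"] != realm or claims["exp"] < time.time():
        return None
    return claims["sub"]

class IdentityProvider:
    host = "www.IdentityProvider.com"
    def __init__(self): self.sessions = {}          # IP cookie value -> user
    def handle(self, cookies, realm, creds=None):
        user = self.sessions.get(cookies.get(self.host))   # step 4: IP cookie present?
        if user is None and creds and PASSWORDS.get(creds[0]) == creds[1]:
            user = creds[0]                              # step 7: credentials validated
            cookies[self.host] = secrets.token_hex(16)   # step 8: IP cookie set
            self.sessions[cookies[self.host]] = user
        if user is None:
            return {"action": "login_form"}              # step 5: ask for credentials
        return {"action": "post_form", "to": realm, "hidden": sign_token(realm, user)}  # step 8: hidden field

class RelyingParty:
    def __init__(self, host, ip): self.host, self.ip, self.sessions = host, ip, {}
    def handle(self, cookies, hidden=None):
        if cookies.get(self.host) in self.sessions:      # own cookie: no trip to the IP
            return {"page": "welcome", "user": self.sessions[cookies[self.host]]}
        if hidden is not None:                           # step 10: assess the signed token
            user = verify_token(hidden, self.host)
            if user is None:
                return {"page": "forbidden"}
            cookies[self.host] = secrets.token_hex(16)   # step 11: site cookie set
            self.sessions[cookies[self.host]] = user
            return {"page": "welcome", "user": user}
        return {"redirect": self.ip.host, "wtrealm": self.host}   # step 2/3: no cookie

def single_sign_on(cookies, site, creds=None):   # the browser's view of one page access
    resp = site.handle(cookies)
    if "redirect" in resp:
        ip_resp = site.ip.handle(cookies, resp["wtrealm"], creds)
        if ip_resp["action"] == "login_form":
            return {"page": "login_form"}
        resp = site.handle(cookies, hidden=ip_resp["hidden"])
    return resp
```

The audience check in `verify_token` is what stops a token minted for site 1 being replayed to site 2; the second site still gets its own token, but without a second login because the IP cookie is presented on the redirect.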

Page 52: WS-Federation

[Figure only; no text on this page.]

Page 53: WS-Federation

• http://technet2.microsoft.com/WindowsServer/en/Library/b0f029cb-65ab-44fb-bcfc-5aa02314e06e1033.mspx?mfr=true

Page 54: Summary

• Protocol – TCP/IP
• Message – WS-Security
• Single Sign On – WS-Federation
• Rapidly advancing technology

Page 55: Thank you

• Presentation and slides
  – http://blog.searyblog.com/