Petar Vucetin Soa312 Building Secure Web Services Using Windows Communication Foundation Tech Ed 2008 (Final)

Nov 28, 2014

Building Secure Web Services Using Windows Communication Foundation

Petar Vucetin
Senior Software Engineer
Vertigo

Session Code: SOA312

Agenda

Learn how to use standard WCF security mechanisms correctly
Understand appropriate scenarios for the various WCF security options
Understand how to extend WCF security for custom applications

Threat Modeling

CIA
  Confidentiality
  Integrity
  Availability

STRIDE
  Spoofing
  Tampering
  Repudiation
  Information Disclosure
  DoS
  Elevation of Privilege

Security

Confidentiality
  Content of the message is kept secret
Integrity
  Confidence that message received is the same that sender sent
Authentication
  Confidence that we know caller identity
  Confidentiality and Integrity useless without authenticity

WCF Out of the box experience

Defaults to secure mode
Claim-based
Internet, Intranet and custom security scenarios
Secure conversations
Transfer
Message integrity and protection
Mutual Authentication (client->service, service->client)
Authorization

[Diagram labels: Host; WCF Service; Caller; Service; A B C; Caller Identity; Service Identity; Message (WS*); Transport (TLS, SSL, IPSec); Trust; Policy; Claims]

Address – Where?
Binding – How?
Contract – What?

Transport Security

Prevents eavesdropping, tampering, and message forgery
Point-to-Point communication
SSL over HTTP
TLS over TCP
Provides endpoint authentication and communications privacy using cryptography.
IPSEC/L2TP

[Diagram labels: Caller; Service; ABC; Transport (TLS, SSL, IPSec)]

Message WS-Security

[Diagram labels: SOAP Envelope; SOAP Header; SOAP Body; Misc. Headers; Data; Security Header; Security Token; Timestamp; Signature; Encrypted Key; Encrypted Data]

Message Security

Transport independent
Uses SOAP / WS-Security
Parts of the message can be signed or encrypted.
All of the security information is encapsulated in the message
Security credentials and claims with every message.
Wide set of credentials and claims supported
WCF requires X509 certificate

[Diagram labels: Caller; Service; ABC; Message (WS*)]

Authentication

Caller identification
  Windows tokens
  Certificates
  User Name Tokens
  Custom
Service identification (to caller)
  Windows tokens, X.509 certificates

Microsoft Confidential

Authentication WS-Security

[Diagram labels: S; E; X509; Kerberos; SAML; XrML; Custom; Contract & Policies; X509 Certificate; Private Key]

The service verifies that the user owns/is able to use a key that is never transmitted

Authorization

What is caller allowed to do
WCF uses caller's claims
  Can have many
  Windows token, SAML
Windows groups, ASP.NET providers, Custom provider
No good without authentication

Scenarios

Intranet
  Direct access to service (rare) – single machine
  Application servers – more common, distributed, maybe port restrictions and firewalls
  AD, Windows auth
Internet
  Firewalled, DMZed
  Restricted ports and routes, custom identity store
  Maybe trusted subsystem down the line with AD/Windows auth
  Maybe multiple authentication systems involved

Scenarios (cont.)

B2B
  Crossing multiple network topologies, firewalls, port restrictions
  Non Windows security topologies and implementations
  May require acquiring and using different identities
  Maybe multiple authentication systems involved
  Most likely service to service

Service and Client

How does this stuff work?

configuring

Security Modes

None. Turns security off. Not recommended (default for BasicHttpBinding).
Transport. Uses transport security for mutual authentication and message protection.
Message. Uses message security for mutual authentication and message protection. WCF requires X509 certificate.
Both. Allows you to supply settings for transport and message-level security (only MSMQ supports this).

Controlling security modes

demo

Security Modes (cont.)

TransportWithMessageCredential. Client credentials are passed with the message. Service authentication, confidentiality, and data integrity are provided by the transport layer.

TransportCredentialOnly. Client credentials are passed with the transport layer and no message protection is applied.

Security Modes

Name                 None  Transport  Message  Mixed  Both
NetTcpBinding        +     R          +        +      -
NetNamedPipeBinding  +     R          -        -      -
NetMsmqBinding       +     R          +        -      -
BasicHttpBinding     R     +          +        +      -
WSHttpBinding        +     +          R        +      -
WSDualHttpBinding    +     -          R        -      +

R = Default

WCF Channel Stack

[Diagram labels: WCF Runtime; Binding; Channel Stack (Protocol, Protocol, Protocol, Encoding, Transport); Dispatcher; Service Instance (Operation, Operation)]

netTcpBinding

Security.Mode == None

TcpTransportBinding
BinaryMessageEncodingBinding
TransactionFlowBinding

[Diagram: WCF Runtime channel stack, Dispatcher, Service Instance, Binding]

netTcpBinding

Security.Mode == Transport

TcpTransportBinding
WindowsStreamSecurityBinding
BinaryMessageEncodingBinding
TransactionFlowBinding

[Diagram: WCF Runtime channel stack, Dispatcher, Service Instance, Binding]

netTcpBinding

Security.Mode == Message

TcpTransportBinding
BinaryMessageEncodingBinding
SymmetricSecurityBinding
TransactionFlowBinding

[Diagram: WCF Runtime channel stack, Dispatcher, Service Instance, Binding]

netTcpBinding

Security.Mode == TransportWithMessageCredentials

TcpTransportBinding
BinaryMessageEncodingBinding
SslStreamSecurityBinding
TransactionFlowBinding
TransportSecurityBinding

[Diagram: WCF Runtime channel stack, Dispatcher, Service Instance, Binding]
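
The netTcpBinding slides list the binding elements behind each Security.Mode value. The console program below is an added example, not code from the deck: it prints the binding elements and the security capabilities WCF reports for every mode, and for a default BasicHttpBinding, whose default mode the deck gives as None. It assumes a .NET Framework project that references System.ServiceModel; the class name BindingStackDump is made up for illustration.

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Channels;

// Added example: BindingStackDump is a hypothetical name, not from the deck.
// Build against .NET Framework with a reference to System.ServiceModel.dll.
static class BindingStackDump
{
    // Prints the binding elements a binding expands to, followed by the
    // protection that the resulting channel stack reports.
    static void Dump(string label, Binding binding)
    {
        Console.WriteLine(label);

        // CreateBindingElements returns the elements in stack order,
        // with the transport element last.
        foreach (BindingElement element in binding.CreateBindingElements())
        {
            Console.WriteLine("  element: " + element.GetType().Name);
        }

        // ISecurityCapabilities summarises what the stack provides.
        // Treat a null result as "nothing in the stack provides security".
        ISecurityCapabilities caps =
            binding.GetProperty<ISecurityCapabilities>(new BindingParameterCollection());
        if (caps == null)
        {
            Console.WriteLine("  no security capabilities reported");
        }
        else
        {
            Console.WriteLine("  request protection  : " + caps.SupportedRequestProtectionLevel);
            Console.WriteLine("  response protection : " + caps.SupportedResponseProtectionLevel);
            Console.WriteLine("  authenticates client: " + caps.SupportsClientAuthentication);
            Console.WriteLine("  authenticates server: " + caps.SupportsServerAuthentication);
        }
        Console.WriteLine();
    }

    static void Main()
    {
        // SecurityMode has the four values the slides walk through:
        // None, Transport, Message, TransportWithMessageCredential.
        foreach (SecurityMode mode in Enum.GetValues(typeof(SecurityMode)))
        {
            Dump("netTcpBinding, Security.Mode == " + mode, new NetTcpBinding(mode));
        }

        // The parameterless constructor applies the binding's default mode.
        Dump("basicHttpBinding, default settings", new BasicHttpBinding());
    }
}
```

Running this against the bindings a service actually exposes is a quick way to confirm that an endpoint is not silently running with protection level None.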

Controlling credentials at the transport level

demo

Transport Security and Credentials

Name                 None  Windows  User Name  Certificate
NetTcpBinding        +     R        -          +
NetNamedPipeBinding  -     R        -          -
NetMsmqBinding       +     R        -          +
BasicHttpBinding     R     +        +          +
WSHttpBinding        +     R        +          +
WSDualHttpBinding    n/a   n/a      n/a        n/a

R = Default

Controlling Message Security and credentials

demo

Message Security and Credentials

Name                 None  Windows  User Name  Certificate  Issued Token
NetTcpBinding        +     R        +          +            +
NetNamedPipeBinding  n/a   n/a      n/a        n/a          n/a
NetMsmqBinding       +     R        -          +            +
BasicHttpBinding     -     -        -          +            -
WSHttpBinding        +     R        +          +            +
WSDualHttpBinding    +     R        +          +            +

R = Default

Choices
Choices
Choices
You confused by now?

Out of the box bindings
Intranet

NetNamedPipeBinding
  Limited reach – same machine, cross process
  Fast
  No SOAP support
  Defaults:
    Security Mode: Transport
    Credentials: Windows
    Message protection: Encrypt and Sign

Out of the box bindings (cont.)
Intranet

NetTcpBinding
  WCF-to-WCF scenarios
  Fast, can add WS* features – performance tradeoff
  If you used COM+/DCOM use this binding
  Load balancing – has server affinity, reduce lease timeout
  Defaults:
    Security Mode: Transport
    Credentials: Windows
    Message protection: Encrypt and Sign

Out of the box bindings (cont.)
Intranet

NetMsmqBinding
  Queued work / workload leveling / Disconnected scenarios
  Defaults:
    Security Mode: Transport
    Credentials: Windows
    Message protection: Sign
MsmqIntegrationBinding
  Non WCF clients

Out of the box bindings (cont.)
Internet

BasicHttpBinding
  Interop for ASMX, support for WS-I Basic Profile 1.1
  Does not support WS* stack
  Works well with existing HTTP load balancing techniques
  Only binding supported in Silverlight 2.0
  Defaults:
    Security Mode: None
    Transport: None
    Credentials: User Name
    Message protection: None

Out of the box bindings (cont.)
Internet

WSHttpBinding
  Non Windows/WCF clients
  Restricted Ports, firewalls
  Can use HTTP load balancing – Can’t use reliable session, EstablishSecurityContext == off.
  Defaults:
    Security Mode: Message
    Transport: HTTP
    Credentials: Windows
    Message protection: Sign and Encrypt

Out of the box bindings (cont.)
Internet

WSFederationHttpBinding
  Share identities across multiple systems
  Custom tokens
  Defaults:
    Security Mode: Message
    Transport: HTTP
    Credentials: Windows
    Message protection: Sign and Encrypt

Service and Client

Security Extension Points

customization

Customization Scenarios

Custom security tokens
Custom authentication methods
Claims-based authorization
Claims transformation
Custom principals

WCF Security Extensible Points

Credentials
Authorization
Service Authorization Manager
External Authorization Policy
Custom Endpoint Identity Verifier
Authentication
Security Token Authenticator
Security Token Provider
Custom Authorization Policy
Serialization
Security Token Serializer
Security Key Identifier Clause
Custom Security Token Manager
Custom Service Credentials
Custom Client Credentials

Custom Authentication

[Diagram labels]
ISecureCalculator
CalculatorService
SAML1.0
http://schemas../givenname
http://schemas../lastname
http://schemas../self
http://localhost/serv.svc

<services>
  <service name="CalculatorService" behaviorConfiguration="ServiceCredentials">
    <endpoint address=""
              binding="wsFederationHttpBinding"
              bindingConfiguration="requireInfoCard"
              contract="ISecureCalculator">
      <identity>
        <certificateReference findValue="fabrikam"
                              x509FindType="FindBySubjectName"
                              storeLocation="LocalMachine"
                              storeName="My" />
      </identity>
    </endpoint>
  </service>
</services>
<bindings>
  <wsFederationHttpBinding>
    <binding name="requireInfoCard"> ...</binding>
  </wsFederationHttpBinding>
</bindings>
<behaviors>
  <serviceBehaviors>
    <behavior name="ServiceCredentials">...</behavior>
  </serviceBehaviors>
</behaviors>

<behavior name="ServiceCredentials">
  <!-- Custom ServiceAuthorizationManager that makes the access decision -->
  <serviceAuthorization serviceAuthorizationManagerType="MyServiceAuthorizationManagers.SelfissuedServAuthMgr, MyServiceAuthorizationManagers" />
  <serviceCredentials>
    <serviceCertificate findValue="fabrikam"
                        x509FindType="FindBySubjectName"
                        storeLocation="LocalMachine"
                        storeName="My" />
    <!-- Accepts issued tokens signed by an RSA key that has no trusted certificate -->
    <issuedTokenAuthentication allowUntrustedRsaIssuers="true" />
  </serviceCredentials>
</behavior>
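
The behavior above sets allowUntrustedRsaIssuers="true" and names a custom authorization manager, so the decision about which token-signing keys to trust falls to that manager. One possible body for it follows as an added example, not the presenter's code. The enrolled-key allow-list, the placeholder claim type URIs (the deck elides the real ones), and the assumption that a self-issued token's issuer claim set carries the signing key as an RSA claim are illustrative.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Claims;
using System.Security.Cryptography;
using System.ServiceModel;
using System.Text;

namespace MyServiceAuthorizationManagers
{
    // Added example. The type name matches serviceAuthorizationManagerType in
    // the slide's config; the body is hypothetical, not the presenter's code.
    public class SelfissuedServAuthMgr : ServiceAuthorizationManager
    {
        // Placeholders: use the same claim type URIs that the binding's
        // claimTypeRequirements element lists (the deck elides them).
        static readonly string[] RequiredClaimTypes =
            { "<GIVENNAME-CLAIM-TYPE-URI>", "<LASTNAME-CLAIM-TYPE-URI>" };

        // Assumption: callers are enrolled out of band by the SHA-256 hash of
        // their token-signing public key. The entry below is a placeholder.
        static readonly HashSet<string> EnrolledKeyHashes =
            new HashSet<string>(StringComparer.Ordinal) { "<BASE64-SHA256-OF-ENROLLED-KEY>" };

        protected override bool CheckAccessCore(OperationContext operationContext)
        {
            ServiceSecurityContext security = operationContext.ServiceSecurityContext;
            if (security == null || security.AuthorizationContext == null)
                return false; // no authenticated caller

            foreach (ClaimSet claimSet in security.AuthorizationContext.ClaimSets)
            {
                if (IssuerIsEnrolled(claimSet.Issuer) && HasRequiredClaims(claimSet))
                    return true;
            }
            return false; // deny by default
        }

        // With allowUntrustedRsaIssuers="true" a token signed by any RSA key
        // passes authentication, so the key itself is checked here.
        // Assumption: the issuer claim set exposes that key as an Rsa claim.
        static bool IssuerIsEnrolled(ClaimSet issuer)
        {
            if (issuer == null) return false;
            foreach (Claim claim in issuer)
            {
                RSA key = claim.ClaimType == ClaimTypes.Rsa ? claim.Resource as RSA : null;
                if (key == null) continue;
                byte[] publicKey = Encoding.UTF8.GetBytes(key.ToXmlString(false));
                using (SHA256 sha = SHA256.Create())
                {
                    string hash = Convert.ToBase64String(sha.ComputeHash(publicKey));
                    if (EnrolledKeyHashes.Contains(hash)) return true;
                }
            }
            return false;
        }

        // Every required claim type must be present with a non-empty value.
        static bool HasRequiredClaims(ClaimSet claimSet)
        {
            foreach (string claimType in RequiredClaimTypes)
            {
                bool found = false;
                foreach (Claim claim in claimSet.FindClaims(claimType, Rights.PossessProperty))
                {
                    if (!string.IsNullOrEmpty(claim.Resource as string)) found = true;
                }
                if (!found) return false;
            }
            return true;
        }
    }
}
```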

Custom Authentication

demo

Service Config

[Diagram labels]
ISecureCalculator
CalculatorService
SAML1.0
http://schemas../givenname
http://schemas../lastname
http://schemas../self
http://localhost/serv.svc

<services>
  <service name="CalculatorService" behaviorConfiguration="ServiceCredentials">
    <endpoint address=""
              binding="wsFederationHttpBinding"
              bindingConfiguration="requireInfoCard"
              contract="ISecureCalculator">
      <identity>
        <certificateReference findValue="fabrikam"
                              x509FindType="FindBySubjectName"
                              storeLocation="LocalMachine"
                              storeName="My" />
      </identity>
    </endpoint>
  </service>
</services>
<bindings>
  <wsFederationHttpBinding>
    <binding name="requireInfoCard"> ...</binding>
  </wsFederationHttpBinding>
</bindings>
<behaviors>
  <serviceBehaviors>
    <behavior name="ServiceCredentials">...</behavior>
  </serviceBehaviors>
</behaviors>

<binding name="requireInfoCard">
  <security mode="Message">
    <message issuedTokenType="urn:oasis:names:tc:SAML:1.0:assertion">
      <!-- Claims the service requires in the issued token -->
      <claimTypeRequirements>
        <add claimType="http://schemas../givenname" />
        <add claimType="http://schemas../lastname" />
      </claimTypeRequirements>
      <issuer address="http://schemas.../self" />
    </message>
  </security>
</binding>

<behavior name="ServiceCredentials">
  <serviceCredentials>
    <serviceCertificate findValue="fabrikam"
                        x509FindType="FindBySubjectName"
                        storeLocation="LocalMachine"
                        storeName="My" />
    <!-- Accepts issued tokens signed by an RSA key that has no trusted certificate -->
    <issuedTokenAuthentication allowUntrustedRsaIssuers="true" />
  </serviceCredentials>
</behavior>

Client Config

[Diagram labels]
SAML1.0
http://schemas../givenname
http://schemas../lastname
http://madSTS.org/sts
ISecureCalculator
CalculatorService
http://localhost/serv.svc

<client>
  <endpoint address="http://localhost/serv.svc/"
            bindingConfiguration="requireInfoCard"
            binding="wsFederationHttpBinding"
            contract="ISecureCalculator"
            behaviorConfiguration="ClientCredentials">
    <identity>
      <certificateReference findValue="fabrikam"
                            x509FindType="FindBySubjectName"
                            storeLocation="CurrentUser"
                            storeName="TrustedPeople" />
    </identity>
  </endpoint>
</client>
<bindings>
  <wsFederationHttpBinding>
    <binding name="requireInfoCard">…</binding>
  </wsFederationHttpBinding>
</bindings>
<behaviors>
  <endpointBehaviors>
    <behavior name="ClientCredentials">…</behavior>
  </endpointBehaviors>
</behaviors>

<binding name="requireInfoCard">
  <security mode="Message">
    <message issuedTokenType="urn:oasis:names:tc:SAML:1.0:assertion">
      <claimTypeRequirements>
        <add claimType="http://schemas../emailaddress" />
        <add claimType="http://schemas../givenname" />
      </claimTypeRequirements>
      <issuer address="http://schemas../self" />
    </message>
  </security>
</binding>

<behavior name="ClientCredentials">
  <clientCredentials>
    <serviceCertificate>
      <defaultCertificate findValue="fabrikam"
                          x509FindType="FindBySubjectName"
                          storeLocation="CurrentUser"
                          storeName="TrustedPeople" />
      <!-- revocationMode="NoCheck" turns off revocation checking of the service certificate -->
      <authentication revocationMode="NoCheck" certificateValidationMode="PeerOrChainTrust" />
    </serviceCertificate>
  </clientCredentials>
</behavior>

Tips & Tricks

VS2008 SP1

Tips & Tricks (cont.)

New Services

NetMsmqActivator (Net.Msmq Listener Adapter)
  Receives activation requests over the net.msmq and msmq.formatname protocols and passes them to the Windows Process Activation Service.
NetPipeActivator (Net.Pipe Listener Adapter)
  Receives activation requests over the net.pipe protocol and passes them to the Windows Process Activation Service.

New Services

NetTcpActivator (Net.Tcp Listener Adapter)
  Receives activation requests over the net.tcp protocol and passes them to the Windows Process Activation Service.
NetTcpPortSharing (Net.Tcp Port Sharing Service)
  Provides ability to share TCP ports over the net.tcp protocol.

Q & A

Resources for Developers

www.microsoft.com/teched
  Tech·Talks
  Tech·Ed Bloggers
  Live Simulcasts
  Virtual Labs
http://microsoft.com/msdn
  Developer’s Kit, Licenses, and MORE!

Track Resources

CodePlex WCF Security Guidance - http://www.codeplex.com/WCFSecurity
IDesign code library - http://www.idesign.net/
MSDN WCF demos and examples - http://wcf.netfx3.com/
(WCF), (WF) and Windows CardSpace Samples - MSDN http://tinyurl.com/4zvppt
Bloggers: Ron Jacobs, Vittorio Bertocci, Michelle Bustamante, Aaron Skonnard, etc.

Complete an evaluation on CommNet and enter to win!

1 Year Subscription!

© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

[Diagram labels: Client Claims; Service Claims; Authority (twice); Valid? (twice)]

Identity Types

DNS - Use this element with X.509 certificates or Windows accounts.

Certificate - This element specifies a Base64-encoded X.509 certificate value to compare with the client. Also use this element when using a CardSpace as a credential to authenticate the service.

Certificate Reference
RSA
User Principal Name
Service Principal Name

Topology

[Diagram labels: INTRANET; DMZ; Partners; IIS (twice); Router; S1; S2; STS; WinClient (twice); Browser (twice)]