Nov 28, 2014
Building Secure Web Services Using Windows Communication Foundation
Petar Vucetin, Senior Software Engineer, Vertigo
Session Code: SOA312
Agenda
- Learn how to use standard WCF security mechanisms correctly
- Understand appropriate scenarios for the various WCF security options
- Understand how to extend WCF security for custom applications
Threat Modeling
- CIA: Confidentiality, Integrity, Availability
- STRIDE: Spoofing, Tampering, Repudiation, Information Disclosure, DoS, Elevation of Privilege
Security
- Confidentiality: the content of the message is kept secret
- Integrity: confidence that the message received is the same one the sender sent
- Authentication: confidence that we know the caller's identity; confidentiality and integrity are useless without authenticity
WCF Out of the box experience
- Defaults to secure mode
- Claim-based
- Internet, intranet and custom security scenarios
- Secure conversations
- Transfer: message integrity and protection
- Mutual authentication (client -> service, service -> client)
- Authorization
[Diagram: a Caller sends a Message (WS*) to a WCF Service running in a Host. The Caller Identity and the Service Identity travel with it over a Transport (TLS, SSL, IPSec), governed by Trust, Policy and Claims. Each endpoint is an ABC: Address – Where? Binding – How? Contract – What?]
Transport Security
- Prevents eavesdropping, tampering, and message forgery
- Point-to-point communication: SSL over HTTP, TLS over TCP, IPSEC/L2TP
- Provides endpoint authentication and communications privacy using cryptography
[Diagram: Caller and Service endpoints (ABC) joined by the Transport (TLS, SSL, IPSec)]
Message WS-Security
SOAP Envelope
  SOAP Header
    Misc. Headers
    Security Header
      Security Token
      Timestamp
      Signature
      Encrypted Key
  SOAP Body
    Data (Encrypted Data)
Message Security
- Transport independent
- Uses SOAP / WS-Security
- Parts of the message can be signed or encrypted
- All of the security information is encapsulated in the message
- Security credentials and claims travel with every message
- Wide set of credentials and claims supported
- WCF requires an X509 certificate
[Diagram: Caller and Service endpoints (ABC) exchanging a Message (WS*)]
Authentication
- Caller identification: Windows tokens, certificates, user name tokens, custom
- Service identification (to caller): Windows tokens, X.509 certificates
Authentication: WS-Security
[Diagram: security tokens carried by WS-Security between a caller and a service: X509, Kerberos, SAML, XrML, Custom; the Contract & Policies determine which are accepted. With an X509 certificate the service verifies that the user owns/is able to use a private key that is never transmitted.]
Authorization
- What is the caller allowed to do? WCF uses the caller's claims
- Can have many: Windows token, SAML
- Windows groups, ASP.NET providers, custom provider
- No good without authentication
Scenarios
- Intranet
  - Direct access to service (rare) – single machine
  - Application servers – more common, distributed, maybe port restrictions and firewalls
  - AD, Windows auth
- Internet
  - Firewalled, DMZed; restricted ports and routes; custom identity store
  - Maybe a trusted subsystem down the line with AD/Windows auth
  - Maybe multiple authentication systems involved
Scenarios (cont.)
- B2B
  - Crossing multiple network topologies, firewalls, port restrictions
  - Non-Windows security topologies and implementations
  - May require acquiring and using different identities
  - Maybe multiple authentication systems involved
  - Most likely service to service
Configuring Service and Client: how does this stuff work?
Security Modes
- None. Turns security off. Not recommended (default for BasicHttpBinding).
- Transport. Uses transport security for mutual authentication and message protection.
- Message. Uses message security for mutual authentication and message protection. WCF requires an X509 certificate.
- Both. Allows you to supply settings for transport and message-level security (only MSMQ supports this).
Controlling security modes (demo)
Security Modes (cont.)
- TransportWithMessageCredential. Client credentials are passed with the message. Service authentication, confidentiality and data integrity are provided by the transport layer.
- TransportCredentialOnly. Client credentials are passed with the transport layer and no message protection is applied.
Security Modes (R = default, + = supported, - = not supported)
Binding              None  Transport  Message  Mixed  Both
NetTcpBinding        +     R          +        +      -
NetNamedPipeBinding  +     R          -        -      -
NetMsmqBinding       +     R          +        -      -
BasicHttpBinding     R     +          +        +      -
WSHttpBinding        +     +          R        +      -
WSDualHttpBinding    +     -          R        -      +
WCF Channel Stack
[Diagram: inside the WCF Runtime the Binding builds the channel stack (protocol layers, then encoding, then transport); above it the Dispatcher routes messages to the operations of the Service Instance.]
netTcpBinding, Security.Mode == None
Binding elements: TcpTransportBinding, BinaryMessageEncodingBinding, TransactionFlowBinding
netTcpBinding, Security.Mode == Transport
Binding elements: TcpTransportBinding, WindowsStreamSecurityBinding, BinaryMessageEncodingBinding, TransactionFlowBinding
netTcpBinding, Security.Mode == Message
Binding elements: TcpTransportBinding, BinaryMessageEncodingBinding, SymmetricSecurityBinding, TransactionFlowBinding
netTcpBinding, Security.Mode == TransportWithMessageCredential
Binding elements: TcpTransportBinding, SslStreamSecurityBinding, BinaryMessageEncodingBinding, TransportSecurityBinding, TransactionFlowBinding
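The security-mode slides and the four netTcpBinding channel-stack slides above describe the same thing from two sides: the mode you pick decides which security binding element WCF inserts into the stack. The following C# is an added example (not the talk's demo code) that asks a NetTcpBinding for its binding elements under each mode so you can see the stack for yourself, plus a small guard that refuses to host an endpoint whose mode is None; BindingStackInspector, DescribeStack and RequireSecurity are names chosen here.

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Channels;

// Helper names are this example's own, not part of WCF or the talk's demo.
public static class BindingStackInspector
{
    // Returns the binding element type names in the order WCF lists them
    // (protocol elements first, transport last).
    public static string[] DescribeStack(Binding binding)
    {
        BindingElementCollection elements = binding.CreateBindingElements();
        var names = new string[elements.Count];
        for (int i = 0; i < elements.Count; i++)
            names[i] = elements[i].GetType().Name;
        return names;
    }

    // Fail fast at startup instead of silently hosting an unprotected endpoint.
    public static void RequireSecurity(NetTcpBinding binding)
    {
        if (binding.Security.Mode == SecurityMode.None)
            throw new InvalidOperationException(
                "Security.Mode == None: messages are neither signed nor encrypted.");
    }

    public static void Main()
    {
        SecurityMode[] modes =
        {
            SecurityMode.None, SecurityMode.Transport,
            SecurityMode.Message, SecurityMode.TransportWithMessageCredential
        };
        foreach (SecurityMode mode in modes)
        {
            var binding = new NetTcpBinding(mode);
            Console.WriteLine("netTcpBinding, Security.Mode == " + mode);
            foreach (string name in DescribeStack(binding))
                Console.WriteLine("  " + name);
        }
        // Typical use before ServiceHost.AddServiceEndpoint(...).
        RequireSecurity(new NetTcpBinding(SecurityMode.Transport));
    }
}
```

Compare the printed element names with the slides: Transport adds WindowsStreamSecurityBindingElement, Message adds SymmetricSecurityBindingElement, and TransportWithMessageCredential adds both SslStreamSecurityBindingElement and TransportSecurityBindingElement.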
Controlling credentials at the transport level (demo)
Transport Security and Credentials (R = default, + = supported, - = not supported)
Binding              None  Windows  User Name  Certificate
NetTcpBinding        +     R        -          +
NetNamedPipeBinding  -     R        -          -
NetMsmqBinding       +     R        -          +
BasicHttpBinding     R     +        +          +
WSHttpBinding        +     R        +          +
WSDualHttpBinding    n/a   n/a      n/a        n/a
Controlling message security and credentials (demo)
Message Security and Credentials (R = default, + = supported, - = not supported)
Binding              None  Windows  User Name  Certificate  Issued Token
NetTcpBinding        +     R        +          +            +
NetNamedPipeBinding  n/a   n/a      n/a        n/a          n/a
NetMsmqBinding       +     R        -          +            +
BasicHttpBinding     -     -        -          +            -
WSHttpBinding        +     R        +          +            +
WSDualHttpBinding    +     R        +          +            +
Choices
Choices, choices. Confused by now?
Out of the box bindings: Intranet
- NetNamedPipeBinding
  - Limited reach – same machine, cross process
  - Fast
  - No SOAP support
  - Defaults: Security Mode: Transport; Credentials: Windows; Message protection: Encrypt and Sign
Out of the box bindings (cont.): Intranet
- NetTcpBinding
  - WCF-to-WCF scenarios
  - Fast, can add WS* features – performance tradeoff
  - If you used COM+/DCOM, use this binding
  - Load balancing – has server affinity, reduce lease timeout
  - Defaults: Security Mode: Transport; Credentials: Windows; Message protection: Encrypt and Sign
Out of the box bindings (cont.): Intranet
- NetMsmqBinding
  - Queued work / workload leveling / disconnected scenarios
  - Defaults: Security Mode: Transport; Credentials: Windows; Message protection: Sign
- MsmqIntegrationBinding: non-WCF clients
Out of the box bindings (cont.): Internet
- BasicHttpBinding
  - Interop for ASMX, support for WS-I Basic Profile 1.1
  - Does not support the WS* stack
  - Works well with existing HTTP load balancing techniques
  - Only binding supported in Silverlight 2.0
  - Defaults: Security Mode: None; Transport: None; Credentials: User Name; Message protection: None
Out of the box bindings (cont.): Internet
- WsHttpBinding
  - Non-Windows/WCF clients
  - Restricted ports, firewalls
  - Can use HTTP load balancing – can't use reliable session, EstablishSecurityContext == off
  - Defaults: Security Mode: Message; Transport: HTTP; Credentials: Windows; Message protection: Sign and Encrypt
Out of the box bindings (cont.): Internet
- WsFederationHttpBinding
  - Share identities across multiple systems
  - Custom tokens
  - Defaults: Security Mode: Message; Transport: HTTP; Credentials: Windows; Message protection: Sign and Encrypt
Service and Client: Security Extension Points (customization)
Customization Scenarios
- Custom security tokens
- Custom authentication methods
- Claims-based authorization
- Claims transformation
- Custom principals
WCF Security Extensible Points
- Credentials: Custom Service Credentials, Custom Client Credentials, Custom Security Token Manager
- Authentication: Security Token Authenticator, Security Token Provider, Custom Endpoint Identity Verifier
- Authorization: Service Authorization Manager, External Authorization Policy, Custom Authorization Policy
- Serialization: Security Token Serializer, Security Key Identifier Clause
Custom Authentication
[Diagram: a client calls CalculatorService (contract ISecureCalculator) at http://localhost/serv.svc with a SAML 1.0 token carrying the http://schemas../givenname and http://schemas../lastname claims issued by the self issuer (http://schemas../self).]

<services>
  <service name="CalculatorService" behaviorConfiguration="ServiceCredentials">
    <endpoint address="" binding="wsFederationHttpBinding"
              bindingConfiguration="requireInfoCard" contract="ISecureCalculator">
      <identity>
        <certificateReference findValue="fabrikam" x509FindType="FindBySubjectName"
                              storeLocation="LocalMachine" storeName="My" />
      </identity>
    </endpoint>
  </service>
</services>
<bindings>
  <wsFederationHttpBinding>
    <binding name="requireInfoCard"> ... </binding>
  </wsFederationHttpBinding>
</bindings>
<behaviors>
  <serviceBehaviors>
    <behavior name="ServiceCredentials"> ... </behavior>
  </serviceBehaviors>
</behaviors>

<behavior name="ServiceCredentials">
  <!-- Custom ServiceAuthorizationManager: runs the claims check on every call -->
  <serviceAuthorization serviceAuthorizationManagerType="MyServiceAuthorizationManagers.SelfissuedServAuthMgr, MyServiceAuthorizationManagers" />
  <serviceCredentials>
    <serviceCertificate findValue="fabrikam" x509FindType="FindBySubjectName"
                        storeLocation="LocalMachine" storeName="My" />
    <!-- Accepts tokens signed by RSA keys that are not in a trusted store,
         which is what self-issued cards use; the authorization manager above
         must therefore do the real access decision -->
    <issuedTokenAuthentication allowUntrustedRsaIssuers="true" />
  </serviceCredentials>
</behavior>
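The serviceAuthorization element above plugs a ServiceAuthorizationManager into the pipeline; the following C# is an added example of what such a class looks like, not the SelfissuedServAuthMgr from the demo. RequiredClaimAuthorizationManager, HasRequiredClaim and the claim type URI are assumptions; the URI is a placeholder for whichever claim type the binding lists under claimTypeRequirements.

```csharp
using System;
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;
using System.ServiceModel;

// Hypothetical stand-in for the demo's SelfissuedServAuthMgr; names are this example's own.
public class RequiredClaimAuthorizationManager : ServiceAuthorizationManager
{
    // Placeholder URI: use the claim type the binding's <claimTypeRequirements> demands.
    public const string RequiredClaimType = "http://schemas.example.invalid/givenname";

    // WCF calls this once per operation; returning false becomes an access-denied fault.
    protected override bool CheckAccessCore(OperationContext operationContext)
    {
        ServiceSecurityContext securityContext = operationContext.ServiceSecurityContext;

        // Security mode None or an anonymous caller leaves nothing to decide on: deny.
        if (securityContext == null || securityContext.IsAnonymous)
            return false;

        return HasRequiredClaim(securityContext.AuthorizationContext);
    }

    // Walks every claim set the token authenticators produced (Windows, X509, SAML, ...)
    // and accepts only when the required claim is present with a non-empty value.
    public static bool HasRequiredClaim(AuthorizationContext authorizationContext)
    {
        if (authorizationContext == null)
            return false;

        foreach (ClaimSet claimSet in authorizationContext.ClaimSets)
        {
            foreach (Claim claim in claimSet.FindClaims(RequiredClaimType, Rights.PossessProperty))
            {
                string value = claim.Resource as string;
                if (!string.IsNullOrEmpty(value))
                    return true;
            }
        }
        return false;
    }
}
```

Register it exactly as the config above does, with serviceAuthorizationManagerType pointing at this class and its assembly.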
Custom Authentication (demo): Service Config
[Diagram: CalculatorService (contract ISecureCalculator) at http://localhost/serv.svc accepts a SAML 1.0 token carrying the http://schemas../givenname and http://schemas../lastname claims issued by http://schemas../self.]

<binding name="requireInfoCard">
  <security mode="Message">
    <message issuedTokenType="urn:oasis:names:tc:SAML:1.0:assertion">
      <claimTypeRequirements>
        <add claimType="http://schemas../givenname" />
        <add claimType="http://schemas../lastname" />
      </claimTypeRequirements>
      <issuer address="http://schemas../self" />
    </message>
  </security>
</binding>

<behavior name="ServiceCredentials">
  <serviceCredentials>
    <serviceCertificate findValue="fabrikam" x509FindType="FindBySubjectName"
                        storeLocation="LocalMachine" storeName="My" />
    <!-- Accepts tokens signed by RSA keys that are not in a trusted store (self-issued cards) -->
    <issuedTokenAuthentication allowUntrustedRsaIssuers="true" />
  </serviceCredentials>
</behavior>
Client Config
[Diagram: the client calls CalculatorService (contract ISecureCalculator) at http://localhost/serv.svc with a SAML 1.0 token carrying the http://schemas../givenname and http://schemas../lastname claims, obtained from an STS (http://madSTS.org/sts).]

<client>
  <endpoint address="http://localhost/serv.svc/" bindingConfiguration="requireInfoCard"
            binding="wsFederationHttpBinding" contract="ISecureCalculator"
            behaviorConfiguration="ClientCredentials">
    <identity>
      <certificateReference findValue="fabrikam" x509FindType="FindBySubjectName"
                            storeLocation="CurrentUser" storeName="TrustedPeople" />
    </identity>
  </endpoint>
</client>
<bindings>
  <wsFederationHttpBinding>
    <binding name="requireInfoCard"> ... </binding>
  </wsFederationHttpBinding>
</bindings>
<behaviors>
  <endpointBehaviors>
    <behavior name="ClientCredentials"> ... </behavior>
  </endpointBehaviors>
</behaviors>

<binding name="requireInfoCard">
  <security mode="Message">
    <message issuedTokenType="urn:oasis:names:tc:SAML:1.0:assertion">
      <claimTypeRequirements>
        <add claimType="http://schemas../emailaddress" />
        <add claimType="http://schemas../givenname" />
      </claimTypeRequirements>
      <issuer address="http://schemas../self" />
    </message>
  </security>
</binding>

<behavior name="ClientCredentials">
  <clientCredentials>
    <serviceCertificate>
      <defaultCertificate findValue="fabrikam" x509FindType="FindBySubjectName"
                          storeLocation="CurrentUser" storeName="TrustedPeople" />
      <!-- NoCheck skips certificate revocation checking (demo setting);
           PeerOrChainTrust accepts a certificate in TrustedPeople or one chaining to a trusted root -->
      <authentication revocationMode="NoCheck" certificateValidationMode="PeerOrChainTrust" />
    </serviceCertificate>
  </clientCredentials>
</behavior>
Tips & Tricks: VS2008 SP1
Tips & Tricks (cont.)
New Services
- NetMsmqActivator (Net.Msmq Listener Adapter): receives activation requests over the net.msmq and msmq.formatname protocols and passes them to the Windows Process Activation Service.
- NetPipeActivator (Net.Pipe Listener Adapter): receives activation requests over the net.pipe protocol and passes them to the Windows Process Activation Service.
- NetTcpActivator (Net.Tcp Listener Adapter): receives activation requests over the net.tcp protocol and passes them to the Windows Process Activation Service.
- NetTcpPortSharing (Net.Tcp Port Sharing Service): provides the ability to share TCP ports over the net.tcp protocol.
Q & A
www.microsoft.com/teched: Tech·Talks, Tech·Ed Bloggers, Live Simulcasts, Virtual Labs
http://microsoft.com/msdn
Developer’s Kit, Licenses, and MORE!
Resources for Developers
CodePlex WCF Security Guidance - http://www.codeplex.com/WCFSecurity
IDesign code library - http://www.idesign.net/
MSDN WCF demos and examples - http://wcf.netfx3.com/
(WCF), (WF) and Windows CardSpace Samples - MSDN http://tinyurl.com/4zvppt
Track Resources
Bloggers: Ron Jacobs, Vittorio Bertocci, Michelle Bustamante, Aaron Skonnard, etc.
Complete an evaluation on CommNet and enter to win a 1 Year Subscription!
© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
[Diagram: Client Claims and Service Claims are each checked against their Authority: Valid?]
Identity Types
- DNS - Use this element with X.509 certificates or Windows accounts.
- Certificate - This element specifies a Base64-encoded X.509 certificate value to compare with the client. Also use this element when using CardSpace as a credential to authenticate the service.
- Certificate Reference
- RSA
- User Principal Name
- Service Principal Name
Topology
[Diagram: Intranet (IIS, Router, services S1 and S2), DMZ (IIS, STS) and Partners; callers are WinClients and Browsers.]