
Number of slides: 40
Applied WSE 2.0 Security
Mike Shaw, .NET Security Dude
mikeshaw@microsoft.com
Dr.Security@hotmail.co.uk
Background
- Mike joined the 125 people that made up Microsoft UK in October 1991.
- April 2002 - IBM and Microsoft: "Security in a Web Services World: A Proposed Architecture and Roadmap"
- March 2004 - WS-Security standard: OASIS (http://www.oasis-open.org) released Web Services Security 1.0
- April 2004 - WS-I.org Basic Profile 1.0 Final (1.1 WGD) http://www.ws-i.org/Profiles/BasicProfile-1.0-2004-0416.html
- May 2004 - WS-I.org Basic Security Profile 1.0 WG draft http://www.ws-i.org/deliverables/workinggroup.aspx?wg=basicsecurity
- Other security standards in the pipeline (public specifications): WS-Trust, WS-Policy, WS-Federation, WS-SecureConversation, WS-SecurityPolicy
Channel – point-to-point
Channel vs Message
- The channel is the 'pipe' or transport mechanism for data
- Could use standard approaches: SSL/TLS, HTTP/S (Basic, digest, certs, etc)
- Only applies to point-to-point
- Need greater flexibility, e.g. send my credit card data to the retailer, who passes it to the credit card authorisation company but must not see my card details
Secure Communication: Protocol-level security (SSL)
- Encrypts the entire message
- Sender must trust all intermediaries
- Restricts the protocols that can be used
A Message via Intermediary
- Channel doesn't matter*: could be HTTP, SSL, MIME/S-MIME etc.
- Secure the SOAP message using WS-Security (encryption and signing); works with any Web service capable application
- Flow: Client sends a signed, encrypted message -> Intermediary (auditing/logging, authorization) forwards the authorized message -> Target Service (authentication, message validation)
- Confidential message processing end to end
- * WS-I Basic Profile specifies HTTP
Secure Communication: Message-level security
- End-to-end message security independent of transport
- Supports multiple protocols and multiple encryption technologies
- Encrypt only parts of the message
- Sender need only trust the endpoint
Security of a Message
- Integrity: the message has not changed. Open standards algorithms, hashing, XML Signature (Canonicalization, C14N)
- Confidentiality: content only visible to authorised entities. XML Encryption, asymmetric and symmetric
- "Exchange Data More Securely with XML Signatures and Encryption": http://msdn.microsoft.com/security/default.aspx?pull=/msdnmag/issues/04/11/xmlsignatures/default.aspx
- Tokens: claims and assertions, authentication and authorization information
Web Services Enhancements 2.0
http://msdn.microsoft.com/webservices/building/wse/
- WS-Security: XML Signature, XML Encryption, Tokens
- WS-SecureConversation
- WS-Trust
- WS-Policy
- WS-SecurityPolicy
How does WSE work? (pipeline diagram, shown on two slides)
- SoapContext
- Policy (custom policy)
- Referral
- Security (Security Token Manager)
- Trace
- Custom filters
- User code
What are the security choices?
- Code or Policy
- Authentication tokens: User Name and Password, X.509 v3 Certificate, Kerberos Ticket, Custom Security Token, Security Context
- Integrity
- Confidentiality
What is WS-Policy?
- A way to advertise and enforce the policies of your site
- Message age, types of tokens, lifetime of tokens, which elements need to be signed
- XML based
- Complex
Policy Driven Architecture: saying what you need, to do what you will do
- X's Out: policy used by X when sending a message out (often implicit)
- Y's In: policy used by Y when receiving a message in
- X: Get Policy -> Compatible? -> Cache Y's In -> send(To: Y, X's Out, Y's In)
- Y: receive(To: Y, Y's In)
WS-SecurityPolicy (slide image)
Demo: Simple WSE 2.0 App & Service using policy
WS-Policy, UDDI and WSE (diagram)
- UDDI services tModels: SiliconValley Policy (Encryption: X.509), New York Policy (Integrity: Username), Redmond Policy (Integrity: X.509)
- Client App (WSE) with PolicyCache: SiliconValley Policy, NewYork Policy, Redmond Policy
- California Service (WSE), Policy SiliconValley: Integrity: Username, Encryption: X.509
- New York Service (WSE), Policy NewYork: Integrity: X.509, Encryption: X.509
- Redmond Service (WSE), Policy Redmond: Integrity: Username
Tokens
- A token asserts claims (Username, Public Keys) with proof of possession (Passwords, Private Keys)
- Available tokens: UsernameToken, BinarySecurityToken, CustomXmlToken
Tokens
- Username Tokens
- Binary Security Tokens: X.509 Tokens, Kerberos Tokens
- Custom XML Tokens: SAML Tokens, Gateway Tokens
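The deck lists the UsernameToken as the simplest token and later notes a UsernameTokenManager that validates the username and password against a database. The following Python is an added example, not code from the deck or from WSE: it builds the hashed form of the token (PasswordDigest = Base64(SHA-1(nonce + created + password)), as in the WS-Security UsernameToken profile) and validates it on the service side with a freshness window and a nonce replay cache. The credential store, nonces and timestamps are constructed sample values; the five-minute window and one-minute clock skew are assumptions, not policy values from the deck.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

CREATED_FMT = "%Y-%m-%dT%H:%M:%SZ"


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """UsernameToken profile: PasswordDigest = Base64(SHA-1(nonce + created + password))."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def make_username_token(username: str, password: str, now: datetime,
                        nonce: Optional[bytes] = None) -> Dict[str, str]:
    """Client side: the wsse:UsernameToken fields (as a dict rather than XML) with a hashed password."""
    nonce = nonce if nonce is not None else os.urandom(16)
    created = now.strftime(CREATED_FMT)
    return {
        "Username": username,
        "PasswordDigest": password_digest(nonce, created, password),
        "Nonce": base64.b64encode(nonce).decode("ascii"),
        "Created": created,
    }


class UsernameTokenManager:
    """Service side: validate a token against a credential store, with freshness and replay checks.

    The digest form needs the service to hold the password itself (or something it can
    recompute the digest from), which is a known limitation of this token type.
    """

    def __init__(self, credentials: Dict[str, str],
                 max_age: timedelta = timedelta(minutes=5),
                 clock_skew: timedelta = timedelta(minutes=1)):
        self._credentials = credentials          # constructed sample store
        self._max_age = max_age
        self._skew = clock_skew
        self._seen = set()                       # (nonce, created) pairs already accepted

    def validate(self, token: Dict[str, str], now: datetime) -> Tuple[bool, str]:
        try:
            created = datetime.strptime(token["Created"], CREATED_FMT).replace(tzinfo=timezone.utc)
            nonce = base64.b64decode(token["Nonce"], validate=True)
        except (KeyError, ValueError):
            return False, "malformed token"
        if created > now + self._skew:
            return False, "created timestamp is in the future"
        if now - created > self._max_age:
            return False, "token too old"
        if (token["Nonce"], token["Created"]) in self._seen:
            return False, "replayed nonce"
        password = self._credentials.get(token.get("Username", ""))
        expected = password_digest(nonce, token["Created"], password or "")
        # Constant-time compare; an unknown user still fails after the digest is computed.
        if password is None or not hmac.compare_digest(expected, token.get("PasswordDigest", "")):
            return False, "bad credentials"
        self._seen.add((token["Nonce"], token["Created"]))
        return True, "ok"


def run_demo():
    """Constructed scenario: a good token, a replay of it, a wrong password and a stale token."""
    now = datetime(2004, 5, 1, 10, 0, 0, tzinfo=timezone.utc)
    mgr = UsernameTokenManager({"alice": "correct horse"})
    good = make_username_token("alice", "correct horse", now, nonce=b"\x01" * 16)
    bad_pw = make_username_token("alice", "wrong", now, nonce=b"\x02" * 16)
    stale = make_username_token("alice", "correct horse", now - timedelta(minutes=10), nonce=b"\x03" * 16)
    return [
        mgr.validate(good, now),
        mgr.validate(good, now + timedelta(seconds=1)),   # same nonce again
        mgr.validate(bad_pw, now),
        mgr.validate(stale, now),
    ]


if __name__ == "__main__":
    for result in run_demo():
        print(result)
```

The replay cache only needs to remember nonces for the length of the freshness window; anything older is already rejected by the age check, which is also why the age check runs before the cache lookup.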
Sending lots of messages
- The problem: asymmetric encryption is most secure, but slow, bulky and inefficient; symmetric encryption is faster, but needs token issuing
- WS-Trust: Security Token Service (STS), Request for Security Token (RST), Request for Security Token Response (RSTR)
- Security Context Token (SCT)
Scope of Trust
- Client presents a username token and requests a custom token
- STS returns a CustomToken
- Client presents the custom token with each SOAP function call
Derived Security Token
- The DerivedKeyToken creates a different key for each message
- Ensures a different key is used for each message
- Makes a cipher-only attack more difficult
- Use it wherever possible!
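The deck says a DerivedKeyToken gives every message its own key without a new token exchange. The Python below is an added example, not code from the deck or from WSE, showing the key derivation behind that: P_SHA1(secret, label + nonce) sliced at an offset, as WS-SecureConversation specifies, so both sides compute the same per-message key from the shared Security Context Token secret and the nonce carried in the message. The label value and the mapping of "generation" to offset are stated from memory of the specification and are assumptions here; the secret and nonces are constructed sample values.

```python
import hashlib
import hmac

# Assumption: the default derivation label from WS-SecureConversation; policy can override it.
DEFAULT_LABEL = b"WS-SecureConversation"


def p_sha1(secret: bytes, seed: bytes, length: int) -> bytes:
    """TLS-style P_SHA1 expansion, the PRF WS-SecureConversation uses for derived keys.

    P_SHA1(secret, seed) = HMAC-SHA1(secret, A(1) + seed) || HMAC-SHA1(secret, A(2) + seed) || ...
    where A(0) = seed and A(i) = HMAC-SHA1(secret, A(i-1)).
    """
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha1).digest()
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()
    return out[:length]


def derive_key(secret: bytes, nonce: bytes, offset: int = 0, length: int = 16,
               label: bytes = DEFAULT_LABEL) -> bytes:
    """Key = P_SHA1(secret, label + nonce)[offset : offset + length], as in a wsc:DerivedKeyToken."""
    if offset < 0 or length <= 0:
        raise ValueError("offset must be >= 0 and length > 0")
    return p_sha1(secret, label + nonce, offset + length)[offset:offset + length]


def derive_message_keys(secret: bytes, nonces) -> list:
    """One key per message: the SCT secret stays fixed, only the per-message nonce changes."""
    return [derive_key(secret, n) for n in nonces]


def run_demo() -> dict:
    # Constructed sample: the SCT secret both sides hold after the RST/RSTR exchange, and three
    # nonces, one per message (fixed so the demo is reproducible; real nonces are random).
    sct_secret = bytes(range(16))
    nonces = [b"msg-1-nonce-0001", b"msg-2-nonce-0002", b"msg-3-nonce-0003"]
    keys = derive_message_keys(sct_secret, nonces)
    # Assumption: generation g of a 16-byte key means offset g * 16 into the same key stream.
    gen0 = derive_key(sct_secret, nonces[0], offset=0, length=16)
    gen1 = derive_key(sct_secret, nonces[0], offset=16, length=16)
    return {
        "keys": keys,
        "all_distinct": len(set(keys)) == len(keys),
        # The receiver recomputes from the same secret and the nonces it read from the messages.
        "receiver_matches": derive_message_keys(sct_secret, nonces) == keys,
        "generations_distinct": gen0 != gen1,
        # The stream is stable: asking for more bytes does not change the earlier ones.
        "prefix_consistent": p_sha1(sct_secret, nonces[0], 20) == p_sha1(sct_secret, nonces[0], 60)[:20],
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, [k.hex() for k in value] if isinstance(value, list) else value)
```

Because the nonce is sent in the clear, the security of each derived key rests entirely on the SCT secret; the point of deriving is that a compromised or analysed per-message key does not expose the others or the secret itself.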
Managing Security Context Tokens in a Web Farm
http://msdn.microsoft.com/library/en-us/dnwebsrv/html/sctinfarm.asp
Intranet – Behind the Firewall
- Problem: perceived to be 'secure'; latency usually an issue; systems need to work together; SSO expected
- Windows world: Kerberos. WSE 2.0 gives you a WindowsPrincipal in the service. Limitations include size, 'single hop', need for a KDC
- Heterogeneous: X.509 v3, Username, custom
Internet – Outside the Firewall
- The problem: all routes are potentially hostile; undoubtedly heterogeneous
- Lowest common denominator: X.509 v3 certificates. Offers the best levels of security (AuthN, integrity, confidentiality) but can be awkward to deal with (issue, trust, revocation)
- Future: WS-Federation, Active Directory Federation Server
WS-Federation Interop Scenario
- Parties: Identity Provider (STS-IP) and Employee Benefits Portal at My Employer; Resource Provider (STS-RP) and Benefits Application at the Benefits Company; federation claims flow between the STSs, application claims to the client
1. User attempts to access My Employer's Employee Portal
2. User is authenticated by My Employer's Security Token Service (STS-IP)
3. User requests access to Benefits Company's Benefits Application and obtains a federation SAML token from STS-IP containing claims specific to the trust agreement between My Employer and Benefits Company
4. The Benefits Company's STS (STS-RP) verifies the SAML token and gives the user a security token containing claims specific to the Benefits Application
5. User signs out of the Benefits Application and returns to the Employee Portal
Performance
- Use WS-SecureConversation for more than 2 messages
- Canonicalization process is complex and involves generation of multiple hashes (MD5 slightly quicker than SHA1)
- Payload size of tokens: Kerberos v5 – 4k (3256 bytes); X.509 v3 certificate – 1k (608 bytes); UsernameToken – under 1k; SecurityContextToken – 128 bit (AES); custom – up to you
http://www.fawcette.com/xmlmag/2002_10/online/webservices_rjennings_10_16_02/page4.aspx
Role-based AuthZ with Policy
- SecurityTokenPrincipal: implementation of IPrincipal, automatically set for UsernameToken and KerberosSecurityToken
- IPrincipal is the .NET interface for role-based authorization: bool IsInRole(String str)
- Call the method explicitly or use Policy
Long Lived Messages
- Scenario example: send a message signed with a Kerberos token to BizTalk, where it waits for 2 days before being sent on to the final destination. When it finally arrives, the token causes an exception.
- Messages retained for auditing
- Messages have a TTL
Non-Repudiation
- How do you ensure that a transaction was at the request of a particular sender?
- Certificates
- Auditing: the cipher text and key; possibly whole messages signed by an auditing service
WSE 2.0 and Interop
- InfoPath, BizTalk, Office
- Cross platform (http://msdn.microsoft.com/webservices/building/interop/):
- Sun JWSDP (Java Web Services Developer Pack) 1.4: http://msdn.microsoft.com/library/en-us/dnbda/html/interopsun.asp
- IBM WebSphere Application Developer 5.1.2: http://msdn.microsoft.com/library/en-us/dnbda/html/wsinteroprecsibm-final.asp
- BEA WebLogic 8.1 SP3 (8.1.3): http://msdn.microsoft.com/library/en-us/dnbda/html/wsinteroprecsbea.asp
- SAML or XrML…
A Glance at the Past
Summary
- Policy will get you going quickest
- User Name and Password: good for bootstrapping a Security Context or integration with other AuthN mechanisms, WindowsPrincipal
- X.509 v3 Certificate: good for interop, Internet
- Kerberos Ticket: big, offers integrated security (getting better), AuthN/Z data, road to federation
- Custom Security Token: can implement SAML or XrML
- Security Context: great for lots of messages, small, fast
Links
- WSE Info: http://msdn.microsoft.com/webservices/building/wse/default.aspx
- Hands on Lab: Web Services Security and Policy with Web Services Enhancements 2.0: http://download.microsoft.com/download/7/A/A/7AA994A0-98E1-42CC-A527-0FE1B49DEB40/HOL-WSESecurity.EXE
- WS-Security Drilldown: http://msdn.microsoft.com/library/en-us/dnwse/html/wssecdrill.asp
- Build Security Into Your Web Services with WSE 2.0 and ISA Server 2004: http://msdn.microsoft.com/msdnmag/issues/04/11/WebServiceSecurity/default.aspx
© 2003 Microsoft Limited. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
Government Gateway and WSE
- Custom filters: Enterprise Instrumentation Framework tracing
- CustomSecurityTokenService: distributes GatewayTokens
- UsernameTokenManager: validates username/password against the database
- X509TokenManager: validates signature and certificate
- CustomTokenManager: used to validate GatewayTokens
- Policy files
Lessons Learnt…
- WSE config files: no room for error; mainly an issue early on in the project
- Certificates: permissions, performance; WSE comes with a certificate tool
- ISA
- Time difference between servers: servers on a domain do not sync accurately enough
Lessons Learnt…
- Interoperability: design WSDL first, avoid complex types, cultural issues
- Specifications: still evolving, not all are ratified
- Start-up times: easy to miss in testing; web farms make it worse