
Number of slides: 40

Applied WSE 2.0 Security
Mike Shaw, .NET Security Dude
mikeshaw@microsoft.com, Dr.Security@hotmail.co.uk

Background
Mike joined the 125 people that made up Microsoft UK in October 1991.
Security in a Web Services world:
- April 2002: "Security in a Web Services World: A Proposed Architecture and Roadmap", IBM and Microsoft
- March 2004: WS-Security standard; OASIS (http://www.oasis-open.org) released Web Services Security 1.0
- April 2004: WS-I.org Basic Profile 1.0 Final (1.1 WGD), http://www.ws-i.org/Profiles/BasicProfile-1.0-2004-0416.html
- May 2004: WS-I.org Basic Security Profile 1.0 WG draft, http://www.ws-i.org/deliverables/workinggroup.aspx?wg=basicsecurity
Other security standards in the pipeline (public specifications): WS-Trust, WS-Policy, WS-Federation, WS-SecureConversation, WS-SecurityPolicy

Channel: point-to-point

Channel vs Message
The channel is the 'pipe' or transport mechanism for data. It can use the standard approaches: SSL/TLS, HTTP/S (Basic, Digest, certificates, etc.), but these only apply point-to-point. We need greater flexibility, e.g. I send my credit card data to the retailer, who passes it on to the credit card authorisation company but must not itself see my card details.

Secure Communication: protocol-level security (SSL)
- Encrypts the entire message
- Sender must trust all intermediaries
- Restricts the protocols that can be used

A Message via an intermediary
The channel doesn't matter*: it could be HTTP, SSL, MIME/S-MIME, etc. The SOAP message itself is secured using WS-Security for encryption and signing.
Diagram: Client sends a signed, encrypted message; the Intermediary (auditing/logging, authorization, message validation) forwards an authorized message; the Target Service (authentication, confidential message processing) handles it. Any Web service capable application can take part.
* WS-I Basic Profile specifies HTTP

Secure Communication: message-level security
- End-to-end message security independent of transport
- Supports multiple protocols and multiple encryption technologies
- Encrypt only parts of the message
- Sender need only trust the endpoint

Security of a Message
- Integrity: the message has not changed. Open-standard algorithms, hashing, XML Signature (Canonicalization, C14N)
- Confidentiality: content only visible to authorised entities. XML Encryption, asymmetric and symmetric
- Tokens, claims and assertions: authentication and authorization information
Exchange Data More Securely with XML Signatures and Encryption: http://msdn.microsoft.com/security/default.aspx?pull=/msdnmag/issues/04/11/xmlsignatures/default.aspx

Canonicalization (slide image: two XML fragments carrying the same "Some text" / "More text" content, serialised differently)
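The slides say XML Signature hashes the canonical (C14N) form rather than the raw bytes. The following is an added example, not code from the slides or from WSE, that shows why: two byte-different serialisations of the same SOAP Body give different raw digests but the same digest after canonicalisation, while a tampered body still fails. It uses only the Python standard library; `xml.etree.ElementTree.canonicalize` (Python 3.8+) implements C14N 2.0, not the C14N 1.0 / Exclusive C14N that WS-Security stacks of 2004 used, but the normalisations shown (attribute order, quoting, empty elements, comments, the XML declaration) behave the same. The SOAP bodies and the `Body-1` id are constructed samples.

```python
"""Added example: digest over the canonical form, as XML Signature does it."""
import hashlib
from xml.etree.ElementTree import canonicalize

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"

# Constructed sample: the same Body as the client sent it (A) and as an
# intermediary re-serialised it (B): different attribute order, quote style,
# empty-element form, a comment, and no XML declaration.
BODY_A = (
    '<?xml version="1.0"?>'
    f'<s:Body xmlns:s="{SOAP}" xmlns:u="{WSU}" u:Id="Body-1">'
    '<Transfer amount="100" currency="GBP"><Memo/></Transfer>'
    '</s:Body>'
)
BODY_B = (
    f"<s:Body xmlns:u='{WSU}' xmlns:s='{SOAP}' u:Id='Body-1'>"
    '<!-- re-serialised by intermediary -->'
    '<Transfer currency="GBP" amount="100"><Memo></Memo></Transfer>'
    '</s:Body>'
)
# Constructed sample: a tampered copy of BODY_A (amount changed).
BODY_TAMPERED = BODY_A.replace('amount="100"', 'amount="1000"')


def raw_digest(xml: str) -> str:
    """Digest of the bytes as received: changes with every re-serialisation."""
    return hashlib.sha256(xml.encode("utf-8")).hexdigest()


def c14n_digest(xml: str) -> str:
    """DigestValue the way XML Signature computes it: canonicalise, then hash.

    SHA-256 here; 2004-era stacks defaulted to SHA-1 (the performance slide
    even mentions MD5), and neither should be chosen for new signatures.
    """
    canonical = canonicalize(xml, with_comments=False)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def reference_valid(received_xml: str, signed_digest: str) -> bool:
    """Receiver-side check of one <ds:Reference>: recompute the digest over the
    canonical form of what arrived and compare with the signed DigestValue."""
    return c14n_digest(received_xml) == signed_digest


if __name__ == "__main__":
    signed = c14n_digest(BODY_A)                      # what the client signed
    print("raw digests equal:   ", raw_digest(BODY_A) == raw_digest(BODY_B))
    print("c14n digests equal:  ", c14n_digest(BODY_B) == signed)
    print("tampered body valid: ", reference_valid(BODY_TAMPERED, signed))
    print(canonicalize(BODY_B, with_comments=False))
```

The receiver never sees the client's original bytes, only what the last hop forwarded; without canonicalisation every signature through a re-serialising intermediary would fail, and the "tampered" case shows the canonical form still pins the content.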

Web Services Enhancements 2.0 (http://msdn.microsoft.com/webservices/building/wse/)
WS-Security (XML Signature, XML Encryption, Tokens), WS-SecureConversation, WS-Trust, WS-Policy, WS-SecurityPolicy

How does WSE work?
Diagram (two builds of the same slide): a message's SoapContext passes through the WSE filter pipeline (Security, Policy, Referral, Trace and Custom Filters, backed by the Security Token Manager) before reaching user code, and back out through the same filters on the way out.

What are the security choices?
- Code or Policy
- Authentication tokens: User Name and Password, X.509 v3 Certificate, Kerberos Ticket, Custom Security Token, Security Context
- Integrity
- Confidentiality

What is WS-Policy?
A way to advertise and enforce the policies of your site: message age, types of tokens, lifetime of tokens, which elements need to be signed. XML based and complex; there is a send-side and a receive-side policy. Supports role-based authorisation; for plain-text UsernameTokens it gets a Windows identity.

Policy Driven Architecture: saying what you need, to do what you will do.
Diagram: X has an outbound policy used when sending a message out (often implicit); Y has an inbound policy used when receiving a message in. X gets Y's inbound policy, checks it is compatible with X's outbound policy, caches it, then send(To: Y, X's Out, Y's In); Y does receive(To: Y, Y's In).

WS-SecurityPolicy (slide image): wsse:Kerberosv5TGT, wsse:UsernameToken

Simple WSE 2.0 App & Service using policy

WS-Policy, UDDI and WSE
Diagram: a Redmond client application looks services up in UDDI, whose tModels carry each service's policy; the client's WSE PolicyCache then holds the Silicon Valley, New York and Redmond policies. Service policies: Silicon Valley service (Integrity: Username, Encryption: X.509), New York service (Integrity: X.509, Encryption: X.509), Redmond service (Integrity: Username). Each service runs WSE with its own policy.

Tokens
A token asserts claims (username, public keys) and may carry proof of possession (passwords, private keys).
Available tokens: UsernameToken, BinarySecurityToken, CustomXmlToken

Tokens
- Username Tokens
- Binary Security Tokens: X.509 Tokens, Kerberos Tokens
- Custom XML Tokens: SAML Tokens, Gateway Tokens
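The UsernameToken in the list above is the one token whose wire format fits in a few lines, and the one most often deployed badly (password sent as PasswordText, no nonce, no timestamp). The following is an added example, not code from the slides or from WSE, showing the client side and the service side of a hashed UsernameToken using only the Python standard library. The digest rule is the one in the OASIS Username Token Profile 1.0: PasswordDigest = Base64(SHA-1(nonce + created + password)), with the nonce as raw bytes and `created` as the wsu:Created text. The in-memory password dictionary, the user "alice", the sample time `T0` and the 5-minute / 2-minute windows are constructed assumptions standing in for the database and policy a real UsernameTokenManager would use.

```python
"""Added example: WS-Security UsernameToken with PasswordDigest, build and verify."""
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone
from xml.etree import ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
               "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
T0 = datetime(2004, 11, 1, 12, 0, 0, tzinfo=timezone.utc)   # constructed sample clock
ET.register_namespace("wsse", WSSE)
ET.register_namespace("wsu", WSU)


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Profile rule: Base64(SHA-1(nonce + created + password))."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def build_username_token(username: str, password: str, created: datetime, nonce=None) -> str:
    """Client side: <wsse:UsernameToken> carrying digest, nonce and timestamp."""
    nonce = nonce or os.urandom(16)
    created_text = created.strftime(TIME_FMT)
    tok = ET.Element(f"{{{WSSE}}}UsernameToken")
    ET.SubElement(tok, f"{{{WSSE}}}Username").text = username
    pw = ET.SubElement(tok, f"{{{WSSE}}}Password", Type=DIGEST_TYPE)
    pw.text = password_digest(nonce, created_text, password)
    ET.SubElement(tok, f"{{{WSSE}}}Nonce").text = base64.b64encode(nonce).decode("ascii")
    ET.SubElement(tok, f"{{{WSU}}}Created").text = created_text
    return ET.tostring(tok, encoding="unicode")


class UsernameTokenVerifier:
    """Service side. `passwords` is a constructed stand-in for the credential
    database; a nonce cache bounded by `max_age` gives replay protection."""

    def __init__(self, passwords, max_age=timedelta(minutes=5), skew=timedelta(minutes=2)):
        self._passwords = passwords
        self._max_age = max_age      # how long a nonce is remembered, and max token age
        self._skew = skew            # tolerated clock difference client vs service
        self._seen = {}              # nonce -> created, for replay detection

    def verify(self, token_xml: str, now: datetime) -> bool:
        tok = ET.fromstring(token_xml)
        username = tok.findtext(f"{{{WSSE}}}Username")
        pw = tok.find(f"{{{WSSE}}}Password")
        nonce_b64 = tok.findtext(f"{{{WSSE}}}Nonce")
        created = tok.findtext(f"{{{WSU}}}Created")
        if username is None or pw is None or nonce_b64 is None or created is None:
            return False
        if pw.get("Type") != DIGEST_TYPE:
            return False             # refuse PasswordText: a plain password on the wire
        try:
            created_dt = datetime.strptime(created, TIME_FMT).replace(tzinfo=timezone.utc)
        except ValueError:
            return False
        if not (now - self._max_age <= created_dt <= now + self._skew):
            return False             # older than the nonce cache covers, or from the future
        self._evict(now)
        nonce = base64.b64decode(nonce_b64)
        if nonce in self._seen:
            return False             # replay of a captured token
        password = self._passwords.get(username)
        if password is None:
            return False
        expected = password_digest(nonce, created, password).encode("ascii")
        if not hmac.compare_digest(expected, (pw.text or "").encode("utf-8")):
            return False
        self._seen[nonce] = created_dt   # only accepted tokens consume a nonce
        return True

    def _evict(self, now: datetime) -> None:
        cutoff = now - self._max_age
        for n in [n for n, c in self._seen.items() if c < cutoff]:
            del self._seen[n]


def demo() -> dict:
    """Accept, replay, wrong password and stale cases at constructed sample times."""
    verifier = UsernameTokenVerifier({"alice": "correct horse battery"})
    token = build_username_token("alice", "correct horse battery", T0)
    return {
        "fresh": verifier.verify(token, T0 + timedelta(seconds=30)),
        "replayed": verifier.verify(token, T0 + timedelta(seconds=31)),
        "wrong_password": verifier.verify(build_username_token("alice", "wrong", T0), T0),
        "stale": verifier.verify(build_username_token("alice", "correct horse battery", T0),
                                 T0 + timedelta(minutes=10)),
    }


if __name__ == "__main__":
    print(build_username_token("alice", "correct horse battery", T0))
    print(demo())
```

Two points a practitioner should take from it: the digest only protects the password if the service keeps a nonce cache for at least the accepted token age (otherwise a captured token is simply replayed), and the service still needs the cleartext password (or the ability to recompute the digest) on its side, so this is not a substitute for TLS or message encryption against a passive listener who can brute-force the digest offline.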

Sending lots of messages
The problem: asymmetric encryption is the most secure but slow, bulky and inefficient; symmetric encryption is faster but needs token issuing.
WS-Trust: Security Token Service (STS), Request for Security Token (RST), Request for Security Token Response (RSTR), Security Context Token (SCT)

Scope of Trust
The client presents a username token and requests a custom token; the STS returns a CustomToken; the client then presents the custom token with each SOAP function call.

Derived Security Token
The DerivedKeyToken creates a different key for each message, so a ciphertext-only attack gets no more than one message's worth of material per key. Use it wherever possible!
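The "Sending lots of messages" slide introduces the Security Context Token and this slide tells you to derive a fresh key from it for every message. The following is an added example, not code from the slides or from WSE, of the derivation WS-SecureConversation specifies for the DerivedKeyToken: the TLS P_SHA1 pseudo-random function (RFC 2246, section 5) applied as P_SHA1(secret, label + nonce), with the token's Generation selecting a 32-byte slice of the key stream (offset = generation * length; the default label is "WS-SecureConversation"). Standard library only. The `SCT_SECRET` bytes and `NONCE` are constructed samples; in practice the secret is the entropy agreed in the WS-Trust RST/RSTR exchange and the nonce travels in the DerivedKeyToken element.

```python
"""Added example: per-message keys from an SCT secret via P_SHA1 (WS-SecureConversation)."""
import hashlib
import hmac

DEFAULT_LABEL = b"WS-SecureConversation"   # default wsc:Label
DEFAULT_LENGTH = 32                         # default derived key length in bytes

SCT_SECRET = bytes(range(32))               # constructed sample; really from RST/RSTR entropy
NONCE = b"constructed-nonce-bytes"          # constructed sample wsc:Nonce


def p_sha1(secret: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.0 P_SHA1: A(0) = seed, A(i) = HMAC(secret, A(i-1)),
    output = HMAC(secret, A(1) + seed) || HMAC(secret, A(2) + seed) || ..."""
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha1).digest()
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()
    return out[:length]


def derived_key(secret: bytes, nonce: bytes, generation: int = 0,
                length: int = DEFAULT_LENGTH, label: bytes = DEFAULT_LABEL) -> bytes:
    """Key for one DerivedKeyToken: bytes [offset, offset + length) of the
    P_SHA1(secret, label + nonce) stream, offset = generation * length."""
    offset = generation * length
    return p_sha1(secret, label + nonce, offset + length)[offset:]


def sign_message(secret: bytes, nonce: bytes, generation: int, body: bytes) -> bytes:
    """HMAC-SHA1 over the (canonicalised) signed content with that message's
    derived key; the symmetric SignatureMethod WS-Security uses with an SCT."""
    return hmac.new(derived_key(secret, nonce, generation), body, hashlib.sha1).digest()


def verify_message(secret: bytes, nonce: bytes, generation: int, body: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign_message(secret, nonce, generation, body), sig)


def exchange() -> dict:
    """Two messages in one secure conversation, each under its own derived key."""
    body_1 = b"<Transfer amount='100'/>"      # constructed sample payloads
    body_2 = b"<Transfer amount='200'/>"
    sig_1 = sign_message(SCT_SECRET, NONCE, 0, body_1)   # DerivedKeyToken Generation=0
    sig_2 = sign_message(SCT_SECRET, NONCE, 1, body_2)   # DerivedKeyToken Generation=1
    return {
        "keys_differ": derived_key(SCT_SECRET, NONCE, 0) != derived_key(SCT_SECRET, NONCE, 1),
        "msg1_ok": verify_message(SCT_SECRET, NONCE, 0, body_1, sig_1),
        "msg2_ok": verify_message(SCT_SECRET, NONCE, 1, body_2, sig_2),
        "wrong_generation": verify_message(SCT_SECRET, NONCE, 1, body_1, sig_1),
        "generation_is_offset": derived_key(SCT_SECRET, NONCE, 1)
                                == p_sha1(SCT_SECRET, DEFAULT_LABEL + NONCE, 64)[32:],
    }


if __name__ == "__main__":
    for k, v in exchange().items():
        print(f"{k}: {v}")
```

The receiver needs only the SCT secret, the nonce and the Generation (or Offset/Length) from the incoming DerivedKeyToken to recompute the same key, so no per-message key ever crosses the wire; the SCT secret itself is the one value to protect, which is exactly the web-farm problem the next slide links to.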

Managing Security Context Tokens in a Web Farm: http://msdn.microsoft.com/library/en-us/dnwebsrv/html/sctinfarm.asp

Intranet: behind the firewall
Problem: perceived to be 'secure'; latency is usually an issue; systems need to work together; SSO expected.
Windows world: Kerberos. WSE 2.0 gives you a WindowsPrincipal in the service. Limitations include size, 'single hop', and the need for a KDC.
Heterogeneous: X.509 v3, Username, custom

Internet: outside the firewall
The problem: all routes are potentially hostile, and the environment is undoubtedly heterogeneous.
Lowest common denominator: X.509 v3 certificates. They offer the best levels of security (AuthN, integrity, confidentiality) but can be awkward to deal with: issuance, trust, revocation.
Future: WS-Federation, Active Directory Federation Server

WS-Federation Interop Scenario
Actors: Client; My Employer (Identity Provider, STS-IP; Employee Benefits Portal); Benefits Company (Resource Provider, STS-RP; Benefits Application). Federation claims come from the STS-IP, application claims from the STS-RP.
1. User attempts to access My Employer's Employee Portal
2. User is authenticated by My Employer's Security Token Service (STS-IP)
3. User requests access to Benefits Company's Benefits Application and obtains a federation SAML token from STS-IP containing claims specific to the trust agreement between My Employer and Benefits Company
4. The Benefits Company's STS (STS-RP) verifies the SAML token and gives the user a security token containing claims specific to the Benefits Application
5. User signs out of the Benefits Application and returns to the Employee Portal

Performance
- Use WS-SecureConversation for more than 2 messages
- The canonicalization process is complex and involves generating multiple hashes (MD5 is slightly quicker than SHA-1, but MD5 is not collision resistant and should not be chosen for signatures)
- Payload size of tokens: Kerberos v5 about 4k (3256 bytes); X.509 v3 certificate about 1k (608 bytes); UsernameToken under 1k; SecurityContextToken 128 bit (AES); custom: up to you

http://www.fawcette.com/xmlmag/2002_10/online/webservices_rjennings_10_16_02/page4.aspx

Role-based AuthZ with Policy
SecurityTokenPrincipal is an implementation of IPrincipal and is set automatically for UsernameToken and KerberosSecurityToken. IPrincipal is the .NET interface for role-based authorization: bool IsInRole(String str). Call the method explicitly or use Policy. AzMan can be used but you need to write some code...

Long-lived messages
Scenario example: a message signed with a Kerberos token is sent to BizTalk, where it waits for 2 days before being sent on to its final destination. When it finally arrives, the token causes an exception.
Messages are retained for auditing. Messages have a TTL, and tokens have a TTL: the Kerberos default in Windows is 10 hours; an X.509 certificate's lifetime is controlled by the Certificate Authority.
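The scenario above fails because the receiver judges the signing token at the time of receipt, not at the time of signing. The following is an added example, not code from the slides or from WSE, of the checks a receiver applies to a delayed message: the message's own wsu:Timestamp (Created/Expires), the policy's maximum message age, the validity window of the token that signed it, and a clock-skew allowance between servers. All times, the 3-day message lifetime, the 10-hour Kerberos and one-year X.509 windows, and the 5-minute skew are constructed sample values.

```python
"""Added example: message TTL vs token TTL vs clock skew for a store-and-forward hop."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
T_SEND = datetime(2004, 11, 1, 9, 0, tzinfo=UTC)   # constructed sample send time


@dataclass(frozen=True)
class Validity:
    not_before: datetime
    not_after: datetime

    def covers(self, t: datetime, skew: timedelta) -> bool:
        return self.not_before - skew <= t <= self.not_after + skew


@dataclass(frozen=True)
class SignedMessage:
    created: datetime          # wsu:Timestamp/wsu:Created
    expires: datetime          # wsu:Timestamp/wsu:Expires
    token_validity: Validity   # lifetime of the token whose key signed the message


def check_message(msg: SignedMessage, now: datetime,
                  max_age: timedelta = timedelta(days=3),
                  skew: timedelta = timedelta(minutes=5)):
    """Return (accepted, reason). Order: timestamp sanity, message lifetime,
    policy message age, then whether the signing token is still valid now."""
    if msg.created > now + skew:
        return False, "Created is in the future beyond the allowed clock skew"
    if msg.expires + skew < now:
        return False, "message Expires has passed"
    if now - msg.created > max_age + skew:
        return False, "message older than the policy's maximum message age"
    if not msg.token_validity.covers(now, skew):
        return False, "signing token no longer valid at time of receipt"
    return True, "accepted"


def kerberos_message(created: datetime = T_SEND) -> SignedMessage:
    """Signed with a Kerberos ticket issued at send time (Windows default: 10 hours)."""
    return SignedMessage(created, created + timedelta(days=3),
                         Validity(created, created + timedelta(hours=10)))


def x509_message(created: datetime = T_SEND) -> SignedMessage:
    """Signed with an X.509 certificate valid for the whole of 2004 (constructed)."""
    return SignedMessage(created, created + timedelta(days=3),
                         Validity(datetime(2004, 1, 1, tzinfo=UTC),
                                  datetime(2005, 1, 1, tzinfo=UTC)))


def scenarios() -> dict:
    """The slide's 2-day BizTalk delay under different tokens, plus clock skew cases."""
    two_days = T_SEND + timedelta(days=2)
    return {
        "kerberos_prompt": check_message(kerberos_message(), T_SEND + timedelta(minutes=1)),
        "kerberos_after_two_days": check_message(kerberos_message(), two_days),
        "x509_after_two_days": check_message(x509_message(), two_days),
        "x509_after_message_expired": check_message(x509_message(), T_SEND + timedelta(days=4)),
        "x509_stricter_age_policy": check_message(x509_message(), two_days,
                                                  max_age=timedelta(hours=1)),
        "clock_two_minutes_ahead": check_message(x509_message(T_SEND + timedelta(minutes=2)), T_SEND),
        "clock_ten_minutes_ahead": check_message(x509_message(T_SEND + timedelta(minutes=10)), T_SEND),
    }


if __name__ == "__main__":
    for name, (ok, why) in scenarios().items():
        print(f"{name:28s} {'ACCEPT' if ok else 'REJECT'}: {why}")
```

The practical options this exposes: size the message TTL and the policy's message age to the longest queue the message can sit in, sign with a token whose lifetime matches (an X.509 certificate rather than a Kerberos ticket), or have the intermediary validate and re-sign with its own token before forwarding. Keep the skew allowance small and the servers time-synchronised; widening the skew to paper over clock drift widens the replay window by the same amount.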

Non-repudiation
How do you ensure that a transaction was at the request of a particular sender? Certificates; auditing (retain the cipher text and the key); possibly whole messages signed by an auditing service.

WSE 2.0 and Interop
InfoPath, BizTalk, Office, cross platform (http://msdn.microsoft.com/webservices/building/interop/):
- Sun JWSDP (Java Web Services Developer Pack) 1.4: http://msdn.microsoft.com/library/en-us/dnbda/html/interopsun.asp
- IBM WebSphere Application Developer 5.1.2: http://msdn.microsoft.com/library/en-us/dnbda/html/wsinteroprecsibm-final.asp
- BEA WebLogic 8.1 SP3 (8.1.3): http://msdn.microsoft.com/library/en-us/dnbda/html/wsinteroprecsbea.asp
SAML or XrML...

A Glance at the Past

Summary
- Policy will get you going quickest
- User Name and Password: good for bootstrapping a Security Context or integration with other AuthN mechanisms; gives a WindowsPrincipal
- X.509 v3 Certificate: good for interop, Internet
- Kerberos Ticket: big; offers integrated security (getting better), AuthN/Z data, road to federation
- Custom Security Token: can implement SAML or XrML
- Security Context: great for lots of messages; small, fast

Links
- WSE Info: http://msdn.microsoft.com/webservices/building/wse/default.aspx
- Hands on Lab: Web Services Security and Policy with Web Services Enhancements 2.0: http://download.microsoft.com/download/7/A/A/7AA994A0-98E1-42CC-A527-0FE1B49DEB40/HOL-WSESecurity.EXE
- WS-Security Drilldown: http://msdn.microsoft.com/library/en-us/dnwse/html/wssecdrill.asp
- Build Security Into Your Web Services with WSE 2.0 and ISA Server 2004: http://msdn.microsoft.com/msdnmag/issues/04/11/WebServiceSecurity/default.aspx

© 2003 Microsoft Limited. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

Government Gateway and WSE
- Custom filters: Enterprise Instrumentation Framework tracing
- CustomSecurityTokenService: distributes GatewayTokens
- UsernameTokenManager: validates username/password against a database
- X509TokenManager: validates signature and certificate
- CustomTokenManager: used to validate GatewayTokens
- Policy files

Lessons learnt...
- WSE config files: no room for error; mainly an issue early on in the project
- Certificates: permissions, performance; WSE comes with a certificate tool; ISA
- Time difference between servers: servers on a domain do not sync accurately enough

Lessons learnt...
- Interoperability: design WSDL first; avoid complex types; cultural issues
- Specifications: still evolving; not all are ratified
- Start-up times: easy to miss in testing; web farms make it worse