Web Services Security Patterns
Alex Mackman
CM Group Ltd, [email protected]
patterns & practices Guidance
http://go.microsoft.com/fwlink/?LinkId=55348
Agenda
- Background
- Authentication patterns
- Message protection patterns
- Applying patterns to common scenarios
Web Service Threats
Threats shown against the three parts of the system, the client, the service and the message in transit:
- Tampering
- Eavesdropping
- Configuration information disclosure
- Message replay
- Unauthorized access
- Elevation of privileges
Countermeasures
- Authentication: user names and passwords; X.509 certificates; Kerberos tokens; SAML STS tokens
- Authorization: role based, resource based
- Encryption: symmetric, asymmetric; transport level, message level
- Digital signatures
- Many others!
Why Patterns?
- Good starting point for investigating specific areas
- To learn the alternatives within a specific problem domain
- Navigating the patterns & practices Web service security patterns can be achieved by using:
  - Security decision trees
  - Common scenarios
  - Problem / solution matrices
The Technologies
- Today: Web Services Enhancements (WSE) 3.0
- Tomorrow: Windows Communication Foundation (WCF)
- The technologies are getting easier to use:
  - Standard policy assertions to help meet key customer scenarios with minimal coding
  - Higher levels of abstraction
  - Declarative programming models
Agenda: Authentication patterns
Direct Authentication
Participants: Client, Service, Identity Store.
1. Request (client to service)
2. Validate credentials (service against the identity store)
3. Response (service to client)
Brokered Authentication
Participants: Client, Authentication Broker, Identity Store, Service.
1. Auth request (client to authentication broker)
2. Validate credentials (broker against the identity store)
3. Auth response, carrying a token (broker to client)
4. Service request, presenting the token (client to service)
5. Validate token (service)
6. Service response (service to client)
Brokered Authentication Patterns
Architecture: Brokered Authentication
Design: Kerberos | X.509 | SAML STS
Implementation:
  - Kerberos: Transport layer with Windows Integrated; Message layer with Kerberos and WSE
  - X.509: Transport layer with SSL; Message layer with X.509 and WSE
  - SAML STS: Message layer with SAML tokens
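The six-step brokered flow above, as an added example in plain Python. This is not code from the deck and not a real KDC or STS: an HMAC over the token, keyed with a secret shared between broker and service, stands in for a Kerberos ticket's encryption or an STS's X.509 signature. The identity store, the service names and the per-service keys are constructed for the example. The point to notice is that the service validates the token locally and never talks to the identity store.

```python
"""Brokered authentication: the broker validates credentials once and issues a
token the service can check without calling the identity store.

Added example, not code from the deck and not a real KDC or STS. The identity
store, service names and broker/service shared keys below are constructed.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed: what the broker holds (Active Directory in the deck's intranet scenario).
IDENTITY_STORE = {"rep.smith": "W1thdraw!"}
# Constructed: one long-term key per service, shared only between broker and that service.
SERVICE_KEYS = {
    "WithdrawalService": b"k-withdrawal-0001",
    "OrderingService": b"k-ordering-0001",
}


class AuthenticationBroker:
    def __init__(self, identity_store, service_keys, ttl_seconds=300):
        self.identity_store = identity_store
        self.service_keys = service_keys
        self.ttl = ttl_seconds

    def authenticate(self, username, password, service, now=None):
        """Steps 1-3: auth request, validate credentials, auth response (token or None)."""
        stored = self.identity_store.get(username)
        if stored is None or not hmac.compare_digest(stored.encode(), password.encode()):
            return None
        key = self.service_keys.get(service)
        if key is None:
            return None
        now = int(now if now is not None else time.time())
        # Audience and lifetime are part of the signed claims, so a token for one
        # service cannot be replayed against another or used after it expires.
        claims = {"sub": username, "aud": service, "iat": now, "exp": now + self.ttl}
        body = json.dumps(claims, sort_keys=True).encode()
        tag = hmac.new(key, body, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(body).decode() + "." + base64.urlsafe_b64encode(tag).decode()


class Service:
    def __init__(self, name, key):
        self.name = name
        self.key = key

    def validate_token(self, token, now=None):
        """Step 5: check integrity, audience and lifetime locally; returns the subject or None."""
        try:
            body_b64, tag_b64 = token.split(".")
            body = base64.urlsafe_b64decode(body_b64)
            tag = base64.urlsafe_b64decode(tag_b64)
        except ValueError:
            return None
        if not hmac.compare_digest(hmac.new(self.key, body, hashlib.sha256).digest(), tag):
            return None  # forged, tampered, or issued under a different service's key
        claims = json.loads(body)
        now = now if now is not None else time.time()
        if claims["aud"] != self.name or not claims["iat"] - 60 <= now < claims["exp"]:
            return None  # wrong audience, not yet valid (60 s clock skew), or expired
        return claims["sub"]

    def handle_request(self, token, payload, now=None):
        """Steps 4 and 6: service request carrying the token, service response."""
        subject = self.validate_token(token, now)
        if subject is None:
            return {"status": 401, "body": "authentication required"}
        return {"status": 200, "body": f"{subject} requested {payload}"}
```

The token is meant to be reused for many requests within its lifetime, which is the point of brokering; it does not by itself stop a captured request from being replayed. That is the job of per-message protection (a timestamp and signature over each request, the Kerberos authenticator in the real protocol), covered by the message protection patterns later in the deck.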
Direct Authentication Patterns
Architecture: Direct Authentication
Design: Username Token with Directory Service | Username Token with Data Store
Implementation: HTTP Basic; Username Token with Windows Auth

Direct Authentication: User name token over transport with WSE 3.0
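The direct authentication pattern at the protocol level, as an added example in plain Python rather than WSE 3.0 code (WSE builds and checks this header for you through its UsernameToken policy). It shows what a WS-Security UsernameToken with PasswordDigest carries and the three checks a validator must make: timestamp freshness, nonce replay, and the digest itself. The identity store, user name and password are constructed for the example.

```python
"""Direct authentication with a WS-Security UsernameToken (PasswordDigest).

Added example, not code from the deck or from WSE 3.0. The identity store,
user name and password are constructed.
"""
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

# Constructed identity store. PasswordDigest requires the service to recompute
# SHA-1(nonce + created + password), so the store must hold the password (or a
# value derived identically on both sides); a salted one-way hash cannot be used
# with this scheme. That is the trade-off against the plaintext PasswordText form.
IDENTITY_STORE = {"merchant42": "correct horse battery staple"}

TIMESTAMP_FORMAT = "%Y-%m-%dT%H:%M:%SZ"
FRESHNESS_WINDOW = timedelta(minutes=5)  # accepted clock skew, and how long nonces are remembered


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """UsernameToken Profile 1.0: Base64(SHA-1(nonce + created + password))."""
    digest = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return base64.b64encode(digest).decode()


def build_username_token(username, password, created=None, nonce=None):
    """Client side: the four child elements of wsse:UsernameToken."""
    nonce = nonce if nonce is not None else os.urandom(16)
    created = created or datetime.now(timezone.utc).strftime(TIMESTAMP_FORMAT)
    return {
        "Username": username,
        "PasswordDigest": password_digest(nonce, created, password),
        "Nonce": base64.b64encode(nonce).decode(),
        "Created": created,
    }


class UsernameTokenValidator:
    """Service side: checks freshness, rejects replayed nonces, then verifies the digest."""

    def __init__(self, store, window=FRESHNESS_WINDOW):
        self.store = store
        self.window = window
        self.seen_nonces = {}  # nonce -> time after which it can be forgotten

    def validate(self, token, now=None):
        now = now or datetime.now(timezone.utc)
        try:
            username = token["Username"]
            presented = token["PasswordDigest"]
            created = datetime.strptime(token["Created"], TIMESTAMP_FORMAT).replace(tzinfo=timezone.utc)
            nonce = base64.b64decode(token["Nonce"], validate=True)
        except (KeyError, ValueError):
            return False, "malformed token"
        if abs(now - created) > self.window:
            return False, "stale timestamp"
        # Forget nonces outside the window; a nonce still inside it is a replay.
        self.seen_nonces = {n: t for n, t in self.seen_nonces.items() if t > now}
        if token["Nonce"] in self.seen_nonces:
            return False, "replayed nonce"
        password = self.store.get(username)
        # Compute the digest even for unknown users so the timing does not reveal them.
        expected = password_digest(nonce, token["Created"], password or "")
        if password is None or not hmac.compare_digest(expected, presented):
            return False, "authentication failed"  # same answer for unknown user and bad password
        self.seen_nonces[token["Nonce"]] = now + self.window
        return True, username
```

Two practitioner caveats: the nonce cache must be shared across a farm (or requests pinned to one node) for the replay check to mean anything, and the digest only hides the password from a passive observer; it does nothing for the rest of the message, which is why the deck's public scenario pairs the token with HTTPS.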
Agenda: Message protection patterns
Message Protection Patterns
Architecture: Data Origin Authentication | Data Confidentiality
Design: Message Validator
Implementation: Message layer X.509 certs in WSE; Transport layer confidentiality with HTTPS

Message layer security with X.509 certificates in WSE 3.0
Agenda: Applying patterns to common scenarios
Public Web Service Scenario: Merchant Web Application Example
Merchant Web Application -> Distributor Service -> Catalog Data
Public Web Service Scenario: Security Decisions
Factor | Consideration | Decision
Authentication | Merchant accounts are stored in a custom database or directory service | UsernameToken can be used with custom auth, Windows auth or any other directory service
Authentication | Merchants accessing the Web service must be authenticated | UsernameToken provides the ability to authenticate merchants
Message protection | Message data is sensitive and must be protected | HTTPS protects the message data while in transit between merchant and distributor
Public Web Service Scenario: Recommended Patterns
- Direct authentication pattern
- Direct authentication: Username token over HTTPS pattern
- Data confidentiality pattern
- Trusted subsystem pattern
Public Web Service Scenario: Security Solution
Merchant Web Application -> (Username token with HTTPS) -> Distributor Web Service -> Catalog Data
The Distributor Web Service validates the username token against its Identity Store and reaches Catalog Data as a trusted subsystem, under its own identity rather than the merchant's.
Intranet Web Service Scenario: Banking Application Example
Banking Application -> Withdrawal Web Service -> Customer Account Database
Intranet Web Service Scenario: Security Decisions
Factor | Consideration | Decision
Authentication | Customer service reps are located in AD on a computer running Windows Server 2003 | Active Directory supports the Kerberos protocol
Authentication | Application must support SSO capabilities | Kerberos supports SSO capabilities
Authentication | Mutual authentication is required | KerberosToken contains both requestor and service information
Auditing | Account activities carried out by customer service reps must be audited | Kerberos supports impersonation/delegation, which enables downstream auditing
Message protection | Message data is sensitive. Must be protected against unauthorized access and tampering | KerberosToken can be used to encrypt a message and sign a message
Intranet Web Service Scenario: Recommended Patterns
- Brokered authentication pattern
- Brokered authentication: Kerberos pattern
- Data confidentiality pattern
- Data origin authentication pattern
- Composite implementation pattern: Message layer security with Kerberos in WSE 3.0 pattern (authenticates, signs and encrypts)
Intranet Web Service Scenario: Security Solution
Banking Application -> (Kerberos token) -> Withdrawal Web Service -> (impersonation / delegation) -> Customer Account Database
Active Directory acts as the KDC that issues the Kerberos token.
Internet B2B Scenario: Manufacturing Company Example
Manufacturing Company: Supply Chain Application -> Procurement Web Service
Procurement Web Service -> Internet -> Ordering Web Service (Supplier)
Internet B2B Scenario: Security Decisions
Factor | Consideration | Decision
Authentication | Supply chain application users are in AD on Windows Server 2003 | Kerberos is supported by AD on the intranet
Authentication | Application must support SSO capabilities | Kerberos supports SSO capabilities
Authentication | External Web service is hosted in an unknown environment | Interaction between internal and external Web service does not require user credentials; X.509 certs can be used
Authentication | External Web service is hosted in an unknown environment | X.509 certs represent a well known protocol that supports interop with other platforms
Message protection | Message data is sensitive. Must be protected against unauthorized access and tampering | X.509 certs can be used to encrypt a message and sign a message
Internet B2B Scenario: Recommended Patterns
- Brokered authentication pattern
- Brokered authentication: X.509 certificates pattern
- Brokered authentication: Kerberos pattern
- Data confidentiality pattern
- Data origin authentication pattern
- Composite implementation pattern: Message layer security with Kerberos in WSE 3.0 pattern (authenticates, signs and encrypts)
Internet B2B Scenario: Security Solution
Manufacturing Company: Supply Chain Application -> (Kerberos token, issued by Active Directory / KDC) -> Procurement Web Service
Procurement Web Service -> Service Perimeter Router -> Internet -> Ordering Web Service (Supplier), with X.509 certificates used between the two services
More Information
- Web Service Security: Scenarios, Patterns and Implementation Guidance for Web Services Enhancements (WSE) 3.0
  http://go.microsoft.com/fwlink/?LinkId=55348
- Encrypting part of a message nugget
  http://www.microsoft.com/uk/msdn/events/nuggets.aspx
- WSE 3.0 Download
  http://msdn.microsoft.com/webservices/webservices/building/wse/default.aspx
- Mail me with questions: [email protected]

© 2004 Microsoft Limited. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.