Web Services Security Patterns, Alex Mackman, CM Group Ltd, alexm@cm-consulting.com

Date post: 19-Jan-2016
Transcript
Page 1: Web Services Security Patterns Alex Mackman CM Group Ltd alexm@cm-consulting.com.

Web Services Security Patterns

Alex Mackman

CM Group Ltd
alexm@cm-consulting.com

Page 2:

patterns & practices Guidance

http://go.microsoft.com/fwlink/?LinkId=55348

Page 3:

Agenda

Background
Authentication patterns
Message protection patterns
Applying patterns to common scenarios

Page 4:

Web Service Threats

[Diagram labels, in order: Client, Service, Message, Tampering, Eavesdropping, Configuration, Information, Disclosure, Message Replay, Unauthorized Access, Elevation of Privileges]

Page 5:

Countermeasures

Authentication: User names and passwords; X.509 certificates; Kerberos tokens, SAML STS tokens
Authorization: Role based, resource based
Encryption: Symmetric, asymmetric, transport level, message level
Digital signatures
Many others!

Page 6:

Why Patterns?

Good starting point for investigating specific areas
To learn the alternatives within a specific problem domain
Navigating the patterns & practices Web service security patterns can be achieved by using:
Security decision trees
Common scenarios
Problem / solution matrices

Page 7:

The Technologies

Today: Web Services Enhancements (WSE) 3.0
Tomorrow: Windows Communication Foundation (WCF)
The technologies are getting easier to use
Standard policy assertions to help meet key customer scenarios with minimal coding
Higher levels of abstraction
Declarative programming models

Page 8:

Agenda

Background
Authentication patterns
Message protection patterns
Applying patterns to common scenarios

Page 9:

Direct Authentication

[Diagram: Client, Service, Identity Store. Steps: 1. Request; 2. Validate credentials; 3. Response]

Page 10:

Brokered Authentication

[Diagram: Service, Identity Store, Authentication Broker. Steps: 1. Auth Request; 2. Validate credentials; 3. Auth Response; 4. Service Request; 5. Validate Token; 6. Service Response]
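
The six brokered authentication steps above, as an added example that is not part of the original deck or of WSE 3.0. It assumes an HMAC-signed token as a stand-in for the Kerberos, X.509 or SAML tokens the deck names; BROKER_KEY, IDENTITY_STORE, the user "alice" and the audience "withdrawal-service" are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values (assumptions, not from the deck).
BROKER_KEY = b"constructed-demo-key-shared-by-broker-and-service"
SALT = b"constructed-salt"

def _pw_hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 10_000)

# Identity store: only the broker reads it, never the service.
IDENTITY_STORE = {"alice": _pw_hash("correct horse")}

def broker_authenticate(user, password, audience, now=None, ttl=300):
    """Steps 1-3: validate credentials, return a signed token or None."""
    candidate = _pw_hash(password)
    stored = IDENTITY_STORE.get(user)
    if stored is None or not hmac.compare_digest(stored, candidate):
        return None
    now = time.time() if now is None else now
    claims = {"sub": user, "aud": audience, "exp": now + ttl}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(BROKER_KEY, body, hashlib.sha256).hexdigest()
    return body.decode() + "." + sig

def service_validate(token, audience, now=None):
    """Step 5: check signature, audience and expiry; return subject or None."""
    try:
        body, sig = token.rsplit(".", 1)
        expected = hmac.new(BROKER_KEY, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return None
        claims = json.loads(base64.urlsafe_b64decode(body))
    except (ValueError, TypeError, AttributeError):
        return None  # malformed token is treated as invalid
    now = time.time() if now is None else now
    # A token issued for another service, or past its lifetime, is rejected.
    if claims.get("aud") != audience or claims.get("exp", 0) <= now:
        return None
    return claims.get("sub")

def handle_service_request(token, audience="withdrawal-service", now=None):
    """Steps 4-6: the service sees only the token, never the password."""
    user = service_validate(token, audience, now)
    return {"status": 200, "user": user} if user else {"status": 401}
```

The audience and expiry checks in step 5 are what limit the value of a captured token: it is refused by any other service and after its lifetime ends.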

Page 11:

Brokered Authentication Patterns

[Diagram levels: Architecture, Design, Implementation. Labels: Brokered Authentication; X.509; Kerberos; SAML STS; Transport Layer with Windows Integrated; Message Layer with Kerberos and WSE; Transport Layer with SSL; Message Layer with X.509 and WSE; Message Layer with SAML Tokens]

Page 12:

Direct Authentication Patterns

[Diagram levels: Architecture, Design, Implementation. Labels: Direct Authentication; Username Token Directory Service; Username Token Data Store; HTTP Basic; Username Token; Windows Auth]

Page 13:

Direct Authentication: User name token over transport with WSE 3.0

Page 14:

Agenda

Background
Authentication patterns
Message protection patterns
Applying patterns to common scenarios

Page 15:

Message Protection Patterns

[Diagram levels: Architecture, Design, Implementation. Labels: Data Origin Authentication; Message Validator; Message Layer X.509 Certs in WSE; Transport Layer Confidentiality with HTTPS; Data Confidentiality]

Page 16:

Message layer security with X.509 certificates in WSE 3.0

Page 17:

Agenda

Background
Authentication patterns
Message protection patterns
Applying patterns to common scenarios

Page 18:

Public Web Service Scenario
Merchant Web Application Example

[Diagram: Merchant Web Application, Distributor Service, Catalog Data]

Page 19:

Public Web Service Scenario
Security Decisions

Factor: Authentication
Consideration: Merchant accounts are stored in a custom database or directory service
Decision: UsernameToken can be used with custom auth, Windows auth or any other directory service

Factor: Authentication
Consideration: Merchants accessing the Web service must be authenticated
Decision: UsernameToken provides the ability to authenticate merchants

Factor: Message Protection
Consideration: Message data is sensitive and must be protected
Decision: HTTPS protects the message data while in transit between merchant and distributor

Page 20:

Public Web Service Scenario
Recommended Patterns

Direct authentication pattern
Direct authentication: Username token over HTTPS pattern
Data confidentiality pattern
Trusted subsystem pattern

Page 21:

Public Web Service Scenario
Security Solution

[Diagram: Merchant Web Application, Distributor Web Service, Catalog Data, Identity Store, Trusted Subsystem, Username token with HTTPS]

Page 22:

Intranet Web Service Scenario
Banking Application Example

[Diagram: Banking Application, Withdrawal Web Service, Customer Account Database]

Page 23:

Intranet Web Service Scenario
Security Decisions

Factor: Authentication
Consideration: Customer service reps are located in AD on a computer running Windows Server 2003
Decision: Active Directory supports Kerberos protocol

Factor: Authentication
Consideration: Application must support SSO capabilities
Decision: Kerberos supports SSO capabilities

Factor: Authentication
Consideration: Mutual authentication is required
Decision: KerberosToken contains both requestor and service information

Factor: Auditing
Consideration: Account activities carried out by customer service reps must be audited
Decision: Kerberos supports impersonation/delegation which enables downstream auditing

Factor: Message protection
Consideration: Message data is sensitive. Must be protected against unauthorized access and tampering
Decision: KerberosToken can be used to encrypt a message and sign a message

Page 24:

Intranet Web Service Scenario
Recommended Patterns

Brokered authentication pattern
Brokered authentication: Kerberos pattern
Data confidentiality pattern
Data origin authentication pattern
Composite implementation pattern
Message layer security with Kerberos in WSE 3.0 pattern
Authenticates, signs and encrypts

Page 25:

Intranet Web Service Scenario
Security Solution

[Diagram: Banking Application, Withdrawal Web Service, Customer Account Database, Active Directory / KDC, Kerberos Token, Impersonation / Delegation]

Page 26:

Internet B2B Scenario
Manufacturing Company Example

[Diagram: Supply Chain Application, Procurement Web Service, Ordering Web Service, Internet, Supplier, Manufacturing Company]

Page 27:

Internet B2B Scenario
Security Decisions

Factor: Authentication
Consideration: Supply chain application users are in AD on Windows Server 2003
Decision: Kerberos is supported by AD on intranet

Factor: Authentication
Consideration: Application must support SSO capabilities
Decision: Kerberos supports SSO capabilities

Factor: Authentication
Consideration: External Web service is hosted in an unknown environment
Decision: Interaction between internal and external Web service does not require credentials. X.509 certs can be used

Factor: Authentication
Consideration: External Web service is hosted in an unknown environment
Decision: X.509 certs represent a well known protocol that supports interop with other platforms

Factor: Message protection
Consideration: Message data is sensitive. Must be protected against unauthorized access and tampering
Decision: X.509 certs can be used to encrypt a message and sign a message

Page 28:

Intranet B2B Scenario
Recommended Patterns

Brokered authentication pattern
Brokered authentication: X.509 certificates pattern
Brokered authentication: Kerberos pattern
Data confidentiality pattern
Data origin authentication pattern
Composite implementation pattern
Message layer security with Kerberos in WSE 3.0 pattern
Authenticates, signs and encrypts

Page 29:

Internet B2B Scenario
Security Solution

[Diagram: Supply Chain Application, Procurement Web Service, Ordering Web Service, Internet, Active Directory / KDC, X.509 Cert, Service Perimeter Router, Manufacturing Company, Supplier]

Page 30:

More Information

Web Service Security: Scenarios, Patterns and Implementation Guidance for Web Services Enhancements (WSE) 3.0
http://go.microsoft.com/fwlink/?LinkId=55348

Encrypting part of a message nugget
http://www.microsoft.com/uk/msdn/events/nuggets.aspx

WSE 3.0 Download
http://msdn.microsoft.com/webservices/webservices/building/wse/default.aspx

Mail me with questions: alexm@cm-consulting.com

Page 31:

© 2004 Microsoft Limited. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

