WCF Security Basics Simplifying the Security Maze Michele Leroux
VWX401: WCF Security Basics – Simplifying the Security Maze

    Michele Leroux Bustamante
      Chief Architect, IDesign
    Microsoft Regional Director
About Michele Leroux Bustamante
•   IDesign Inc., www.idesign.net
•   Microsoft Regional Director
•   MVP – XML Web Services
•   IASA - Board of Directors
•   Published - MSDN, CoDe,
    TheServerSide.NET…
•   International Speaker, INETA
•   Program Advisor, UCSD Extension
•   Web Services Track Chair, SD Expo
•   www.dasblonde.net,
    www.thatindigogirl.com
 Fundamental Security Concepts

• Mutual Authentication – verify sender and
  receiver
• Confidentiality – protect information from
  open view, using encryption
• Integrity – ensure messages have not been
  altered, using digital signatures
• Reliability – prevent message replay and
  denial of service (DoS)
Transport Level Security

• SSL, TLS, IPSec
• Point-to-point
• Applies to entire message
[Diagram: trust relationship established directly between Sender and Receiver]
Message Level Security

• Web services security (WS*)
• Secure through intermediaries
• Secure message parts
[Diagram: trust relationship maintained from Sender through Intermediary to Receiver]
WCF Security Settings

•   Security mode
•   Protection level
•   Client credentials
•   Impersonation
•   Service credentials
•   Credential negotiation
•   Secure sessions
•   Algorithms
•   Authentication/Authorization
Security Mode

[Diagram: Client A and Client B each reach the Service through an endpoint (A, B, C); the Transport label marks security applied to the channel, the Message label security applied to the message itself]

A   Address => where?
B   Binding => how?
C   Contract => what?
Security Mode

 • Transport Security
<netTcpBinding>
  <binding name="netTcpTransportSecurity">
    <security mode="Transport">
      <transport clientCredentialType="Windows" />
    </security>
  </binding>
</netTcpBinding>
Security Mode

 • Message Security
<wsHttpBinding>
  <binding name="wsHttpMessageSecurity">
    <security mode="Message">
      <message clientCredentialType="UserName" />
    </security>
  </binding>
</wsHttpBinding>
Security Mode

 • Mixed Security
<basicHttpBinding>
  <binding name="basicHttp">
    <security mode="TransportWithMessageCredential">
      <transport />
      <message clientCredentialType="UserName" />
    </security>
  </binding>
</basicHttpBinding>
Protection Level

 • By default signed and encrypted
 • Can require minimum message protection
    ●   At service, operation or message contract
    ●   ProtectionLevel options: None, Sign,
        EncryptAndSign
 • Also caps message protection (e.g., sign only, no encryption)
[OperationContract(ProtectionLevel=ProtectionLevel.Sign)]
string HelloIndigo(string inputString);
Client Credentials

• WCF is a claims-based system
  ●   All credentials evaluate to a set of claims
  ●   Enables claims-based security model
• Credential types include:
  ●   Username and password
  ●   Windows credentials
  ●   X.509 certificates
  ●   Issued SAML tokens (includes CardSpace)
• Selections vary for transport and message
  security
Impersonation

  • Service can control impersonation level
      ●   OperationBehaviorAttribute
      ●   Impersonation setting (ImpersonationOption): NotAllowed,
          Allowed, Required
[OperationBehavior(Impersonation=ImpersonationOption.NotAllowed)]
public string HelloIndigo(string inputString)

  • Can control for all service operations
      ●   ServiceAuthorization behavior
<serviceAuthorization impersonateCallerForAllOperations="false" />
Impersonation

   • Clients can control impersonation level
      ●   TokenImpersonationLevel
      ●   None, Anonymous, Identification,
          Impersonation, Delegation
// Windows credentials the client presents to the service
NetworkCredential creds = new NetworkCredential("username", "password", "domain");

// Cap what the service may do with the client's token: identify only, no impersonation
proxy.ClientCredentials.Windows.AllowedImpersonationLevel = TokenImpersonationLevel.Identification;
Intranet Scenario

• Windows credentials
• Authentication and authorization using
  Windows membership and role providers
• Transport encryption and signing
• Role-based permission demands on
  protected operations
• Reject impersonation of Windows
  accounts (trusted subsystem)
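The intranet scenario above, shown as an added example (not code from the original deck): a service whose operations refuse to impersonate the caller and guard a protected operation with a role demand. The contract, the service class and the "Managers" role are constructed for this example; the caller's Windows identity and groups come from a Transport/Windows binding such as the netTcpBinding shown earlier, and PrincipalPermissionMode.UseWindowsGroups is the WCF default.

```csharp
using System;
using System.Security.Permissions;
using System.Security.Principal;
using System.ServiceModel;

// Constructed contract for this example.
[ServiceContract(Namespace = "urn:example:payroll")]
public interface IPayroll
{
    [OperationContract]
    string WhoAmI();

    [OperationContract]
    decimal GetSalary(string employeeId);
}

public class PayrollService : IPayroll
{
    // Trusted subsystem: the operation never impersonates the caller, so
    // downstream resources see the host process account, not the end user.
    [OperationBehavior(Impersonation = ImpersonationOption.NotAllowed)]
    public string WhoAmI()
    {
        string caller = ServiceSecurityContext.Current.PrimaryIdentity.Name;
        string host = WindowsIdentity.GetCurrent().Name;   // unchanged by the call
        return string.Format("caller={0}; service runs as={1}", caller, host);
    }

    // Role-based demand: the caller's Windows group membership is checked
    // before the body runs; a non-member receives an access-denied fault.
    // "Managers" is a placeholder; a domain group is written "DOMAIN\\Managers".
    [PrincipalPermission(SecurityAction.Demand, Role = "Managers")]
    [OperationBehavior(Impersonation = ImpersonationOption.NotAllowed)]
    public decimal GetSalary(string employeeId)
    {
        if (string.IsNullOrEmpty(employeeId))
            throw new FaultException("employeeId is required");
        return 0m;   // placeholder for the real lookup
    }
}
```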
  Service Certificate

  • Authenticate service to client and secure
    messages
  • Required for non-windows credentials
  • ServiceCredentials behavior
<behaviors>
  <serviceBehaviors>
    <behavior name="serviceBehavior">
      <serviceCredentials>
        <serviceCertificate findValue="RPKey"
                            storeLocation="LocalMachine"
                            storeName="My"
                            x509FindType="FindBySubjectName" />
      </serviceCredentials>
    </behavior>
  </serviceBehaviors>
</behaviors>
  Client Certificate

  • Clients may also authenticate with a
    certificate
  • ClientCredentials behavior

<behaviors>
  <endpointBehaviors>
    <behavior name="clientBehavior">
      <clientCredentials>
        <clientCertificate findValue="SubjectKey"
                           storeLocation="CurrentUser"
                           storeName="My"
                           x509FindType="FindBySubjectName" />
      </clientCredentials>
    </behavior>
  </endpointBehaviors>
</behaviors>
Business Partner Scenario

• Service certificate identifies service and
  protects messages during transfer
• Certificates uniquely identify partners
• Certificates are authenticated using the
  default certificate validation process
• Certificates authorized by public key in the
  TrustedPeople folder for the LocalMachine
  certificate store
Negotiation

• Service credentials can be negotiated
  ●   By default this is enabled
  ●   SPNego (Windows) or TLSNego
• Requires a service certificate
  ●   Transport level uses SSL, message level
      uses WS-Trust tunnel
• Can disable with
  negotiateServiceCredential
  ●   Requires Kerberos domain or access to
      service credentials
Negotiation
<security mode="Message">
  <message clientCredentialType="UserName"
           negotiateServiceCredential="false" />
</security>
  Secure Sessions

  • Reduce the overhead of one-off key
    exchange and validation
  • Security context token (SCT)
  • Enabled by default
     ●   Can disable, client must provide public key

<security mode="Message">
  <message clientCredentialType="UserName"
           establishSecurityContext="false" />
</security>
  Algorithms

  • Can choose algorithm for message
    encryption and signing
     ●   Important for interoperability
  • Available choices match conventions
    described in the WS-SecurityPolicy
    specification
<security mode="Message">
  <message clientCredentialType="UserName"
           algorithmSuite="TripleDes" />
</security>
Authentication

• Claims are added to the security context
  when client credentials are authenticated
  ●   SecurityTokenAuthenticator handles
      this for each token
  ●   AuthorizationContext holds claims
• Can control authentication settings
  ●   Settings in ServiceCredentials behavior
  ●   Control membership provider, certificate
      authentication modes, anonymous users, etc.
<serviceCredentials>
  <windowsAuthentication allowAnonymousLogons="false"
                         includeWindowsGroups="true" />
  <userNameAuthentication userNamePasswordValidationMode="MembershipProvider" />
  <clientCertificate>
    <authentication certificateValidationMode="ChainTrust"
                    revocationMode="Online" />
  </clientCertificate>
</serviceCredentials>
Authorization

• Can configure authorization with behaviors
  ●   ServiceAuthorization behavior,
      PrincipalPermissionMode setting
      • None, UseWindowsGroups, UseAspNetRoles,
        Custom (requires IAuthorizationPolicy)
• Controls the type of security principal
  ●   WindowsPrincipal,
      RoleProviderPrincipal,
      GenericPrincipal
  Authorization

  • Can use ASP.NET roles provider
<serviceAuthorization principalPermissionMode="UseAspNetRoles" />
  Authorization

  • Can provide custom authorization policy
      ●   Implement IAuthorizationPolicy
      ●   Useful for certificates or claims-based security
          model
<serviceAuthorization principalPermissionMode="Custom">
  <authorizationPolicies>
    <add policyType="ClaimsBasedAuthorization.ClaimsAuthorizationPolicy, ClaimsBasedAuthorization" />
  </authorizationPolicies>
</serviceAuthorization>
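An added example (not the deck's or IDesign's code) of the custom policy the configuration above registers, tying the Business Partner scenario to the claims-based model: it maps the thumbprint of an authenticated partner certificate to a role claim and supplies the GenericPrincipal that Custom mode needs. The class and namespace names match the policyType above; the thumbprint table and the "Partner" role are constructed placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;
using System.Security.Principal;

namespace ClaimsBasedAuthorization
{
    // Maps an authenticated partner certificate (by thumbprint) to a role claim and
    // supplies the principal WCF uses for PrincipalPermission demands in Custom mode.
    public class ClaimsAuthorizationPolicy : IAuthorizationPolicy
    {
        // Constructed placeholder table; a deployment loads this from configuration.
        static readonly Dictionary<string, string> PartnerRoles =
            new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
            { { "PLACEHOLDER-THUMBPRINT-HEX", "Partner" } };
        readonly string id = Guid.NewGuid().ToString();
        public string Id { get { return id; } }
        public ClaimSet Issuer { get { return ClaimSet.System; } }

        public bool Evaluate(EvaluationContext evaluationContext, ref object state)
        {
            var roleClaims = new List<Claim>();
            string partner = null;
            foreach (ClaimSet cs in evaluationContext.ClaimSets)
            {
                // Trust thumbprints only from a claim set built by the X.509 token authenticator.
                if (!(cs is X509CertificateClaimSet)) continue;
                foreach (Claim c in cs.FindClaims(ClaimTypes.Thumbprint, Rights.PossessProperty))
                {
                    string thumb = BitConverter.ToString((byte[])c.Resource).Replace("-", "");
                    string role;
                    if (!PartnerRoles.TryGetValue(thumb, out role)) continue;
                    partner = thumb;
                    roleClaims.Add(new Claim(ClaimTypes.Role, role, Rights.PossessProperty));
                }
            }
            if (roleClaims.Count > 0)
                evaluationContext.AddClaimSet(this, new DefaultClaimSet(Issuer, roleClaims));
            // Under PrincipalPermissionMode.Custom WCF reads Properties["Principal"].
            // An unmapped caller gets an unauthenticated principal with no roles, so
            // every [PrincipalPermission(Role=...)] demand on the service fails closed.
            IIdentity identity = partner != null ? new GenericIdentity(partner, "X509") : new GenericIdentity(string.Empty);
            string[] roleNames = roleClaims.ConvertAll(c => (string)c.Resource).ToArray();
            evaluationContext.Properties["Principal"] = new GenericPrincipal(identity, roleNames);
            return true;
        }
    }
}
```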
Internet Scenario

• SSL used for transport security and
  service authentication
• Service certificate for service
  authentication and message protection
• UserName credentials
• Services are hosted with IIS/ASP.NET
• Authentication and authorization use the
  built-in ASP.NET membership and
  provider model
Summary

• WCF provides granular control over
  security through bindings, behaviors and
  built-in service model types
• Supports Intranet, Internet, business
  partner exchanges and claims-based
• Highly extensible
• IDesign’s declarative security model
  simplifies configuration to remove the
  complexity and potential for error
Resources

• www.idesign.net
  ● Code library, coding standard, sample
    architecture report
  ● IDesign Method™

• WCF Master Classes
  ●   IDesign WCF Master Class available on-site
      and as quarterly public offering
Resources

• My Book
  ●   Learning Windows Communication
      Foundation, O’Reilly
      • Online at: http://www.thatindigogirl.com
      • Printed in January 2007
• My Blog
  ●   http://www.dasblonde.net