WS-Security, Yosi Taguri, Microsoft Israel

Presentation transcript:

1 WS-Security. Yosi Taguri, Microsoft Israel. http://blogs.msdn.com/yosit, yosit@microsoft.com

2 WS-Security. Yosi Taguri, .NET Platform Group, Microsoft Israel. yosit@microsoft.com, http://blogs.msdn.com/yosit

3 Agenda: WSE basics; security tokens; integrity; confidentiality; making it all sing together; how do I write WS-Security code faster.

4 Protocol domains (layer diagram): Internet transports at the bottom; SOAP, XML and WSDL above them; on top, the advanced protocols: Security, Messaging, Transactions, Metadata and Reliable Messaging.

5 Web Service Enhancements: WSE offers initial support for new protocols; a "close to the metal" implementation; the application model is left to the developer. WSE is intended for early adopters: supported, but for 2+1 years, so expect to migrate. WSE 2.0 Tech Preview is now available.

6 WSE and interoperability: WSE's protocols are not yet widely implemented. Some interop with some kits (WebSphere); does not interop with arbitrary toolkits. There is no standard mechanism for describing protocol usage in WSDL, so you must know what the other end of the pipe is doing; WS-Policy is intended to address this. WSE is most useful in the enterprise or with key partners.

7 WSE 1.0: a simple framework layered on ASP.NET Web Services. Support for WS-Security, WS-Routing/Referral and WS-Attachments/DIME.

8 WSE 2.0 Tech Preview: extended security support (WS-SecureConversation, WS-Trust), improved token management, protection from replay attacks; new WS-Policy support; extended messaging support (WS-Addressing supplants WS-Routing).

9 ASP.NET and WSE: ASP.NET provides support for basic Web services, only the base-line protocols and only the RPC programming model. The Web Services Enhancements (WSE) add-on provides advanced features on top of ASP.NET: the latest protocols, like WS-Security, and a messaging programming model.

10 How WSE works: core WSE functionality is implemented as input and output filters (diagram: the client's output filters feed the server's input filters, and the server's output filters feed the client's input filters).

11 What the IO filters do: WSE's input and output filters map protocols to and from SOAP messages. Protocol info is modeled by SoapContext: output filters use the SoapContext info to update the outbound message, and input filters use the inbound message to update the SoapContext info.

12 Pipeline, output filters (diagram): a SoapWebRequest carrying a basic SOAP message, plus a SoapContext holding the specific protocol properties, passes through the output filters, which emit a SOAP message with the protocols applied.

13 Pipeline, input filters (diagram): a SoapWebResponse carrying a SOAP message with protocols applied passes through the input filters, which reduce it to a basic SOAP message and fill the SoapContext with the specific protocol properties.

14 The Pipeline: use of the IO filters is encapsulated by the pipeline class; the pipeline plumbing is used by higher-level proxy/service code; the pipeline can be extended with custom filters and configured per-proxy or per-process.

15 Server integration: WebServicesExtension uses the pipeline to filter SOAP messages; input filters process request messages, output filters process response messages. RequestSoapContext.Current exposes the protocol settings of the last message received; ResponseSoapContext.Current exposes the protocol settings for the next message sent.

16 Pipeline, server integration (diagram): the Web service sits behind WebServicesExtension; the input filter fills the request SoapContext from the HttpRequest, and the output filter applies the response SoapContext to the HttpResponse, all reachable through HttpContext.Current, RequestSoapContext.Current and ResponseSoapContext.Current.

17 Proxy integration: WebServicesClientProtocol is the new proxy base class; output filters process request messages, input filters process response messages. The RequestSoapContext property exposes the protocol settings for the next message sent; the ResponseSoapContext property exposes the protocol settings for the last message received.

18 Pipeline, proxy integration (diagram): the proxy class derives from WebServicesClientProtocol; the output filter applies the RequestSoapContext to the SoapWebRequest, and the input filter fills the ResponseSoapContext from the SoapWebResponse.

19 Proxy integration (code):

    using System;

    class Program
    {
        static void Main()
        {
            // create WebServicesClientProtocol-derived proxy class
            TimeServiceWse proxy = new TimeServiceWse();

            // WebServicesClientProtocol gives the pipeline
            // a chance to filter messages
            Console.WriteLine(proxy.GetTime());
        }
    }

20 WS-Security: defines a framework for building security protocols using existing protocols: propagation of security tokens, integrity via XML Signature, confidentiality via XML Encryption. The framework is designed for end-to-end security of SOAP messages, from the initial sender, through 0-n intermediaries, to the ultimate receiver.

21 Security Tokens: tokens represent claims about identity, capabilities or privileges. WS-Security provides constructs for transmitting security tokens and supports text and binary tokens. The OASIS WS-Security TC is producing several token profiles: Username/Password, X.509, Kerberos, SAML, XrML.

22 Security Tokens

23 UsernameToken: contains a username and a password. The password is optional and can be passed as plaintext or as a digest. Plaintext is BAD unless the token is encrypted; the digest is not much better (the nonce and creation time travel in the clear, so anyone on the wire can guess passwords offline against it), and the token should still be encrypted. Best to encrypt the token for the recipient. By default the password is verified against Windows accounts. A UsernameToken can only be used to sign, not to encrypt.
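The hashed-password form of the token, and the server-side checks that give the digest any value, as an added example (it is not code from the deck or from WSE, and it works at the protocol level in Python rather than through the WSE API). The digest follows the OASIS UsernameToken Profile formula Base64(SHA-1(nonce + created + password)). The `lookup_password` callback, the five-minute freshness window and the in-memory nonce cache are assumptions of the example, standing in for WSE's Windows-account check and for the kind of replay protection the WSE 2.0 slide mentions:

```python
import base64
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

WSU_TIME = "%Y-%m-%dT%H:%M:%SZ"  # wsu:Created as it appears in the token


def password_digest(nonce, created, password):
    """UsernameToken Profile: Base64(SHA-1(nonce + created + password)), with
    nonce as raw bytes and created as the exact wsu:Created string."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def make_username_token(username, password, now=None):
    """Client side: the fields of a UsernameToken with a hashed password."""
    now = now or datetime.now(timezone.utc)
    nonce = secrets.token_bytes(16)
    created = now.strftime(WSU_TIME)
    return {
        "Username": username,
        "Nonce": base64.b64encode(nonce).decode("ascii"),
        "Created": created,
        "PasswordDigest": password_digest(nonce, created, password),
    }


class UsernameTokenVerifier:
    """Server side: check freshness, reject replays, recompute the digest.

    lookup_password(username) -> password or None is an assumed callback
    standing in for the service's account store (Windows, in WSE's default)."""

    def __init__(self, lookup_password, max_skew=timedelta(minutes=5)):
        self.lookup_password = lookup_password
        self.max_skew = max_skew
        self.seen_nonces = {}  # nonce -> Created, the replay cache

    def verify(self, token, now=None):
        now = now or datetime.now(timezone.utc)
        try:
            created = datetime.strptime(token["Created"], WSU_TIME)
            created = created.replace(tzinfo=timezone.utc)
            nonce = base64.b64decode(token["Nonce"], validate=True)
        except (KeyError, ValueError):
            return False, "malformed token"
        # Anything outside the freshness window is refused outright, so the
        # replay cache only has to remember nonces from inside the window.
        if abs(now - created) > self.max_skew:
            return False, "stale Created"
        self._expire(now)
        if nonce in self.seen_nonces:
            return False, "replayed nonce"
        password = self.lookup_password(token["Username"])
        if password is None:
            return False, "unknown user"
        expected = password_digest(nonce, token["Created"], password)
        presented = str(token.get("PasswordDigest", "")).encode("utf-8")
        if not hmac.compare_digest(expected.encode("ascii"), presented):
            return False, "bad digest"
        # Record the nonce only after a successful check, so unauthenticated
        # junk cannot fill the cache.
        self.seen_nonces[nonce] = created
        return True, "ok"

    def _expire(self, now):
        cutoff = now - self.max_skew
        for nonce, created in list(self.seen_nonces.items()):
            if created < cutoff:
                del self.seen_nonces[nonce]


def demo():
    """Constructed run at a fixed clock: fresh, replayed, wrong password, stale."""
    verifier = UsernameTokenVerifier({"alice": "s3cret"}.get)
    t0 = datetime(2004, 3, 1, 12, 0, 0, tzinfo=timezone.utc)
    token = make_username_token("alice", "s3cret", now=t0)
    return {
        "fresh": verifier.verify(token, now=t0 + timedelta(seconds=30)),
        "replay": verifier.verify(token, now=t0 + timedelta(seconds=60)),
        "wrong_pw": verifier.verify(make_username_token("alice", "wrong", now=t0),
                                    now=t0 + timedelta(seconds=60)),
        "stale": verifier.verify(make_username_token("alice", "s3cret", now=t0),
                                 now=t0 + timedelta(hours=1)),
    }
```

Two things the code makes visible that the slide only asserts. The digest does not hide the password from an eavesdropper: Nonce and Created are sent in the clear, so the observed digest is an offline guessing target, which is why the token still has to be encrypted. And the digest on its own does not stop replay; the freshness window plus the nonce cache is what does, and a service that checks the digest but not the nonce accepts a captured token for as long as the window allows.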

24 Where are we: authentication and authorization are tightly coupled in WSE and integrated with Windows. Messages are still unsigned.

25 Message Integrity: how do you know the message has not been altered? A bad guy could copy the token into another message, or alter the timestamp, headers or body of the message. Parts of a message can be signed to ensure integrity, based on XML Signature (XMLDSIG).

26 Integrity, sender: I want to send a SOAP message and ensure that the body is not modified. I generate a digest of the SOAP body; I generate a signature over the digest (and some other info) using my private key; I include my public key in a security token.

27 Integrity, receiver: you want to check that the body of the message was not modified. You generate a digest for the SOAP body and compare your digest with the one in the message; you check that the signature is valid using my public key. As a side-effect, you know the message was from me, provided you trust the token that carried my public key rather than taking it from the message at face value.

28 Message confidentiality: how do you know the message hasn't been read? A bad guy can read the XML payload anywhere along the wire. Parts of a message can be encrypted to ensure confidentiality, based on XML Encryption (XMLENC).

29 Confidentiality, sender: I want to send a SOAP message and ensure that only you can read the content of the body. I generate a symmetric key; I encrypt that key using your public key; I encrypt the content of the body using the symmetric key; I include both the encrypted data and the encrypted key in the message.

30 Confidentiality, receiver: you want to read the encrypted content of the body. You decrypt the symmetric key using your private key, then decrypt the content of the body using the symmetric key.
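The sender and receiver procedures of slides 26, 27, 29 and 30 carried through end to end in one constructed example, added here and not part of the deck or of WSE. It is Python at the protocol level: textbook RSA with no padding stands in for XMLDSIG's RSA signature and for XMLENC's public-key transport of the symmetric key, a SHA-256 counter keystream stands in for AES, and the "other info" the signature covers is simply the timestamp plus the body digest. Keys are generated from fixed seeds so the run is reproducible. It is toy cryptography for illustrating the flow, not for use:

```python
import hashlib
import random
import secrets

def is_probable_prime(n, rng, rounds=20):
    """Miller-Rabin primality test; witnesses are drawn from rng."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def make_keypair(bits=512, seed=0):
    """Deterministic toy RSA keypair: returns ((n, e), (n, d))."""
    rng, e = random.Random(seed), 65537

    def prime():
        while True:  # force the top bit (size) and the low bit (odd)
            c = rng.getrandbits(bits // 2) | 1 << (bits // 2 - 1) | 1
            if is_probable_prime(c, rng):
                return c

    while True:
        p, q = prime(), prime()
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))

def rsa_sign(priv, data):
    """Textbook RSA over SHA-256(data); stands in for XMLDSIG's rsa-sha1."""
    n, d = priv
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big"), d, n)

def rsa_verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == int.from_bytes(hashlib.sha256(data).digest(), "big")

def keystream_xor(key, data):
    """Toy stream cipher, SHA-256(key || counter) blocks XORed in; stands in for AES."""
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def build_message(body, created, sender_priv, receiver_pub):
    """Sender: digest the body, sign timestamp+digest with my private key,
    then encrypt the body under a fresh key wrapped with your public key."""
    body_digest = hashlib.sha256(body).digest()
    sym_key, (n, e) = secrets.token_bytes(16), receiver_pub
    return {
        "Created": created,
        "BodyDigest": body_digest,
        "Signature": rsa_sign(sender_priv, created.encode() + b"|" + body_digest),
        "EncryptedKey": pow(int.from_bytes(sym_key, "big"), e, n),
        "EncryptedBody": keystream_xor(sym_key, body),
    }

def open_message(msg, receiver_priv, trusted_sender_pub):
    """Receiver: unwrap the key, decrypt, recompute the digest, then verify the
    signature with a key you already trust (not one lifted from the message).
    Returns the body or raises ValueError."""
    n, d = receiver_priv
    try:
        sym_key = pow(msg["EncryptedKey"], d, n).to_bytes(16, "big")
    except OverflowError:
        raise ValueError("bad encrypted key")
    body = keystream_xor(sym_key, msg["EncryptedBody"])
    if hashlib.sha256(body).digest() != msg["BodyDigest"]:
        raise ValueError("body digest mismatch")
    info = msg["Created"].encode() + b"|" + msg["BodyDigest"]
    if not rsa_verify(trusted_sender_pub, info, msg["Signature"]):
        raise ValueError("bad signature")
    return body

def demo():
    """Constructed run: honest delivery, a body altered on the wire, and an
    attacker's own message carrying a signature copied from a genuine one."""
    sender_pub, sender_priv = make_keypair(seed=1)
    receiver_pub, receiver_priv = make_keypair(seed=2)
    _, attacker_priv = make_keypair(seed=3)
    created = "2004-03-01T12:00:00Z"
    msg = build_message(b"<GetTime/>", created, sender_priv, receiver_pub)
    enc = msg["EncryptedBody"]
    tampered = dict(msg, EncryptedBody=bytes([enc[0] ^ 0x01]) + enc[1:])
    spliced = build_message(b"<Transfer amount='1000'/>", created, attacker_priv, receiver_pub)
    spliced["Signature"] = msg["Signature"]  # the copied-token attack of slide 25
    results = {}
    for name, m in (("honest", msg), ("tampered", tampered), ("spliced", spliced)):
        try:
            results[name] = open_message(m, receiver_priv, sender_pub)
        except ValueError as err:
            results[name] = str(err)
    return results
```

The receiver takes the sender's public key as a trust input instead of reading it out of the message, which is the difference between "the signature verifies" and "the message was from me": a signature that verifies under whatever key the attacker attached proves nothing. In real XMLDSIG the signature covers a SignedInfo element whose References carry the digests of the body, the timestamp and, usually, the token itself, which is what defeats the copied-token and altered-timestamp cases the integrity slide lists; the toy's "created|digest" string plays that role here.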

31 Trust

32 Validating a Security Token

33 Using An Issued Security Token

34 Secure Conversation

35 Policy

36 Summary: not all security tokens are created equal; make sure your tokens can do what you want them to do. Design with WSE in mind, it is the future. Soap, Soap, Soap.

37 Resources: MSDN Web Services Developer Center, http://msdn.microsoft.com/webservices

38 Questions?

39 © 2003-2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

