Web_Services_Security

WebServicesSecurityMikeShawmikeshaw@microsoft.com.NETArchitecturalEngineerAgendaTrustWorthyComputingWhatareWebServices?XMLSignaturesXMLEncryptionWhatisWS-Security?LinksTrustworthyComputingMicrosoftiscommittedtoTrustworthyComputing:SecurityPrivacyReliabilityBusinessIntegrityTrustworthycomputingcanonlybeachievedthroughpartnership&teamworkTrustworthyComputingisajourneywithalongtermvisionandhighlightsandobstaclesalongtheroadTrustworthyComputingSecurityPrivacyReliabilityBusinessIntegrityResilienttoattackProtectsconfidentiality,integrity,availabilityanddataDependableAvailablewhenneededPerformsatexpectedlevelsIndividualscontrolpersonaldataProductsandOnlineServicesadheretofairinformationprinciplesVendorsprovidequalityproductsProductsupportisappropriateGoalsUnderstandthegoalsandapplicationofWS-SecurityProvideyouaroadmaponhowtoimplementsecureWebservicesToday:PointtoPointServiceServiceSSL/TLSServiceCServiceAEndtoEndMessagingServiceServiceBAnyWebservicecapableapplication.WS-SecurityforEncryptionandSigningSecureSOAPmessageusingWS-SecurityChanneldoesn’tmatter.CouldbeHTTP,SSL,MIME/SMIMEAuthenticationMessageValidationMaybeISAServerAuditing/loggingConfidentialmessageprocessingEncryptedmessageSignedMessageWebServicesIndustrystandardsforinteroperabilityBasedonInternetstandardsNotweddedtoanyplatformLooselycoupledprogrammingPreserveandconnectexistingsystemsIntegrateinsideandoutsidethefirewallBroadindustrysupportEnableEnd-to-EndmessagingsystemsWhatisaWebServicetoday?MessageprocessorStandardsbasedSOAP1.1LanguageandtransportneutralWSDL1.1Predominantlyparticipateinpoint-to-pointscenariosduetolackofadditionalstandardsInherentlyinsecureWebServiceSOAP1.1WSDL1.1ImplementationIndustryinitiativeforWebservicesOver150membersFacilitatescustomeradoptionEnsuresinteroperabilityBroadalignmentaroundWebservicesFirsttestingtoolsthisyearMoreinfo:Flexiblemessage-levelsecurityMaintaincoretenetsIntegrity(XMLDigitalSignatures)Confidentiality(XMLEncryption)AuthenticationTokensLeverageexistinginfrastructureandstandardsKerberosPKISAMLCustom…SSL/TLSXMLSignatureXMLEncryption…XMLSignatureXMLsyntaxusedtorepresentadigitalsignatureoveranydigitalcontentVerifiedwhetheramessagewasalteredduringtransitEnablesnon-repudiationSignspecificportionsoftheXMLdocumentormessageOne-waytransformationviaprivatekeyDefinedschemaXMLEncryptionEncryptspecificportionsoftheXMLdocumentormessageSupportssymmetricandasymmetrickeyalgorithmsDefinedschemaHowdoesthismaterializeinaWebservicesmodel?CompositionviaSOAPHeadersSOAPheaderscanbeanythingsoweneedaschematoensureinteroperabilityacrossallimplementationsWS-Security1.0aspecificationwithOASISJointproposalfromIBM,VeriSign&MicrosoftWS-Security1.0SecurityModelSecurityToken+DigitalSignature=ProofofKeyPossessionClaimsPublicKeyProofofpossessionOfPrivateKey+=WS-Security1.0TrustModelSecurityTokenUnendorsed=NotsignedbyanauthorityProof-of-Possession=claimthatcanbemutuallyverifiedEndorsed=Signedbyanauthority?SigningAuthorityWS-Security1.0ProtectionIntegrity=XMLSignature+SecurityTokensConfidentiality=XMLEncryption+SecurityTokensNon-GoalsofWS-SecurityEstablishingasecuritycontextthatrequiresmultipleexchanges(WS-SecureConversation)KeyexchangeandderivedkeysHowtrustisestablished(WS-Trust)PolicyDefinition(WS-Policy)Provisioningofcertificates(XKMS)Rights(XrML)etcSecurityRoadmapSOAPWS-SecurityWS-PolicyWS-TrustWS-FederationWS-PrivacyWS-AuthorizationWS-SecureConversationRefertoSecurityRoadmap–…Thinkbig,startsmallUnderstandyoursecuritytopologyWhatdoestheend-to-endmessagingpathlooklikeforyourscenarios?UnderstandXMLSignatureXMLEncryptionWSSecuritySystem.Security.CryptographynamespaceCreateathreatmodelforyourWebserviceenvironmentBlendpoint-to-pointsecuritywithend-to-endsecurityLeveragethe.NETFrameworkbaseclasses,WindowsCryptoAPI,CAPICOM,.NETServerCertificateAuthorityCalltoaction1.Foracopyofthispresentationvisit::register.microsoft.com/subscription/subscribeMe.asp?lcid=1033&id=1553.FortheMicrosoftsecurityresourcetoolkitvisit:FirewallandVPNIdentityManagementSecuringWindowsWindowsServer2003SecurityWirelessSecurityMicrosoftSecuritySeminarsTIMEAPRIL29APRIL30MAY110:15TrustworthyComputing–OneYearLaterMicrosoft’sSecurityRoadmapIdentityManagement–Strategy&Solution11:00SecuringWirelessNetworkswithWindowsServer2003SecuringWirelessNetworkswithWindowsServer2003SecuringWirelessNetworkswithWindowsServer200311:45Application-layerFirewallingApplication-layerFirewallingApplication-layerFirewalling12:30WebService