itcamp 2012 - leonard abu-saa - wcf security
TRANSCRIPT
itcampro @ itcamp12 # Premium conference on Microsoft technologies
WCF Security
Abu-Saa Leonard, Software Architect
Arobs Transilvania Software
Blog: http://net-daylight.blogspot.com/
itcampro @ itcamp12 # Premium conference on Microsoft technologies
Architecture &
Best Practices ITCamp 2012 sponsors
itcampro @ itcamp12 # Premium conference on Microsoft technologies
Architecture &
Best Practices
• Overview
• Authentication & Authorization
• Security Modes
• Credential Types
• WCF Authentication Service
• Custom UserName & Password
Authentication
• Q&A
Agenda
itcampro @ itcamp12 # Premium conference on Microsoft technologies
Architecture &
Best Practices
• Online transactions
• Do we ignore security ?
Overview
itcampro @ itcamp12 # Premium conference on Microsoft technologies
Architecture &
Best Practices
• Auditing and Logging
• Authentication
• Authorization
• Configuration Management
• Message Protection
• Message Validation
• Senzitive data
• Session Management
Overview – Security fundamentals
itcampro @ itcamp12 # Premium conference on Microsoft technologies
Architecture &
Best Practices
• Asset
• Threat
• Vulnerability
• Attack
Threats, Vulnerabilities and Attacks
itcampro @ itcamp12 # Premium conference on Microsoft technologies
Architecture &
Best Practices
• Authentication identifies a user, process
• One of the most important aspect of
security
• We use id daily: ids, user names &
passwords, etc.
Authentication != Authorization
itcampro @ itcamp12 # Premium conference on Microsoft technologies
Architecture &
Best Practices
• Verifies what resources can access the
itentified party
• It happens after authentication
• Very close related with Authentication
Authorization
itcampro @ itcamp12 # Premium conference on Microsoft technologies
Architecture &
Best Practices
• None
• Basic
• NTLM
• Windows
• Certificate
• Username – Custom Provider
– SqlMembership Provider
• Issued Token
Authentication in WCF
itcampro @ itcamp12 # Premium conference on Microsoft technologies
Architecture &
Best Practices
• None
– Not recommended
• Transport Security
– Encrypts the communication channel
• Message Security
– The message is encrypted
Security Modes
itcampro @ itcamp12 # Premium conference on Microsoft technologies
Architecture &
Best Practices
• Transport Credential Only
– Credentials are sent as part of the message but are not
encrypted
• Transport With Message Credential
– Credentials are sent as part of the message and the
message protection is done at the transport level
Security Modes - Variations
itcampro @ itcamp12 # Premium conference on Microsoft technologies
Architecture &
Best Practices
• SSL over HTTP(S)/TCP
• Our purpose is to ensure integrity,
condidentiality and authentication
• Integrity = encryption key
• Confidentiality = data encryption
• Authentication = credentials
• Use a digital certificate to encrypt the
channel
Transport Security
itcampro @ itcamp12 # Premium conference on Microsoft technologies
Architecture &
Best Practices
• When we use Transport Security ?
• Advantages – Better performance
– Interoperability
• Disadvantages – ‘Point-2-Point’
Transport Security
itcampro @ itcamp12 # Premium conference on Microsoft technologies
Architecture &
Best Practices
• When we use Message Security?
• Encrypts only the message
• Advantages – ‘End-2-End’ security
– Independent of the communication protocol
• Disadvantages – Lower perfomance compared to transport
– Does not support interoperability with older ASMX
clients
Message Security
itcampro @ itcamp12 # Premium conference on Microsoft technologies
Architecture &
Best Practices
• Uses ASP.NET membership to authenticate
users
• It requires cookies
• Can customize user login
• Can customize authentication cookie
WCF Authentication Service
itcampro @ itcamp12 # Premium conference on Microsoft technologies
Q & A