Secure and authenticated .NET development in a distributed world
Secure and authenticated .NET development in a distributed world
Magnus Må[email protected]
http://blog.noop.se/
Google Trends chart: mashup vs. mashing
Globalization + Localization = ?
Globalization + Localization = Glocalization
Web 2.0 is about glocalization
Google Trends chart: Web 2.0 vs. dot com
Web 2.0: A new breed of Web Services
(diagram: new / newer / old stuff)
Lots of Bandwidth
Lots of Storage
Lots of Users
How to get started...
Gentlemen: Let’s start our engine!
(diagram: Service, Host, Client)
Danger! Identity theft
Spoofing
Phishing
Phraud
Malware
Social Engineering
Password fatigue
Social Engineering?
Password fatigue?
Trust
Press clips
Trust
The Internet was founded on anonymity
Trust
Identity is inevitable
Is identity really inevitable?
Identity is inevitable. Proof:
Users want online experiences
Users need to be able to trust
We have to build trustworthy applications
Developers have to build trustworthy applications
We developers have to know who it is we're trusting
Identity is inevitable!
Trust
identity...
public class User : IPrincipal
{
    [...];
}
Identity Centric Architecture (ICA): secure, distributed, open, owner-controlled digital identity
Digital Identity (diagram: your application surrounded by question marks)
Identity Centric Architecture (ICA)
Single sign-on (SSO)
Federated Identity (diagram: Alice, with her ID on the client, talking to Application 1, Application 2 and Application 3)
Alice wants to log in!
Which security level does Alice have?
Alice is "level 2"!
Security Assertion Markup Language (SAML)
Trust
Kim Cameron
Architect of Identity and Access, Connected Systems Division, Microsoft
http://identityblog.com/
Identity is inevitable!
Brilliant man!
The 7 laws of identity (done quick)
#1 User Control and Consent
Trust
#2 Minimal Disclosure for a Constrained Use
(example: an adult-only (xxx) site only needs the answer "Yes, I am really 18!" or "No, I am too young!", not the date of birth)
#3 Justifiable Parties
#4 Directed Identity
#5 Pluralism of Operators and Technologies
#6 Human Integration
#7 Consistent Experience Across Contexts
… the 7 laws of identity!
WS-*
WS-Security
WS-Trust
WS-MetadataExchange
September 12, 2006: Microsoft Open Specification Promise (OSP)
“Microsoft irrevocably promises not to assert any Microsoft Necessary Claims against you for making, using, selling, offering for sale, importing or distributing any implementation to the extent it conforms to a Covered Specification”
“This is a personal promise directly from Microsoft to you […]”
“There is no need for sublicensing.”
“This promise is directly applicable to you and everyone else who wants to use it.”
Microsoft Open Specification Promise: covered specifications
• Remote Shell Web Services Protocol
• SOAP
• SOAP 1.1 Binding for MTOM 1.0
• SOAP MTOM / XOP
• SOAP-over-UDP
• Web Single Sign-On Interoperability Profile
• Web Single Sign-On Metadata Exchange Protocol
• WS-Addressing
• WS-AtomicTransaction
• WS-BusinessActivity
• WS-Coordination
• WS-Discovery
• WSDL
• WSDL 1.1 Binding Extension for SOAP 1.2
• WS-Enumeration
• WS-Eventing
• WS-Federation
• WS-Federation Active Requestor Profile
• WS-Federation Passive Requestor Profile
• WS-I Basic Profile
• WS-Management
• WS-Management Catalog
• WS-MetadataExchange
• WS-Policy
• WS-PolicyAttachment
• WS-ReliableMessaging
• WS-RM Policy
• WS-SecureConversation
• WS-Security: Kerberos Binding
• WS-Security: Kerberos Token Profile
• WS-Security: Rights Expression Language (REL) Token Profile
• WS-Security: SAML Token Profile
• WS-Security: SOAP Message Security
• WS-Security: UsernameToken Profile
• WS-Security: X.509 Certificate Token Profile
• WS-SecurityPolicy
• WS-Transfer
• WS-Trust
Mark Webbink (Red Hat):
“Red Hat believes that the text of the OSP gives sufficient flexibility to implement the listed specifications in software licensed under free and open source licenses. We commend Microsoft’s efforts […]”
Lawrence Rosen:
“I see Microsoft’s introduction of the OSP as a good step by Microsoft to further enable collaboration between software vendors and the open source community.”
Ann Cavoukian
Ph.D., Information and Privacy Commissioner, Ontario, CA
What is trust? (diagram: your code, its proxy, the WWW session, the service instance)
A simple, consistent, secure way to represent identity
Put users in control of their identity(s)
Based on standards
Accepted and adopted by the industry
Windows CardSpace (WCS)
Old .NET Framework 3.0: WPF, WF, WCF
Why is WCS in .NET 3.0?
Final .NET Framework 3.0: WCS, WPF, WF, WCF
Because it ships with Vista!
How does Trust work? Protocol Drill Down
Parties: Identity Provider (IP), Relying Party (RP), Client, User
1. Client would like to access a resource
2. RP provides identity requirements: format, claims and issuer of the security token
3. Client shows which of the known IPs can satisfy the requirements
4. User selects an IP
5. Request to the chosen IP for a security token (WS-Trust)
6. IP generates a security token based on the RP's requirements (WS-Trust)
7. User approves/rejects the release of the token
8. Token is released to the RP; the RP reads the claims and allows access
Self-issued cards (s-i-c): no more password fatigue!
The others
•Shibboleth
•BBAuth
•OpenID
•?
Windows Communication Foundation (WCF)
WCF is uninteresting
“WCF is uninteresting [...] because they have done such a good job of removing communication details from my problem space.”
“The plug-and-send architecture is easy, and doesn't require much thought.”
Ryan Dawson
WCF Security in a Nutshell
secures message exchange between entities
secures access to resources by entities
Entity == person, company, software, ...
Resource == file, service, operation, ...
How? WCF, WS-* and CardSpace!
• Describe policy… – WS-SecurityPolicy
• Retrieve policy… – WS-MetadataExchange
• Security Token Service… – WS-Trust
• Messages… – SOAP and WS-Security
• Security token format… – anything the RP wants and the IP can provide
• The end-to-end experience is driven by an identity selector on the client – CardSpace is an identity selector for Windows
(diagram: WCS, WS-*, WCF)
Playing the Roles: What it takes to be a(n)…
1) Identity Provider
2) Relying Party
3) Client
Role 1: Identity Providers
All Identity Providers need:
– SSL Certificate
  • Provides identity to the user and is used to sign the security token
  • High Assurance certificate with logotype preferred
– Security Token Service
  • Processes the token request, authenticates the user, creates the token
– One Information Card per user
  • Contains security token metadata
Examples:
– Employer, school, bank, government, club
– The user!
Role 2: Relying Parties
– SSL Certificate
  • High Assurance certificate with logotype preferred
– Policy describing token requirements
– Security token processing code
  • Decrypt token, verify issuer signature, verify proof of possession, examine claims, identify user, authorize
Examples of relying parties:
– Any site or service
Relying Party == Web Service
• Install certificate
• Use WCF
• Config
• System.IdentityModel
Relying Party == Web Site
• Do websites need to support WS-*? No!
• To add Information Card support:
  – Modify the login and registration pages
    • Add a button with Information Card object tags
    • Add code to process the posted security token
  – Issue cookies as usual to authorized users
  – Update the account database
    • Add a field to store the “user identifier” claim
Role 3: Client Applications
• Rich clients
  – Use WCF and System.IdentityModel
• Browsers
  – IE 7.0 ships with icardie.dll
    • Reads the HTML tag and calls the CardSpace system
  – Other browsers can do the same on Windows
• Mac and Linux clients need an identity selector and a WS-* stack!
[...]
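The three roles above, the eight-step drill-down, the relying-party checklist (decrypt token, verify issuer signature, verify proof of possession, examine claims, identify user, authorize), the `public class User : IPrincipal` slide and laws #2 and #4 pulled together in one program. This is an added example and not code from the deck, from CardSpace or from WCF: the token is a signed record rather than a SAML assertion, the WS-Trust request/response is a method call, the proof key travels in the clear instead of encrypted to the RP's certificate, and Alice's card, the shop and forum relying parties and every claim value are constructed for the demonstration.

```csharp
// Added example, not code from the slides: the eight-step exchange above simulated end to end in
// plain objects (real deployments carry SOAP + WS-Security and a SAML token). Alice, the relying
// parties and the claim values are made up; runs on .NET Framework 4.6+ or .NET Core/5+.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Text;

static class ClaimUris   // claim URIs of CardSpace self-issued cards
{
    const string Ns = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/";
    public const string Ppid = Ns + "privatepersonalidentifier", Email = Ns + "emailaddress", DateOfBirth = Ns + "dateofbirth";
}

// Step 2: what the RP requires, and who it is (its SSL certificate subject in practice).
sealed class RpPolicy { public string Audience; public string[] RequiredClaims; }

// Step 6 output. A SAML assertion in CardSpace; a signed record here.
sealed class SecurityToken
{
    public string Audience; public Dictionary<string, string> Claims;
    public byte[] ProofKey, Signature;   // proof-of-possession key (in practice encrypted to the RP's certificate) and issuer signature
    public RSAParameters IssuerKey;      // issuer public key: a self-issued card's RSA key, or a managed IP's certificate key
    public byte[] SignedBytes() => Encoding.UTF8.GetBytes(Audience + "|" + Convert.ToBase64String(ProofKey) + "|"
        + string.Join(";", Claims.OrderBy(c => c.Key).Select(c => c.Key + "=" + c.Value)));
    // Step 8, client side: prove possession of the token's key by MACing the request with it.
    public byte[] Prove(byte[] request) { using (var mac = new HMACSHA256(ProofKey)) return mac.ComputeHash(request); }
}

sealed class IdentityProvider
{
    readonly RSA key = RSA.Create();
    readonly string cardId; readonly Dictionary<string, string> card;   // card secret (never released) and all its claims
    public IdentityProvider(string cardId, Dictionary<string, string> card) { this.cardId = cardId; this.card = card; }
    public RSAParameters PublicKey => key.ExportParameters(false);
    // Step 6: release only the claims the RP asked for (law #2) with a PPID that differs per RP (law #4).
    public SecurityToken Issue(RpPolicy policy)
    {
        var released = new Dictionary<string, string>();
        foreach (var uri in policy.RequiredClaims)
        {
            if (uri == ClaimUris.Ppid) released[uri] = DerivePpid(policy.Audience);
            else if (card.TryGetValue(uri, out var value)) released[uri] = value;
            else throw new InvalidOperationException("card cannot satisfy " + uri);
        }
        var proofKey = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(proofKey);
        var token = new SecurityToken { Audience = policy.Audience, Claims = released, ProofKey = proofKey, IssuerKey = PublicKey };
        token.Signature = key.SignData(token.SignedBytes(), HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        return token;
    }
    // PPID = SHA-256(card secret || RP identity): two RPs cannot correlate the user by comparing PPIDs.
    string DerivePpid(string audience) { using (var sha = SHA256.Create()) return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(cardId + "\n" + audience))); }
}

// Step 8, RP side: the checklist from the "Relying Parties" slide, in order.
sealed class RelyingParty
{
    public readonly RpPolicy Policy;
    readonly string trustedIssuer;   // modulus of the one issuer key this RP accepts
    public RelyingParty(string audience, RSAParameters issuer, params string[] claims)
    { Policy = new RpPolicy { Audience = audience, RequiredClaims = claims }; trustedIssuer = Convert.ToBase64String(issuer.Modulus); }
    // Returns the slide's "User : IPrincipal": Name is the PPID (what the account table stores), each received claim URI is a role.
    public IPrincipal Authenticate(SecurityToken token, byte[] request, byte[] proof)
    {
        if (token.Audience != Policy.Audience) throw new UnauthorizedAccessException("token was issued for another RP");
        if (Convert.ToBase64String(token.IssuerKey.Modulus) != trustedIssuer) throw new UnauthorizedAccessException("unknown issuer");
        using (var issuer = RSA.Create())
        {
            issuer.ImportParameters(token.IssuerKey);
            if (!issuer.VerifyData(token.SignedBytes(), token.Signature, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1))
                throw new UnauthorizedAccessException("issuer signature does not verify");
        }
        if (!FixedTimeEquals(token.Prove(request), proof)) throw new UnauthorizedAccessException("proof of possession failed");
        foreach (var uri in Policy.RequiredClaims)
            if (!token.Claims.ContainsKey(uri)) throw new UnauthorizedAccessException("required claim missing: " + uri);
        return new GenericPrincipal(new GenericIdentity(token.Claims[ClaimUris.Ppid], "InformationCard"), token.Claims.Keys.ToArray());
    }
    static bool FixedTimeEquals(byte[] a, byte[] b) { int d = a.Length ^ b.Length; for (int i = 0; i < Math.Min(a.Length, b.Length); i++) d |= a[i] ^ b[i]; return d == 0; }
}

static class Program
{
    static void Main()
    {
        var ip = new IdentityProvider("card-7f3a-secret", new Dictionary<string, string> {
            { ClaimUris.Email, "alice@example.test" }, { ClaimUris.DateOfBirth, "1985-03-09" } });
        var shop = new RelyingParty("CN=shop.example.test", ip.PublicKey, ClaimUris.Ppid, ClaimUris.Email);
        var forum = new RelyingParty("CN=forum.example.test", ip.PublicKey, ClaimUris.Ppid, ClaimUris.Email);
        byte[] request = Encoding.UTF8.GetBytes("GET /account");
        var t1 = ip.Issue(shop.Policy);                                  // steps 2-7 for the shop
        var u1 = shop.Authenticate(t1, request, t1.Prove(request));      // step 8
        var t2 = ip.Issue(forum.Policy);                                 // same card, other RP
        var u2 = forum.Authenticate(t2, request, t2.Prove(request));
        Console.WriteLine("shop sees PPID  " + u1.Identity.Name + "\nforum sees PPID " + u2.Identity.Name);   // two different values: directed identity
        Console.WriteLine("date of birth released to the shop? " + u1.IsInRole(ClaimUris.DateOfBirth));       // False: minimal disclosure
        try { forum.Authenticate(t1, request, t1.Prove(request)); }       // the shop's token replayed at the forum
        catch (UnauthorizedAccessException e) { Console.WriteLine("replay rejected: " + e.Message); }
    }
}
```

What the run shows: the shop and the forum get different PPIDs from the same card, because the PPID is derived from the card's secret and the RP's identity (this is how CardSpace keeps self-issued identifiers from being correlated across sites); the date of birth on the card never leaves the IP because neither RP asked for it; and the shop's token replayed at the forum fails the audience check before any signature is examined. The order of the checks in Authenticate matters in practice too: the cheap audience and issuer-allow-list checks run first, so an attacker cannot make the RP do RSA work with a token that was never meant for it.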
WCF Architecture: A, B, C
Address = the direction (where)
Binding = the journey (how)
Contract = the package (what)
WCF Binding
“The magic is in the binding. You can configure it however you want...”
Clemens Vasters
All right, show us the code already!
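For the "Relying Party == Web Service" recipe above (install certificate, use WCF, config, System.IdentityModel) and the A, B, C slide, here is an added example of a WCF service host wired for CardSpace; it is not code from the deck. It targets .NET Framework 3.0 or later (server-side WCF), assumes an SSL certificate with subject rp.example.test is already installed in LocalMachine\My, and the service name, contract and address are made up. The same binding settings can be written in app.config under wsFederationHttpBinding; they are set in code here so that the policy the client will read is visible in one place.

```csharp
// Added example, not from the slides: a WCF relying party that asks CardSpace for a self-issued
// SAML 1.1 token and reads its claims with System.IdentityModel. Targets .NET Framework 3.0+.
// Assumes a certificate "CN=rp.example.test" in LocalMachine\My; names and address are made up.
using System;
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;
using System.IdentityModel.Tokens;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Description;
using System.ServiceModel.Security;

[ServiceContract]                                   // Contract: "the package"
public interface IWhoAmI
{
    [OperationContract] string WhoAmI();
}

public class WhoAmIService : IWhoAmI
{
    public const string Ppid = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier";
    public const string Email = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress";

    public string WhoAmI()
    {
        // By the time the operation runs, WCF has already decrypted the token, verified the issuer
        // signature and checked proof of possession. The claims arrive as ClaimSets; each ClaimSet
        // also names its Issuer, so the RP can tell a self-issued card from a managed one.
        AuthorizationContext ctx = ServiceSecurityContext.Current.AuthorizationContext;
        foreach (ClaimSet set in ctx.ClaimSets)
        {
            foreach (Claim ppid in set.FindClaims(Ppid, Rights.PossessProperty))
                return "PPID " + ppid.Resource + ", issuer: " + DescribeIssuer(set.Issuer);
        }
        throw new FaultException("token carried no PPID claim");
    }

    static string DescribeIssuer(ClaimSet issuer)
    {
        if (issuer.FindClaims(ClaimTypes.Rsa, Rights.PossessProperty).Any())
            return "self-issued card (RSA key)";        // self-issued cards are signed with a per-card RSA key
        Claim thumb = issuer.FindClaims(ClaimTypes.Thumbprint, Rights.PossessProperty).FirstOrDefault();
        return thumb != null ? "X.509 issuer " + BitConverter.ToString((byte[])thumb.Resource) : issuer.ToString();
    }
}

class Program
{
    static void Main()
    {
        // Binding: "the journey". The WS-SecurityPolicy WCF derives from these settings is what the
        // identity selector reads (via WS-MetadataExchange) to decide which cards qualify.
        var binding = new WSFederationHttpBinding(WSFederationHttpSecurityMode.Message);
        var msg = binding.Security.Message;
        msg.IssuedTokenType = "urn:oasis:names:tc:SAML:1.0:assertion";
        msg.IssuedKeyType = SecurityKeyType.AsymmetricKey;            // self-issued cards prove possession with an RSA key
        msg.IssuerAddress = new EndpointAddress("http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self");
        msg.ClaimTypeRequirements.Add(new ClaimTypeRequirement(WhoAmIService.Ppid));
        msg.ClaimTypeRequirements.Add(new ClaimTypeRequirement(WhoAmIService.Email, true));   // optional claim

        // Address: "the direction".
        var host = new ServiceHost(typeof(WhoAmIService), new Uri("http://localhost:8000/whoami"));
        host.AddServiceEndpoint(typeof(IWhoAmI), binding, "");
        host.Description.Behaviors.Add(new ServiceMetadataBehavior { HttpGetEnabled = true });

        // The RP's certificate identifies it to the user and is what the issued token is encrypted to.
        host.Credentials.ServiceCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My, X509FindType.FindBySubjectName, "rp.example.test");
        // A self-issued card is signed with a key CardSpace generated, not a certificate chained to a CA.
        host.Credentials.IssuedTokenAuthentication.AllowUntrustedRsaIssuers = true;

        host.Open();
        Console.WriteLine("Relying party listening at " + host.BaseAddresses[0] + "; press Enter to stop.");
        Console.ReadLine();
        host.Close();
    }
}
```

With the host running, http://localhost:8000/whoami?wsdl exposes the policy assertions the identity selector consumes (token type, key type, issuer, required claims); a WCF client generated from that metadata brings up CardSpace when it calls WhoAmI(). AllowUntrustedRsaIssuers is the setting that makes self-issued cards acceptable; for managed cards from a real IP, leave it false and add that IP's certificate to host.Credentials.IssuedTokenAuthentication.KnownCertificates instead, so that only tokens signed by an issuer you chose are mapped to a user.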
How to get started...
challenge:
Who are you?
References & Links
Microsoft references:
.NET Framework 3.0: http://netfx3.com/
The Laws of Identity: http://msdn2.microsoft.com/en-us/library/ms996456.aspx
Microsoft Open Specification Promise: http://www.microsoft.com/interop/osp/
Microsoft's Vision for an Identity Metasystem: http://msdn2.microsoft.com/en-us/library/ms996422.aspx
Introducing Windows CardSpace: http://msdn2.microsoft.com/en-us/library/aa480189.aspx
Step-by-Step Guide to InfoCard: http://msdn.microsoft.com/msdnmag/issues/06/05/SecurityBriefs/
The .NET Developer's Guide to Identity: http://msdn2.microsoft.com/en-us/library/aa480245.aspx
WCF Essentials: http://msdn.microsoft.com/msdnmag/issues/06/10/WCFEssentials/default.aspx
WCF Bindings and Channels: http://msdn.microsoft.com/msdntv/episode.aspx?xml=episodes/en/20060615WCFCV/manifest.xml
Security in WCF: http://msdn.microsoft.com/msdnmag/issues/06/08/SecurityBriefs/default.aspx
References & Links
Blogs:
Kim Cameron
http://identityblog.com/
Ralph Squillace
http://blogs.msdn.com/ralph.squillace/
Nicholas Allen
http://blogs.msdn.com/drnick/
Garret Serack
http://blogs.msdn.com/garretts/
Channel 9:
Vittorio Bertocci: WS-Trust - Under the Hood
http://channel9.msdn.com/showpost.aspx?postid=241455
References & Links
Misc:
Firefox Identity Selector AND Java based Relying Party
http://xmldap.org/
Google Trends
http://google.com/trends
http://www.zephoria.org/thoughts/archives/2005/09/05/why_web20_matte.html
http://ricksegal.typepad.com/pmv/2005/10/web_20_a_check.html
http://www.windows-now.com/blogs/rdawson/archive/2005/05/05/14016.aspx
References & Links
WayGroup:
http://www.dotway.se/
http://www.jayway.se/
http://www.testway.se/
http://www.leadway.se/
http://www.realway.se/
Code Monkey:
http://www.jonathancoulton.com/