Welcome to Windows Communication Foundation (WCF)
All Tags » Security

  • Common Problems Composing Security with Streaming

    Security and streaming are two features that often do not get along with each other. Although the concepts are not inherently in conflict, their implementations often do things that cause problems for the optimal execution of the other. You may have seen that the message security channel, like the reliable messaging channel, in its native mode likes to buffer messages. This is because signing is one of the aspects of message security. The message signature is typically computed based on the contents of the message to allow detection of any changes. Although you could still achieve some benefit from streaming on the network and on the client, buffering of the message requires storage space on the server even though that storage space doesn't have to be in memory. Pre-computation of the message also negates one of the major benefits of streaming: the interleaving between computation and transmission of the data. A stream security mechanism, such as SSL, is one way to avoid this buffering problem. Stream-to-stream transformations tend to be less likely to assume complete knowledge of the data than message-to-message transformations. One popular combination to use streaming with message security is to secure transmission of the messages with stream security and to use message security only for passing credentials. HTTP authentication is another implementation that in some cases needs to buffer messages. HTTP defines a challenge and response for its basic authentication model. You might be able to predict the challenge and send the appropriate response as part of the request. If not, then the request needs to be transmitted from the beginning when the challenge response is supplied. In most cases it would be difficult to completely regenerate the request. Instead, the transmitted portion of the request is buffered so that it can be transmitted again.
    It is unpredictable how much of the request needs to be buffered since the challenge is asynchronous with respect to the response. This leads to many implementations that either do not work with streaming or only work when the HTTP server behaves nicely. The server may read as little or as much of the request as it likes before deciding to initiate the challenge. In practice though, the server most likely would like to issue the challenge sooner rather than later so that it can stop processing the request. Next time: Working with Session State
  • Certificate Stores

    An index of all of the different standard stores for certificates used to authenticate with a service. There are two store locations: one for the stores for the local machine and one for the stores for the current user. There's no way to directly reference the location of the stores for some other particular user besides the current user. Here are the eight standard stores. The My store keeps your personal certificates that you use and is where most custom certificates go. The Disallowed store keeps certificates that have been revoked so they aren't forgotten. The AddressBook store keeps certificates for other people and resources. The TrustedPeople store keeps certificates for other people and resources that you trust. The TrustedPublisher store keeps certificates for application publishers that you trust. The Root store keeps certificates for certificate authorities that you trust. The CertificateAuthority store keeps certificates for intermediate certificate authorities. The AuthRoot store keeps certificates for other third-party certificate authorities. Next time: Cross Domain Policy
  • Composing Compression and Encryption

    Encryption is counterproductive for compression if the two features aren't used together correctly. Generally, you want to compress first and then encrypt. This is the order that naturally happens when you compress at the encoding level and encrypt at the transport level. You tend to get disadvantageous results if you encrypt first and then compress. This order can happen when you encrypt early on, such as when you use message security with transport compression, or if you attempt to apply compression from outside the system after encryption has already taken place. If you think about how a typical lossless compression method works, it is exploiting repeatability or non-randomness in the uncompressed content. Completely random content will tend to compress very poorly, possibly even growing in size, because there is no statistical redundancy to eliminate. On the other hand, completely predictable content will tend to compress very well. Text and many kinds of binary content that are not already compressed tend to at least be somewhat predictable. Most secure encryption mechanisms will transform content such that the result is very close to being random. Statistical tendencies in the resulting encryption output could be a way to attack the encryption mechanism, possibly revealing the original content or even the secrets used for encryption. Therefore, the encrypted output tends to be more random than the original content. If the original content was fairly predictable, then this can cause a significant decline in compression effectiveness. This makes encrypted content a poor candidate for compression. Next time: Getting Better Time Formats
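The size comparison below is an added example, not code from the original post: it measures both composition orders on a repetitive XML payload. The HMAC-SHA256 counter-mode keystream is an assumed stand-in for the transport cipher (SSL in the post), and the key, nonce and sample message are constructed demo values.

```python
import hashlib
import hmac
import zlib

# Constructed demo values; not from the original post and not for production use.
DEMO_KEY = b"demo-key-for-illustration-only"
DEMO_NONCE = b"nonce-01"

# Constructed sample: a repetitive XML payload of the kind a service might return.
SAMPLE_MESSAGE = "".join(
    f"<Order><Id>{i}</Id><Status>Shipped</Status></Order>" for i in range(200)
).encode("utf-8")


def xor_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt by XOR with an HMAC-SHA256 counter-mode keystream.

    Assumed stand-in for the real transport cipher, chosen so the example runs
    offline with the standard library. Like any stream cipher it turns
    structured input into output with no usable statistical redundancy.
    The same call decrypts because XOR is its own inverse.
    """
    out = bytearray()
    for counter, offset in enumerate(range(0, len(data), 32)):
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def compress_then_encrypt(data: bytes, key: bytes, nonce: bytes) -> bytes:
    """Recommended order: squeeze out redundancy first, then hide the result."""
    return xor_keystream(key, nonce, zlib.compress(data, 9))


def encrypt_then_compress(data: bytes, key: bytes, nonce: bytes) -> bytes:
    """Problematic order: the compressor only ever sees pseudo-random ciphertext."""
    return zlib.compress(xor_keystream(key, nonce, data), 9)


def decrypt_then_decompress(blob: bytes, key: bytes, nonce: bytes) -> bytes:
    """Inverse of compress_then_encrypt."""
    return zlib.decompress(xor_keystream(key, nonce, blob))


def size_ratios(data: bytes, key: bytes = DEMO_KEY, nonce: bytes = DEMO_NONCE) -> dict:
    """Return output size divided by input size for each composition order."""
    return {
        "compress_only": len(zlib.compress(data, 9)) / len(data),
        "compress_then_encrypt": len(compress_then_encrypt(data, key, nonce)) / len(data),
        "encrypt_then_compress": len(encrypt_then_compress(data, key, nonce)) / len(data),
    }


if __name__ == "__main__":
    for order, ratio in size_ratios(SAMPLE_MESSAGE).items():
        print(f"{order:>22}: {ratio:.3f} of original size")
```

Compress-then-encrypt keeps the gain of compressing the structured payload, while encrypt-then-compress comes out at or above the original size, the outcome the post describes.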
  • Certificate Revocation Cache

    How do I force propagation of changes to information about a certificate revocation list after an update? A service is going to have several kinds of caching around the information that links the certificate to revocation information. The first kind of caching is based on the revocation mode of the certificate. A revocation mode of NoCheck disables checking on the certificate, while a revocation mode of Offline directs checking to use a cached certificate revocation list. A revocation mode of Online gets the freshest data. The second kind of caching is at the service process. Information is stored in memory as long as the process continues to run to reduce the number of active checks required. This memory cache is cleared when the process restarts. The third kind of caching is at the machine. Information is cached by the machine for a limited time to again reduce the number of active checks required. The machine cache can be viewed by running "certutil -urlcache", and the same command is used to delete or force updating of specific cache entries. Next time: Getting Rid of Namespaces
  • WCF Security Guide Released

    If you've been following along, I have mentioned the WCF security guide project being worked on in the patterns and practices team a few times now. After months of drafts and betas, the complete guide is now ready for official release. The WCF security guide is available as a free download.
  • Trusting IP Addresses

    How do I find the address of a client connection to make a trust decision? Don't base security decisions on the perceived client address. Any address that we have comes from the underlying socket implementation and could be spoofed. The data that the socket has is sourced by the client. You should be using a source of information that has a verification process that the server trusts, such as a certificate, to distinguish clients. Next time: Reader Trends
  • Help with Security Programming

    Security programming today tends to contain a large amount of plumbing code to handle the modeling, management, and evaluation of identities. An identity is the basis of many common security operations, such as authentication, personalization, authorization, and access control. There are a variety of different kinds of identities and ways of implementing security operations on top of those identities. Here are two libraries that help make dealing with identities easier. Zermatt is a claims-based identity system that focuses on simplifying the use of claims in web services. You can download Zermatt from its Connect site. LeastPrivilege.IdentityModel is a library by Dominick Baier that simplifies the existing identity model rather than introducing a new one. You can download LeastPrivilege.IdentityModel from leastprivilege.com. Next time: Trusting IP Addresses
  • Configuring SSL Host Headers

    Host headers in IIS are a way to associate multiple names with a single address. The typical use of host headers is to be able to host more than one web site at a single IP address by giving each of the web sites a distinct DNS name. Host headers also play a role in WCF beyond the definition of a web site. Metadata for a web service, such as that appearing in WSDL, uses host headers as a way to pick a preferred name when talking about the service. The user interface for setting host headers is relatively straightforward when the web site is hosted over HTTP but becomes a challenge when the web site is hosted over HTTPS. Here are the command line equivalents that you can use to set HTTPS host headers. On IIS 6, you need to know the id of the web site. Assuming that SSL is taking place on the default port, the command looks like this.

        cscript.exe adsutil.vbs set w3svc/<id>/SecureBindings ":443:<header>"

    On IIS 7, the command line looks very different due to the more flexible but complicated support for different web site bindings. You can also use a name that's meaningful for you to distinguish web sites.

        appcmd set site /site.name:<name> /+bindings.[protocol='https',bindingInformation='*:443:<header>']

    To keep the example simple, I'm assuming that you're adding a new binding rather than modifying an existing binding. Next time: Transaction Header Magic
  • Security Session Inactivity

    What does the InactivityTimeout on a secure channel do? The inactivity timeout on a message security channel controls how long the channel will allow pending security sessions to linger in its cache before giving up on them. This is completely different from the inactivity timeout on a reliable messaging channel, which controls how long the reliable session will live without an infrastructure message before being torn down, and the inactivity timeout in the application, which controls how long the service instance will live without an application message before being torn down. Next time: JSON Service Speed
  • Mapping Client Certificates

    Whenever my service receives a message the service operation fails because the user identity is not mapped to a Windows identity. How can I make this mapping? What's probably going wrong is that the user identity is specified by a certificate but there's no active mapping from the client certificate to a Windows account. By default, no mapping is performed. You can enable certificate mapping by setting mapClientCertificateToWindowsAccount on the service credentials to be true.

        <serviceCredentials>
          <clientCertificate>
            <authentication mapClientCertificateToWindowsAccount="true" />
          </clientCertificate>
        </serviceCredentials>

    The actual mappings are not provided by the service configuration. Mappings are typically defined using the certificate mapping features of either IIS or Active Directory. IIS mappings can be varied from web site to web site, but it's difficult to manage more than a small number of mappings. Active Directory mappings are the same all across the directory, but the centralized directory makes the mappings easier to manage. Next time: How WebServiceHost Works
  • Improving Web Services Security Beta Guide

    The WCF Security Guide content that I've mentioned a few times before is now done with early drafts and has been rolled up into a beta release of the full book. There's a ton of content in the real thing on top of what you've been seeing in the drafts. You can download the beta of the full security guide from CodePlex now. If you want to know what I think about the guide, here's the foreword I wrote for them: The computer industry has come to a realization – based on many years of slowly learning from painful experiences – that computer networks are hostile environments. Nevertheless, computer users demand as part of their basic expectations that applications take advantage of the ubiquitous and continuously available connectivity at their disposal to deliver a rich connected experience. It is now your task to design and assemble the loosely coupled service components that you have available in a way that blunts threats and thwarts attacks on the user’s precious assets. Your applications must withstand the hazards of living in a hostile networked environment. To make that possible, you must understand the risks that your applications face and you must be certain that the remedies you put in place properly mitigate the dangers of those risks. As someone who has been through several rounds of security and threat modeling for Windows Communication Foundation, I can say without hesitation that knowledge and experience are your greatest assets for designing secure Web service applications. The trick is to gain as much of that knowledge as possible from the painful experiences of other people rather than painful experiences of your own. J.D. Meier and team have done a fantastic job of assembling and digesting countless practical experiences into a convenient and centralized resource. 
    Practitioners of service-oriented development with WCF will want to use this guide as both a means of learning about the fundamentals of Web service security and a reference for getting specific, step-by-step instructions for dozens of the most common security problems. I enjoy that this guide collects together several different approaches for learning about and implementing security solutions. By combining a variety of formats – scenarios, how-to articles, and guidelines are only a sample of the offered modes – solutions are both reinforced and made more easily discoverable through different entry points. The reason that I’m so excited to see Improving Web Services Security: Scenarios
  • Updates to WCF Security Guidance

    After the first announcement for the WCF Security Guidance Project, the amount of content has grown tremendously. Here's a summary of what's new over the last month.

    Seven new application scenarios:
        Intranet - Web to Remote WCF Using Transport Security (Trusted Subsystem, TCP)
        Intranet - Web to Remote WCF Using Transport Security (Trusted Subsystem, HTTP)
        Intranet - Web to Remote WCF Using Transport Security (Original Caller, TCP)
        Intranet - Windows Forms to Remote WCF Using Transport Security (TCP)
        Internet - Web to Remote WCF Using Transport Security (Trusted Subsystem)
        Internet - Windows Forms Client Calling WCF Using Message Security
        Internet - WCF and ASMX Client to Remote WCF Using Transport Security (HTTP)

    More than eighty annotated guidelines.

    Six new how-to guides:
        How To - Perform Input Validation in WCF
        How To - Perform Message Validation with Schemas in WCF
        How To - Use basicHttpBinding with Windows Authentication and TransportCredentialOnly in WCF from Windows Forms
        How To - Use Certificate Authentication and Message Security in WCF calling from Windows Forms
        How To - Use netTcpBinding with Windows Authentication and Message Security in WCF from Windows Forms
        How To - Use wsHttpBinding with Username Authentication and TransportWithMessageCredential in WCF calling from Windows Forms

    Answers to more than one hundred security questions.
  • Messaging Additions in Orcas, Part 2

    Continuing on with the theme of messaging additions in Orcas, today I'll look at some more of the protocols and community-driven features that were added.

    WS Atomic Transaction 1.1. Transactions tie together multiple participants in a distributed application. The framework of transactions is built on various coordination protocols between parties. Transactions are a kind of coordination in which either all or none of the parties agree to perform an action.

    Validation for issued token certificates. We've added support for configuring the certificate validation policy for issued token authentication, similar to the configuration for other certificates that are used for service credentials.

    Flowing SAML tokens. We've added support to flow a SAML assertion without having to re-sign the token. This allows these assertions to be handled by proxies without special configuration.

    Using message contents for authorization. We've added support to ServiceAuthorizationManager for performing access checks that make use of the body of the message.

    WS Secure Conversation 1.3. A secure conversation is an exchange of multiple, protected messages. Using a conversation mechanism allows a security context to be established across several messages, which performs better than having to exchange security keys with every message.

    WS Trust 1.3. Building a secure conversation requires that the two parties exchange security credentials. In order to perform this exchange, the two parties need to establish a trust relationship where they can evaluate the assertions made by the other side.

    The protocols that I've talked about today and last time are available through the new WS2007HttpBinding and WS2007FederationHttpBinding as updates to the previous web service standard bindings. Next time: Messaging Additions in Orcas, Part 3
  • PayPal to Ban Browsers without Anti-phishing Technology

    This is another step in the right direction to make the web a safer place: Online payment service PayPal plans to block users from making transactions from Web browsers that don't provide anti-phishing protection.
    http://www.eweek.com/c/a/Security/PayPal-Plans-to-Ban-Unsafe-Browsers/
    http://news.bbc.co.uk/2/hi/technology/7354539.stm
    In a white paper that outlines a five-pronged action plan aimed at slowing the phishing epidemic, PayPal Chief Information Security Officer Michael Barrett said there's a "significant set of [PayPal customers] who use very old and vulnerable browsers" and made it clear that any browser that falls into the "unsafe" category will be banned. "In our view letting users view the PayPal site on [an unsafe] browser is equal to a car manufacturer allowing drivers to buy one of their vehicles without seatbelts." So if you're a browser maker that doesn't provide any anti-phishing protection and doesn't support the use of EV (Extended Verification) SSL certificates, then you better get an update out soon!
  • Hosting Identity

    How can I run a service operation hosted in IIS using a specific identity? There are two ways for your operation to be running using a specific identity: start off running under that identity; or, start off running under a different identity and change to the right identity later. You can make either approach work, although having to change the identity every time a service operation is called will introduce a small performance hit. Let's look at the two options. Impersonation is a mechanism that you can use to change to the right identity when the service operation is invoked. I've talked about impersonation in the past, mostly for impersonating the caller rather than impersonating a specific identity. However, impersonating a specific identity works in much the same way in terms of the Windows calls involved and is generally simpler in terms of the service setup required. That simplicity partially comes from not having the client involved in the act of impersonation but also because impersonating a specific identity doesn't have the same level of configurable options for automatically applying impersonation rules. The application pool is a mechanism that you can use to start with the right identity. This approach assumes that your service always wants to be running under the same specific identity. That partially covers the case of those missing configuration options. By default your application pool runs under the Network Service account. You can change that application pool identity to be any specific identity you want.
        Configuring Application Pool Identity with IIS 6.0 (IIS 6.0)
        IIS 7.0: Specify an Identity for an Application Pool
    This may require reorganizing how applications map into pools because the identity is shared by everyone in that pool. Next time: Why Dual is Reliable

Copyright © 2006 Microsoft Corporation. All Rights Reserved.