secure and authenticated .net development in a distributed world

Post on 12-Sep-2021


Secure and authenticated .NET development in a distributed world

Magnus Mårtensson

magnus.martensson@dotway.se

http://blog.noop.se/

Google Trends: mashup

mashup

mashing

Globalization + Localization = ?

Globalization + Localization = Glocalization

Web 2.0 is about glocalization

Google Trends: Web 2.0 vs. dot com

web 2.0

dot com

Web 2.0:

A new breed of Web Services

new

newer

old stuff

Lots of Bandwidth

Lots of Storage

Lots of Users

How to get started...

Gentlemen: Let’s start our engine!

Service Host Client

Danger! Identity theft

Spoofing

Phishing

Phraud

Malware

Social Engineering

Password fatigue

Social Engineering?

Password fatigue?

Trust

Pressclips

Trust

The Internet was founded on

anonymity

Trust

Identity is inevitable

Is identity really inevitable?

Identity is inevitable proof!

•Users want online experiences

•Users need to be able to trust

•We have to build trustful applications

•Developers have to build trustful applications

•We developers have to know who it is we’re trusting

Identity is inevitable!

Trust

identity...

public class User : IPrincipal
{
    [...];
}

Identity Centric Architecture (ICA)

secure

distributed

open

owner controlled digital identity

Digital Identity

? ? ? ? ? ? ? ? ? ?

Your application

Identity Centric Architecture

ICA

Single sign-on (SSO)

Federated Identity

Alice

Application 1 Application 2 Application 3

Client: Alice’s ID

Application 1 Application 2

Alice wants to login!

Which security level does Alice have?

Alice is “level 2”!

Security Assertion Markup Language (SAML)

Trust

Kim Cameron

Architect of Identity Access, Connected Systems Division, Microsoft

http://identityblog.com/

Identity is inevitable!

brilliant man!

The 7 laws of identity (done quick)

#1 User Control and Consent

Trust

#2 Minimal Disclosure for a Constrained Use

Yes I am really 18! No I am too young!

xxx

#3 Justifiable Parties

#4 Directed Identity

#5 Pluralism of Operators and Technologies

#6 Human Integration

#7 Consistent Experience Across Contexts

… the 7 laws of identity!

WS-*

WS-Security

WS-Trust

WS-MetadataExchange

September 12, 2006

Microsoft Open Specification Promise (OSP)

“Microsoft irrevocably promises not to assert any Microsoft Necessary Claims against you for making, using, selling, offering for sale, importing or distributing any implementation to the extent it conforms to a Covered Specification”

“This is a personal promise directly from Microsoft to you […]”

“There is no need for sublicensing.”

“This promise is directly applicable to you and everyone else who wants to use it.”

Microsoft Open Specification Promise: covered specifications

Remote Shell Web Services Protocol

WS-I Basic Profile

SOAP

WS-Management

SOAP 1.1 Binding for MTOM 1.0

WS-Management Catalog

SOAP MTOM / XOP

WS-MetadataExchange

SOAP-over-UDP

WS-Policy

Web Single Sign-On Interoperability Profile

WS-PolicyAttachment

Web Single Sign-On Metadata Exchange Protocol

WS-ReliableMessaging

WS-Addressing

WS-RM Policy

WS-AtomicTransaction

WS-SecureConversation

WS-BusinessActivity

WS-Security: Kerberos Binding

WS-Coordination

WS-Security: Kerberos Token Profile

WS-Discovery

WS-Security: Rights Expression Language (REL) Token Profile

WSDL

WS-Security: SAML Token profile

WSDL 1.1 Binding Extension for SOAP 1.2

WS-Security: SOAP Message Security

WS-Enumeration

WS-Security: UsernameToken Profile

WS-Eventing

WS-Security: X.509 Certificate Token Profile

WS-Federation

WS-SecurityPolicy

WS-Federation Active Requestor Profile

WS-Transfer

WS-Federation Passive Requestor Profile

WS-Trust

Mark Webbink

“Red Hat believes that the text of the OSP gives sufficient flexibility to implement the listed specifications in software licensed under free and open source licenses. We commend Microsoft’s efforts […]”

“I see Microsoft’s introduction of the OSP as a good step by Microsoft to further enable collaboration between software vendors and the open source community.”

Lawrence Rosen

Ann Cavoukian

Ph.D., Information and Privacy Commissioner, Ontario, CA

Your code / Proxy

What is trust?

Service Instance

WWW / Session

simple

consistent

secure way

represent identity

Put users in control of their identity(s)

Based on standards

Accepted and adopted by the industry

Windows CardSpace (WCS)

Old .NET Framework 3.0

WPF

WF

WCF

Why is WCS in .NET 3.0?

Final .NET Framework 3.0

Because it ships with Vista!

WCS

WPF WF

WCF

How does Trust work?

Protocol Drill Down

Identity Provider (IP)

Relying Party (RP)

Client

User

1) Client would like to access a resource

2) RP provides identity requirements: format, claims & issuer of security token

3) Client shows which of known IPs can satisfy requirements

4) User selects an IP

5) Request to chosen IP for security token

6) IP generates security token based on RP’s requirements

7) User approves/rejects the release of token

8) Token is released to RP; RP reads claims and allows access

WS-Trust

Self-issued cards (s-i-c)

No more password fatigue!

The others

•Shibboleth

•BBAuth

•OpenID

•?

Windows Communication Foundation (WCF)

WCF is uninteresting

“WCF is uninteresting […] because they have done such a good job of removing communication details from my problem space.”

“The plug-and-send architecture is easy, and doesn't require much thought.”

Ryan Dawson

WCF Security in a Nutshell

secures message exchange between entities

secures access to resources by entities

Entity == person, company, software, ...

Resource == file, service, operation, ...

How? WCF, WS-* and CardSpace!

•Describe policy… –WS-SecurityPolicy

•Retrieve policy… –WS-MetadataExchange

•Security Token Service… –WS-Trust

•Messages…–SOAP and WS-Security

•Security token format…–Anything RP wants and IP can provide

•End-to-end experience is driven by an identity selector on the client–CardSpace is an identity selector for Windows

How? WCF, WS-* and CardSpace!

WCS WS-* WCF

Playing the Roles: What it takes to be a(n)…

1) Identity Provider

2) Relying Party

3) Client

Role 1: Identity Providers

All Identity Providers need:

–SSL Certificate

•Provides identity to user and used to sign the security token

•High Assurance certificate with logotype preferred

–Security Token Service

•Processes token request, authenticates user, creates token

–One Information Card per user

•Contains security token metadata

Examples:

–Employer, school, bank, government, club

–The user!

Role 2: Relying Parties

SSL Certificate

–High Assurance certificate with logotype preferred

Policy describing token requirements

Security token processing code

–Decrypt token, verify issuer signature, verify proof of possession, examine claims, identify user, authorize

Examples of relying parties

–Any site or service

Relying Party == Web Service

•Install certificate

•use WCF

•Config

•System.IdentityModel

Relying Party == Web Site

•Do websites need to support WS-*? No!

•To add Information Card support:

–Modify the login and registration pages

•Add a button with Information Card object tags

•Add code to process posted security token

–Issue cookies as usual to authorized users

–Update the account database

•Add a field to store the “user identifier” claim
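The protocol drill-down above (steps 1 through 8) and the relying party's token processing (verify issuer signature, examine claims, identify user, authorize), modeled end to end as an added Python example that is not part of the original deck. It simplifies deliberately: an HMAC over a JSON body stands in for the issuer's XML signature on a SAML token, token encryption and proof of possession are omitted, and the issuer URLs, keys and card contents are constructed sample values.

```python
import hashlib, hmac, json

# Constructed sample data (not from the original deck). Assumption: a shared HMAC key
# stands in for each Identity Provider's X.509 signature on a real SAML token.
IP_KEYS = {"https://bank.example/sts": b"bank-signing-key"}
# Information Cards held by the user's identity selector, with the claims each IP can assert.
CARDS = [
    {"issuer": "https://bank.example/sts",
     "claims": {"age_over_18": "true", "account": "12345", "name": "Alice"}},
    {"issuer": "https://school.example/sts", "claims": {"student_id": "s-99"}},
]
# Step 2: the Relying Party's policy: which claims it needs and which issuers it trusts.
RP_POLICY = {"claims": ["age_over_18"], "issuers": ["https://bank.example/sts"]}

def cards_satisfying(policy, cards):
    """Step 3: only cards whose issuer and claims can satisfy the RP's policy are offered."""
    return [c for c in cards if c["issuer"] in policy["issuers"]
            and all(k in c["claims"] for k in policy["claims"])]

def ip_issue_token(policy, card, audience):
    """Steps 5-6: the IP signs a token carrying only the requested claims (law #2,
    minimal disclosure): 'account' and 'name' never leave the IP."""
    body = {"issuer": card["issuer"], "audience": audience,
            "claims": {k: card["claims"][k] for k in policy["claims"]}}
    payload = json.dumps(body, sort_keys=True).encode()
    sig = hmac.new(IP_KEYS[card["issuer"]], payload, hashlib.sha256).hexdigest()
    return {"payload": payload, "signature": sig}

def rp_accept_token(policy, token, audience, trusted_keys):
    """Step 8: verify issuer, signature and audience, then examine claims; None means deny."""
    body = json.loads(token["payload"])
    key = trusted_keys.get(body["issuer"])
    if key is None or body["issuer"] not in policy["issuers"]:
        return None  # issuer the policy does not trust
    expected = hmac.new(key, token["payload"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["signature"]):
        return None  # tampered or forged token
    if body["audience"] != audience:
        return None  # token was issued for a different RP
    if not all(k in body["claims"] for k in policy["claims"]):
        return None  # required claim missing
    return body["claims"]

def cardspace_flow(policy, cards, audience, chosen=0, user_approves=True):
    """Steps 1-8 end to end: the user picks a card (step 4) and approves release (step 7)."""
    candidates = cards_satisfying(policy, cards)
    if not candidates or not user_approves:
        return None
    token = ip_issue_token(policy, candidates[chosen], audience)
    return rp_accept_token(policy, token, audience, IP_KEYS)
```

A real relying party would additionally decrypt the token, check its validity period and verify proof of possession before trusting the claims.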

Role 3: Client Applications

•Rich clients

–Use WCF and System.IdentityModel

•Browsers

–IE7.0 ships with icardie.dll

•Reads HTML tag and calls CardSpace system

–Other browsers can do the same on Windows

•Mac, Linux clients need an identity selector and a WS-* stack!

[...]

WCF Architecture

A

B

C

Address

Binding

Contract

Address = the direction

Contract = the package

WCF Architecture

Binding = the journey

WCF Binding

”The magic is in the binding. You can configure it however you want...”

Clemens Vasters

All right, show us the code already!

How to get started...

challenge:

Who are you?

References & Links

Microsoft references:

.NET Framework 3.0: http://netfx3.com/

The Laws of Identity: http://msdn2.microsoft.com/en-us/library/ms996456.aspx

Microsoft Open Specification Promise: http://www.microsoft.com/interop/osp/

Microsoft's Vision for an Identity Metasystem: http://msdn2.microsoft.com/en-us/library/ms996422.aspx

Introducing Windows CardSpace: http://msdn2.microsoft.com/en-us/library/aa480189.aspx

Step-by-Step Guide to InfoCard: http://msdn.microsoft.com/msdnmag/issues/06/05/SecurityBriefs/

The .NET Developer's Guide to Identity: http://msdn2.microsoft.com/en-us/library/aa480245.aspx

WCF Essentials: http://msdn.microsoft.com/msdnmag/issues/06/10/WCFEssentials/default.aspx

WCF Bindings and Channels: http://msdn.microsoft.com/msdntv/episode.aspx?xml=episodes/en/20060615WCFCV/manifest.xml

Security in WCF: http://msdn.microsoft.com/msdnmag/issues/06/08/SecurityBriefs/default.aspx

References & Links

Blogs:

Kim Cameron

http://identityblog.com/

Ralph Squillace

http://blogs.msdn.com/ralph.squillace/

Nicholas Allen

http://blogs.msdn.com/drnick/

Garret Serack

http://blogs.msdn.com/garretts/

Channel 9:

Vittorio Bertocci: WS-Trust - Under the Hood

http://channel9.msdn.com/showpost.aspx?postid=241455

References & Links

Misc:

Firefox Identity Selector AND Java based Relying Party

http://xmldap.org/

Google Trends

http://google.com/trends

http://www.zephoria.org/thoughts/archives/2005/09/05/why_web20_matte.html

http://ricksegal.typepad.com/pmv/2005/10/web_20_a_check.html

http://www.windows-now.com/blogs/rdawson/archive/2005/05/05/14016.aspx

References & Links

WayGroup:

http://www.dotway.se/

http://www.jayway.se/

http://www.testway.se/

http://www.leadway.se/

http://www.realway.se/

Code Monkey:

http://www.jonathancoulton.com/

Techie.notepad

http://blog.noop.se
