BẢO MẬT TRONG WCF (Security in WCF)

PowerPoint PPT presentation transcript
Security in WCF. Group 2: Lê Xuân Mạnh, Nguyễn Xuân Kỳ, Trạc Minh Thắng, Trần Minh Hùng. Main contents: overview of WCF security; some common security flaws; how WCF addresses them; the basic features of WCF security; the steps to follow when programming; and a number of configuration examples.

Presentation Transcript


BẢO MẬT TRONG WCF (Security in WCF)

Group 2:

Lê Xuân Mạnh

Nguyễn Xuân Kỳ

Trạc Minh Thắng

Trần Minh Hùng


Main contents

  • Overview of WCF security

    • Some common security flaws

    • How WCF addresses these flaws

    • Basic features of WCF security

  • Steps to follow when programming

  • Configuration examples

    • Configuring auditing, message logging and tracing

    • Configuring netTcpBinding in Message security mode

    • Creating and using certificates in Message security mode


Part I. OVERVIEW OF WCF SECURITY

1. Some common security flaws

  • Eavesdropping on messages on the network to extract sensitive information. For example, a client logs in to a system by sending only the account name and password as unencrypted text. An attacker can capture the message and pull the account name and password out of it.

  • Impersonating a service without the client noticing. This is the same idea as web phishing: a fake site is built to look like one the user is familiar with (a webmail site or a bank's site). The user enters the account name and password into the fake site, and the attacker now has those credentials.

  • Tampering with message contents. An attacker can alter the contents of a message without either the client or the service being aware of it.


2. How WCF addresses these flaws

Securing the messages exchanged between a client and a WCF service requires attention to the following points:

  • Authenticating the service endpoint

  • Authenticating the client

  • Message integrity

  • Message confidentiality

  • Replay detection (a request from the client or service being repeated when the client or service did not actually issue it again)


3. WCF integrates existing security mechanisms

  • WCF works with existing security solutions such as Secure Sockets Layer (SSL) and the Kerberos protocol.

  • It also works with the security architecture already in use, such as a Windows domain using Active Directory.

  • WCF integrates with the existing transport-level security models, and an existing infrastructure can be migrated to the newer models based on securing the SOAP messages themselves.


4. Integrating existing authentication models

Any security model must authenticate the entities taking part in a data exchange. The entities in this process use electronic identities, also called credentials.

The methods for authenticating them to the party they are exchanging data with include:

  • Username client credential

  • Certificate client credential

  • Windows (Kerberos and NT LAN Manager, NTLM)


5. Interoperability

Security must also work across environments in order to build secure systems.

Companies use web services with a range of different standards, such as WS-Security, SOAP Message Security, WS-Trust, WS-SecureConversation and WS-SecurityPolicy.

With WCF services we can use WSHttpBinding, which supports WS-Security 1.1 and WS-SecureConversation.


6. Security areas in WCF

Security in WCF is divided into three functional areas:

  • Transfer security

  • Access control

  • Auditing


Transfer Security

Transfer security covers three main functions: integrity, confidentiality and authentication.

  • Integrity is the ability to detect whether a message has been altered.

  • Confidentiality is the ability to keep a message unreadable by unauthorized parties, using cryptography.

  • Authentication is the ability to verify that a claimed identity is genuine.

  • Combining the three gives assurance that messages are sent securely and arrive where they are meant to.


Transfer Security

There are two main ways to implement transfer security in WCF: transport security mode and message security mode.


  • Transfer Security

Transport security mode uses transport-layer protocols such as HTTPS to provide security. Its advantages are that it is widely supported across many platforms and that it costs less computation.

Its drawbacks are that it secures messages only point-to-point (protection ends at each hop, so an intermediary sees the plaintext) and that it is tied to the transport protocol. Message security mode uses the WS-Security standard, is independent of the transport protocol, is extensible and secures messages end-to-end (instead of point-to-point), at the cost of more computation and therefore lower throughput than transport mode.


  • Transfer Security

  • Bindings whose default is Message security: WSHttpBinding, WS2007HttpBinding, WSDualHttpBinding, WSFederationHttpBinding and WS2007FederationHttpBinding.

  • Bindings whose default is Transport security: NetTcpBinding, NetNamedPipeBinding, NetMsmqBinding, NetPeerTcpBinding and MsmqIntegrationBinding.


Access control (Authorization)

Authorization lets different users have different rights to view data.

In WCF, access control is provided through integration with the CLR (common language runtime), via the PrincipalPermissionAttribute class and a set of APIs.


Auditing

  • Auditing is the process of recording security events, such as successful and failed authentication, in the Windows event log.


Authentication and Authorization

  • Authorization first requires authentication. To authorize, you must be able to identify the client.

  • The client can identify itself by presenting evidence such as a Windows account, a user name and password, or a certificate.

  • The client must also know that it is calling the service it intends to call. The service can identify itself by presenting a certificate.


Authentication and Authorization

Authentication lets you identify the client and the service through the information they send. WCF supports the following credential types when you use transport security mode:

  • Windows. The client uses a Windows token representing the identity of the Windows user. The service uses the credentials of its process identity or an SSL certificate.

  • Basic. The client uses a user name and password. The service uses an SSL certificate. This option is available only with the HTTP protocols.

  • Certificate. The client uses an X.509 certificate; the service uses either a certificate or an SSL certificate.

  • NTLM. The client authenticates with its Windows credentials via NTLM; the service uses an SSL certificate. This option is available only with the HTTP protocols.

  • None. The service does not authenticate the client.


  • WCF supports the following credential types when you use message security mode:

  • Windows. The client uses a Windows token representing the Windows user. The service uses the credentials of its process identity or an SSL certificate.

  • UserName. The client passes a user name and password to the service.

  • Certificate. The client uses an X.509 certificate; the service uses either a certificate or an SSL certificate.

  • IssuedToken. Client and service use a Security Token Service.

  • None. The service does not authenticate the client.


  • WCF supports three basic approaches to authorization:

  • Role-based. Access to the service and its operations is based on the user's role.

  • Identity-based. Access is based on claims made within the user's credentials. This approach is typically used with issued-token authentication.

  • Resource-based. Resources, such as the WCF service itself, are protected with Windows Access Control Lists (ACLs).
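The three approaches above applied to one service, as an added example (not code from the slides). It assumes a NetTcpBinding with Windows client credentials in message mode, so each caller arrives with a WindowsIdentity; the group name BUILTIN\Users, the report path and the endpoint address are illustrative assumptions.

```csharp
using System;
using System.IdentityModel.Claims;
using System.IO;
using System.Security.Permissions;
using System.Security.Principal;
using System.ServiceModel;
using System.ServiceModel.Description;

[ServiceContract]
public interface ICalculator
{
    [OperationContract]
    double Add(double a, double b);

    [OperationContract]
    string ReadReport();
}

public class Calculator : ICalculator
{
    // Role-based: the CLR evaluates the demand against Thread.CurrentPrincipal
    // before the body runs. A caller outside the role gets a
    // SecurityAccessDeniedException, returned to the client as a generic fault
    // (no detail unless includeExceptionDetailInFaults is on).
    [PrincipalPermission(SecurityAction.Demand, Role = @"BUILTIN\Users")]
    public double Add(double a, double b)
    {
        return a + b;
    }

    // Identity-based check first, then a resource-based one.
    [PrincipalPermission(SecurityAction.Demand, Authenticated = true)]
    public string ReadReport()
    {
        ServiceSecurityContext ctx = ServiceSecurityContext.Current;

        // Identity-based: inspect the caller's claims rather than a group.
        // Here the caller must carry a name claim; with issued tokens you
        // would test a custom claim type in exactly the same way.
        bool identified = false;
        foreach (ClaimSet set in ctx.AuthorizationContext.ClaimSets)
        {
            foreach (Claim claim in set.FindClaims(ClaimTypes.Name, Rights.PossessProperty))
            {
                identified = true;
            }
        }
        if (!identified || ctx.WindowsIdentity == null)
        {
            throw new FaultException("Caller could not be identified.");
        }

        // Resource-based: impersonate the caller so the NTFS ACL on the file is
        // evaluated against the caller, not the service account. This only works
        // if the client allowed it (ClientCredentials.Windows.AllowedImpersonationLevel
        // = Impersonation); with the default Identification level the read fails
        // with access denied, which is the safe failure.
        using (WindowsImpersonationContext imp = ctx.WindowsIdentity.Impersonate())
        {
            return File.ReadAllText(@"C:\Reports\daily.txt"); // assumed path
        }
    }
}

public static class CalculatorHost
{
    public static ServiceHost Build()
    {
        ServiceHost host = new ServiceHost(typeof(Calculator),
            new Uri("net.tcp://localhost:8523/Calculator")); // assumed address

        NetTcpBinding binding = new NetTcpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;
        host.AddServiceEndpoint(typeof(ICalculator), binding, "");

        // UseWindowsGroups (the default, set explicitly here) places a
        // WindowsPrincipal on the thread so the Role demands above resolve
        // against the caller's Windows group membership.
        ServiceAuthorizationBehavior auth =
            host.Description.Behaviors.Find<ServiceAuthorizationBehavior>();
        auth.PrincipalPermissionMode = PrincipalPermissionMode.UseWindowsGroups;
        return host;
    }
}
```

Open the host with CalculatorHost.Build().Open(). The point of keeping all three checks is that each fails closed on its own: the role demand rejects before the method runs, the claim check rejects callers without an identity, and the ACL rejects a caller whose impersonation token cannot open the file.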


Part II: Programming security in WCF


Setting the security mode

Step 1: Choose the binding that fits the application's requirements.

Step 2: Choose one of the security modes offered by the chosen binding.

Step 3: If the mode is transport security over HTTP, configure the host with an SSL certificate and enable SSL on the port the service listens on.


Example: configuring security in WCF (setting the security mode; the slide showed a screenshot of the configuration)


Setting credential values for the service

  • After choosing the client authentication type, you must set the actual credential values for the service.

  • On the service side, credentials are set through the ServiceCredentials class, which is returned by the Credentials property of ServiceHostBase.


using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;

// Binding with message-level security.
NetTcpBinding b = new NetTcpBinding();
b.Security.Mode = SecurityMode.Message;

// Host the Calculator service at the base address.
Uri baseUri = new Uri("net.tcp://MachineName/tcpBase");
Uri[] baseAddresses = new Uri[] { baseUri };
ServiceHost sh = new ServiceHost(typeof(Calculator), baseAddresses);

Type c = typeof(ICalculator);
sh.AddServiceEndpoint(c, b, "MyEndpoint");

// Service credential: the certificate found by subject name in the
// machine's Personal store. The subject name must match the certificate
// installed for this service.
sh.Credentials.ServiceCertificate.SetCertificate(
    StoreLocation.LocalMachine, StoreName.My,
    X509FindType.FindBySubjectName, "client.com");

sh.Open();


Setting credential values for the client

On the client side, credentials are set through the ClientCredentials class, which is returned by the ClientCredentials property of ClientBase.


using System;
using System.ServiceModel;

// Binding with message-level security and Windows client credentials;
// it must match the binding configured on the service.
NetTcpBinding b = new NetTcpBinding();
b.Security.Mode = SecurityMode.Message;
b.Security.Message.ClientCredentialType = MessageCredentialType.Windows;

EndpointAddress ea = new EndpointAddress(
    "net.tcp://machineName.Domain.Contoso.com:8036/serviceName");

// CalculatorClient is the proxy generated from ICalculator (derives from ClientBase<ICalculator>).
CalculatorClient client = new CalculatorClient(b, ea);

// ClientCredentials.Windows defaults to the identity of the calling process;
// set it explicitly only when the client must run as a different Windows user.
client.ClientCredentials.Windows.ClientCredential =
    System.Net.CredentialCache.DefaultNetworkCredentials;

client.Open();
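The certificate variant of the same client/service pair, as an added example that is not code from the slides: the service requires an X.509 client certificate, and both sides validate the other's certificate by chain trust with revocation checking, which is what the root certificate and CRL installed in Example 3 below are for. The subject names tempCert (service) and clientCert (client) and the address are assumptions.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

[ServiceContract]
public interface ICalculator
{
    [OperationContract]
    double Add(double a, double b);
}

public class Calculator : ICalculator
{
    public double Add(double a, double b) { return a + b; }
}

public static class CertificateSecurity
{
    const string Address = "net.tcp://localhost:8523/Calculator"; // assumed

    static NetTcpBinding MakeBinding()
    {
        NetTcpBinding b = new NetTcpBinding(SecurityMode.Message);
        b.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;
        return b;
    }

    public static ServiceHost BuildHost()
    {
        ServiceHost sh = new ServiceHost(typeof(Calculator), new Uri(Address));
        sh.AddServiceEndpoint(typeof(ICalculator), MakeBinding(), "");

        // The service's own certificate: the client encrypts to it and checks
        // the endpoint identity against its subject name.
        sh.Credentials.ServiceCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My,
            X509FindType.FindBySubjectName, "tempCert");

        // How the service validates the client certificate. ChainTrust is the
        // default for message security; it is restated so nobody relaxes it to
        // None or PeerOrChainTrust "for testing" and ships it that way.
        X509ClientCertificateAuthentication ccAuth =
            sh.Credentials.ClientCertificate.Authentication;
        ccAuth.CertificateValidationMode = X509CertificateValidationMode.ChainTrust;
        ccAuth.RevocationMode = X509RevocationMode.Online;
        return sh;
    }

    public static ICalculator BuildClient()
    {
        // The DNS identity must equal the CN of the service certificate; if it
        // does not, WCF rejects the service even when its chain is valid.
        EndpointAddress ea = new EndpointAddress(new Uri(Address),
            EndpointIdentity.CreateDnsIdentity("tempCert"));
        ChannelFactory<ICalculator> factory =
            new ChannelFactory<ICalculator>(MakeBinding(), ea);

        // The client's own certificate, from the user's Personal store.
        factory.Credentials.ClientCertificate.SetCertificate(
            StoreLocation.CurrentUser, StoreName.My,
            X509FindType.FindBySubjectName, "clientCert");

        // Validate the service certificate the same way the service validates ours.
        X509ServiceCertificateAuthentication scAuth =
            factory.Credentials.ServiceCertificate.Authentication;
        scAuth.CertificateValidationMode = X509CertificateValidationMode.ChainTrust;
        scAuth.RevocationMode = X509RevocationMode.Online;
        return factory.CreateChannel();
    }
}
```

Start the service with CertificateSecurity.BuildHost().Open() and call CertificateSecurity.BuildClient().Add(1, 2) from a process whose user store holds clientCert. With ChainTrust and Online revocation, the call fails if either certificate was issued by a root that is not in Trusted Root Certification Authorities or appears in the installed CRL.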


Part III: Configuration


Example 1: Auditing and logging security events

Purpose:

  • Show how to audit security events.

  • Show how to configure a WCF service with auditing, message logging and tracing.

  • Show how to use the SvcTraceViewer tool to view the log files.


1. In Microsoft Visual Studio 2008, click File > New Web Site. Select WCF Service, set Location to HTTP and the virtual path to something like http://localhost/WCFTestService.

2. In the Configuration Editor, set up the following: select the Service Behaviors node. In the ServiceBehavior section click Add, then select serviceSecurityAudit and click Add.

In the serviceSecurityAudit options, set AuditLogLocation to Application, MessageAuthenticationAuditLevel to SuccessOrFailure and ServiceAuthorizationAuditLevel to SuccessOrFailure.


Result (the slide showed a screenshot of the resulting configuration)


Enabling logging and tracing for the WCF service

Step 1: Configure logging in the Configuration Editor

Select the Diagnostics node and click Enable Message Logging. This creates a ServiceModelMessageLoggingListener node under the Listeners folder and a System.ServiceModel.MessageLogging node under the Sources folder.

Select MessageLogging under the Diagnostics node and set LogMessagesAtServiceLevel = True.

Select ServiceModelMessageLoggingListener under the Listeners node. Note the default value of InitData, c:\inetpub\wwwroot\WCFService\web_messages.svclog; this is where the messages will be logged.

Step 2: Configure tracing

In the Configuration Editor, select the Diagnostics node.

In the right-hand panel, click Enable Tracing. This creates a ServiceModelTraceListener node under the Listeners folder and a System.ServiceModel node under the Sources folder.

Select ServiceModelTraceListener under the Listeners node. The default value of InitData, where the traces will be written, is c:\inetpub\wwwroot\WCFService\web_tracelog.svclog.
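The web.config that steps 1 and 2 of this example (the serviceSecurityAudit behavior and the logging and tracing listeners) produce, written out as an added example rather than copied from the slides. The service, contract and behavior names and the wsHttpBinding endpoint are assumptions; the listener names, file paths and switch values are the Configuration Editor defaults named above.

```xml
<?xml version="1.0"?>
<configuration>
  <system.diagnostics>
    <sources>
      <!-- Created by "Enable Tracing" -->
      <source name="System.ServiceModel" switchValue="Information, ActivityTracing"
              propagateActivity="true">
        <listeners>
          <add name="ServiceModelTraceListener" />
        </listeners>
      </source>
      <!-- Created by "Enable Message Logging" -->
      <source name="System.ServiceModel.MessageLogging" switchValue="Warning, ActivityTracing">
        <listeners>
          <add name="ServiceModelMessageLoggingListener" />
        </listeners>
      </source>
    </sources>
    <sharedListeners>
      <add name="ServiceModelTraceListener"
           type="System.Diagnostics.XmlWriterTraceListener"
           initializeData="c:\inetpub\wwwroot\WCFService\web_tracelog.svclog"
           traceOutputOptions="Timestamp" />
      <add name="ServiceModelMessageLoggingListener"
           type="System.Diagnostics.XmlWriterTraceListener"
           initializeData="c:\inetpub\wwwroot\WCFService\web_messages.svclog"
           traceOutputOptions="Timestamp" />
    </sharedListeners>
    <trace autoflush="true" />
  </system.diagnostics>

  <system.serviceModel>
    <diagnostics>
      <!-- logEntireMessage="true" would write message bodies, including any
           UserName credentials carried in the SOAP header, to disk in clear.
           Keep it false outside a lab. -->
      <messageLogging logEntireMessage="false" logMalformedMessages="true"
                      logMessagesAtServiceLevel="true" logMessagesAtTransportLevel="false"
                      maxMessagesToLog="3000" />
    </diagnostics>

    <behaviors>
      <serviceBehaviors>
        <behavior name="WCFTestService.ServiceBehavior">
          <serviceMetadata httpGetEnabled="true" />
          <serviceDebug includeExceptionDetailInFaults="false" />
          <!-- Step 2: audit authentication and authorization outcomes to the
               Application event log. suppressAuditFailure="false" makes a
               failure to write the audit record fail the call instead of
               silently continuing. -->
          <serviceSecurityAudit auditLogLocation="Application"
                                messageAuthenticationAuditLevel="SuccessOrFailure"
                                serviceAuthorizationAuditLevel="SuccessOrFailure"
                                suppressAuditFailure="false" />
        </behavior>
      </serviceBehaviors>
    </behaviors>

    <services>
      <service name="WCFTestService.Service"
               behaviorConfiguration="WCFTestService.ServiceBehavior">
        <endpoint address="" binding="wsHttpBinding" contract="WCFTestService.IService" />
        <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
      </service>
    </services>
  </system.serviceModel>
</configuration>
```

The .svclog files are written by the worker process, so the identity running the application pool needs write access to c:\inetpub\wwwroot\WCFService; they should not be served by IIS, since the trace log records caller identities and the message log records message headers.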


Result (the slide showed a screenshot of the diagnostics configuration)


Step 4: Create a Windows Forms test client application.

Step 5: Add a service reference to the WCF service in the client.

Set the URL to your WCF service (for example http://localhost/WCFTestService/Service.svc) and click Go.

In Web reference name, change ServiceReference1 to WCFTestService.

Step 6: Test the client and the WCF service.


Step 7: Verify the service's audit events

Click Start > Run. On the command line, type eventvwr to open the Event Viewer window.

Select the Application node and look for events from the source ServiceModel Audit 3.0.0.0.

Open a ServiceAuthorization event. When the service has authorized a client, you will see message information like the following:

Step 8: View the log files with SvcTraceViewer. Go to C:\Program Files\Microsoft SDKs\Windows\v6.0\Bin and open SvcTraceViewer.exe. Click File, click Open, and browse to the location of the message log file.


Example 2: Configuring netTcpBinding with Windows authentication in Message security mode

Purpose:

Show how to use netTcpBinding with Windows authentication in Message security mode.

NetTcpBinding is used to communicate with clients on an internal network. On an intranet the default is transport security mode with Windows credentials. This example shows how to configure the service to use message security instead of transport security.


In Visual Studio, on the File menu click New, then click Project. Select Windows Service and type the name you want.

In the designer view of ProjectInstaller.cs, right-click serviceProcessInstaller1 and click Properties. Set the Account property to NetworkService.

Add a WCF Service. Set Name to myService.cs.


Rewrite DoWork() (the slide showed the service contract and implementation)

And the OnStart() and OnStop() methods:

using System.ServiceModel;
using System.ServiceProcess;

// Body of the Windows service class that Visual Studio generated for the project
// (the class name WCFServiceHost is assumed from the executable name used later).
// The WCF host is opened when the Windows service starts and closed when it stops.
public partial class WCFServiceHost : ServiceBase
{
    internal static ServiceHost myServiceHost = null;

    protected override void OnStart(string[] args)
    {
        // Close any host left over from an earlier start.
        if (myServiceHost != null)
        {
            myServiceHost.Close();
        }

        // Endpoints, bindings and behaviors are read from App.config.
        myServiceHost = new ServiceHost(typeof(MyService));
        myServiceHost.Open();
    }

    protected override void OnStop()
    {
        if (myServiceHost != null)
        {
            myServiceHost.Close();
            myServiceHost = null;
        }
    }
}


Configure the WCF service to use netTcpBinding with Message security. In the Host node, set the base address to net.tcp://localhost:8523/WCFTestService.

For Endpoint1 set Binding = netTcpBinding. For Endpoint2 set Binding = mexTcpBinding.

Select the Bindings node and click New Binding Configuration. In the New Binding dialog box, select netTcpBinding and click OK. Click the Security tab and set Mode = Message and MessageClientCredentialType = Windows.

In Endpoint1, select Binding Configuration = NewBinding0 (the configuration just created).

Result (the slide showed a screenshot of the resulting configuration)

Select the Advanced node, then the Service Behaviors node. In the WCFHostService.MyServiceBehavior node, select the serviceMetadata node and set HttpGetEnabled = False.

Step 6: Install the Windows service. Rebuild the solution and open a Visual Studio command prompt. Go to the project directory that contains WCFServiceHost.exe. On the command line, type installutil WCFServiceHost.exe. To remove the service again (for example before retrying a failed installation), type installutil /u WCFServiceHost.exe.
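The App.config that the Configuration Editor steps above produce for the Windows service, written out here as an added example rather than copied from the slides, with the insecure setting it replaces shown alongside for contrast. The names WCFHostService.MyService and WCFHostService.IMyService follow the behavior name the slide uses; they are assumptions.

```xml
<?xml version="1.0"?>
<configuration>
  <system.serviceModel>
    <bindings>
      <netTcpBinding>
        <!-- NewBinding0: message-level security with Windows credentials.
             Each SOAP message is signed and encrypted with the negotiated
             key, independent of the TCP hop. -->
        <binding name="NewBinding0">
          <security mode="Message">
            <message clientCredentialType="Windows" />
          </security>
        </binding>

        <!-- For contrast only, NOT to be referenced by an endpoint: with
             mode="None" messages cross the network unsigned and in clear, and
             the service cannot tell who is calling. -->
        <binding name="InsecureBinding">
          <security mode="None" />
        </binding>
      </netTcpBinding>
    </bindings>

    <services>
      <service name="WCFHostService.MyService"
               behaviorConfiguration="WCFHostService.MyServiceBehavior">
        <host>
          <baseAddresses>
            <add baseAddress="net.tcp://localhost:8523/WCFTestService" />
          </baseAddresses>
        </host>
        <!-- Endpoint1: the application endpoint, bound to NewBinding0 -->
        <endpoint address="" binding="netTcpBinding" bindingConfiguration="NewBinding0"
                  contract="WCFHostService.IMyService" />
        <!-- Endpoint2: metadata over TCP. mexTcpBinding carries no security,
             so remove this endpoint once clients have generated their proxies. -->
        <endpoint address="mex" binding="mexTcpBinding" contract="IMetadataExchange" />
      </service>
    </services>

    <behaviors>
      <serviceBehaviors>
        <behavior name="WCFHostService.MyServiceBehavior">
          <!-- HttpGetEnabled=False as set in the last step: no HTTP base
               address exists for this host, and WSDL is only served via mex. -->
          <serviceMetadata httpGetEnabled="false" />
          <serviceDebug includeExceptionDetailInFaults="false" />
        </behavior>
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel>
</configuration>
```

A client generated from this metadata gets a matching netTcpBinding with Message/Windows in its own config; if the client is instead configured with the intranet default (Transport/Windows) the channel fails to open, which is the expected symptom of a binding mismatch rather than a firewall problem.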


Start the newly created service

Step 7: Create a test client application

Add a service reference

Run the application


Example 3: Creating and installing certificates for Message security mode

This helps you create and install temporary certificates for use during development and testing of WCF services that implement message security.

Step 1: Create a temporary root certificate authority. Open a Visual Studio command prompt and go to the folder where you want to keep the certificate files. Type:

makecert -n "CN=RootCATest" -r -sv RootCATest.pvk RootCATest.cer


Type a password in the dialog box and click OK.

Type the password again to confirm.


Step 2: Create a Certificate Revocation List (CRL) file from the root certificate

Open a Visual Studio command prompt and go to the folder where you want to keep the CRL file for the root certificate.

Run the following command to create the CRL file:

makecert -crl -n "CN=RootCATest" -r -sv RootCATest.pvk RootCATest.crl


Step 3: Install the root certificate authority certificate on the server and the client

Repeat the following steps on both the client and the server:

Copy the RootCATest.cer file to the client and the server.

Click Start, then click Run.

On the command line, type MMC and click OK.


On the File menu, click Add/Remove Snap-in. When the Add/Remove Snap-in dialog box opens, click Add. In Add Standalone Snap-in, select Certificates.

Select Computer Account, so that the certificate is available to all users on the machine. Click Next, then click OK.

Under Trusted Root Certification Authorities, right-click the Certificates subfolder, select All Tasks, then select Import.

The Certificate Import Wizard welcome screen appears; click Next. On the File to Import screen, click Browse, go to the folder containing the self-signed root certificate authority file RootCATest.cer and click Open.

Then click Next.


Install the certificate revocation list file on the server and client machines

Copy the RootCATest.crl file to the client and server machines.

Click Start, then click Run.

On the command line, type mmc and click OK.

The installation steps are the same as for the certificate authority certificate above.


Create and install the temporary service certificate

Open a Visual Studio command prompt and go to the folder where the root CA certificate and private key file were created. Type:

makecert -sk MyKeyName -iv RootCATest.pvk -n "CN=tempCert" -ic RootCATest.cer -sr localmachine -ss my -sky exchange -pe

Type the password you set for the root key when prompted.


Identify the temporary certificate's private key

Open a Visual Studio command prompt and run the following command:

FindPrivateKey.exe My LocalMachine -n "CN=tempCert"


Note: if FindPrivateKey is not on your machine, download the FindPrivateKey tool from http://www.microsoft.com/downloads/details.aspx?FamilyId=2611A6FFFD2D4F5BA672C002F1C09CCD&displaylang=en


FindPrivateKey returns the path of the certificate's private key file, such as

"C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\4d657b73466481beba7b0e1b5781db81_c225a308d2ad4e5891a86e87f354b030".

Run the following command to grant the WCF service account (NETWORK SERVICE, as set on the installer) read access to the key file; without it the host cannot load its certificate:

cacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\4d657b73466481beba7b0e1b5781db81_c225a308d2ad4e5891a86e87f354b030" /E /G "NT AUTHORITY\NETWORK SERVICE":R

Run the following command to verify the permissions on this key:

cacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\4d657b73466481beba7b0e1b5781db81_c225a308d2ad4e5891a86e87f354b030"


Certificate information in IIS (the slide showed a screenshot of the certificate in IIS)

Q&A