WCF Security (Bảo mật trong WCF), PowerPoint PPT Presentation


Presentation Transcript


WCF SECURITY (BẢO MẬT TRONG WCF)

Group 2:

Lê Xuân Mạnh

Nguyễn Xuân Kỳ

Trạc Minh Thắng

Trần Minh Hùng


Main contents

  • Overview of WCF security

    • Some common security flaws

    • Remedying security holes in WCF

    • Basic characteristics of WCF security

  • Steps in security programming

  • Configuration with some examples

    • Configuring auditing & logging, tracing

    • Configuring netTcpBinding in message security mode

    • Installing and using certificates in message security mode


Part I. OVERVIEW OF WCF SECURITY

1. Some common security flaws

  • Observing messages on the network to extract sensitive information. For example, a client logs in to a system by sending only the account name and password as unencrypted text. An attacker can simply capture the message and extract the account name together with the password.

  • Impersonating a service without the client's knowledge. This is similar to web phishing: a fake web site is made to look like one the user is familiar with (such as Yahoo or a bank's site). The user enters the account information and login password into the fake page, and the attacker then has this information.

  • Altering message contents. An attacker can change the content of a message without either the client or the service noticing.


2. Remedies in WCF

Securing the messages exchanged between a client and a WCF service requires attention to the following points:

  • Authentication of the service endpoint

  • Authentication of the client

  • Message integrity

  • Message confidentiality

  • Replay detection (a repeated client or service request that the client or service did not in fact issue)


3. WCF integrates existing security mechanisms

  • WCF can work with existing security solutions such as Secure Sockets Layer (SSL) and the Kerberos protocol.

  • It can also work with a security architecture already in use, such as a Windows domain using Active Directory.

  • WCF also integrates with the existing transport-level security models, and an existing infrastructure can be moved to newer models based on securing the SOAP messages themselves.


4. Integrating existing authentication models

Any security model must authenticate the entities taking part in a data exchange. The entities in this process use electronic identities, also called credentials.

The methods for proving identity to the communicating party include:

  • Username client credential

  • Certificate client credential

  • Windows (Kerberos and NT LAN Manager, NTLM)


5. Interoperability

Security must also work across environments in order to implement secure systems.

Companies use Web services with a range of different standards, such as:

WS-Security, SOAP Message Security, WS-Trust, WS-SecureConversation, and WS-SecurityPolicy.

With WCF services we can use WSHttpBinding, which supports WS-Security 1.1 and WS-SecureConversation.


6. Security areas in WCF

Security in WCF is divided into three functional areas:

  • Transfer security

  • Access control

  • Auditing


Transfer security

Transfer security comprises three main functions: integrity, confidentiality, and authentication.

  • Integrity is the ability to detect whether a message has been altered.

  • Confidentiality is the ability to keep a message from being read by unauthorized parties, relying on cryptography.

  • Authentication is the ability to verify that a claimed identity is genuine.

  • Combining these three functions gives us assurance that messages are sent securely and arrive where they are meant to.


Transfer security

There are two main ways of implementing transfer security in WCF: transport security mode and message security mode.


  • Transfer security

Transport security mode uses transport-layer protocols such as HTTPS to provide security. Its advantages are that it is widely used across many different platforms and requires less computation.

Its disadvantages are that it only secures messages point-to-point and that it is slower than message security mode. Message security mode uses the WS-Security standard, does not depend on the transport protocol, is easy to extend, and secures messages end-to-end (rather than point-to-point).


  • Transfer security

  • Message security: WSHttpBinding, WS2007HttpBinding, WSDualHttpBinding, WSFederationHttpBinding and WS2007FederationHttpBinding.

  • Transport security: NetTcpBinding, NetNamedPipeBinding, NetMsmqBinding, NetPeerTcpBinding and MsmqIntegrationBinding.


Access control (Authorization)

Authorization lets different users have different rights to view data.

In WCF, access control features are provided through integration with the CLR (common language runtime), via the PrincipalPermissionAttribute attribute class and a set of APIs.


Auditing

  • Auditing is the process of recording security events in the Windows operating system's log (the Windows event log): events related to security, such as failed or successful authentication.


Authentication and Authorization

  • Authorization first requires authentication. To do that, you must be able to identify the client.

  • The client can identify itself by providing evidence such as a Windows account, a user name and password, or a certificate.

  • The client must also know that it is calling the service it intends to call. The service can identify itself by providing a certificate.


Authentication and Authorization

Authentication lets you identify the client and the service through the credentials they send. WCF supports the following credential types when you are using transport security mode:

  • Windows. The client uses a Windows token representing the identity of the Windows user. The service uses the credentials of its process identity or an SSL certificate.

  • Basic. The client uses a user name and password. The service uses an SSL certificate. This option is only available with the HTTP protocols.

  • Certificate. The client uses an X.509 certificate and the service uses either a certificate or an SSL certificate.

  • NTLM. The service uses an SSL certificate. This option is only available with the HTTP protocols.

  • None. The service does not authenticate the client.


  • WCF supports the following credential types when you are using message security mode:

    • Windows. The client uses a token representing the Windows user. The service uses the credentials of its process identity or an SSL certificate.

    • UserName. The client sends a user name and password to the service.

    • Certificate. The client uses an X.509 certificate and the service uses either a certificate or an SSL certificate.

    • IssuedToken. The client and the service use a Security Token Service.

    • None. The service does not authenticate the client.


  • WCF supports three basic approaches to authorization:

    • Role-based: access to the service and its operations is based on the user's roles.

    • Identity-based: access is based on claims carried within the user's credentials. This approach is typically used with issued-token authentication.

    • Resource-based: resources, such as the WCF services themselves, are secured using Windows Access Control Lists (ACLs).
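As an added illustration (not code from the slide deck), the following C# applies the role-based and identity-based approaches just listed to a hypothetical IAccountService; the CONTOSO\Tellers group and the CONTOSO\acct-admin account are assumed names.

```csharp
using System;
using System.Security.Permissions;
using System.ServiceModel;

// Added illustration of the role-based and identity-based approaches above;
// it is not code from the slide deck. IAccountService, the "Tellers" group and
// the "CONTOSO\acct-admin" account are hypothetical.
[ServiceContract]
public interface IAccountService
{
    [OperationContract] decimal GetBalance(string accountId);
    [OperationContract] void CloseAccount(string accountId);
}

public class AccountService : IAccountService
{
    // Role-based: PrincipalPermissionAttribute makes the CLR demand that the
    // caller's principal is in the given Windows group (the default
    // PrincipalPermissionMode is UseWindowsGroups). A caller outside the group
    // gets an access-denied fault before this method body runs.
    [PrincipalPermission(SecurityAction.Demand, Role = @"CONTOSO\Tellers")]
    public decimal GetBalance(string accountId)
    {
        return 0m;  // constructed placeholder; a real service would look the account up
    }

    // Identity-based: examine the authenticated identity that WCF attached to
    // this call and decide in code. Rejecting anonymous callers first matters
    // because with ClientCredentialType = None there is no identity at all.
    public void CloseAccount(string accountId)
    {
        ServiceSecurityContext ctx = ServiceSecurityContext.Current;
        if (ctx == null || ctx.IsAnonymous)
            throw new FaultException("Caller is not authenticated.");

        string caller = ctx.PrimaryIdentity.Name;  // DOMAIN\user for Windows credentials
        if (!string.Equals(caller, @"CONTOSO\acct-admin", StringComparison.OrdinalIgnoreCase))
            throw new FaultException("Caller is not permitted to close accounts.");

        // Resource-based control is not coded here: when this body touches a
        // file or queue, its Windows ACL is enforced against the service's
        // (or the impersonated caller's) account.
    }
}
```

With the serviceSecurityAudit behavior from Part III enabled, both the failed PrincipalPermission demand and a successful call are written to the Application event log as ServiceAuthorization events.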


Part II: Security programming in WCF


Setting the security mode

Step 1: Choose one of the bindings that fits the application's requirements.

Step 2: Choose one of the security modes for the chosen binding.

Step 3: Configure the host with an SSL certificate and enable SSL on a port.


Example: configuring security in WCF

Setting the security mode


Setting credential values for the service

  • After choosing the client authentication type, you need to set the actual credential values for the service.

  • On the service side, credentials are set using the ServiceCredentials class, returned from the Credentials property of the ServiceHostBase class.


```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;

// Host the Calculator service over net.tcp with message security; the
// service identifies itself with an X.509 certificate from the machine store.
NetTcpBinding b = new NetTcpBinding();
b.Security.Mode = SecurityMode.Message;

Uri baseUri = new Uri("net.tcp://MachineName/tcpBase");
Uri[] baseAddresses = new Uri[] { baseUri };
ServiceHost sh = new ServiceHost(typeof(Calculator), baseAddresses);

Type c = typeof(ICalculator);
sh.AddServiceEndpoint(c, b, "MyEndpoint");

// ServiceCredentials (sh.Credentials) holds the service certificate, found by
// subject name in LocalMachine\My; its private key must be readable by the host process.
sh.Credentials.ServiceCertificate.SetCertificate(
    StoreLocation.LocalMachine, StoreName.My,
    X509FindType.FindBySubjectName, "client.com");
sh.Open();
```


Setting credential values for the client

On the client side, credential values are set through the ClientCredentials class, returned from the ClientCredentials property of the ClientBase class.


```csharp
using System;
using System.ServiceModel;

// Note: although this slide covers the client side, the snippet itself
// configures a ServiceHost; what it sets is the credential type the binding
// requires from clients (Windows), which the proxy's ClientCredentials must match.
NetTcpBinding b = new NetTcpBinding();
b.Security.Mode = SecurityMode.Message;
b.Security.Message.ClientCredentialType = MessageCredentialType.Windows;

Type c = typeof(ICalculator);
Uri tcpBaseAddress =
    new Uri("net.tcp://machineName.Domain.Contoso.com:8036/serviceName");
Uri[] baseAddresses = new Uri[] { tcpBaseAddress };

ServiceHost sh = new ServiceHost(typeof(CalculatorClient), baseAddresses);
sh.AddServiceEndpoint(c, b, "");
sh.Open();
```
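The client side described above, as an added example that is not part of the original slides: it assumes the ICalculator contract and endpoint address from the service snippet, uses the Certificate credential type so that the temporary certificate from Example 3 (subject CN=tempCert, installed in LocalMachine\My) serves as the client credential, and shows where the service's certificate is validated.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Description;
using System.ServiceModel.Security;

// Added illustration of the client side described above; not code from the
// slide deck. It assumes the ICalculator contract and endpoint from the service
// example and that a client certificate with subject "CN=tempCert" (the
// temporary certificate created in Example 3) is installed in LocalMachine\My.
static class CalculatorClientSetup
{
    public static ICalculator CreateProxy()
    {
        var binding = new NetTcpBinding();
        binding.Security.Mode = SecurityMode.Message;
        // Must match what the service demands; here the client proves its
        // identity with an X.509 certificate rather than a Windows token.
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;

        var address = new EndpointAddress("net.tcp://MachineName/tcpBase/MyEndpoint");
        var factory = new ChannelFactory<ICalculator>(binding, address);

        // ClientCredentials: what the client presents ...
        ClientCredentials creds = factory.Credentials;
        creds.ClientCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My,
            X509FindType.FindBySubjectName, "tempCert");

        // ... and how it checks the service's certificate, so that a fake
        // service (the impersonation flaw from Part I) is rejected. ChainTrust
        // requires a chain to a trusted root such as RootCATest; PeerTrust would
        // require the exact certificate in the TrustedPeople store instead.
        X509ServiceCertificateAuthentication auth = creds.ServiceCertificate.Authentication;
        auth.CertificateValidationMode = X509CertificateValidationMode.ChainTrust;
        auth.RevocationMode = X509RevocationMode.Online;

        return factory.CreateChannel();
    }
}
```

Setting CertificateValidationMode to None would accept any service certificate and silently reintroduce the service-impersonation flaw listed in Part I.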


Part III: Configuration


Example 1: Auditing and logging security events

Purpose:

  • Introduce how to audit security events.

  • How to configure a WCF service with auditing, message logging, and tracing.

  • How to use the SvcTraceViewer tool to view the log files.


1. In MS Visual Studio 2008, click File > New Web Site. Choose WCF Service, set Location to Http and a virtual path such as http://localhost/WCFTestService.


2. Set up the following in the Configuration Editor: select the ServiceBehavior node. In the ServiceBehavior section, click Add. Select serviceSecurityAudit and click Add.


Under the serviceSecurityAudit option, set the values: AuditLogLocation to Application, MessageAuthenticationAuditLevel to SuccessOrFailure, and ServiceAuthorizationAuditLevel to SuccessOrFailure.


Result


Enabling logging and tracing for the WCF service

Step 1: Configure logging in the Configuration Editor


Select the Diagnostics node and click Enable Message Logging. This creates a ServiceModelMessageLoggingListener node under the Listeners folder and a System.ServiceModel.MessageLogging node under the Sources folder.


Select MessageLogging under the Diagnostics node. Set LogMessagesAtServiceLevel = True.


Select ServiceModelMessageLoggingListener under the Listeners node. Note the default value of InitData, c:\inetpub\wwwroot\WCFService\web_messages.svclog, which is where the messages will be logged.


Step 2: Configure tracing

In the Configuration Editor, select the Diagnostics node.


In the right-hand panel, click Enable Tracing. This creates a ServiceModelTraceListener node under the Listeners folder and a System.ServiceModel node under the Sources folder.


Select ServiceModelTraceListener under the Listeners node. The default value of InitData stores the traced messages in c:\inetpub\wwwroot\WCFService\web_tracelog.svclog.


Result


Step 4

Create a Windows Forms test client application.

Step 5

Add a WCF service reference to the client.

Set the URL to your WCF service (for example:

http://localhost/WCFTestService/Service.svc) and click Go.

In Web reference name, change ServiceReference1 to WCFTestService.

Step 6: Test the client and the WCF service.


Step 7: Verify the service events

Click Start > Run. On the command line, type eventvwr to open the Event Viewer window.


Select the Application node and note the ServiceModel Audit 3.0.0.0 source.


Open an event with the ServiceAuthorization category. You will see the message information if the service authorized a client, as follows:


Step 8: Find the log files using SvcTraceViewer. Go to C:\Program Files\Microsoft SDKs\Windows\v6.0\Bin. Open the SvcTraceViewer.exe tool, click File, click Open, and browse to the location of the message log file.


Example 2. Configuring netTcpBinding with Windows authentication and message security mode

Purpose:

Introduce how to use netTcpBinding with Windows authentication in message security mode.

NetTcpBinding is used to communicate with clients on an internal network. By default it uses transport security mode with Windows credentials. This example shows how to configure the service to use message security instead of transport security.


In Visual Studio, on the File menu, click New, then click Project. Select Windows Service and type the project name.


In the designer view of ProjectInstaller.cs, right-click serviceProcessInstaller1 and click Properties. Set the Account property to NetworkService.


Add a WCF Service. Set Name to myService.cs.


Reconfigure DoWork()


And the OnStart(), OnStop() methods:

```csharp
using System.ServiceModel;
using System.ServiceProcess;

// Windows service that hosts the WCF service: open the ServiceHost when the
// Windows service starts and close it when it stops.
public partial class WCFServiceHost : ServiceBase
{
    internal static ServiceHost myServiceHost = null;

    protected override void OnStart(string[] args)
    {
        // Guard against a stale host left over from an earlier start.
        if (myServiceHost != null)
        {
            myServiceHost.Close();
        }
        // Endpoints, binding and behaviors come from the app.config
        // configured in the following steps.
        myServiceHost = new ServiceHost(typeof(MyService));
        myServiceHost.Open();
    }

    protected override void OnStop()
    {
        if (myServiceHost != null)
        {
            myServiceHost.Close();
            myServiceHost = null;
        }
    }
}
```


Configure the WCF service to use netTcpBinding with message security. In the Host node, change the base address to: net.tcp://localhost:8523/WCFTestService.


Set Endpoint 1 to Binding = netTcpBinding and Endpoint 2 to Binding = mexTcpBinding.


Select the Bindings node and click New Binding Configuration. In the New Binding dialog box, select netTcpBinding and click OK. Click the Security tab and set Mode = Message and MessageClientCredentialType = Windows.


In endpoint 1, set Binding Configuration to the newly created NewBinding0.


The result is as follows:


Select the Advanced node, then the Service Behaviors node. Under the WCFHostService.MyServiceBehavior node, select the serviceMetadata node and set HttpGetEnabled = False.
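As an added example (not the deck's code), here is the same configuration that Example 1 (serviceSecurityAudit) and Example 2 (netTcpBinding with message security and Windows credentials, a mex endpoint, HttpGetEnabled = False) build in the Configuration Editor, expressed in code for the Windows service host above; MyService and IMyService are the hypothetical names used in this example.

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Description;

// Added illustration, not code from the slide deck: the configuration that
// Examples 1 and 2 build in the Configuration Editor (netTcpBinding in message
// mode with Windows credentials, a mex endpoint with HTTP GET disabled, and the
// serviceSecurityAudit behavior) written in code for the Windows service host.
// MyService and IMyService are the hypothetical names used in Example 2.
static class MyServiceHostFactory
{
    public static ServiceHost Build()
    {
        var host = new ServiceHost(typeof(MyService),
            new Uri("net.tcp://localhost:8523/WCFTestService"));

        // Endpoint 1: the "NewBinding0" configuration of Example 2.
        var tcp = new NetTcpBinding();
        tcp.Security.Mode = SecurityMode.Message;
        tcp.Security.Message.ClientCredentialType = MessageCredentialType.Windows;
        host.AddServiceEndpoint(typeof(IMyService), tcp, "");

        // Endpoint 2: metadata over mexTcpBinding. HttpGetEnabled = false keeps
        // the WSDL from being served over an unauthenticated HTTP GET.
        host.Description.Behaviors.Add(new ServiceMetadataBehavior { HttpGetEnabled = false });
        host.AddServiceEndpoint(typeof(IMetadataExchange),
            MetadataExchangeBindings.CreateMexTcpBinding(), "mex");

        // serviceSecurityAudit from Example 1: record authentication and
        // authorization outcomes, success and failure, in the Application log
        // (source "ServiceModel Audit 3.0.0.0" in Event Viewer).
        host.Description.Behaviors.Add(new ServiceSecurityAuditBehavior
        {
            AuditLogLocation = AuditLogLocation.Application,
            MessageAuthenticationAuditLevel = AuditLevel.SuccessOrFailure,
            ServiceAuthorizationAuditLevel = AuditLevel.SuccessOrFailure,
            // SuppressAuditFailure keeps its default (true): a failure to write
            // an audit entry does not itself fail the service call.
        });

        return host;
    }
}
```

Build() can replace `new ServiceHost(typeof(MyService))` in OnStart() above when the settings are to live in code rather than in app.config.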


Step 6: Install the Windows service. Rebuild the solution and open a Visual Studio command prompt. Go to the project directory containing WCFServiceHost.exe. On the command line, type Installutil WCFServiceHost.exe. If it does not succeed, type Installutil /u WCFServiceHost.exe to uninstall the previous registration.


Start the newly created service.


Step 7: Create a test client application.


Add a service reference.


Run the application.


Example 3. Creating and installing certificates for message security mode

Helps you create and install temporary certificates to be used while developing and testing WCF services that implement message security.

Open a Visual Studio command prompt and browse to the location where you want to store the certificate files. Type:

makecert -n "CN=RootCATest" -r -sv RootCATest.pvk RootCATest.cer


Enter a password in the dialog box and click OK.


Enter the password once more.


Step 2: Create a Certificate Revocation List (CRL) file from the root certificate

Open a Visual Studio command prompt and browse to the location where you want to store the CRL file for the root certificate.

Run the following command to create the CRL file:

makecert -crl -n "CN=RootCATest" -r -sv RootCATest.pvk RootCATest.crl


Step 3: Install the root certificate authority certificate on the server and the client

Repeat the following steps on both the client and the server:

Copy the RootCATest.cer file to the client and the server.

Click Start and then click Run.

On the command line, type MMC and click OK.


On the File menu, click Add/Remove Snap-in. When the Add/Remove Snap-in dialog box opens, click Add. In Add Standalone Snap-in, select Certificates.


Choose Computer account so that the certificate is available to all users. Click Next and then OK.


Under Trusted Root Certification Authorities, right-click the Certificates subfolder, select All Tasks, and then select Import.


The Certificate Import Wizard welcome screen appears; click Next. On the File to Import screen, click Browse, go to the location containing the signed root certificate authority file RootCATest.cer and click Open.


Then click Next.


Install the certificate revocation list file on the server and client machines

Copy the RootCATest.crl file to both the client and server machines.

Click Start and then click Run.

On the command line, type mmc and click OK.

The installation steps are the same as for the certificate authority certificate in the previous steps.


Create and install a temporary service certificate

Open a Visual Studio command prompt and browse to the location where the root CA certificate and private key file were created. Type:

makecert -sk MyKeyName -iv RootCATest.pvk -n "CN=tempCert" -ic RootCATest.cer -sr localmachine -ss my -sky exchange -pe

Enter the password set earlier.


Identify the temporary certificate's private key

Open a Visual Studio command prompt and run the following command:

FindPrivateKey.exe My LocalMachine -n "CN=tempCert"


Note: if FindPrivateKey is not on the machine, download the FindPrivateKey tool from http://www.microsoft.com/downloads/details.aspx?FamilyId=2611A6FFFD2D4F5BA672C002F1C09CCD&displaylang=en


FindPrivateKey returns the certificate's private key file, such as

"C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\4d657b73466481beba7b0e1b5781db81_c225a308d2ad4e5891a86e87f354b030".

Run the following command to grant the WCF service access to the key:

cacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\4d657b73466481beba7b0e1b5781db81_c225a308d2ad4e5891a86e87f354b030" /E /G "NT AUTHORITY\NETWORK SERVICE":R

Run the following command to verify the permissions on this key:

cacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\4d657b73466481beba7b0e1b5781db81_c225a308d2ad4e5891a86e87f354b030"
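As an added example that is neither part of the slides nor the FindPrivateKey tool's own code, this .NET Framework helper performs the two manual steps above in code: it locates the private key file of a LocalMachine\My certificate and checks whether a given account has read access to it (subject name and account are parameters; nothing is granted, only checked).

```csharp
using System;
using System.IO;
using System.Linq;
using System.Security.AccessControl;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;

// Added illustration (not slide-deck or FindPrivateKey code): the FindPrivateKey
// and cacls steps above done from .NET Framework code to verify key access.
static class KeyFileAccessCheck
{
    // Path of the CSP key container file behind a LocalMachine\My certificate.
    public static string FindPrivateKeyFile(string subjectName)
    {
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            X509Certificate2 cert = store.Certificates
                .Find(X509FindType.FindBySubjectName, subjectName, false)
                .Cast<X509Certificate2>()
                .FirstOrDefault(c => c.HasPrivateKey);
            if (cert == null)
                throw new InvalidOperationException("No certificate with a private key: " + subjectName);
            // Only CSP (legacy RSA) keys, as created by makecert -sky exchange, live under MachineKeys.
            var rsa = cert.PrivateKey as RSACryptoServiceProvider;
            if (rsa == null)
                throw new InvalidOperationException("Private key is not a CSP key; no MachineKeys file.");
            string machineKeys = Path.Combine(Environment.GetFolderPath(
                Environment.SpecialFolder.CommonApplicationData), @"Microsoft\Crypto\RSA\MachineKeys");
            return Path.Combine(machineKeys, rsa.CspKeyContainerInfo.UniqueKeyContainerName);
        }
        finally { store.Close(); }
    }

    // True when an Allow ACE grants at least Read to the account (e.g.
    // "NT AUTHORITY\NETWORK SERVICE"); the same answer cacls prints as ":R".
    public static bool AccountCanRead(string keyFile, string accountName)
    {
        var account = new NTAccount(accountName);
        return File.GetAccessControl(keyFile)
            .GetAccessRules(true, true, typeof(NTAccount))
            .Cast<FileSystemAccessRule>()
            .Any(r => r.AccessControlType == AccessControlType.Allow
                   && r.IdentityReference.Equals(account)
                   && (r.FileSystemRights & FileSystemRights.Read) == FileSystemRights.Read);
    }
}
```

A false result from AccountCanRead(FindPrivateKeyFile("tempCert"), @"NT AUTHORITY\NETWORK SERVICE") means the service hosted under NetworkService will fail to open the certificate's private key, which is the condition the cacls /G step above fixes.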


Certificate information in IIS


Q&A

