Security is an unavoidable topic for any enterprise-level application. How do we identify a user? How do we restrict the operations a user may perform and the resources a user may access to those that have been permitted? How do we record user behavior so that every operation can be traced? These are the typical issues an application security mechanism or security framework must address, and they correspond to three security behaviors: Authentication, Authorization, and Auditing.
Beyond these typical issues, a distributed application that communicates by exchanging messages must also consider Message Protection. Concretely, message protection consists of two mechanisms: Signature and Encryption. A signature ensures Message Integrity, that is, the message is not tampered with by a third party between the original sender and the final receiver. Encryption ensures Message Confidentiality, that is, the message content is visible only to the recipient the sender intended.
As the most complete distributed communication platform on Windows, WCF has a powerful, complete and extensible security system that provides effective support for all of the security issues above. Because the security system plays such an important role in the overall WCF framework, I will devote the next series of articles to it, a topic I have not touched in my previous articles. Given its scope, I have divided the subject into two parts: Transmission Security (which mainly covers the implementation of authentication, message integrity and message confidentiality) and Authorization and Auditing.
WCF is a distributed programming platform that uses messages as its means of communication. It lets us define reusable functionality in the form of services, deploy them to a node in a distributed network environment, and have them called by potential service consumers. The service and the client that calls it may sit on the same network, span different networks, or even communicate over the Internet. This uncertainty about the network brings a series of security risks to distributed applications. Before introducing the transmission security of WCF, let's first look at these risks.
1. Transmission security risks in distributed applications
We can regard WCF as a message processing framework divided into two parts: the client and the server. The client sends the request message and receives the reply message; the server receives the request message and sends the reply message. WCF can only control the processing that happens before a message is sent and after it is received; it has no control over the message while it is in transit. Precisely because the network carrying the messages cannot provide sufficient protection, the following typical security risks arise:
- Message tampering: A message in transit is captured by a network interception tool, maliciously modified, and then forwarded to the recipient, who performs an incorrect operation or returns a wrong result to the client. For example, when a client calls a service to perform a bank transfer, the request contains the source account, the destination account and the amount. If an attacker intercepts the message, changes the account or amount data and forwards the tampered request, and the server treats it as a normal transfer request, the consequences can be imagined;
- Sensitive information leakage: Messages often contain sensitive information such as credit card numbers and ID card numbers. If such messages are transmitted in plain text over the network, then once they are captured by a network interception tool they are naturally visible to a malicious attacker;
- Phishing Attack: Requests intended for service A are maliciously redirected to another service B, which performs operations that damage the visitor's interests or steal the visitor's sensitive information. Take online banking as an example: a user calls the bank's authentication service and provides an account and password to log on. If the visitor does not verify the real identity of the service before calling it and rashly sends the online banking account and password in the request, and the service turns out to be a forgery set up by an attacker or a rogue software vendor, the attacker directly obtains the account and password the user provided;
- Replay Attack: An attacker uses a network interception tool to capture an access request for a service, then copies the request and initiates calls to the target service at a very high frequency. If the service treats every received message as a request from a legitimate visitor, it exhausts the server's available resources and crashes.
The preceding figure shows several typical security risks that distributed network applications face because of the uncertainty of the network environment. In fact, because network protocols themselves do not provide sufficient security protection, we encounter many other network security problems as well. Network security is especially prominent in the Internet environment. The Internet has developed so rapidly since its emergence, changing how we live, learn and think, and one major technical factor behind this is that it is built on the "simple" HTTP protocol. However, it is precisely that simplicity that prevents HTTP from providing adequate security mechanisms. In short, to make up for the limitations of network protocols in security assurance, we often have to rebuild the security system at the application level.
However, security is a relatively "advanced" topic. Building a security system suited to a specific application's requirements places high demands on application developers and architects. For ordinary small and medium-sized distributed applications, the cost invested in the security architecture may well exceed that of all the business modules combined. Moreover, a security system built with great effort may not be as secure as you think. So, implementing security entirely within each specific application is not realistic.
Since the network communication layer cannot provide adequate security assurance, and implementing it at the application layer is not realistic, we can only build the security assurance system between the two. Such solutions are called platform-level or framework-level security assurance systems.
As a distributed development platform, WCF provides a fully functional and scalable security architecture that meets the security requirements of most distributed application scenarios. As the architect of a distributed application built on WCF, you only need to configure it according to your own scenario. In other words, WCF provides a series of ready-made implementation options for each specific security problem; the security architect only needs to select the most suitable option for each problem according to the application's needs and then combine them into the final security assurance solution. Next, let's briefly introduce how the WCF transmission security system addresses these network security risks.
At the beginning of this article we noted that WCF transmission security aims to solve three typical security problems: authentication, message integrity and message confidentiality. Let's first discuss what authentication is and how it is implemented.
2. Authentication
In the era of cold weapons, defending against enemy intrusion and protecting a city meant building solid walls and digging deep moats. In fact, the original meaning of the Chinese word chengchi (城池) is just that: city wall and moat. For military towns that had to be contested, there was often more than one solid line of walls; a typical defense system built an inner and an outer city, so that even after the outer line was breached, the defenders still had a second line of defense to fall back on.
Although high walls and deep moats can no longer play any defensive role in modern warfare, the idea of a defense system made up of multiple security barriers is still the guiding principle for building a network security system. Take a distributed Web application as an example: we can place a firewall in front of both the Web server and the application server. The former protects the Web server and forms the first line of defense; even if an attacker breaks through it, the security of the core services can still be ensured, because the business logic is deployed on the application server as a service.
To a large extent, security means letting someone do only what he is allowed to do. An application provides its users with functions to execute and resources to access, but executing an operation or accessing a resource must depend on the user's own permissions. In other words, we need to ensure that the service is provided to the user only within the user's defined permissions. This is what we call Authorization, or Access Control.
However, one premise of reasonable user authorization is that the current user's identity has already been confirmed. The act of identifying a visitor is called Authentication. Authentication is usually the first barrier of an application's or service's security system; without it, every subsequent security defense becomes ineffective. Authentication helps us confirm "who is knocking at my door?". A visitor to an application or service arrives at the first gate with a declared identity, and the gatekeeper opens the door only after that identity has been determined; otherwise, the visitor is turned away at the door.
If I had to define authentication, my personal preference is this: authentication is the act of determining whether the real identity of the authenticated party matches the identity he or she claims (the Claim). To do so, the authenticated party must provide proof of identity, which is used to decide whether the real identity is consistent with the claimed one. In computing, this proof of identity has a proprietary name: the Credential (also User Credential or Authentication Credential).
3. User Credential
The best design simulates reality as closely as possible, and real life offers countless examples of security authentication. For example, if I say "I am Zhang San" to a person I don't know, how can that person believe that I really am Zhang San and not Li Si? Although we may not know each other, each of us carries an ID card that can prove our real identity. The ID card here is a typical user credential.
The authenticating party can determine the real identity of the other party from the ID card the authenticated party presents, but three conditions must be met: first, the authenticated person must claim to be the person shown on the ID card; second, the holder of the ID card must be its owner; third, the ID card must be legal and valid, that is, issued by the public security bureau rather than obtained by calling one of those "certificate-making" phone numbers. The first condition is generally not a problem, because no person of even slightly sound mind would try to prove he is Zhang San with Li Si's ID card; the second can be determined from the photo on the ID card; the third depends on the anti-counterfeiting features of the ID card and the verification ability of the authenticating party.
The above three conditions also reflect the attributes of the credential itself and the relationship between the credential and the authenticated party in credential-based authentication, namely: consistency between the credential and the declared identity, ownership of the credential by the authenticated person, and validity of the credential. For simplicity, we refer to these as the three attributes of a user credential. The type of user credential determines the authentication method, and WCF supports a series of different credential types to meet different authentication requirements. Next, we briefly introduce several common user credentials and the corresponding authentication methods in light of these three attributes.
User name/Password
The most common authentication method we use is to verify a user name and password, so much so that when identity authentication is mentioned, many people immediately think of a password. The user name/password credential is the most common credential type and consists of two elements: the user name and the password. Let's analyze it through the three attributes of a user credential introduced above.
The user name indicates the identity declared by the authenticated party, and the password is the evidence that the holder is the legal owner of the credential. First, the user name represents the identity (Identity), so consistency between the credential and the declaration means that the identity declared by the authenticated party matches the user name. Second, the authenticated person's ownership of the credential is proved by the password: because the password corresponding to the account is private information belonging to the account owner alone, if the authenticated party can provide a password that matches the declared identity, that proves the party is the real owner of the credential. Third, because a user name/password credential is not a certificate-type credential and does not need to be issued by a legal authority, the validity attribute does not come into play.
In an application that adopts user name/password authentication, the authenticating party generally holds a list of all user accounts and passwords. Of course, because the password is private to its holder, in principle only the holder should know it, and no one else (including the authenticating party) should be able to obtain it by technical means. So although the validator maintains a list of the user names and passwords of all accounts it is responsible for authenticating, what is stored in that list is the hash of the original password together with the Key used in hashing. Because the hash algorithm is irreversible, the original password cannot be recovered from the hash and the corresponding Key, which protects the password. During authentication, you only need to look up the Key for the given user name, hash the password supplied by the user with the same algorithm and that Key, and compare the result with the stored value to verify whether the password is genuine.
During project development we may also choose to encrypt and store the password provided at registration, so that when a user forgets the original password, we can verify the real identity of the authenticated party and then return the original password by decryption. With encrypted storage, whether symmetric or asymmetric encryption is used, the original password can be obtained through the corresponding decryption algorithm, so in theory it poses a security problem. When selecting a password storage policy for a specific application, you can choose between hashing and encrypting the original password according to the required security level and whether the original password needs to be returned; what is never allowed is storing passwords in plain text.
What authentication methods can the WCF server use for the user name/password credential provided by the client? For user name/password-based authentication, the WCF security framework provides several options. Personally I think ASP.NET Membership-based authentication is the most valuable; readers who have used ASP.NET 2.0 or later should be familiar with ASP.NET Membership.
We can also map the user name and password provided by the client to a Windows account and its password, so that Windows authentication identifies the real identity of the client. If neither method meets your user name/password authentication requirements, you can customize the authentication implementation: you only need to create a class that inherits from System.IdentityModel.Selectors.UserNamePasswordValidator.
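As an added example (not the article's code and not part of WCF itself), the following custom validator combines the two points above: it stores only a per-user random Key plus the password's hash, as described for user name/password authentication, and it plugs into WCF by inheriting from System.IdentityModel.Selectors.UserNamePasswordValidator. The class name, the in-memory Store, and the Register/Verify helpers are assumptions for this example; PBKDF2 (Rfc2898DeriveBytes) stands in for the hash algorithm the article leaves unspecified.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography;

// Hypothetical validator written for this example; not from WCF or the article.
public class HashedPasswordValidator : UserNamePasswordValidator
{
    // One record per account: the per-user random Key (a salt) and the
    // hash derived from Key + password. The plain-text password is never stored.
    private sealed class Record { public byte[] Key; public byte[] Hash; }

    // Constructed in-memory store; a real service would use a database
    // or the ASP.NET Membership provider instead.
    private static readonly Dictionary<string, Record> Store =
        new Dictionary<string, Record>(StringComparer.OrdinalIgnoreCase);

    private const int Iterations = 100000;  // slows brute force of a leaked store
    private const int HashLength = 32;

    // Registration: generate a fresh Key and keep only the derived hash.
    public static void Register(string userName, string password)
    {
        var key = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(key);
        Store[userName] = new Record { Key = key, Hash = Derive(key, password) };
    }

    // Same algorithm and same Key on both sides: the "hash with the Key" step.
    private static byte[] Derive(byte[] key, string password)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, key, Iterations))
            return kdf.GetBytes(HashLength);
    }

    // Look up the Key by user name, re-hash the supplied password, compare.
    public static bool Verify(string userName, string password)
    {
        Record rec;
        if (!Store.TryGetValue(userName, out rec))
            return false;                       // unknown account
        return FixedTimeEquals(Derive(rec.Key, password), rec.Hash);
    }

    // Compare every byte so timing does not reveal how much of the hash matched.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // WCF calls Validate for every UserName credential it receives;
    // throwing SecurityTokenException rejects the call.
    public override void Validate(string userName, string password)
    {
        if (!Verify(userName, password))
            throw new SecurityTokenException("Unknown user name or incorrect password.");
    }
}
```

The validator is wired into a service through the serviceCredentials behavior, with userNameAuthentication set to userNamePasswordValidationMode="Custom" and customUserNamePasswordValidatorType naming this class.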
Windows credential
In terms of how frequently it is adopted, Integrated Windows Authentication (IWA) is second only to user name/password authentication. Especially for intranet applications based on Windows Active Directory (AD), Windows authentication is the first choice. Almost all Microsoft products and development platforms that require authentication integrate Windows authentication, such as IIS, SQL Server and ASP.NET, and WCF is of course no exception.
Windows authentication is the best way to achieve Single Sign-On (SSO). Whether in Domain mode or Workgroup mode, as long as you log on to a machine with a Windows account and password, you obtain a credential. Until the current session times out, you can carry that Windows credential and automatically log on to every application integrated with Windows authentication without repeatedly entering the same account and password. If the logon account lacks permission on the target application, you can re-enter another Windows account and its password (if the current user has multiple Windows accounts) and operate on the target application under that other identity, which does have the permission.
Similarly in WCF, without considering Impersonation and Delegation, the WCF client security framework automatically uses the Windows credential of the client application process as the client credential for calling the service and sends it to the service for authentication. In addition, when writing a client program we can dynamically create a Windows credential by specifying a Windows user name and password and use it as the client credential for the service call. Since a Windows credential must be obtained by providing a Windows account and a matching password, it can in essence be seen as a variant of the user name/password credential, and its three attributes can be analyzed in the same way as those of the user name/password credential.
In terms of implementation, Windows has two different authentication protocols: NTLM (NT LAN Manager) and Kerberos, which serve as the network authentication protocols in workgroup mode and domain mode respectively. In a specific service-calling environment, the Windows credential actually used is an NTLM or Kerberos ticket.
In the next article we will discuss another important user credential, the digital certificate, and the asymmetric cryptography (or public key cryptography) that underlies it. That article will not only give you a deep understanding of the principles behind digital certificates, but also of digital signatures and encryption.
Author: Artech
Source: http://artech.cnblogs.com
The copyright of this article is shared by the author and Blog Park (cnblogs). You are welcome to repost this article, but unless the author agrees otherwise you must retain this statement and provide a clear link to the original article on the page; otherwise you will be held legally liable.