What is some good WCF/web services security reading?
I've been doing a lot of studying and work recently related to WCF, web services and distributed computing in general, but most of the security concepts go over my head. Transport security, message security, encryption, certificates, etc. I understand the basics of symmetric and asymmetric encryption, but I don't really understand the real world application of them in a SOAP conversation.
I'd read the specs, but they seem a bit dense. Can anyone point me to resources that start with the basics and work up from there? I'm tempted to fish out the textbook from my networking course in college to get a better understanding of what's happening at the lowest level, but I don't know if this is massively inefficient or not. I'd prefer not to have to read a small library full of stuff - I just want to solidly grok the concepts and be able to explain them to the rubber duck on my desk.
Edit:
It's been several years since I first wrote the answer and the list is getting old. There have been some wide adoption of web-enabled APIs and token-based trust relaying.
I haven't read it, but Windows Communication Foundation Security would be a good place to start, if you're looking for something specific to WCF.
Also keep your eyes open for what major players like Facebook, Google, and Twitter are doing. They are using open protocols like OpenID and OAuth. At first, OAuth looks complicated, but you should understand the mechanism.
In my opinion earlier OAuth reinvents a lot of wheels that SSL has already solved, and leaves some security holes open. An interesting read is Compromising Twitter's OAuth security system. Facebook's OAuth 2.0 implementation and Google's OAuth 2.0 implementation simplify many of these issues by using https where it makes sense. These are must reads.
The basic concept around OAuth is trust relaying. You would want third-party developers to make apps against your API, but the end users cannot always trust these apps. Giving password to them, is like giving the keys to the kingdom. So the user types in the password into your UI, and your UI redirects to the third party with an access token.
Building Secure ASP.NET Applications: Authentication, Authorization, and Secure Communication is a good introduction to ASP.NET's security models. You can skip over the details because much of the technology is now obsolete.
A good overview specific to Web Services is Web Service Security: Scenarios, Patterns, and Implementation Guidance for Web Services Enhancements (WSE) 3.0. It says WSE, but basic concepts still remain the same.
To get more details on WS-Security, read Securing Web Services with WS-Security: Demystifying WS-Security, WS-Policy, SAML, XML Signature, and XML Encryption.
After reading above, what really helped me was looking at existing implementations like Amazon S3's authentication:
Each authentication frob is specific to a user and an application's api key, and can only be used with that key.
Authentication frobs are valid for 60 minutes from the time it is created, or until the application calls flickr.auth.getToken, whichever is sooner.
Only one authentication frob per application per user will be valid at any one time. Applications must deal with expired and invalid authentication frobs and know how to renew them.
Many Twitter API methods require authentication. All responses are relative to the context of the authenticating user. For example, an attempt to retrieve information on a protected user who is not friends with the requesting user will fail.
For the time being, HTTP Basic Authentication is the only supported authentication scheme. When authenticating via Basic Auth, use your registered username or email address as the username component. Session cookies and parameter-based login are known to work but are not officially supported.
The OAuth token-based authentication scheme will shortly be offered as an experimental beta release.
So it's nice to know the complicated certs and PKI stuff, but the world seems to operate without it just fine.
- Collection was modified; enumeration operation may not execute
- No connection could be made because the target machine actively refused it 127.0.0.1:3446
- .Net: Running code when assembly is loaded
- Getting a "Value for <column> in table <table> is DBNull" error
- TCP/IP failed to establish an outgoing connection
- log4net using ThreadContext.Properties in wcf PerSession service
- Run other project when running unit tests in Visual Studio 2013
- Calling a webservice that uses ISO-8859-1 encoding from WCF
- Handling the returned html in a wcf service
- scalable WCF solution
- Pass API key / auth information from HttpOperationHandler to API class in WCF4 webservice
- WCF REST parameter object is null
- Can you add WCF Endpoint to .NET API
- WCF as a web service with the smallest possible payload
- WCF service - trying to return a class
- IIS Log - WCF Service Track Operation Contract Name
- How to return custom responses as a WCF behavior?
- Call one WCF service from another WCF Service: Endpoint Error?
- Serialize Generic type over WCF Service
- Use of GUIDs as id in public facing data integration web service
- Prevent ServiceContractGenerator from generating message contracts (request/response wrappers)
- WCF ChannelFactory and Channel caching in ASP.NET client application
- Refactoring WCF Service
- How to pass TimeSpan value in JSON format?
- WCF client failes to authenticate Java web service. Cannot find a token authenticator for the X509SecurityToken
- WCF: Web Service Login / Authentication: HowTo?
- Context lost when IClientMessageInspector is configured on a WCF service and method is called with async/await
- WCF Certificate Authentication works with all client certificates
- Could not establish secure channel for SSL/TLS with authority '*'
- Single instance WCF service with concurrent tasks (that can be limited)