What is some good WCF/web services security reading?


Problem description


I've been doing a lot of studying and work recently related to WCF, web services and distributed computing in general, but most of the security concepts go over my head. Transport security, message security, encryption, certificates, etc. I understand the basics of symmetric and asymmetric encryption, but I don't really understand the real world application of them in a SOAP conversation.

I'd read the specs, but they seem a bit dense. Can anyone point me to resources that start with the basics and work up from there? I'm tempted to fish out the textbook from my networking course in college to get a better understanding of what's happening at the lowest level, but I don't know if this is massively inefficient or not. I'd prefer not to have to read a small library full of stuff - I just want to solidly grok the concepts and be able to explain them to the rubber duck on my desk.

Solution

Edit:

It's been several years since I first wrote the answer and the list is getting old. There has been wide adoption of web-enabled APIs and token-based trust relaying.

I haven't read it, but Windows Communication Foundation Security would be a good place to start, if you're looking for something specific to WCF.

Also keep your eyes open for what major players like Facebook, Google, and Twitter are doing. They are using open protocols like OpenID and OAuth. At first, OAuth looks complicated, but you should understand the mechanism.

In my opinion, earlier OAuth reinvents a lot of wheels that SSL has already solved and leaves some security holes open. An interesting read is Compromising Twitter's OAuth security system. Facebook's OAuth 2.0 implementation and Google's OAuth 2.0 implementation simplify many of these issues by using https where it makes sense. These are must reads.

The basic concept around OAuth is trust relaying. You would want third-party developers to make apps against your API, but the end users cannot always trust these apps. Giving them the password is like giving away the keys to the kingdom. So the user types the password into your UI, and your UI redirects to the third party with an access token.


Building Secure ASP.NET Applications: Authentication, Authorization, and Secure Communication is a good introduction to ASP.NET's security models. You can skip over the details because much of the technology is now obsolete.

A good overview specific to Web Services is Web Service Security: Scenarios, Patterns, and Implementation Guidance for Web Services Enhancements (WSE) 3.0. It says WSE, but basic concepts still remain the same.

To get more details on WS-Security, read Securing Web Services with WS-Security: Demystifying WS-Security, WS-Policy, SAML, XML Signature, and XML Encryption.

After reading above, what really helped me was looking at existing implementations like Amazon S3's authentication:

Amazon S3's authentication (process diagram): http://docs.amazonwebservices.com/AmazonS3/2006-03-01/images/HMACAuthProcess_You.gif

Flickr Authentication API:

Each authentication frob is specific to a user and an application's api key, and can only be used with that key.

Authentication frobs are valid for 60 minutes from the time they are created, or until the application calls flickr.auth.getToken, whichever is sooner.

Only one authentication frob per application per user will be valid at any one time. Applications must deal with expired and invalid authentication frobs and know how to renew them.

Twitter REST API

Many Twitter API methods require authentication. All responses are relative to the context of the authenticating user. For example, an attempt to retrieve information on a protected user who is not friends with the requesting user will fail.

For the time being, HTTP Basic Authentication is the only supported authentication scheme. When authenticating via Basic Auth, use your registered username or email address as the username component. Session cookies and parameter-based login are known to work but are not officially supported.

The OAuth token-based authentication scheme will shortly be offered as an experimental beta release.

So it's nice to know the complicated certs and PKI stuff, but the world seems to operate without it just fine.
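The HMAC request signing that the S3 diagram above illustrates, written out as an added Python example (this is not code from the answer or from Amazon): the client signs the request's method, path, date and content headers with a shared secret, and the server recomputes the MAC, compares it in constant time, and rejects stale dates. The string-to-sign layout follows the shape of S3's 2006-03-01 scheme without the amz headers; the key id, secret, paths and the 15-minute replay window are constructed demo values.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime

ACCESS_KEY_ID = "DEMOACCESSKEY"          # constructed demo id, not a real key
SECRET_KEY = b"demo-secret-known-only-to-client-and-server"
KEY_STORE = {ACCESS_KEY_ID: SECRET_KEY}  # server-side lookup of shared secrets
MAX_CLOCK_SKEW = timedelta(minutes=15)   # assumed replay window

def string_to_sign(method, path, headers):
    """Canonical text in the shape of S3's 2006-03-01 scheme (amz headers omitted)."""
    return "\n".join([method.upper(), headers.get("Content-MD5", ""),
                      headers.get("Content-Type", ""), headers["Date"], path])

def signature(secret, method, path, headers):
    mac = hmac.new(secret, string_to_sign(method, path, headers).encode("utf-8"), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode("ascii")

def sign_request(method, path, headers, key_id=ACCESS_KEY_ID, secret=SECRET_KEY):
    """Client side: add an Authorization header; the secret itself never goes on the wire."""
    return dict(headers, Authorization=f"AWS {key_id}:{signature(secret, method, path, headers)}")

def verify_request(method, path, headers, now, keys=None):
    """Server side: look up the secret, recompute the MAC, compare in constant time,
    and reject stale Dates so a captured request cannot be replayed indefinitely."""
    keys = KEY_STORE if keys is None else keys
    try:
        scheme, key_id, presented = headers["Authorization"].replace(":", " ", 1).split(" ")
        skew = abs(now - parsedate_to_datetime(headers["Date"]))
    except (KeyError, ValueError, TypeError):  # malformed header, bad date, naive datetime
        return False
    if scheme != "AWS" or key_id not in keys or skew > MAX_CLOCK_SKEW:
        return False
    return hmac.compare_digest(signature(keys[key_id], method, path, headers).encode(), presented.encode())

def demo():
    """Round trip: a valid request, a tampered path, a stale replay, and a wrong secret."""
    sent_at = datetime(2009, 1, 1, 12, 0, tzinfo=timezone.utc)
    headers = {"Date": format_datetime(sent_at, usegmt=True), "Content-Type": "text/xml"}
    signed = sign_request("PUT", "/bucket/key", headers)
    return {
        "valid": verify_request("PUT", "/bucket/key", signed, now=sent_at),
        "tampered_path": verify_request("PUT", "/bucket/other", signed, now=sent_at),
        "stale_replay": verify_request("PUT", "/bucket/key", signed, now=sent_at + timedelta(minutes=16)),
        "wrong_secret": verify_request("PUT", "/bucket/key", signed, now=sent_at, keys={ACCESS_KEY_ID: b"x"}),
    }
```

Note that this only authenticates the request and detects tampering; it does not hide the payload, which is what transport security (https) adds on top.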
