WS-Security
Clement Song
02-09-04
Outline
- What is WS-Security?
- Why WS-Security?
- Terminology
- How to Secure?
- Code
- Demos
- Reference
What is WS-Security?
WS-Security:
- SOAP message protection through message integrity, confidentiality, and single message authentication
- extensible and flexible (multiple security tokens, trust domains, signature formats, and encryption technologies)
- a flexible set of mechanisms that can be used to construct a range of security protocols
Source: WS-Security version 1.0, ref [1]
Why WS-Security?
- Secure SOAP message exchange
Terminology Reference
Claim - A claim is a statement that a requestor makes (e.g. name, identity, key, group, privilege, capability, etc).
Security Token - A security token represents a collection of claims.
Signed Security Token - A signed security token is a security token that is asserted and cryptographically endorsed by a specific authority (e.g. an X.509 certificate or a Kerberos ticket).
Proof-of-Possession - The proof-of-possession information is data that is used in a proof process to demonstrate the sender's knowledge of information that should only be known to the claiming sender of a security token.
Terminology Reference
Digest - A digest is a cryptographic checksum of an octet stream.
Signature - A signature is a cryptographic binding of a proof-of-possession and a digest. This covers both symmetric key-based and public key-based signatures. Consequently, non-repudiation ...
Non-repudiation - means to ensure that a transferred message has been sent and received by the parties claiming to have sent and received the message. A way to guarantee that the sender of a message cannot later deny having sent the message and that the recipient cannot deny having received the message.
How to Secure?
Integrity - information is not modified in transit
- XML signature in conjunction with security tokens
- Multiple signatures, multiple actors, additional signature formats
How to Secure?
Confidentiality - only authorized actors or security token owners can view the data
- XML encryption in conjunction with security tokens
- Multiple encryption processes, multiple actors
How to Secure?
Authentication - you are who you say you are
- Security Tokens
Syntax
<S:Envelope>
  <S:Header>
    ...
    <Security S:actor="..." S:mustUnderstand="...">
      ...
    </Security>
    ...
  </S:Header>
  <S:Body>
    ...
  </S:Body>
</S:Envelope>
UsernameToken Element
<UsernameToken Id="...">
  <Username>...</Username>
  <Password Type="...">...</Password>
</UsernameToken>
Types:
- wsse:PasswordText (default): the actual password for the username
- wsse:PasswordDigest: the digest of the password for the username. The value is a base64-encoded SHA1 hash value of the UTF8-encoded password
UsernameToken Example
<wsse:Security>
  <wsse:UsernameToken>
    <wsse:Username>Zoe</wsse:Username>
    <wsse:Password>ILoveDogs</wsse:Password>
  </wsse:UsernameToken>
</wsse:Security>
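An added example (not from the deck) that builds the UsernameToken header in both password types from the previous two slides and checks it on the receiving side, using only the Python standard library. The wsse namespace URI is the 2002 draft one the deck's own examples use; the function names are mine, and the digest follows the slide's definition, Base64(SHA-1(UTF-8 password)).

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Namespace URI taken from the deck's own examples (the 2002 draft of WS-Security).
WSSE = "http://schemas.xmlsoap.org/ws/2002/04/secext"
NS = {"wsse": WSSE}
ET.register_namespace("wsse", WSSE)


def password_digest(password: str) -> str:
    """wsse:PasswordDigest exactly as the slide defines it: Base64(SHA-1(UTF-8 password))."""
    return base64.b64encode(hashlib.sha1(password.encode("utf-8")).digest()).decode("ascii")


def build_security_header(username: str, password: str, digest: bool) -> str:
    """Serialize a <wsse:Security> header holding a UsernameToken of either password type."""
    sec = ET.Element(f"{{{WSSE}}}Security")
    tok = ET.SubElement(sec, f"{{{WSSE}}}UsernameToken")
    ET.SubElement(tok, f"{{{WSSE}}}Username").text = username
    pw = ET.SubElement(tok, f"{{{WSSE}}}Password")
    if digest:
        pw.set("Type", "wsse:PasswordDigest")
        pw.text = password_digest(password)   # the password itself never appears on the wire
    else:
        pw.set("Type", "wsse:PasswordText")
        pw.text = password                    # cleartext: only safe on a protected channel
    return ET.tostring(sec, encoding="unicode")


def verify_username_token(header_xml: str, expected_password: str):
    """Parse the header and check <wsse:Password> against the password on file, honouring
    the Type attribute (PasswordText is the default when Type is absent). Returns (user, ok)."""
    root = ET.fromstring(header_xml)
    tok = root.find("wsse:UsernameToken", NS)
    if tok is None:
        return None, False
    user = tok.findtext("wsse:Username", namespaces=NS)
    pw = tok.find("wsse:Password", NS)
    presented = (pw.text or "") if pw is not None else ""
    ptype = pw.get("Type", "wsse:PasswordText") if pw is not None else "wsse:PasswordText"
    expected = password_digest(expected_password) if ptype == "wsse:PasswordDigest" else expected_password
    # Constant-time comparison, so the check does not leak how many characters matched.
    return user, hmac.compare_digest(presented.encode("utf-8"), expected.encode("utf-8"))


if __name__ == "__main__":
    for use_digest in (False, True):
        header = build_security_header("Zoe", "ILoveDogs", use_digest)
        print(header)
        print(verify_username_token(header, "ILoveDogs"))
```

The digest here is the slide's plain hash of the password; the later OASIS UsernameToken Profile folds a nonce and a creation timestamp into the same SHA-1, which is what lets a receiver reject a replayed token.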
Binary Security Tokens
<BinarySecurityToken Id=... EncodingType=... ValueType=.../>
EncodingType:
- wsse:Base64Binary: base 64 encoding
- wsse:HexBinary: hex encoding
ValueType:
- wsse:X509v3: X.509 v3 certificate
- wsse:Kerberosv5TGT: Kerberos v5 ticket, ticket granting ticket
- wsse:Kerberosv5ST: Kerberos v5 ticket, service ticket
Binary Security Tokens Example
<wsse:BinarySecurityToken xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/04/secext"
    Id="myToken" ValueType="wsse:X509v3" EncodingType="wsse:Base64Binary">
  MIIEZzCCA9CgAwIBAgIQEmtJZc0...
</wsse:BinarySecurityToken>
SecurityTokenReference
<SecurityTokenReference Id="...">
  <Reference URI="..."/>
</SecurityTokenReference>
Example:
<wsse:SecurityTokenReference xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/04/secext">
  <wsse:Reference URI="http://www.fabrikam123.com/tokens/Zoe#X509token"/>
</wsse:SecurityTokenReference>
Username Token Demo
Digital Signing
XML Signature
<Signature ID?>
  <SignedInfo>
    <CanonicalizationMethod/>
    <SignatureMethod/>
    (<Reference URI? >
      (<Transforms>)?
      <DigestMethod>
      <DigestValue>
    </Reference>)+
  </SignedInfo>
  <SignatureValue>
  (<KeyInfo>)?
  (<Object ID?>)*
</Signature>
XML Signature Example
<Signature Id="MyFirstSignature" xmlns="http://www.w3.org/2000/09/xmldsig#">
  <SignedInfo>
    <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
    <Reference URI="http://www.w3.org/TR/2000/REC-xhtml1-20000126/">
      <Transforms>
        <Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
      </Transforms>
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <DigestValue>j6lwx3rvEPO0vKtMup4NbeVu8nk=</DigestValue>
    </Reference>
  </SignedInfo>
  <SignatureValue>MC0CFFrVLtRlk=...</SignatureValue>
  <KeyInfo>
    <KeyValue>
      <DSAKeyValue>
        <P>...</P><Q>...</Q><G>...</G><Y>...</Y>
      </DSAKeyValue>
    </KeyValue>
  </KeyInfo>
</Signature>
XML signature in WS-Security
<wsse:Security>
  <wsse:BinarySecurityToken ValueType="wsse:X509v3" EncodingType="wsse:Base64Binary" Id="X509Token">
    MIIEZzCCA9CgAwIBAgIQEmtJZc0rqrKh5i...
  </wsse:BinarySecurityToken>
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference>
        <ds:Transforms>
          <ds:Transform Algorithm="http://...#RoutingTransform"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>EULddytSo1...</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>BL8jdfToEb1l/vXcMZNNjPOV...</ds:SignatureValue>
    <ds:KeyInfo>
      <wsse:SecurityTokenReference>
        <wsse:Reference URI="#X509Token"/>
      </wsse:SecurityTokenReference>
    </ds:KeyInfo>
  </ds:Signature>
</wsse:Security>
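An added example (not from the deck) of the receiver-side processing the XML Signature, BinarySecurityToken and SecurityTokenReference slides imply: resolve each ds:Reference URI to the element it names, recompute its DigestValue, and follow KeyInfo to the token that carries the signing key. The envelope is constructed here with placeholder token and signature values; the Id attributes and namespace URIs follow the deck, the function names are mine, and Python's ET.canonicalize (C14N 2.0) stands in for the exc-c14n transform on the slide, which the standard library does not ship.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"S": "http://schemas.xmlsoap.org/soap/envelope/",
      "wsse": "http://schemas.xmlsoap.org/ws/2002/04/secext",   # draft URI used in the deck
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
ET.register_namespace("S", NS["S"])

# Constructed envelope in the shape of the slide: Body is the signed Reference, KeyInfo
# points at the BinarySecurityToken; token value and SignatureValue are placeholders.
ENVELOPE = """<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/04/secext" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <S:Header><wsse:Security>
  <wsse:BinarySecurityToken ValueType="wsse:X509v3" EncodingType="wsse:Base64Binary"
   Id="X509Token">{cert}</wsse:BinarySecurityToken>
  <ds:Signature><ds:SignedInfo>
   <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
   <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
   <ds:Reference URI="#Body"><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <ds:DigestValue>{digest}</ds:DigestValue></ds:Reference>
  </ds:SignedInfo><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
  <ds:KeyInfo><wsse:SecurityTokenReference><wsse:Reference URI="#X509Token"/>
  </wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature>
 </wsse:Security></S:Header>
 <S:Body Id="Body"><Order><Qty>{qty}</Qty></Order></S:Body>
</S:Envelope>"""
CERT_B64 = base64.b64encode(b"constructed cert placeholder").decode("ascii")

def element_digest(elem) -> str:
    """Base64(SHA-1(canonical form)), the value carried in <ds:DigestValue>. ET.canonicalize
    is C14N 2.0; it stands in for the exc-c14n transform on the slide, which the stdlib lacks."""
    canon = ET.canonicalize(ET.tostring(elem, encoding="unicode"), strip_text=True)
    return base64.b64encode(hashlib.sha1(canon.encode("utf-8")).digest()).decode("ascii")

def find_by_id(root, uri: str):
    """Resolve a same-document reference such as URI="#X509Token" to the element with that Id."""
    for elem in root.iter():
        if uri.startswith("#") and elem.get("Id") == uri[1:]:
            return elem
    raise LookupError(uri)

def sign_body(qty: int) -> str:
    """Emit the envelope with the DigestValue that matches its Body."""
    body = ET.fromstring(ENVELOPE.format(cert=CERT_B64, qty=qty, digest="")).find("S:Body", NS)
    return ENVELOPE.format(cert=CERT_B64, qty=qty, digest=element_digest(body))

def verify(envelope_xml: str) -> dict:
    """Check each ds:Reference digest against the element it points to and resolve the signing
    token through KeyInfo. Checking ds:SignatureValue with the token's RSA key is the remaining step."""
    root = ET.fromstring(envelope_xml)
    sig = root.find(".//ds:Signature", NS)
    covered = {}
    for ref in sig.findall("ds:SignedInfo/ds:Reference", NS):
        stored = ref.findtext("ds:DigestValue", namespaces=NS)
        covered[ref.get("URI")] = element_digest(find_by_id(root, ref.get("URI"))) == stored
    token = find_by_id(root, sig.find("ds:KeyInfo/wsse:SecurityTokenReference/wsse:Reference", NS).get("URI"))
    return {"covered": covered, "token_type": token.get("ValueType"),
            "token_bytes": base64.b64decode(token.text.strip())}
```

The `covered` map is the part a receiver should read before trusting anything: only elements listed there with a matching digest are protected by the signature, so the Body it acts on must be one of them.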
Digital-Signing Demo
XML Encryption
<EncryptedData Id? Type? MimeType? Encoding?>
  <EncryptionMethod/>?
  <ds:KeyInfo>
    <EncryptedKey>?
    <AgreementMethod>?
    <ds:KeyName>?
    <ds:RetrievalMethod>?
    <ds:*>?
  </ds:KeyInfo>?
  <CipherData>
    <CipherValue>?
    <CipherReference URI?>?
  </CipherData>
  <EncryptionProperties>?
</EncryptedData>
Example
RSA Algorithm Demo (optional)
Primary References
1. WS-Security Specification
   http://msdn.microsoft.com/webservices/understanding/advancedwebservices/default.aspx?pull=/library/en-us/dnglobspec/html/ws-security.asp
2. WS-Security AppNotes (examples and guidance to implementers)
   http://www-106.ibm.com/developerworks/library/ws-secapp/
Secondary References
1. XML signature (Syntax and processing)
   http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/
2. XML encryption (Syntax and processing)
   http://www.w3.org/TR/xmlenc-core/
3. RSA encryption Demo (Explain how RSA works)
   http://intercom.virginia.edu/crypto/crypto.html