Web Service Security - Kasetsart University (mcs/courses/219451/slides/Lecture8.pdf)



Page 1

219451, Section 450, 2nd 2007, Web Services Technology

Web Service Security

WS-Security Framework

Provides extensions that can be used to implement message-level security measures. Using these measures, message contents can be protected during transport and during processing by service intermediaries. Additional extensions implement authentication and authorization control, protecting service providers from malicious requestors.

Page 2

Five Common Security Requirements

Identification, authentication, authorization, confidentiality, and integrity

Identification – a service requestor wishing to access a secured service provider must first provide information that expresses its origin or owner.
– This is represented by identification information stored in the SOAP header.
– WS-Security establishes a standardized header block that stores this info, at which point it is referred to as a token.

Username Token Example

<S:Envelope xmlns:S="http://www.w3.org/2001/12/soap-envelope"
    xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/12/secext">
  <S:Header>
    ...
    <wsse:Security>
      <wsse:UsernameToken>
        <wsse:Username>ablum</wsse:Username>
        <wsse:Password Type="wsse:PasswordDigest">93292348347</wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>
    ...
  </S:Header>
  ...
</S:Envelope>
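As an added example (not code from the slides), the following Python produces and checks the value carried by a wsse:Password of Type="wsse:PasswordDigest", following the OASIS UsernameToken Profile definition Base64(SHA-1(nonce + created + password)). The Nonce and Created elements, the fixed clock, the freshness window and the user store are assumptions that the slide does not show.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone
# PasswordDigest per the OASIS UsernameToken Profile: Base64(SHA-1(nonce + created + password)).
FORMAT = "%Y-%m-%dT%H:%M:%SZ"
MAX_SKEW = timedelta(minutes=5)                                   # constructed freshness window
EXAMPLE_NOW = datetime(2007, 1, 1, 12, 0, tzinfo=timezone.utc)    # constructed fixed clock

def password_digest(nonce, created, password):
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")   # nonce as raw bytes
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")

def make_token(username, password, now):   # requestor side: wsse:Username/Nonce/Created/Password
    nonce = os.urandom(16)
    created = now.strftime(FORMAT)
    return {"Username": username, "Nonce": base64.b64encode(nonce).decode("ascii"),
            "Created": created, "PasswordDigest": password_digest(nonce, created, password)}

class Verifier:   # service side; the digest scheme forces the service to hold the plaintext password
    def __init__(self, users):
        self.users = users            # username -> password (constructed store)
        self.seen_nonces = set()      # remembered nonces defeat replay of a captured token

    def verify(self, token, now):
        created = datetime.strptime(token["Created"], FORMAT).replace(tzinfo=timezone.utc)
        if abs(now - created) > MAX_SKEW:
            return False              # stale or future-dated token
        nonce = base64.b64decode(token["Nonce"])
        if nonce in self.seen_nonces:
            return False              # replayed token
        password = self.users.get(token["Username"])
        if password is None:
            return False              # unknown user
        expected = password_digest(nonce, token["Created"], password)
        if not hmac.compare_digest(expected, token["PasswordDigest"]):
            return False              # wrong password or tampered token
        self.seen_nonces.add(nonce)
        return True

def demo():
    # Returns (fresh token accepted, replay rejected, wrong password rejected, stale token rejected).
    service = Verifier({"ablum": "correct horse"})
    good = make_token("ablum", "correct horse", EXAMPLE_NOW)
    stale = make_token("ablum", "correct horse", EXAMPLE_NOW - timedelta(hours=1))
    wrong = make_token("ablum", "wrong", EXAMPLE_NOW)
    return (service.verify(good, EXAMPLE_NOW), service.verify(good, EXAMPLE_NOW),
            service.verify(wrong, EXAMPLE_NOW), service.verify(stale, EXAMPLE_NOW))
```

The nonce cache and the Created window are what turn the digest from a static, replayable credential into a one-time proof.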

Page 3

Authentication

Authentication requires that a message being delivered to a recipient prove that the message is in fact from the sender that it claims to be. In other words, the service must provide proof that its claimed identity is true.

Authorization

Once authenticated, the recipient of a message may need to determine what the requestor is allowed to do. This is called authorization.

Page 4

Security Assertions Markup Language (SAML)

Single sign-on provides the ability to use multiple Web services, or a single Web service made up of multiple services, based on a single authentication.
SAML: OASIS standard enabling an identity to be submitted a single time and transported from one enterprise to the next.
Vendor-neutral, XML-based standard framework for describing and exchanging security-related info called assertions (declarations on facts about subjects).

Security Assertions Markup Language (SAML)

Done by inserting security info into assertions in XML forms. Assertions convey info about an end user's authentication act and their authorization to access a certain resource. SAML assertions are bound to SOAP messages, to be sent to SAML-aware Web services.

Page 5

Single sign-on via SAML

The issuing authority provides this info in the form of assertions that communicate the security details. Two types of assertions that contain authentication and authorization info are called authentication assertions and authorization assertions.

SAML: Two Profiles

– A SAML artifact is carried as part of a URL query string. A SAML artifact is a pointer to an assertion.
– SAML assertions are uploaded to the browser within an HTML form and conveyed to the destination site as part of an HTTP POST payload.

Page 6

SAML Authorization Example

<Header>
  <wsse:Security xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/12/secext">
    <saml:Assertion xmlns:saml="...">
      <saml:Conditions NotBefore="2004-07" NotOnOrAfter="2004-08"/>
      <saml:AuthorizationDecisionStatement Decision="Permit"
          Resource="http://www.xmltc.com/tls/...">
        <saml:Actions>
          <saml:Action>Execute</saml:Action>
        </saml:Actions>
      </saml:AuthorizationDecisionStatement>
    </saml:Assertion>
  </wsse:Security>
</Header>
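An added example, not from the slides, of the check a SAML-aware service should make before honouring such an assertion: the Conditions window, the Decision, the Resource and the Action are all evaluated, and anything not explicitly permitted is refused. The SAML 1.x namespace, the full xsd:dateTime values and the resource path are assumptions filled in where the slide uses placeholders; verifying the signature over the assertion is a separate step not shown here.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"                # assumed SAML 1.x namespace
WSSE = "http://schemas.xmlsoap.org/ws/2002/12/secext"
RESOURCE = "http://www.xmltc.com/tls/order"                    # constructed; the slide shows ".../tls/..."

# Constructed assertion modelled on the slide, with full xsd:dateTime values in Conditions.
ASSERTION = f"""<wsse:Security xmlns:wsse="{WSSE}" xmlns:saml="{SAML}">
  <saml:Assertion>
    <saml:Conditions NotBefore="2004-07-01T00:00:00Z" NotOnOrAfter="2004-08-01T00:00:00Z"/>
    <saml:AuthorizationDecisionStatement Decision="Permit" Resource="{RESOURCE}">
      <saml:Actions><saml:Action>Execute</saml:Action></saml:Actions>
    </saml:AuthorizationDecisionStatement>
  </saml:Assertion>
</wsse:Security>"""

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

EXAMPLE_NOW = parse_ts("2004-07-15T12:00:00Z")                  # constructed clock inside the window

def is_permitted(security_xml, resource, action, now):
    # Grant only on an explicit, in-window Permit for exactly this resource and action.
    # The XML-Signature over the assertion must have been verified before trusting any of it.
    root = ET.fromstring(security_xml)
    for assertion in root.iter(f"{{{SAML}}}Assertion"):
        cond = assertion.find(f"{{{SAML}}}Conditions")
        if cond is None:
            continue                        # no validity window: do not trust it
        if not (parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter"))):
            continue                        # expired or not yet valid (NotOnOrAfter is exclusive)
        for stmt in assertion.findall(f"{{{SAML}}}AuthorizationDecisionStatement"):
            if stmt.get("Decision") != "Permit" or stmt.get("Resource") != resource:
                continue
            if action in {a.text for a in stmt.iter(f"{{{SAML}}}Action")}:
                return True
    return False
```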

Confidentiality

Is concerned with protecting the privacy of the message contents

Page 7

Integrity

Ensures that a message has not been altered since its departure from the original sender. This guarantees that the state of the message contents remained intact from the time of transmission to the point of delivery.

Transport-level security and message-level security

Secure Socket Layer (SSL) provides transport-level security, where requests and responses are transmitted upon a secured HTTP channel. However, within a Web service-based communications framework, it can only protect a message during the transmission between service endpoints. If, for instance, a service intermediary takes possession of a message, it still may have the ability to alter the contents. To ensure that a message is fully protected along its entire message path, message-level security is required.

Page 8

Transport-level security and message-level security

[Figure: Transport-level security vs. message-level security]

Encryption and digital signature

XML-Encryption provides features with which encryption can be applied to an entire message or only to specific parts of the message (such as the password). XML-Signature provides features that allow for an XML document to be accompanied by a special algorithm-driven piece of info that represents a digital signature. This signature is tied to the content of the document so that verification of the signature by the receiving service will only succeed if the content has remained unaltered since it first was sent.

Page 9

Encryption and digital signature

As illustrated, XML-Encryption can be applied to parts of a SOAP header, as well as the contents of the SOAP body. When signing a document, the XML-Signature can reside in the SOAP header.

... a Digital Signature

<ds:Signature>
  <ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
    <ds:Reference URI="#MsgBody">
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <ds:DigestValue>LyLsF0Pi4wPU...</ds:DigestValue>
    </ds:Reference>
  </ds:SignedInfo>
  <ds:SignatureValue>DJbchm5gK...</ds:SignatureValue>
  <ds:KeyInfo>
    <wsse:SecurityTokenReference>
      <wsse:Reference URI="#MyID"/>
    </wsse:SecurityTokenReference>
  </ds:KeyInfo>
</ds:Signature>
</wsse:Security>
</S:Header>

Page 10

Integrity

Signatures

– Determine whether a message was altered in transit
– Verify that message was sent by possessor of particular security token

Page 11

XML Signature elements

Element
– CanonicalizationMethod
– DigestMethod
– DigestValue
– KeyInfo
– Signature
– SignatureMethod
– SignatureValue
– SignedInfo
– Reference

CanonicalizationMethod

Identifies the type of "canonicalization algorithm" used to detect and represent subtle variances in the document content (e.g., location of white space). An example of an XML canonicalization element is:

<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>

Page 12

Other elements

DigestMethod: identifies the algorithm used to create the signature, e.g., sha-1
DigestValue:
– contains a value that represents the document being signed
– generated by applying the DigestMethod algorithm to the XML document
KeyInfo:
– Contains the public key info of the message sender
– Can be embedded, referenced or left out entirely
Signature: root element, housing all info for the digital signature

Other elements

SignatureMethod:
– Algorithm used to create digital signature
– Required: Secure Hash Algorithm-1 with Digital Signature Algorithm
SignatureValue: actual value of the digital signature
SignedInfo: provides info about the process that leads to the XML signature and the data objects that are signed
Reference: a construct that hosts digest and optional transformation details

Page 13

XML Signature

<Signature ID?>
  <SignedInfo>
    <CanonicalizationMethod/>
    <SignatureMethod/>
    (<Reference URI?>
      (<Transforms>)?
      <DigestMethod>
      <DigestValue>
    </Reference>)+
  </SignedInfo>
  <SignatureValue>
  (<KeyInfo>)?
  (<Object ID?>)*
</Signature>

Note: "?" denotes zero or one occurrence; "+" denotes one or more occurrences; and "*" denotes zero or more occurrences.

Signature Example

<Signature Id="MyFirstSignature" xmlns="http://www.w3.org/2000/09/xmldsig#">
  <SignedInfo>
    <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
    <Reference URI="http://www.w3.org/TR/2000/REC-xhtml1-20000126/">
      <Transforms>
        <Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
      </Transforms>
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <DigestValue>j6lwx3rvEPO0vKtMup4NbeVu8nk=</DigestValue>
    </Reference>
  </SignedInfo>
  <SignatureValue>MC0CFFrVLtRlk=...</SignatureValue>
  <KeyInfo>
    <KeyValue>
      <DSAKeyValue>
        <P>...</P><Q>...</Q><G>...</G><Y>...</Y>
      </DSAKeyValue>
    </KeyValue>
  </KeyInfo>
</Signature>
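The following is an added example, not code from the slides or from the W3C specification, that walks through the two halves of XML-Signature verification for the hmac-sha1 fragment shown on page 9: reference validation (digest the canonicalized element named by Reference URI and compare with DigestValue) and signature validation (MAC the canonicalized SignedInfo and compare with SignatureValue), and shows a tampered body failing. Python's standard library offers HMAC but no DSA, so hmac-sha1 is used instead of this slide's dsa-sha1, and its canonicalize() implements C14N 2.0 rather than the exclusive C14N 1.0 named in the fragment; the key, body and Id values are constructed.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"      # as named in the fragment; see c14n() below
HMAC_SHA1 = "http://www.w3.org/2000/09/xmldsig#hmac-sha1"
SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1"

def c14n(xml_text):
    # Canonical form, so that whitespace/attribute-order variances do not change the hash.
    # The stdlib implements C14N 2.0, used here in place of exclusive C14N 1.0.
    return ET.canonicalize(xml_text, strip_text=True).encode("utf-8")

def digest_value(element_xml):
    return base64.b64encode(hashlib.sha1(c14n(element_xml)).digest()).decode("ascii")

def build_signed_info(uri, dv):
    return (f'<ds:SignedInfo xmlns:ds="{DS}">'
            f'<ds:CanonicalizationMethod Algorithm="{C14N}"/>'
            f'<ds:SignatureMethod Algorithm="{HMAC_SHA1}"/>'
            f'<ds:Reference URI="{uri}"><ds:DigestMethod Algorithm="{SHA1}"/>'
            f'<ds:DigestValue>{dv}</ds:DigestValue></ds:Reference></ds:SignedInfo>')

def sign(body_xml, key):
    # Returns (SignedInfo XML, SignatureValue): digest the body, then MAC the canonical SignedInfo.
    signed_info = build_signed_info("#MsgBody", digest_value(body_xml))
    mac = hmac.new(key, c14n(signed_info), hashlib.sha1).digest()
    return signed_info, base64.b64encode(mac).decode("ascii")

def verify(body_xml, signed_info, signature_value, key):
    # Reference validation: the referenced element must still hash to the stored DigestValue.
    dv = ET.fromstring(signed_info).find(f"{{{DS}}}Reference/{{{DS}}}DigestValue")
    if dv is None or dv.text is None or not hmac.compare_digest(dv.text, digest_value(body_xml)):
        return False
    # Signature validation: the MAC over canonical SignedInfo must match SignatureValue.
    mac = hmac.new(key, c14n(signed_info), hashlib.sha1).digest()
    return hmac.compare_digest(base64.b64encode(mac).decode("ascii"), signature_value)

KEY = b"shared-secret-behind-#MyID"   # constructed; stands in for the token the KeyInfo references
BODY = '<S:Body xmlns:S="http://www.w3.org/2001/12/soap-envelope" Id="MsgBody"><amount>100</amount></S:Body>'
TAMPERED = BODY.replace("100", "1000")                 # an intermediary changed the payload

if __name__ == "__main__":
    si, sv = sign(BODY, KEY)
    print(verify(BODY, si, sv, KEY), verify(TAMPERED, si, sv, KEY))   # True False
```

Because the MAC covers SignedInfo rather than the body directly, the DigestValue inside SignedInfo is what binds the signature to the body, which is why both halves of the check are needed.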

Page 14

Confidentiality

Encryption Components

xenc:ReferenceList
– Manifest of encrypted elements in message
xenc:EncryptedData
– Contains encrypted elements

Page 15

Encryption Example (Shared Secret)

<S:Envelope xmlns:S="http://www.w3.org/2001/12/soap-envelope"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/04/secext"
    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
  <S:Header>
    <wsse:Security>
      <xenc:ReferenceList>
        <xenc:DataReference URI="#bodyID"/>
      </xenc:ReferenceList>
    </wsse:Security>
  </S:Header>
  <S:Body>
    <xenc:EncryptedData Id="bodyID">
      <ds:KeyInfo>
        <ds:KeyName>CN=Hiroshi Maruyama, C=JP</ds:KeyName>
      </ds:KeyInfo>
      <xenc:CipherData>
        <xenc:CipherValue>R5J7UUI78</xenc:CipherValue>
      </xenc:CipherData>
    </xenc:EncryptedData>
  </S:Body>
</S:Envelope>

Encrypting Keys

– Encrypt elements with key
– Encrypt key with recipient's key
– Embed in header
– E.g. encrypting with a randomly generated symmetric key that is encrypted with the recipient's public key

Page 16

Encrypting with Encrypted Key

<S:Header>
  <wsse:Security>
    <xenc:EncryptedKey>
      <xenc:EncryptionMethod Algorithm="..."/>
      <ds:KeyInfo>
        <ds:KeyName>CN=Hiroshi Maruyama, C=JP</ds:KeyName>
      </ds:KeyInfo>
      <xenc:CipherData>
        <xenc:CipherValue>...</xenc:CipherValue>
      </xenc:CipherData>
      <xenc:ReferenceList>
        <xenc:DataReference URI="#bodyID"/>
      </xenc:ReferenceList>
    </xenc:EncryptedKey>
  </wsse:Security>
</S:Header>
<S:Body>
  <xenc:EncryptedData Id="bodyID">
    <ds:KeyInfo>
      <ds:KeyName>CN=Hiroshi Maruyama, C=JP</ds:KeyName>
    </ds:KeyInfo>
    <xenc:CipherData>
      <xenc:CipherValue>...</xenc:CipherValue>
    </xenc:CipherData>
  </xenc:EncryptedData>
</S:Body>
</S:Envelope>

WS-Security Specs

WS-Security
– http://www-128.ibm.com/developerworks/webservices/library/ws-secure/
XML Signature
– http://www.w3.org/TR/xmldsig-core/