Web Service Security - Kasetsart University (mcs/courses/219451/slides/Lecture8.pdf)
219451, Section 450, 2nd 2007, Web Services Technology
Web Service Security
WS-Security Framework
Provides extensions that can be used to implement message-level security measures. Using these measures, message contents can be protected during transport and during processing by service intermediaries. Additional extensions implement authentication and authorization control, protecting service providers from malicious requestors.
Five Common Security Requirements
Identification, authentication, authorization, confidentiality, and integrity.
Identification – a service requestor wishing to access a secured service provider must first provide information that expresses its origin or owner.
– This is represented by identification information stored in the SOAP header.
– WS-Security establishes a standardized header block that stores this info, at which point it is referred to as a token.
Username Token Example
  <S:Envelope xmlns:S="http://www.w3.org/2001/12/soap-envelope"
              xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/12/secext">
    <S:Header>
      ...
      <wsse:Security>
        <wsse:UsernameToken>
          <wsse:Username>ablum</wsse:Username>
          <wsse:Password Type="wsse:PasswordDigest">93292348347</wsse:Password>
        </wsse:UsernameToken>
      </wsse:Security>
      ...
    </S:Header>
    ...
  </S:Envelope>
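The slide's token carries a PasswordDigest but does not show how that digest is formed or checked. As an added example (not from the slides), the client-side digest per the WS-Security UsernameToken Profile, Base64(SHA-1(nonce + created + password)), and a server-side verifier that recomputes it from a hypothetical credential store, bounds the Created timestamp and refuses a reused nonce; the Nonce and Created elements are assumed from that profile, and all sample values are constructed.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
WSSE = "http://schemas.xmlsoap.org/ws/2002/12/secext"  # namespace used on the slide

def password_digest(nonce_b64, created, password):
    # PasswordDigest = Base64(SHA-1(nonce + created + password)); nonce as its decoded bytes
    raw = base64.b64decode(nonce_b64) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()

def build_token(username, password, nonce_b64, created):
    # Client side: the slide's UsernameToken plus the Nonce/Created that the digest covers
    return (f'<wsse:Security xmlns:wsse="{WSSE}"><wsse:UsernameToken>'
            f'<wsse:Username>{username}</wsse:Username><wsse:Password Type="wsse:PasswordDigest">'
            f'{password_digest(nonce_b64, created, password)}</wsse:Password><wsse:Nonce>{nonce_b64}'
            f'</wsse:Nonce><wsse:Created>{created}</wsse:Created></wsse:UsernameToken></wsse:Security>')

class UsernameTokenVerifier:
    # Server side: recompute the digest from the stored password (credentials is a hypothetical
    # username -> password store), bound the Created timestamp, and accept each nonce only once.
    def __init__(self, credentials, now, max_skew=timedelta(minutes=5)):
        self.credentials, self.now, self.max_skew = credentials, now, max_skew
        self.seen_nonces = set()  # replay cache
    def verify(self, security_xml):
        root = ET.fromstring(security_xml)
        fields = [root.findtext(f".//{{{WSSE}}}{t}") for t in ("Username", "Password", "Nonce", "Created")]
        if None in fields:
            return False
        username, digest, nonce, created = fields
        created_dt = datetime.strptime(created, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if abs(self.now - created_dt) > self.max_skew or nonce in self.seen_nonces:
            return False  # stale timestamp or replayed nonce
        password = self.credentials.get(username, "")
        if not hmac.compare_digest(password_digest(nonce, created, password), digest):
            return False
        self.seen_nonces.add(nonce)
        return True

def demo():
    # Constructed walk-through: fresh token, replay of it, wrong stored password, stale token
    now, nonce = datetime(2007, 9, 1, 12, tzinfo=timezone.utc), base64.b64encode(b"0123456789abcdef").decode()
    token = build_token("ablum", "s3cret", nonce, "2007-09-01T12:00:00Z")
    stale = build_token("ablum", "s3cret", nonce, "2007-09-01T11:00:00Z")
    verifier = UsernameTokenVerifier({"ablum": "s3cret"}, now)
    return (verifier.verify(token), verifier.verify(token),
            UsernameTokenVerifier({"ablum": "wrong"}, now).verify(token),
            UsernameTokenVerifier({"ablum": "s3cret"}, now).verify(stale))
```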
Authentication
Authentication requires that a message being delivered to a recipient prove that the message is in fact from the sender that it claims to be. In other words, the service must provide proof that its claimed identity is true.
Authorization
Once authenticated, the recipient of a message may need to determine what the requestor is allowed to do. This is called authorization.
Security Assertions Markup Language (SAML)
Single sign-on provides the ability to use multiple Web services, or a single Web service made up of multiple services, based on a single authentication.
SAML: OASIS standard enabling an identity to be submitted a single time and transported from one enterprise to the next.
Vendor-neutral, XML-based standard framework for describing and exchanging security-related info called assertions (declarations on facts about subjects).
Security Assertions Markup Language (SAML)
Done by inserting security info into assertions in XML form. Assertions convey info about an end user's authentication act and their authorization to access a certain resource. SAML assertions are bound to SOAP messages, to be sent to SAML-aware Web services.
Single sign-on via SAML
The issuing authority provides this info in the form of assertions that communicate the security details. Two types of assertions that contain authentication and authorization info are called authentication assertions and authorization assertions.
SAML: Two Profiles
– A SAML artifact is carried as part of a URL query string. A SAML artifact is a pointer to an assertion.
– SAML assertions are uploaded to the browser within an HTML form and conveyed to the destination site as part of an HTTP POST payload.
SAML Authorization Example
  <Header>
    <wsse:Security xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/12/secext">
      <saml:Assertion xmlns:saml="...">
        <saml:Conditions NotBefore="2004-07" NotOnOrAfter="2004-08"/>
        <saml:AuthorizationDecisionStatement
            Decision="Permit"
            Resource="http://www.xmltc.com/tls/...">
          <saml:Actions>
            <saml:Action>Execute</saml:Action>
          </saml:Actions>
        </saml:AuthorizationDecisionStatement>
      </saml:Assertion>
    </wsse:Security>
  </Header>
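An added example (not from the slides) of what the SAML-aware service does with an assertion like the one above: enforce the Conditions window and honour only a Permit decision for the requested resource and action, denying everything else. The namespace URI (elided on the slide) is assumed to be the SAML 1.0 assertion namespace, and the dates and resource URI are constructed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"  # assumed; the slide elides the namespace URI

def _utc(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def is_permitted(assertion_xml, resource, action, now):
    # Relying-party check: the assertion must be inside its Conditions window and carry a
    # Decision="Permit" statement for exactly this resource that lists the requested action.
    # Anything else, including a missing statement, is treated as deny.
    root = ET.fromstring(assertion_xml)
    cond = root.find(f"{{{SAML}}}Conditions")
    if cond is not None:
        not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now < _utc(not_before):
            return False
        if not_on_or_after and now >= _utc(not_on_or_after):
            return False
    for stmt in root.findall(f"{{{SAML}}}AuthorizationDecisionStatement"):
        if stmt.get("Decision") != "Permit" or stmt.get("Resource") != resource:
            continue
        if action in [a.text for a in stmt.iter(f"{{{SAML}}}Action")]:
            return True
    return False

# Constructed assertion in the shape of the slide's example (full xs:dateTime values,
# constructed resource URI)
SAMPLE = f"""<saml:Assertion xmlns:saml="{SAML}">
  <saml:Conditions NotBefore="2004-07-01T00:00:00Z" NotOnOrAfter="2004-08-01T00:00:00Z"/>
  <saml:AuthorizationDecisionStatement Decision="Permit"
      Resource="https://example.com/tls/orders">
    <saml:Actions><saml:Action>Execute</saml:Action></saml:Actions>
  </saml:AuthorizationDecisionStatement>
</saml:Assertion>"""

def demo():
    july = datetime(2004, 7, 15, tzinfo=timezone.utc)
    sept = datetime(2004, 9, 1, tzinfo=timezone.utc)
    res = "https://example.com/tls/orders"
    return (is_permitted(SAMPLE, res, "Execute", july),         # granted
            is_permitted(SAMPLE, res, "Delete", july),          # action not granted
            is_permitted(SAMPLE, res + "/x", "Execute", july),  # different resource
            is_permitted(SAMPLE, res, "Execute", sept))         # outside the Conditions window
```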
Confidentiality
Is concerned with protecting the privacy of the message contents.
Integrity
Ensures that a message has not been altered since its departure from the original sender. This guarantees that the state of the message contents remained intact from the time of transmission to the point of delivery.
Transport-level security and message-level security
Secure Socket Layer (SSL) provides transport-level security, where requests and responses are transmitted upon a secured HTTP channel. However, within a Web service-based communications framework, it can only protect a message during the transmission between service endpoints. If, for instance, a service intermediary takes possession of a message, it still may have the ability to alter the contents. To ensure that a message is fully protected along its entire message path, message-level security is required.
Transport-level security and message-level security
[Figure: transport-level security vs. message-level security along the message path]
Encryption and digital signature
XML-Encryption provides features with which encryption can be applied to an entire message or only to specific parts of the message (such as the password).
XML-Signature provides features that allow for an XML document to be accompanied by a special algorithm-driven piece of info that represents a digital signature. This signature is tied to the content of the document so that verification of the signature by the receiving service will only succeed if the content has remained unaltered since it first was sent.
Encryption and digital signature
As illustrated, XML-Encryption can be applied to parts of a SOAP header, as well as the contents of the SOAP body. When signing a document, the XML-Signature can reside in the SOAP header.
...a Digital Signature
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
      <ds:Reference URI="#MsgBody">
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>LyLsF0Pi4wPU...</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>DJbchm5gK...</ds:SignatureValue>
    <ds:KeyInfo>
      <wsse:SecurityTokenReference>
        <wsse:Reference URI="#MyID"/>
      </wsse:SecurityTokenReference>
    </ds:KeyInfo>
  </ds:Signature>
  </wsse:Security>
  </S:Header>
Integrity
Signatures
– Determine whether a message was altered in transit.
– Verify that the message was sent by the possessor of a particular security token.
XML Signature elements
Element:
– CanonicalizationMethod
– DigestMethod
– DigestValue
– KeyInfo
– Signature
– SignatureMethod
– SignatureValue
– SignedInfo
– Reference
CanonicalizationMethod
Identifies the type of "canonicalization algorithm" used to detect and represent subtle variances in the document content (e.g., location of white space). An example of an XML canonicalization element is:
  <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
Other elements
DigestMethod: identifies the digest algorithm used in creating the signature, e.g., SHA-1.
DigestValue:
– contains a value that represents the document being signed
– generated by applying the DigestMethod algorithm to the XML document
KeyInfo:
– contains the public key info of the message sender
– can be embedded, referenced or left out entirely
Signature: root element, housing all info for the digital signature.
Other elements
SignatureMethod:
– algorithm used to create the digital signature
– required: Secure Hash Algorithm-1 with the Digital Signature Algorithm (dsa-sha1)
SignatureValue: actual value of the digital signature.
SignedInfo: provides info about the process that leads to the XML signature and the data objects that are signed.
Reference: a construct that hosts digest and optional transformation details.
XML Signature
  <Signature ID?>
    <SignedInfo>
      <CanonicalizationMethod/>
      <SignatureMethod/>
      (<Reference URI?>
        (<Transforms>)?
        <DigestMethod>
        <DigestValue>
      </Reference>)+
    </SignedInfo>
    <SignatureValue>
    (<KeyInfo>)?
    (<Object ID?>)*
  </Signature>
Note: "?" denotes zero or one occurrence; "+" denotes one or more occurrences; and "*" denotes zero or more occurrences.
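An added example (not from the slides) tying the elements described above to the HMAC-SHA1 ds:Signature shown earlier: the sender digests the referenced body into the DigestValue inside SignedInfo and signs SignedInfo; the receiver checks the SignatureValue first and then re-digests the body against the DigestValue taken from the signed SignedInfo, so either alteration makes verification fail. Canonicalization is assumed to have been applied to the bytes already (it needs an XML library), and the body and shared key are constructed.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
DSIG = "http://www.w3.org/2000/09/xmldsig#"

def digest_value(content):
    # DigestValue = Base64(SHA-1(referenced content)); canonicalization (CanonicalizationMethod,
    # Transforms) is assumed to have been applied already, so the bytes are hashed as given
    return base64.b64encode(hashlib.sha1(content).digest()).decode()

def signed_info(reference_uri, digest_b64):
    # The SignedInfo element from the slide; the signature covers these bytes, not the body
    return (f'<ds:SignedInfo xmlns:ds="{DSIG}">'
            f'<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>'
            f'<ds:SignatureMethod Algorithm="{DSIG}hmac-sha1"/>'
            f'<ds:Reference URI="{reference_uri}"><ds:DigestMethod Algorithm="{DSIG}sha1"/>'
            f'<ds:DigestValue>{digest_b64}</ds:DigestValue></ds:Reference></ds:SignedInfo>').encode()

def hmac_sha1_b64(key, data):
    return base64.b64encode(hmac.new(key, data, hashlib.sha1).digest()).decode()

def sign(body, key, reference_uri="#MsgBody"):
    # Sender: digest the body, place the digest in SignedInfo, then HMAC SignedInfo with the
    # shared key (the key that ds:KeyInfo/SecurityTokenReference points at)
    si = signed_info(reference_uri, digest_value(body))
    return {"SignedInfo": si, "SignatureValue": hmac_sha1_b64(key, si)}

def verify(body, sig, key):
    # Receiver: both checks must pass. (1) SignatureValue is a valid HMAC over SignedInfo,
    # which ties the signature to the key holder; (2) the referenced body still hashes to the
    # DigestValue read out of the HMAC-protected SignedInfo, which ties SignedInfo to the content
    if not hmac.compare_digest(hmac_sha1_b64(key, sig["SignedInfo"]), sig["SignatureValue"]):
        return False
    claimed = ET.fromstring(sig["SignedInfo"]).findtext(f".//{{{DSIG}}}DigestValue") or ""
    return hmac.compare_digest(digest_value(body), claimed)

def demo():
    # Constructed body and shared key
    key = b"constructed-shared-secret"
    body = b'<S:Body Id="MsgBody"><transfer><amount>100</amount></transfer></S:Body>'
    sig = sign(body, key)
    tampered_si = dict(sig, SignedInfo=sig["SignedInfo"].replace(b"MsgBody", b"Other"))
    return (verify(body, sig, key),                          # untouched: True
            verify(body.replace(b"100", b"999"), sig, key),  # body altered: digest check fails
            verify(body, tampered_si, key),                  # SignedInfo altered: HMAC check fails
            verify(body, sig, b"other-key"))                 # wrong key: HMAC check fails
```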
Signature Example
  <Signature Id="MyFirstSignature" xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
      <Reference URI="http://www.w3.org/TR/2000/REC-xhtml1-20000126/">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <DigestValue>j6lwx3rvEPO0vKtMup4NbeVu8nk=</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>MC0CFFrVLtRlk=...</SignatureValue>
    <KeyInfo>
      <KeyValue>
        <DSAKeyValue>
          <P>...</P><Q>...</Q><G>...</G><Y>...</Y>
        </DSAKeyValue>
      </KeyValue>
    </KeyInfo>
  </Signature>
ConfidentialityConfidentiality
Encryption Components
xenc:ReferenceList
– manifest of encrypted elements in the message
xenc:EncryptedData
– contains the encrypted elements
Encryption Example (Shared Secret)
  <S:Envelope xmlns:S="http://www.w3.org/2001/12/soap-envelope"
              xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
              xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/04/secext"
              xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
    <S:Header>
      <wsse:Security>
        <xenc:ReferenceList>
          <xenc:DataReference URI="#bodyID"/>
        </xenc:ReferenceList>
      </wsse:Security>
    </S:Header>
    <S:Body>
      <xenc:EncryptedData Id="bodyID">
        <ds:KeyInfo>
          <ds:KeyName>CN=Hiroshi Maruyama, C=JP</ds:KeyName>
        </ds:KeyInfo>
        <xenc:CipherData>
          <xenc:CipherValue>R5J7UUI78</xenc:CipherValue>
        </xenc:CipherData>
      </xenc:EncryptedData>
    </S:Body>
  </S:Envelope>
Encrypting Keys
– Encrypt elements with a key.
– Encrypt that key with the recipient's key.
– Embed it in the header.
E.g., encrypting with a randomly generated symmetric key that is encrypted with the recipient's public key.
Encrypting with Encrypted Key
  <S:Header>
    <wsse:Security>
      <xenc:EncryptedKey>
        <xenc:EncryptionMethod Algorithm="..."/>
        <ds:KeyInfo>
          <ds:KeyName>CN=Hiroshi Maruyama, C=JP</ds:KeyName>
        </ds:KeyInfo>
        <xenc:CipherData>
          <xenc:CipherValue>...</xenc:CipherValue>
        </xenc:CipherData>
        <xenc:ReferenceList>
          <xenc:DataReference URI="#bodyID"/>
        </xenc:ReferenceList>
      </xenc:EncryptedKey>
    </wsse:Security>
  </S:Header>
  <S:Body>
    <xenc:EncryptedData Id="bodyID">
      <ds:KeyInfo>
        <ds:KeyName>CN=Hiroshi Maruyama, C=JP</ds:KeyName>
      </ds:KeyInfo>
      <xenc:CipherData>
        <xenc:CipherValue>...</xenc:CipherValue>
      </xenc:CipherData>
    </xenc:EncryptedData>
  </S:Body>
  </S:Envelope>
WS-Security Specs
WS-Security
– http://www-128.ibm.com/developerworks/webservices/library/ws-secure/
XML Signature
– http://www.w3.org/TR/xmldsig-core/