
Web Services Security



  1. INFOSYS 290, Section 3 Web Services: Concepts, Design and Implementation
     Web Services Security
     Adam Blum ablum@good.com

  2. Agenda • Security Issues with Web Services • WS-Security • XML Signature • XML Encryption • Tool Support

  3. Security Issues Addressed by WS-Security • Identity • Authentication • Authorization • Integrity • Confidentiality

  4. Terms • Proof-of-possession – data to demonstrate knowledge by sender that should only be known by claimed sender • Integrity – process to guarantee no modification in transit • Confidentiality - process by which data is protected such that only authorized actors can view data • Digest - cryptographic checksum of content • Signature - binding of proof of possession and digest

  5. Message with Token
     <?xml version="1.0" encoding="utf-8"?>
     <S:Envelope xmlns:S="http://www.w3.org/2001/12/soap-envelope"
                 xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
       <S:Header>
         <wsse:Security xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/04/secext">
           <wsse:UsernameToken Id="MyID">
             <wsse:Username>Zoe</wsse:Username>
           </wsse:UsernameToken>

  6. …a Digital Signature
           <ds:Signature>
             <ds:SignedInfo>
               <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
               <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
               <ds:Reference URI="#MsgBody">
                 <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                 <ds:DigestValue>LyLsF0Pi4wPU...</ds:DigestValue>
               </ds:Reference>
             </ds:SignedInfo>
             <ds:SignatureValue>DJbchm5gK...</ds:SignatureValue>
             <ds:KeyInfo>
               <wsse:SecurityTokenReference>
                 <wsse:Reference URI="#MyID"/>
               </wsse:SecurityTokenReference>
             </ds:KeyInfo>
           </ds:Signature>
         </wsse:Security>
       </S:Header>

  7. …and a Body
       <S:Body Id="MsgBody">
         <tru:StockSymbol xmlns:tru="http://fabrikam123.com/payloads">QQQ</tru:StockSymbol>
       </S:Body>
     </S:Envelope>

  8. Identity

  9. Message Security Model • Security tokens - assert claims • Signatures • Provide mechanism for proving sender’s knowledge of key • Associate signature with claims in the security token • Endorsed Claims • Represented as security tokens signed by a trusted authority • X.509 certificate claims a binding between one’s identity and a public key • Unendorsed claims • Can be trusted if there is trust relationship between sender and receiver • Proof of possession claim – e.g. username/password

  10. Username Token Example
     <S:Envelope xmlns:S="http://www.w3.org/2001/12/soap-envelope"
                 xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/04/secext">
       <S:Header>
         ...
         <wsse:Security>
           <wsse:UsernameToken>
             <wsse:Username>ablum</wsse:Username>
             <wsse:Password>lauren</wsse:Password>
           </wsse:UsernameToken>
         </wsse:Security>
         ...
       </S:Header>
       ...
     </S:Envelope>

  11. Security Tokens
     • Binary Security Tokens
       <wsse:BinarySecurityToken xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/04/secext"
                                 Id="myToken"
                                 ValueType="wsse:Kerberosv5ST"
                                 EncodingType="wsse:Base64Binary">
         MIIEZzCCA9CgAwIBAgIQEmtJZc0...
       </wsse:BinarySecurityToken>
       - or X509 (note that there is thus no guarantee of interoperability)
     • Security Token References
       <SecurityTokenReference Id="...">
         <Reference URI="..."/>
       </SecurityTokenReference>

  12. Integrity

  13. Signatures • Determine whether a message was altered in transit • Verify that message was sent by possessor of particular security token

  14. XML Signature
     <Signature ID?>
       <SignedInfo>
         <CanonicalizationMethod/>
         <SignatureMethod/>
         (<Reference URI?>
           (<Transforms>)?
           <DigestMethod>
           <DigestValue>
         </Reference>)+
       </SignedInfo>
       <SignatureValue>
       (<KeyInfo>)?
       (<Object ID?>)*
     </Signature>

  15. CanonicalizationMethod
     A way to guarantee that two equivalent pieces of XML are serialized to identical bytes, so that signer and verifier digest the same input. Algorithms used for this:
     • Identifier for REQUIRED Canonical XML (omits comments):
       http://www.w3.org/TR/2001/REC-xml-c14n-20010315
     • Identifier for Canonical XML with Comments:
       http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments
     An example of an XML canonicalization element is:
     <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>

  16. SignatureMethod • Algorithm used to create digital signature • Required • Secure Hash Algorithm-1 with Digital Signature Algorithm

  17. Reference Element • Digest algorithm • Digest value • Optional identifier of object being signed • Optional transforms applied prior to digesting • With SOAP • Signed parts of SOAP message • Base64-encoded • SHA1 algorithm

  18. Elements Outside SignedInfo • SignatureValue • Base64 encoded bytes making up digital signature • KeyInfo • Indicates what key should be used to validate signature • Can be embedded, referenced or left out entirely

  19. Signature Example
     <Signature Id="MyFirstSignature" xmlns="http://www.w3.org/2000/09/xmldsig#">
       <SignedInfo>
         <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
         <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
         <Reference URI="http://www.w3.org/TR/2000/REC-xhtml1-20000126/">
           <Transforms>
             <Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
           </Transforms>
           <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
           <DigestValue>j6lwx3rvEPO0vKtMup4NbeVu8nk=</DigestValue>
         </Reference>
       </SignedInfo>
       <SignatureValue>MC0CFFrVLtRlk=...</SignatureValue>
       <KeyInfo>
         <KeyValue>
           <DSAKeyValue>
             <P>...</P><Q>...</Q><G>...</G><Y>...</Y>
           </DSAKeyValue>
         </KeyValue>
       </KeyInfo>
     </Signature>
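As an added example (not from the slides), the following Python builds the message of slides 5-7 and verifies it the way slides 14-18 describe: the referenced Body is canonicalized and digested, then an HMAC-SHA1 is computed over SignedInfo. It assumes the standard library's C14N 2.0 as a stand-in for the slides' Exclusive C14N, and a constructed shared secret standing in for the key the UsernameToken reference points at.

```python
import base64, hashlib, hmac
import xml.etree.ElementTree as ET

# Namespaces taken from the deck's message (slides 5-7).
NS = {"S": "http://www.w3.org/2001/12/soap-envelope", "ds": "http://www.w3.org/2000/09/xmldsig#",
      "wsse": "http://schemas.xmlsoap.org/ws/2002/04/secext", "tru": "http://fabrikam123.com/payloads"}
for p, u in NS.items(): ET.register_namespace(p, u)
KEY = b"constructed-shared-secret"  # constructed stand-in for the secret behind the UsernameToken

def q(prefix, name): return f"{{{NS[prefix]}}}{name}"
def b64(raw): return base64.b64encode(raw).decode()

def c14n(elem):
    # The slides name Exclusive C14N; the stdlib only ships C14N 2.0, used here as a stand-in.
    return ET.canonicalize(ET.tostring(elem), strip_text=True, rewrite_prefixes=True).encode()

def build_signed_envelope(username, key, symbol):
    """Envelope shaped like slides 5-7: UsernameToken, HMAC-SHA1 Signature, Body with a symbol."""
    env = ET.Element(q("S", "Envelope"))
    sec = ET.SubElement(ET.SubElement(env, q("S", "Header")), q("wsse", "Security"))
    tok = ET.SubElement(sec, q("wsse", "UsernameToken"), Id="MyID")
    ET.SubElement(tok, q("wsse", "Username")).text = username
    body = ET.SubElement(env, q("S", "Body"), Id="MsgBody")
    ET.SubElement(body, q("tru", "StockSymbol")).text = symbol
    sig = ET.SubElement(sec, q("ds", "Signature"))
    info = ET.SubElement(sig, q("ds", "SignedInfo"))
    ET.SubElement(info, q("ds", "CanonicalizationMethod"), Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#")
    ET.SubElement(info, q("ds", "SignatureMethod"), Algorithm=NS["ds"] + "hmac-sha1")
    ref = ET.SubElement(info, q("ds", "Reference"), URI="#MsgBody")
    ET.SubElement(ref, q("ds", "DigestMethod"), Algorithm=NS["ds"] + "sha1")
    ET.SubElement(ref, q("ds", "DigestValue")).text = b64(hashlib.sha1(c14n(body)).digest())
    # The HMAC covers SignedInfo, which carries the Body's digest (slides 14-18).
    ET.SubElement(sig, q("ds", "SignatureValue")).text = b64(hmac.new(key, c14n(info), hashlib.sha1).digest())
    st = ET.SubElement(ET.SubElement(sig, q("ds", "KeyInfo")), q("wsse", "SecurityTokenReference"))
    ET.SubElement(st, q("wsse", "Reference"), URI="#MyID")
    return ET.tostring(env)

def verify(envelope, keys):
    """Recompute the digest and the HMAC; False on any mismatch or when the signed part is not the Body."""
    root = ET.fromstring(envelope)
    sig = root.find("S:Header/wsse:Security/ds:Signature", NS)
    info, body = sig.find("ds:SignedInfo", NS), root.find("S:Body", NS)
    ref = info.find("ds:Reference", NS)
    targets = [e for e in root.iter() if e.get("Id") == ref.get("URI")[1:]]
    if len(targets) != 1 or targets[0] is not body: return False  # signed part must be the part acted on
    if ref.find("ds:DigestValue", NS).text != b64(hashlib.sha1(c14n(body)).digest()): return False
    tok_id = sig.find("ds:KeyInfo/wsse:SecurityTokenReference/wsse:Reference", NS).get("URI")[1:]
    tok = next((t for t in root.iter(q("wsse", "UsernameToken")) if t.get("Id") == tok_id), None)
    key = keys.get(tok.find("wsse:Username", NS).text) if tok is not None else None
    if key is None: return False
    return hmac.compare_digest(hmac.new(key, c14n(info), hashlib.sha1).digest(),
                               base64.b64decode(sig.find("ds:SignatureValue", NS).text))
```

The check that the Reference resolves to the one Body the service processes is what ties the signature to the payload; a matching digest alone only says that some element with that Id was signed.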

  20. Confidentiality

  21. Encryption Components • xenc:ReferenceList • Manifest of encrypted elements in message • xenc:EncryptedData • Contains encrypted elements

  22. Encryption Example (Shared Secret)
     <S:Envelope xmlns:S="http://www.w3.org/2001/12/soap-envelope"
                 xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                 xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/04/secext"
                 xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
       <S:Header>
         <wsse:Security>
           <xenc:ReferenceList>
             <xenc:DataReference URI="#bodyID"/>
           </xenc:ReferenceList>
         </wsse:Security>
       </S:Header>
       <S:Body>
         <xenc:EncryptedData Id="bodyID">
           <ds:KeyInfo>
             <ds:KeyName>CN=Hiroshi Maruyama, C=JP</ds:KeyName>
           </ds:KeyInfo>
           <xenc:CipherData>
             <xenc:CipherValue>...</xenc:CipherValue>
           </xenc:CipherData>
         </xenc:EncryptedData>
       </S:Body>
     </S:Envelope>

  23. Encrypting Keys • Encrypt elements with a key • Encrypt that key with the recipient's key • Embed the encrypted key in the header • E.g. encrypting with a randomly generated symmetric key that is itself encrypted with the recipient's public key

  24. Encrypting with Encrypted Key
       <S:Header>
         <wsse:Security>
           <xenc:EncryptedKey>
             <xenc:EncryptionMethod Algorithm="..."/>
             <ds:KeyInfo>
               <ds:KeyName>CN=Hiroshi Maruyama, C=JP</ds:KeyName>
             </ds:KeyInfo>
             <xenc:CipherData>
               <xenc:CipherValue>...</xenc:CipherValue>
             </xenc:CipherData>
             <xenc:ReferenceList>
               <xenc:DataReference URI="#bodyID"/>
             </xenc:ReferenceList>
           </xenc:EncryptedKey>
         </wsse:Security>
       </S:Header>
       <S:Body>
         <xenc:EncryptedData Id="bodyID">
           <ds:KeyInfo>
             <ds:KeyName>CN=Hiroshi Maruyama, C=JP</ds:KeyName>
           </ds:KeyInfo>
           <xenc:CipherData>
             <xenc:CipherValue>...</xenc:CipherValue>
           </xenc:CipherData>
         </xenc:EncryptedData>
       </S:Body>
     </S:Envelope>

  25. WS-Security Specs • WS-Security • http://www-128.ibm.com/developerworks/webservices/library/ws-secure/ • XML Signature • http://www.w3.org/TR/xmldsig-core/

  26. Microsoft WSE 3.0 • Turnkey Security Scenarios • Username over Transport • Username over Certificate • Anonymous over Certificate • Mutual Certificate • Kerberos (Windows)

  27. WSE 3.0 Named Policies
     [WebService(Namespace = "http://stockservice.contoso.com/wse/samples/2005/10")]
     [Policy("ServerPolicy")]
     public class WSSecurityUsernameService : System.Web.Services.WebService
     {
         public WSSecurityUsernameService() { }

         [WebMethod]
         public List<StockQuote> StockQuoteRequest([XmlArray(), XmlArrayItem("Symbol")] string[] symbols)
         {
             // Business logic here
         }
     }
