
XML and Web Services Security Provisions

XML and Web Services Security Provisions. Andrew Mulroney Delbert Harry. Web-Services Security Quality of Protection How actors are to be authenticated, using what mechanisms and with what parameter value ranges,

montgomeryp

Presentation Transcript


  1. XML and Web Services Security Provisions
     Andrew Mulroney, Delbert Harry

  2. Web Services Security Defined
     Web-Services Security Quality of Protection
     • How actors are to be authenticated, using what mechanisms and with what parameter value ranges,
     • Which XML elements are to be encrypted, for what individual recipients, recipient roles or keys, using what algorithms and key sizes,
     • Which XML elements are to be integrity protected, using what mechanisms, with which algorithms and key sizes, and
     • What additional qualifications the service consumer must demonstrate in order to successfully access the API.

  3. Web Services Security Defined
     • Need to provide end-to-end protection at communication and application layers.
     • Elements
       • Privacy (retention period, intended usage, further disclosure),
       • Trust (initial parameters of the signature validation procedure, including those keys or authorities that are trusted directly, policy identifiers, maximum trust path length), and
       • Non-repudiation (requirements for notarization and time-stamping).

  4. What Menaces do Web Services face?
     • Message alteration
     • Attachment alteration
     • Confidentiality
     • Falsified messages
     • Man in the middle
     • Principal spoofing
     • Repudiation
     • Forged claims
     • Replay of message parts
     • Replay
     • Denial of service - amplifier

  5. Is SSL sufficient?
     • For some applications
       • Yes . . . when only transport level protection is needed.
     • As infrastructure
       • No
         • SSL only supports data in transit, not in storage
         • SSL does not support multi-party transactions
         • SSL is all or nothing
         • Messages are opaque to firewalls
         • SSL does not support non-repudiation

  6. Is SSL sufficient?
     [Diagram: User, Commerce Site, Credit Company; links labelled XML and SSL]

  7. What is SAML / What is WS-Security?
     • SAML (Security Assertion Markup Language)
       • SAML was developed by OASIS (Organization for the Advancement of Structured Information Standards), and is being supported by Liberty Alliance.
       • SAML does not directly provide message integrity or confidentiality; it relies on XML Signature to protect integrity and on SSL/TLS for confidentiality.
       • Single Sign On (SSO) can assert authorization across multiple services.
     • WS-Security
       • Developed by the Web Services Interoperability Organization (IBM, Microsoft and Verisign), it enhances SOAP with methods to protect message integrity and confidentiality and to exchange security information.
       • WS-Security specifically protects a single SOAP exchange.

  8. SOAP Message Level Security
     • Confidentiality
     • Integrity
     • Authentication
     • Builds on XML Standards
     • XML Signature & Encryption
     • WS-Security

  9. XML Encryption
     • XML Encryption defines a protocol for encrypting portions of a SOAP transmission, including
       • canonicalization
       • identifying the node to encrypt, perhaps with XPath
       • producing an encrypted version of the node
       • substituting the encrypted node for the plaintext node
     • You could perform all the XML manipulation yourself
       • .NET: must code manually; this is the only alternative open to you
       • Java: there are toolkits to do both encryption and signatures, e.g.,
         • open source – Apache WSS4J (a subproject of WS-FX)
         • commercial – IBM WSDK …as one example

  10. XML Encryption

      <?xml version='1.0'?>
      <!-- Plaintext document -->
      <PaymentInfo xmlns='http://www.page3.com/example'>
        <Name>Cap'n Crunch</Name>
      </PaymentInfo>

      <!-- EncryptedData element; Type ...#Element means a whole element was encrypted -->
      <EncryptedData Type='http://www.w3.org/2001/04/xmlenc#Element'
                     xmlns='http://www.w3.org/2001/04/xmlenc#'>
        <CipherData>
          <CipherValue>A23B45C56…</CipherValue>
        </CipherData>
      </EncryptedData>

  11. XML Signature
      • XML Signature (xml-dsig) allows us to add signing information to an XML document
        • compute a digest on a block of XML data
        • add the digest to a SOAP header element
        • optionally include our certificate, to aid the receiver in validating the digest

  12. XML Signature

      <env:Header>
        <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
          <SignedInfo>
            <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
            <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
            <Reference URI="">
              <Transforms>
                <Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
              </Transforms>
              <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
              <DigestValue>RjmqTulOiJr+Iu/GDC7CNUEAw9A=</DigestValue>
            </Reference>
          </SignedInfo>
          <SignatureValue>oYtzba8fXmi5TTeqmR2XQVkhtNZrflDNHoDCDJv1JtZDPi1iQcWFvQxQXDVGDRImIgA+JhVNVSpP0wDUAdyKKBr+0SCnETkgO7kgxhCeWTZSr
            hxJwAFMdW818HJaIAe14GPXDuUN7nPWszzmHxGWqcfGzsHlgPec8D+jvstqCkg=</SignatureValue>
          <KeyInfo>
            <KeyValue xmlns="http://www.w3.org/2000/09/xmldsig#">
              <RSAKeyValue>
                <Modulus>u0zEjEw9hPw5NmLTT+AkX7DDtn0UJtXnE7S1c2ZN6I/PEnGdbPm/Z72rksGrG3QNoZy7rZlfgPiHfGywjdmpTZN7ixp5j4MGgBcf/3NJ
                  oBRLsgVihe0x3dYLMlpoWW8pA4DczPU/SybQb4onSba2ub3aR9raefj5bwNJ5+7ajOU=</Modulus>
                <Exponent>AQAB</Exponent>
      ………

  13. What is SAML?
      • XML based Framework
      • Set of XML vocabularies for:
        • Authentication Assertion
        • Attribute Assertion
        • AuthZ decision Assertion
        • Session Assertion (Future)
        • Credential Assertion (Future)

  14. What Is SAML?
      • A standard message exchange protocol
      • Clarity in orchestrating how you ask for and get the information you need
      • How the messages ride “on” and “in” transport protocols
      • For better interoperability
      • Definition: standard way of exchanging security & related data across heterogeneous, distributed systems crossing domain (geographical, namespace, temporal, spatial, organizational,…) boundaries

  15. SAML Assertions
      • Assertions are declarations of fact, according to someone
      • SAML assertions are compounds of one or more of three kinds of “statement” about “subject” (human or program):
        • Authentication
        • Attribute
        • Authorization decision
      • You can extend SAML to make your own kinds of assertions and statements
      • Assertions can be digitally signed

  16. Sample SAML

      <Assertion>
        <Conditions NotBefore="17:30 23-MAY-2005" NotOnOrAfter="18:00 23-MAY-2005"/>
        <AuthorizationDecisionStatement Resource="love.doc" Decision="Permit">
          <Subject>
            <NameIdentifier>Cap'n Crunch</NameIdentifier>
          </Subject>
          <Action>Decrypt</Action>
        </AuthorizationDecisionStatement>
        <Signature>5E8C811270A26F615D1F6BFF899BAB46898CF546</Signature>
      </Assertion>

      Cap'n Crunch may access 'love.doc', but just between 5:30 and 6:00 PM.

  17. SAML and ebXML
      • The SAML Protocol defines 2 primary entities:
        • Service Provider: An entity that provides services to Principals
        • Identity Provider: A type of service provider that creates, maintains, and manages identity information for Principals
      • An ebXML Registry can function as a SAML Service Provider
        • Allows the registry to utilize an Identity Provider to perform client authentication on its behalf
        • Avoids duplication of Identity Provider user database within registry

  18. Weaknesses: SAML
      • Security of SAML conversation is not a stand-alone application; depends on a trust model, typically PKI.
      • Does not address privacy policies.
      • Does not define any technology or approaches for Authentication.
      • Only makes assertions about credentials; does not authenticate or authorize users.

  19. Weaknesses: WS-Security
      • Does not discuss how proof-of-possession must be implemented.
      • Does not discuss how subject confirmations must be implemented.
      • Not yet approved as a standard; there are no commercial web services that use this specification as of yet.

  20. Weaknesses: Integration
      • Implementation: Management of relationships to interrelated specs (SAML, WS-Trust etc.) may be highly complex, hence difficult to
      • Threats
        • Vendor rivalries
        • Limited industry for extensions

  21. Questions?
      • Is Web Services security then exactly as secure as the encryption mechanisms employed on the documents?
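Added example, not part of the original slides: the digest step from slides 11 and 12 (canonicalize a block, digest it, carry the digest in the header, recompute it on receipt), in Python. It assumes a constructed, un-namespaced envelope, SHA-256 in place of the slide's SHA-1, and the standard library's C14N 2.0 in place of the slide's canonical XML 1.0; signing SignedInfo is left out, so only the digest is covered.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"  # XML Signature namespace (slide 12)

# Constructed sample message; element names and the Id value are assumptions.
SAMPLE = '<Envelope><Header/><Body Id="body"><Pay to="acme" amount="10"/></Body></Envelope>'


def c14n_digest(element):
    """Canonicalize one element, then return its base64 SHA-256 digest."""
    canonical = ET.canonicalize(ET.tostring(element, encoding="unicode"))
    return base64.b64encode(hashlib.sha256(canonical.encode()).digest()).decode()


def resolve(root, uri):
    """Resolve a same-document reference ("#id") to exactly one element."""
    if not uri or not uri.startswith("#"):
        raise ValueError("only same-document references are accepted")
    hits = [e for e in root.iter() if e.get("Id") == uri[1:]]
    if len(hits) != 1:  # a missing or duplicated Id makes the reference ambiguous
        raise ValueError("reference must match exactly one element")
    return hits[0]


def add_digest(message, uri):
    """Sender: digest the referenced block and record it in the header."""
    root = ET.fromstring(message)
    ref = ET.SubElement(root.find("Header"), f"{{{DS}}}Reference", URI=uri)
    ET.SubElement(ref, f"{{{DS}}}DigestValue").text = c14n_digest(resolve(root, uri))
    return ET.tostring(root, encoding="unicode")


def check_digest(message):
    """Receiver: return the element the digest covers, or None on mismatch."""
    root = ET.fromstring(message)
    ref = root.find(f"Header/{{{DS}}}Reference")
    if ref is None:
        return None  # nothing is integrity protected: fail closed
    target = resolve(root, ref.get("URI"))
    return target if c14n_digest(target) == ref.findtext(f"{{{DS}}}DigestValue") else None
```

The receiver should hand the application the element returned by `check_digest`, not re-select the body from the raw message, so the data that is used is the data that was digested.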
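Added example, not part of the original slides: how a relying party could evaluate the sample assertion from slide 16, in Python. It assumes the assertion's signature was verified beforehand (the Signature element is omitted here), that this relying party requires a validity window, and the function name and parameters are hypothetical.

```python
from datetime import datetime
import xml.etree.ElementTree as ET

# Slide 16's sample with quoting repaired and the Signature element omitted.
# The timestamp layout is the slide's own, not the xs:dateTime real SAML uses.
ASSERTION = """<Assertion>
  <Conditions NotBefore="17:30 23-MAY-2005" NotOnOrAfter="18:00 23-MAY-2005"/>
  <AuthorizationDecisionStatement Resource="love.doc" Decision="Permit">
    <Subject><NameIdentifier>Cap'n Crunch</NameIdentifier></Subject>
    <Action>Decrypt</Action>
  </AuthorizationDecisionStatement>
</Assertion>"""
SLIDE_TIME = "%H:%M %d-%b-%Y"


def is_permitted(assertion_xml, subject, resource, action, now):
    """Return True only if the assertion permits this request at time `now`."""
    root = ET.fromstring(assertion_xml)
    cond = root.find("Conditions")
    if cond is None:
        return False  # assumption: no validity window means no access
    try:
        start = datetime.strptime(cond.get("NotBefore", ""), SLIDE_TIME)
        end = datetime.strptime(cond.get("NotOnOrAfter", ""), SLIDE_TIME)
    except ValueError:
        return False  # missing or unparseable bound: fail closed
    if not (start <= now < end):  # NotBefore is inclusive, NotOnOrAfter exclusive
        return False
    for stmt in root.iter("AuthorizationDecisionStatement"):
        name = (stmt.findtext("Subject/NameIdentifier") or "").strip()
        act = (stmt.findtext("Action") or "").strip()
        if (stmt.get("Decision") == "Permit" and stmt.get("Resource") == resource
                and name == subject and act == action):
            return True
    return False  # no matching Permit statement
```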
