WS-Security

Clement Song

02-09-04


Outline

  • What is WS-Security?

  • Why WS-Security?

  • Terminology

  • How to Secure?

  • Code

  • Demos

  • Reference


What is WS-Security?

  • WS-Security:

    • SOAP message protection through message integrity, confidentiality, and single-message authentication

    • extensible and flexible (multiple security tokens, trust domains, signature formats, and encryption technologies)

    • a flexible set of mechanisms that can be used to construct a range of security protocols

Source: WS-Security specification, version 1.0, ref [1]


Why WS-Security?

  • Secure SOAP message exchange at the message layer, end to end: transport security such as TLS only protects one hop, while a SOAP message may pass through several intermediaries (actors) before it reaches the ultimate receiver.


Terminology Reference

  • Claim - A claim is a statement that a requestor makes (e.g. name, identity, key, group, privilege, capability, etc).

  • Security Token - A security token represents a collection of claims.

  • Signed Security Token - A signed security token is a security token that is asserted and cryptographically endorsed by a specific authority (e.g. an X.509 certificate or a Kerberos ticket).

  • Proof-of-Possession - The proof-of-possession information is data that is used in a proof process to demonstrate the sender's knowledge of information that should only be known to the claiming sender of a security token.



  • Digest - A digest is a cryptographic checksum of an octet stream

  • Signature - A signature is a cryptographic binding of a proof-of-possession and a digest. This covers both symmetric key-based and public key-based signatures. Consequently, non-repudiation is not always achieved (spec wording, ref [1]): a MAC made with a shared key proves that a holder of the key produced the message, but either party holds the key, so neither can prove to a third party which of them signed.

  • Non-repudiation - assurance that a transferred message was sent and received by the parties claiming to have sent and received it: the sender cannot later deny having sent the message, and the recipient cannot deny having received it. Only public-key signatures provide it; symmetric-key signatures do not.


How to Secure?

  • Integrity - information is not modified in transit

    • XML signature in conjunction with security tokens

    • Multiple signatures, multiple actors, additional signature formats



  • Confidentiality - only authorized actors or security token owners can view the data

    • XML encryption in conjunction with security tokens

    • Multiple encryption processes, multiple actors



  • Authentication - you are who you say you are

    • Security Tokens


Syntax

<S:Envelope>
  <S:Header>
    ...
    <Security S:actor="..." S:mustUnderstand="...">
      ...
    </Security>
    ...
  </S:Header>
  <S:Body>
    ...
  </S:Body>
</S:Envelope>

A Security header block is addressed to one SOAP actor (S:actor names the intermediary or ultimate receiver it is meant for, and a message may carry one block per actor), and S:mustUnderstand="1" forces a receiver that cannot process the block to fault rather than silently ignore it.


UsernameToken Element

<UsernameToken Id="...">
  <Username>...</Username>
  <Password Type="...">...</Password>
</UsernameToken>

Password Types (the two values defined in ref [1]):

  • wsse:PasswordText (the default when Type is absent) - the password itself, so it must only travel over a confidential channel such as TLS or inside an encrypted message

  • wsse:PasswordDigest - a base64-encoded SHA-1 hash of the UTF-8 password; a bare hash is as good as the password to anyone who captures it (it can simply be replayed), which is why later profiles fold a nonce and a creation time into the digest


UsernameToken Example

<wsse:Security>
  <wsse:UsernameToken>
    <wsse:Username>Zoe</wsse:Username>
    <wsse:Password>ILoveDogs</wsse:Password>
  </wsse:UsernameToken>
</wsse:Security>

There is no Type attribute, so this is wsse:PasswordText: the password is in the clear unless the message is encrypted or carried over TLS.
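The example above sends the password in the clear. What follows is an added example, not part of the slides and not any toolkit's code: it builds and verifies a UsernameToken in the PasswordDigest form, including the nonce and creation timestamp that the OASIS WSS UsernameToken Profile 1.0 added on top of the 2002 draft the slides use (that profile, its namespaces, the digest formula and the five-minute freshness window are assumptions here, not from the page; the user, password and timestamps are constructed sample data). It shows what a server has to check beyond the hash itself: the Type attribute, the freshness window, and a nonce cache against replay.

```python
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# OASIS WSS 1.0 namespaces and the PasswordDigest Type URI (assumed; the slides
# use the older 2002/04 namespace, where PasswordDigest hashed only the password).
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PASSWORD_DIGEST = ("http://docs.oasis-open.org/wss/2004/01/"
                   "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
NS = {"wsse": WSSE, "wsu": WSU}
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def utc(stamp: str) -> datetime:
    """Parse a wsu:Created style timestamp (UTC, second resolution)."""
    return datetime.strptime(stamp, TIME_FMT).replace(tzinfo=timezone.utc)


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Base64(SHA-1(nonce + created + password)), the UsernameToken Profile formula."""
    h = hashlib.sha1(nonce + created.encode() + password.encode("utf-8"))
    return base64.b64encode(h.digest()).decode()


def build_token(username: str, password: str, nonce: bytes = None, created: str = None) -> str:
    """Client side. nonce/created are parameters only to keep the example
    deterministic; a real client draws a fresh random nonce for every message."""
    nonce = nonce or os.urandom(16)
    created = created or datetime.now(timezone.utc).strftime(TIME_FMT)
    return (
        f'<wsse:UsernameToken xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">'
        f"<wsse:Username>{username}</wsse:Username>"
        f'<wsse:Password Type="{PASSWORD_DIGEST}">'
        f"{password_digest(nonce, created, password)}</wsse:Password>"
        f"<wsse:Nonce>{base64.b64encode(nonce).decode()}</wsse:Nonce>"
        f"<wsu:Created>{created}</wsu:Created>"
        "</wsse:UsernameToken>"
    )


class UsernameTokenVerifier:
    """Server side. PasswordDigest can only be checked if the server holds the
    cleartext password (or an equivalent secret), not a salted hash; that is
    the price of this scheme. Nonces are remembered so each token works once."""

    def __init__(self, passwords: dict, max_skew: timedelta = timedelta(minutes=5)):
        self.passwords = passwords      # constructed user database: {username: password}
        self.max_skew = max_skew
        self.seen_nonces = set()

    def verify(self, token_xml: str, now: datetime):
        """Return (accepted, reason); each rejection reason is distinct for logging."""
        tok = ET.fromstring(token_xml)
        user = tok.findtext("wsse:Username", "", NS)
        pw_el = tok.find("wsse:Password", NS)
        if pw_el is None or pw_el.get("Type") != PASSWORD_DIGEST:
            return False, "only PasswordDigest is accepted (PasswordText needs TLS)"
        nonce_b64 = tok.findtext("wsse:Nonce", "", NS)
        created = tok.findtext("wsu:Created", "", NS)
        if not nonce_b64 or not created:
            return False, "Nonce and Created are required with PasswordDigest"
        try:
            created_dt = utc(created)
        except ValueError:
            return False, "malformed Created"
        if abs(now - created_dt) > self.max_skew:
            return False, "Created outside the freshness window"
        if nonce_b64 in self.seen_nonces:
            return False, "nonce already used (replay)"
        # Compute against an empty password for unknown users so timing is similar.
        expected = password_digest(base64.b64decode(nonce_b64), created,
                                   self.passwords.get(user, ""))
        if user not in self.passwords or not hmac.compare_digest(expected, pw_el.text or ""):
            return False, "bad digest"
        self.seen_nonces.add(nonce_b64)   # accept exactly once
        return True, "ok"


if __name__ == "__main__":
    token = build_token("Zoe", "ILoveDogs")            # constructed sample user
    server = UsernameTokenVerifier({"Zoe": "ILoveDogs"})
    print(server.verify(token, datetime.now(timezone.utc)))   # accepted
    print(server.verify(token, datetime.now(timezone.utc)))   # same token again: replay
```

The nonce cache only needs to hold nonces for the length of the freshness window, since anything older is rejected by the Created check first; in a clustered deployment the cache has to be shared across nodes or the replay protection is only per node.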


Binary Security Tokens

<BinarySecurityToken Id="..." EncodingType="..." ValueType="..."/>

EncodingType (how the token bytes are encoded; values defined in ref [1]):

  • wsse:Base64Binary

  • wsse:HexBinary

ValueType (what kind of token it is; values defined in ref [1]):

  • wsse:X509v3 - an X.509 v3 certificate

  • wsse:Kerberosv5TGT - a Kerberos v5 ticket-granting ticket

  • wsse:Kerberosv5ST - a Kerberos v5 service ticket


Binary Security Tokens Example

<wsse:BinarySecurityToken xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/04/secext"
    Id="myToken" ValueType="wsse:X509v3" EncodingType="wsse:Base64Binary">
  MIIEZzCCA9CgAwIBAgIQEmtJZc0...
</wsse:BinarySecurityToken>


SecurityTokenReference

<SecurityTokenReference Id="...">
  <Reference URI="..."/>
</SecurityTokenReference>

Example:

<wsse:SecurityTokenReference xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/04/secext">
  <wsse:Reference URI="http://www.fabrikam123.com/tokens/Zoe#X509token"/>
</wsse:SecurityTokenReference>

The URI may point outside the message, as here, or at a token carried in the same Security header by fragment (URI="#X509Token"), which is the form the WS-Security signature example below uses.




XML Signature

<Signature ID?>
  <SignedInfo>
    <CanonicalizationMethod/>
    <SignatureMethod/>
    (<Reference URI?>
      (<Transforms>)?
      <DigestMethod>
      <DigestValue>
    </Reference>)+
  </SignedInfo>
  <SignatureValue>
  (<KeyInfo>)?
  (<Object ID?>)*
</Signature>

The notation is the XML Signature spec's own: "?" means optional, "+" one or more, "*" zero or more. The signature value is computed over the canonicalized SignedInfo, not over the signed data directly; each piece of data is bound only through the DigestValue in its Reference. Verification is therefore two steps: recompute every Reference's digest after applying its Transforms and compare, then check SignatureValue over SignedInfo with the key identified by KeyInfo.


XML Signature Example

<Signature Id="MyFirstSignature" xmlns="http://www.w3.org/2000/09/xmldsig#">
  <SignedInfo>
    <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
    <Reference URI="http://www.w3.org/TR/2000/REC-xhtml1-20000126/">
      <Transforms>
        <Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
      </Transforms>
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <DigestValue>j6lwx3rvEPO0vKtMup4NbeVu8nk=</DigestValue>
    </Reference>
  </SignedInfo>
  <SignatureValue>MC0CFFrVLtRlk=...</SignatureValue>
  <KeyInfo>
    <KeyValue>
      <DSAKeyValue>
        <P>...</P><Q>...</Q><G>...</G><Y>...</Y>
      </DSAKeyValue>
    </KeyValue>
  </KeyInfo>
</Signature>

This is the XML Signature spec's own example: a detached signature whose Reference points at an external resource by URL, with the DSA public key carried inline in KeyInfo. A key carried inline only tells the verifier which key made the signature; trusting it is a separate decision. DSA-SHA1 and SHA-1 are the algorithms of the period and are deprecated today.


XML signature in WS-Security

<wsse:Security>
  <wsse:BinarySecurityToken ValueType="wsse:X509v3" EncodingType="wsse:Base64Binary" Id="X509Token">
    MIIEZzCCA9CgAwIBAgIQEmtJZc0rqrKh5i...
  </wsse:BinarySecurityToken>
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference>
        <ds:Transforms>
          <ds:Transform Algorithm="http://...#RoutingTransform"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>EULddytSo1...</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>BL8jdfToEb1l/vXcMZNNjPOV...</ds:SignatureValue>
    <ds:KeyInfo>
      <wsse:SecurityTokenReference>
        <wsse:Reference URI="#X509Token"/>
      </wsse:SecurityTokenReference>
    </ds:KeyInfo>
  </ds:Signature>
</wsse:Security>

Two things differ from the plain XML Signature example. KeyInfo does not carry the key: it carries a SecurityTokenReference to the X.509 BinarySecurityToken with Id="X509Token" earlier in the same header, so the verifier takes the public key from that certificate (and must validate the certificate against its trust store, not merely use whatever key arrives in the message). And the Reference has no URI, so what was signed is determined by the transforms (here a routing transform followed by Exclusive C14N), which the receiver must apply exactly. Exclusive rather than inclusive canonicalization is used so that the signature survives the signed element being moved into a different namespace context by an intermediary.
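The signature above binds the Body only through a digest and names its key by reference. As an added example (not from the slides, and not any WS-Security toolkit's code), the Python below signs a constructed SOAP Body and verifies it with the checks a receiver needs; it also illustrates the Terminology slide's point that a symmetric-key signature gives integrity but not non-repudiation, because the SignatureMethod here is HMAC-SHA256 under a shared key. Two substitutions are assumptions made to stay within the standard library: C14N 2.0 via xml.etree in place of Exclusive C14N, and HMAC in place of RSA-SHA1. The envelope, the wsu:Id values, the algorithm URIs as used here and the shared key are all constructed for the demo.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

S = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://schemas.xmlsoap.org/ws/2002/04/secext"
WSU = "http://schemas.xmlsoap.org/ws/2002/07/utility"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"S": S, "wsse": WSSE, "wsu": WSU, "ds": DS}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

SHARED_KEY = b"example-key-shared-out-of-band"      # assumption for the demo
# Constructed sample envelope; the Body carries a wsu:Id so a Reference can point at it.
ENVELOPE = f"""<S:Envelope xmlns:S="{S}" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">
  <S:Header><wsse:Security/></S:Header>
  <S:Body wsu:Id="Body"><getQuote>QQQ</getQuote></S:Body>
</S:Envelope>"""


def _c14n(elem) -> bytes:
    """Canonical bytes of one subtree; signer and verifier share this routine."""
    tail, elem.tail = elem.tail, None        # tostring() would also emit the tail text
    try:
        raw = ET.tostring(elem, encoding="unicode")
    finally:
        elem.tail = tail
    return ET.canonicalize(raw, rewrite_prefixes=True).encode()


def _digest(elem) -> str:
    return base64.b64encode(hashlib.sha256(_c14n(elem)).digest()).decode()


def sign(envelope_xml: str, key: bytes) -> str:
    env = ET.fromstring(envelope_xml)
    body = env.find("S:Body", NS)
    ref_id = body.get(f"{{{WSU}}}Id")
    signed_info = ET.fromstring(
        f'<ds:SignedInfo xmlns:ds="{DS}">'
        '<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2006/12/xml-c14n2"/>'
        '<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"/>'
        f'<ds:Reference URI="#{ref_id}">'
        '<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>'
        f"<ds:DigestValue>{_digest(body)}</ds:DigestValue>"
        "</ds:Reference></ds:SignedInfo>")
    # The MAC covers canonical SignedInfo only; the Body is bound through its DigestValue.
    mac = hmac.new(key, _c14n(signed_info), hashlib.sha256).digest()
    sig = ET.SubElement(env.find("S:Header/wsse:Security", NS), f"{{{DS}}}Signature")
    sig.append(signed_info)
    ET.SubElement(sig, f"{{{DS}}}SignatureValue").text = base64.b64encode(mac).decode()
    # KeyInfo names the key by reference, as the slide's SecurityTokenReference does.
    str_el = ET.SubElement(ET.SubElement(sig, f"{{{DS}}}KeyInfo"),
                           f"{{{WSSE}}}SecurityTokenReference")
    ET.SubElement(str_el, f"{{{WSSE}}}Reference", URI="#SharedKey")
    return ET.tostring(env, encoding="unicode")


def verify(envelope_xml: str, key: bytes) -> bool:
    """True only if the MAC is valid AND the signature covers the S:Body the
    application will dispatch on. Resolving the Reference by Id alone is not
    enough: a valid signature over some other element carrying that Id
    (signature wrapping) must be rejected."""
    env = ET.fromstring(envelope_xml)
    sig = env.find("S:Header/wsse:Security/ds:Signature", NS)
    signed_info = None if sig is None else sig.find("ds:SignedInfo", NS)
    if signed_info is None:
        return False
    expected = hmac.new(key, _c14n(signed_info), hashlib.sha256).digest()
    got = base64.b64decode(sig.findtext("ds:SignatureValue", "", NS))
    if not hmac.compare_digest(expected, got):
        return False
    body = env.find("S:Body", NS)
    body_covered = False
    for ref in signed_info.findall("ds:Reference", NS):
        uri = ref.get("URI", "")
        if not uri.startswith("#"):
            return False                       # only same-document references here
        matches = [e for e in env.iter() if e.get(f"{{{WSU}}}Id") == uri[1:]]
        if len(matches) != 1:                  # an ambiguous Id is an attack signal
            return False
        if ref.findtext("ds:DigestValue", "", NS) != _digest(matches[0]):
            return False
        body_covered = body_covered or matches[0] is body
    return body_covered


def wrap_attack(signed_xml: str) -> str:
    """Constructed attacker move: keep the signed Body (digest and MAC still
    verify) but move it into the Header and put an unsigned Body in its place."""
    env = ET.fromstring(signed_xml)
    body = env.find("S:Body", NS)
    env.remove(body)
    env.find("S:Header", NS).append(body)
    fake = ET.SubElement(env, f"{{{S}}}Body")
    ET.SubElement(fake, "getQuote").text = "MSFT"
    return ET.tostring(env, encoding="unicode")
```

The verifier deliberately does more than check the MAC: it resolves each Reference by wsu:Id, refuses when the Id is ambiguous, recomputes the digest, and finally insists that the element it just verified is the S:Body the application will process. wrap_attack() shows why: it produces a message whose signature is still valid but covers a Body hidden in the Header, and a receiver that stops at "signature valid" and then processes whatever sits in S:Body accepts the attacker's quote request. Because the key is shared, a valid MAC also tells you nothing about which of the two parties produced the message, which is the non-repudiation gap the Terminology slide notes.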



XML Encryption

<EncryptedData Id? Type? MimeType? Encoding?>
  <EncryptionMethod/>?
  <ds:KeyInfo>
    <EncryptedKey>?
    <AgreementMethod>?
    <ds:KeyName>?
    <ds:RetrievalMethod>?
    <ds:*>?
  </ds:KeyInfo>?
  <CipherData>
    <CipherValue>?
    <CipherReference URI?>?
  </CipherData>
  <EncryptionProperties>?
</EncryptedData>

Same notation as the Signature grammar: "?" marks an optional item. The usual WS-Security pattern is a fresh symmetric content key that encrypts the Body (or a chosen element inside it, leaving the rest readable by intermediaries), with that key wrapped under the recipient's public key in an EncryptedKey carried in the Security header, which lists the EncryptedData elements it applies to.




Primary References

1. WS-Security Specification
   http://msdn.microsoft.com/webservices/understanding/advancedwebservices/default.aspx?pull=/library/en-us/dnglobspec/html/ws-security.asp

2. WS-Security AppNotes (examples and guidance for implementers)
   http://www-106.ibm.com/developerworks/library/ws-secapp/


Secondary References

1. XML Signature (Syntax and Processing)
   http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/

2. XML Encryption (Syntax and Processing)
   http://www.w3.org/TR/xmlenc-core/

3. RSA encryption demo (explains how RSA works)
   http://intercom.virginia.edu/crypto/crypto.html

