WS-Security - PowerPoint PPT Presentation


PowerPoint Slideshow about 'WS-Security' - sandra_john


Presentation Transcript

WS-Security

Clement Song

02-09-04

Outline
  • What is WS-Security?
  • Why WS-Security?
  • Terminology
  • How to Secure?
  • Code
  • Demos
  • Reference
What is WS-Security?
  • WS-Security:
    • SOAP message protection through message integrity, confidentiality, and single-message authentication
    • extensible and flexible (multiple security tokens, trust domains, signature formats, and encryption technologies)
    • a flexible set of mechanisms that can be used to construct a range of security protocols

Source: WS-Security version 1.0, ref. [1]

Why WS-Security?
  • Secure SOAP message exchange
Terminology Reference
  • Claim - A claim is a statement that a requestor makes (e.g. name, identity, key, group, privilege, capability, etc).
  • Security Token - A security token represents a collection of claims.
  • Signed Security Token - A signed security token is a security token that is asserted and cryptographically endorsed by a specific authority (e.g. an X.509 certificate or a Kerberos ticket).
  • Proof-of-Possession - The proof-of-possession information is data that is used in a proof process to demonstrate the sender's knowledge of information that should only be known to the claiming sender of a security token.
Terminology Reference
  • Digest - A digest is a cryptographic checksum of an octet stream.
  • Signature - A signature is a cryptographic binding of a proof-of-possession and a digest. This covers both symmetric key-based and public key-based signatures. Consequently, non-repudiation
  • Non-repudiation - ensures that a transferred message has been sent and received by the parties claiming to have sent and received it; a guarantee that the sender of a message cannot later deny having sent it and that the recipient cannot deny having received it.
How to Secure?
  • Integrity - information is not modified in transit
    • XML signature in conjunction with security tokens
    • Multiple signatures, multiple actors, additional signature formats
How to Secure?
  • Confidentiality - only authorized actors or security token owners can view the data
    • XML encryption in conjunction with security tokens
    • Multiple encryption processes, multiple actors
How to Secure?
  • Authentication - you are who you say you are
    • Security Tokens
Syntax

<S:Envelope>
  <S:Header>
    ...
    <Security S:actor="..." S:mustUnderstand="...">
      ...
    </Security>
    ...
  </S:Header>
  <S:Body>
    ...
  </S:Body>
</S:Envelope>

UsernameToken Element

<UsernameToken Id="...">
  <Username>...</Username>
  <Password Type="...">...</Password>
</UsernameToken>

Types:

UsernameToken Example

<wsse:Security>
  <wsse:UsernameToken>
    <wsse:Username>Zoe</wsse:Username>
    <wsse:Password>ILoveDogs</wsse:Password>
  </wsse:UsernameToken>
</wsse:Security>
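The example above sends the password in clear text. As an added example (not from the slides), the following Python builds the PasswordDigest form that the OASIS WSS UsernameToken Profile 1.0 defines for the Password Type attribute, and verifies it on the receiving side by recomputing the digest, enforcing a freshness window on wsu:Created and rejecting replayed nonces. It uses the OASIS namespace URIs rather than the 2002 schema used on the slides; the nonce, timestamp and credentials are constructed sample values.

```python
import base64, hashlib, hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta
from xml.sax.saxutils import escape

# Namespaces and the PasswordDigest Type URI from the OASIS WSS UsernameToken Profile 1.0.
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PASSWORD_DIGEST = ("http://docs.oasis-open.org/wss/2004/01/"
                   "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")

def password_digest(nonce: bytes, created: str, password: str) -> str:
    # Password_Digest = Base64(SHA-1(nonce + created + password)); nonce is the decoded bytes.
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")

def parse_created(created: str) -> datetime:
    # wsu:Created is an xsd:dateTime in UTC, e.g. 2004-02-09T12:00:00Z.
    return datetime.fromisoformat(created.replace("Z", "+00:00"))

def build_username_token(username: str, password: str, nonce: bytes, created: str) -> str:
    # Sender side: the wire form carries the digest plus nonce and timestamp, never the password.
    return (f'<wsse:UsernameToken xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">'
            f"<wsse:Username>{escape(username)}</wsse:Username>"
            f'<wsse:Password Type="{PASSWORD_DIGEST}">'
            f"{password_digest(nonce, created, password)}</wsse:Password>"
            f"<wsse:Nonce>{base64.b64encode(nonce).decode('ascii')}</wsse:Nonce>"
            f"<wsu:Created>{created}</wsu:Created></wsse:UsernameToken>")

def verify_username_token(token_xml, lookup_password, now, seen_nonces, max_age=timedelta(minutes=5)):
    # Receiver side: returns "ok" or the rejection reason; lookup_password(username) -> password or None.
    tok = ET.fromstring(token_xml)
    pw = tok.find(f"{{{WSSE}}}Password")
    if pw is None or pw.get("Type") != PASSWORD_DIGEST:
        return "only PasswordDigest is accepted"
    username = tok.findtext(f"{{{WSSE}}}Username")
    nonce_b64 = tok.findtext(f"{{{WSSE}}}Nonce")
    created = tok.findtext(f"{{{WSU}}}Created")
    if not (username and nonce_b64 and created):
        return "missing Username, Nonce or Created"
    if abs(now - parse_created(created)) > max_age:  # freshness window
        return "stale Created timestamp"
    if nonce_b64 in seen_nonces:  # replay cache, scoped to the freshness window in practice
        return "replayed nonce"
    stored = lookup_password(username)
    expected = password_digest(base64.b64decode(nonce_b64), created, stored or "")
    if stored is None or not hmac.compare_digest(expected.encode(), (pw.text or "").encode()):
        return "unknown user or bad digest"
    seen_nonces.add(nonce_b64)
    return "ok"
```

The digest scheme still requires the receiver to hold the password in recoverable form, so it protects the password on the wire, not at rest.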

Binary Security Tokens

<BinarySecurityToken Id="..." EncodingType="..." ValueType="..."/>

EncodingType:

ValueType:

Binary Security Tokens Example

<wsse:BinarySecurityToken xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/04/secext"
    Id="myToken" ValueType="wsse:X509v3" EncodingType="wsse:Base64Binary">
  MIIEZzCCA9CgAwIBAgIQEmtJZc0...
</wsse:BinarySecurityToken>

SecurityTokenReference

<SecurityTokenReference Id="...">
  <Reference URI="..."/>
</SecurityTokenReference>

Example:

<wsse:SecurityTokenReference xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/04/secext">
  <wsse:Reference URI="http://www.fabrikam123.com/tokens/Zoe#X509token"/>
</wsse:SecurityTokenReference>

XML Signature

<Signature ID?>
  <SignedInfo>
    <CanonicalizationMethod/>
    <SignatureMethod/>
    (<Reference URI?>
      (<Transforms>)?
      <DigestMethod>
      <DigestValue>
    </Reference>)+
  </SignedInfo>
  <SignatureValue>
  (<KeyInfo>)?
  (<Object ID?>)*
</Signature>

XML Signature Example

<Signature Id="MyFirstSignature" xmlns="http://www.w3.org/2000/09/xmldsig#">
  <SignedInfo>
    <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
    <Reference URI="http://www.w3.org/TR/2000/REC-xhtml1-20000126/">
      <Transforms>
        <Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
      </Transforms>
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <DigestValue>j6lwx3rvEPO0vKtMup4NbeVu8nk=</DigestValue>
    </Reference>
  </SignedInfo>
  <SignatureValue>MC0CFFrVLtRlk=...</SignatureValue>
  <KeyInfo>
    <KeyValue>
      <DSAKeyValue>
        <P>...</P><Q>...</Q><G>...</G><Y>...</Y>
      </DSAKeyValue>
    </KeyValue>
  </KeyInfo>
</Signature>

XML signature in WS-Security

<wsse:Security>
  <wsse:BinarySecurityToken ValueType="wsse:X509v3" EncodingType="wsse:Base64Binary" Id="X509Token">
    MIIEZzCCA9CgAwIBAgIQEmtJZc0rqrKh5i...
  </wsse:BinarySecurityToken>
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference>
        <ds:Transforms>
          <ds:Transform Algorithm="http://...#RoutingTransform"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>EULddytSo1...</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>BL8jdfToEb1l/vXcMZNNjPOV...</ds:SignatureValue>
    <ds:KeyInfo>
      <wsse:SecurityTokenReference>
        <wsse:Reference URI="#X509Token"/>
      </wsse:SecurityTokenReference>
    </ds:KeyInfo>
  </ds:Signature>
</wsse:Security>
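Added example, not from the slides: before a receiver spends any effort on the cryptographic verification of a header like the one above, it should confirm that the SecurityTokenReference resolves to exactly one BinarySecurityToken, that every ds:Reference resolves to exactly one element, that the SOAP Body is among the signed elements, and that the SignatureMethod is on an allow list. The sample message is constructed from the slide's fragment with a Reference URI="#Body" assumed in place of the RoutingTransform; all base64 values are truncated placeholders.

```python
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://schemas.xmlsoap.org/ws/2002/04/secext"  # the wsse namespace used on the slides
DS = "http://www.w3.org/2000/09/xmldsig#"
# Constructed sample: the slide's Security header plus a Reference URI="#Body" pointing at the SOAP
# Body (assumed; the slide's Reference relies on a RoutingTransform instead). Values are truncated.
SAMPLE = f"""<S:Envelope xmlns:S="{SOAP}" xmlns:wsse="{WSSE}" xmlns:ds="{DS}"><S:Header><wsse:Security>
<wsse:BinarySecurityToken ValueType="wsse:X509v3" EncodingType="wsse:Base64Binary" Id="X509Token">MIIEZzCCA9CgAwIBAgIQEmtJZc0rqrKh5i...</wsse:BinarySecurityToken>
<ds:Signature><ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#Body"><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>EULddytSo1...</ds:DigestValue></ds:Reference></ds:SignedInfo>
<ds:SignatureValue>BL8jdfToEb1l/vXcMZNNjPOV...</ds:SignatureValue>
<ds:KeyInfo><wsse:SecurityTokenReference><wsse:Reference URI="#X509Token"/></wsse:SecurityTokenReference></ds:KeyInfo>
</ds:Signature></wsse:Security></S:Header><S:Body Id="Body"><getQuote/></S:Body></S:Envelope>"""

def by_id(root, id_value):
    # Every element whose Id attribute (prefixed or not) equals id_value; a sound message has exactly one.
    return [e for e in root.iter()
            if any((k == "Id" or k.endswith("}Id")) and v == id_value for k, v in e.attrib.items())]

# rsa-sha1 is what the slide uses; a current allow list would carry the SHA-256 variants instead.
def check_signed_message(xml_text, allowed_sig=("http://www.w3.org/2000/09/xmldsig#rsa-sha1",)):
    # Structural checks to run before any cryptographic verification; returns a list of findings.
    root = ET.fromstring(xml_text)
    sig = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security/{{{DS}}}Signature")
    if sig is None:
        return ["no ds:Signature inside wsse:Security"]
    findings = []
    method = sig.find(f"{{{DS}}}SignedInfo/{{{DS}}}SignatureMethod")
    if method is None or method.get("Algorithm") not in allowed_sig:
        findings.append("SignatureMethod missing or not on the allow list")
    signed = []
    for ref in sig.iterfind(f"{{{DS}}}SignedInfo/{{{DS}}}Reference"):
        uri = ref.get("URI", "")
        targets = by_id(root, uri[1:]) if uri.startswith("#") else []
        if len(targets) != 1:
            findings.append(f"Reference URI={uri!r} resolves to {len(targets)} elements, expected 1")
        signed.extend(targets)
    if root.find(f"{{{SOAP}}}Body") not in signed:
        findings.append("the SOAP Body is not covered by any Reference")
    str_ref = sig.find(f"{{{DS}}}KeyInfo/{{{WSSE}}}SecurityTokenReference/{{{WSSE}}}Reference")
    token_uri = str_ref.get("URI", "") if str_ref is not None else ""
    tokens = by_id(root, token_uri[1:]) if token_uri.startswith("#") else []
    if len(tokens) != 1 or tokens[0].tag != f"{{{WSSE}}}BinarySecurityToken":
        findings.append(f"SecurityTokenReference {token_uri!r} does not resolve to one BinarySecurityToken")
    return findings
```

An empty findings list only means the structure is sound; canonicalization, digest and signature checks with the certificate from the token still follow.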

XML Encryption

<EncryptedData Id? Type? MimeType? Encoding?>
  <EncryptionMethod/>?
  <ds:KeyInfo>
    <EncryptedKey>?
    <AgreementMethod>?
    <ds:KeyName>?
    <ds:RetrievalMethod>?
    <ds:*>?
  </ds:KeyInfo>?
  <CipherData>
    <CipherValue>?
    <CipherReference URI?>?
  </CipherData>
  <EncryptionProperties>?
</EncryptedData>

Primary References

1. WS-Security Specification
   http://msdn.microsoft.com/webservices/understanding/advancedwebservices/default.aspx?pull=/library/en-us/dnglobspec/html/ws-security.asp

2. WS-Security AppNotes (examples and guidance to implementers)
   http://www-106.ibm.com/developerworks/library/ws-secapp/

Secondary References

1. XML signature (Syntax and processing)
   http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/

2. XML encryption (Syntax and processing)
   http://www.w3.org/TR/xmlenc-core/

3. RSA encryption demo (explains how RSA works)
   http://intercom.virginia.edu/crypto/crypto.html
