WS-Security

Clement Song, 02-09-04
Outline
  • What is WS-Security?
  • Why WS-Security?
  • Terminology
  • How to Secure?
  • Code
  • Demos
  • Reference
What is WS-Security?
  • WS-Security:
    • SOAP message protection through message integrity, confidentiality, and single message authentication
    • extensible and flexible (multiple security tokens, trust domains, signature formats, and encryption technologies)
    • a flexible set of mechanisms that can be used to construct a range of security protocols

Source: WS-Security version 1.0 [1]

Why WS-Security?
  • Secure SOAP message exchange
    • The protection travels with the message itself rather than with the transport, so it holds across intermediaries (multiple actors) and remains verifiable after delivery
Terminology Reference
  • Claim - A claim is a statement that a requestor makes (e.g. name, identity, key, group, privilege, capability, etc).
  • Security Token - A security token represents a collection of claims.
  • Signed Security Token - A signed security token is a security token that is asserted and cryptographically endorsed by a specific authority (e.g. an X.509 certificate or a Kerberos ticket).
  • Proof-of-Possession - The proof-of-possession information is data that is used in a proof process to demonstrate the sender's knowledge of information that should only be known to the claiming sender of a security token.
Terminology Reference
  • Digest - A digest is a cryptographic checksum of an octet stream.
  • Signature - A signature is a cryptographic binding of a proof-of-possession and a digest. This covers both symmetric key-based and public key-based signatures. Consequently, non-repudiation is not always achieved: with a symmetric key, any holder of the key could have produced the signature.
  • Non-repudiation - ensuring that a transferred message has been sent and received by the parties claiming to have sent and received it; a way to guarantee that the sender cannot later deny having sent the message and that the recipient cannot deny having received it.
How to Secure?
  • Integrity - information is not modified in transit
    • XML Signature in conjunction with security tokens
    • Multiple signatures, multiple actors, additional signature formats
How to Secure?
  • Confidentiality - only authorized actors or security token owners can view the data
    • XML encryption in conjunction with security tokens
    • Multiple encryption processes, multiple actors
How to Secure?
  • Authentication – you are who you say you are
    • Security Tokens

Security tokens, signatures and encrypted data are carried in the wsse:Security SOAP header block:

<wsse:Security S:actor="..." S:mustUnderstand="...">
  ...
</wsse:Security>
UsernameToken Element

<UsernameToken Id="...">
  <Username>...</Username>
  <Password Type="...">...</Password>
</UsernameToken>
UsernameToken Example
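The slides leave the Password Type unspecified. The example below is added here and is not part of the original presentation; it fills in the PasswordDigest form defined by the OASIS UsernameToken Profile 1.0: the client sends Base64(SHA-1(nonce + created + password)) together with the Nonce and Created elements, and the server recomputes the digest. The namespace URIs are the OASIS 1.0 ones (the slides' draft-era namespaces were stripped from the page); the username, password, nonce, timestamps and 5-minute skew window are constructed, and the timestamp format is simplified to whole seconds.

```python
"""UsernameToken with PasswordDigest: build it client-side, verify it server-side.

Added example for this transcript, not code from the slides. Follows the WSS
UsernameToken Profile 1.0 rule Base64(SHA-1(nonce + created + password)), where
nonce is the decoded octets and created is the wsu:Created string exactly as sent.
"""
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
UTP = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
PASSWORD_DIGEST = UTP + "#PasswordDigest"
BASE64_BINARY = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-soap-message-security-1.0#Base64Binary")
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"  # assumption: whole seconds, no fractional part
ET.register_namespace("wsse", WSSE)
ET.register_namespace("wsu", WSU)


def password_digest(nonce, created, password):
    """Base64(SHA-1(nonce octets || created string || password))."""
    return base64.b64encode(
        hashlib.sha1(nonce + created.encode() + password.encode()).digest()).decode()


def build_username_token(username, password, nonce=None, created=None):
    """Client side: a UsernameToken whose Password element carries the digest, not the password."""
    nonce = nonce if nonce is not None else os.urandom(16)
    created = created or datetime.now(timezone.utc).strftime(TIME_FMT)
    tok = ET.Element(f"{{{WSSE}}}UsernameToken", {f"{{{WSU}}}Id": "UsernameToken-1"})
    ET.SubElement(tok, f"{{{WSSE}}}Username").text = username
    pw = ET.SubElement(tok, f"{{{WSSE}}}Password", Type=PASSWORD_DIGEST)
    pw.text = password_digest(nonce, created, password)
    ET.SubElement(tok, f"{{{WSSE}}}Nonce", EncodingType=BASE64_BINARY).text = (
        base64.b64encode(nonce).decode())
    ET.SubElement(tok, f"{{{WSU}}}Created").text = created
    return ET.tostring(tok, encoding="unicode")


class UsernameTokenVerifier:
    """Server side: recompute the digest, bound clock skew, refuse nonce replay."""

    def __init__(self, passwords, max_skew=timedelta(minutes=5), clock=None):
        self.passwords = passwords   # username -> password; the server must be able to recompute
        self.max_skew = max_skew
        self.clock = clock or (lambda: datetime.now(timezone.utc))
        self.seen = set()            # (nonce, created) pairs; expire them after max_skew in production

    def verify(self, token_xml):
        tok = ET.fromstring(token_xml)
        user = tok.findtext(f"{{{WSSE}}}Username")
        pw = tok.find(f"{{{WSSE}}}Password")
        nonce_b64 = tok.findtext(f"{{{WSSE}}}Nonce")
        created = tok.findtext(f"{{{WSU}}}Created")
        if pw is None or pw.get("Type") != PASSWORD_DIGEST:
            return False, "only PasswordDigest accepted"   # PasswordText would carry the secret in clear
        if not (user and nonce_b64 and created):
            return False, "missing Username, Nonce or Created"
        if user not in self.passwords:
            return False, "unknown user"
        try:
            created_at = datetime.strptime(created, TIME_FMT).replace(tzinfo=timezone.utc)
        except ValueError:
            return False, "malformed Created"
        if abs(self.clock() - created_at) > self.max_skew:
            return False, "Created outside freshness window"
        if (nonce_b64, created) in self.seen:
            return False, "replayed nonce"
        expected = password_digest(base64.b64decode(nonce_b64), created, self.passwords[user])
        if not hmac.compare_digest(expected, pw.text or ""):
            return False, "digest mismatch"
        self.seen.add((nonce_b64, created))
        return True, "ok"


def demo():
    """Constructed scenario with a frozen clock; returns the verifier's verdicts in order."""
    now = datetime(2004, 2, 9, 12, 0, 0, tzinfo=timezone.utc)
    v = UsernameTokenVerifier({"alice": "s3cret"}, clock=lambda: now)
    good = build_username_token("alice", "s3cret", nonce=b"0123456789abcdef",
                                created="2004-02-09T12:00:00Z")
    bad_pw = build_username_token("alice", "wrong", created="2004-02-09T12:00:01Z")
    stale = build_username_token("alice", "s3cret", created="2004-02-09T11:00:00Z")
    return [v.verify(good), v.verify(good), v.verify(bad_pw), v.verify(stale)]


if __name__ == "__main__":
    print(demo())
```

Two caveats the check makes explicit: the server needs the cleartext password (or an equivalent it can feed into SHA-1) to recompute the digest, so this scheme does not combine with salted password hashing on the server; and the digest alone does not stop replay, which is why Created is bounded and the (nonce, created) pair is cached for the skew window.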
Binary Security Tokens

<BinarySecurityToken Id="..." EncodingType="..." ValueType="...">...</BinarySecurityToken>
Binary Security Tokens Example

<wsse:BinarySecurityToken xmlns:wsse="..."
    Id="myToken" ValueType="wsse:X509v3" EncodingType="wsse:Base64Binary">
  MIIEZzCCA9CgAwIBAgIQEmtJZc0...
</wsse:BinarySecurityToken>

SecurityTokenReference Element

<SecurityTokenReference Id="...">
  <Reference URI="..."/>
</SecurityTokenReference>

SecurityTokenReference Example

<wsse:SecurityTokenReference xmlns:wsse="...">
  <wsse:Reference URI="..."/>
</wsse:SecurityTokenReference>
XML Signature

<Signature ID?>
  <SignedInfo>
    <CanonicalizationMethod/>
    <SignatureMethod/>
    (<Reference URI? >
      (<Transforms>)?
      <DigestMethod>
      <DigestValue>
    </Reference>)+
  </SignedInfo>
  <SignatureValue>
  (<KeyInfo>)?
  (<Object ID?>)*
</Signature>
XML Signature Example

<Signature Id="MyFirstSignature" xmlns="...">
  <SignedInfo>
    <CanonicalizationMethod Algorithm="..."/>
    <SignatureMethod Algorithm="..."/>
    <Reference URI="...">
      <Transforms>
        <Transform Algorithm="..."/>
      </Transforms>
      <DigestMethod Algorithm="..."/>
      <DigestValue>j6lwx3rvEPO0vKtMup4NbeVu8nk=</DigestValue>
    </Reference>
  </SignedInfo>
  <SignatureValue>...</SignatureValue>
  <KeyInfo>
    <KeyValue>
      <DSAKeyValue>
        <P>...</P><Q>...</Q><G>...</G><Y>...</Y>
      </DSAKeyValue>
    </KeyValue>
  </KeyInfo>
</Signature>

XML Signature in WS-Security

<wsse:Security>
  <wsse:BinarySecurityToken ValueType="wsse:X509v3" EncodingType="wsse:Base64Binary" Id="X509Token">
    MIIEZzCCA9CgAwIBAgIQEmtJZc0rqrKh5i...
  </wsse:BinarySecurityToken>
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="..."/>
      <ds:SignatureMethod Algorithm="..."/>
      <ds:Reference URI="...">
        <ds:Transforms>
          <ds:Transform Algorithm="http://...#RoutingTransform"/>
          <ds:Transform Algorithm="..."/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="..."/>
        <ds:DigestValue>...</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>BL8jdfToEb1l/vXcMZNNjPOV...</ds:SignatureValue>
    <ds:KeyInfo>
      <wsse:SecurityTokenReference>
        <wsse:Reference URI="#X509Token"/>
      </wsse:SecurityTokenReference>
    </ds:KeyInfo>
  </ds:Signature>
</wsse:Security>

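To show what the Reference DigestValue and the SignatureValue in the two signature slides above actually bind, here is a minimal sign-and-verify pass over a SOAP Body. It is added here and is not part of the original presentation. It uses only the Python standard library, so two substitutions are assumed and labelled in the code: ET.canonicalize() provides C14N 2.0 where WS-Security deployments use Exclusive C14N 1.0, and HMAC-SHA1 (an XML-DSig SignatureMethod) stands in for the RSA signature that the X.509 BinarySecurityToken would key. The envelope, payload namespace and key are constructed.

```python
"""XML Signature over a SOAP Body: Reference digest, canonical SignedInfo, SignatureValue.

Added example for this transcript, not code from the slides. Standard library only:
ET.canonicalize() is C14N 2.0 (assumed stand-in for Exclusive C14N 1.0) and HMAC-SHA1
is an assumed stand-in for the RSA/DSA SignatureMethod used with X.509 tokens.
"""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
DS = "http://www.w3.org/2000/09/xmldsig#"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PAY = "urn:example:payments"                      # constructed sample payload namespace
C14N2 = "http://www.w3.org/2006/12/xml-c14n2"
SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1"
HMAC_SHA1 = "http://www.w3.org/2000/09/xmldsig#hmac-sha1"
for prefix, ns in (("S", SOAP), ("ds", DS), ("wsse", WSSE), ("wsu", WSU), ("pay", PAY)):
    ET.register_namespace(prefix, ns)

# Constructed sample: unsigned envelope, empty Security header, Body carrying a wsu:Id
# so that a ds:Reference can point at it.
ENVELOPE = (
    f'<S:Envelope xmlns:S="{SOAP}" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">'
    f'<S:Header><wsse:Security S:mustUnderstand="1"/></S:Header>'
    f'<S:Body wsu:Id="Body"><pay:Transfer xmlns:pay="{PAY}">100</pay:Transfer></S:Body>'
    f'</S:Envelope>'
)
KEY = b"shared-secret-for-demo-only"  # constructed; an RSA key pair in real WS-Security


def c14n(elem):
    """Canonical octets of one element: the input to DigestMethod and SignatureMethod."""
    return ET.canonicalize(ET.tostring(elem, encoding="unicode")).encode()


def digest_value(elem):
    return base64.b64encode(hashlib.sha1(c14n(elem)).digest()).decode()


def resolve_reference(root, uri):
    """Resolve URI="#id" to exactly one wsu:Id element; refuse non-local or ambiguous Ids."""
    if not uri.startswith("#"):
        raise ValueError(f"only same-document references are supported: {uri!r}")
    hits = [e for e in root.iter() if e.get(f"{{{WSU}}}Id") == uri[1:]]
    if len(hits) != 1:
        raise ValueError(f"{uri!r} resolves to {len(hits)} elements, need exactly one")
    return hits[0]


def sign(envelope_xml, ref_id, key):
    """Digest the referenced element, then MAC the canonical SignedInfo that holds the digest."""
    root = ET.fromstring(envelope_xml)
    target = resolve_reference(root, "#" + ref_id)
    sig = ET.Element(f"{{{DS}}}Signature")
    si = ET.SubElement(sig, f"{{{DS}}}SignedInfo")
    ET.SubElement(si, f"{{{DS}}}CanonicalizationMethod", Algorithm=C14N2)
    ET.SubElement(si, f"{{{DS}}}SignatureMethod", Algorithm=HMAC_SHA1)
    ref = ET.SubElement(si, f"{{{DS}}}Reference", URI="#" + ref_id)
    ET.SubElement(ref, f"{{{DS}}}DigestMethod", Algorithm=SHA1)
    ET.SubElement(ref, f"{{{DS}}}DigestValue").text = digest_value(target)
    mac = hmac.new(key, c14n(si), hashlib.sha1).digest()   # the key signs SignedInfo, not the Body
    ET.SubElement(sig, f"{{{DS}}}SignatureValue").text = base64.b64encode(mac).decode()
    root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security").append(sig)
    return ET.tostring(root, encoding="unicode")


def verify(signed_xml, key):
    root = ET.fromstring(signed_xml)
    sig = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security/{{{DS}}}Signature")
    si = sig.find(f"{{{DS}}}SignedInfo")
    # Step 1: each Reference digest must match the element it points at.
    for ref in si.findall(f"{{{DS}}}Reference"):
        target = resolve_reference(root, ref.get("URI"))
        if not hmac.compare_digest(digest_value(target), ref.findtext(f"{{{DS}}}DigestValue") or ""):
            return False, f"digest mismatch for {ref.get('URI')}"
    # Step 2: SignatureValue must be the MAC of canonical SignedInfo under the key.
    expected = hmac.new(key, c14n(si), hashlib.sha1).digest()
    got = base64.b64decode(sig.findtext(f"{{{DS}}}SignatureValue") or "")
    if not hmac.compare_digest(expected, got):
        return False, "SignatureValue mismatch"
    return True, "ok"


def demo():
    """Intact message, Body tampered after signing, and verification with the wrong key."""
    signed = sign(ENVELOPE, "Body", KEY)
    tampered_root = ET.fromstring(signed)
    tampered_root.find(f"{{{SOAP}}}Body/{{{PAY}}}Transfer").text = "100000"
    tampered = ET.tostring(tampered_root, encoding="unicode")
    return [verify(signed, KEY), verify(tampered, KEY), verify(signed, b"wrong-key")]


if __name__ == "__main__":
    print(demo())
```

verify() keeps the two steps separate so a failure says which layer was touched: a changed Body surfaces as a Reference digest mismatch, a wrong key or an altered SignedInfo as a SignatureValue mismatch. Because the key here is symmetric, a valid signature proves only that some holder of the key produced it, which is the non-repudiation caveat from the Terminology slide. resolve_reference() refuses an Id that matches more than one element, so there is a single element that both the verifier and the application treat as the signed one.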
XML Encryption

<EncryptedData Id? Type? MimeType? Encoding?>
  <EncryptionMethod/>?
  <ds:KeyInfo>...</ds:KeyInfo>?
  <CipherData>
    <CipherValue>?
    <CipherReference URI?>?
  </CipherData>
  <EncryptionProperties/>?
</EncryptedData>
Primary References

1. WS-Security Specification
2. WS-Security AppNotes (examples and guidance to implementers)

Secondary References

1. XML Signature (Syntax and Processing)
2. XML Encryption (Syntax and Processing)
3. RSA encryption demo (explains how RSA works)