WS-Security
Clement Song
02-09-04
Outline
What is WS-Security?
Why WS-Security?
Terminology
How to Secure?
Code
Demos
Reference
What is WS-Security?
WS-Security: SOAP message protection through message integrity, confidentiality, and single message authentication
Extensible and flexible (multiple security tokens, trust domains, signature formats, and encryption technologies)
A flexible set of mechanisms that can be used to construct a range of security protocols
Source: WS-Security version 1.0, ref. [1]
Why WS-Security?
Secure SOAP message exchange
Terminology Reference
Claim - A claim is a statement that a requestor makes (e.g. name, identity, key, group, privilege, capability, etc.).
Security Token - A security token represents a collection of claims.
Signed Security Token - A signed security token is a security token that is asserted and cryptographically endorsed by a specific authority (e.g. an X.509 certificate or a Kerberos ticket).
Proof-of-Possession - The proof-of-possession information is data that is used in a proof process to demonstrate the sender's knowledge of information that should only be known to the claiming sender of a security token.
Terminology Reference
Digest - A digest is a cryptographic checksum of an octet stream.
Signature - A signature is a cryptographic binding of a proof-of-possession and a digest. This covers both symmetric key-based and public key-based signatures. Consequently, non-repudiation
Non-repudiation - means to ensure that a transferred message has been sent and received by the parties claiming to have sent and received the message. A way to guarantee that the sender of a message cannot later deny having sent the message and that the recipient cannot deny having received the message.
How to Secure?
Integrity - information is not modified in transit
  XML Signature in conjunction with security tokens
  Multiple signatures, multiple actors, additional signature formats
How to Secure?
Confidentiality - only authorized actors or security token owners can view the data
  XML Encryption in conjunction with security tokens
  Multiple encryption processes, multiple actors
How to Secure?
Authentication - you are who you say you are
  Security Tokens
Syntax
<S:Envelope>
  <S:Header>
    ...
    <Security S:actor="..." S:mustUnderstand="...">
      ...
    </Security>
    ...
  </S:Header>
  <S:Body>
    ...
  </S:Body>
</S:Envelope>
UsernameToken Element
<UsernameToken Id="...">
  <Username>...</Username>
  <Password Type="...">...</Password>
</UsernameToken>
Types:
wsse:PasswordText (default)
  The actual password for the username
wsse:PasswordDigest
  The digest of the password for the username. The value is a base64-encoded SHA1 hash value of the UTF8-encoded password.
UsernameToken Example
<wsse:Security>
  <wsse:UsernameToken>
    <wsse:Username>Zoe</wsse:Username>
    <wsse:Password>ILoveDogs</wsse:Password>
  </wsse:UsernameToken>
</wsse:Security>
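An added Python example, not from the slides, that computes PasswordDigest exactly as the previous slide defines it and verifies a received UsernameToken for either Type value; the USERS table and the lookup callback are constructed for the demo (the Zoe / ILoveDogs pair is the slide's own).

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

WSSE = "http://schemas.xmlsoap.org/ws/2002/04/secext"  # namespace used on the slides


def password_digest(password: str) -> str:
    """PasswordDigest as defined on the slide: base64(SHA-1(UTF-8 password)).
    With no nonce or timestamp in the hash, a captured digest can be replayed just
    like the plaintext; later OASIS profiles hash nonce + created + password instead."""
    return base64.b64encode(hashlib.sha1(password.encode("utf-8")).digest()).decode("ascii")


def verify_username_token(token_xml: str, lookup_password) -> bool:
    """Server-side check of a wsse:UsernameToken. lookup_password(username) returns the
    stored password or None. A missing Type means PasswordText (the slide's default);
    any Type other than the two on the slide is rejected."""
    tok = ET.fromstring(token_xml)
    user_el = tok.find(f"{{{WSSE}}}Username")
    pwd_el = tok.find(f"{{{WSSE}}}Password")
    if user_el is None or pwd_el is None or not user_el.text or not pwd_el.text:
        return False
    stored = lookup_password(user_el.text.strip())
    if stored is None:
        return False
    ptype = pwd_el.get("Type", "wsse:PasswordText")
    if ptype == "wsse:PasswordText":
        expected = stored
    elif ptype == "wsse:PasswordDigest":
        expected = password_digest(stored)
    else:
        return False
    # constant-time compare so the check does not leak how many leading bytes matched
    return hmac.compare_digest(expected.encode("utf-8"), pwd_el.text.strip().encode("utf-8"))


# Constructed sample data for the demo
USERS = {"Zoe": "ILoveDogs"}
TEXT_TOKEN = f'''<wsse:UsernameToken xmlns:wsse="{WSSE}">
  <wsse:Username>Zoe</wsse:Username>
  <wsse:Password>ILoveDogs</wsse:Password>
</wsse:UsernameToken>'''
DIGEST_TOKEN = f'''<wsse:UsernameToken xmlns:wsse="{WSSE}">
  <wsse:Username>Zoe</wsse:Username>
  <wsse:Password Type="wsse:PasswordDigest">{password_digest("ILoveDogs")}</wsse:Password>
</wsse:UsernameToken>'''

if __name__ == "__main__":
    print(verify_username_token(TEXT_TOKEN, USERS.get), verify_username_token(DIGEST_TOKEN, USERS.get))
```

Verifying a PasswordDigest still requires the server to hold the password (or its SHA-1), so the digest form protects the wire, not the password store.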
Binary Security Tokens
<BinarySecurityToken Id=... EncodingType=... ValueType=.../>
EncodingType:
wsse:Base64Binary - base 64 encoding
wsse:HexBinary - hex encoding
ValueType:
wsse:X509v3 - X.509 v3 certificate
wsse:Kerberosv5TGT - Kerberos v5 ticket, ticket granting ticket
wsse:Kerberosv5ST - Kerberos v5 ticket, service ticket
Binary Security Tokens Example
<wsse:BinarySecurityToken
    xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/04/secext"
    Id="myToken" ValueType="wsse:X509v3"
    EncodingType="wsse:Base64Binary">
  MIIEZzCCA9CgAwIBAgIQEmtJZc0...
</wsse:BinarySecurityToken>
SecurityTokenReference
<SecurityTokenReference Id="...">
  <Reference URI="..."/>
</SecurityTokenReference>
Example:
<wsse:SecurityTokenReference
    xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/04/secext">
  <wsse:Reference URI="http://www.fabrikam123.com/tokens/Zoe#X509token"/>
</wsse:SecurityTokenReference>
Username Token Demo
Digital Signing
XML Signature
<Signature ID?>
  <SignedInfo>
    <CanonicalizationMethod/>
    <SignatureMethod/>
    (<Reference URI?>
      (<Transforms>)?
      <DigestMethod>
      <DigestValue>
    </Reference>)+
  </SignedInfo>
  <SignatureValue>
  (<KeyInfo>)?
  (<Object ID?>)*
</Signature>
XML Signature Example
<Signature Id="MyFirstSignature" xmlns="http://www.w3.org/2000/09/xmldsig#">
  <SignedInfo>
    <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
    <Reference URI="http://www.w3.org/TR/2000/REC-xhtml1-20000126/">
      <Transforms>
        <Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
      </Transforms>
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <DigestValue>j6lwx3rvEPO0vKtMup4NbeVu8nk=</DigestValue>
    </Reference>
  </SignedInfo>
  <SignatureValue>MC0CFFrVLtRlk=...</SignatureValue>
  <KeyInfo>
    <KeyValue>
      <DSAKeyValue>
        <P>...</P><Q>...</Q><G>...</G><Y>...</Y>
      </DSAKeyValue>
    </KeyValue>
  </KeyInfo>
</Signature>
XML signature in WS-Security
<wsse:Security>
  <wsse:BinarySecurityToken ValueType="wsse:X509v3"
      EncodingType="wsse:Base64Binary" Id="X509Token">
    MIIEZzCCA9CgAwIBAgIQEmtJZc0rqrKh5i...
  </wsse:BinarySecurityToken>
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference>
        <ds:Transforms>
          <ds:Transform Algorithm="http://...#RoutingTransform"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>EULddytSo1...</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>BL8jdfToEb1l/vXcMZNNjPOV...</ds:SignatureValue>
    <ds:KeyInfo>
      <wsse:SecurityTokenReference>
        <wsse:Reference URI="#X509Token"/>
      </wsse:SecurityTokenReference>
    </ds:KeyInfo>
  </ds:Signature>
</wsse:Security>
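An added Python example, not from the slides, showing the receiver side of the structure above: each ds:Reference digest is recomputed over the element its URI points to, and the SecurityTokenReference in KeyInfo is resolved to the BinarySecurityToken that carries the signer's certificate. It assumes the SOAP 1.1 envelope namespace and the slides' unprefixed Id attribute, and uses the standard library's C14N 2.0 in place of the exclusive C14N named on the slide (Python ships no exc-c14n); the envelope and order content are constructed.

```python
import base64, hashlib, hmac
import xml.etree.ElementTree as ET

S = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 namespace (assumed)
WSSE = "http://schemas.xmlsoap.org/ws/2002/04/secext"
DS = "http://www.w3.org/2000/09/xmldsig#"

def digest_of(elem) -> str:
    """base64(SHA-1(canonical XML of elem)). The stdlib offers only C14N 2.0, which
    stands in for the exclusive C14N named on the slide (same form on both sides)."""
    c14n = ET.canonicalize(ET.tostring(elem, encoding="unicode"), rewrite_prefixes=True)
    return base64.b64encode(hashlib.sha1(c14n.encode("utf-8")).digest()).decode("ascii")

def find_by_id(root, elem_id):
    """Resolve a same-document URI such as '#X509Token' via the Id attribute the slides use."""
    return next((el for el in root.iter() if el.get("Id") == elem_id), None)

def envelope(order: str, digest_value: str) -> str:  # constructed message in the slide's shape
    return f'''<S:Envelope xmlns:S="{S}" xmlns:wsse="{WSSE}" xmlns:ds="{DS}"><S:Header><wsse:Security>
<wsse:BinarySecurityToken ValueType="wsse:X509v3" EncodingType="wsse:Base64Binary" Id="X509Token">MIIEZzCCA9CgAwIBAgIQEmtJZc0rqrKh5i...</wsse:BinarySecurityToken>
<ds:Signature><ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#Body"><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>{digest_value}</ds:DigestValue></ds:Reference></ds:SignedInfo>
<ds:SignatureValue>BL8jdfToEb1l/vXcMZNNjPOV...</ds:SignatureValue>
<ds:KeyInfo><wsse:SecurityTokenReference><wsse:Reference URI="#X509Token"/></wsse:SecurityTokenReference></ds:KeyInfo>
</ds:Signature></wsse:Security></S:Header><S:Body Id="Body">{order}</S:Body></S:Envelope>'''

def signed_envelope(order: str) -> str:
    """Sender side: fill in the DigestValue over the Body (the header is not covered)."""
    body = find_by_id(ET.fromstring(envelope(order, "")), "Body")
    return envelope(order, digest_of(body))

def reference_validation(envelope_xml: str):
    """Receiver side, phase one of XML Signature verification: recompute each ds:Reference
    digest and resolve the SecurityTokenReference. Returns (digests_ok, token_text)."""
    root = ET.fromstring(envelope_xml)
    sig = root.find(f".//{{{DS}}}Signature")
    if sig is None:
        return False, None
    ok = True
    for ref in sig.iterfind(f".//{{{DS}}}Reference"):
        uri = ref.get("URI", "")
        target = find_by_id(root, uri[1:]) if uri.startswith("#") else None
        claimed = ref.findtext(f"{{{DS}}}DigestValue", "").strip()
        if target is None or not hmac.compare_digest(digest_of(target).encode(), claimed.encode()):
            ok = False  # a missing or altered referenced element fails the whole signature
    str_ref = sig.find(f".//{{{WSSE}}}SecurityTokenReference/{{{WSSE}}}Reference")
    tok = find_by_id(root, str_ref.get("URI", "")[1:]) if str_ref is not None else None
    return ok, (tok.text.strip() if tok is not None and tok.text else None)
```

Phase two, checking SignatureValue over the canonicalized SignedInfo with the public key from the resolved X.509 token, needs a crypto library and is left out here.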
Digital-Signing Demo
XML Encryption
<EncryptedData Id? Type? MimeType? Encoding?>
  <EncryptionMethod/>?
  <ds:KeyInfo>
    <EncryptedKey>?
    <AgreementMethod>?
    <ds:KeyName>?
    <ds:RetrievalMethod>?
    <ds:*>?
  </ds:KeyInfo>?
  <CipherData>
    <CipherValue>?
    <CipherReference URI?>?
  </CipherData>
  <EncryptionProperties>?
</EncryptedData>
Example
RSA Algorithm Demo (optional)
Primary References
1. WS-Security Specification
   http://msdn.microsoft.com/webservices/understanding/advancedwebservices/default.aspx?pull=/library/en-us/dnglobspec/html/ws-security.asp
2. WS-Security AppNotes (examples and guidance to implementers)
   http://www-106.ibm.com/developerworks/library/ws-secapp/
Secondary References
1. XML Signature (Syntax and Processing)
   http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/
2. XML Encryption (Syntax and Processing)
   http://www.w3.org/TR/xmlenc-core/
3. RSA encryption Demo (explains how RSA works)
   http://intercom.virginia.edu/crypto/crypto.html