WS-Security Additional Material
Security Element: enclosing information
• UsernameToken block
  - Defines how username-and-password info is enclosed in SOAP
  - Password must be protected against eavesdroppers (enc) and replay (timestamp/nonce)
• BinarySecurityToken block
  - Encloses binary data: an X.509 certificate or a Kerberos ticket
  - Has an identifier (Id), a value (ValueType), and an encoding (EncodingType)
• XML Signature KeyInfo may point to a certificate used in signing using a Reference to its Id. Similar for XML Encryption.
• So we can sign/encrypt data with a certificate in the header.
ID References
• A new global attribute: wsu:Id
  <anyElement wsu:Id="..">..</anyElement>
• Note that the SOAP processor needs to support this wsu:Id, a WS-Security namespace (wssecurity-secext-1.0.xsd)
• Recipients do not need to understand the full schema of the message for processing the security elements
• Two wsu:Id attributes within an XML document MUST NOT have the same value
• Recommended that wsu:Id is used instead of a more general transformation, especially XPath
Signatures
• Does not use the Enveloped Signature Transform
  - So the signature does not envelope the signed data, due to the mutability of the SOAP header
• Does not use the Enveloping Signature
  - So the signature is not appended as a child to the document
• The signature is appended to the security block
  - Explicitly includes the elements to be signed
  - Allows for extensions, multiple signatures, etc.
Signing Messages
• Multiple signature entries MAY be added into a single SOAP Envelope within one <wsse:Security> header block
• MUST be prepended to the existing content
• <ds:Reference> elements contained in the signature should refer to a resource within the enclosing SOAP envelope
<wsse:SecurityTokenReference>
• How to locate a key in a security token?
• Extensible mechanism that provides an open content model for referencing security tokens
• Specification considers only use in a header block
• New reference option for XML Signature: STR Dereference Transform
  - Applied to a SecurityTokenReference
  - Means that the output is the token referenced by the element, not the element itself
  - You can conveniently locate and sign security tokens anywhere in the header
XML Encryption Example
[Figure: asymmetric key pair; encryption with the public key, decryption with the private key]
XML Encryption
<EncryptedData Id? Type? MimeType? Encoding?>
  <EncryptionMethod/>?
  <ds:KeyInfo>
    <EncryptedKey>?
    <AgreementMethod>?
    <ds:KeyName>?
    <ds:RetrievalMethod>?
    <ds:*>?
  </ds:KeyInfo>
  <CipherData>
    <CipherValue>?
    <CipherReference URI?>?
  </CipherData>
  <EncryptionProperties>?
</EncryptedData>
Example
[Figure: SOAP Envelope
 SOAP Header, carrying the WS-Security block:
 • Security token (a certificate)
 • Encryption key (passing symmetric key)
 • Signature
 SOAP Body: encrypted content]
Overall message structure
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope>
  <soap:Header>
    <wsse:Security>
      <wsse:BinarySecurityToken>...</wsse:BinarySecurityToken>
      <xenc:EncryptedKey>...</xenc:EncryptedKey>
      <ds:Signature>
        <ds:SignatureValue>...</ds:SignatureValue>
        <ds:KeyInfo>...</ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
  </soap:Header>
  <soap:Body wsu:Id="body">
    <xenc:EncryptedData>...</xenc:EncryptedData>
  </soap:Body>
</soap:Envelope>
Security block
1. Binary security token
<wsse:Security>
  <wsu:Timestamp wsu:Id="T0">
    <wsu:Created>2001-09-13T08:42:00Z</wsu:Created>
  </wsu:Timestamp>
  <wsse:BinarySecurityToken ValueType="...#X509v3" wsu:Id="X509Token" EncodingType="...#Base64Binary">
    ABCDEF....
  </wsse:BinarySecurityToken>
  <xenc:EncryptedKey>...</xenc:EncryptedKey>
  <ds:Signature>...</ds:Signature>
</wsse:Security>
2. Passing encryption key
<xenc:EncryptedKey>
  <xenc:EncryptionMethod Algorithm="...#rsa-1_5"/>
  <ds:KeyInfo>
    <wsse:KeyIdentifier EncodingType="...#Base64Binary" ValueType="...#X509v3">
      ABCDEF....
    </wsse:KeyIdentifier>
  </ds:KeyInfo>
  <xenc:CipherData>
    <xenc:CipherValue>...</xenc:CipherValue>
  </xenc:CipherData>
  <xenc:ReferenceList>
    <xenc:DataReference URI="#enc1"/>
  </xenc:ReferenceList>
</xenc:EncryptedKey>
Callouts:
• KeyIdentifier: we are using another certificate for asymmetric crypto; this one is for the symmetric key
• CipherValue: the encrypted symmetric key
• DataReference: reference to the cipher data (the EncryptedData with wsu:Id="enc1")
3. Actual signature
<ds:Signature>
  <ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://...-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="http://...#rsa-sha1"/>
    <ds:Reference URI="#T0">...</ds:Reference>
    <ds:Reference URI="#body">...</ds:Reference>
    ...
  </ds:SignedInfo>
  <ds:SignatureValue>.....</ds:SignatureValue>
  <ds:KeyInfo>
    <wsse:SecurityTokenReference>
      <wsse:Reference URI="#X509Token"/>
    </wsse:SecurityTokenReference>
  </ds:KeyInfo>
</ds:Signature>
Callouts:
• CanonicalizationMethod: exclusive canonicalization
• Reference elements: references & digests to the data
• SecurityTokenReference: reference to the certificate
3. SignedInfo in more detail
<ds:SignedInfo>
  <ds:CanonicalizationMethod Algorithm="http://...-exc-c14n#"/>
  <ds:SignatureMethod Algorithm="http://...#rsa-sha1"/>
  <ds:Reference URI="#T0">
    <ds:Transforms>
      <ds:Transform Algorithm="http://...exc-c14n#"/>
    </ds:Transforms>
    <ds:DigestMethod Algorithm="http://...#sha1"/>
    <ds:DigestValue>...</ds:DigestValue>
  </ds:Reference>
  <ds:Reference URI="#body">
    <ds:Transforms>
      <ds:Transform Algorithm="http://...exc-c14n#"/>
    </ds:Transforms>
    <ds:DigestMethod Algorithm="http://...#sha1"/>
    <ds:DigestValue>...</ds:DigestValue>
  </ds:Reference>
</ds:SignedInfo>
4. Actual message body
<soap:Body wsu:Id="body">
  <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" wsu:Id="enc1">
    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
    <xenc:CipherData>
      <xenc:CipherValue>...</xenc:CipherValue>
    </xenc:CipherData>
  </xenc:EncryptedData>
</soap:Body>
</soap:Envelope>
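The following Python is an added defensive check, not code from the slides: against a constructed envelope laid out like the example above, it enforces the rules the slides state (wsu:Id values must be unique, ds:Reference URIs must resolve inside the envelope, the body and timestamp must be covered by the signature, and wsu:Created must fall inside a replay window). The namespace URIs are the standard WS-Security and XML-DSig ones; the sample message, the Ids T0 and body, and the 300-second window are assumptions. It checks structure only and does not verify digests or the signature value.

```python
import xml.etree.ElementTree as ET
from collections import Counter
from datetime import datetime

WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
WSU_ID = "{%s}Id" % WSU

# Constructed sample that follows the slides' message layout (digests and signature value elided).
SAMPLE = f"""<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
  xmlns:wsu="{WSU}" xmlns:ds="{DS}">
 <soap:Header><wsse:Security>
  <wsu:Timestamp wsu:Id="T0"><wsu:Created>2001-09-13T08:42:00Z</wsu:Created></wsu:Timestamp>
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#T0"/><ds:Reference URI="#body"/></ds:SignedInfo></ds:Signature>
 </wsse:Security></soap:Header>
 <soap:Body wsu:Id="body">...</soap:Body>
</soap:Envelope>"""

def check_envelope(xml_text, now, max_age=300, required=("body", "T0")):
    """Return a list of problems (empty == all checks passed); `now` is a naive UTC datetime."""
    root = ET.fromstring(xml_text)
    problems = []
    # 1. wsu:Id values MUST be unique, otherwise a "#id" reference is ambiguous.
    ids = Counter(e.get(WSU_ID) for e in root.iter() if e.get(WSU_ID))
    problems += [f"duplicate wsu:Id {v!r} ({n} occurrences)" for v, n in ids.items() if n > 1]
    # 2. Every ds:Reference should resolve to a wsu:Id inside this envelope.
    signed = set()
    for ref in root.iter(f"{{{DS}}}Reference"):
        uri = ref.get("URI", "")
        if not uri.startswith("#"):
            problems.append(f"reference {uri!r} points outside the envelope")
        elif ids[uri[1:]] == 0:
            problems.append(f"reference {uri!r} resolves to no wsu:Id")
        else:
            signed.add(uri[1:])
    # 3. The elements we rely on (body and timestamp) must be covered by the signature.
    for need in required:
        if need not in signed:
            problems.append(f"wsu:Id {need!r} is not covered by the signature")
    # 4. Replay window: wsu:Created must be recent relative to `now`.
    created = root.find(f".//{{{WSU}}}Created")
    if created is None:
        problems.append("no wsu:Created timestamp present")
    else:
        age = (now - datetime.strptime(created.text.strip(), "%Y-%m-%dT%H:%M:%SZ")).total_seconds()
        if not 0 <= age <= max_age:
            problems.append(f"timestamp is {age:.0f}s old (allowed window {max_age}s)")
    return problems
```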
SAML Examples
Attribute assertion
• An issuing authority asserts that: subject S is associated with attributes A, B, ... with values "a", "b", ...
• Typically this would be gotten from an LDAP repository
• Example: "john.doe" in "example.com" is associated with attribute "Department" with value "Human Resources"
Example attribute assertion
<saml:Assertion ...>
  <saml:Conditions .../>
  <saml:AttributeStatement>
    <saml:Subject>
      <saml:NameIdentifier SecurityDomain="example.com" Name="johndoe"/>
    </saml:Subject>
    <saml:Attribute AttributeName="PaidStatus" AttributeNameSpace="http://example.com">
      <saml:AttributeValue>PaidUp</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
Authorization decision assertion
• An issuing authority decides whether to grant the request by subject S for access type A to resource R given evidence E
• The subject could be a human or a program
• The resource could be a web page or a web service, for example
Example authorization decision assertion
<saml:Assertion ...>
  <saml:Conditions .../>
  <saml:AuthorizationStatement Decision="Permit" Resource="http://example.com/res123">
    <saml:Subject>
      <saml:NameIdentifier SecurityDomain="example.com" Name="johndoe"/>
    </saml:Subject>
  </saml:AuthorizationStatement>
</saml:Assertion>