WS-Security TC
Christopher Kaler, Kelvin Lawrence

Agenda
• Context for WS-Security
• WS-Security Elements and Example
• TC Charter and Deliverables

Web Service Security Issues
It is getting easier to build web services, but who is sending the messages?
Several approaches:
• SSL with username and password
• SSL with X.509 client certificates
• VPN with Kerberos
• XrML, SAML, …
Challenges:
• Computational cost
• Inflexibility
• Firewalls
• Distributed management
• Hop-to-hop vs. end-to-end
(Diagram: username/password; client certificates, smart cards, …; VPN)

Security and Web Services: Security in a Web Services World
• Safer: no exposure at intermediaries
• Interoperable: broad vendor support; leverages XML Signature and XML Encryption
• Flexible: builds on web infrastructure; works with HTTP, SMTP, and other transports; works over firewalls, through the DB, …
• Durable: security is available at the business request / application layer
• Higher performance and scalability: supports both public and symmetric keys; clients exchange security tokens and cache them
• Easier: a simple common approach for manageable authentication, authorization, and permissions

A Typical Challenge
(Diagram: Company A, its Business Partners, a Web Service, and a Certification Partner)
1. Run application
2. Request fails
3. Get proof of certification
4. Fax certification
5. Approve

A WS-Security Solution
(Diagram: Company A, its Business Partners, a Web Service, and a Certification Partner)
1. Run application
2. Get proof of certification
3. Request succeeds

How Does it Work?
1. Security tokens assert claims
2. Web services have policies
3. A security token service is just a web service that issues security tokens

Security Tokens
X.509, Kerberos, XrML, SAML, …
Security tokens assert claims:
• Identity
• Keys
• Privileges, rights, capabilities
• Custom
• …

Policies
(Diagram: a web service with its policy)
Services have policies.
Does the request have the correct security tokens?
• Policies describe the required claims
• Security tokens assert the claims

Security Token Service
(Diagram: a web service and a security token service, each with its own policy)
A security token service issues security tokens.
• It is just a web service
• A solution may require multiple token services

Agenda
• Context for WS-Security
• WS-Security Elements and Example
• TC Charter and Deliverables

New SOAP Elements
New in WS-Security:
• <Security> header
• <UsernameToken>
• <SecurityTokenReference>
• <BinarySecurityToken>
Existing:
• XML Signature
• XML Encryption
• Token formats (e.g., X.509, Kerberos, XrML, SAML)

<Security>
• SOAP:actor is optional
• One header per actor
• All security information together
• Sub-elements are pre-pended
• Supports multiple signatures
<Security SOAP:actor="..."> ... </Security>

Elements In <Security>
Including and referencing security tokens:
• <UsernameToken>
• <BinarySecurityToken>
• <SecurityTokenReference>
• <ds:KeyInfo>
• <xenc:EncryptedKey>
Signature:
• <ds:Signature>
Encryption manifest:
• <xenc:ReferenceList>
Encrypted attachments:
• <xenc:EncryptedData>
Other…

Simple Example
• Requesting a stock quote
• Security token indicates username
• Signature uses key generated from password

Simple Example (1 of 2)
<?xml version="1.0" encoding="utf-8"?>
<S:Envelope xmlns:S=".../soap-envelope" xmlns:ds="…/xmldsig#">
  <S:Header>
    <m:path xmlns:m="http://schemas.xmlsoap.org/rp/">
      <m:action>http://fabrikam.org/getQuote</m:action>
      <m:to>http://fabrikam.org/stocks</m:to>
      <m:id>uuid:84b9f5d0-33fb-4a81-b02b-5b760641c1d6</m:id>
    </m:path>
    <wsse:Security xmlns:wsse="…/secext">
      <wsse:UsernameToken Id="MyID">
        <wsse:Username>Zoe</wsse:Username>
      </wsse:UsernameToken>
      <ds:Signature>
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm=".../xml-exc-c14n#"/>
          <ds:SignatureMethod Algorithm=".../xmldsig#hmac-sha1"/>

Simple Example (2 of 2)
          <ds:Reference URI="#MsgBody">
            <ds:DigestMethod Algorithm="http://.../xmldsig#sha1"/>
            <ds:DigestValue>LyLsF0Pi4wPU...</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>DJbchm5gK...</ds:SignatureValue>
        <ds:KeyInfo>
          <wsse:SecurityTokenReference>
            <wsse:Reference URI="#MyID"/>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
  </S:Header>
  <S:Body Id="MsgBody">
    <tru:StockSymbol xmlns:tru="…">QQQ</tru:StockSymbol>
  </S:Body>
</S:Envelope>
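The computation the example message implies (the username token and password-derived key of the "Simple Example" slide, and the SignedInfo, Reference and SecurityTokenReference of the two listing slides), as an added Python illustration that is not code from the TC or the specification. It assumes the Body and SignedInfo are already in canonical form (exclusive C14N is not implemented) and stands in PBKDF2-HMAC-SHA1 for the password-to-key derivation, which the slides leave unspecified.

```python
import base64
import hashlib
import hmac

# Constructed canonical form of the example's <S:Body>; real code must apply
# exclusive C14N to the live element, which is not implemented here.
CANONICAL_BODY = (b'<S:Body xmlns:S=".../soap-envelope" Id="MsgBody">'
                  b'<tru:StockSymbol xmlns:tru="...">QQQ</tru:StockSymbol></S:Body>')

def key_from_password(password: str, salt: bytes = b"constructed-salt") -> bytes:
    # Assumed derivation: the slides only say the key is "generated from password".
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, 1000)

def b64_sha1(data: bytes) -> str:
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")

def signed_info(reference_uri: str, digest_b64: str) -> bytes:
    # Canonical <ds:SignedInfo> as on the slides: the Body's digest lives here,
    # and the HMAC is computed over this element, not over the Body itself.
    return (
        '<ds:SignedInfo xmlns:ds=".../xmldsig#">'
        '<ds:CanonicalizationMethod Algorithm=".../xml-exc-c14n#"></ds:CanonicalizationMethod>'
        '<ds:SignatureMethod Algorithm=".../xmldsig#hmac-sha1"></ds:SignatureMethod>'
        f'<ds:Reference URI="{reference_uri}">'
        '<ds:DigestMethod Algorithm=".../xmldsig#sha1"></ds:DigestMethod>'
        f'<ds:DigestValue>{digest_b64}</ds:DigestValue>'
        '</ds:Reference></ds:SignedInfo>'
    ).encode("utf-8")

def sign(password: str, canonical_body: bytes, reference_uri: str = "#MsgBody") -> dict:
    # Sender side: digest the referenced element, then HMAC-SHA1 the SignedInfo.
    digest = b64_sha1(canonical_body)
    mac = hmac.new(key_from_password(password), signed_info(reference_uri, digest), hashlib.sha1)
    return {"URI": reference_uri, "DigestValue": digest,
            "SignatureValue": base64.b64encode(mac.digest()).decode("ascii")}

def verify(password: str, canonical_body: bytes, sig: dict, consumed_id: str = "MsgBody") -> bool:
    # Receiver side; the password is the one on file for the <wsse:Username>
    # that the <wsse:SecurityTokenReference> (URI="#MyID") points at.
    # 1. The Reference must name the element the application will actually process.
    if sig["URI"] != "#" + consumed_id:
        return False
    # 2. The recomputed digest of that element must match DigestValue.
    if not hmac.compare_digest(b64_sha1(canonical_body), sig["DigestValue"]):
        return False
    # 3. The HMAC over the rebuilt SignedInfo must match SignatureValue.
    expected = hmac.new(key_from_password(password),
                        signed_info(sig["URI"], sig["DigestValue"]), hashlib.sha1).digest()
    return hmac.compare_digest(expected, base64.b64decode(sig["SignatureValue"]))
```

The receiver rebuilds SignedInfo from the message and checks the HMAC against it, so a changed DigestValue, a changed Body, or a Reference that points somewhere other than the processed Body all fail.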

Agenda
• Context for WS-Security
• WS-Security Elements and Example
• TC Charter and Deliverables

WS-Security TC Charter
Continue work on the Web service security foundations published in the WS-Security specification and under the context of the Web Services Security roadmap.

WS-Security TC Scope
• Using XML Signature to provide SOAP message integrity for Web services
• Using XML Encryption to provide SOAP message confidentiality for Web services
• Attaching and/or referencing security tokens in headers of SOAP messages
• Carrying security information for potentially multiple, designated actors
• Associating signatures with security tokens
• Representing specific forms of binary security tokens as defined in the WS-Security specification

WS-Security TC Deliverables
• Accept as input the Web Services Security (WS-Security) specification.
• Produce as output a specification for Web Services Security. This specification will reflect refinements and changes made to the submitted version of WS-Security that are identified by the WSS TC members for additional functionality within the scope of the TC charter.
• Liaise and/or forge relationships with other Web services efforts to assist in leveraging WS-Security as a part of their specifications or solutions.
• Coordinate with the chairs of the other OASIS security-related groups via the Security Joint Coordination Committee.
• Oversee ongoing maintenance and errata of the WS-Security specification.

Questions