Prabath Siriwardena, WSO2 SOA Security Architect, gives a presentation on secured SOA at the SOA workshop in Colombo, Sri Lanka (September 17, 2009).
Page 1
Secured SOA
By Prabath Siriwardena ~ WSO2
Page 2
November 01st, 2007
Page 3
WSO2, No: 59, Flower Road, Colombo 07, Sri Lanka
Page 4
Ruchith Fernando, Security Lead, WSO2, 2006 – 2008
Now a PhD student at Purdue University
Page 6
Securing a Web Service...?
Page 8
People Can SEE What You Send
Page 9
People Can ALTER What You Send
Page 10
Anyone Can CALL Your Service
Page 11
People SEE What’s On HTTP
Page 12
People Can ALTER What’s On HTTP
Page 13
HTTP is NOT Secured
Page 15
HTTPS is Transport Level
Page 18
Security inherited from the transport channel
Page 19
Safe only while on the transport
Page 20
Parts of the message CANNOT BE encrypted
Page 22
Authenticating with HTTPS ?
Page 27
Mutual Authentication
Page 29
CLIENT_HELLO
Highest SSL Version,
Ciphers Supported,
Data Compression Methods,
SessionId = 0,
Random Data
Page 30
SERVER_HELLO
Selected SSL Version,
Selected Cipher,
Selected Data Compression Method,
Assigned Session Id,
Random Data
Page 31
CERTIFICATE
Public Key,
Authentication Signature
Page 32
CLIENT_CERT_REQUEST
[Optional]
Page 33
CLIENT_CERT
[Optional]
Page 34
CLIENT_KEY_EXCHANGE
Page 35
CERTIFICATE_VERIFY
[Optional]
Page 36
CHANGE_CIPHER_SPEC
Page 38
CHANGE_CIPHER_SPEC
Page 41
NOT Happy With HTTPS
Page 42
Requires END To END Security
Page 43
Parts of message need to be Encrypted
Page 44
<soap:Envelope>
  <soap:Body>
    <ns1:withdrawMoney>
      <param1></param1>
      <param2></param2>
      <param3></param3>
    </ns1:withdrawMoney>
  </soap:Body>
</soap:Envelope>
Page 46
Message Level Security
Page 52
NON-Repudiation
Page 55
<wsse:UsernameToken wsu:Id="Example-1">
  <wsse:Username> ... </wsse:Username>
  <wsse:Password Type="..."> ... </wsse:Password>
  <wsse:Nonce EncodingType="..."> ... </wsse:Nonce>
  <wsu:Created> ... </wsu:Created>
</wsse:UsernameToken>
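The UsernameToken above only lists the element names. What makes it usable over an untrusted channel is the digest form of the password, which the Username Token Profile defines as Password_Digest = Base64(SHA-1(nonce + created + password)), combined with a server that checks freshness and rejects repeated nonces. The following Python is an added example, not code from the slides or from WSO2; the user store, the nonce cache and the clock values are constructed for the demonstration, and the run_checks() function exists only to exercise the happy path, a replay, a wrong password and a stale token.

```python
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from xml.sax.saxutils import escape

# Namespace and type URIs from WS-Security 1.0 / Username Token Profile 1.0.
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PASSWORD_DIGEST = ("http://docs.oasis-open.org/wss/2004/01/"
                   "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
BASE64_BINARY = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-soap-message-security-1.0#Base64Binary")
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Password_Digest = Base64(SHA-1(nonce + created + password)); nonce is the raw bytes."""
    digest = hashlib.sha1(nonce + created.encode("utf-8") + password.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def build_username_token(username, password, nonce=None, created=None, token_id="Example-1"):
    """Client side: emit a UsernameToken carrying a digest rather than the clear password."""
    nonce = nonce if nonce is not None else os.urandom(16)
    created = created or datetime.now(timezone.utc).strftime(TIME_FMT)
    return (
        f'<wsse:UsernameToken xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" wsu:Id="{token_id}">'
        f"<wsse:Username>{escape(username)}</wsse:Username>"
        f'<wsse:Password Type="{PASSWORD_DIGEST}">{password_digest(nonce, created, password)}</wsse:Password>'
        f'<wsse:Nonce EncodingType="{BASE64_BINARY}">{base64.b64encode(nonce).decode("ascii")}</wsse:Nonce>'
        f"<wsu:Created>{created}</wsu:Created>"
        "</wsse:UsernameToken>"
    )


def verify_username_token(token_xml, lookup_password, seen_nonces, now=None, max_skew_s=300):
    """Server side: recompute the digest from the stored password and reject stale or
    replayed (nonce, created) pairs. Returns the authenticated username or None.
    Entries in seen_nonces only need to be kept for max_skew_s seconds."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(token_xml)
    username = root.findtext(f"{{{WSSE}}}Username")
    pw_el = root.find(f"{{{WSSE}}}Password")
    nonce_el = root.find(f"{{{WSSE}}}Nonce")
    created = root.findtext(f"{{{WSU}}}Created")
    if username is None or pw_el is None or nonce_el is None or created is None:
        return None
    if pw_el.get("Type") != PASSWORD_DIGEST:
        return None  # PasswordText would put the secret on the wire in the clear
    try:
        created_dt = datetime.strptime(created, TIME_FMT).replace(tzinfo=timezone.utc)
        nonce = base64.b64decode(nonce_el.text or "")
    except ValueError:
        return None
    if abs((now - created_dt).total_seconds()) > max_skew_s:
        return None  # outside the freshness window
    if (nonce_el.text, created) in seen_nonces:
        return None  # replayed token
    password = lookup_password(username)
    if password is None:
        return None
    expected = password_digest(nonce, created, password)
    if not hmac.compare_digest(expected, pw_el.text or ""):
        return None
    seen_nonces.add((nonce_el.text, created))
    return username


def run_checks():
    """Constructed scenario (sample data, not from the slides): one valid token, then a
    replay of it, a token built with the wrong password, and one created hours ago."""
    users = {"alice": "correct horse battery staple"}  # constructed user store
    seen = set()
    now = datetime(2009, 9, 17, 10, 0, 0, tzinfo=timezone.utc)  # constructed server clock
    created = "2009-09-17T09:59:30Z"
    good = build_username_token("alice", users["alice"], created=created)
    results = {"fresh": verify_username_token(good, users.get, seen, now=now)}
    results["replay"] = verify_username_token(good, users.get, seen, now=now)
    bad = build_username_token("alice", "wrong password", created=created)
    results["wrong_password"] = verify_username_token(bad, users.get, seen, now=now)
    stale = build_username_token("alice", users["alice"], created="2009-09-17T08:00:00Z")
    results["stale"] = verify_username_token(stale, users.get, seen, now=now)
    return results


if __name__ == "__main__":
    print(run_checks())
```

The digest form keeps the password off the wire, but it is only as strong as the nonce cache and the clock window on the server: without both, a captured token can simply be resent, which is why the verifier records each (nonce, created) pair it accepts.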
Page 56
NOBODY Can See the Message in Clear Text Other
than the Intended Recipient
Page 57
NOBODY In the Middle Can ALTER the Message
Page 58
Only the Authenticated Users Can Invoke the Service
Page 59
XML Signature
XML Encryption
Username Token Profile
X.509 Token Profile
WS-Security
Page 60
DONE with My First Assignment
Page 61
BUT… Paul NOT Happy
Page 62
Authentication LIMITED to
INTERNAL Users ONLY
Page 63
Users OUTSIDE Our Domain Need ACCESS
Page 64
We DON’T Have Their Credentials
Page 65
We Can’t Use UsernameToken
Page 66
Delegate Authentication to the External Domain
itself
Page 67
They Should Know How to Authenticate Their Own
Users
Page 68
We TRUST What the External Domain Says
Page 71
<s:Envelope>
  <s:Header>
    <wsa:Action>http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue</wsa:Action>
  </s:Header>
  <s:Body>
    <wst:RequestSecurityToken>
      <wst:TokenType>http://example.org/mySpecialToken</wst:TokenType>
      <wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</wst:RequestType>
    </wst:RequestSecurityToken>
  </s:Body>
</s:Envelope>
Page 72
<s:Envelope>
  <s:Header>
    <wsa:Action>http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/Issue</wsa:Action>
  </s:Header>
  <s:Body>
    <wst:RequestSecurityTokenResponseCollection>
      <wst:RequestSecurityTokenResponse>
        <wst:RequestedSecurityToken>
          <xyz:CustomToken xmlns:xyz="..."> </xyz:CustomToken>
        </wst:RequestedSecurityToken>
      </wst:RequestSecurityTokenResponse>
    </wst:RequestSecurityTokenResponseCollection>
  </s:Body>
</s:Envelope>
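The RST/RSTR exchange above delegates authentication to the external domain's security token service (STS): our service never sees the outside user's credentials, it only checks that the returned token was issued by an STS it trusts and is still valid. The following Python is an added example, not code from the slides or from WSO2 or any WS-Trust implementation. It stands in for the xyz:CustomToken with an HMAC-signed claim set over a key assumed to be shared between the STS and the relying party (real deployments would use an XML Signature over a SAML or similar token); the xmlns:xyz namespace, the issuer names, the keys and the clock values are all constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import xml.etree.ElementTree as ET

WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
XYZ = "urn:example:custom-token"  # placeholder for the slide's xmlns:xyz="..."


def issue_token(sts_key: bytes, issuer: str, subject: str, audience: str, now: int, ttl_s: int = 300) -> str:
    """STS side: sign a claim set (issuer, subject, audience, validity) with the shared key."""
    claims = {"iss": issuer, "sub": subject, "aud": audience, "iat": now, "exp": now + ttl_s}
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode("utf-8")
    sig = hmac.new(sts_key, body, hashlib.sha256).digest()
    return base64.b64encode(body).decode("ascii") + "." + base64.b64encode(sig).decode("ascii")


def wrap_in_rstr(token: str) -> str:
    """Place the issued token where the RSTR on the slide carries xyz:CustomToken."""
    return (
        f'<wst:RequestSecurityTokenResponseCollection xmlns:wst="{WST}">'
        "<wst:RequestSecurityTokenResponse><wst:RequestedSecurityToken>"
        f'<xyz:CustomToken xmlns:xyz="{XYZ}">{token}</xyz:CustomToken>'
        "</wst:RequestedSecurityToken></wst:RequestSecurityTokenResponse>"
        "</wst:RequestSecurityTokenResponseCollection>"
    )


def extract_token(rstr_xml: str):
    """Relying-party side: pull the custom token out of the RSTR body."""
    el = ET.fromstring(rstr_xml).find(f".//{{{XYZ}}}CustomToken")
    return None if el is None else (el.text or "")


def accept_token(token: str, trusted_issuers: dict, expected_audience: str, now: int):
    """Relying-party side: the token is accepted only if its issuer is on our trust list,
    its signature verifies under that issuer's key, it was issued for us, and it is
    within its validity window. Returns the asserted subject or None."""
    try:
        body_b64, sig_b64 = token.split(".", 1)
        body = base64.b64decode(body_b64)
        sig = base64.b64decode(sig_b64)
        claims = json.loads(body)
    except ValueError:
        return None
    key = trusted_issuers.get(claims.get("iss"))
    if key is None:
        return None  # we do not trust what this domain says
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), sig):
        return None  # not actually issued by that domain
    if claims.get("aud") != expected_audience:
        return None  # issued for some other service
    if not (claims.get("iat", 0) <= now < claims.get("exp", 0)):
        return None  # not yet valid or expired
    return claims.get("sub")


def run_trust_checks():
    """Constructed scenario: a partner STS we trust, one we do not, and a forger."""
    partner_key = b"constructed-shared-key-partner"   # assumed shared with partner STS
    trusted = {"urn:partner-sts": partner_key}
    issued_at = 1_000_000  # constructed clock values, seconds
    good = extract_token(wrap_in_rstr(issue_token(partner_key, "urn:partner-sts", "bob@partner.example", "urn:our-service", issued_at)))
    results = {"valid": accept_token(good, trusted, "urn:our-service", issued_at + 100)}
    results["expired"] = accept_token(good, trusted, "urn:our-service", issued_at + 400)
    results["wrong_audience"] = accept_token(good, trusted, "urn:other-service", issued_at + 100)
    untrusted = issue_token(b"constructed-other-key", "urn:unknown-sts", "eve", "urn:our-service", issued_at)
    results["untrusted_issuer"] = accept_token(untrusted, trusted, "urn:our-service", issued_at + 100)
    forged = issue_token(b"constructed-wrong-key", "urn:partner-sts", "eve", "urn:our-service", issued_at)
    results["forged"] = accept_token(forged, trusted, "urn:our-service", issued_at + 100)
    return results


if __name__ == "__main__":
    print(run_trust_checks())
```

The trust list is the whole point of the "We TRUST What the External Domain Says" slide: adding an issuer to trusted_issuers is an explicit decision, and every other check (signature, audience, validity) exists so that trust cannot be borrowed by a token minted elsewhere or reused against a different service.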
Page 73
XML Signature
XML Encryption
Username Token Profile
X.509 Token Profile
WS-Security
WS-Trust
Page 74
Another Problem on HAND…
Page 75
How Do We Communicate our Security
Requirements to Outsiders ?
Page 76
The Encryption Algorithm We Use…
Page 79
Elements to be Signed…
Page 80
Elements to be Encrypted…
Page 81
Use Symmetric Key or Asymmetric Key…
Page 82
WS-Security Policy
Page 83
Finally… We All Moved to the White Board…
Page 86
http://wso2.com
http://wso2.com/about/contact