
563.xx Web Services Security: A Guide to Current Standards Advanced Computer Security

563.xx Web Services Security: A Guide to Current Standards Advanced Computer Security. Adam Lee and Lars Olson Spring 2006. Overview. Core Standards XML SOAP WSDL UDDI Access Control and Authorization XACML SAML Core Security Standards XML Digital Signature XML Encryption


Presentation Transcript


  1. 563.xx Web Services Security: A Guide to Current Standards • Advanced Computer Security • Adam Lee and Lars Olson • Spring 2006

  2. Overview • Core Standards • XML • SOAP • WSDL • UDDI • Access Control and Authorization • XACML • SAML • Core Security Standards • XML Digital Signature • XML Encryption • Advanced Security • WS-*

  3. Multiple Standards Bodies • W3C • XML, SOAP, WSDL, XML Encryption, XML Digital Signature, XKMS • OASIS • UDDI, SAML, XACML, WS-Security, WS-Policy, WS-Trust, WS-Authorization, WS-SecureConversation, WS-Federation, WS-* • WS-* standards developed by MS/IBM and submitted to OASIS for standardization • Sun • Liberty Alliance Project

  4. Standards Interactions

  5. Core Standards

  6. XML • eXtensible Markup Language • W3C Recommendation, V1.1 • A restricted form of SGML (an ISO standard) • Allows delivery of custom data • Focuses on what data is, not what data looks like (e.g., HTML) • Use a Document Type Definition (DTD) or Schema to describe new syntax

  7. Simple XML Example

          <?xml version="1.1"?>
          <note>
            <date>2004-11-10</date>
            <to>Adam</to>
            <from>Kody</from>
            <heading>Hungry</heading>
            <body>Feed me, dad!</body>
          </note>

  8. XML with DTD

          <?xml version="1.1"?>
          <!DOCTYPE note [
            <!ELEMENT note (date, to, from, heading, body)>
            <!ELEMENT date (#PCDATA)>
            <!ELEMENT to (#PCDATA)>
            <!ELEMENT from (#PCDATA)>
            <!ELEMENT heading (#PCDATA)>
            <!ELEMENT body (#PCDATA)>
          ]>
          <note>
            <date>2004-10-11</date>
            <to>Adam</to>
            <from>Jasmine</from>
            <heading>Bone</heading>
            <body>Kody stole my bone!</body>
          </note>

  9. Schema Example

          <?xml version="1.0"?>
          <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
                     targetNamespace="http://www.w3schools.com"
                     xmlns="http://www.w3schools.com"
                     elementFormDefault="qualified">
            <xs:element name="note">
              <xs:complexType>
                <xs:sequence>
                  <xs:element name="date" type="xs:date"/>
                  <xs:element name="to" type="xs:string"/>
                  <xs:element name="from" type="xs:string"/>
                  <xs:element name="heading" type="xs:string"/>
                  <xs:element name="body" type="xs:string"/>
                </xs:sequence>
              </xs:complexType>
            </xs:element>
          </xs:schema>

     XML Schema Tutorial

  10. XML Namespaces • Namespaces used (as in programming languages) to scope element definitions • What if we want to use multiple “vocabularies” of terms that may overlap? • For instance, if we have two definitions for the element <foo>, which do we use? • Namespaces identified through a URI • Don’t try to look up the URI, it is not guaranteed to exist!

  11. XML Namespace Example

          <Department>
            <Name>DVS1</Name>
            <addr:Address xmlns:addr="http://blah.com/addresses">
              <addr:Street>Wilhelminenstr. 7</addr:Street>
              <addr:City>Darmstadt</addr:City>
              <addr:State>Hessen</addr:State>
              <addr:Country>Germany</addr:Country>
              <addr:PostalCode>D-64285</addr:PostalCode>
            </addr:Address>
            <serv:Server xmlns:serv="http://blah.com/servers">
              <serv:Name>OurWebServer</serv:Name>
              <serv:Address>123.45.67.8</serv:Address>
            </serv:Server>
          </Department>

      XML Namespaces FAQ

  12. DOM • Document Object Model • W3C Recommendation, V1.0 Level 3 • Internal representation of an XML document as a tree • Allows us to specify an element and all the data inside it as a subtree • Also allows us to specify a search pattern over the document (e.g. XPath)

  13. SOAP • Simple Object Access Protocol • W3C Recommendation, V1.2 • W3C SOAP Primer • Type of XML document • Extensible messaging framework • Issues such as security not part of specification, addressed as extensions

  14. The Stack • SOAP • XML • HTTP (Usually but not always)

  15. SOAP Messages • Two main parts to the message • Header: Contains message meta-information • Body: Contains the main message • [Diagram: SOAP Envelope containing SOAP Header (optional) and SOAP Body]

  16. SOAP Example

          <env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope">
            <env:Header>
              <n:alertcontrol xmlns:n="http://example.org/alertcontrol">
                <n:priority>1</n:priority>
                <n:expires>2001-06-22T14:00:00-05:00</n:expires>
              </n:alertcontrol>
            </env:Header>
            <env:Body>
              <m:alert xmlns:m="http://example.org/alert">
                <m:msg>Pay the electric bill today!</m:msg>
              </m:alert>
            </env:Body>
          </env:Envelope>

  17. SOAP RPC Request

          POST /travelservice
          SOAPAction: http://www.acme-travel.com/flightinfo
          Content-Type: text/xml; charset="utf-8"
          Content-Length: nnnn

          <SOAP:Envelope xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/">
            <SOAP:Body>
              <m:GetFlightInfo
                  xmlns:m="http://www.acme-travel.com/flightinfo"
                  SOAP:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"
                  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
                <airlineName xsi:type="xsd:string">UL</airlineName>
                <flightNumber xsi:type="xsd:int">506</flightNumber>
              </m:GetFlightInfo>
            </SOAP:Body>
          </SOAP:Envelope>

      Unraveling the Web Services Web

  18. SOAP RPC Response

          HTTP/1.1 200 OK
          Content-Type: text/xml; charset="utf-8"
          Content-Length: nnnn

          <SOAP:Envelope xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/">
            <SOAP:Body>
              <m:GetFlightInfoResponse
                  xmlns:m="http://www.acme-travel.com/flightinfo"
                  SOAP:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"
                  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
                <flightInfo>
                  <gate xsi:type="xsd:int">10</gate>
                  <status xsi:type="xsd:string">ON TIME</status>
                </flightInfo>
              </m:GetFlightInfoResponse>
            </SOAP:Body>
          </SOAP:Envelope>

  19. WSDL • Web Services Description Language • W3C Recommendation, V1.1 • Tutorial • Another type of XML document • Describes ports (services), port types (sets of operations), data type definitions, …

  20. The Stack Redux • WSDL • SOAP • XML • HTTP (Usually but not always)

  21. Sample WSDL • WSDL is usually long and ugly • Click here for an annotated example • Fortunately, WSDL is not usually written by hand • Apache Axis • Java2WSDL – Generate WSDL from Java source • WSDL2Java – Generate proxy and stub Java code from WSDL

  22. UDDI • Universal Description, Discovery and Integration • OASIS Specification, V3.0.1 • Set of services supporting description and discovery of: • Businesses and web service providers • The web services the above entities make available • The interfaces used to access the above service • Note security issues: • Are the services you find really the services you’re looking for?

  23. The Stack, Fin • UDDI • WSDL • SOAP • XML • HTTP (Usually but not always)

  24. Access Control and Authorization

  25. XACML • eXtensible Access Control Markup Language • OASIS Standard, V1.0 • An Introduction to XACML • Type of XML document • Provides a means of describing and enforcing access control policies using a simple language

  26. XACML Layers • Policy Administration Point • Creates and stores policies • Policy Enforcement Point • Makes decision requests and enforces authorization decisions • Policy Information Point • Repository for attribute values or data required for policy evaluation • Policy Decision Point • Evaluates the applicable policy and returns a decision

  27. XACML Policy Example • Discussion on XACML Technical Committee mailing list • http://lists.oasis-open.org/archives/xacml/200206/msg00003.html • Fairly intuitive and readable, but very “wordy”

  28. SAML • Security Assertion Markup Language • OASIS Standard, V1.1 • An Introduction to SAML • Allows an organization to make assertions about security properties of a subject • Authentication • Attributes • Authorization decisions

  29. SAML (cont.) • Subjects can present these assertions to other organizations to prove that the issuing organization “vouches” for them • Allows state for single sign-on services, like browser cookies for HTTP

  30. Sample SAML Assertion

          <saml:Assertion MajorVersion="1" MinorVersion="0"
              AssertionID="128.9.167.32.12345678"
              Issuer="Company.com"
              IssueInstant="2002-03-21T10:02:00Z">
            <saml:Conditions NotBefore="2002-03-21T10:02:00Z"
                             NotAfter="2002-03-21T10:07:00Z" />
            <saml:AuthenticationStatement AuthenticationMethod="password"
                AuthenticationInstant="2002-03-21T10:02:00Z">
              <saml:Subject>
                <saml:NameIdentifier SecurityDomain="Company.com" Name="joeuser" />
              </saml:Subject>
            </saml:AuthenticationStatement>
          </saml:Assertion>

      An Introduction to SAML
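How a relying party might check an assertion like the one on slide 30 before honouring it, as an added Python example that is not part of the original slides. It assumes the assertion's signature has already been verified; the `check_assertion` function, the trusted-issuer set and the clock-skew allowance are hypothetical, and the sample is constructed from the slide with an `xmlns:saml` declaration added so a namespace-aware parser accepts it.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"  # SAML 1.x assertion namespace

# Constructed sample modelled on slide 30 (attribute names as shown there).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="0" AssertionID="128.9.167.32.12345678"
    Issuer="Company.com" IssueInstant="2002-03-21T10:02:00Z">
  <saml:Conditions NotBefore="2002-03-21T10:02:00Z"
                   NotAfter="2002-03-21T10:07:00Z"/>
  <saml:AuthenticationStatement AuthenticationMethod="password"
      AuthenticationInstant="2002-03-21T10:02:00Z">
    <saml:Subject>
      <saml:NameIdentifier SecurityDomain="Company.com" Name="joeuser"/>
    </saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>"""

def _ts(value):
    # Timestamps in the sample are UTC with a trailing "Z".
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_assertion(xml_text, trusted_issuers, now, skew=timedelta(seconds=30)):
    """Return (accepted, detail): the subject name if accepted, else the reason."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        return False, "not a SAML assertion"
    if root.get("Issuer") not in trusted_issuers:
        return False, "untrusted issuer"
    cond = root.find(f"{{{SAML_NS}}}Conditions")
    if cond is None or cond.get("NotBefore") is None or cond.get("NotAfter") is None:
        return False, "missing validity window"  # fail closed
    if now + skew < _ts(cond.get("NotBefore")):
        return False, "not yet valid"
    if now - skew >= _ts(cond.get("NotAfter")):
        return False, "expired"
    name = root.find(f".//{{{SAML_NS}}}Subject/{{{SAML_NS}}}NameIdentifier")
    if name is None or not name.get("Name"):
        return False, "no subject"
    return True, name.get("Name")
```

The five-minute window in the sample is what limits replay of a captured assertion, so an assertion without a `Conditions` element is rejected rather than treated as always valid.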

  31. Core Security Standards

  32. Base64 • Specification: http://www.faqs.org/rfcs/rfc1521.html • A way to encode arbitrary binary data into a text-friendly format [A-Za-z0-9+/=]* • A: 000000, B: 000001, …, +: 111110, /: 111111, = is for padding

  33. XMLENC (XML Encryption) • Current version: http://www.w3.org/TR/xmlenc-core/ • Uses 3DES, AES to encrypt an arbitrary subtree of a document • Key can be a shared key, or it can be encrypted by another key and included in the document

  34. Example XMLENC transformation

          <sampleDoc>
            <value attr="1">some value</value>
          </sampleDoc>

          <sampleDoc>
            <xenc:EncryptedData>
              <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
              <xenc:CipherData>
                <xenc:CipherValue>
                  cj2U3b428DXg+tB13/b8rx1yTh4oDEDbLInjCdZn28HNWsDEF621zEciHqsdGyz2eRn6huyWrgBEILbufIx9ww==
                </xenc:CipherValue>
              </xenc:CipherData>
            </xenc:EncryptedData>
          </sampleDoc>

  35. Example XMLENC transformation

          <sampleDoc>
            <xenc:EncryptedData>
              <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
              <ds:KeyInfo>
                <xenc:EncryptedKey>
                  <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
                  <xenc:CipherData>
                    <xenc:CipherValue>...</xenc:CipherValue>
                  </xenc:CipherData>
                </xenc:EncryptedKey>
              </ds:KeyInfo>
              <xenc:CipherData>
                <xenc:CipherValue>...</xenc:CipherValue>
              </xenc:CipherData>
            </xenc:EncryptedData>
          </sampleDoc>

  36. Things to Note • Different parts of a single document can be encrypted by different keys for multiple recipients • APIs not particularly well-documented yet (Xerces was better than anything else I found) • Does not allow special use of the SOAP header: all metadata (e.g. KeyInfo, EncryptionMethod) must be within the EncryptedData element

  37. XMLENC APIs • Java • IBM XML Security Suite for Java (XSS4J) http://www.trl.ibm.com/projects/xml/xss4j/apidocs/index.html • Apache Xerces for Java http://xml.apache.org/security/Java/api/index.html • Verisign http://www.xmltrustcenter.org/developer/verisign/tsik/docs/api/index.html • C++ • Apache Xerces for C++ http://xml.apache.org/security/c/apiDocs/index.html • C • Not much out there, I found http://www.aleksey.com/xmlsec/ which is based on Gnome's libxml2. • .NET: • “Currently, XML Encryption is not yet supported by .NET” (as of 1.1?) • Seems to be implemented in 2.0, see sample code • Perl? Others?

  38. Using Xerces for Java API • No enumerated type for the algorithms • Must use 3DES or AES for encryption • RSA is in the list of enumerated algorithms, but it can only be used for key encryption! • Must make the transformation on the document itself, cannot generate it to a new document • Decoding is easier than encoding, but the document parser must be namespace-aware! • Not pretty-printed

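  39. Using Xerces for Java API • Example encryption code: (see source)

          import java.security.Key;
          import org.apache.xml.security.encryption.EncryptedKey;
          import org.apache.xml.security.encryption.XMLCipher;
          import org.apache.xml.security.keys.KeyInfo;
          import org.w3c.dom.Document;
          import org.w3c.dom.Element;

          Document sourceDoc = …load/parse document to encrypt…;
          Element elementToEncrypt = …select element of sourceDoc to encrypt…;
          Key symmetricKey = …generate key…;

          XMLCipher xmlCipher = XMLCipher.getInstance(XMLCipher.AES_128);
          xmlCipher.init(XMLCipher.ENCRYPT_MODE, symmetricKey);

          // to include encrypted key...
          // RSA_v1dot5 is PKCS#1 v1.5 key transport; XMLCipher.RSA_OAEP selects OAEP instead
          XMLCipher keyCipher = XMLCipher.getInstance(XMLCipher.RSA_v1dot5);
          // wrap the AES key under the recipient's RSA public key;
          // the matching private key unwraps it (setKEK on decryption)
          keyCipher.init(XMLCipher.WRAP_MODE, recipientPublicKey);
          EncryptedKey encryptedKey = keyCipher.encryptKey(sourceDoc, symmetricKey);
          KeyInfo keyInfo = new KeyInfo(sourceDoc);
          keyInfo.add(encryptedKey);
          xmlCipher.getEncryptedData().setKeyInfo(keyInfo);

          // true = encrypt only the element's content; the element itself stays in place
          xmlCipher.doFinal(sourceDoc, elementToEncrypt, true);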

  40. Using Xerces for Java API • Example decryption code: (see source)

          Document sourceDoc = …load/parse document to decrypt…;
          Element encryptedDataElement = …select element of sourceDoc to decrypt…;
          XMLCipher xmlCipher = XMLCipher.getInstance();

          // if the key is included encrypted in the document...
          xmlCipher.init(XMLCipher.DECRYPT_MODE, null);
          xmlCipher.setKEK(…private or shared key for key encryption…);

          // otherwise...
          xmlCipher.init(XMLCipher.DECRYPT_MODE, …shared key for document encryption…);

          // replaces the EncryptedData element in sourceDoc with the decrypted content
          xmlCipher.doFinal(sourceDoc, encryptedDataElement);

  41. XMLDSIG (XML Digital Signatures) • Current version: http://www.w3.org/TR/xmldsig-core/ • Allows a large collection of algorithms to sign arbitrary parts of a document • Enveloped (contained within the document) • Enveloping (document contained within the signature) • Detached (separate document for signature)

  42. Example XMLDSIG transformation

          <env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope">
            <env:Header>
            </env:Header>
            <env:Body>
              <value attr="1">some value</value>
            </env:Body>
          </env:Envelope>

  43. Example XMLDSIG transformation

          <env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope">
            <env:Header>
              <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:SignedInfo>
                  <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></ds:CanonicalizationMethod>
                  <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
                  <ds:Reference URI="">
                    <ds:Transforms>
                      <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform>
                      ...more stuff than can fit on this slide!!...
              </ds:Signature></env:Header>
            <env:Body>
              <value attr="1">some value</value>
            </env:Body>
          </env:Envelope>

  44. Example XMLDSIG transformation

          <env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope">
            <env:Header>
              <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:SignedInfo>...</ds:SignedInfo>
                <ds:SignatureValue>...</ds:SignatureValue>
                <ds:KeyInfo>
                  <ds:X509Data>
                    <ds:X509Certificate>
                      ...Base64 representation of certificate...
                    </ds:X509Certificate>
                  </ds:X509Data>
                </ds:KeyInfo>
              </ds:Signature></env:Header>
            <env:Body>...</env:Body>
          </env:Envelope>

  45. Things to Note • Any part of an XML document can be signed • The signature can be placed anywhere in the document (e.g. SOAP header!!) • A key or certificate can be (optionally) included in the signature • Whitespace is significant

  46. XMLDSIG APIs • Same as XMLENC • Also, specifically for Web Services: http://java.sun.com/webservices/docs/1.4/xmldsig/api/index.html • .NET: http://www.dotnet247.com/247reference/System/Security/Cryptography/Xml/SignedXml.aspx

  47. Using Xerces for Java API • Easier than XMLENC • Again, to verify the signature, the document parser must be namespace-aware • Not pretty-printed (remember, whitespace is significant) • Possible bug? Actual output: --INFO: Verification successful for URI "" --invalid signature

  48. Using Xerces for Java API • Example signature creation code: (see source)

          import org.apache.xml.security.signature.XMLSignature;
          import org.apache.xml.security.transforms.Transforms;
          import org.apache.xml.security.utils.Constants;
          import org.w3c.dom.Document;

          Document sourceDoc = …load/parse document to sign…;
          XMLSignature sig = new XMLSignature(sourceDoc, null,
                  XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1);
          // enveloped signature: the <Signature> element lives inside the signed document
          sourceDoc.getDocumentElement().appendChild(sig.getElement());

          Transforms transforms = new Transforms(sourceDoc);
          // drop the <Signature> element itself from the data that gets digested
          transforms.addTransform(Transforms.TRANSFORM_ENVELOPED_SIGNATURE);
          transforms.addTransform(Transforms.TRANSFORM_C14N_WITH_COMMENTS);

          // sign the whole document, hence the referenceURI is ""
          sig.addDocument("", transforms, Constants.ALGO_ID_DIGEST_SHA1);

          // remove next line to exclude key information from the document
          sig.addKeyInfo(cert.getPublicKey());
          sig.sign(privKey);

  49. Using Xerces for Java API • Example signature verification code: (see source)

          Document sourceDoc = …load/parse document to verify…;
          Element sigElement = …find <Signature> element in sourceDoc…;
          XMLSignature sig = new XMLSignature(sigElement, null);

          // replace below with checkSignatureValue(verifyKey) if the verification key is not included
          // a key read from KeyInfo comes from the sender: it shows the document matches that key,
          // not who the signer is, unless the key or certificate is checked against a trusted one
          if (sig.checkSignatureValue(sig.getKeyInfo().getPublicKey())) {
              System.out.println("valid signature");
          } else {
              System.out.println("invalid signature");
          }

  50. Canonicalizations and Transformations • Need some agreement between sender and receiver about a “canonical” document • whitespace? • XML comments? • Also need some agreement about how to transform the signed document • A signature cannot sign itself! How much of the signature do we remove? • How much of the document are we signing?
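The questions on slide 50, and the "whitespace is significant" note on slide 45, worked through as an added Python example that is not part of the original slides. It uses the standard library's `xml.etree.ElementTree.canonicalize`, which implements C14N 2.0 rather than the C14N 1.0 algorithm named in the slides' `CanonicalizationMethod`, and SHA-256 rather than SHA-1; the documents are constructed from the slides' envelope and `reference_digest` is a hypothetical helper.

```python
import hashlib
import xml.etree.ElementTree as ET

DS_SIGNATURE = "{http://www.w3.org/2000/09/xmldsig#}Signature"
ENV = 'xmlns:env="http://www.w3.org/2003/05/soap-envelope"'

# Constructed inputs based on the envelope from slides 42-44.
ORIGINAL = (f'<env:Envelope {ENV}><env:Header></env:Header><env:Body>'
            '<value attr="1">some value</value></env:Body></env:Envelope>')
# Same content, different bytes: empty-element tag, single quotes, spacing inside tags.
RESERIALIZED = (f"<env:Envelope {ENV} ><env:Header/><env:Body>"
                "<value  attr = '1' >some value</value></env:Body></env:Envelope>")
# Pretty-printed: adds whitespace text nodes, which canonicalization keeps.
PRETTY = ORIGINAL.replace("><", ">\n  <")
# A comment added inside the body.
COMMENTED = ORIGINAL.replace("<value", "<!-- reviewed --><value")
# Enveloped signature placed in the SOAP header (contents are placeholders).
SIGNED = ORIGINAL.replace(
    "<env:Header></env:Header>",
    '<env:Header><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
    "<ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature></env:Header>")

def reference_digest(xml_text, with_comments=False, enveloped=False):
    """Digest of the canonical form, as both signer and verifier must compute it."""
    canonical = ET.canonicalize(
        xml_text,
        with_comments=with_comments,
        # Enveloped-signature transform: drop the whole <ds:Signature> subtree.
        exclude_tags=[DS_SIGNATURE] if enveloped else None,
    )
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def compare():
    base = reference_digest(ORIGINAL)
    return {
        "reserialized": reference_digest(RESERIALIZED) == base,
        "pretty_printed": reference_digest(PRETTY) == base,
        "comment_ignored": reference_digest(COMMENTED) == base,
        "comment_kept": reference_digest(COMMENTED, with_comments=True) == base,
        "signature_removed": reference_digest(SIGNED, enveloped=True) == base,
        "signature_left_in": reference_digest(SIGNED) == base,
    }

if __name__ == "__main__":
    for case, same in compare().items():
        print(f"{case:18} digest matches original: {same}")
```

Only the re-serialized document, the comment dropped by canonicalization, and the document with its signature removed match the original digest. Pretty-printing after signing changes it, which is why the slides warn that signed output is not pretty-printed.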
