WS-Security TC
Christopher Kaler, Kelvin Lawrence
Agenda • Context for WS-Security • WS-Security Elements and Example • TC Charter and Deliverables
Web Service Security Issues
Getting easier to build web services, but who is sending the messages?
• Several approaches
  • SSL with username and password
  • SSL with X.509 client certificates
  • VPN with Kerberos
  • XrML, SAML, …
• Challenges
  • Computational cost
  • Inflexibility
  • Firewalls
  • Distributed management
  • Hop-to-hop vs. end-to-end
[Diagram: Username/password; Client certificates, Smart Cards, …; VPN]
Security and Web Services
Security in a Web Services World
• Safer: no exposure at intermediaries
• Interoperable: broad vendor support
  • Leverages XML Signature and XML Encryption
• Flexible: builds on web infrastructure
  • Works with HTTP, SMTP, and other transports
  • Works over firewalls, through the DB, …
• Durable: security is available at the business request / application layer
• Higher performance and scalability
  • Supports both public and symmetric keys
  • Clients exchange security tokens and cache them
• Easier: a simple common approach for manageable authentication, authorization, and permissions
A Typical Challenge
[Diagram: Company A, its Web Service, Business Partners, and a Certification Partner]
1. Run Application
2. Request Fails
3. Get Proof of Certification
4. Fax Certification
5. Approve
A WS-Security Solution
[Diagram: Company A, its Web Service, Business Partners, and a Certification Partner]
1. Run Application
2. Get Proof of Certification
3. Request Succeeds
How Does it Work?
• Security tokens assert claims
• Web services have policies
• A security token service is just a web service that issues security tokens
Security Tokens
Security tokens assert claims
• Identity
• Keys
• Privileges, rights, capabilities
• Custom …
Token formats: X.509, Kerberos, XrML, SAML, …
Policies
Services have policies
• Policies describe the required claims
• Security tokens assert the claims
[Diagram: Policy: does the request have the correct security tokens?]
Security Token Service
A security token service issues security tokens
• It is just a web service
• A solution may require multiple token services
[Diagram: Security Token Service (with its Policy) issues tokens presented to the Web Service (with its Policy)]
Agenda • Context for WS-Security • WS-Security Elements and Example • TC Charter and Deliverables
New SOAP Elements in WS-Security
• New
  • <Security> header
  • <UsernameToken>
  • <SecurityTokenReference>
  • <BinarySecurityToken>
• Existing
  • XML Signature
  • XML Encryption
  • Token formats (e.g., X.509, Kerberos, XrML, SAML)
<Security>
    <Security SOAP:actor="...">
        ...
    </Security>
• SOAP:actor is optional
• One header per actor
• All security information together
• Sub-elements are pre-pended
• Supports multiple signatures
Elements In <Security>
• Including and referencing security tokens
  • <UsernameToken>
  • <BinarySecurityToken>
  • <SecurityTokenReference>
  • <ds:KeyInfo>
  • <xenc:EncryptedKey>
• Signature
  • <ds:Signature>
• Encryption Manifest
  • <xenc:ReferenceList>
• Encrypted Attachments
  • <xenc:EncryptedData>
• Other…
Simple Example • Requesting a stock quote • Security token indicates username • Signature uses key generated from password
Simple Example (1 of 2 and 2 of 2)
<?xml version="1.0" encoding="utf-8"?>
<S:Envelope xmlns:S=".../soap-envelope" xmlns:ds="…/xmldsig#">
  <S:Header>
    <m:path xmlns:m="http://schemas.xmlsoap.org/rp/">
      <m:action>http://fabrikam.org/getQuote</m:action>
      <m:to>http://fabrikam.org/stocks</m:to>
      <m:id>uuid:84b9f5d0-33fb-4a81-b02b-5b760641c1d6</m:id>
    </m:path>
    <wsse:Security xmlns:wsse="…/secext">
      <wsse:UsernameToken Id="MyID">
        <wsse:Username>Zoe</wsse:Username>
      </wsse:UsernameToken>
      <ds:Signature>
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm=".../xml-exc-c14n#"/>
          <ds:SignatureMethod Algorithm=".../xmldsig#hmac-sha1"/>
          <ds:Reference URI="#MsgBody">
            <ds:DigestMethod Algorithm="http://.../xmldsig#sha1"/>
            <ds:DigestValue>LyLsF0Pi4wPU...</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>DJbchm5gK...</ds:SignatureValue>
        <ds:KeyInfo>
          <wsse:SecurityTokenReference>
            <wsse:Reference URI="#MyID"/>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
  </S:Header>
  <S:Body Id="MsgBody">
    <tru:StockSymbol xmlns:tru="…">QQQ</tru:StockSymbol>
  </S:Body>
</S:Envelope>
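The example above signs the body with an HMAC whose key comes from the UsernameToken's password, and the SecurityTokenReference (#MyID) tells the receiver which token supplies that key. As an added illustration, not code from the presentation or from any WS-Security implementation, this Python sketch builds and verifies such a SignedInfo/SignatureValue pair; the key derivation, the sample body, the treatment of the body as already exclusive-canonical, and the use of the real xmldsig algorithm URIs in place of the slides' "..." placeholders are all assumptions of mine.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
# Constructed sample values; the slides only show truncated digest and signature strings.
PASSWORD = "zoe-demo-password"
BODY = ('<S:Body Id="MsgBody" xmlns:S="urn:example:soap">'
        '<tru:StockSymbol xmlns:tru="urn:example:stocks">QQQ</tru:StockSymbol></S:Body>')

def derive_key(password: str) -> bytes:
    # Assumption: the slides only say "key generated from password"; a plain hash stands in.
    # With no nonce or timestamp in the token the same key signs every message (replay risk).
    return hashlib.sha1(password.encode("utf-8")).digest()

def digest_b64(canonical_body: str) -> str:
    # ds:DigestMethod sha1 over the body; exclusive C14N is assumed to have been applied already.
    return base64.b64encode(hashlib.sha1(canonical_body.encode("utf-8")).digest()).decode()

def build_signed_info(body_digest: str) -> str:
    # Mirrors the SignedInfo of the slide example with concrete xmldsig algorithm URIs.
    return (f'<ds:SignedInfo xmlns:ds="{DS_NS}">'
            '<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>'
            f'<ds:SignatureMethod Algorithm="{DS_NS}hmac-sha1"/>'
            '<ds:Reference URI="#MsgBody">'
            f'<ds:DigestMethod Algorithm="{DS_NS}sha1"/>'
            f'<ds:DigestValue>{body_digest}</ds:DigestValue>'
            '</ds:Reference></ds:SignedInfo>')

def sign(password: str, body: str) -> tuple:
    # Sender side: returns (SignedInfo XML, base64 SignatureValue) as the header would carry them.
    signed_info = build_signed_info(digest_b64(body))
    mac = hmac.new(derive_key(password), signed_info.encode("utf-8"), hashlib.sha1).digest()
    return signed_info, base64.b64encode(mac).decode()

def verify(password: str, body: str, signed_info: str, signature_b64: str) -> bool:
    # Receiver side: the password of the referenced UsernameToken yields the key; check the
    # HMAC over SignedInfo first, then that the Reference it carries really covers the body.
    expected = hmac.new(derive_key(password), signed_info.encode("utf-8"), hashlib.sha1).digest()
    if not hmac.compare_digest(expected, base64.b64decode(signature_b64)):
        return False
    root = ET.fromstring(signed_info)
    ref = root.find(f"{{{DS_NS}}}Reference[@URI='#MsgBody']")
    if ref is None:
        return False  # signature is valid but does not cover the body
    return ref.findtext(f"{{{DS_NS}}}DigestValue") == digest_b64(body)
```

The HMAC covers SignedInfo and SignedInfo's DigestValue covers the body, so an edited body, a key mismatch, or a changed Reference URI each fails verification.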
Agenda • Context for WS-Security • WS-Security Elements and Example • TC Charter and Deliverables
WS-Security TC Charter Continue work on the Web service security foundations published in the WS-Security specification and under the context of the Web Services Security roadmap
WS-Security TC Scope
• Using XML Signature to provide SOAP message integrity for Web services
• Using XML Encryption to provide SOAP message confidentiality for Web services
• Attaching and/or referencing security tokens in headers of SOAP messages
• Carrying security information for potentially multiple, designated actors
• Associating signatures with security tokens
• Representing specific forms of binary security tokens as defined in the WS-Security specification
WS-Security TC Deliverables
• Accept as input the Web Services Security (WS-Security) specification
• Produce as output a specification for Web Services Security. This specification will reflect refinements and changes made to the submitted version of WS-Security that are identified by the WSS TC members for additional functionality within the scope of the TC charter.
• Liaise and/or forge relationships with other Web services efforts to assist in leveraging WS-Security as a part of their specifications or solutions
• Coordinate with the chairs of the other OASIS security-related groups via the Security Joint Coordination Committee
• Oversee ongoing maintenance and errata of the WS-Security specification