Web Services Security
Maria Lizarraga, CS691

Agenda
• Problem Definition
• SOAP Messages
• Implementing Security Services
  • Integrity
  • Confidentiality
  • Authentication
• Implementation

What is a web service?
• A web service is a web software application available on the network that provides an interface for exchanging information with a client.
  • the software application
  • a method to interface to the application
  • a URI associated with the application
  • a published document that gives visibility to the world

Architecture

Maria's Competitive Loan Service

Network Layer Firewall
• The firewall authenticates the user
• The SOAP server cannot distinguish between
  • Business Partner
  • Customer

Solution
• Make the firewall XML and SOAP aware
• The SOAP message carries security information
• Intruders are now stopped at the firewall

Simple Object Access Protocol (SOAP) Message
• XML
• Embedded into HTTP
• Three parts
  • Envelope
  • Header
  • Body
SOAP Message

SOAP Request
POST /GradesService/services/GradesService HTTP/1.0
Content-Type: text/xml; charset=utf-8
Accept: application/soap+xml, application/dime, multipart/related, text/*
User-Agent: IBM WebServices/1.0
Host: localhost:9080
Cache-Control: no-cache
Pragma: no-cache
SOAPAction: ""
Content-Length: 356

<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <soapenv:Body>
    <getStudents xmlns="http://grades"/>
  </soapenv:Body>
</soapenv:Envelope>

Application
package grades;

public class GradesService {
    final int NUMSTUDENTS = 4;
    String[] students;
    char[] grade;

    public GradesService() {
        students = new String[] {"Mary", "Joe", "Sally", "Tim"};
        grade = new char[] {'A', 'B', 'C', 'D'};
    } // end constructor

    // Look a student up by name; 'Z' means the student is not known.
    public char getStudentGrade(String student) {
        for (int i = 0; i < NUMSTUDENTS; i++)
            if (student.equals(students[i]))
                return grade[i];
        return 'Z';
    } // end getStudentGrade

    public String getStudent(int studentID) {
        return students[studentID];
    } // end getStudent

    // The operation invoked by the SOAP request above.
    public String[] getStudents() {
        return students;
    } // end getStudents

    public static void main(String[] args) {
        GradesService gs = new GradesService();
        for (int i = 0; i < gs.NUMSTUDENTS; i++)
            System.out.println("Student: " + gs.getStudent(i)
                + "\tGrade:" + gs.getStudentGrade(gs.getStudent(i)));
    } // end main
} // end class GradesService

Digital Signature
Response
HTTP/1.1 200 OK
Server: WebSphere Application Server/5.1
Content-Type: text/xml; charset=utf-8
Content-Language: en-US
Connection: close

<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <soapenv:Body>
    <getStudentsResponse xmlns="http://grades">
      <getStudentsReturn>Mary</getStudentsReturn>
      <getStudentsReturn>Joe</getStudentsReturn>
      <getStudentsReturn>Sally</getStudentsReturn>
      <getStudentsReturn>Tim</getStudentsReturn>
    </getStudentsResponse>
  </soapenv:Body>
</soapenv:Envelope>
Security Services
• Confidentiality
  • XML Encryption
• Integrity
  • XML Digital Signature
• Authentication
  • Security Tokens

Client Application

Integrity and Authentication Example
Goal
• Message Integrity
• Message Authentication
• User Authentication
Process
• Obtain the message digest of the message.
• Encrypt the message digest with the sender's private key.

XML Digital Signature
• <BinarySecurityToken> -- specifies the encoding format for binary-encoded security tokens.
  • EncodingType -- encoding used on the security token
  • ValueType --
  • ID
  • Encoded digital certificate
• <Signature> -- signature-specific information. It contains the following three subsections:
  • <SignedInfo> -- processing information: how the message is signed
    • <CanonicalizationMethod> -- data normalization algorithm
    • <SignatureMethod> -- signature algorithm
    • <Reference> -- points to the signed content
      • <Transforms> -- how to process the data
      • <DigestMethod> -- hashing algorithm used on <body>
      • <DigestValue>
  • <SignatureValue> -- value of the signed data
  • <KeyInfo> -- optional key identifier (such as a public key or symmetric key)
    • <wsse:SecurityTokenReference>
      • Reference -- refers to the public key inside the digital certificate

Digital Signature Request Example

Digital Signature Response Example
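The two-step process above (digest the body, then sign the digest with the sender's private key) carried through to the <SignedInfo> and <SignatureValue> elements just listed, and the two checks a receiver makes. This is an added example, not the deck's or WebSphere's code: it generates its own RSA key pair in place of the certificate in <BinarySecurityToken>, uses a constructed sample body from the grades service, and reduces canonicalization to collapsing whitespace between tags.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"encoding/base64"
	"regexp"
)

// Constructed sample body from the deck's grades service (not the deck's own signed message).
const Body = "<soapenv:Body wsu:Id=\"Body\">\n  <getStudents xmlns=\"http://grades\"/>\n</soapenv:Body>"

// NewKey makes the sender's RSA key pair; <BinarySecurityToken> would carry a certificate for its public half.
func NewKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// DigestValue is Base64(SHA-1(canonical body)); canonicalization is reduced here to collapsing whitespace between tags.
func DigestValue(body string) string {
	canon := regexp.MustCompile(`>\s+<`).ReplaceAllString(body, "><")
	sum := sha1.Sum([]byte(canon))
	return base64.StdEncoding.EncodeToString(sum[:])
}

// SignedInfo names the algorithms and holds the <Reference URI="#Body"> that carries the body digest.
func SignedInfo(body string) string {
	return `<SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>` +
		`<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>` +
		`<Reference URI="#Body"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>` +
		`<DigestValue>` + DigestValue(body) + `</DigestValue></Reference></SignedInfo>`
}

// Sign is the "encrypt the digest with the sender's private key" step: SHA-1(SignedInfo) under RSA PKCS#1 v1.5.
func Sign(body string, priv *rsa.PrivateKey) (si, sigValue string, err error) {
	si = SignedInfo(body)
	h := sha1.Sum([]byte(si))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA1, h[:])
	return si, base64.StdEncoding.EncodeToString(sig), err
}

// Verify runs the receiver's checks in order: DigestValue must match the body actually received (integrity), then SignatureValue must verify under the sender's public key (authentication).
func Verify(body, si, sigValue string, pub *rsa.PublicKey) bool {
	m := regexp.MustCompile(`<DigestValue>([^<]+)</DigestValue>`).FindStringSubmatch(si)
	if m == nil || m[1] != DigestValue(body) {
		return false // body altered after signing, or the reference is missing
	}
	sig, _ := base64.StdEncoding.DecodeString(sigValue) // malformed Base64 simply fails the RSA check
	h := sha1.Sum([]byte(si))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA1, h[:], sig) == nil
}
```

A whitespace-only change to the body still verifies because the digest is taken over the canonical form; any change to element content fails the first check before the RSA operation runs.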
Confidentiality Example
Goal
• Only allow those who have "a need to know" to see the data
Process
• Encrypt <body> with a symmetric key
• Encrypt the symmetric key with the recipient's public key

XML Encryption
• <EncryptedKey> -- symmetric key information
  • <EncryptionMethod> -- method of encryption
  • <KeyInfo> -- encrypted key identifier
    • <SecurityTokenReference>
      • <KeyIdentifier>
  • <CipherData>
    • <CipherValue> -- encrypted symmetric key
  • <ReferenceList> -- reference to the encrypted text

Encryption Request Example

Encryption Response Example
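The two-step confidentiality process (a symmetric key for the body, the recipient's public key for that key) as an added example; it is not the deck's or WebSphere's code. AES-256-GCM and RSA-OAEP are assumed as the algorithms behind <EncryptionMethod>, the recipient's key pair is generated in place, and the Nonce field is this example's addition to the elements on the slide.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Encrypted mirrors the slide: EncryptedKey is <EncryptedKey>/<CipherValue>, Body the <EncryptedData> that <ReferenceList> points at; Nonce is the AES-GCM nonce this example adds.
type Encrypted struct{ EncryptedKey, Nonce, Body []byte }
// NewKey makes the recipient's RSA key pair; the sender only ever needs its public half.
func NewKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// aead builds AES-256-GCM for a content key (the slide's "symmetric key"); GCM also authenticates the body.
func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt: encrypt <body> under a fresh symmetric key, then wrap that key with the recipient's public key.
func Encrypt(body []byte, recipient *rsa.PublicKey) (*Encrypted, error) {
	buf := make([]byte, 32+12) // buf[:32] is the content key, buf[32:] the nonce
	rand.Read(buf)             // fresh per message; crypto/rand.Read cannot fail since Go 1.24
	gcm, err := aead(buf[:32])
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, buf[:32], nil)
	if err != nil {
		return nil, err
	}
	return &Encrypted{EncryptedKey: wrapped, Nonce: buf[32:], Body: gcm.Seal(nil, buf[32:], body, nil)}, nil
}

// Decrypt: unwrap the key with the private key, then open the body; a modified ciphertext fails the GCM tag check.
func Decrypt(e *Encrypted, priv *rsa.PrivateKey) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, e.EncryptedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := aead(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, e.Nonce, e.Body, nil)
}
```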
Other XML Encryption Options
• Encrypt the entire message
• Encrypt attachments
• Encrypt any element
• Encrypt an already encrypted element

Basic Authentication Example
Goal
• Identify the user
Process
• Provide the user name
• Provide the user password (not encrypted)

Basic Authentication
• <UsernameToken>
  • <Username>
  • <Password>

Basic Authentication Request Example

Basic Authentication Response Example

Security Tokens
Security tokens used to authenticate:
• Basic Authentication
  • Login/Password
• Digital Signature
  • Public Key/Private Key
• ID Assertion
  • Single Sign-On
• LTPA -- Lightweight Third Party Authentication
  • Single Sign-On
  • Forwardable Credentials

Assertions

LTPA
Hash Message Authentication Code (HMAC)
<wsse:UsernameToken wsu:Id="LoanCenterUsernameToken">
  <wsse:Username>CompetitiveLoanService</wsse:Username>
  <wsse:Nonce>WS3Lhf6RpK...</wsse:Nonce>
  <wsu:Created>2003-06-12T09:00:00Z</wsu:Created>
</wsse:UsernameToken>
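The nonce and timestamp in the token above are what the WS-Security UsernameToken Profile hashes together with the password into a PasswordDigest, so the password itself is not sent as it is in the basic authentication slides. Added example, not the deck's or WebSphere's code: the credential store, the five-minute freshness window and the in-memory nonce cache are assumptions made here.

```go
package main

import (
	"crypto/rand"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base64"
	"time"
)

// UsernameToken holds the slide's elements plus the PasswordDigest the UsernameToken Profile derives from them.
type UsernameToken struct{ Username, Nonce, Created, PasswordDigest string }

// Constructed credential store (username -> password); a real service would consult its user registry.
var passwords = map[string]string{"CompetitiveLoanService": "constructed-demo-password"}
var seenNonces = map[string]bool{} // nonces already accepted: a replayed token reuses one of them
const freshness = 5 * time.Minute  // how old <wsu:Created> may be before the token is rejected

// PasswordDigest = Base64(SHA-1(nonce bytes + created + password)), as the UsernameToken Profile defines it.
func PasswordDigest(nonceB64, created, password string) string {
	nonce, _ := base64.StdEncoding.DecodeString(nonceB64)
	sum := sha1.Sum(append(append(nonce, created...), password...))
	return base64.StdEncoding.EncodeToString(sum[:])
}

// NewToken is the client side: fresh nonce, timestamp and digest; the password itself never leaves the client.
func NewToken(username, password string, created time.Time) UsernameToken {
	nonce := make([]byte, 16)
	rand.Read(nonce) // crypto/rand.Read cannot fail since Go 1.24
	n, c := base64.StdEncoding.EncodeToString(nonce), created.UTC().Format(time.RFC3339)
	return UsernameToken{username, n, c, PasswordDigest(n, c, password)}
}

// Verify is the server side; each rejection reason is distinct so a detection rule can alert on it.
func Verify(tok UsernameToken, now time.Time) string {
	created, err := time.Parse(time.RFC3339, tok.Created)
	if err != nil || created.Before(now.Add(-freshness)) || created.After(now.Add(time.Minute)) {
		return "stale-timestamp" // outside the window (one minute of clock skew allowed)
	}
	if seenNonces[tok.Nonce] {
		return "replayed-nonce"
	}
	want := PasswordDigest(tok.Nonce, tok.Created, passwords[tok.Username]) // unknown user: empty password
	if subtle.ConstantTimeCompare([]byte(want), []byte(tok.PasswordDigest)) != 1 {
		return "bad-digest"
	}
	seenNonces[tok.Nonce] = true
	return "ok"
}
```

A captured token replayed inside the freshness window is caught by the nonce cache, and one replayed later by the timestamp check; the cache only needs to hold nonces for the length of the window.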
WebSphere Implementation
Wizard support for:
• XML Encryption
• XML Digital Signatures
  (one or the other, not both, for the <body> of the message)
Without wizardry:
• Security Tokens
  • Basic Authentication
  • Digital Signatures
  • Assertions
  • LTPA
• Multiple encryptions on any part of the message
• Multiple digital signatures on any part of the message

Summary
• Web Service Architecture
• SOAP
• Implementing Security Services
  • Integrity: XML Digital Signature
  • Confidentiality: XML Encryption
  • Authentication: Security Tokens

References
• XML Signature WG (specification), http://www.w3.org/Signature/
• XML Encryption WG (specification), http://www.w3.org/Encryption/2001/
• OASIS Security Services (SAML) TC, http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security
• OASIS eXtensible Access Control Markup Language (XACML) TC, http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml
• SOAP Tutorial, http://www.w3schools.com/soap
• Specification: Web Services Security (WS-Security), http://www-106.ibm.com/developerworks/webservices/library/ws-secure/