WS-Security Clement Song 02-09-04
Outline
• What is WS-Security?
• Why WS-Security?
• Terminology
• How to Secure?
• Code
• Demos
• Reference

What is WS-Security?
• WS-Security:
  • SOAP message protection through message integrity, confidentiality, and single message authentication
  • extensible and flexible (multiple security tokens, trust domains, signature formats, and encryption technologies)
  • a flexible set of mechanisms that can be used to construct a range of security protocols
Source: WS-Security version 1.0, ref. [1]

Why WS-Security?
• Secure SOAP message exchange
Terminology Reference
• Claim - A claim is a statement that a requestor makes (e.g. name, identity, key, group, privilege, capability, etc.).
• Security Token - A security token represents a collection of claims.
• Signed Security Token - A signed security token is a security token that is asserted and cryptographically endorsed by a specific authority (e.g. an X.509 certificate or a Kerberos ticket).
• Proof-of-Possession - The proof-of-possession information is data that is used in a proof process to demonstrate the sender's knowledge of information that should only be known to the claiming sender of a security token.

Terminology Reference
• Digest - A digest is a cryptographic checksum of an octet stream.
• Signature - A signature is a cryptographic binding of a proof-of-possession and a digest. This covers both symmetric key-based and public key-based signatures. Consequently, a signature can support non-repudiation.
• Non-repudiation - means to ensure that a transferred message has been sent and received by the parties claiming to have sent and received the message. A way to guarantee that the sender of a message cannot later deny having sent the message and that the recipient cannot deny having received the message.
How to Secure?
• Integrity - information is not modified in transit
  • XML signature in conjunction with security tokens
  • Multiple signatures, multiple actors, additional signature formats

How to Secure?
• Confidentiality - only authorized actors or security token owners can view the data
  • XML encryption in conjunction with security tokens
  • Multiple encryption processes, multiple actors

How to Secure?
• Authentication - you are who you say you are
  • Security Tokens
Syntax
<S:Envelope>
  <S:Header>
    ...
    <Security S:actor="..." S:mustUnderstand="...">
      ...
    </Security>
    ...
  </S:Header>
  <S:Body>...</S:Body>
</S:Envelope>

UsernameToken Element
<UsernameToken Id="...">
  <Username>...</Username>
  <Password Type="...">...</Password>
</UsernameToken>
Types:

UsernameToken Example
<wsse:Security>
  <wsse:UsernameToken>
    <wsse:Username>Zoe</wsse:Username>
    <wsse:Password>ILoveDogs</wsse:Password>
  </wsse:UsernameToken>
</wsse:Security>
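The token above sends the password in clear, so anyone who can read the message on the path can read the password unless the transport itself is encrypted. The following is an added example (not code from the slides) of the alternative the Password Type attribute allows: a digest password computed as Base64(SHA-1(nonce + created + password)), as the WS-Security text defines PasswordDigest, together with the freshness and nonce-replay checks a receiver needs. The credential store and timestamps are constructed samples.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

# Added example, not code from the slides. Builds and checks a wsse:UsernameToken
# whose Password is a PasswordDigest (Base64(SHA-1(nonce + created + password)))
# instead of the PasswordText shown on the slide.
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

def password_digest(nonce: bytes, created: str, password: str) -> str:
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")

def build_token(username: str, password: str, now: datetime, nonce: bytes = b"") -> dict:
    """Fields of a UsernameToken with a digest password; the nonce is random unless given."""
    nonce = nonce or os.urandom(16)
    created = now.strftime(TIME_FMT)
    return {"Username": username, "Nonce": base64.b64encode(nonce).decode("ascii"),
            "Created": created, "PasswordDigest": password_digest(nonce, created, password)}

class UsernameTokenVerifier:
    def __init__(self, credentials: dict, freshness: timedelta = timedelta(minutes=5)):
        self.credentials = credentials   # username -> password (constructed sample store)
        self.freshness = freshness       # how far Created may lie from the receiver's clock
        self.seen = set()                # (username, nonce) pairs already accepted

    def verify(self, token: dict, now: datetime) -> bool:
        password = self.credentials.get(token.get("Username"))
        if password is None:
            return False                                          # unknown user
        created = datetime.strptime(token["Created"], TIME_FMT).replace(tzinfo=timezone.utc)
        if abs(now - created) > self.freshness:
            return False                                          # stale or skewed Created
        key = (token["Username"], token["Nonce"])
        if key in self.seen:
            return False                                          # nonce replayed
        expected = password_digest(base64.b64decode(token["Nonce"]), token["Created"], password)
        if not hmac.compare_digest(expected, token["PasswordDigest"]):
            return False                                          # wrong password or altered token
        self.seen.add(key)
        return True

def demo() -> dict:
    """Constructed walk-through using the slide's Zoe / ILoveDogs credentials."""
    t0 = datetime(2004, 2, 9, 12, 0, tzinfo=timezone.utc)
    v = UsernameTokenVerifier({"Zoe": "ILoveDogs"})
    tok = build_token("Zoe", "ILoveDogs", t0)
    return {"fresh": v.verify(tok, t0), "replay": v.verify(tok, t0),
            "stale": v.verify(build_token("Zoe", "ILoveDogs", t0), t0 + timedelta(minutes=10)),
            "wrong_password": v.verify(build_token("Zoe", "xyzzy", t0), t0)}
```

The receiver must still hold the plaintext password to recompute the digest, and the digest authenticates only the token, not the message body; body integrity and confidentiality need the signature and encryption mechanisms on the following slides.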
Binary Security Tokens
<BinarySecurityToken Id="..." EncodingType="..." ValueType="..."/>
EncodingType:
ValueType:

Binary Security Tokens Example
<wsse:BinarySecurityToken
    xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/04/secext"
    Id="myToken"
    ValueType="wsse:X509v3"
    EncodingType="wsse:Base64Binary">
  MIIEZzCCA9CgAwIBAgIQEmtJZc0...
</wsse:BinarySecurityToken>

SecurityTokenReference
<SecurityTokenReference Id="...">
  <Reference URI="..."/>
</SecurityTokenReference>
Example:
<wsse:SecurityTokenReference xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/04/secext">
  <wsse:Reference URI="http://www.fabrikam123.com/tokens/Zoe#X509token"/>
</wsse:SecurityTokenReference>
XML Signature (? = optional, + = one or more, * = zero or more, as in the XML Signature specification)
<Signature ID?>
  <SignedInfo>
    <CanonicalizationMethod/>
    <SignatureMethod/>
    (<Reference URI?>
      (<Transforms>)?
      <DigestMethod>
      <DigestValue>
    </Reference>)+
  </SignedInfo>
  <SignatureValue>
  (<KeyInfo>)?
  (<Object ID?>)*
</Signature>

XML Signature Example
<Signature Id="MyFirstSignature" xmlns="http://www.w3.org/2000/09/xmldsig#">
  <SignedInfo>
    <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
    <Reference URI="http://www.w3.org/TR/2000/REC-xhtml1-20000126/">
      <Transforms>
        <Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
      </Transforms>
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <DigestValue>j6lwx3rvEPO0vKtMup4NbeVu8nk=</DigestValue>
    </Reference>
  </SignedInfo>
  <SignatureValue>MC0CFFrVLtRlk=...</SignatureValue>
  <KeyInfo>
    <KeyValue>
      <DSAKeyValue>
        <P>...</P><Q>...</Q><G>...</G><Y>...</Y>
      </DSAKeyValue>
    </KeyValue>
  </KeyInfo>
</Signature>

XML signature in WS-Security
<wsse:Security>
  <wsse:BinarySecurityToken
      ValueType="wsse:X509v3"
      EncodingType="wsse:Base64Binary"
      Id="X509Token">
    MIIEZzCCA9CgAwIBAgIQEmtJZc0rqrKh5i...
  </wsse:BinarySecurityToken>
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference>
        <ds:Transforms>
          <ds:Transform Algorithm="http://...#RoutingTransform"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>EULddytSo1...</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>
      BL8jdfToEb1l/vXcMZNNjPOV...
    </ds:SignatureValue>
    <ds:KeyInfo>
      <wsse:SecurityTokenReference>
        <wsse:Reference URI="#X509Token"/>
      </wsse:SecurityTokenReference>
    </ds:KeyInfo>
  </ds:Signature>
</wsse:Security>
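The structure on the last three slides implies a two-level check on the receiving side: each ds:Reference's DigestValue must equal the hash of the element it points at, and SignatureValue must verify over the canonicalized ds:SignedInfo (the body is never signed directly). The following is an added example (not code from the slides) that signs and verifies a constructed envelope in that shape. Assumptions: xmldsig's hmac-sha1 with a shared key stands in for the slide's rsa-sha1 and X.509 token (the standard library has no RSA), the Reference points at the Body by a plain Id attribute, and Python's C14N 2.0 canonicalize() stands in for exclusive C14N.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Added example, not the slides' code: the two-level check a ds:Signature verifier
# performs. Assumptions: xmldsig hmac-sha1 over a shared key instead of the slide's
# rsa-sha1, and Python's C14N 2.0 canonicalize() standing in for exclusive C14N.
DS = "{http://www.w3.org/2000/09/xmldsig#}"
ET.register_namespace("S", "http://schemas.xmlsoap.org/soap/envelope/")
ET.register_namespace("ds", "http://www.w3.org/2000/09/xmldsig#")
# Constructed envelope shaped like the slide; Body and SignedInfo carry no tail text.
TEMPLATE = """<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/04/secext" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<S:Header><wsse:Security><ds:Signature><ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
<ds:Reference URI="#Body"><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>{digest}</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>{sig}</ds:SignatureValue>
</ds:Signature></wsse:Security></S:Header><S:Body Id="Body">{body}</S:Body></S:Envelope>"""

def c14n(elem) -> bytes:                      # canonical bytes of one element
    return ET.canonicalize(ET.tostring(elem, encoding="unicode")).encode("utf-8")

def find_by_id(root, uri: str):               # resolve a same-document "#Id" URI
    return next(e for e in root.iter() if e.get("Id") == uri.lstrip("#"))

def b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")

def sign(body_xml: str, key: bytes) -> str:
    root = ET.fromstring(TEMPLATE.format(body=body_xml, digest="", sig=""))
    digest = b64(hashlib.sha1(c14n(find_by_id(root, "#Body"))).digest())   # step 1: Reference digest
    root = ET.fromstring(TEMPLATE.format(body=body_xml, digest=digest, sig=""))
    mac = hmac.new(key, c14n(root.find(f".//{DS}SignedInfo")), hashlib.sha1).digest()  # step 2: sign SignedInfo
    return TEMPLATE.format(body=body_xml, digest=digest, sig=b64(mac))

def verify(envelope_xml: str, key: bytes) -> bool:
    root = ET.fromstring(envelope_xml)
    signed_info = root.find(f".//{DS}SignedInfo")
    for ref in signed_info.findall(f"{DS}Reference"):      # every referenced digest must match
        try:
            target = find_by_id(root, ref.get("URI"))
        except StopIteration:
            return False                                   # dangling Reference
        expected = b64(hashlib.sha1(c14n(target)).digest())
        if not hmac.compare_digest(expected, ref.findtext(f"{DS}DigestValue").strip()):
            return False
    mac = hmac.new(key, c14n(signed_info), hashlib.sha1).digest()
    return hmac.compare_digest(b64(mac), root.findtext(f".//{DS}SignatureValue").strip())
```

A production verifier must additionally confirm that each Reference URI resolves to the element the application actually acts on, and that the key named in ds:KeyInfo (the SecurityTokenReference on the slide) is one it trusts.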
XML Encryption (? = optional, as in the XML Encryption specification)
<EncryptedData Id? Type? MimeType? Encoding?>
  <EncryptionMethod/>?
  <ds:KeyInfo>
    <EncryptedKey>?
    <AgreementMethod>?
    <ds:KeyName>?
    <ds:RetrievalMethod>?
    <ds:*>?
  </ds:KeyInfo>?
  <CipherData>
    <CipherValue>?
    <CipherReference URI?>?
  </CipherData>
  <EncryptionProperties>?
</EncryptedData>

Primary References
1. WS-Security Specification
   http://msdn.microsoft.com/webservices/understanding/advancedwebservices/default.aspx?pull=/library/en-us/dnglobspec/html/ws-security.asp
2. WS-Security AppNotes (examples and guidance for implementers)
   http://www-106.ibm.com/developerworks/library/ws-secapp/

Secondary References
1. XML Signature (syntax and processing)
   http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/
2. XML Encryption (syntax and processing)
   http://www.w3.org/TR/xmlenc-core/
3. RSA encryption demo (explains how RSA works)
   http://intercom.virginia.edu/crypto/crypto.html