Web Services Security: Suresh Inavolu

Web services security
Suresh Inavolu
Agenda
Why Web services security
Cryptography
o Shared key
o Public key
XML Signatures
XML Encryption
WS-Policy
WS-SecurityPolicy
Conclusion
1) Read the message pin number of Customer1
2) Change the message send money to CustomerX
3) Create a new message and send it as if Customer1 is
<Request
requesting.
custId=Customer1
pin=myQw6k3z>
<SendMoney
to=Customer2
amount=10000/>
</Request>
Security terms
1) Confidentiality None, other than the receiver, can understand the message
2) Integrity The message has not been changed in between
3) Authentication The message is send the original sender
Agenda
Cryptography
o Shared key
o Public key
XML Signatures
XML Encryption
WS-Policy
WS-SecurityPolicy
Conclusion
Cryptography
Share key encryption
o Also called Symmetric key encryption
Public key encryption

o Also called Asymmetric key encryption
Shared key
Public key
Different keys
(Only private key is
kept secret)
Agenda
Cryptography
o Shared key
o Public key
XML Signatures
XML Encryption
WS-Policy
WS-SecurityPolicy
Conclusion
XML Signatures
Used for authentication and data integrity.
Digital signatures
o Encrypt the hash of the message using private
key
Digital Signature
<Request <Request
custId=Customer1 custId=Customer1
pin=myQw6k3z> pin=myQw6k3z>
<SendMoney <SendMoney
to=Customer2 to=Customer2
amount=10000/> amount=10000/>
</Request> </Request>
m1eRh4!pQ(zcB6
Hash Algorithm Message with

like SHA1 Digital signature
50920620636403163 m1eRh4!pQ(zcB6
Hash Value Encrypt using Digest Value

Private key
Calculating Digital signature

Digital Signature
Message with
Digital signature
Hash Algorithm
<Request <Request like SHA1
custId=Customer1 custId=Customer1
pin=myQw6k3z> pin=myQw6k3z> 50920620636403163
<SendMoney <SendMoney
to=Customer2 to=Customer2 Hash Value
amount=10000/> amount=10000/>
</Request>
m1eRh4!pQ(zcB6 </Request>
Both Should match
m1eRh4!pQ(zcB6 50920620636403163
Decrypt using Hash Value

Senders public key
Verifying Digital Signatures

XML Signature
An extension to digital signatures to sign
XML messages
Ability to sign only specific portions of the
XML tree
Canonicalization
<Request custId=Customer1 pin=myQw6k3z xmlns="urn://bank/request">
<SendMoney to=Customer2 amount=10000/>
<Comments><![CDATA[Send it in two days to Progress.]]></Comments>
</Request>
<? xml version=1.0 ?>

<Request custId='Customer1' pin='myQw6k3z' xmlns="urn://bank/request>
<SendMoney
to='Customer2'
amount='10000
bank=abc>
</SendMoney>
<Comments xmlns="urn://bank/request>Send it in two days to &PRGS;.</Comments>
</Request>
However both these XML documents generate different hash value and
hence different digital signatures
XML Signature Structure
<Signature ID?>
<SignedInfo>
(CanonicalizationMethod)
(SignatureMethod)
(<Reference URI? >
(Transforms)?
(DigestMethod)
(DigestValue)
</Reference>)+
</SignedInfo>
(SignatureValue)
(KeyInfo)?
(Object ID?)*
</Signature>
Sample XML Signature
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo Id="foobar">
<CanonicalizationMethod Algorithm="www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
<Reference URI=http://test/results.xml">
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>j6lwx3rvEPO0vKtMup4NbeVu8nk=</DigestValue>
</Reference>
<Reference URI=file:/C:/input.xml#message">
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>UrXLDLBIta6skoV5/A8Q38GEw44=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>MC0E~LE=</SignatureValue>
<KeyInfo>
<X509Data>
<X509SubjectName>O=XMLSec Inc.,ST=OTTAWA,C=CA</X509SubjectName>
<X509Certificate> MIID5jCCA0+gA...lVN </X509Certificate>
Agenda
Cryptography
o Shared key
o Public key
XML Signatures
XML Encryption
WS-Policy
WS-SecurityPolicy
Conclusion
XML Encryption
Ensuring Confidentiality of XML Messages
Encrypt data using Shared key technology
Shared key will be distributed
o Either by a separate channel
o Encrypt the shared key using public key of
receiver Digital Enveloping
XML Encryption Syntax
<EncryptedData Id? Type? MimeType? Encoding?>
<EncryptionMethod/>?
<ds:KeyInfo>?
</ds:KeyInfo>
<CipherData>
<CipherValue>?
<CipherReference URI?>?
</CipherData>
<EncryptionProperties>?
</EncryptedData>
Sample XML Encryption (using Digital
Enveloping)
<EncryptedData>
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmlsig#">
<EncryptedKey>
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa"/>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509SubjectName>CN=suresh,OU=Sonic,O=Progress,ST=AP,C=IN</ds:X509SubjectName>
</ds:X509Data>
</ds:KeyInfo>
<CipherData>
<CipherValue>QYJKoZIhvcNAQkBFhhz</CipherValue>
</CipherData>
</EncryptedKey>
</ds:KeyInfo>
<CipherData>
<CipherValue>DTA4MDQwOTA5NTUwNFoXDTA5MDQwOTA5NTUwNFowT</CipherValue>
</CipherData>
</EncryptedData>
Agenda
Cryptography
o Shared key
o Public key
XML Signatures
XML Encryption
WS-Policy
WS-SecurityPolicy
Conclusion
WS-Policy
A framework for describing policy assertions.
Four elements: Policy, All, ExactlyOne,
PolicyReference and one attribute wsp:Optional
All: All policy assertions should be satisfied.
ExactlyOne: Only one policy assertion should be
satisfied.
Wsp:Optional: Policy assertion is an optional
feature.
Operations for processing policies; Normalize,
Merge, and Intersect
Policy example Reusing policy using PolicyReference
<Policy>
<All> <Policy id="common">
<mtom:OptimizedMimeSerialization wsp:Optional=true/> <All>
<wsap:UsingAddressing/> <mtom:OptimizedMimeSerialization wsp:Optional=true/>
<ExactlyOne> <wsap:UsingAddressing/>
<sp:TransportBinding>...</sp:TransportBindig> </All>
<sp:AsymmetricBinding>...</sp:AsymmetricBinding> </Policy>
</ExactlyOne>
</All> <Policy id="security">
</Policy> <All>
<PolicyReference="#common">
<ExactlyOne>
<sp:TransportBinding>...</sp:TransportBindig>
<sp:AsymmetricBinding>...</sp:AsymmetricBinding>
</ExactlyOne>
</All>
</Policy>
Normal Form for Policy
Expressions
<Policy>
<ExactlyOne>
<All>
<wsap:UsingAddressing/>
</All>
<Policy> <All>
<All> <wsap:UsingAddressing/>
<mtom:OptimizedMimeSerialization <sp:AsymmetricBinding>...</sp:AsymmetricBinding>
wsp:Optional=true/> </All>
<All>
<mtom:OptimizedMimeSerialization/>
<ExactlyOne>
<sp:TransportBinding>...</sp:TransportBindig> <sp:TransportBinding>...</sp:TransportBindig>
<sp:AsymmetricBinding>...</sp:AsymmetricBinding> </All>
</ExactlyOne> <All>
</All> <mtom:OptimizedMimeSerialization/>
</Policy>
</All>
</ExactlyOne>
</Policy>
Compatible Policies
Only mutually compatible policies can interact with each others
Normalized Providers policy Normalized Requestor policy
<Policy> <Policy>
<ExactlyOne> <ExactlyOne>
<All> <All>
<wsap:UsingAddressing/> <sp:TransportBinding>...</sp:TransportBindig>
<sp:TransportBinding>...</sp:TransportBindig> </All>
</All> <All>
<All> <sp:TransportBinding>...</sp:TransportBindig>
<wsap:UsingAddressing/> <wsap:UsingAddressing/>
<sp:AsymmetricBinding>...</sp:AsymmetricBinding> </All>
</All> </ExactlyOne>
<All> </Policy>
</All>
<All>
</All>
</ExactlyOne>
WS-PolicyAttachment
To attach a Policy to a WSDL document
o Using PolicyReference tag (RECOMMENDED)
<wsdl:binding name="SecureBinding" type="tns:RealTimeDataInterface" >
<wsp:PolicyReference URI="#secure" />
<wsdl:operation name="GetRealQuote" >...</wsdl:operation>
...
</wsdl:binding>
o Using PolicyURIs attribute
<wsdl:binding name="SecureBinding" type="tns:RealTimeDataInterface"
wsp:PolicyURIs=www.localhost:8080/policies/policy.xml#secure" >
<wsdl:operation name="GetRealQuote" >...</wsdl:operation>
...
</wsdl:binding>
o Using PolicyAttachment
<wsp:PolicyAttachment>
<wsp:AppliesTo>
<wsa:EndpointReference xmlns:fabrikam="" >
<wsa:Address>http://www.fabrikam123.example.com/acct</wsa:Address>
</wsa:EndpointReference>
</wsp:AppliesTo>
<wsp:PolicyReference URI=#secure" />
</wsp:PolicyAttachment>
Effective Policy
Agenda
Cryptography
o Shared key
o Public key
XML Signatures
XML Encryption
WS-Policy
WS-SecurityPolicy
Conclusion
WS-SecurityPolicy
Standard way to define how to secure
messages exchanged between Web services
and clients
Used to publish security requirements and
constrains of a Web service using the WSDL
specification
Assertions: Security binding assertions,
Protection assertions, Token assertions,
Protocol assertions
Sonic Create policy wizard
Security Binding
Assertion
Protection Assertion
Token Assertion and

Protocol assertions
Security binding assertions
Three types of Security Binding assertions
Transport binding assertion (HTTPS)
Asymmetric binding assertion (Public Key)
Symmetric binding assertion (Shared Key)
Token Assertion
Specify the types of the tokens to be used to protect messages like X509
Properties on tokens
o Token Inclusion property (Never, Once, AlwaysToRecipient, Always)
<wsp:Policy>
<sp:X509Token IncludeToken='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always'></sp:X509Token>
</wsp:Policy>
Protection Assertions
Defines which message parts or SOAP headers are protected
Sample WS Policy
<wsp:Policy wsu:Id="TransferMoney"
xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/12/secext"
xmlns:wsrmp="http://schemas.xmlsoap.org/ws/2005/02/rm/policy"
xmlns:sp='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy' >
<wsp:ExactlyOne>
<wsp:All alternative-id="TransferMoneyAlternative">
<sp:AsymmetricBinding>
<wsp:Policy>
<sp:IncludeTimestamp></sp:IncludeTimestamp>
<sp:EncryptBeforeSigning></sp:EncryptBeforeSigning>
<sp:Layout>
<wsp:Policy>
<sp:Lax></sp:Lax>
</wsp:Policy>
</sp:Layout>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:TripleDesRsa15></sp:TripleDesRsa15>
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:RecipientToken>
<wsp:Policy>
<sp:X509Token
IncludeToken='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never'></sp:X509Token>
</wsp:Policy>
</sp:RecipientToken>
<sp:InitiatorToken>
<wsp:Policy>
<sp:X509Token
IncludeToken='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always'></sp:X509Token>
</wsp:Policy>
</sp:InitiatorToken>
</wsp:Policy>
</sp:AsymmetricBinding>
<sp:EncryptedParts>
Agenda
Cryptography
o Shared key
o Public key
XML Signatures
XML Encryption
WS-Policy
WS-SecurityPolicy
Conclusion
Conclusion

Web Services Security: Suresh Inavolu

Hochgeladen von

Dokumentinformationen

Originaltitel

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

Web Services Security: Suresh Inavolu

Hochgeladen von

Copyright:

Verfügbare Formate

Web services security

Public key encryption

Hash Algorithm Message with

Hash Value Encrypt using Digest Value

Calculating Digital signature

Both Should match

Decrypt using Hash Value

Verifying Digital Signatures

<? xml version=1.0 ?>

Normalized Providers policy Normalized Requestor policy

Token Assertion and

Das könnte Ihnen auch gefallen