04_Cryptography.ppt

Service Oriented Architecture
Lecture 4: Web Service Security, XML Signature and XML Encryption
Mike McCarthy
Notes adapted from “Web Services Security”, Bilal Siddiqui
95-843: Service Oriented Architecture
Master of Information System
Management
Web Services & Cryptography
• Bob and Alice want to exchange SOAP messages.
• Eve is always watching.
• Mallory is always trying to cause trouble.
What’s going on?
• Web Services Security (WSS) specification from OASIS
• Message confidentiality
• Message identification (Who are you?)
• Message authentication (Can you prove it?)
• Authorization (What are you allowed to do?)
• End-to-end (not just point-to-point)
The WS Cryptography Stack
XML Web Services Security
SAML (Security Assertion ML), XKMS (XML Key Management Specification), XACML (eXtensible Access Control Markup Language)
XMLDSIG (W3C)
XMLENC (W3C)
.NET Crypto APIs
Java Security APIs
Tools Becoming Common
• Apache’s WSS4J (Web Services Security)
• Java’s JCE and JCA
• C# Crypto APIs
• Active Endpoints supports security if you purchase their product
• IBM’s WebSphere
• Microsoft, Oracle…
The Need For Web Services
Application integration within the enterprise
Application integration across enterprise boundaries
- customers
- partners
- suppliers
A Tourism Supply Chain
[Diagram labels: Tourists, Tour Operator, Hotel, Hotel, Car Rental, Car Rental]
Without WSS
- coarse-grained protection provided by firewalls
- SSL provides point-to-point encryption and authentication
- Anyone may call RoomRentInfoForAll()
With WSS
- fine grained security decisions
- Restricted callers: RoomRentInfoForPartnersOnly()
Service Oriented
Architecture
SOAP over HTTP
SOAP Server
Hotel
RoomRentInfoForAll()
RoomRentInfoForPartnersOnly()
Listing 1 SOAP Request
POST /Vendors HTTP/1.1
Host: www.myHotel.com
Content-Type: text/xml; charset=utf-8
Content-Length: 350
SOAPAction: ""

<?xml version='1.0'?>
<SOAP-ENV:Envelope
xmlns:SOAP-ENV='http://schemas.xmlsoap.org/soap/envelope/' >
<SOAP-ENV:Body>
<s:GetSpecialDiscountedBookingForPartners
xmlns:s='http://www.MyHotel.com/partnerservice/' >
<!--Parameters passed with the method call-->
</s:GetSpecialDiscountedBookingForPartners>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
Listing 2 SOAP Response
HTTP/1.0 200 OK
Content-Type: text/xml; charset=utf-8
Content-Length: 1474

<?xml version="1.0"?>
<SOAP-ENV:Envelope
xmlns:SOAP-ENV='http://schemas.xmlsoap.org/soap/envelope/' >
<SOAP-ENV:Body>
<m:GetSpecialDiscountedBookingForPartnersResponse
xmlns:m="http://www.MyHotel.com/partnerservice/" >
<!-- Booking confirmation details-->
</m:GetSpecialDiscountedBookingForPartnersResponse>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
1st Generation Web Services
[Diagram labels: SOAP Client, SOAP Server, Hotel Class, RDBMS]
2nd Generation Web Services
[Diagram labels: SOAP Client, SOAP Server, SOAP Server, Hotel Class, RDBMS, Tour Planning Class]
3rd Generation Web Services
[Diagram labels: SOAP Client, SOAP Servers, Plane Class, Hotel Class, RDBMS, Tour Planning Classes, WS-Transaction/WS-Security]
WS Security
[Diagram labels: SOAP Client, SOAP Server, Hotel Class, RDBMS]
SOAP Server (SOAP Aware Firewall)
• inspect SOAP message
• match user roles with access lists
• XML Signature (not SOAP specific)
• XML Encryption (not SOAP specific)
• WSS (SOAP specific use of XMLEnc and XMLDsig)
• Security Assertion Markup Language (SAML) for single sign on replacing HTTP cookies
• XACML (eXtensible Access Control Markup Language) to express authorization and access policies
XML Signature
An IETF/W3C Recommendation
XML Digital Signatures
First, some fundamental ideas:
Message Digest
- message m + digest algorithm da -> hash value h = hda(m)
- impossible to go from h(m) back to m
- very hard to find m’ so that hda(m’) = h(m)
Alice transmits the (da, m, h(m)) triple.
Very useful for checking if errors occurred during transmission
XML Digital Signatures
Problem:
Mallory might replace the (message, hash value) pair with her own (message, hash value) pair. She has access to digest algorithms just like everyone else. Bob checks the arriving triple and everything looks great. No errors during transmission?
XML Digital Signatures
Solution: Get a secret key involved in the calculation of the hash.
Given a message m, compute a hash of m: h = hda(m).
Alice encrypts the hash with a private key: E = Epriv(h).
Alice transmits (da, m, E).
Mallory doesn’t know the private key.
Bob verifies by decrypting E using the secret key (which he shares with Alice). He now has h, which he compares with his own hash of m using the same digest algorithm. If they are equal, he has good reason to believe that m was from Alice and that it has not been manipulated by Mallory.
What Are XML Signatures?
• XML Signatures are digital signatures used in XML transactions
• May be used to sign only a portion of an XML document. The document might have a long history with different parts holding different signatures
• The signature may apply to XML or non-XML data
Referencing What is Signed
• An XML Signature can be used to sign a message outside of the document itself.
• Or, it can be used to sign parts of the document itself.
XMLDsig General Form
The Components of an XML Signature
The <Reference> Element
Each signed resource is specified with a <Reference> element
A typical <Reference> element will contain
- a pointer to what is signed
- a digest method (for example SHA1)
- and a digest value of the message in base 64 notation
The <Reference> Element
The URI is the location of the document being signed.
<Reference URI="http://.../po.xml">
<DigestMethod>…</DigestMethod>
<DigestValue>calculated digest of po.xml</DigestValue>
</Reference>
We may have many references
<Reference>
pointer, digest method, digest value
</Reference>
:
<Reference>
pointer, digest method, digest value
</Reference>
Place Within a SignedInfo Element
<SignedInfo>
<CanonicalizationMethod> algorithm used on SignedInfo element
<SignatureMethod> for example dsa-sha1
<Reference>
pointer, digest method, digest value
</Reference>
<Reference>
pointer, digest method, digest value
</Reference>
</SignedInfo>
Compute Digest of SignedInfo
<SignedInfo>
<CanonicalizationMethod> algorithm used on SignedInfo element
<SignatureMethod> for example dsa-sha1
<Reference>
pointer, digest method, digest value
</Reference>
<Reference>
pointer, digest method, digest value
</Reference>
</SignedInfo>
Sign the digest and place value in a SignatureValue element…
<SignedInfo>
<CanonicalizationMethod> algorithm used on SignedInfo element
<SignatureMethod> for example dsa-sha1
<Reference>
pointer, digest method, digest value
</Reference>
<Reference>
pointer, digest method, digest value
</Reference>
</SignedInfo>
<SignatureValue>Base 64 signature of the SignedInfo Element m.
Epriv(hda(m))
</SignatureValue>
Enclose in a Signature Element
<Signature>
<SignedInfo>
<CanonicalizationMethod> algorithm used on SignedInfo element
<SignatureMethod> for example dsa-sha1
<Reference>
pointer, method, digest value
</Reference>
<Reference>
pointer, method, digest value
</Reference>
</SignedInfo>
<SignatureValue>Signature in Base 64
</SignatureValue>
</Signature>
We may include KeyInfo
<Signature>
<SignedInfo>
<Canonicalization>
<SignatureMethod>
<Reference>…
<Reference>…
</SignedInfo>
<SignatureValue>Base 64 signature of the SignedInfo Element
</SignatureValue>
<KeyInfo>
<X509Data>
<X509SubjectName>CN=Cristina McCarthy, O=CMU,…
<X509Certificate> base 64 public key and identity signed by
a CA
</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
What Can Mallory Do?
• Can she modify the CA signed certificate so that someone else appears to have signed the document?
• Can she modify what is being pointed to by the reference element?
• Can she change the canonicalization method?
• Can she change the contents of the signature method tag?
Verification
1. Canonicalize the SignedInfo element.
2. Compute the digest of the SignedInfo element using the method described within it.
3. Compare the above value with the value obtained by applying the shared secret (or signer’s public key) to the value in the SignatureValue element.
4. Compute digests of referenced items (after any transformations) and compare them with the digests found within each reference tag.
XML Security Tools
Abound
Sign a grade book
Gradebook.xml
<?xml version="1.0" encoding="UTF-8"?>
<GradeBook>
<Student>
<Score>100</Score>
<Score>89</Score>
</Student>
</GradeBook>
We need keys…
D:\..\95-804\IBMXMLSecuritySuite\SampleSign2>keytool -genkey -keyalg RSA -keystore test.keystore -dname "CN=Mike McCarthy, OU=Heinz School, O=CMU, L=Pgh, S=PA, C=US" -alias mjm -storepass sesame -keypass sesame
Creates test.keystore holding keys and a self-signed certificate
Run XSS4J’s SampleSign2
D:\...\95-804\IBMXMLSecuritySuite\SampleSign2>java SampleSign2 mjm sesame sesame -embxml gradebook.xml > signature.xml
Key store: test.keystore
Sign: 851ms
Examine Signature.xml
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></CanonicalizationMethod>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod>
We are signing resource 0
Transforms are applied prior to hashing
<Reference URI="#Res0">
<Transforms>
<Transform Algorithm=
"http://www.w3.org/TR/2001/REC-xmlc14n-20010315">
</Transform>
</Transforms>
<DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1">
</DigestMethod>
<DigestValue>m6f9xhOc4iEXokD/29V9EsdY3yI=
</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
Gll1H/uplOwfaX3j7ST6UqQlc92Hx2nsCdN2KWz32CW0D4hH
64n32v/InkGux1dYgTya6S4s55iHqZEjDpH2I359H4PAxBYYX
Jj4LUBNxAFxUcDy6xrEUbLnKeutT5pf1DBSmxg9Cp3PO5Rs3
6nVN8GVfnFl1M86WQd19/RsAnA=
</SignatureValue>
<KeyInfo>
<KeyValue>
<RSAKeyValue>
<Modulus>
7V5eyhVaw0clED11H6PTPoKQA1VxrLAugU3QxKA0hbbUOiavFb
qCdc6Z+Fe9JZFMkS
Iqdl+khwWwd+AIsRyrN4V2DWm1f+xyYQf6bdZgCaVVgkST1B
pQxBTgNKRcS5VbLrXf
4MXb5TbhA+eo1Qbr2IjlV10aLbVhUk/g+ylag+k=
</Modulus>
<Exponent>AQAB</Exponent>
</RSAKeyValue>
</KeyValue>
<X509Data>
<X509IssuerSerial>
<X509IssuerName>CN=Mike
McCarthy,OU=Heinz
School,O=CMU,L=Pgh,ST=PA,C=US
</X509IssuerName>
<X509SerialNumber>1049138061
</X509SerialNumber>
</X509IssuerSerial>
<X509SubjectName>CN=Mike McCarthy,OU=Heinz
School,O=CMU,L=Pgh,ST=PA,C=US
</X509SubjectName>
<X509Certificate>
</X509Certificate>
</X509Data>
</KeyInfo>
The resource 0 object
<dsig:Object xmlns=""
xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"
Id="Res0">
<GradeBook>
<Student>
<Score>100</Score>
<Score>89</Score>
</Student>
</GradeBook>
</dsig:Object>
</Signature>
Let’s change the low grade!
<dsig:Object xmlns="" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" Id="Res0">
<GradeBook>
<Student>
<Score>100</Score>
<Score>100</Score>
</Student>
</GradeBook></dsig:Object>
And run verify…
D:\McCarthy\www\95804\IBMXMLSecuritySuite\SampleSign2>java VerifyCUI < signature.xml
The signature has a KeyValue element.
The signature has one or more X509Data elements.
Checks an X509Data:
1 certificate(s).
Certificate Information:
Version: 1
Validity: OK
SubjectDN: CN=Mike McCarthy, OU=Heinz School, O=CMU, L=Pgh, ST=PA, C=US
IssuerDN: CN=Mike McCarthy, OU=Heinz School, O=CMU, L=Pgh, ST=PA, C=US
Serial#: 0x3e88938d
Time to verify: 521 [msec]
Core Validity: NG
Signature Validity: OK
[0] "#Res0"
NG: Digest value mismatch: calculated: tfVyHns8wRB6l/HDU2dXZkzf+7Q=
Exception in thread "main" java.lang.RuntimeException: Core Validity: NG
at dsig.VerifyCUI.main(VerifyCUI.java:137)
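Added example (not from the slides or the IBM XML Security Suite): a Python sketch of the four verification steps, run against the grade book tampering shown above. It assumes a shared-secret HMAC-SHA256 signature, SHA-256 digests and the standard library's C14N 2.0 in place of the slides' rsa-sha1, sha1 and C14N 1.0; the key, the sample document and all helper names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
# Assumptions so the example runs on the standard library alone:
C14N_ALG = "http://www.w3.org/2010/xml-c14n2"                   # C14N 2.0, not the slides' C14N 1.0
SIG_ALG = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"  # shared secret, not rsa-sha1
DIGEST_ALG = "http://www.w3.org/2001/04/xmlenc#sha256"          # not sha1
ET.register_namespace("ds", DS)

# Constructed sample: the grade book from the slides, written without whitespace.
GRADEBOOK = "<GradeBook><Student><Score>100</Score><Score>89</Score></Student></GradeBook>"


def q(name):
    """Qualified tag name in the XMLDSig namespace."""
    return f"{{{DS}}}{name}"


def b64(data):
    return base64.b64encode(data).decode("ascii")


def c14n(elem):
    """Canonical bytes of one element and its subtree."""
    return ET.canonicalize(ET.tostring(elem, encoding="unicode")).encode("utf-8")


def sign(payload_xml, key, ref_id="Res0"):
    """Build an enveloping <Signature> whose <Object> holds the payload."""
    sig = ET.Element(q("Signature"))
    signed_info = ET.SubElement(sig, q("SignedInfo"))
    ET.SubElement(signed_info, q("CanonicalizationMethod"), Algorithm=C14N_ALG)
    ET.SubElement(signed_info, q("SignatureMethod"), Algorithm=SIG_ALG)
    ref = ET.SubElement(signed_info, q("Reference"), URI="#" + ref_id)
    ET.SubElement(ref, q("DigestMethod"), Algorithm=DIGEST_ALG)
    digest_value = ET.SubElement(ref, q("DigestValue"))
    sig_value = ET.SubElement(sig, q("SignatureValue"))
    obj = ET.SubElement(sig, q("Object"), Id=ref_id)
    obj.append(ET.fromstring(payload_xml))
    # The digest covers the referenced object; the keyed value covers SignedInfo.
    digest_value.text = b64(hashlib.sha256(c14n(obj)).digest())
    sig_value.text = b64(hmac.new(key, c14n(signed_info), hashlib.sha256).digest())
    return ET.tostring(sig, encoding="unicode")


def verify(signature_xml, key):
    """Return (signature_ok, references_ok) for an enveloping signature."""
    sig = ET.fromstring(signature_xml)
    signed_info = sig.find(q("SignedInfo"))
    # Steps 1-3: canonicalize SignedInfo, recompute the keyed value, compare.
    # The verifier pins the algorithm it accepts instead of trusting the document.
    method = signed_info.find(q("SignatureMethod")).get("Algorithm")
    expected = hmac.new(key, c14n(signed_info), hashlib.sha256).digest()
    claimed = base64.b64decode(sig.findtext(q("SignatureValue")))
    signature_ok = method == SIG_ALG and hmac.compare_digest(expected, claimed)
    # Step 4: recompute the digest of every referenced item.
    references_ok = True
    for ref in signed_info.iter(q("Reference")):
        target_id = ref.get("URI")[1:]
        target = next((e for e in sig.iter() if e.get("Id") == target_id), None)
        stored = base64.b64decode(ref.findtext(q("DigestValue")))
        if target is None or not hmac.compare_digest(
                hashlib.sha256(c14n(target)).digest(), stored):
            references_ok = False
    return signature_ok, references_ok


def demo():
    """Run the slides' tampering scenarios and return the verdict for each."""
    key = b"constructed-shared-secret"
    signed = sign(GRADEBOOK, key)
    results = {"untouched": verify(signed, key)}

    # The low grade is raised, nothing else is touched.
    grade_changed = signed.replace("<Score>89</Score>", "<Score>100</Score>")
    results["grade changed"] = verify(grade_changed, key)

    # The DigestValue is recomputed as well (digest algorithms are public).
    doc = ET.fromstring(grade_changed)
    doc.find(".//" + q("DigestValue")).text = b64(
        hashlib.sha256(c14n(doc.find(q("Object")))).digest())
    results["grade and digest changed"] = verify(ET.tostring(doc, encoding="unicode"), key)

    # The contents of the SignatureMethod tag are altered.
    results["signature method changed"] = verify(signed.replace(SIG_ALG, SIG_ALG + "-x"), key)
    return results


if __name__ == "__main__":
    for scenario, (sig_ok, refs_ok) in demo().items():
        print(f"{scenario}: signature valid={sig_ok}, references valid={refs_ok}")
```

Changing only the grade leaves the signature over SignedInfo valid but fails the reference digest, which is the "Signature Validity: OK" with "Digest value mismatch" result in the VerifyCUI output. Recomputing DigestValue, or editing anything else inside SignedInfo, invalidates the signature instead.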
Another Example PO.XML
<?xml version="1.0" encoding="UTF-8"?>
<PurchaseOrder xmlns="urn:purchase-order">
<Customer>
<Name>Robert Smith</Name>
<CustomerId>788335</CustomerId>
</Customer>
<Item partNum="C763">
<ProductId>6883-JF3</ProductId>
<Quantity>3</Quantity>
<ShipDate>2002-09-03</ShipDate>
<Name>ThinkPad X20</Name>
</Item>
</PurchaseOrder>
PO After Signing
<?xml version='1.0' encoding='UTF-8'?>
<SignedPurchaseOrder>
<PurchaseOrder id="id0" xmlns="urn:purchase-order">
<Customer>
<Name>Robert Smith</Name>
<CustomerId>788335</CustomerId>
</Customer>
<Item partNum="C763">
<ProductId>6883-JF3</ProductId>
<Quantity>3</Quantity>
<ShipDate>2002-09-03</ShipDate>
<Name>ThinkPad X20</Name>
</Item>
</PurchaseOrder>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="#id0">
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>UfeiscUCL7QkhZtRDLWDPWLpVlA=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
Ptysg8WdHI2mxwryOOt5I9r9qZm/2gNFNOJyH1Wak4nCUeg
Rpe72tWnsigAKZyopmgUSH3TG
aGGQF1BTSvk3JUUY/ljrw+5FpTpf3hgZBi7GSWf6WtXqZvMY
GUKIlvR/421MZg7P9XRUyy37
ZUzQHtmCYkBorEkEx1J4CYB0G2c=
</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>
</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
</SignedPurchaseOrder>
Web Service Security
• Describes how XMLDSig is used within the web service framework.
• SOAP Headers are used to hold the signature
SOAP
<Envelope>
<Header>
:
</Header>
<Body>
:
</Body>
</Envelope>
Header: WS-* specifications are placed in the header area and will be handled by intermediaries.
Body: message payload, including fault messages, as well-formed XML.
WSS XMLDSig Listing 1
<?xml version="1.0"?>
<SOAP-ENV:Envelope
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Body>
<s:GetSpecialDiscountedBookingForPartners
xmlns:s="http://www.MyHotel.com/partnerservice/">
<!--Parameters passed with the method call-->
</s:GetSpecialDiscountedBookingForPartners>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
From “Web Services Security”, Bilal Siddiqui
Sign The SOAP Request
<?xml version="1.0"?>
<SOAP-ENV:Envelope
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<SOAP-ENV:Header>
<ds:Signature>
<!-- wraps all other XMLDS elements -->
<ds:SignedInfo>
<!-- note the ds prefix -->
</ds:SignedInfo>
<!-- note three children of signedInfo -->
<ds:SignatureValue>
</ds:SignatureValue>
<ds:KeyInfo>
</ds:KeyInfo>
</ds:Signature>
</SOAP-ENV:Header>
<SOAP-ENV:Body>
<s:GetSpecialDiscountedBookingForPartners
xmlns:s="http://www.MyHotel.com/partnerservice/">
<!--Parameters passed with the method call-->
</s:GetSpecialDiscountedBookingForPartners>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
After Signing (1)
<?xml version="1.0"?>
<SOAP-ENV:Envelope
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<SOAP-ENV:Header>
<ds:Signature>
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#GetSpecialDiscountedBookingForPartners">
<ds:Transforms>
<ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
After Signing (2)
<ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>
BIUddkjKKo2...
</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
halHJghyf765....
</ds:SignatureValue>
<ds:KeyInfo>
<!-- the key name for signature verification -->
<ds:KeyName>MyKeyIdentifier</ds:KeyName>
</ds:KeyInfo>
<!-- application dependent, perhaps a symmetric key ID -->
</ds:Signature>
</SOAP-ENV:Header>
After Signing (3)
<SOAP-ENV:Body>
<s:GetSpecialDiscountedBookingForPartners
xmlns:s="http://www.MyHotel.com/partnerservice/"
ID="GetSpecialDiscountedBookingForPartners">
<!--Parameters passed with the method call-->
</s:GetSpecialDiscountedBookingForPartners>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
Validation Procedure
(1) Canonicalize the SignedInfo element.
(2) Check message integrity. We’ll need
a. the data to be digested
b. any transforms to perform first
c. the digest algorithm
(3) If the digests compare equal, verify the signature (continued)
Validation Procedure
(3) If the digests compare equal, verify the signature
a. get the signer’s key (public key or shared secret), perhaps by consulting the <KeyInfo> element
b. read the signature method used to compute the signature
c. attempt to verify and, if we have a match, call GetSpecialDiscountedBookingForPartners
XML Encryption & Web
Service Security
XML Encryption
• W3C Recommendation 10 December 2002
• JSR 105 XMLDSig proposed final draft
• JSR 106 XMLEnc is in progress
• JWSDP1.5 supports Web Services Security V1.0
• .Net supports XMLEnc out of the box
• Some notes from http://www-106.ibm.com/developerworks/library/xencrypt/index.html by Bilal Siddiqui and “Secure XML” by Eastlake and Niles, Addison Wesley
General Form 1
<EncryptedData>
<CipherData>
<CipherValue>
cipher text in Base 64
</CipherValue>
</CipherData>
</EncryptedData>
General Form 2
<EncryptedData>
<CipherData>
<CipherReference>
pointer (URL) to cipher text
</CipherReference>
</CipherData>
</EncryptedData>
EncryptedData is the core element
• Replaces the encrypted element or
• Serves as the new document root
• May contain a KeyInfo element that describes the key needed for decryption (borrowed from XML Digital Signature) or signature verification
General Example (1)
<MedInfo>
<ID>
<Name>…</Name>
<Address>…</Address>
</ID>
<Medical>…</Medical>
<Financial>…</Financial>
</MedInfo>
General Example (2)
<MedInfo>
<ID>…</ID>
<EncryptedData>
<KeyInfo>
<KeyName>Medical</KeyName>
</KeyInfo>
<CipherData>
<CipherValue>cipher text</CipherValue>
</CipherData>
</EncryptedData>
General Example (3)
<Financial>
<EncryptedData>
<KeyInfo>
<KeyName>Pay</KeyName>
</KeyInfo>
<CipherData>
<CipherValue>cipher text</CipherValue>
</CipherData>
</EncryptedData>
</Financial>
</MedInfo>
Detailed Example (Listing 1)
<purchaseOrder>
<Order>
<Item>book</Item>
<Id>123-958-74598</Id>
<Quantity>12</Quantity>
</Order>
<Payment>
<CardId>123654-8988889-9996874</CardId>
<CardName>visa</CardName>
<ValidDate>12-10-2004</ValidDate>
</Payment>
</purchaseOrder>
Encrypting the Entire File (Listing 2)
<?xml version='1.0' ?>
<EncryptedData
xmlns='http://www.w3.org/2001/04/xmlenc#'
Type='http://www.isi.edu/in-notes/iana/assignments/media-types/text/xml'>
<CipherData>
<CipherValue>bd347ba…</CipherValue>
</CipherData>
</EncryptedData>
IANA = Internet Assigned Numbers Authority, a function of The Internet Corporation for Assigned Names and Numbers
Encrypting The Payment (Listing 3)
One element is encrypted:
<?xml version='1.0' ?>
<PurchaseOrder>
<Order>
<Item>book</Item>
<Id>123-958-74598</Id>
<Quantity>12</Quantity>
</Order>
<EncryptedData
Type='http://www.w3.org/2001/04/xmlenc#Element'
xmlns='http://www.w3.org/2001/04/xmlenc#'>
<CipherData>
<CipherValue>A23B45C564587…</CipherValue>
</CipherData>
</EncryptedData>
</PurchaseOrder>
Encrypting Only the CardId (Listing 4)
Callout: Element content
<?xml version='1.0' ?>
<PurchaseOrder>
<Order>
<Item>book</Item>
<Id>123-958-74598</Id>
<Quantity>12</Quantity>
</Order>
<Payment>
<CardId>
<EncryptedData
Type='http://www.w3.org/2001/04/xmlenc#Content'
xmlns='http://www.w3.org/2001/04/xmlenc#'>
<CipherData>
<CipherValue>A23B45C564587</CipherValue>
</CipherData>
</EncryptedData>
</CardId>
<CardName>visa</CardName>
<ValidDate>12-10-2004</ValidDate>
</Payment>
</PurchaseOrder>
Encrypting Non-XML Data (Listing 5)
<?xml version='1.0' ?>
<EncryptedData
xmlns='http://www.w3.org/2001/04/xmlenc#'
Type='http://www.isi.edu/innotes/iana/assignments/media-types/jpeg' >
<CipherData>
<CipherValue>A23B45C56…</CipherValue>
</CipherData>
</EncryptedData>
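The listings differ in how much of the document stays readable to Eve. The following is an added example, not part of the original slides: it walks a document, records where each EncryptedData sits and with which Type, and lists every element that is still in cleartext. The function name `exposure` and the compacted one-line form of Listings 3 and 4 are assumptions of this example.

```python
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"

def exposure(xml_text):
    """Return (encrypted, cleartext) for a document that uses XML Encryption.

    encrypted: (path of the node holding EncryptedData, Type suffix) pairs
    cleartext: (path, text) pairs for every leaf element still readable
    """
    encrypted, cleartext = [], []

    def walk(elem, path):
        if elem.tag == f"{{{XENC}}}EncryptedData":
            kind = elem.get("Type", "")
            if kind.startswith(XENC):
                kind = kind[len(XENC):]          # "Element" or "Content"
            encrypted.append((path or "/", kind))
            return                               # nothing below is readable
        here = f"{path}/{elem.tag}"
        children = list(elem)
        if not children:
            cleartext.append((here, (elem.text or "").strip()))
        for child in children:
            walk(child, here)

    walk(ET.fromstring(xml_text), "")
    return encrypted, cleartext

# Listings 3 and 4 from the slides, compacted onto fewer lines.
ORDER = "<Order><Item>book</Item><Id>123-958-74598</Id><Quantity>12</Quantity></Order>"
CIPHER = "<CipherData><CipherValue>A23B45C564587</CipherValue></CipherData>"
LISTING_3 = (f"<PurchaseOrder>{ORDER}"
             f"<EncryptedData Type='{XENC}Element' xmlns='{XENC}'>{CIPHER}</EncryptedData>"
             "</PurchaseOrder>")
LISTING_4 = (f"<PurchaseOrder>{ORDER}<Payment><CardId>"
             f"<EncryptedData Type='{XENC}Content' xmlns='{XENC}'>{CIPHER}</EncryptedData>"
             "</CardId><CardName>visa</CardName><ValidDate>12-10-2004</ValidDate>"
             "</Payment></PurchaseOrder>")

if __name__ == "__main__":
    for name, doc in (("Listing 3", LISTING_3), ("Listing 4", LISTING_4)):
        encrypted, cleartext = exposure(doc)
        print(name, "encrypted at:", encrypted)
        print(name, "still readable:", cleartext)
```

With Type Element the name of the encrypted element is hidden as well; with Type Content the CardId tag, the card brand and the expiry date all remain visible.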
Web Services Security Using Sun’s Application Server
No Security SOAP Going to Service
Running the simple.TestClient program....
Service URL=http://localhost:8080/securesimple/Ping
About to ping
Apr 9, 2005 10:17:52 AM com.sun.xml.wss.filter.DumpFilter process
INFO: ==== Sending Message Start ====
<?xml version="1.0" encoding="UTF-8"?>
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:enc="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:ns0="http://xmlsoap.org/Ping"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<env:Body>
<ns0:Ping>
<ns0:ticket>SUNW</ns0:ticket>
<ns0:text>Hello!</ns0:text>
</ns0:Ping>
</env:Body>
</env:Envelope>
SOAP Response
<?xml version="1.0" encoding="UTF-8"?>
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:enc="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:ns0="http://xmlsoap.org/Ping"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<env:Body>
<ns0:PingResponse>
<ns0:text>Hello! Mike!</ns0:text>
</ns0:PingResponse>
</env:Body>
</env:Envelope>
Ping complete
Configure The Client to Encrypt
<xwss:JAXRPCSecurity xmlns:xwss="http://java.sun.com/xml/ns/xwss/config">
<xwss:Service>
<xwss:SecurityConfiguration dumpMessages="true">
<!-- Since no targets have been specified below, the contents of
the soap body would be encrypted by default.
-->
<xwss:Encrypt>
<xwss:X509Token certificateAlias="s1as"/>
</xwss:Encrypt>
</xwss:SecurityConfiguration>
</xwss:Service>
<xwss:SecurityEnvironmentHandler>
com.sun.xml.wss.sample.SecurityEnvironmentHandler
</xwss:SecurityEnvironmentHandler>
</xwss:JAXRPCSecurity>
Configure The Server To Require Encryption
<xwss:JAXRPCSecurity xmlns:xwss="http://java.sun.com/xml/ns/xwss/config">
<xwss:Service>
<xwss:SecurityConfiguration dumpMessages="true">
<!-- Encryption requirement. As no target is specified, the contents
of the soap body of the request are expected to be encrypted.
-->
<xwss:RequireEncryption/>
</xwss:SecurityConfiguration>
</xwss:Service>
<xwss:SecurityEnvironmentHandler>
com.sun.xml.wss.sample.SecurityEnvironmentHandler
</xwss:SecurityEnvironmentHandler>
</xwss:JAXRPCSecurity>
Encrypted Request
<?xml version="1.0" encoding="UTF-8"?>
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:enc="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:ns0="http://xmlsoap.org/Ping"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<env:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss
env:mustUnderstand="1">
<wsse:BinarySecurityToken
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-ws
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x5
wsu:Id="Id-6842673312555922560">MIIDWTCCAsKgAwIBAgIBATANBgk
G9w0BAQQFADB0MQswCQYDVQQ
Large truncation for slides
</wsse:BinarySecurityToken>
<xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<wsse:SecurityTokenReference>
<wsse:Reference URI="#Id-6842673312555922560"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-w
</wsse:SecurityTokenReference>
</ds:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>KB79tvoF6Bu7JeL2Re6iGG8
BhdhOFcZiNDJrJNe8lV3GE6
Sk+s453IF3GFpmkmQttPhzH1D
HKQ+2nFjIWPdyZObK3cVyDf
rox7Ysjbfuo4TNwElHvKtnGVNb
cQIGWiwyxHIZCjqCdF8LM8E1
gCZgYSaRh3V48VMlOsfZ8RCR
Vjw=
</xenc:CipherValue>
</xenc:CipherData>
<xenc:ReferenceList>
<xenc:DataReference URI="#Id7870285788177789579"/>
</xenc:ReferenceList>
</xenc:EncryptedKey>
</wsse:Security>
</env:Header>
<env:Body>
<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
Id="Id7870285788177789579"
Type="http://www.w3.org/2001/04/xmlenc#Content">
<xenc:EncryptionMethod Algorithm=
"http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
<xenc:CipherData>
<xenc:CipherValue>
SL1G08+bGFaqEOefJWtBpOipgkvs8i7JWNwoGum5TO
EyZkStSKav/lYygoC5/ji11rccnQWNq/Tg1eYX52UTalAS
Large truncation for slides
</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
</env:Body>
</env:Envelope>
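The encrypted request ties its parts together by Id: the EncryptedKey in the header lists a DataReference whose URI names the EncryptedData in the Body. The following is an added example, not code from the slides or from XWSS: a structural check, usable on a dumped message, that the Body holds only EncryptedData and that every reference resolves. The function names, the placeholder Security namespace and the sample messages are constructed for this example.

```python
import xml.etree.ElementTree as ET

ENV = "http://schemas.xmlsoap.org/soap/envelope/"
XENC = "http://www.w3.org/2001/04/xmlenc#"

def check_encrypted_body(envelope_xml):
    """Return findings; [] means the Body holds only EncryptedData and each
    one is tied by Id to an EncryptedKey DataReference in the Header."""
    root = ET.fromstring(envelope_xml)
    body, header = root.find(f"{{{ENV}}}Body"), root.find(f"{{{ENV}}}Header")
    if body is None:
        return ["no SOAP Body"]
    findings = []
    cleartext = [c.tag for c in body if c.tag != f"{{{XENC}}}EncryptedData"]
    if cleartext or len(body) == 0:
        findings.append(f"Body is not fully encrypted: {cleartext}")
    referenced = set()   # DataReference URIs with the leading '#' removed
    if header is not None:
        for key in header.iter(f"{{{XENC}}}EncryptedKey"):
            for ref in key.findall(f"{{{XENC}}}ReferenceList/{{{XENC}}}DataReference"):
                referenced.add(ref.get("URI", "").lstrip("#"))
    present = set()
    for data in root.iter(f"{{{XENC}}}EncryptedData"):
        present.add(data.get("Id"))
        if data.get("Id") not in referenced:
            findings.append(f"EncryptedData {data.get('Id')} has no EncryptedKey reference")
    for uri in sorted(referenced - present):
        findings.append(f"DataReference #{uri} resolves to nothing")
    return findings

# Constructed messages modelled on the slides; the Security wrapper namespace
# is a placeholder because the slides truncate the real one.
def sample(ref_uri, body):
    return (f'<env:Envelope xmlns:env="{ENV}" xmlns:xenc="{XENC}" '
            'xmlns:ns0="http://xmlsoap.org/Ping"><env:Header>'
            '<s:Security xmlns:s="urn:example:placeholder"><xenc:EncryptedKey>'
            f'<xenc:ReferenceList><xenc:DataReference URI="{ref_uri}"/>'
            '</xenc:ReferenceList></xenc:EncryptedKey></s:Security></env:Header>'
            f'<env:Body>{body}</env:Body></env:Envelope>')

ENCRYPTED = ('<xenc:EncryptedData Id="Id7870285788177789579"><xenc:CipherData>'
             '<xenc:CipherValue>Y29uc3RydWN0ZWQ=</xenc:CipherValue>'
             '</xenc:CipherData></xenc:EncryptedData>')
PING = "<ns0:Ping><ns0:ticket>SUNW</ns0:ticket><ns0:text>Hello!</ns0:text></ns0:Ping>"

if __name__ == "__main__":
    print(check_encrypted_body(sample("#Id7870285788177789579", ENCRYPTED)))
    print(check_encrypted_body(sample("#Id7870285788177789579", PING)))
```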
SOAP Response
<?xml version="1.0" encoding="UTF-8"?>
<env:Envelope xmlns:env=
"http://schemas.xmlsoap.org/soap/envelope/"
xmlns:enc="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:ns0="http://xmlsoap.org/Ping"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<env:Body>
<ns0:PingResponse>
<ns0:text>Hello! Mike!</ns0:text>
</ns0:PingResponse>
</env:Body>
</env:Envelope>