Service Oriented Architecture Lecture 4 Web Service Security, XML Signature and XML Encryption Mike McCarthy Notes adapted from “Web Services Security”, Bilal Siddiqui 95-843: Service Oriented Architecture Quic kTime™ and a TIFF (Unc ompres sed) dec ompres sor are needed to see this pic ture. Master of Information System Management 1 Web Services & Cryptography • Bob and Alice – Want to exchange SOAP messages. • Eve is always watching. • Mallory is always trying to cause trouble. 95-843: Service Oriented Architecture Quic kTime™ and a TIFF (Unc ompres sed) dec ompres sor are needed to see this pic ture. Master of Information System Management 2 What’s going on? • Web Services Security (WSS) specification from OASIS • Message confidentiality • Message identification (Who are you?) • Message authentication (Can you prove it?) • Authorization (What are you allowed to do?) • End-to-end (not just point-to-point) 95-843: Service Oriented Architecture Quic kTime™ and a TIFF (Unc ompres sed) dec ompres sor are needed to see this pic ture. Master of Information System Management 3 The WS Cryptography Stack XML Web Services Security SAML (Security Assertion ML),XKMS (XML Key Management Specification), XACML (eXtensible Access Control Markup Language) XMLDSIG (W3C) XMLENC (W3C) .NET Crypto API’s 95-843: Service Oriented Architecture Quic kTime™ and a TIFF (Unc ompres sed) dec ompres sor are needed to see this pic ture. Master of Information System Management Java Security API’s 4 Tools Becoming common • Apache’s WSS4J (Web Services Security) • Java’s JCE and JCA • C# Crypto API’s • Active Endpoints supports security if you purchase their product • IBM’s WebSphere • Microsoft, Oracle… 95-843: Service Oriented Architecture Quic kTime™ and a TIFF (Unc ompres sed) dec ompres sor are needed to see this pic ture. Master of Information System Management 5 The Need For Web Services Application integration within the enterprise Application integration across enterprise boundaries customers partners suppliers 95-843: Service Oriented Architecture Quic kTime™ and a TIFF (Unc ompres sed) dec ompres sor are needed to see this pic ture. Master of Information System Management 6 A Tourism Supply Chain Hotel Hotel Tourists Tour Operator Car Rental Car Rental Without WSS - coarse-grained protection provided by firewalls Hotel - SSL provides point-to-point encryption and authentication Anyone may call RoomRentInfoForAll() With WSS - fine grained security Restricted callers RoomRentInfoForPartnersOnly() decisions 95-843: Service Oriented Architecture Quic kTime™ and a TIFF (Unc ompres sed) dec ompres sor are needed to see this pic ture. Master of Information System Management 7 Service Oriented Architecture SOAP over HTTP SOAP Server Hotel RoomRentInfoForAll() RoomRentInfoForPartnersOnly() 95-843: Service Oriented Architecture Quic kTime™ and a TIFF (Unc ompres sed) dec ompres sor are needed to see this pic ture. Master of Information System Management 8 Listing 1 SOAP Request POST /Vendors HTTP/1.1 Host: www.myHotel.com Content-Type: text/xml;Charset=utf-8 Content-Length: 350 SOAPACtion:"" <?xml version='1.0'?> <SOAP-ENV:Envelope xmlns:SOAP-ENV='http://schemas.xmlsoap.org/soap/envelope/' > <SOAP-Env:Body> <s:GetSpecialDiscountedBookingForPartners xmlns:s='http://www.MyHotel.com/partnerservice/' > <!--Parameters passed with the method call--> </s:GetSpecialDiscountedBookingForPartners> </SOAP-Env:Body> </SOAP-Env:Envelope> 95-843: Service Oriented Architecture Quic kTime™ and a TIFF (Unc ompres sed) dec ompres sor are needed to see this pic ture. Master of Information System Management 9 Listing 2 SOAP Response HTTP/1.0 200 OK Content-Type: text/xml; charset=utf-8 Content-Length: 1474 <?xml version="1.0"> <SOAP-ENV:Envelope xmlns:SOAP-ENV='http://schemas.xmlsoap.org/soap/envelope/' > <SOAP-ENV:Body> <m:GetSpecialDiscountedBookingForPartnersResponse xmlns:m="http://www.MyHotel.com/partnerservice/" > <!-- Booking confirmation details--> </m:GetSpecialDiscountedBookingForPartnersResponse> </SOAP-ENV:Body> </SOAP-ENV:Envelope> 95-843: Service Oriented Architecture Quic kTime™ and a TIFF (Unc ompres sed) dec ompres sor are needed to see this pic ture. Master of Information System Management 10 1st Generation Web Services SOAP Client SOAP Server 95-843: Service Oriented Architecture Quic kTime™ and a TIFF (Unc ompres sed) dec ompres sor are needed to see this pic ture. Master of Information System Management Hotel Class RDBMS 11 2ND Generation Web Services SOAP Server SOAP Client SOAP Server 95-843: Service Oriented Architecture Quic kTime™ and a TIFF (Unc ompres sed) dec ompres sor are needed to see this pic ture. Master of Information System Management Hotel Class RDBMS Tour Planning Class 12 3RD Generation Web Services •• •• SOAP Server Plane Class RDBMS SOAP Server Hotel Class RDBMS WS-Transaction/WS-Security SOAP Client SOAP SOAP Server Server 95-843: Service Oriented Architecture Quic kTime™ and a TIFF (Unc ompres sed) dec ompres sor are needed to see this pic ture. Master of Information System Management Tour Tour Planning Planning Class Class 13 WS Security SOAP Client SOAP Server Hotel Class RDBMS SOAP Server (SOAP Aware Firewall) • inspect SOAP message • match user roles with access lists • XML Signature (not SOAP specific) • XML Encryption (not SOAP specific) • WSS (SOAP specific use of XMLEnc and XMLDsig) • Security Access Markup Language (SAML) for single sign on replacing HTTP cookies • XACML (extensible Access Control Markup Language) to express authorization and access policies 95-843: Service Oriented Architecture Quic kTime™ and a TIFF (Unc ompres sed) dec ompres sor are needed to see this pic ture. Master of Information System Management 14 XML Signature An IETF/W3C Recommendation 95-843: Service Oriented Architecture Quic kTime™ and a TIFF (Unc ompres sed) dec ompres sor are needed to see this pic ture. Master of Information System Management 15 XML Digital Signatures First, some fundamental ideas: Message Digest -message m + digest algorithm da -> hash value h = hda(m) -impossible to go from h(m) back to m -very hard to find m’ so that hda(m’) = h(m) Alice transmits (da,m,h(m)) triple. Very useful for checking if errors occurred during transmission 95-843: Service Oriented Architecture Quic kTime™ and a TIFF (Unc ompres sed) dec ompres sor are needed to see this pic ture. Master of Information System Management 16 XML Digital Signatures Problem: Mallory might replace the message, hash value pair with her own message, hash value pair. She has access to digest algorithms just like everyone else. Bob checks the arriving triple and everything looks great. No errors during transmission? 95-843: Service Oriented Architecture Quic kTime™ and a TIFF (Unc ompres sed) dec ompres sor are needed to see this pic ture. Master of Information System Management 17 XML Digital Signatures Solution: Get a secret key involved in the calculation of the hash. Given a message m, compute a hash of m. h = hda(m). Alice encrypts the hash with a private key. E = Epriv(h). Alice Transmit (da,m,E). Mallory doesn’t know the private key. Bob verifies by decrypting E using the secret key (which he shares with Alice). He now has h which he compares with his own hash of m using the same digest algorithm. If they are equal he has good reason to believe that m was from Alice and that it has not been manipulated by Mallory. 95-843: Service Oriented Architecture Quic kTime™ and a TIFF (Unc ompres sed) dec ompres sor are needed to see this pic ture. Master of Information System Management 18 What Are XML Signatures? • XML Signatures are digital signatures used in XML transactions • May be used to sign only a portion of an XML document. The document might have a long history with different parts holding different signatures • The signature may apply to XML or nonXML data 95-843: Service Oriented Architecture Quic kTime™ and a TIFF (Unc ompres sed) dec ompres sor are needed to see this pic ture. Master of Information System Management 19 Referencing What is Signed • An XML Signature can be used to sign a message outside of the document itself. • Or, it can be used to sign parts of the document itself. 95-843: Service Oriented Architecture Quic kTime™ and a TIFF (Unc ompres sed) dec ompres sor are needed to see this pic ture. Master of Information System Management 20 XMLDsig General Form The Components of an XML Signature 95-843: Service Oriented Architecture Quic kTime™ and a TIFF (Unc ompres sed) dec ompres sor are needed to see this pic ture. Master of Information System Management 21 The <Reference> Element Each signed resource is specified with a <Reference> element A typical <Reference> element will contain - a pointer to what is signed - a digest method (for example SHA1) - and a digest value of the message in base 64 notation 95-843: Service Oriented Architecture Quic kTime™ and a TIFF (Unc ompres sed) dec ompres sor are needed to see this pic ture. Master of Information System Management 22 The <Reference> Element This is the location of the document being signed. <Reference URI =“http://.../po.xml”> <DigestMethod>….</DigestMethod> <DigestValue> calculated digest of po.xml </DigestValue> </Reference> 95-843: Service Oriented Architecture Quic kTime™ and a TIFF (Unc ompres sed) dec ompres sor are needed to see this pic ture. Master of Information System Management 23 We may have many references <Reference> pointer, digest method, digest value </Reference> : <Reference> pointer, digest method, digest value </Reference> 95-843: Service Oriented Architecture Quic kTime™ and a TIFF (Unc ompres sed) dec ompres sor are needed to see this pic ture. Master of Information System Management 24 Place Within a SignedInfo Element <SignedInfo> <CanonicalizationMethod> algorithm used on SignedInfo element <SignatureMethod> for example dsa-sha1 <Reference> pointer, digest method, digest value </Reference> <Reference> pointer, digest method, digest value </Reference> </SignedInfo> 95-843: Service Oriented Architecture Quic kTime™ and a TIFF (Unc ompres sed) dec ompres sor are needed to see this pic ture. Master of Information System Management 25 Compute Digest of SignedInfo <SignedInfo> <CanonicalizationMethod> algorithm used on SignedInfo element <SignatureMethod> for example dsa-sha1 <Reference> pointer, digest method, digest value </Reference> <Reference> pointer, digest method, digest value </Reference> </SignedInfo> 95-843: Service Oriented Architecture Quic kTime™ and a TIFF (Unc ompres sed) dec ompres sor are needed to see this pic ture. Master of Information System Management 26 Sign the digest and place value in a SignatureValue element… <SignedInfo> <CanonicalizationMethod> algorithm used on SignedInfo element <SignatureMethod> for example dsa-sha1 <Reference> pointer, digest method, digest value </Reference> <Reference> pointer, digest method, digest value </Reference> </SignedInfo> <SignatureValue>Base 64 signature of the SignedInfo Element m. Epriv(hda(m)) </SignatureValue> 95-843: Service Oriented Architecture Quic kTime™ and a TIFF (Unc ompres sed) dec ompres sor are needed to see this pic ture. Master of Information System Management 27 Enclose in a Signature Element <Signature> <SignedInfo> <CanonicalizationMethod> algorithm used on SignedInfo element <SignatureMethod> for example dsa-sha1 <Reference> pointer, method, digest value </Reference> <Reference> pointer, method, digest value </Reference> </SignedInfo> <SignatureValue>Signature in Base 64 </SignatureValue> </Signature> 95-843: Service Oriented Architecture Quic kTime™ and a TIFF (Unc ompres sed) dec ompres sor are needed to see this pic ture. Master of Information System Management 28 We may include KeyInfo <Signature> <SignedInfo> <Canonicalization> <SignatureMethod> <Reference>… <Reference>… </SignedInfo> <SignatureValue>Base 64 signature of the SignedInfo Element </SignatureValue> <KeyInfo> <X509Data> <X509SubjectName>CN=Cristina McCarthy, O=CMU,… <X509Certificate> base 64 public key and identity signed by a CA </X509Certificate> </X509Data> </KeyInfo> 95-843: Service Oriented Architecture </Signature> Quic kTime™ and a TIFF (Unc ompres sed) dec ompres sor are needed to see this pic ture. Master of Information System Management 29 What Can Mallory Do? • Can she modify the CA signed certificate so that someone else appears to have signed the document? • Can she modify what is being pointed by the reference element? • Can she change the canonicalization method? • Can she change the contents of the signature method tag? 95-843: Service Oriented Architecture Quic kTime™ and a TIFF (Unc ompres sed) dec ompres sor are needed to see this pic ture. Master of Information System Management 30 Verification 1. Canonicalize the SignedInfo element. 2. Compute the digest of the SignedInfo element using the method described within it 3. Compare the above value with that value got from applying the shred secret (or signer’s public key) to the value in the SignatureValue element 4. Compute digests of referenced items (after any transformations) and compare those digests found within each reference tag 95-843: Service Oriented Architecture Quic kTime™ and a TIFF (Unc ompres sed) dec ompres sor are needed to see this pic ture. Master of Information System Management 31 XML Security Tools Abound 95-843: Service Oriented Architecture Quic kTime™ and a TIFF (Unc ompres sed) dec ompres sor are needed to see this pic ture. Master of Information System Management 32 Sign a grade book Gradebook.xml <?xml version="1.0" encoding="UTF-8"?> <GradeBook> <Student> <Score>100</Score> <Score>89</Score> </Student> </GradeBook> 95-843: Service Oriented Architecture Quic kTime™ and a TIFF (Unc ompres sed) dec ompres sor are needed to see this pic ture. Master of Information System Management 33 We need keys… D:\..\95-804\IBMXMLSecuritySuite\SampleSign2> keytool -genkey -keyalg RSA -keystore test.keystore -dname "CN=Mike McCarthy, OU=Heinz School, O=CMU, L=Pgh, S=PA, C=US" -alias mjm -storepass sesame -keypass sesame Creates test.keystore holding keys and a self-signed certificate 95-843: Service Oriented Architecture Quic kTime™ and a TIFF (Unc ompres sed) dec ompres sor are needed to see this pic ture. Master of Information System Management 34 Run XSS4J’s SampleSign2 D:\...\95-804\IBMXMLSecuritySuite\ SampleSign2>java SampleSign2 mjm sesame sesame -embxml gradebook.xml > signature.xml Key store: test.keystore Sign: 851ms 95-843: Service Oriented Architecture Quic kTime™ and a TIFF (Unc ompres sed) dec ompres sor are needed to see this pic ture. Master of Information System Management 35 Examine Signature.xml <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"> <SignedInfo> <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xmlc14n-20010315"></CanonicalizationMethod> <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsasha1"></SignatureMethod> 95-843: Service Oriented Architecture Quic kTime™ and a TIFF (Unc ompres sed) dec ompres sor are needed to see this pic ture. Master of Information System Management 36 We are signing resource 0 Transforms Prior to hashing <Reference URI="#Res0"> <Transforms> <Transform Algorithm= "http://www.w3.org/TR/2001/REC-xmlc14n-20010315"> </Transform> </Transforms> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"> </DigestMethod> <DigestValue>m6f9xhOc4iEXokD/29V9EsdY3yI= </DigestValue> </Reference> 95-843: Service Oriented Architecture Quic kTime™ and a TIFF (Unc ompres sed) dec ompres sor are needed to see this pic ture. Master of Information System Management 37 </SignedInfo> <SignatureValue> Gll1H/uplOwfaX3j7ST6UqQlc92Hx2nsCdN2KWz32CW0D4hH 64n32v/InkGux1dYgTya6S4s55iHqZEjDpH2I359H4PAxBYYX Jj4LUBNxAFxUcDy6xrEUbLnKeutT5pf1DBSmxg9Cp3PO5Rs3 6nVN8GVfnFl1M86WQd19/RsAnA= </SignatureValue> 95-843: Service Oriented Architecture Quic kTime™ and a TIFF (Unc ompres sed) dec ompres sor are needed to see this pic ture. Master of Information System Management 38 <KeyInfo> <KeyValue> <RSAKeyValue> <Modulus> 7V5eyhVaw0clED11H6PTPoKQA1VxrLAugU3QxKA0hbbUOiavFb qCdc6Z+Fe9JZFMkS Iqdl+khwWwd+AIsRyrN4V2DWm1f+xyYQf6bdZgCaVVgkST1B pQxBTgNKRcS5VbLrXf 4MXb5TbhA+eo1Qbr2IjlV10aLbVhUk/g+ylag+k= </Modulus> <Exponent>AQAB</Exponent> </RSAKeyValue> </KeyValue> 95-843: Service Oriented Architecture Quic kTime™ and a TIFF (Unc ompres sed) dec ompres sor are needed to see this pic ture. Master of Information System Management 39 <X509Data> <X509IssuerSerial> <X509IssuerName>CN=Mike McCarthy,OU=Heinz School,O=CMU,L=Pgh,ST=PA,C=US </X509IssuerName> <X509SerialNumber>1049138061 </X509SerialNumber> </X509IssuerSerial> <X509SubjectName>CN=Mike McCarthy,OU=Heinz School,O=CMU,L=Pgh,ST=PA,C=US </X509SubjectName> <X509Certificate> 95-843: Service Oriented Architecture Quic kTime™ and a TIFF (Unc ompres sed) dec ompres sor are needed to see this pic ture. Master of Information System Management 40 MIICPDCCAaUCBD6Ik40wDQYJKoZIhvcNAQEEBQAwZTELMAkGA UEBhMCVVMxCzAJBgNVBAgTAlBBMQwwCgYDVQQHEwNQZ2gx DAKBgNVBAoTA0NNVTEVMBMGA1UECxMMSGVpbnogU2Nob29s RYwFAYDVQQDEw1NaWtlIE1jQ2FydGh5MB4XDTAzMDMzMTE5M QyMVoXDTAzMDYyOTE5MTQyMVowZTELMAkGA1UEBhMCVVMx zAJBgNVBAgTAlBBMQwwCgYDVQQHEwNQZ2gxDDAKBgNVBAoT 0NNVTEVMBMGA1UECxMMSGVpbnogU2Nob29sMRYwFAYDVQQ Ew1NaWtlIE1jQ2FydGh5MIGfMA0GCSqGSIb3DQEBAQUA A4GNADCBiQKBgQDtXl7KFVrDRyUQPXUfo9M+gpADVXGssC6BT DEoDSFttQ6Jq8VuoJ1zpn4V70lkUyRIip2X6SHBbB34AixHKs3hXYN bV/7HJhB/pt1mAJpVWCRJPUGlDEFOA0pFxLlVsutd/gxdvl NuED56jVBuvYiOVXXRottWFST+D7KVqD6QIDAQABMA0GCSqG 3DQEBBAUAA4GBAMpUaA8Cw8mKQn408KuV4xrTciEEcTLNniDGn 8d9W1fR4veqhKz8L8+886+4bNS5Wih+1oEC5k/da23QicpTdXfUyA1c 9Zu3cGU4ulUfhFPWv0IgdpI63KQt9QwsuTxWck5dAta2+KWWTv85I ByHXgoaDlvJ65JjT87nAPAI3 95-843: Service Oriented Architecture Quic kTime™ and a TIFF (Unc ompres sed) dec ompres sor are needed to see this pic ture. Master of Information System Management 41 </X509Certificate> </X509Data> </KeyInfo> The resource 0 object <dsig:Object xmlns="" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" Id="Res0"> <GradeBook> <Student> <Score>100</Score> <Score>89</Score> </Student> </GradeBook> </dsig:Object> </Signature> 95-843: Service Oriented Architecture Quic kTime™ and a TIFF (Unc ompres sed) dec ompres sor are needed to see this pic ture. Master of Information System Management 42 Let’s change the low grade! <dsig:Object xmlns="" xmlns:dsig="http://www.w3.org/2000/09/xml dsig#" Id="Res0"> <GradeBook> <Student> <Score>100</Score> <Score>100</Score> </Student> </GradeBook></dsig:Object> 95-843: Service Oriented Architecture Quic kTime™ and a TIFF (Unc ompres sed) dec ompres sor are needed to see this pic ture. Master of Information System Management 43 And run verify… D:\McCarthy\www\95804\IBMXMLSecuritySuite\SampleSign2>java VerifyCUI < signature.xml The signature has a KeyValue element. The signature has one or more X509Data elements. Checks an X509Data: 1 certificate(s). 95-843: Service Oriented Architecture Quic kTime™ and a TIFF (Unc ompres sed) dec ompres sor are needed to see this pic ture. Master of Information System Management 44 Certificate Information: Version: 1 Validity: OK SubjectDN: CN=Mike McCarthy, OU=Heinz School, O=CMU, L=Pgh, ST=PA, C=US IssuerDN: CN=Mike McCarthy, OU=Heinz School, O=CMU, L=Pgh, ST=PA, C=US Serial#: 0x3e88938d Time to verify: 521 [msec] Core Validity: NG Signature Validity: OK [0] "#Res0" NG: Digest value mismatch: calculated: tfVyHns8wRB6l/HDU2dXZkzf+7Q= Exception in thread "main" java.lang.RuntimeException: Core Validity: NG at dsig.VerifyCUI.main(VerifyCUI.java:137) 95-843: Service Oriented Architecture Quic kTime™ and a TIFF (Unc ompres sed) dec ompres sor are needed to see this pic ture. Master of Information System Management 45 Another Example PO.XML <?xml version="1.0" encoding="UTF-8"?> <PurchaseOrder xmlns="urn:purchase-order"> <Customer> <Name>Robert Smith</Name> <CustomerId>788335</CustomerId> </Customer> <Item partNum="C763"> <ProductId>6883-JF3</ProductId> <Quantity>3</Quantity> <ShipDate>2002-09-03</ShipDate> <Name>ThinkPad X20</Name> </Item> </PurchaseOrder> 95-843: Service Oriented Architecture Quic kTime™ and a TIFF (Unc ompres sed) dec ompres sor are needed to see this pic ture. Master of Information System Management 46 PO After Signing <?xml version='1.0' encoding='UTF-8'?> <SignedPurchaseOrder> <PurchaseOrder id="id0" xmlns="urn:purchase-order"> <Customer> <Name>Robert Smith</Name> <CustomerId>788335</CustomerId> </Customer> <Item partNum="C763"> <ProductId>6883-JF3</ProductId> <Quantity>3</Quantity> <ShipDate>2002-09-03</ShipDate> <Name>ThinkPad X20</Name> </Item> </PurchaseOrder> 95-843: Service Oriented Architecture Quic kTime™ and a TIFF (Unc ompres sed) dec ompres sor are needed to see this pic ture. Master of Information System Management 47 <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"> <SignedInfo> <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n20010315"/> <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsasha1"/> <Reference URI="#id0"> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> <DigestValue>UfeiscUCL7QkhZtRDLWDPWLpVlA=</Digest Value> </Reference> </SignedInfo> 95-843: Service Oriented Architecture Quic kTime™ and a TIFF (Unc ompres sed) dec ompres sor are needed to see this pic ture. Master of Information System Management 48 <SignatureValue> Ptysg8WdHI2mxwryOOt5I9r9qZm/2gNFNOJyH1Wak4nCUeg Rpe72tWnsigAKZyopmgUSH3TG aGGQF1BTSvk3JUUY/ljrw+5FpTpf3hgZBi7GSWf6WtXqZvMY GUKIlvR/421MZg7P9XRUyy37 ZUzQHtmCYkBorEkEx1J4CYB0G2c= </SignatureValue> 95-843: Service Oriented Architecture Quic kTime™ and a TIFF (Unc ompres sed) dec ompres sor are needed to see this pic ture. Master of Information System Management 49 <KeyInfo> <X509Data> <X509Certificate> MIIDGjCCAoOgAwIBAgICAQAwDQYJKoZIhvcNAQEFBQAwXzELMAkGA1UEBhMCSlAxETAPBgNVBAgT CEthbmFnYXdhMQ8wDQYDVQQHEwZZYW1hdG8xDDAKBgNVBAoTA0lCTTEMMAoGA1UECxMDVFJMMRAw DgYDVQQDEwdUZXN0IENBMB4XDTAxMTAwMTA3MTYxMFoXDTExMTAwMTA3MTYxMFowUDELMAkGA1UE BhMCSlAxETAPBgNVBAgTCEthbmFnYXdhMQwwCgYDVQQKEwNJQk0xDDAKBgNVBAsTA1RSTDESMBAG A1UEAxMJU2lnbmF0dXJlMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCvnFQiPEJnUZnkmzoc MjsseD8ms9HBgasZR0VOAvsby5aajsm9CtB18dDCemDXZ2YjBdprX+epfF4SLNP5ankfphhr9QXA NJdCKpyF3jPoydckle7E7gI9w3Q4NDa4ryVOuIS2qev6jlE7OVPqiXIDVlCH4u6GbIoJEpJ57yzx dQIDAQABo4HzMIHwMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgXgMCwGCWCGSAGG+EIBDQQfFh1PcGVu U1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUYapFv9MvQ9NNn1Q7zgzqka4XORsw gYgGA1UdIwSBgDB+gBR7FuT9bLBj3vVsgAzIeYa4hBUZBaFjpGEwXzELMAkGA1UEBhMCSlAxETAP BgNVBAgTCEthbmFnYXdhMQ8wDQYDVQQHEwZZYW1hdG8xDDAKBgNVBAoTA0lCTTEMMAoGA1UECxMD VFJMMRAwDgYDVQQDEwdUZXN0IENBggEAMA0GCSqGSIb3DQEBBQUAA4GBALFzGDXMzxJvOnCdJCMZ 2NsZdz1+wmoYyejB5J6Ch2ygdPeibMnW/CiYKCTWBhpEgxEqr1BNlgSVqA6nyvjHsVIvgBfwx37D hJ5hz4azpWu1X22XqyU9fUqoQUtEAdM/MlLekBkprkJVb9uJXTFzzvm/3DoEiBkX/BT78YdM8eq0 </X509Certificate> </X509Data> </KeyInfo> </Signature> </SignedPurchaseOrder> 95-843: Service Oriented Architecture Quic kTime™ and a TIFF (Unc ompres sed) dec ompres sor are needed to see this pic ture. Master of Information System Management 50 Web Service Security • Describes how XMLDSig is used within the web service framework. • SOAP Headers are used to hold the signature 95-843: Service Oriented Architecture Quic kTime™ and a TIFF (Unc ompres sed) dec ompres sor are needed to see this pic ture. Master of Information System Management 51 SOAP <Envelope> <Header> : </Header> <Body> : </Body> </Envelope> WS-* specifications are placed in the header area and will be handles by intermediaries Message payload including fault messages as well-formed XML. 95-843: Service Oriented Architecture Quic kTime™ and a TIFF (Unc ompres sed) dec ompres sor are needed to see this pic ture. Master of Information System Management 52 WSS XMLDSig Listing 1 <?xml version=”1.0”?> <SOAP-ENV:Envelope xmlns: SOAP-ENV=”http://schemas.xmlsoap.org/soap/envelope/”> <SOAP-ENV:Body> <s:GetSpecialDiscountedBookingForPartners xmlns:s=“http://www.MyHotel.com/partnerservice/”> <!--Parameters passed with the method call--> </s:GetSpecialDiscountedBookingForPartners> </SOAP-ENV:Body> </SOAP-ENV:Envelope> From “Web Services Security”, Bilal Siddiqui 95-843: Service Oriented Architecture Quic kTime™ and a TIFF (Unc ompres sed) dec ompres sor are needed to see this pic ture. Master of Information System Management 53 Sign The SOAP Request <?xml version=”1.0”?> <SOAP-ENV:Envelope xmlns:SOAP-ENV=”http://schemas.xmlsoap.org/soap/envelope/” xmlns:ds=”http://www.w3.org/2000/09/xmldsig#”> <SOAP-ENV:Header> <ds:Signature> <!– wraps all other XMLDS elements <ds:SignedInfo> <!– note the ds prefix </ds:SignedInfo> <!– note three children of signedInfo <ds:SignatureValue> </ds:SignatureValue> <ds:KeyInfo> </ds:KeyInfo> </ds:Signature> </SOAP-ENV:Header> <SOAP-ENV:Body> <s:GetSpecialDiscountedBookingForPartners xmlns:s=“http://www.MyHotel.com/partnerservice/”> <!--Parameters passed with the method call--> </s:GetSpecialDiscountedBookingForPartners> </SOAP-ENV:Body> </SOAP-ENV:Envelope> 95-843: Service Oriented Architecture Quic kTime™ and a TIFF (Unc ompres sed) dec ompres sor are needed to see this pic ture. Master of Information System Management 54 After Signing (1) <?xml version=”1.0”?> <SOAP-ENV:Envelope xmlns:SOAP-ENV=”http://schemas.xmlsoap.org/soap/envelope/” xmlns:ds=”http://www.w3.org/2000/09/xmldsig#”> <SOAP-ENV:Header> <ds:Signature> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> <ds:Reference URI="#GetSpecialDiscountedBookingForPartners"> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> </ds:Transforms> 95-843: Service Oriented Architecture 55 Master of Information System Quic kTime™ and a TIFF (Unc ompres sed) dec ompres sor are needed to see this pic ture. Management After Signing (2) <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> <ds:DigestValue> BIUddkjKKo2... </ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue> halHJghyf765.... </ds:SignatureValue> <ds:KeyInfo> <!– the key name for signature verification <ds:KeyName>MyKeyIdentifier</ds:KeyName> </ds:KeyInfo> <!– application dependent, perhaps a symmetric key ID </ds:Signature> </SOAP-ENV:Header> 95-843: Service Oriented Architecture Quic kTime™ and a TIFF (Unc ompres sed) dec ompres sor are needed to see this pic ture. Master of Information System Management 56 After Signing (3) <SOAP-ENV:Body> <s:GetSpecialDiscountedBookingForPartners xmlns:s=“http://www.MyHotel.com/partnerservice/” ID="GetSpecialDiscountedBookingForPartners"> <!--Parameters passed with the method call--> </s:GetSpecialDiscountedBookingForPartners> </SOAP-ENV:Body> </SOAP-ENV:Envelope> 95-843: Service Oriented Architecture Quic kTime™ and a TIFF (Unc ompres sed) dec ompres sor are needed to see this pic ture. Master of Information System Management 57 Validation Procedure (1) Canonicalize the SignedInfo element. (2) Check message integrity. We’ll need a. the data to be digested b. any transforms to perform first c. the digest algorithm (3) If the digests compare equal verify the signature (continued) 95-843: Service Oriented Architecture Quic kTime™ and a TIFF (Unc ompres sed) dec ompres sor are needed to see this pic ture. Master of Information System Management 58 Validation Procedure (3) If the digests compare equal verify the signature a. get the signer’s key (public key or shared secret) perhaps by consulting the <keyInfo> element. b. read the signature method used to compute the signature c. Attempt to verify and if we have a match call GetSpecialDiscountedBookingForPartners 95-843: Service Oriented Architecture Quic kTime™ and a TIFF (Unc ompres sed) dec ompres sor are needed to see this pic ture. Master of Information System Management 59 XML Encryption & Web Service Security 95-843: Service Oriented Architecture Quic kTime™ and a TIFF (Unc ompres sed) dec ompres sor are needed to see this pic ture. Master of Information System Management 60 XML Encryption • W3C Recommendation 10 December 2002 • JSR 105 XMLDSig proposed final draft • JSR 106 XMLEnc is in progress • JWSDP1.5 supports Web Services Security V1.0 • .Net supports XMLEnc out of the box • Some notes from http://www-106.ibm.com/developerworks/library/xencrypt/index.html by Bilal Siddiqui And “Secure XML” by Eastlake and Niles Addison Wesley 95-843: Service Oriented Architecture Quic kTime™ and a TIFF (Unc ompres sed) dec ompres sor are needed to see this pic ture. Master of Information System Management 61 General Form 1 <EncryptedData> <CipherData> <CipherValue> cipher text in Base 64 </CipherValue> </CipherData> </EncryptedData> 95-843: Service Oriented Architecture Quic kTime™ and a TIFF (Unc ompres sed) dec ompres sor are needed to see this pic ture. Master of Information System Management 62 General Form 2 <EncryptedData> <CipherData> <CipherReference> pointer (URL) to cipher text </CipherReference> </CipherData> </EncryptedData> 95-843: Service Oriented Architecture Quic kTime™ and a TIFF (Unc ompres sed) dec ompres sor are needed to see this pic ture. Master of Information System Management 63 EncryptedData is the core element • Replaces the encrypted element or • Serves as the new document root • May contain a KeyInfo element that describes the key needed for decryption (borrowed from XML Digital Signature) or signature verification 95-843: Service Oriented Architecture Quic kTime™ and a TIFF (Unc ompres sed) dec ompres sor are needed to see this pic ture. Master of Information System Management 64 General Example (1) <MedInfo> <ID> <Name> <Address> </ID> <Medical>…</Medical> <Financial>…</Financial> </MedInfo> 95-843: Service Oriented Architecture Quic kTime™ and a TIFF (Unc ompres sed) dec ompres sor are needed to see this pic ture. Master of Information System Management 65 General Example (2) <MedInfo> <ID>….</ID> <EncryptedData> <KeyInfo> <KeyName>Medical </KeyInfo> <CipherData> <CipherValue> cipher text </EncryptedData> 95-843: Service Oriented Architecture Quic kTime™ and a TIFF (Unc ompres sed) dec ompres sor are needed to see this pic ture. Master of Information System Management 66 General Example (3) <Financial> <EncryptedData> <KeyInfo> <KeyName>Pay </KeyInfo> <CipherData> <CipherValue> cipher text </EncryptedData> </Finacial> </MedInfo> 95-843: Service Oriented Architecture Quic kTime™ and a TIFF (Unc ompres sed) dec ompres sor are needed to see this pic ture. Master of Information System Management 67 Detailed Example (Listing 1) <purchaseOrder> <Order> <Item>book</Item> <Id>123-958-74598</Id> <Quantity>12</Quantity> </Order> <Payment> <CardId>123654-8988889-9996874</CardId> <CardName>visa</CardName> <ValidDate>12-10-2004</ValidDate> </Payment> </purchaseOrder> 95-843: Service Oriented Architecture Quic kTime™ and a TIFF (Unc ompres sed) dec ompres sor are needed to see this pic ture. Master of Information System Management 68 Encrypting the Entire File (Listing 2) <?xml version='1.0' ?> <EncryptedData xmlns='http://www.w3.org/2001/04/xmlenc#' Type='http://www.isi.edu/innotes/iana/assignments/media-types/text/xml'> <CipherData> <CipherValue>bd347ba…</CipherValue> </CipherData> </EncryptedData> IANA = Internet Assigned Numbers Authority a function of The Internet Corporation for Assigned Names and Numbers 95-843: Service Oriented Architecture Quic kTime™ and a TIFF (Unc ompres sed) dec ompres sor are needed to see this pic ture. Master of Information System Management 69 Encrypting The Payment (Listing 3) <?xml version='1.0' ?> <PurchaseOrder> <Order> <Item>book</Item> <Id>123-958-74598</Id> One element <Quantity>12</Quantity> </Order> <EncryptedData Type='http://www.w3.org/2001/04/xmlenc#Element' xmlns='http://www.w3.org/2001/04/xmlenc#'> <CipherData> <CipherValue>A23B45C564587…</CipherValue> </CipherData> </EncryptedData> </PurchaseOrder> 95-843: Service Oriented Architecture Quic kTime™ and a TIFF (Unc ompres sed) dec ompres sor are needed to see this pic ture. Master of Information System Management 70 Encrypting Only the CardId (Listing 4) <?xml version='1.0' ?> <PurchaseOrder> <Order> <Item>book</Item> <Id>123-958-74598</Id> <Quantity>12</Quantity> Element content </Order> <Payment> <CardId> <EncryptedData Type='http://www.w3.org/2001/04/xmlenc#Content' xmlns='http://www.w3.org/2001/04/xmlenc#'> <CipherData> <CipherValue>A23B45C564587</CipherValue> </CipherData> </EncryptedData> </CardId> <CardName>visa</CardName> <ValidDate>12-10-2004</CardName> </Payment> </PurchaseOrder> 95-843: Service Oriented Architecture Quic kTime™ and a TIFF (Unc ompres sed) dec ompres sor are needed to see this pic ture. Master of Information System Management 71 Encrypting Non-XML Data (Listing 5) <?xml version='1.0' ?> <EncryptedData xmlns='http://www.w3.org/2001/04/xmlen#' Type='http://www.isi.edu/innotes/iana/assignments/media-types/jpeg' > <CipherData> <CipherValue>A23B45C56…</CipherValue> </CipherData> </EncryptedData> 95-843: Service Oriented Architecture Quic kTime™ and a TIFF (Unc ompres sed) dec ompres sor are needed to see this pic ture. Master of Information System Management 72 Web Services Security Using Sun’s Application Server 95-843: Service Oriented Architecture Quic kTime™ and a TIFF (Unc ompres sed) dec ompres sor are needed to see this pic ture. Master of Information System Management 73 No Security SOAP Going to Service Running the simple.TestClient program.... Service URL=http://localhost:8080/securesimple/Ping About to ping Apr 9, 2005 10:17:52 AM com.sun.xml.wss.filter.DumpFilter process INFO: ==== Sending Message Start ==== <?xml version="1.0" encoding="UTF-8"?> <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:enc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:ns0="http://xmlsoap.org/Ping" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <env:Body> <ns0:Ping> <ns0:ticket>SUNW</ns0:ticket> <ns0:text>Hello!</ns0:text> </ns0:Ping> </env:Body> </env:Envelope> 95-843: Service Oriented Architecture 74 Master of Information System Quic kTime™ and a TIFF (Unc ompres sed) dec ompres sor are needed to see this pic ture. Management SOAP Response <?xml version="1.0" encoding="UTF-8"?> <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:enc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:ns0="http://xmlsoap.org/Ping" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <env:Body> <ns0:PingResponse> <ns0:text>Hello! Mike!</ns0:text> </ns0:PingResponse> </env:Body> </env:Envelope> Ping complete 95-843: Service Oriented Architecture Quic kTime™ and a TIFF (Unc ompres sed) dec ompres sor are needed to see this pic ture. Master of Information System Management 75 Configure The Client to Encrypt <xwss:JAXRPCSecurity xmlns:xwss="http://java.sun.com/xml/ns/xwss/config"> <xwss:Service> <xwss:SecurityConfiguration dumpMessages="true"> <!-Since no targets have been specified below, the contents of the soap body would be encrypted by default. --> <xwss:Encrypt> <xwss:X509Token certificateAlias="s1as"/> </xwss:Encrypt> </xwss:SecurityConfiguration> </xwss:Service> <xwss:SecurityEnvironmentHandler> com.sun.xml.wss.sample.SecurityEnvironmentHandler </xwss:SecurityEnvironmentHandler> 95-843: Service Oriented Architecture Quic kTime™ and a TIFF (Unc ompres sed) dec ompres sor are needed to see this pic ture. Master of Information System </xwss:JAXRPCSecurity> Management 76 Configure The Server To Require Encryption <xwss:JAXRPCSecurity xmlns:xwss="http://java.sun.com/xml/ns/xwss/config"> <xwss:Service> <xwss:SecurityConfiguration dumpMessages="true"> <!-Encryption requirement. As no target is specified, the contents of the soap body of the request are expected to be encrypted. --> <xwss:RequireEncryption/> </xwss:SecurityConfiguration> </xwss:Service> <xwss:SecurityEnvironmentHandler> com.sun.xml.wss.sample.SecurityEnvironmentHandler </xwss:SecurityEnvironmentHandler> </xwss:JAXRPCSecurity> 95-843: Service Oriented Architecture Quic kTime™ and a TIFF (Unc ompres sed) dec ompres sor are needed to see this pic ture. Master of Information System Management 77 Encrypted Request <?xml version="1.0" encoding="UTF-8"?> <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:enc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:ns0="http://xmlsoap.org/Ping" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <env:Header> <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss env:mustUnderstand="1"> <wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-ws EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x5 wsu:Id="Id-6842673312555922560">MIIDWTCCAsKgAwIBAgIBATANBgk G9w0BAQQFADB0MQswCQYDVQQ Large truncation for slides 95-843: Service Oriented Architecture Quic kTime™ and a TIFF (Unc ompres sed) dec ompres sor are needed to see this pic ture. Master of Information System Management 78 </wsse:BinarySecurityToken> <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"> <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <wsse:SecurityTokenReference> <wsse:Reference URI="#Id-6842673312555922560" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-w </wsse:SecurityTokenReference> </ds:KeyInfo> <xenc:CipherData> <xenc:CipherValue>KB79tvoF6Bu7JeL2Re6iGG8 BhdhOFcZiNDJrJNe8lV3GE6 Sk+s453IF3GFpmkmQttPhzH1D HKQ+2nFjIWPdyZObK3cVyDf rox7Ysjbfuo4TNwElHvKtnGVNb cQIGWiwyxHIZCjqCdF8LM8E1 gCZgYSaRh3V48VMlOsfZ8RCR Vjw= </xenc:CipherValue> </xenc:CipherData> 95-843: Service Oriented Architecture Quic kTime™ and a TIFF (Unc ompres sed) dec ompres sor are needed to see this pic ture. Master of Information System Management 79 <xenc:ReferenceList> <xenc:DataReference URI="#Id7870285788177789579"/> </xenc:ReferenceList> </xenc:EncryptedKey> </wsse:Security> </env:Header> <env:Body> <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="Id7870285788177789579" Type="http://www.w3.org/2001/04/xmlenc#Content"> <xenc:EncryptionMethod Algorithm= "http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/> <xenc:CipherData> <xenc:CipherValue> SL1G08+bGFaqEOefJWtBpOipgkvs8i7JWNwoGum5TO EyZkStSKav/lYygoC5/ji11rccnQWNq/Tg1eYX52UTalAS Large truncation for slides </xenc:CipherValue> </xenc:CipherData> </xenc:EncryptedData> </env:Body> 95-843: Service Oriented Architecture </env:Envelope> 80 Master of Information System Quic kTime™ and a TIFF (Unc ompres sed) dec ompres sor are needed to see this pic ture. Management SOAP Response <?xml version="1.0" encoding="UTF-8"?> <env:Envelope xmlns:env= "http://schemas.xmlsoap.org/soap/envelope/" xmlns:enc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:ns0="http://xmlsoap.org/Ping" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <env:Body> <ns0:PingResponse> <ns0:text>Hello! Mike!</ns0:text> </ns0:PingResponse> </env:Body> </env:Envelope> 95-843: Service Oriented Architecture Quic kTime™ and a TIFF (Unc ompres sed) dec ompres sor are needed to see this pic ture. Master of Information System Management 81