Cryptography and Security Services: Mechanisms and Applications
Chapter 13: Web Services Security
Manuel Mogollon
m_mogollon@verizon.net

Session 11 – Contents
• Web Services
• Extensible Markup Language (XML)
• Simple Object Access Protocol (SOAP)
• Universal Description, Discovery, and Integration (UDDI)
• Web Services Description Language (WSDL)
• XML Encryption
• XML Signature
• XML Key Management Specification
• Security Assertion Markup Language (SAML)
• Web Services Security Language (WS-Security)

TCP/IP Stack and Security Related Protocols
• Application Layer: HTTP, SMTP, Telnet, FTP, Gopher
  — Security: S/MIME, PGP, S-HTTP, IPSec (ISAKMP), SET, Web Services
• Transport Layer: TCP, UDP
  — Security: SOCKS V5, SSL, TLS
• Network Layer: IP, ARP, RARP
  — Security: IPSec (AH, ESP), Packet Filtering, Tunneling Protocols
• Data Layer: Ethernet, Token-Ring, FDDI, X.25, Wireless, Async, ATM, SNA...
  — Security: PPP-EAP, IEEE 802.1X, CHAP, PAP, MS-CHAP

Application Integration
• Typical examples of software applications are databases.
• B2B requires companies to share, modify, or add information by integrating their applications.
• For more than 20 years, companies have been developing computer-to-computer communication, i.e., distributed computing.
• Distributed computing protocols such as DCOM, CORBA, Distributed Smalltalk, and RMI were developed for services to agree on programming languages and shared context.
• None of these protocols operates effectively over the Web.

Electronic Services
• Service Oriented Architecture (SOA) is also about distributed computing, but it provides a way to create sets of services with such granularity that each service can be invoked, published, and discovered.
  Examples of such services include the following:
  — Purchasing an airline ticket; renting a car.
  — Accessing a seat assignment database to get an assigned seat.
  — Requesting part inventory information from a buyer to restock.
• With SOA, only one piece of software is necessary to buy airline tickets or to rent a car, but SOA does not use standard Internet protocols.
• Virtually all companies have a presence on the Web and have invested in it to exchange information with other companies or consumers.
• Web services provide application integration through the Web.

Web Services
• The common aspect of all services is that the information resides in databases.
  — Stored in specialized data servers, using proprietary formats that make them difficult to access or to connect to other databases.
  — Web servers only accessible through hyper scripting languages.
• Web services represent the convergence between Service Oriented Architecture (SOA) and the Web.
• Web services are accessed via ubiquitous Web protocols.

Web Services
• Web services allow computers running on different operating platforms to access and share each other's databases by using open standards.
  — Extensible Markup Language (XML)
  — Simple Object Access Protocol (SOAP)
• A Web service is an application that
  — Can be identified by a Uniform Resource Identifier (URI).
  — Can be defined and located.
  — Is able to interact with other software applications.
• Web services can make databases available across the Web.
  — Unlock databases and make their information available to other databases, workstations, or kiosks.
  — Provide true application sharing required for server-to-server (S2S) access.
  — Can be used by other departments within a company, as well as by customers, vendors, suppliers, or by the public in general.

Web Services Interactions
Function               Web                         Web Services
Web site location      Search Engine               UDDI
Web site description   Search Engine Description   WSDL
Transport protocol     HTTP                        SOAP
Data format            HTML                        XML

• UDDI (Universal Description, Discovery and Integration): UDDI finds the WSDL description of a queried service, as well as the access point of the service, and provides this information to the service consumer.
• WSDL (Web Services Description Language): WSDL is the language used to describe what information is available at the Web service and the procedures for how to call the information from the database.
• SOAP (Simple Object Access Protocol): SOAP allows XML messages to be sent over HTTP.
• XML (Extensible Markup Language): XML recognizes data in a field.

Web Services Interactions
1. A Web service provider registers the service.
2. The Web service consumer queries the UDDI registry for a service.
3. The UDDI Registry points to and describes services.
4. The Web service consumer invokes (requests) the service over SOAP.
5. The Web service provider provides the requested service.

XML – Extensible Markup Language
• HTML was designed to display data and to focus on how data looks; when HTML is used to display data, the data is stored inside HTML.
• XML was developed to recognize structured information. As long as two databases have the same fields, for example, first name, last name, and telephone number, XML can extract information from both databases.
• Converting data to XML allows incompatible database systems to exchange information.
• XML is a standard language for web services and document sharing. Information encoded in XML can be read by many different types of applications using only a text editor.
• XML can be used not only to share data, but also to store data.
• XML is particularly vulnerable to security compromises.
  — Any XML message, including SOAP messages, should be enhanced with security features including encryption, digital signatures, authentication mechanisms, and privacy controls.

XML Syntax

    <?xml version="1.0" encoding="ISO-8859-1" standalone="no"?>
    <!-- Supplier name and address -->
    <NameAndAddress Role="Supplier">
      <CompanyName>Plano Hammers and Nails</CompanyName>
      <AddressLine>101 Some Street</AddressLine>
      <City>Plano</City>
      <State>TX</State>
      <ZipCode>75075</ZipCode>
      <CountryCode>US</CountryCode>
    </NameAndAddress>
    <!-- Catalog items, each with a description, SKU and price -->
    <Catalog>
      <Hammer>
        <Description>Five-inch hammer</Description>
        <SKU>301245AB</SKU>
        <Price>$2.45</Price>
      </Hammer>
      <Nail>
        <Description>One-inch</Description>
        <SKU>253648AA</SKU>
        <Price>$2.45</Price>
      </Nail>
    </Catalog>

• An XML document contains one or more root elements, delimited by start-tags and end-tags.
• The name in the start-tags and end-tags gives the element's type.
• All XML documents must contain a single tag pair defining a root element; all other elements must be within this root element.
• All root elements can have sub elements (child elements).
• All information is in the clear.

Simple Object Access Protocol (SOAP)
• Is the standard communications protocol for Web services.
• Is independent of any programming language or operating system.
• Provides a way for applications to communicate with one another over the Internet, independent of platform.
• Consists of an envelope, the header and the body.
• The communication is peer-to-peer between an initial SOAP sender and the SOAP receiver. It involves multiple message exchanges between these two nodes in request/response, solicit/response, and notification formats.
• The SOAP protocol is designed to support one or more intermediaries that can forward or reroute SOAP messages based upon information either in the SOAP header or in the HTTP header.
• The Organization for the Advancement of Structured Information Standards (OASIS) has two security specifications to secure SOAP: the Security Assertion Markup Language (SAML) and Web Services Security (WS-Sec).

Universal Description, Discovery, and Integration (UDDI)
• Companies that want to publish their services on the Internet use a UDDI registry to register the information about the service they offer.
• Currently Microsoft and IBM in the US and SAP in Germany are among the companies that act as public UDDI operators.
• UDDI specifies the following:
  — The description and discovery of businesses, organizations, and other Web services providers.
  — The Web services they make available.
  — The technical interfaces which may be used to access those services.

Registering a Service in UDDI
• Business Entity: Company name, address, business identifiers.
• Business Service: Type of Web services offered.
• Binding Template: Information for finding, accessing and using a particular Web service.
• tModel (Technical model): A reusable concept, such as a Web service type, a protocol used by Web services, or a category system offered by multiple businesses. For example, several companies offering weather reports can use the same tModel.
• Publisher Assertion: Relationship that the Business Entity has with another Business Entity, e.g., supplier, distributor.

Web Services Description Language (WSDL)
• WSDL is a document written in XML that describes the messages that must be exchanged to successfully interact with a Web Service.
• The WSDL message defines the where and how of getting a service.
  — The name and location of the Web service.
  — The type of data the Web service uses.
  — How the request for a service should be sent.
  — How to put together and bind all the information.
• The WSDL Specification is divided into six major components:
  — Definition: Defines the name of the Web service.
  — Message: Defines and describes the message.
  — PortType: Defines the Web service, the intended recipient of a message, the messages themselves, and how the operations can be performed.
  — Types: Describes all the types of data used between the client and the Web service server.
  — Binding: Defines the message format and protocol details for each port.
  — Service: Defines where the services are located and provides the addresses for invoking them.

Web Services Security
• Web services is about the free exchange of high-value data.
• XML is a text-based, platform-independent standard.
  — Anyone who has access to an XML document can easily read the document.
  — In a man-in-the-middle attack, a hacker could change the information in XML.
• Web services should be reliable and secure.
• Web services security provides the following security services:
  — XML Encryption is used to encipher data or to securely transport encrypting keys.
  — XML Signature is used to provide integrity, message authentication, and/or signer authentication services for data of any type.
  — XML Key Management Specification (XKMS) is used to register, locate, and validate public keys used in XML Signatures. It manages the life cycle of public keys and certificates and allows PKI as a trusted Web service.
  — Security Assertion Markup Language (SAML) provides portable identity, authentication and authorization using credentials called assertions.
    SAML solves the problem of Web Single Sign-On by allowing users to gain access to website resources in multiple domains without having to re-authenticate after initially logging on to the first domain.
  — Web Services Security (WS-Security) describes how to attach security tokens to the SOAP message header.

XML Encryption
• XML Encryption specifies a process for encrypting data and representing the result in XML.
• Data to be encrypted may be arbitrary data (including an XML document), an XML element, or XML element content.
• The main role element in XML encryption is EncryptedType, from which two role elements are derived.
  — EncryptedData, which contains all the information to encipher the XML data.
  — EncryptedKey, which contains the information to encipher keys.
• CipherData is the XML Encryption element that contains or references the enciphered data.

XML Encryption
[Figure: XML Encryption. The Encrypted Data element is built from the Encryption Method element (block encryption with 3DES or AES 128, 192, 256; stream cipher), the Key Info element (Encrypted Key, Agreement Method, Key Name or Retrieval Method), the Cipher Data element (Cipher Value or Cipher Reference) and the Encryption Properties element. The Encrypted Key element is produced either by wrapping the key (3DES, AES) or by transporting the key (RSA-v1.5, RSA-OAEP); the Agreement Method derives keying material from the Diffie-Hellman key exchange value ZZ.]

XML Encryption Data Syntax

    <EncryptedData Id? Type? MimeType? Encoding?>
      <EncryptionMethod/>?
      <ds:KeyInfo>
        <EncryptedKey>?
        <AgreementMethod>?
        <ds:KeyName>?
        <ds:RetrievalMethod>?
        <ds:*>?
      </ds:KeyInfo>?
      <CipherData>
        <CipherValue>?
        <CipherReference URI?>?
      </CipherData>
      <EncryptionProperties>?
    </EncryptedData>

• EncryptedData contains all the information needed to encipher XML data. EncryptedKey contains the information to encipher keys.
• The EncryptionMethod element describes the encryption algorithm used to encipher the data.
• The KeyInfo element provides information on how the secret key is sent to the recipient. The secret key is the key used to encipher the data.
• The CipherData element provides the enciphered data. In the CipherData, either the enciphered data is included in the CipherValue element, or a reference to an external location in the CipherReference element is provided.

EncryptionMethod
• An optional element that describes the encryption algorithm used to encipher the data.
• Depending on the encryption algorithm used, the syntax is one of the following:
  — <EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#tripledes-cbc'/>
  — <EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#aes128-cbc'/>
  — <EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#aes256-cbc'/>
  — <EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#aes192-cbc'/>

Getting Key Information
• Parties who have not exchanged secret keys previously.
  — Encipher or wrap the secret key for transport using a public key system.
  — Use EncryptedKey.
• Parties who have not exchanged secret keys previously.
  — Use Diffie-Hellman for key agreement.
  — Use AgreementMethod.
• When secret keys have already been loaded in both parties' systems and every loaded secret key is associated with a name.
  — Send the name of the secret key that will be used to encipher the XML information.
  — Use KeyName.
• When the secret key is located at a specific location.
  — Provide a link to identify and locate the keys.
  — Use RetrievalMethod.
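
A recipient-side check of the EncryptedData structure and the key-delivery options listed above, as an added example that is not part of the original slides. The function name, the policy of requiring EncryptionMethod, and the sample messages (constructed, with placeholder base64 values) are assumptions of this example.

```python
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"xenc": XENC, "ds": DS}

# Data-encryption identifiers listed on the EncryptionMethod slide.
ALLOWED_DATA_ALGS = {XENC + name for name in
                     ("tripledes-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc")}

# KeyInfo children from the "Getting Key Information" slide.
KEY_SOURCES = {
    f"{{{XENC}}}EncryptedKey": "EncryptedKey",
    f"{{{XENC}}}AgreementMethod": "AgreementMethod",
    f"{{{DS}}}KeyName": "KeyName",
    f"{{{DS}}}RetrievalMethod": "RetrievalMethod",
}


def inspect_encrypted_data(xml_text):
    """Return algorithm, key sources and cipher location of an EncryptedData element.

    Raises ValueError when the element does not match the slide's structure or
    names an algorithm outside the allow-list. For untrusted input, parse with
    a hardened XML parser instead of plain ElementTree.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{XENC}}}EncryptedData":
        raise ValueError("root element is not xenc:EncryptedData")

    # EncryptionMethod is optional in the syntax; this example's policy requires
    # it so the recipient never has to guess the algorithm.
    method = root.find("xenc:EncryptionMethod", NS)
    if method is None:
        raise ValueError("EncryptionMethod missing")
    algorithm = method.get("Algorithm")
    if algorithm not in ALLOWED_DATA_ALGS:
        raise ValueError(f"algorithm not allowed: {algorithm}")

    # Only direct children of KeyInfo are classified; a nested EncryptedKey has
    # its own EncryptionMethod and CipherData, which are not confused with these.
    key_info = root.find("ds:KeyInfo", NS)
    sources = []
    if key_info is not None:
        sources = [KEY_SOURCES[c.tag] for c in key_info if c.tag in KEY_SOURCES]

    cipher_data = root.find("xenc:CipherData", NS)
    if cipher_data is None:
        raise ValueError("CipherData missing")
    value = cipher_data.find("xenc:CipherValue", NS)
    ref = cipher_data.find("xenc:CipherReference", NS)
    if (value is None) == (ref is None):
        raise ValueError("CipherData needs exactly one of CipherValue or CipherReference")

    return {
        "algorithm": algorithm,
        "key_sources": sources,
        "cipher": "inline" if value is not None else "reference",
        "cipher_uri": None if ref is None else ref.get("URI"),
    }


# Constructed sample: session key transported with RSA-OAEP, ciphertext inline.
SAMPLE_TRANSPORTED = f"""
<xenc:EncryptedData xmlns:xenc="{XENC}" xmlns:ds="{DS}" Type="{XENC}Content">
  <xenc:EncryptionMethod Algorithm="{XENC}aes128-cbc"/>
  <ds:KeyInfo>
    <xenc:EncryptedKey>
      <xenc:EncryptionMethod Algorithm="{XENC}rsa-oaep-mgf1p"/>
      <xenc:CipherData><xenc:CipherValue>Y29uc3RydWN0ZWQ=</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedKey>
  </ds:KeyInfo>
  <xenc:CipherData><xenc:CipherValue>Y29uc3RydWN0ZWQ=</xenc:CipherValue></xenc:CipherData>
</xenc:EncryptedData>"""

# Constructed sample: pre-loaded key referred to by name, ciphertext by reference.
SAMPLE_NAMED = f"""
<xenc:EncryptedData xmlns:xenc="{XENC}" xmlns:ds="{DS}">
  <xenc:EncryptionMethod Algorithm="{XENC}aes256-cbc"/>
  <ds:KeyInfo><ds:KeyName>constructed-key-name</ds:KeyName></ds:KeyInfo>
  <xenc:CipherData><xenc:CipherReference URI="https://example.test/cipher.bin"/></xenc:CipherData>
</xenc:EncryptedData>"""

if __name__ == "__main__":
    for sample in (SAMPLE_TRANSPORTED, SAMPLE_NAMED):
        print(inspect_encrypted_data(sample))
```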

Encrypted Key – Wrapping the Key
• Use a shared key-encrypting key to wrap (encipher) a session key.
• Use 3DES or AES to encipher and decipher a session key.
[Figure: the Web Service Requester splits the session key into blocks 1 to n and enciphers them with 3DES or AES under the shared key-encrypting key and an IV; the Web Service Provider deciphers the enciphered session key blocks with the same shared key-encrypting key and IV to recover the session key.]

Encrypted Key – Transporting the Key
• Use a public key algorithm to transport the session key.
[Figure: the Web Service Requester enciphers the session key with the Service Provider's public key using the RSAES-v1.5 or RSAES-OAEP algorithm; the Web Service Provider deciphers it with the Service Provider's private key.]

Key Agreement
• Use Diffie-Hellman to calculate ZZ and the RFC-2631 Key Agreement Method to generate key material.
[Figure: the Web Service Requester and the Web Service Provider each run the Diffie-Hellman key exchange to obtain the Pre Master Key (ZZ), then run Key Material Generation to obtain the Session Key.]

  Keying Material = KM(1) || KM(2) || KM(3) || ...
  KM(counter) = Hash(ZZ || counter || EncryptionAlg || KA-Nonce || KeySize)

Key Info – Key Name
• The secret keys have been loaded into both servers, so only the name associated with the key needs to be sent.
[Figure: the Web Service Requester and the Web Service Provider each hold a Secret Key Table with Key Name, Secret Key and Type of Encryption Algorithm; only the Key Name is sent.]
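
The keying-material formula from the Key Agreement slide, worked through in code as an added example that is not part of the original slides. Assumptions of this example: the Diffie-Hellman group is a toy group chosen only to keep the listing short, and the field encodings (counter as two upper-case hex digits, KeySize as a decimal string) and all function names are this example's choices.

```python
import hashlib
import secrets

AES128_CBC = "http://www.w3.org/2001/04/xmlenc#aes128-cbc"
AES256_CBC = "http://www.w3.org/2001/04/xmlenc#aes256-cbc"

# Toy Diffie-Hellman group (assumption of this example): far too small for
# real use, it only stands in for a properly sized group.
P = 2**127 - 1
G = 3


def dh_keypair():
    """Return (private, public) for the toy group."""
    private = secrets.randbelow(P - 3) + 2
    return private, pow(G, private, P)


def dh_shared_secret(private, peer_public):
    """Compute ZZ as fixed-length big-endian octets (leading zeros kept)."""
    zz = pow(peer_public, private, P)
    return zz.to_bytes((P.bit_length() + 7) // 8, "big")


def derive_keying_material(zz, encryption_alg, ka_nonce, key_size_bits,
                           hash_name="sha256"):
    """Keying Material = KM(1) || KM(2) || ..., truncated to key_size_bits.

    KM(counter) = Hash(ZZ || counter || EncryptionAlg || KA-Nonce || KeySize)
    """
    needed = key_size_bits // 8
    material = b""
    counter = 1
    while len(material) < needed:
        if counter > 0xFF:
            raise ValueError("one-byte counter exhausted")
        h = hashlib.new(hash_name)
        h.update(zz)
        h.update(f"{counter:02X}".encode("ascii"))      # counter, two hex digits
        h.update(encryption_alg.encode("utf-8"))        # algorithm URI
        h.update(ka_nonce)                              # nonce octets
        h.update(str(key_size_bits).encode("ascii"))    # key size in bits
        material += h.digest()
        counter += 1
    return material[:needed]


if __name__ == "__main__":
    # Requester and provider exchange public values and a nonce (constructed).
    req_priv, req_pub = dh_keypair()
    prov_priv, prov_pub = dh_keypair()
    nonce = b"constructed-nonce"
    k_req = derive_keying_material(
        dh_shared_secret(req_priv, prov_pub), AES128_CBC, nonce, 128)
    k_prov = derive_keying_material(
        dh_shared_secret(prov_priv, req_pub), AES128_CBC, nonce, 128)
    print("session keys match:", k_req == k_prov)
```

Binding the algorithm URI, nonce and key size into each hash input means the same ZZ yields unrelated keys for different algorithms or sessions.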

XML Signature Syntax

    <Signature ID?>
      <SignedInfo>
        <CanonicalizationMethod/>
        <SignatureMethod/>
        (<Reference URI?>
          (<Transforms>)?
          <DigestMethod>
          <DigestValue>
        </Reference>)+
      </SignedInfo>
      <SignatureValue>
      (<KeyInfo>
        <KeyName>
        <KeyValue>
        <RetrievalMethod>
        <X509Data>
        <PGPData>
        <SPKIData>
      </KeyInfo>)?
      (<Object ID?>)*
    </Signature>

• The SignedInfo element identifies all cryptographic functions involved in the signature operation (e.g., hashing, public key algorithms, MACs, padding, etc.).
• The SignatureMethod provides the name of the algorithm used to convert the canonicalized SignedInfo into the SignatureValue.
• The SignatureValue shows the digital signature value.
• The KeyInfo identifies the key to be used to validate the signature. Possible forms for identification include certificates, key names, and key agreement algorithms information, among others.

XML Signature
[Figure: XML Signature. The Data Object passes through the Transform elements and the digest function (SHA-1, SHA-224, SHA-256, SHA-384, SHA-512) named in the Digest Method element to give the Digest Value in the Reference element. The Signed Info element is canonicalized with the Canonicalization Method; the Signature Method algorithm, either message authentication (HMAC) or a digital signature (DSA, RSASSA-PKCS 1), produces the Signature Value. The Key Info element carries the Key Name, Retrieval Method or Key Value (DSAKey, RSAKey, X.509Data, PGPData, SPKI Data, Mgmdata).]

XML Signatures
• Provide integrity, message authentication, and/or signer authentication services for data of any type, whether located within the XML that includes the signature or elsewhere.
• Specify XML syntax and processing rules for creating and representing digital signatures.
• Can be applied to any digital content (data object), including XML.
• Constitute a method of associating a key with referenced data (octets).
• Are applied to arbitrary digital content (data objects) in the same way as digital signatures are.
  — A hash function is applied to a data object, and the resulting value is cryptographically signed by enciphering it with the sender's private key.

XML Key Management (XKMS)
• XML Key Management specifies protocols for distributing and registering public keys.
  — Defines the different phases of certificates and keys in XML Signature.
• The XML Key Management Specification consists of two parts:
  — XML Key Information Service Specification (X-KISS), which defines the specifications to locate (retrieve) and validate certificates.
  — XML Key Registration Service Specification (X-KRSS), which describes a protocol for registration and subsequent management of public key life cycle.

XKMS
• X-KRSS, between the Client (End-Entity) and the Registration Service (Certificate Authority): Register, Recover, Reissue, Revoke.
  — The Client registers, or requests to recover, reissue, or revoke his public keys and certificates.
• X-KISS, between the Client (End-Entity) and the Trust Service (Repository Site), which fronts the PKI Services: Locate, Validate.
  — Locate: What are the public key values of a specific user and how can they be used?
  — Validate: What is the binding status between a public key and a specific user?

XKMS X-KISS Locate
LocateRequest
• Locate ID Number
• Respond With
  – KeyName
  – KeyValue
  – X509Cert
  – X509Chain
  – PGPWeb
  – PGP
• Query Key Binding
  – KeyUsage
  – Key Used with Application="xxxxx"?
  – Owner of the Key="bob@bobcorp.test"
LocateResult
• Locate ID Number
• ResultMajor="Success"
• Request ID
• Unverified Key Binding
• ID
• KeyInfo
  – KeyValue
  – X509Certificate
• KeyUsage
  – Signature
  – Encryption
  – Exchange
• Key Use with Application="xxxxxxx"
• Owner of the Key="bob@bobcorp.test"

XKMS X-KISS Validate
ValidateRequest
• Validation ID Number
• QueryKeyBinding
• KeyUsage
• Key Use with Application="xxxxx"?
• Owner of the Key="bob@bobcorp.test"
ValidateResult
• Validate ID Number
• ResultMajor="Success"
• Request ID
• Key Binding ID
• KeyInfo
  – KeyValue
  – X509Certificate
• KeyUsage
  – Signature
  – Encryption
  – Exchange
• Key Used with Application="xxxxxxx"
• Owner of the Key="bob@bobcorp.test"
• Status Value="Valid"
• ValidReason=IssuerTrust ...

XKMS X-KRSS Registration
RegistrationRequest
• Registration ID Number
• Respond With type of certificate (X.509, ...)
• KeyInfo (Information submitted)
  – KeyValue
  – KeyUsage
  – Key Use with Application="xxxxx"?
  – Authentication
  – KeyBinding
  – DigestMethod
  – DigestValue
  – Proof of Possession
RegistrationResult
• Registration ID Number
• ResultMajor="Success"
• Request ID
• KeyInfo
  – KeyValue
  – KeyUsage
  – Key Used with Application="xxxxxxx"
• Status
  – ValidReason
The Key Registration Service supports key registration, recovery, reissue, and revocation.

Security Assertion Markup Language (SAML)
• SAML addresses the issue of Web services access authentication and authorization.
  — Certificate authorities issue certificates as a means of authentication.
  — SAML uses assertions (credentials) about subjects (an individual or an entity).
• Assertions are issued by authentication authorities, attribute authorities and policy decision points; they can be passed to other web domains.
• SAML provides portable identity authentication and authorization.
  — Subject is granted or denied access to a specified web domain resource.
• Web domains can challenge the assertions, and there should be ways to prove the assertions.
• SAML solves the problem of Web Single Sign-On by allowing users to gain access to website resources in multiple domains without having to re-authenticate after initially logging on to the first domain.
• SAML is flexible, so it can be used with any XML file transferred within the enterprise or the Internet.

SAML Components
• Profile: How the SAML assertions, protocols and bindings are combined to support a defined use case.
• Bindings: How the SAML protocol maps onto the messaging or communications transport protocols.
• Protocol: How assertions are obtained using Request and Response pairs.
• Assertions: What subject information about authentication, attribute and authorization is contained in the assertion.

SAML Push and Pull Profile Models
[Figure: two panels, Browser/Artifact Profile (Push) and Browser/POST Profile (Pull). Each shows the User, the Asserting Party (www.mytravel.com), the Relying Party (www.myhotel.com) and the Assertion passed between them.]

SAML Artifact (Push) Profile Model
[Figure: steps 1 to 9 between the User's Browser, the Asserting Party Source Site (www.mytravel.com: Authentication Authority, Application Portal, Inter-Site Transfer Service, SAML Request Responder) and the Destination Site (www.myhotel.com: Artifact Receiver Service, Remote Application). Labelled interactions: Access Source Site, Credential Challenge, User Login, Access Check, Display Remote Application Links, Select Remote Application, Redirect with SAML Artifact, SAML Request, SAML Response, Access Check, Redirect to Destination + Cookie.]

SAML Posted (Pull) Profile Models
[Figure: steps 1 to 8 between the User's Browser, the Asserting Party Source Site (www.mytravel.com: Authentication Authority, Application Portal, Inter-Site Transfer Service) and the Destination Site (www.myhotel.com: Assertion Consumer, Remote Application). Labelled interactions: Access Local Site, Credential Challenge, User Login, Access Check, Display Remote Application Links, Select Remote Application, SAML Response with Assertion in HTTP Form, POST Form with Direct Assertion, Access Check, Redirect to Destination + Cookie.]

Web Services Security Model
[Figure: layered model, top to bottom: WS-Secure Conversation, WS-Federation, WS-Authorization; WS-Policy, WS-Trust, WS-Privacy; WS-Security; SOAP Foundation.]
• Security model was proposed by IBM and Microsoft in April 2002.
• Also proposed was a road map for developing a set of Web Service Security specifications to protect SOAP message exchange in a Web service environment.
• Security model brings together formerly incompatible security technologies such as public key infrastructure, Kerberos, and others.
• It also provides a broad set of specifications that cover security technologies, including authentication, authorization, privacy, trust, integrity, confidentiality, secure communications and auditing, across a wide spectrum of application and business topologies.

Web Services Security Language
• Describes how to attach signature and encryption headers to SOAP messages.
• Describes how to attach security tokens, including binary security tokens such as X.509 certificates and Kerberos tickets, to messages.
• Web Services are designed to work over any transport protocol: HTTP, TCP, UDP, email (SMTP), FTP.
• Provides security when a message flows over different transport protocols and through multiple servers.
• Portions of the message can be secure for different parties.
  Specific recipients of the message are allowed to see certain parts of the message.

SOAP Message Security
[Figure: end-to-end SOAP security. The SOAP message travels from the Originator over HTTP to an Intermediary and from the Intermediary over TCP to the Recipient.]
• Intermediary should not be able to
  — Alter the message (Insertion, Deletion, Modification)
  — Read the message (Confidentiality)
  — Falsify messages
• Originator and recipient should not be able to repudiate the message.
• Recipient should be able to determine if the message has changed (Integrity).

WS-Security Syntax

    <S:Envelope xmlns:S="..." xmlns:wsse="..." xmlns:ds="..." xmlns:xenc="...">
      <S:Header>
        <wsse:Security>
          <!-- Security token -->
          <wsse:UsernameToken>
            <wsse:Username>Zoe</wsse:Username>
          </wsse:UsernameToken>
          <!-- XML Signature over the message body -->
          <ds:Signature>
            <ds:Reference URI="#body"/>
          </ds:Signature>
          <!-- Points at the encrypted part of the body -->
          <xenc:ReferenceList>
            <xenc:DataReference URI="#body"/>
          </xenc:ReferenceList>
        </wsse:Security>
      </S:Header>
      <S:Body>
        <xenc:EncryptedData Id="body" Type="content">
        </xenc:EncryptedData>
      </S:Body>
    </S:Envelope>

• SOAP Envelope
  — SOAP Security Header
    – Security Header Block: Security Tokens, XML Signatures, Key Reference List or Encrypted Key
    – Security Header Block
  — SOAP Body
    – Encrypted Data

WS-Security – Security Tokens
• Security Tokens are access mechanisms and methods used for authentication and authorization.
• Passwords are a type of unsigned security token.
• Signed security tokens are security tokens that are asserted and cryptographically signed by a specific authority (e.g., an X.509 certificate or a Kerberos ticket).
• Security Tokens in WS-Security are grouped in the following way:
  — UserName Token (User ID and password)
  — BinarySecurity Token (X.509 certificates and Kerberos)
  — XML Tokens

WS-Security – XML Signature
• Signature in WS-Security is simply the XML Signature placed in the security header of a SOAP message.
• XML Signature in WS-Security can be used by the message recipient to
  — Authenticate or verify the security token, such as an X.509 certificate or SAML assertion.
  — Verify that the message has not been modified in transit, for message integrity.
• It is possible to sign a message before encryption or to encrypt it first and then sign it. The way in which it is done needs to be indicated in the syntax by placing either the encryption or the signing element first in the syntax.

WS-Security – Reference List or Encrypted Key
• ReferenceList points out which part of the message body was encrypted.
  — Used when the sender and the receiver of the SAML message use a shared secret key to encipher the message body, and there is a need to send the key.
• EncryptedKey is used when the parties have not exchanged secret keys previously and it is necessary to transport the secret key in a secure manner.
  — Encipher or wrap the secret key for transport using a public key system.
  — A randomly generated symmetric key is encrypted using the recipient's public key.
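
The signature structure from the XML Signature slides, which WS-Security places in the SOAP security header, can be checked in two steps: the SignatureValue over the canonicalized SignedInfo, then the DigestValue of the referenced data. The following is an added example, not part of the original slides; it assumes a detached signature without namespaces, HMAC-SHA256 as the SignatureMethod, ElementTree's C14N 2.0 as the canonicalization, and a constructed key and document.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

C14N_ALG = "http://www.w3.org/2010/xml-c14n2"
HMAC_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"

# Constructed sample data object and shared key.
SAMPLE_DOC = '<Price currency="USD" unit="each">$2.45</Price>'
SAMPLE_KEY = b"constructed-shared-secret"


def c14n(xml_text):
    """Canonical octets of an XML fragment (ElementTree's C14N 2.0)."""
    return ET.canonicalize(xml_text).encode("utf-8")


def reference_digest(data_xml):
    """DigestValue: base64 of the hash of the canonicalized data object."""
    return base64.b64encode(hashlib.sha256(c14n(data_xml)).digest()).decode("ascii")


def _signature_value(signed_info_xml, key):
    """SignatureValue: base64 HMAC over the canonicalized SignedInfo."""
    mac = hmac.new(key, c14n(signed_info_xml), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def sign(data_xml, key):
    """Build a detached <Signature> for data_xml."""
    signed_info = (
        "<SignedInfo>"
        f'<CanonicalizationMethod Algorithm="{C14N_ALG}"/>'
        f'<SignatureMethod Algorithm="{HMAC_SHA256}"/>'
        '<Reference URI="">'
        f'<DigestMethod Algorithm="{SHA256}"/>'
        f"<DigestValue>{reference_digest(data_xml)}</DigestValue>"
        "</Reference>"
        "</SignedInfo>"
    )
    return (f"<Signature>{signed_info}"
            f"<SignatureValue>{_signature_value(signed_info, key)}</SignatureValue>"
            "</Signature>")


def verify(data_xml, signature_xml, key):
    """Return (ok, reason) for a signature produced by sign()."""
    sig = ET.fromstring(signature_xml)
    info = sig.find("SignedInfo")
    if info is None:
        return False, "SignedInfo missing"

    # Pin the algorithms: the message must not be able to select weaker ones.
    expected = {
        "CanonicalizationMethod": C14N_ALG,
        "SignatureMethod": HMAC_SHA256,
        "Reference/DigestMethod": SHA256,
    }
    for path, alg in expected.items():
        node = info.find(path)
        if node is None or node.get("Algorithm") != alg:
            return False, f"unexpected {path.split('/')[-1]}"

    # Step 1: SignatureValue, so DigestValue is trusted only after SignedInfo
    # itself has been authenticated.
    info.tail = None
    claimed = (sig.findtext("SignatureValue") or "").strip()
    actual = _signature_value(ET.tostring(info, encoding="unicode"), key)
    if not hmac.compare_digest(claimed.encode(), actual.encode()):
        return False, "signature mismatch"

    # Step 2: the Reference digest over the canonicalized data object.
    digest = (info.findtext("Reference/DigestValue") or "").strip()
    if not hmac.compare_digest(digest.encode(), reference_digest(data_xml).encode()):
        return False, "digest mismatch"
    return True, "valid"


if __name__ == "__main__":
    signature = sign(SAMPLE_DOC, SAMPLE_KEY)
    print(verify(SAMPLE_DOC, signature, SAMPLE_KEY))
    print(verify(SAMPLE_DOC.replace("2.45", "0.45"), signature, SAMPLE_KEY))
```

Reordering the attributes of the data object leaves the signature valid because both sides hash the canonical form; changing the price, the DigestValue, the key or the SignatureMethod makes verification fail.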

To Probe Further
• Digital signatures for SOAP messages, a developerWorks tutorial by Jayanthi Suryanarayana, explains how to digitally sign and encrypt your SOAP messages for security.
• The XML Security Suite: Increasing the security of e-business by Doug Tidwell presents some basics of Web security, describes the components of the XML Security Suite, and gives examples that illustrate how the technologies in the XML Security Suite increase the security of Web commerce.
• The OASIS consortium site includes The XML Cover Pages: XML and Encryption, Robin Cover's active diary of activities and publications relevant to these issues. The site also features a draft document specifying the Security Assertion Markup Language (SAML).
• The W3C working draft XML Encryption Requirements lists the design principles, scope, and requirements for XML Encryption. It includes requirements as they relate to the encryption syntax, data model, format, cryptographic processing, and external requirements and coordination.
• XML-Signature Requirements lists the design principles, scope, and requirements for the XML Digital Signature specification. It includes requirements as they relate to the signature syntax, data model, format, cryptographic processing, and external requirements and coordination.
• Decryption Transform for XML Signature specifies the "decryption transform," which enables XML signature verification even if both signature and encryption operations are performed on an XML document.

[Figure: summary of the session]
• Distributed Computing; Service Oriented Architecture (SOA); Web Services (Convergence between SOA and the Web)
• Extensible Markup Language (XML)
  — XML Encryption
  — XML Signature
  — XML Key Management: XML Key Information, XML Key Registration
• SOAP (Defines the XML message format.)
• SAML (Addresses the issue of Web services access authentication and authorization)
  — Artifact Profile (Push)
  — POST Profile (Pull)
• Web Services Security Model (How to attach signature and encryption headers to SOAP messages)
  — Security Tokens
  — Signature

XML Encryption
• Encrypted Type
  — Encrypted Data
  — Encrypted Key
• Encrypting Method
  — Block Encryption: 3DES; AES 128, 192, 256
  — Stream Cipher
• Key Info
  — Encrypted Key
    – Wrapping the Key: 3DES; AES 128, 192, 256
    – Transporting the Key: RSA-v1.5, RSA-OAEP
  — Agreement Method
  — Key Name
  — Retrieval Method
• Cipher Data
  — Cipher Value
  — Cipher Reference

XML Key Registration Service
• The Web Service Provider or the Web Service Requester registers, or requests to recover, reissue or revoke their public keys and certificates.
• Messages between the Client and the Register Service:
  — Register Request, Register Response
  — Recover Request, Recover Response
  — Reissue Request, Reissue Response
  — Revoke Request, Revoke Response

XML Key Information Service (X-KISS)
• Messages between the Client and the Trust Service, which fronts the PKI Services:
  — Locate Request, Locate Result
  — Validate Request, Validate Response
• The Web Service Requester requests the location and validation of the public keys and certificates of service