Location via proxy:   [ UP ]  
[Report a bug]   [Manage cookies]                
Scribd Logo
Upload

Welcome to Scribd!

  • 29 views

    Web Services Security: Suresh Inavolu

    Uploaded by

    isuresh249
    This document provides a summary of web services security concepts including cryptography, XML signatures, XML encryption, WS-Policy and WS-SecurityPolicy. It discusses why security is important for web services and outlines common security threats. It then covers cryptography approaches including shared key and public key encryption. It describes how XML signatures provide authentication and integrity by digitally signing message contents. XML encryption is explained for ensuring confidentiality. The roles of WS-Policy and WS-SecurityPolicy in defining security requirements and publishing security policies for web services are summarized. Key concepts like security bindings, protection assertions and token assertions are also overviewed.

    Copyright:

    © All Rights Reserved
    Download as PPTX, PDF, TXT or read online from Scribd

    Web Services Security: Suresh Inavolu

    Uploaded by

    isuresh249
    29 views35 pages
    This document provides a summary of web services security concepts including cryptography, XML signatures, XML encryption, WS-Policy and WS-SecurityPolicy. It discusses why security is important for web services and outlines common security threats. It then covers cryptography approaches including shared key and public key encryption. It describes how XML signatures provide authentication and integrity by digitally signing message contents. XML encryption is explained for ensuring confidentiality. The roles of WS-Policy and WS-SecurityPolicy in defining security requirements and publishing security policies for web services are summarized. Key concepts like security bindings, protection assertions and token assertions are also overviewed.

    Original Description:

    Web Services Security

    Original Title

    WS Security

    Copyright

    © © All Rights Reserved

    Available Formats

    PPTX, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    This document provides a summary of web services security concepts including cryptography, XML signatures, XML encryption, WS-Policy and WS-SecurityPolicy. It discusses why security is important for web services and outlines common security threats. It then covers cryptography approaches including shared key and public key encryption. It describes how XML signatures provide authentication and integrity by digitally signing message contents. XML encryption is explained for ensuring confidentiality. The roles of WS-Policy and WS-SecurityPolicy in defining security requirements and publishing security policies for web services are summarized. Key concepts like security bindings, protection assertions and token assertions are also overviewed.

    Copyright:

    © All Rights Reserved
    Download as PPTX, PDF, TXT or read online from Scribd
    Download as pptx, pdf, or txt
    29 views35 pages

    Web Services Security: Suresh Inavolu

    Uploaded by

    isuresh249
    This document provides a summary of web services security concepts including cryptography, XML signatures, XML encryption, WS-Policy and WS-SecurityPolicy. It discusses why security is important for web services and outlines common security threats. It then covers cryptography approaches including shared key and public key encryption. It describes how XML signatures provide authentication and integrity by digitally signing message contents. XML encryption is explained for ensuring confidentiality. The roles of WS-Policy and WS-SecurityPolicy in defining security requirements and publishing security policies for web services are summarized. Key concepts like security bindings, protection assertions and token assertions are also overviewed.

    Copyright:

    © All Rights Reserved
    Download as PPTX, PDF, TXT or read online from Scribd
    Download as pptx, pdf, or txt
    You are on page 1of 35

    Web services security

    Suresh Inavolu

    Agenda
    Why Web services security
    Cryptography
    o Shared key
    o Public key

    XML Signatures
    XML Encryption
    WS-Policy
    WS-SecurityPolicy
    Conclusion

    Why Web services security


    <Request
    custId=Customer1
    pin=myQw6k3z>
    <SendMoney
    to=Customer2
    amount=10000/>
    </Request>

    1) Read the message pin number of Customer1


    2) Change the message send money to CustomerX
    3) Create a new message and send it as if Customer1 is
    requesting.

    Security terms
    1) Confidentiality None, other than the receiver, can understand the message
    2) Integrity The message has not been changed in between
    3) Authentication The message is send the original sender

    Agenda
    Why Web services security
    Cryptography
    o Shared key
    o Public key

    XML Signatures
    XML Encryption
    WS-Policy
    WS-SecurityPolicy
    Conclusion

    Cryptography
    Share key encryption
    o Also called Symmetric key encryption

    Public key encryption


    o Also called Asymmetric key encryption

    Shared key

    Public key

    Different keys
    (Only private key is
    kept secret)

    Agenda
    Why Web services security
    Cryptography
    o Shared key
    o Public key

    XML Signatures
    XML Encryption
    WS-Policy
    WS-SecurityPolicy
    Conclusion

    XML Signatures
    Used for authentication and data integrity.
    Digital signatures
    o Encrypt the hash of the message using private

    key

    Digital Signature
    <Request
    custId=Customer1
    pin=myQw6k3z>
    <SendMoney
    to=Customer2
    amount=10000/>
    </Request>

    <Request
    custId=Customer1
    pin=myQw6k3z>
    <SendMoney
    to=Customer2
    amount=10000/>
    </Request>
    m1eRh4!pQ(zcB6

    Hash Algorithm
    like SHA1

    Message with
    Digital signature

    50920620636403163

    Hash Value

    m1eRh4!pQ(zcB6

    Encrypt using
    Private key

    Digest Value

    Calculating Digital signature

    Digital Signature
    Message with
    Digital signature
    <Request
    custId=Customer1
    pin=myQw6k3z>
    <SendMoney
    to=Customer2
    amount=10000/>
    </Request>
    m1eRh4!pQ(zcB6

    <Request
    custId=Customer1
    pin=myQw6k3z>
    <SendMoney
    to=Customer2
    amount=10000/>
    </Request>

    Hash Algorithm
    like SHA1
    50920620636403163

    Hash Value

    Both Should match

    m1eRh4!pQ(zcB6

    50920620636403163

    Decrypt using
    Senders public key

    Verifying Digital Signatures

    Hash Value

    XML Signature
    An extension to digital signatures to sign
    XML messages
    Ability to sign only specific portions of the
    XML tree

    Canonicalization
    <Request custId=Customer1 pin=myQw6k3z xmlns="urn://bank/request">
    <SendMoney to=Customer2 amount=10000/>
    <Comments><![CDATA[Send it in two days to Progress.]]></Comments>
    </Request>
    <? xml version=1.0 ?>
    <Request custId='Customer1' pin='myQw6k3z' xmlns="urn://bank/request>
    <SendMoney
    to='Customer2'
    amount='10000
    bank=abc>
    </SendMoney>
    <Comments xmlns="urn://bank/request>Send it in two days to &PRGS;.</Comments>
    </Request>

    However both these XML documents generate different hash value and
    hence different digital signatures

    XML Signature Structure


    <Signature ID?>
    <SignedInfo>
    (CanonicalizationMethod)
    (SignatureMethod)
    (<Reference URI? >
    (Transforms)?
    (DigestMethod)
    (DigestValue)
    </Reference>)+
    </SignedInfo>
    (SignatureValue)
    (KeyInfo)?
    (Object ID?)*
    </Signature>

    Sample
    XML
    Signature
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo Id="foobar">
    <CanonicalizationMethod Algorithm="www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
    <Reference URI=http://test/results.xml">
    <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <DigestValue>j6lwx3rvEPO0vKtMup4NbeVu8nk=</DigestValue>
    </Reference>
    <Reference URI=file:/C:/input.xml#message">
    <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <DigestValue>UrXLDLBIta6skoV5/A8Q38GEw44=</DigestValue>
    </Reference>
    </SignedInfo>
    <SignatureValue>MC0E~LE=</SignatureValue>
    <KeyInfo>
    <X509Data>
    <X509SubjectName>O=XMLSec Inc.,ST=OTTAWA,C=CA</X509SubjectName>
    <X509Certificate> MIID5jCCA0+gA...lVN </X509Certificate>

    Agenda
    Why Web services security
    Cryptography
    o Shared key
    o Public key

    XML Signatures
    XML Encryption
    WS-Policy
    WS-SecurityPolicy
    Conclusion

    XML Encryption
    Ensuring Confidentiality of XML Messages
    Encrypt data using Shared key technology
    Shared key will be distributed
    o Either by a separate channel
    o Encrypt the shared key using public key of

    receiver Digital Enveloping

    XML Encryption Syntax


    <EncryptedData Id? Type? MimeType? Encoding?>
    <EncryptionMethod/>?
    <ds:KeyInfo>?
    </ds:KeyInfo>
    <CipherData>
    <CipherValue>?
    <CipherReference URI?>?
    </CipherData>
    <EncryptionProperties>?
    </EncryptedData>

    Sample XML Encryption (using Digital


    Enveloping)
    <EncryptedData>
    <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
    <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmlsig#">
    <EncryptedKey>
    <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa"/>
    <ds:KeyInfo>
    <ds:X509Data>
    <ds:X509SubjectName>CN=suresh,OU=Sonic,O=Progress,ST=AP,C=IN</ds:X509SubjectName>
    </ds:X509Data>
    </ds:KeyInfo>
    <CipherData>
    <CipherValue>QYJKoZIhvcNAQkBFhhz</CipherValue>
    </CipherData>
    </EncryptedKey>
    </ds:KeyInfo>
    <CipherData>
    <CipherValue>DTA4MDQwOTA5NTUwNFoXDTA5MDQwOTA5NTUwNFowT</CipherValue>
    </CipherData>
    </EncryptedData>

    Agenda
    Why Web services security
    Cryptography
    o Shared key
    o Public key

    XML Signatures
    XML Encryption
    WS-Policy
    WS-SecurityPolicy
    Conclusion

    WS-Policy
    A framework for describing policy assertions.
    Four elements: Policy, All, ExactlyOne,

    PolicyReference and one attribute wsp:Optional


    All: All policy assertions should be satisfied.
    ExactlyOne: Only one policy assertion should be

    satisfied.
    Wsp:Optional: Policy assertion is an optional

    feature.
    Operations for processing policies; Normalize,
    Merge, and Intersect

    Policy example

    Reusing policy using PolicyReference

    <Policy>
    <All>

    <Policy id="common">

    <mtom:OptimizedMimeSerialization wsp:Optional=true/>

    <All>

    <wsap:UsingAddressing/>

    <mtom:OptimizedMimeSerialization wsp:Optional=true/>

    <ExactlyOne>

    <wsap:UsingAddressing/>

    <sp:TransportBinding>...</sp:TransportBindig>

    </All>

    <sp:AsymmetricBinding>...</sp:AsymmetricBinding>

    </Policy>

    </ExactlyOne>
    </All>

    <Policy id="security">

    </Policy>

    <All>
    <PolicyReference="#common">
    <ExactlyOne>
    <sp:TransportBinding>...</sp:TransportBindig>
    <sp:AsymmetricBinding>...</sp:AsymmetricBinding>
    </ExactlyOne>
    </All>
    </Policy>

    Normal Form for Policy


    Expressions
    <Policy>
    <All>
    <mtom:OptimizedMimeSerialization
    wsp:Optional=true/>
    <wsap:UsingAddressing/>
    <ExactlyOne>
    <sp:TransportBinding>...</sp:TransportBindig>
    <sp:AsymmetricBinding>...</sp:AsymmetricBinding>
    </ExactlyOne>
    </All>
    </Policy>

    <Policy>
    <ExactlyOne>
    <All>
    <wsap:UsingAddressing/>
    <sp:TransportBinding>...</sp:TransportBindig>
    </All>
    <All>
    <wsap:UsingAddressing/>
    <sp:AsymmetricBinding>...</sp:AsymmetricBinding>
    </All>
    <All>
    <mtom:OptimizedMimeSerialization/>
    <wsap:UsingAddressing/>
    <sp:TransportBinding>...</sp:TransportBindig>
    </All>
    <All>
    <mtom:OptimizedMimeSerialization/>
    <wsap:UsingAddressing/>
    <sp:AsymmetricBinding>...</sp:AsymmetricBinding>
    </All>
    </ExactlyOne>
    </Policy>

    Compatible
    Policies
    Only mutually compatible policies can interact with each others
    Normalized Providers policy

    Normalized Requestor policy

    <Policy>
    <ExactlyOne>
    <All>
    <wsap:UsingAddressing/>
    <sp:TransportBinding>...</sp:TransportBindig>
    </All>
    <All>
    <wsap:UsingAddressing/>
    <sp:AsymmetricBinding>...</sp:AsymmetricBinding>
    </All>
    <All>
    <mtom:OptimizedMimeSerialization/>
    <wsap:UsingAddressing/>
    <sp:TransportBinding>...</sp:TransportBindig>
    </All>
    <All>
    <mtom:OptimizedMimeSerialization/>
    <wsap:UsingAddressing/>
    <sp:AsymmetricBinding>...</sp:AsymmetricBinding>
    </All>
    </ExactlyOne>

    <Policy>
    <ExactlyOne>
    <All>
    <sp:TransportBinding>...</sp:TransportBindig>
    </All>
    <All>
    <sp:TransportBinding>...</sp:TransportBindig>
    <wsap:UsingAddressing/>
    </All>
    </ExactlyOne>
    </Policy>

    WS-PolicyAttachment
    To attach a Policy to a WSDL document
    o Using PolicyReference tag (RECOMMENDED)
    <wsdl:binding name="SecureBinding" type="tns:RealTimeDataInterface" >
    <wsp:PolicyReference URI="#secure" />
    <wsdl:operation name="GetRealQuote" >...</wsdl:operation>
    ...
    </wsdl:binding>

    o Using PolicyURIs attribute


    <wsdl:binding name="SecureBinding" type="tns:RealTimeDataInterface"
    wsp:PolicyURIs=www.localhost:8080/policies/policy.xml#secure" >
    <wsdl:operation name="GetRealQuote" >...</wsdl:operation>
    ...
    </wsdl:binding>

    o Using PolicyAttachment
    <wsp:PolicyAttachment>
    <wsp:AppliesTo>
    <wsa:EndpointReference xmlns:fabrikam="" >
    <wsa:Address>http://www.fabrikam123.example.com/acct</wsa:Address>
    </wsa:EndpointReference>
    </wsp:AppliesTo>
    <wsp:PolicyReference URI=#secure" />
    </wsp:PolicyAttachment>

    Effective Policy

    Agenda
    Why Web services security
    Cryptography
    o Shared key
    o Public key

    XML Signatures
    XML Encryption
    WS-Policy
    WS-SecurityPolicy
    Conclusion

    WS-SecurityPolicy
    Standard way to define how to secure
    messages exchanged between Web services
    and clients
    Used to publish security requirements and
    constrains of a Web service using the WSDL
    specification
    Assertions: Security binding assertions,
    Protection assertions, Token assertions,
    Protocol assertions

    Sonic Create policy wizard


    Security Binding
    Assertion

    Protection Assertion
    Token Assertion and
    Protocol assertions

    Security binding assertions


    Three types of Security Binding assertions
    Transport binding assertion (HTTPS)
    Asymmetric binding assertion (Public Key)
    Symmetric binding assertion (Shared Key)

    Token Assertion

    Specify the types of the tokens to be used to protect messages like X509
    Properties on tokens
    o Token Inclusion property (Never, Once, AlwaysToRecipient, Always)

    <wsp:Policy>
    <sp:X509Token IncludeToken='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always'></sp:X509Token>
    </wsp:Policy>

    Protection Assertions
    Defines which message parts or SOAP headers are protected

    Sample WS Policy

    <wsp:Policy wsu:Id="TransferMoney"
    xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/12/secext"
    xmlns:wsrmp="http://schemas.xmlsoap.org/ws/2005/02/rm/policy"
    xmlns:sp='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy' >
    <wsp:ExactlyOne>
    <wsp:All alternative-id="TransferMoneyAlternative">
    <sp:AsymmetricBinding>
    <wsp:Policy>
    <sp:IncludeTimestamp></sp:IncludeTimestamp>
    <sp:EncryptBeforeSigning></sp:EncryptBeforeSigning>
    <sp:Layout>
    <wsp:Policy>
    <sp:Lax></sp:Lax>
    </wsp:Policy>
    </sp:Layout>
    <sp:AlgorithmSuite>
    <wsp:Policy>
    <sp:TripleDesRsa15></sp:TripleDesRsa15>
    </wsp:Policy>
    </sp:AlgorithmSuite>
    <sp:RecipientToken>
    <wsp:Policy>
    <sp:X509Token
    IncludeToken='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never'></sp:X509Token>
    </wsp:Policy>
    </sp:RecipientToken>
    <sp:InitiatorToken>
    <wsp:Policy>
    <sp:X509Token
    IncludeToken='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always'></sp:X509Token>
    </wsp:Policy>
    </sp:InitiatorToken>
    </wsp:Policy>
    </sp:AsymmetricBinding>
    <sp:EncryptedParts>

    Agenda
    Why Web services security
    Cryptography
    o Shared key
    o Public key

    XML Signatures
    XML Encryption
    WS-Policy
    WS-SecurityPolicy
    Conclusion

    Conclusion

    You might also like