
Web services security

Suresh Inavolu

Agenda
Why Web services security
Cryptography
o Shared key
o Public key

XML Signatures
XML Encryption
WS-Policy
WS-SecurityPolicy
Conclusion

Why Web services security


<Request
custId="Customer1"
pin="myQw6k3z">
<SendMoney
to="Customer2"
amount="10000"/>
</Request>

1) Read the message: PIN of Customer1
2) Change the message: send money to CustomerX
3) Create a new message and send it as if Customer1 were requesting it.

Security terms
1) Confidentiality: No one other than the receiver can understand the message
2) Integrity: The message has not been changed in between
3) Authentication: The message is sent by the original sender

Cryptography
Shared key encryption
o Also called Symmetric key encryption
Public key encryption
o Also called Asymmetric key encryption

Shared key

Public key
Different keys (only the private key is kept secret)

XML Signatures
Used for authentication and data integrity.
Digital signatures
o Encrypt the hash of the message using the private key

Digital Signature
Calculating Digital signature

<Request
custId="Customer1"
pin="myQw6k3z">
<SendMoney
to="Customer2"
amount="10000"/>
</Request>

1) Message -> Hash Algorithm like SHA1 -> Hash Value: 50920620636403163
2) Hash Value -> Encrypt using Private key -> Digest Value: m1eRh4!pQ(zcB6
3) Message with Digital signature: the message followed by m1eRh4!pQ(zcB6

Digital Signature
Verifying Digital Signatures

Message with Digital signature:
<Request
custId="Customer1"
pin="myQw6k3z">
<SendMoney
to="Customer2"
amount="10000"/>
</Request>
m1eRh4!pQ(zcB6

1) Message -> Hash Algorithm like SHA1 -> Hash Value: 50920620636403163
2) m1eRh4!pQ(zcB6 -> Decrypt using Sender's public key -> Hash Value: 50920620636403163
3) Both should match

XML Signature
An extension to digital signatures to sign XML messages
Ability to sign only specific portions of the XML tree

Canonicalization
<Request custId="Customer1" pin="myQw6k3z" xmlns="urn://bank/request">
<SendMoney to="Customer2" amount="10000"/>
<Comments><![CDATA[Send it in two days to Progress.]]></Comments>
</Request>

<?xml version='1.0'?>
<Request custId='Customer1' pin='myQw6k3z' xmlns="urn://bank/request">
<SendMoney
to='Customer2'
amount='10000'
bank='abc'>
</SendMoney>
<Comments xmlns="urn://bank/request">Send it in two days to &PRGS;.</Comments>
</Request>

However, both these XML documents generate different hash values and
hence different digital signatures.
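
The effect described on this slide, as an added example that is not part of the original deck: two constructed serializations of the same request hash differently as raw bytes but identically after canonicalization, while a changed payee is still detected. It assumes Python 3.8+, whose standard library implements C14N 2.0 (the sample signature in the slides names C14N 1.0), and uses SHA-256 in place of SHA1.

```python
import hashlib
from xml.etree.ElementTree import canonicalize  # C14N 2.0, Python 3.8+

# Constructed samples modelled on the slide: same content, different
# serialization (attribute order, quote style, whitespace inside tags,
# empty-element form, CDATA versus plain text).
DOC_A = (
    '<Request custId="Customer1" pin="myQw6k3z" xmlns="urn://bank/request">'
    '<SendMoney to="Customer2" amount="10000"/>'
    '<Comments><![CDATA[Send it in two days.]]></Comments>'
    '</Request>'
)
DOC_B = (
    "<?xml version='1.0'?>\n"
    "<Request pin='myQw6k3z' xmlns='urn://bank/request' custId='Customer1'>"
    "<SendMoney\n  amount='10000'\n  to='Customer2'></SendMoney>"
    "<Comments>Send it in two days.</Comments>"
    "</Request>"
)
# Constructed tampered copy: the payee is changed (threat 2 in the slides).
DOC_TAMPERED = DOC_B.replace("Customer2", "CustomerX")


def raw_digest(xml_text: str) -> str:
    """Hash the bytes exactly as serialized, with no canonicalization."""
    return hashlib.sha256(xml_text.encode("utf-8")).hexdigest()


def c14n_digest(xml_text: str) -> str:
    """Canonicalize first, then hash, as an XML Signature Reference does."""
    canonical = canonicalize(xml_text)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    print("raw digests equal: ", raw_digest(DOC_A) == raw_digest(DOC_B))
    print("c14n digests equal:", c14n_digest(DOC_A) == c14n_digest(DOC_B))
    print("tamper detected:   ", c14n_digest(DOC_A) != c14n_digest(DOC_TAMPERED))
    print(canonicalize(DOC_B))
```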

XML Signature Structure


<Signature ID?>
<SignedInfo>
(CanonicalizationMethod)
(SignatureMethod)
(<Reference URI? >
(Transforms)?
(DigestMethod)
(DigestValue)
</Reference>)+
</SignedInfo>
(SignatureValue)
(KeyInfo)?
(Object ID?)*
</Signature>

Sample XML Signature
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo Id="foobar">
<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
<Reference URI="http://test/results.xml">
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>j6lwx3rvEPO0vKtMup4NbeVu8nk=</DigestValue>
</Reference>
<Reference URI="file:/C:/input.xml#message">
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>UrXLDLBIta6skoV5/A8Q38GEw44=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>MC0E~LE=</SignatureValue>
<KeyInfo>
<X509Data>
<X509SubjectName>O=XMLSec Inc.,ST=OTTAWA,C=CA</X509SubjectName>
<X509Certificate> MIID5jCCA0+gA...lVN </X509Certificate>
</X509Data>
</KeyInfo>
</Signature>

XML Encryption
Ensuring Confidentiality of XML Messages
Encrypt data using Shared key technology
Shared key will be distributed
o Either by a separate channel
o Or by encrypting the shared key using the public key of the receiver (Digital Enveloping)

XML Encryption Syntax


<EncryptedData Id? Type? MimeType? Encoding?>
<EncryptionMethod/>?
<ds:KeyInfo>?
</ds:KeyInfo>
<CipherData>
<CipherValue>?
<CipherReference URI?>?
</CipherData>
<EncryptionProperties>?
</EncryptedData>

Sample XML Encryption (using Digital Enveloping)
<EncryptedData>
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<EncryptedKey>
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa"/>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509SubjectName>CN=suresh,OU=Sonic,O=Progress,ST=AP,C=IN</ds:X509SubjectName>
</ds:X509Data>
</ds:KeyInfo>
<CipherData>
<CipherValue>QYJKoZIhvcNAQkBFhhz</CipherValue>
</CipherData>
</EncryptedKey>
</ds:KeyInfo>
<CipherData>
<CipherValue>DTA4MDQwOTA5NTUwNFoXDTA5MDQwOTA5NTUwNFowT</CipherValue>
</CipherData>
</EncryptedData>

WS-Policy
A framework for describing policy assertions.
Four elements (Policy, All, ExactlyOne, PolicyReference) and one attribute (wsp:Optional)
All: All policy assertions should be satisfied.
ExactlyOne: Only one policy assertion should be satisfied.
wsp:Optional: Policy assertion is an optional feature.
Operations for processing policies: Normalize, Merge, and Intersect

Policy example

<Policy>
<All>
<mtom:OptimizedMimeSerialization wsp:Optional="true"/>
<wsap:UsingAddressing/>
<ExactlyOne>
<sp:TransportBinding>...</sp:TransportBinding>
<sp:AsymmetricBinding>...</sp:AsymmetricBinding>
</ExactlyOne>
</All>
</Policy>

Reusing policy using PolicyReference

<Policy id="common">
<All>
<mtom:OptimizedMimeSerialization wsp:Optional="true"/>
<wsap:UsingAddressing/>
</All>
</Policy>

<Policy id="security">
<All>
<PolicyReference URI="#common"/>
<ExactlyOne>
<sp:TransportBinding>...</sp:TransportBinding>
<sp:AsymmetricBinding>...</sp:AsymmetricBinding>
</ExactlyOne>
</All>
</Policy>

Normal Form for Policy Expressions

<Policy>
<All>
<mtom:OptimizedMimeSerialization wsp:Optional="true"/>
<wsap:UsingAddressing/>
<ExactlyOne>
<sp:TransportBinding>...</sp:TransportBinding>
<sp:AsymmetricBinding>...</sp:AsymmetricBinding>
</ExactlyOne>
</All>
</Policy>

<Policy>
<ExactlyOne>
<All>
<wsap:UsingAddressing/>
<sp:TransportBinding>...</sp:TransportBinding>
</All>
<All>
<wsap:UsingAddressing/>
<sp:AsymmetricBinding>...</sp:AsymmetricBinding>
</All>
<All>
<mtom:OptimizedMimeSerialization/>
<wsap:UsingAddressing/>
<sp:TransportBinding>...</sp:TransportBinding>
</All>
<All>
<mtom:OptimizedMimeSerialization/>
<wsap:UsingAddressing/>
<sp:AsymmetricBinding>...</sp:AsymmetricBinding>
</All>
</ExactlyOne>
</Policy>

Compatible Policies
Only mutually compatible policies can interact with each other

Normalized Provider's policy

<Policy>
<ExactlyOne>
<All>
<wsap:UsingAddressing/>
<sp:TransportBinding>...</sp:TransportBinding>
</All>
<All>
<wsap:UsingAddressing/>
<sp:AsymmetricBinding>...</sp:AsymmetricBinding>
</All>
<All>
<mtom:OptimizedMimeSerialization/>
<wsap:UsingAddressing/>
<sp:TransportBinding>...</sp:TransportBinding>
</All>
<All>
<mtom:OptimizedMimeSerialization/>
<wsap:UsingAddressing/>
<sp:AsymmetricBinding>...</sp:AsymmetricBinding>
</All>
</ExactlyOne>
</Policy>

Normalized Requestor's policy

<Policy>
<ExactlyOne>
<All>
<sp:TransportBinding>...</sp:TransportBinding>
</All>
<All>
<sp:TransportBinding>...</sp:TransportBinding>
<wsap:UsingAddressing/>
</All>
</ExactlyOne>
</Policy>
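
The Normalize and Intersect operations from the "Normal Form for Policy Expressions" and "Compatible Policies" slides, as an added example that is not part of the original deck. The tuple-based policy model and the function names are assumptions of this sketch, and assertions are compared by name only (nested policies and parameters are ignored).

```python
from itertools import product

# Policy model used by this sketch (hypothetical, not a WS-Policy library API):
#   ("assertion", qname, optional) | ("All", [children]) | ("ExactlyOne", [children])

def A(qname, optional=False):
    return ("assertion", qname, optional)

def normalize(node):
    """Return the policy's alternatives, each a frozenset of assertion names."""
    kind = node[0]
    if kind == "assertion":
        _, qname, optional = node
        # wsp:Optional="true" is shorthand for ExactlyOne(All(assertion), All())
        return {frozenset([qname])} | ({frozenset()} if optional else set())
    children = [normalize(child) for child in node[1]]
    if kind == "ExactlyOne":   # any child's alternative is an alternative
        return set().union(*children)
    if kind == "All":          # pick one alternative per child and merge them
        return {frozenset().union(*combo) for combo in product(*children)}
    raise ValueError(f"unknown policy operator: {kind}")

def intersect(provider_alts, requestor_alts):
    """Alternatives both sides accept: every assertion type in one alternative
    must also appear in the other, and vice versa."""
    return {p for p in provider_alts for r in requestor_alts if p == r}

MTOM, ADDR = "mtom:OptimizedMimeSerialization", "wsap:UsingAddressing"
TRANSPORT, ASYMMETRIC = "sp:TransportBinding", "sp:AsymmetricBinding"

# The provider policy from the slides, in compact form.
PROVIDER = ("All", [A(MTOM, optional=True), A(ADDR),
                    ("ExactlyOne", [A(TRANSPORT), A(ASYMMETRIC)])])
# The requestor policy from the slides, already in normal form.
REQUESTOR = ("ExactlyOne", [("All", [A(TRANSPORT)]),
                            ("All", [A(TRANSPORT), A(ADDR)])])

if __name__ == "__main__":
    for alt in sorted(normalize(PROVIDER), key=sorted):
        print("provider alternative:", sorted(alt))
    shared = intersect(normalize(PROVIDER), normalize(REQUESTOR))
    print("compatible:", [sorted(alt) for alt in shared])
```

With the slide's policies, the only compatible alternative is UsingAddressing together with TransportBinding; the requestor's TransportBinding-only alternative matches nothing because every provider alternative requires addressing.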

WS-PolicyAttachment
To attach a Policy to a WSDL document
o Using PolicyReference tag (RECOMMENDED)
<wsdl:binding name="SecureBinding" type="tns:RealTimeDataInterface" >
<wsp:PolicyReference URI="#secure" />
<wsdl:operation name="GetRealQuote" >...</wsdl:operation>
...
</wsdl:binding>

o Using PolicyURIs attribute
<wsdl:binding name="SecureBinding" type="tns:RealTimeDataInterface"
wsp:PolicyURIs="www.localhost:8080/policies/policy.xml#secure" >
<wsdl:operation name="GetRealQuote" >...</wsdl:operation>
...
</wsdl:binding>

o Using PolicyAttachment
<wsp:PolicyAttachment>
<wsp:AppliesTo>
<wsa:EndpointReference xmlns:fabrikam="" >
<wsa:Address>http://www.fabrikam123.example.com/acct</wsa:Address>
</wsa:EndpointReference>
</wsp:AppliesTo>
<wsp:PolicyReference URI="#secure" />
</wsp:PolicyAttachment>

Effective Policy

WS-SecurityPolicy
Standard way to define how to secure messages exchanged between Web services and clients
Used to publish security requirements and constraints of a Web service using the WSDL specification
Assertions: Security binding assertions, Protection assertions, Token assertions, Protocol assertions

Sonic Create policy wizard


Security Binding
Assertion

Protection Assertion
Token Assertion and
Protocol assertions

Security binding assertions


Three types of Security Binding assertions
Transport binding assertion (HTTPS)
Asymmetric binding assertion (Public Key)
Symmetric binding assertion (Shared Key)

Token Assertion

Specifies the types of tokens to be used to protect messages, such as X509
Properties on tokens
o Token Inclusion property (Never, Once, AlwaysToRecipient, Always)

<wsp:Policy>
<sp:X509Token IncludeToken='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always'></sp:X509Token>
</wsp:Policy>

Protection Assertions
Defines which message parts or SOAP headers are protected

Sample WS Policy

<wsp:Policy wsu:Id="TransferMoney"
xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/12/secext"
xmlns:wsrmp="http://schemas.xmlsoap.org/ws/2005/02/rm/policy"
xmlns:sp='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy' >
<wsp:ExactlyOne>
<wsp:All alternative-id="TransferMoneyAlternative">
<sp:AsymmetricBinding>
<wsp:Policy>
<sp:IncludeTimestamp></sp:IncludeTimestamp>
<sp:EncryptBeforeSigning></sp:EncryptBeforeSigning>
<sp:Layout>
<wsp:Policy>
<sp:Lax></sp:Lax>
</wsp:Policy>
</sp:Layout>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:TripleDesRsa15></sp:TripleDesRsa15>
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:RecipientToken>
<wsp:Policy>
<sp:X509Token
IncludeToken='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never'></sp:X509Token>
</wsp:Policy>
</sp:RecipientToken>
<sp:InitiatorToken>
<wsp:Policy>
<sp:X509Token
IncludeToken='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always'></sp:X509Token>
</wsp:Policy>
</sp:InitiatorToken>
</wsp:Policy>
</sp:AsymmetricBinding>
<sp:EncryptedParts>

Conclusion
