web services security
DESCRIPTION
Web Services Security. Maria Lizarraga, CS691. Agenda: Problem Definition; SOAP Messages; Implementing Security Services (Integrity, Confidentiality, Authentication); Implementation. What is a web service?
TRANSCRIPT
04/19/23 Maria Lizarraga, Web Services Security, Page 2
Agenda
• Problem Definition
• SOAP Messages
• Implementing Security Services
  – Integrity
  – Confidentiality
  – Authentication
• Implementation
What is a web service?
• A web service is a web software application available on the network that provides an interface for exchanging information with a client.
  – the software application
  – a method to interface to the application
  – a URI associated with the application
  – a published document that gives visibility to the world
Network Layer Firewall
• Firewall authenticates user
• SOAP server cannot distinguish between
  – Business Partner
  – Customer
Solution
• Make firewall XML and SOAP aware
  – SOAP message contains security information
• Intruders now stopped at the firewall
Simple Object Access Protocol (SOAP) Message
• XML
• Embedded into HTTP
• Three parts
  – Envelope
  – Header
  – Body
SOAP Request (Digital Signature)
SOAP Message
POST /GradesService/services/GradesService HTTP/1.0
Content-Type: text/xml; charset=utf-8
Accept: application/soap+xml, application/dime, multipart/related, text/*
User-Agent: IBM WebServices/1.0
Host: localhost:9080
Cache-Control: no-cache
Pragma: no-cache
SOAPAction: ""
Content-Length: 356

<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <soapenv:Body>
    <getStudents xmlns="http://grades"/>
  </soapenv:Body>
</soapenv:Envelope>
Application
package grades;

public class GradesService {
    final int NUMSTUDENTS = 4;
    String[] students;
    char[] grade;

    public GradesService() {
        students = new String[] {"Mary", "Joe", "Sally", "Tim"};
        grade = new char[] {'A', 'B', 'C', 'D'};
    } // end constructor

    // Look up a student's grade by name; 'Z' means "not found".
    public char getStudentGrade(String student) {
        for (int i = 0; i < NUMSTUDENTS; i++)
            if (student.equals(students[i]))
                return grade[i];
        return 'Z';
    } // end getStudentGrade

    public String getStudent(int studentID) {
        return students[studentID];
    } // end getStudent

    public String[] getStudents() {
        return students;
    } // end getStudents

    public static void main(String[] args) {
        GradesService gs = new GradesService();
        for (int i = 0; i < gs.NUMSTUDENTS; i++)
            System.out.println("Student: " + gs.getStudent(i)
                + "\tGrade: " + gs.getStudentGrade(gs.getStudent(i)));
    } // end main
} // end class GradesService
Response
HTTP/1.1 200 OK
Server: WebSphere Application Server/5.1
Content-Type: text/xml; charset=utf-8
Content-Language: en-US
Connection: close

<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <soapenv:Body>
    <getStudentsResponse xmlns="http://grades">
      <getStudentsReturn>Mary</getStudentsReturn>
      <getStudentsReturn>Joe</getStudentsReturn>
      <getStudentsReturn>Sally</getStudentsReturn>
      <getStudentsReturn>Tim</getStudentsReturn>
    </getStudentsResponse>
  </soapenv:Body>
</soapenv:Envelope>
Security Services
• Confidentiality
  – XML Encryption
• Integrity
  – XML Digital Signature
• Authentication
  – Security Tokens
Integrity and Authentication Example
Goal
• Message Integrity
• Message Authentication
• User Authentication
Process
• Obtain the message digest of the message.
• Encrypt message digest with sender's private key.
XML Digital Signature
• <BinarySecurityToken> -- This section specifies the encoding format for binary encoded security tokens.
  – EncodingType -- Encoding used on Security Token
  – ValueType --
  – ID
• Encoded Digital Certificate
• <Signature> -- Signature specific information. It contains the following three subsections:
  – <SignedInfo> -- Processing information: how it is signed
    • <CanonicalizationMethod> -- Normalizing data algorithm
    • <SignatureMethod> -- Signature algorithm
    • <Reference> -- Points to signed content
      – <Transforms> -- How to process data
      – <DigestMethod> -- Hashing algorithm used on <body>
      – <DigestValue>
  – <SignatureValue> -- Value of the signed data
  – <KeyInfo> -- Optional key identifier (such as a public key/symmetric key)
    • <wsse:SecurityTokenReference>
      – Reference -- Refers to public key inside Digital Certificate
Digital Signature Request Example
Digital Signature Response Example
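The digest-then-sign process from the previous slide and the <SignedInfo>/<DigestValue>/<SignatureValue> structure above, worked through in Go as an added example (not code from the slides or from WebSphere). It assumes SHA-256 and RSA PKCS#1 v1.5 as the algorithms, a whitespace-collapsing stand-in for XML canonicalization, and a wsu:Id on the Body for the <Reference> URI; the receiver must check both the signature over <SignedInfo> and the recomputed Body digest.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// canonicalize stands in for <CanonicalizationMethod> (real XML-DSig uses C14N).
func canonicalize(xml string) string { return strings.Join(strings.Fields(xml), " ") }

// digestBody is the <Reference>/<DigestValue> step: base64(SHA-256(canonical Body)).
func digestBody(body string) string {
	sum := sha256.Sum256([]byte(canonicalize(body)))
	return base64.StdEncoding.EncodeToString(sum[:])
}

// buildSignedInfo assembles the <SignedInfo> that is actually signed: it binds the
// Body digest to the reference URI and names the algorithms used.
func buildSignedInfo(bodyID, digest string) string {
	return fmt.Sprintf(`<ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>`+
		`<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><ds:Reference URI="#%s">`+
		`<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>%s</ds:DigestValue>`+
		`</ds:Reference></ds:SignedInfo>`, bodyID, digest)
}

// sign produces <SignatureValue>: SHA-256 of SignedInfo, signed with the sender's private key.
func sign(priv *rsa.PrivateKey, signedInfo string) (string, error) {
	h := sha256.Sum256([]byte(canonicalize(signedInfo)))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	return base64.StdEncoding.EncodeToString(sig), err
}

// verify is the receiver's side: check SignatureValue over SignedInfo with the public key
// from the BinarySecurityToken, then recompute the Body digest and compare it with the
// DigestValue the signer committed to. A modified Body fails the second check.
func verify(pub *rsa.PublicKey, body, signedInfo, sigValue string) error {
	sig, err := base64.StdEncoding.DecodeString(sigValue)
	h := sha256.Sum256([]byte(canonicalize(signedInfo)))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) != nil {
		return fmt.Errorf("SignatureValue does not verify")
	}
	if !strings.Contains(signedInfo, "<ds:DigestValue>"+digestBody(body)+"</ds:DigestValue>") {
		return fmt.Errorf("DigestValue does not match the Body")
	}
	return nil
}
```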
Confidentiality Example
Goal
• Only allow those who have "a need to know" to see the data
Process
• Encrypt <body> with symmetric key
• Encrypt symmetric key with recipient's public key
XML Encryption
• <EncryptedKey> -- Symmetric key information
  – <EncryptionMethod> -- Method of Encryption
  – <KeyInfo> -- Encrypted Key Identifier
    • <SecurityTokenReference>
      – <KeyIdentifier>
  – <CipherData>
    – <CipherValue> -- Encrypted Symmetric Key
  – <ReferenceList> -- Reference to the encrypted text
Encryption Request Example
Encryption Response Example
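The two-step confidentiality process (encrypt the Body with a symmetric key, encrypt that key with the recipient's public key) and the <EncryptedKey>/<CipherValue> split above, as an added Go example that is not code from the slides or from WebSphere. It assumes AES-256-GCM for the Body and RSA-OAEP for the key wrap; the field names are constructed for the demo and the XML wrapping is left out.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"io"
)

// EncryptedBody: the <EncryptedKey> CipherValue (wrapped symmetric key) and the <EncryptedData> CipherValue.
type EncryptedBody struct{ EncryptedKey, CipherValue string } // both base64; CipherValue = nonce || AES-GCM output

// encryptBody performs the slide's two steps: fresh symmetric key for the Body, RSA-OAEP for that key.
func encryptBody(recipient *rsa.PublicKey, body []byte) (EncryptedBody, error) {
	buf := make([]byte, 32+12) // 256-bit AES key followed by a 96-bit GCM nonce
	if _, err := io.ReadFull(rand.Reader, buf); err != nil {
		return EncryptedBody{}, err
	}
	key, nonce := buf[:32], buf[32:]
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	ct := gcm.Seal(nonce, nonce, body, nil) // nonce prepended so the recipient can recover it
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, key, nil)
	return EncryptedBody{base64.StdEncoding.EncodeToString(wrapped), base64.StdEncoding.EncodeToString(ct)}, err
}

// decryptBody is the recipient's side: unwrap the key with the private key, then decrypt and
// authenticate the Body. Without the private key there is only ciphertext; GCM rejects any modification.
func decryptBody(priv *rsa.PrivateKey, e EncryptedBody) ([]byte, error) {
	wrapped, err1 := base64.StdEncoding.DecodeString(e.EncryptedKey)
	ct, err2 := base64.StdEncoding.DecodeString(e.CipherValue)
	if err1 != nil || err2 != nil {
		return nil, fmt.Errorf("malformed CipherValue")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap symmetric key: %w", err)
	}
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	if len(ct) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, ct[:gcm.NonceSize()], ct[gcm.NonceSize():], nil)
}
```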
Other XML Encryption Options
• Encrypt entire message
• Encrypt attachments
• Encrypt any element
• Encrypt an encrypted element
Basic Authentication Example
Goal
• Identify the user
Process
• Provide user name
• Provide user password (not encrypted)
Basic Authentication
• <UsernameToken>
  – <Username>
  – <Password>
Basic Authentication Request Example
Basic Authentication Response Example
Security Tokens
Security Tokens used to Authenticate
• Basic Authentication
  – Login/Password
• Digital Signature
  – Public Key/Private Key
• ID Assertion
  – Single Sign-On
• LTPA – Lightweight Third Party Authentication
  – Single Sign-On
  – Forwardable Credentials
Hash Message Authentication Code (HMAC)
<wsse:UsernameToken wsu:Id="LoanCenterUsernameToken">
  <wsse:Username>CompetitiveLoanService</wsse:Username>
  <wsse:Nonce>WS3Lhf6RpK...</wsse:Nonce>
  <wsu:Created>2003-06-12T09:00:00Z</wsu:Created>
</wsse:UsernameToken>
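How the <wsse:Nonce> and <wsu:Created> above turn the plaintext <Password> of the Basic Authentication slide into a replay-resistant digest, as an added Go example that is not code from the slides or from WebSphere. It assumes the WS-Security UsernameToken Profile digest, Base64(SHA-1(nonce + created + password)), a verifier that keeps the sender's password, and a constructed freshness window; the Verifier type and its field names are this example's own.

```go
package main

import (
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"time"
)

// UsernameToken holds the <wsse:UsernameToken> fields; Nonce and PasswordDigest are base64 in the message.
type UsernameToken struct{ Username, Nonce, Created, PasswordDigest string }

// passwordDigest is Base64(SHA-1(nonce + created + password)) from the WS-Security
// UsernameToken Profile; the nonce contributes its raw bytes, not its base64 text.
func passwordDigest(nonce []byte, created, password string) string {
	h := sha1.New()
	h.Write(nonce)
	h.Write([]byte(created))
	h.Write([]byte(password))
	return base64.StdEncoding.EncodeToString(h.Sum(nil))
}

// Verifier is the receiving side: it knows each user's password, remembers accepted nonces
// (with their Created time so old entries can be purged) and rejects stale or replayed tokens.
type Verifier struct {
	Passwords map[string]string
	Seen      map[string]time.Time
	Now       func() time.Time
	MaxSkew   time.Duration
}

func (v *Verifier) Accept(t UsernameToken) error {
	created, err1 := time.Parse(time.RFC3339, t.Created)
	nonce, err2 := base64.StdEncoding.DecodeString(t.Nonce)
	if err1 != nil || err2 != nil {
		return fmt.Errorf("malformed Created or Nonce")
	}
	if d := v.Now().Sub(created); d > v.MaxSkew || d < -v.MaxSkew {
		return fmt.Errorf("Created outside the freshness window")
	}
	if _, replayed := v.Seen[t.Nonce]; replayed {
		return fmt.Errorf("Nonce already used: replay")
	}
	want := passwordDigest(nonce, t.Created, v.Passwords[t.Username]) // unknown user => mismatch
	if subtle.ConstantTimeCompare([]byte(want), []byte(t.PasswordDigest)) != 1 {
		return fmt.Errorf("PasswordDigest mismatch")
	}
	v.Seen[t.Nonce] = created
	return nil
}
```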
WebSphere Implementation
Wizard support for:
• XML Encryptions
• XML Digital Signatures
(One or the other, not both for <body> of message)
Without Wizardry:
• Security Tokens
  – Basic Authentication
  – Digital Signatures
  – Assertions
  – LTPA
• Multiple Encryption on any part of message
• Multiple Digital Signatures on any part of message
Summary
• Web Service Architecture
• SOAP
• Implementing Security Services
  – Integrity: XML Digital Signature
  – Confidentiality: XML Encryption
  – Authentication: Security Tokens