Posted 31-Dec-2015


Web Services Security

Maria Lizarraga

CS691

04/19/23 Maria Lizarraga, Web Services Security, Page 2

Agenda

• Problem Definition
• SOAP Messages
• Implementing Security Services
– Integrity
– Confidentiality
– Authentication
• Implementation


What is a web service?

• A web service is a software application available on the network that provides an interface for exchanging information with a client. It consists of:
– the software application
– a method to interface to the application
– a URI associated with the application
– a published document that gives the service visibility to the world


Architecture


Maria’s Competitive Loan Service


Network Layer Firewall

• The firewall authenticates the user at the network layer and then passes the SOAP message through unchanged.
• The SOAP server therefore cannot distinguish between
– a Business Partner
– a Customer
because both arrive as already-admitted traffic, and the message itself carries nothing that says who sent it.


Solution

• Make the firewall XML- and SOAP-aware
– the SOAP message itself carries the security information (in its header), so the firewall can inspect it
• Intruders are now stopped at the firewall instead of reaching the SOAP server


Simple Object Access Protocol (SOAP) Message

• XML
• Usually carried over HTTP (a POST whose body is the XML message)
• Three parts
– Envelope (the root element)
– Header (optional; this is where security information such as tokens and signatures is carried)
– Body (the application payload)


SOAP Request

SOAP Message

    POST /GradesService/services/GradesService HTTP/1.0
    Content-Type: text/xml; charset=utf-8
    Accept: application/soap+xml, application/dime, multipart/related, text/*
    User-Agent: IBM WebServices/1.0
    Host: localhost:9080
    Cache-Control: no-cache
    Pragma: no-cache
    SOAPAction: ""
    Content-Length: 356

    <?xml version="1.0" encoding="UTF-8"?>
    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                      xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
                      xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <soapenv:Body>
        <getStudents xmlns="http://grades"/>
      </soapenv:Body>
    </soapenv:Envelope>

This request has no SOAP header at all: nothing in it authenticates the caller or protects the body. The following slides add that.

Application

    package grades;

    public class GradesService {
        final int NUMSTUDENTS = 4;
        String[] students;
        char[] grade;

        public GradesService() {
            students = new String[] {"Mary", "Joe", "Sally", "Tim"};
            grade = new char[] {'A', 'B', 'C', 'D'};
        } // end constructor

        // Returns 'Z' for an unknown (or null) student name.
        public char getStudentGrade(String student) {
            for (int i = 0; i < NUMSTUDENTS; i++)
                if (students[i].equals(student))
                    return grade[i];
            return 'Z';
        } // end getStudentGrade

        // Rejects an out-of-range ID instead of letting a remote caller
        // trigger an ArrayIndexOutOfBoundsException.
        public String getStudent(int studentID) {
            if (studentID < 0 || studentID >= NUMSTUDENTS)
                return null;
            return students[studentID];
        } // end getStudent

        public String[] getStudents() {
            return students;
        } // end getStudents

        public static void main(String[] args) {
            GradesService gs = new GradesService();
            for (int i = 0; i < gs.NUMSTUDENTS; i++)
                System.out.println("Student: " + gs.getStudent(i)
                    + "\tGrade: " + gs.getStudentGrade(gs.getStudent(i)));
        } // end main
    } // end class GradesService


Response

    HTTP/1.1 200 OK
    Server: WebSphere Application Server/5.1
    Content-Type: text/xml; charset=utf-8
    Content-Language: en-US
    Connection: close

    <?xml version="1.0" encoding="UTF-8"?>
    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                      xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
                      xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <soapenv:Body>
        <getStudentsResponse xmlns="http://grades">
          <getStudentsReturn>Mary</getStudentsReturn>
          <getStudentsReturn>Joe</getStudentsReturn>
          <getStudentsReturn>Sally</getStudentsReturn>
          <getStudentsReturn>Tim</getStudentsReturn>
        </getStudentsResponse>
      </soapenv:Body>
    </soapenv:Envelope>


Security Services

• Confidentiality
– XML Encryption
• Integrity
– XML Digital Signature
• Authentication
– Security Tokens


Client Application


Integrity and Authentication Example

Goal
• Message integrity
• Message authentication
• User authentication

Process
• Obtain the message digest (hash) of the message.
• Encrypt (sign) the message digest with the sender's private key.
• The receiver recomputes the digest and checks the signature with the sender's public key, taken from the sender's certificate. A match shows the message is unchanged and came from the holder of that private key; it authenticates the user only if the certificate binds that key to the user.


XML Digital Signature

• <BinarySecurityToken> -- Specifies the encoding format for binary-encoded security tokens.
– EncodingType -- Encoding used on the security token
– ValueType -- Type of the token
– Id
• Encoded Digital Certificate (the token's content)
• <Signature> -- Signature-specific information. It contains three subsections:
– <SignedInfo> -- Processing information: how the message is signed
• <CanonicalizationMethod> -- Algorithm for normalizing the data before it is hashed
• <SignatureMethod> -- Signature algorithm
• <Reference> -- Points to the signed content
– <Transforms> -- How to process the data
– <DigestMethod> -- Hashing algorithm used on <body>
– <DigestValue> -- The resulting hash
– <SignatureValue> -- Value of the signature, computed over <SignedInfo> (which carries the digest)
– <KeyInfo> -- Optional key identifier (such as a public key or symmetric key)
• <wsse:SecurityTokenReference>
– Reference -- Refers to the public key inside the Digital Certificate

Digital Signature Request Example
Digital Signature Response Example
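The sign-and-verify process from the two slides above, as an added Go example (not code from the presentation or from WebSphere): the body is hashed, the digest is signed with the sender's RSA private key, and the receiver performs the two checks an XML-DSig verifier performs, reference validation (recompute the digest of the body it is about to process and compare it with <DigestValue>) and signature validation (check <SignatureValue> under the sender's public key). The Signature struct, the function names and the sample body are this example's own assumptions. It signs the raw bytes of the body, whereas XML Signature canonicalizes the referenced element first, and it uses RSA-PSS with SHA-256 rather than the RSA-SHA1 of early WS-Security stacks.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
)

// Signature holds the fields the slide lists under <Signature>.
type Signature struct {
	DigestMethod    string // <DigestMethod>: hash applied to the body
	DigestValue     string // <DigestValue>: base64 digest of the body
	SignatureMethod string // <SignatureMethod>: signature algorithm
	SignatureValue  string // <SignatureValue>: base64 signature over the digest
}

// newSenderKey generates the sender's RSA key pair; in WS-Security the public
// half travels in the <BinarySecurityToken> certificate.
func newSenderKey() *rsa.PrivateKey {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return priv
}

// SignBody follows the slide's process: take the message digest, then sign it
// with the sender's private key (RSA-PSS over SHA-256 here).
func SignBody(priv *rsa.PrivateKey, body []byte) (Signature, error) {
	digest := sha256.Sum256(body)
	sig, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return Signature{}, err
	}
	return Signature{"sha256", base64.StdEncoding.EncodeToString(digest[:]),
		"rsa-pss-sha256", base64.StdEncoding.EncodeToString(sig)}, nil
}

// VerifyBody performs the two checks of an XML-DSig verifier, in order:
// reference validation (the body about to be processed hashes to DigestValue)
// and signature validation (SignatureValue verifies under the sender's public
// key). The algorithms are fixed; the message cannot substitute weaker ones.
func VerifyBody(pub *rsa.PublicKey, body []byte, s Signature) error {
	if s.DigestMethod != "sha256" || s.SignatureMethod != "rsa-pss-sha256" {
		return errors.New("unsupported DigestMethod or SignatureMethod")
	}
	want, err := base64.StdEncoding.DecodeString(s.DigestValue)
	if err != nil {
		return err
	}
	digest := sha256.Sum256(body)
	if subtle.ConstantTimeCompare(digest[:], want) != 1 {
		return errors.New("reference validation failed: body does not match DigestValue")
	}
	sig, err := base64.StdEncoding.DecodeString(s.SignatureValue)
	if err != nil {
		return err
	}
	if err := rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil); err != nil {
		return fmt.Errorf("signature validation failed: %w", err)
	}
	return nil
}

func main() {
	priv := newSenderKey()
	// Constructed body, modelled on the slide's getStudents request.
	body := []byte(`<soapenv:Body><getStudents xmlns="http://grades"/></soapenv:Body>`)
	sig, err := SignBody(priv, body)
	if err != nil {
		panic(err)
	}
	fmt.Println("original body:", VerifyBody(&priv.PublicKey, body, sig))
	// An intermediary swaps the operation; the signature no longer verifies.
	tampered := []byte(`<soapenv:Body><getStudentGrade xmlns="http://grades"><student>Mary</student></getStudentGrade></soapenv:Body>`)
	fmt.Println("tampered body:", VerifyBody(&priv.PublicKey, tampered, sig))
}
```

The order of the checks matters, and so does what gets hashed: VerifyBody hashes the body the application will actually execute, not an element located by its Id somewhere else in the envelope. A verifier that validates a signed <Body> found by Id but then processes a different, unsigned <Body> an attacker inserted elsewhere is open to XML signature wrapping. Refusing any DigestMethod or SignatureMethod other than the expected ones closes the other common hole, letting the message choose its own (weaker) algorithm.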


Confidentiality Example

Goal
• Only allow those who have "a need to know" to see the data

Process
• Encrypt <body> with a symmetric key (fresh for this message)
• Encrypt the symmetric key with the recipient's public key, so only the holder of the matching private key can recover it and read the body


XML Encryption

• <EncryptedKey> -- Symmetric key information
– <EncryptionMethod> -- Algorithm used to encrypt the symmetric key
– <KeyInfo> -- Identifies the key that encrypted it
• <SecurityTokenReference>
– <KeyIdentifier>
– <CipherData>
• <CipherValue> -- The encrypted symmetric key
– <ReferenceList> -- Reference to the encrypted text

Encryption Request Example

Encryption Response Example
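The Confidentiality process (encrypt <body> with a symmetric key, then encrypt that key with the recipient's public key) and the elements listed above, as an added Go example (not code from the presentation or from WebSphere): the body is sealed with a fresh AES-256-GCM key, the key is wrapped with RSA-OAEP under the recipient's public key, and the recipient reverses both steps. The EncryptedBody struct, the method identifiers and the sample body are this example's assumptions. XML Encryption as specified in 2002 used AES or 3DES in CBC mode, which gives no integrity on its own; a padding-oracle attack on XML Encryption's CBC mode was published in 2011, which is why this example uses an authenticated mode and refuses any algorithm named in the message that it does not expect.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
)

// Method identifiers this example accepts (assumed names, not the spec's URIs).
const keyMethod, dataMethod = "rsa-oaep-sha256", "aes256-gcm"

var b64 = base64.StdEncoding

// EncryptedBody carries what the slide's elements carry: the wrapped symmetric
// key (<CipherValue> under <EncryptedKey>) and the ciphertext <ReferenceList> points to.
type EncryptedBody struct {
	KeyEncryptionMethod  string
	EncryptedKey         string // base64 RSA-OAEP wrapping of the AES key
	DataEncryptionMethod string
	Nonce                string // base64 GCM nonce (the IV)
	CipherValue          string // base64 ciphertext plus GCM tag of the body
}

// newRecipientKey generates the service's RSA key pair.
func newRecipientKey() *rsa.PrivateKey {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return priv
}

// aeadFor builds the AES-GCM instance for a 32-byte key.
func aeadFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptBody follows the slide's process: encrypt <body> with a fresh
// symmetric key, then encrypt that key with the recipient's public key.
func EncryptBody(recipient *rsa.PublicKey, body []byte) (EncryptedBody, error) {
	key := make([]byte, 32) // AES-256, fresh for every message
	if _, err := rand.Read(key); err != nil {
		return EncryptedBody{}, err
	}
	gcm, err := aeadFor(key)
	if err != nil {
		return EncryptedBody{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return EncryptedBody{}, err
	}
	// The method identifier is associated data: sent in the clear, covered by the tag.
	ct := gcm.Seal(nil, nonce, body, []byte(dataMethod))
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, key, nil)
	if err != nil {
		return EncryptedBody{}, err
	}
	return EncryptedBody{keyMethod, b64.EncodeToString(wrapped), dataMethod,
		b64.EncodeToString(nonce), b64.EncodeToString(ct)}, nil
}

// DecryptBody unwraps the key with the recipient's private key and opens the
// body; any change to the ciphertext, nonce or method fails the GCM tag.
func DecryptBody(priv *rsa.PrivateKey, e EncryptedBody) ([]byte, error) {
	// The message does not get to choose the algorithms.
	if e.KeyEncryptionMethod != keyMethod || e.DataEncryptionMethod != dataMethod {
		return nil, errors.New("unsupported encryption method")
	}
	wrapped, err1 := b64.DecodeString(e.EncryptedKey)
	nonce, err2 := b64.DecodeString(e.Nonce)
	ct, err3 := b64.DecodeString(e.CipherValue)
	if err1 != nil || err2 != nil || err3 != nil {
		return nil, errors.New("malformed base64 in message")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := aeadFor(key)
	if err != nil {
		return nil, err
	}
	if len(nonce) != gcm.NonceSize() { // Open panics on a wrong-length nonce
		return nil, errors.New("bad nonce length")
	}
	return gcm.Open(nil, nonce, ct, []byte(dataMethod))
}

func main() {
	recipient := newRecipientKey()
	// Constructed sample body for the loan-service scenario.
	body := []byte(`<soapenv:Body><requestQuote><amount>25000</amount></requestQuote></soapenv:Body>`)
	enc, err := EncryptBody(&recipient.PublicKey, body)
	if err != nil {
		panic(err)
	}
	plain, err := DecryptBody(recipient, enc)
	fmt.Printf("decrypted: %s (err=%v)\n", plain, err)
}
```

Everything the recipient needs to reject a bad message comes before any plaintext is touched: the method names are compared against fixed values, the nonce length is checked so the AEAD cannot panic on attacker input, and the GCM tag covers the ciphertext together with the method identifier. With the original CBC construction the slide's stack would have needed a signature over the ciphertext to get the same guarantee.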


Other XML Encryption Options

• Encrypt the entire message
• Encrypt attachments
• Encrypt any element
• Encrypt an already-encrypted element


Basic Authentication Example

Goal
• Identify the user

Process
• Provide the user name
• Provide the user password (not encrypted): the password travels in clear text inside the message, so the transport must be protected (e.g. HTTPS) or anyone on the path can read it


Basic Authentication

• <UsernameToken>
– <Username>
– <Password>

Basic Authentication Request Example

Basic Authentication Response Example


Security Tokens

Security Tokens used to Authenticate
• Basic Authentication
– Login/Password
• Digital Signature
– Public Key/Private Key
• ID Assertion
– Single Sign-On
• LTPA – Lightweight Third Party Authentication
– Single Sign-On
– Forwardable Credentials


Assertions


LTPA


Hash Message Authentication Code (HMAC)

    <wsse:UsernameToken wsu:Id="LoanCenterUsernameToken">
      <wsse:Username>CompetitiveLoanService</wsse:Username>
      <wsse:Nonce>WS3Lhf6RpK...</wsse:Nonce>
      <wsu:Created>2003-06-12T09:00:00Z</wsu:Created>
    </wsse:UsernameToken>

The Nonce (a fresh random value) and Created (a timestamp) make every token unique, so a captured token cannot simply be sent again: the service rejects nonces it has already seen and Created values outside its freshness window.
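One way the Nonce and Created fields are used, as an added Go example (not code from the presentation, from WebSphere, or from the WS-Security UsernameToken Profile): the client keys HMAC-SHA256 with a secret it shares with the service and MACs the Username, Nonce, Created and the message body; the service checks Created against a freshness window, verifies the MAC, and rejects any nonce it has seen inside that window. The shared secret, the length-prefixed MAC layout, the five-minute window and the sample body are this example's assumptions; the UsernameToken Profile defines its own password-digest construction, which this code does not reproduce.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// UsernameToken holds the slide's three fields plus the MAC that binds them
// to the message body.
type UsernameToken struct {
	Username string
	Nonce    string // base64, fresh random value for every message
	Created  string // UTC timestamp in the slide's format, e.g. 2003-06-12T09:00:00Z
	MAC      string // base64 HMAC-SHA256 over Username, Nonce, Created and body
}

// macOf keys HMAC-SHA256 with the shared secret and length-prefixes every
// field, so bytes cannot be moved between fields without changing the MAC.
func macOf(secret []byte, username, nonce, created string, body []byte) []byte {
	m := hmac.New(sha256.New, secret)
	for _, f := range [][]byte{[]byte(username), []byte(nonce), []byte(created), body} {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(f)))
		m.Write(n[:])
		m.Write(f)
	}
	return m.Sum(nil)
}

// NewUsernameToken is the client side: fresh nonce, current time, MAC.
func NewUsernameToken(username string, secret []byte, now time.Time, body []byte) (UsernameToken, error) {
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return UsernameToken{}, err
	}
	nonce := base64.StdEncoding.EncodeToString(raw)
	created := now.UTC().Format(time.RFC3339)
	mac := macOf(secret, username, nonce, created, body)
	return UsernameToken{username, nonce, created, base64.StdEncoding.EncodeToString(mac)}, nil
}

// Verifier is the service side: one secret per user, a freshness window for
// Created, and the nonces seen inside that window.
type Verifier struct {
	Secrets map[string][]byte
	Window  time.Duration
	seen    map[string]time.Time
}

// Verify checks, in order: known user, Created inside the window, MAC valid,
// nonce not yet used. A token that fails the MAC never reaches the nonce
// cache, so unauthenticated traffic cannot fill it.
func (v *Verifier) Verify(tok UsernameToken, body []byte, now time.Time) error {
	secret, ok := v.Secrets[tok.Username]
	if !ok {
		return errors.New("unknown user")
	}
	created, err := time.Parse(time.RFC3339, tok.Created)
	if err != nil {
		return errors.New("malformed Created")
	}
	if age := now.Sub(created); age > v.Window || age < -v.Window {
		return errors.New("Created outside freshness window")
	}
	got, err := base64.StdEncoding.DecodeString(tok.MAC)
	if err != nil || !hmac.Equal(got, macOf(secret, tok.Username, tok.Nonce, tok.Created, body)) {
		return errors.New("MAC mismatch: token or body altered, or wrong secret")
	}
	if v.seen == nil {
		v.seen = map[string]time.Time{}
	}
	for n, c := range v.seen { // forget nonces whose Created has aged out
		if now.Sub(c) > v.Window {
			delete(v.seen, n)
		}
	}
	if _, dup := v.seen[tok.Nonce]; dup {
		return errors.New("replay: nonce already used")
	}
	v.seen[tok.Nonce] = created
	return nil
}

func main() {
	secret := []byte("constructed-shared-secret") // stands in for a provisioned key
	v := &Verifier{Secrets: map[string][]byte{"CompetitiveLoanService": secret}, Window: 5 * time.Minute}
	body := []byte(`<soapenv:Body><requestQuote/></soapenv:Body>`) // constructed sample
	tok, err := NewUsernameToken("CompetitiveLoanService", secret, time.Now(), body)
	if err != nil {
		panic(err)
	}
	fmt.Println("first use:", v.Verify(tok, body, time.Now()))
	fmt.Println("replay:   ", v.Verify(tok, body, time.Now()))
}
```

The two mechanisms only work together: a freshness check without a nonce cache still allows replay inside the window, and a nonce cache without a freshness check grows without bound and must remember every nonce forever. Keeping only the nonces whose Created is still inside the window bounds the cache, and checking the MAC before touching the cache keeps unauthenticated senders from filling it.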


WebSphere Implementation

Wizard support for:
• XML Encryption
• XML Digital Signatures
(One or the other, not both, for the <body> of the message)

Without the wizard:
• Security Tokens
– Basic Authentication
– Digital Signatures
– Assertions
– LTPA
• Multiple encryptions on any part of the message
• Multiple digital signatures on any part of the message


Summary

• Web Service Architecture
• SOAP
• Implementing Security Services
– Integrity: XML Digital Signature
– Confidentiality: XML Encryption
– Authentication: Security Tokens


References

• XML Signature WG (specification), http://www.w3.org/Signature/
• XML Encryption WG (specification), http://www.w3.org/Encryption/2001/
• OASIS Security Services (SAML) TC, http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security
• OASIS eXtensible Access Control Markup Language (XACML) TC, http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml
• SOAP Tutorial, http://www.w3schools.com/soap
• Specification: Web Services Security (WS-Security), http://www-106.ibm.com/developerworks/webservices/library/ws-secure/