Your SlideShare is downloading. ×
04_Cryptography.ppt
04_Cryptography.ppt
04_Cryptography.ppt
04_Cryptography.ppt
04_Cryptography.ppt
04_Cryptography.ppt
04_Cryptography.ppt
04_Cryptography.ppt
04_Cryptography.ppt
04_Cryptography.ppt
04_Cryptography.ppt
04_Cryptography.ppt
04_Cryptography.ppt
04_Cryptography.ppt
04_Cryptography.ppt
04_Cryptography.ppt
04_Cryptography.ppt
04_Cryptography.ppt
04_Cryptography.ppt
04_Cryptography.ppt
04_Cryptography.ppt
04_Cryptography.ppt
04_Cryptography.ppt
04_Cryptography.ppt
04_Cryptography.ppt
04_Cryptography.ppt
04_Cryptography.ppt
04_Cryptography.ppt
04_Cryptography.ppt
04_Cryptography.ppt
04_Cryptography.ppt
04_Cryptography.ppt
04_Cryptography.ppt
04_Cryptography.ppt
04_Cryptography.ppt
04_Cryptography.ppt
04_Cryptography.ppt
04_Cryptography.ppt
04_Cryptography.ppt
04_Cryptography.ppt
04_Cryptography.ppt
04_Cryptography.ppt
04_Cryptography.ppt
04_Cryptography.ppt
04_Cryptography.ppt
04_Cryptography.ppt
04_Cryptography.ppt
04_Cryptography.ppt
04_Cryptography.ppt
04_Cryptography.ppt
04_Cryptography.ppt
04_Cryptography.ppt
04_Cryptography.ppt
04_Cryptography.ppt
04_Cryptography.ppt
04_Cryptography.ppt
04_Cryptography.ppt
04_Cryptography.ppt
04_Cryptography.ppt
04_Cryptography.ppt
04_Cryptography.ppt
04_Cryptography.ppt
04_Cryptography.ppt
04_Cryptography.ppt
04_Cryptography.ppt
04_Cryptography.ppt
04_Cryptography.ppt
04_Cryptography.ppt
04_Cryptography.ppt
04_Cryptography.ppt
04_Cryptography.ppt
04_Cryptography.ppt
04_Cryptography.ppt
04_Cryptography.ppt
04_Cryptography.ppt
04_Cryptography.ppt
04_Cryptography.ppt
04_Cryptography.ppt
04_Cryptography.ppt
04_Cryptography.ppt
04_Cryptography.ppt
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

04_Cryptography.ppt

1,279

Published on

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
1,279
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
72
Comments
0
Likes
0
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. Service Oriented Architecture Lecture 4 Web Service Security, XML Signature and XML Encryption Mike McCarthy Notes adapted from “Web Services Security”, Bilal Siddiqui
  • 2. Web Services & Cryptography
    • Bob and Alice – Want to exchange SOAP messages.
    • Eve is always watching.
    • Mallory is always trying to cause trouble.
  • 3. What’s going on?
    • Web Services Security (WSS) specification from OASIS
    • Message confidentiality
    • Message identification (Who are you?)
    • Message authentication (Can you prove it?)
    • Authorization (What are you allowed to do?)
    • End-to-end (not just point-to-point)
  • 4. The WS Cryptography Stack XML Web Services Security SAML (Security Assertion ML),XKMS (XML Key Management Specification), XACML (eXtensible Access Control Markup Language) XMLDSIG (W3C) XMLENC (W3C) .NET Crypto API’s Java Security API’s
  • 5. Tools Becoming common
    • Apache’s WSS4J (Web Services Security)
    • Java’s JCE and JCA
    • C# Crypto API’s
    • Active Endpoints supports security if you purchase their product
    • IBM’s WebSphere
    • Microsoft, Oracle…
  • 6. The Need For Web Services
    • Application integration within the enterprise
    • Application integration across enterprise boundaries
    • customers
    • partners
    • suppliers
  • 7. A Tourism Supply Chain Tourists Tour Operator Car Rental Hotel Hotel Car Rental Hotel RoomRentInfoForAll() RoomRentInfoForPartnersOnly() Without WSS - coarse-grained protection provided by firewalls - SSL provides point-to-point encryption and authentication With WSS - fine grained security decisions Anyone may call Restricted callers
  • 8. Service Oriented Architecture Hotel RoomRentInfoForAll() RoomRentInfoForPartnersOnly() SOAP Server SOAP over HTTP
  • 9. Listing 1 SOAP Request POST /Vendors HTTP/1.1 Host: www.myHotel.com Content-Type: text/xml;Charset=utf-8 Content-Length: 350 SOAPACtion:&quot;&quot; <?xml version='1.0'?>    <SOAP-ENV:Envelope       xmlns:SOAP-ENV='http://schemas.xmlsoap.org/soap/envelope/' >       <SOAP-Env:Body>          <s:GetSpecialDiscountedBookingForPartners             xmlns:s='http://www.MyHotel.com/partnerservice/' >          <!--Parameters passed with the method call-->          </s:GetSpecialDiscountedBookingForPartners>       </SOAP-Env:Body> </SOAP-Env:Envelope>
  • 10. Listing 2 SOAP Response HTTP/1.0 200 OK Content-Type: text/xml; charset=utf-8 Content-Length: 1474 <?xml version=&quot;1.0&quot;> <SOAP-ENV:Envelope    xmlns:SOAP-ENV='http://schemas.xmlsoap.org/soap/envelope/' >    <SOAP-ENV:Body>       <m:GetSpecialDiscountedBookingForPartnersResponse          xmlns:m=&quot;http://www.MyHotel.com/partnerservice/&quot; >            <!-- Booking confirmation details-->       </m:GetSpecialDiscountedBookingForPartnersResponse>    </SOAP-ENV:Body> </SOAP-ENV:Envelope>
  • 11. 1 st Generation Web Services SOAP Client SOAP Server Hotel Class RDBMS
  • 12. 2 ND Generation Web Services SOAP Server Hotel Class RDBMS SOAP Client SOAP Server Tour Planning Class
  • 13. 3 RD Generation Web Services SOAP Server Hotel Class RDBMS SOAP Client SOAP Server Tour Planning Class SOAP Server Plane Class RDBMS SOAP Server Tour Planning Class WS-Transaction/WS-Security
  • 14. WS Security SOAP Client SOAP Server Hotel Class RDBMS
    • SOAP Server (SOAP Aware Firewall)
    • inspect SOAP message
    • match user roles with access lists
    • XML Signature (not SOAP specific)
    • XML Encryption (not SOAP specific)
    • WSS (SOAP specific use of XMLEnc and XMLDsig)
    • Security Access Markup Language (SAML) for
    • single sign on replacing HTTP cookies
    • XACML (extensible Access Control Markup Language)
    • to express authorization and access policies
  • 15. XML Signature An IETF/W3C Recommendation
  • 16. XML Digital Signatures
    • First, some fundamental ideas:
    • Message Digest
    • -message m + digest algorithm da ->
    • hash value h = h da (m)
    • -impossible to go from h(m) back to m
    • -very hard to find m’ so that h da (m’) =
    • h(m)
    • Alice transmits (da,m,h(m)) triple.
    • Very useful for checking if errors occurred during transmission
  • 17. XML Digital Signatures
    • Problem:
    • Mallory might replace the message, hash value pair with her own message, hash value pair. She has access to
    • digest algorithms just like everyone else. Bob checks the arriving triple and everything looks great. No errors during transmission?
  • 18. XML Digital Signatures
    • Solution: Get a secret key involved in the calculation
    • of the hash.
    • Given a message m, compute a hash of m. h = h da (m).
    • Alice encrypts the hash with a private
    • key. E = E priv (h).
    • Alice Transmit (da,m,E).
    • Mallory doesn’t know the private key.
    • Bob verifies by decrypting E using the secret key
    • (which he shares with Alice). He now has h which he
    • compares with his own hash of m using the same
    • digest algorithm. If they are equal he has good reason to
    • believe that m was from Alice and that it has not been
    • manipulated by Mallory.
  • 19. What Are XML Signatures?
    • XML Signatures are digital signatures used in XML transactions
    • May be used to sign only a portion of an XML document. The document might have a long history with different parts holding different signatures
    • The signature may apply to XML or non-XML data
  • 20. Referencing What is Signed
    • An XML Signature can be used to sign a message outside of the document itself.
    • Or, it can be used to sign parts of the document itself.
  • 21. XMLDsig General Form The Components of an XML Signature                                                                                                                  
  • 22. The <Reference> Element
    • Each signed resource is specified with a <Reference> element
    • A typical <Reference> element will contain
    • - a pointer to what is signed
    • - a digest method (for example
    • SHA1)
    • - and a digest value of the message
    • in base 64 notation
  • 23. The <Reference> Element
    • <Reference URI =“ http://.../ po.xml ”>
    • <DigestMethod>….</DigestMethod>
    • <DigestValue> calculated digest of
    • po.xml
    • </DigestValue>
    • </Reference>
    This is the location of the document being signed.
  • 24. We may have many references
    • <Reference>
    • pointer, digest method, digest value
    • </Reference>
    • :
    • <Reference>
    • pointer, digest method, digest value
    • </Reference>
  • 25. Place Within a SignedInfo Element
    • <SignedInfo>
    • <CanonicalizationMethod> algorithm used on
    • SignedInfo
    • element
    • <SignatureMethod> for example dsa-sha1
    • <Reference>
    • pointer, digest method, digest value
    • </Reference>
    • <Reference>
    • pointer, digest method, digest value
    • </Reference>
    • </SignedInfo>
  • 26. Compute Digest of SignedInfo
    • <SignedInfo>
    • <CanonicalizationMethod> algorithm used on
    • SignedInfo element
    • <SignatureMethod> for example dsa-sha1
    • <Reference>
    • pointer, digest method, digest value
    • </Reference>
    • <Reference>
    • pointer, digest method, digest value
    • </Reference>
    • </SignedInfo>
  • 27. Sign the digest and place value in a SignatureValue element…
    • <SignedInfo>
    • <CanonicalizationMethod> algorithm used on SignedInfo
    • element
    • <SignatureMethod> for example dsa-sha1
    • <Reference>
    • pointer, digest method, digest value
    • </Reference>
    • <Reference>
    • pointer, digest method, digest value
    • </Reference>
    • </SignedInfo>
    • <SignatureValue>Base 64 signature of the SignedInfo Element m.
    • E priv (h da (m))
    • </SignatureValue>
  • 28. Enclose in a Signature Element
    • <SignedInfo>
    • <CanonicalizationMethod> algorithm used on SignedInfo
    • element
    • <SignatureMethod> for example dsa-sha1
    • <Reference>
    • pointer, method, digest value
    • </Reference>
    • <Reference>
    • pointer, method, digest value
    • </Reference>
    • </SignedInfo>
    • <SignatureValue>Signature in Base 64
    • </SignatureValue>
    <Signature> </Signature>
  • 29. We may include KeyInfo
    • <SignedInfo>
    • <Canonicalization>
    • <SignatureMethod>
    • <Reference>…
    • <Reference>…
    • </SignedInfo>
    • <SignatureValue>Base 64 signature of the SignedInfo Element
    • </SignatureValue>
    • <KeyInfo>
    • <X509Data>
    • <X509SubjectName>CN=Cristina McCarthy, O=CMU,…
    • <X509Certificate> base 64 public key and identity signed by a CA
    • </X509Certificate>
    • </X509Data>
    • </KeyInfo>
    <Signature> </Signature>
  • 30. What Can Mallory Do?
    • Can she modify the CA signed certificate so that someone else appears to have signed the document?
    • Can she modify what is being pointed by the reference element?
    • Can she change the canonicalization method?
    • Can she change the contents of the signature method tag?
  • 31. Verification
    • 1. Canonicalize the SignedInfo element.
    • 2. Compute the digest of the SignedInfo
    • element using the method described within it
    • 3. Compare the above value with that value
    • got from applying the shred secret (or signer’s public key) to the value in the SignatureValue element
    • 4. Compute digests of referenced items (after any
    • transformations) and compare those digests
    • found within each reference tag
  • 32. XML Security Tools Abound
  • 33. Sign a grade book
    • Gradebook.xml
    • <?xml version=&quot;1.0&quot; encoding=&quot;UTF-8&quot;?>
    • <GradeBook>
    • <Student>
    • <Score>100</Score>
    • <Score>89</Score>
    • </Student>
    • </GradeBook>
  • 34. We need keys…
    • D:..95-804IBMXMLSecuritySuiteSampleSign2>
    • keytool -genkey -keyalg RSA -keystore test.keystore
    • -dname &quot;CN=Mike McCarthy, OU=Heinz School,
    • O=CMU, L=Pgh, S=PA, C=US&quot; -alias mjm
    • -storepass sesame -keypass sesame
    Creates test.keystore holding keys and a self-signed certificate
  • 35. Run XSS4J’s SampleSign2
    • D:...95-804IBMXMLSecuritySuite
    • SampleSign2>java SampleSign2 mjm
    • sesame sesame
    • -embxml gradebook.xml > signature.xml
    • Key store: test.keystore
    • Sign: 851ms
  • 36. Examine Signature.xml
    • <Signature xmlns=&quot;http://www.w3.org/2000/09/xmldsig#&quot;>
    • <SignedInfo>
    • <CanonicalizationMethod Algorithm=&quot;http://www.w3.org/TR/2001/REC-xml-c14n-20010315&quot;></CanonicalizationMethod>
    • <SignatureMethod Algorithm=&quot;http://www.w3.org/2000/09/xmldsig#rsa-sha1&quot;></SignatureMethod>
  • 37.
    • <Reference URI=&quot;#Res0&quot;>
    • <Transforms>
    • <Transform Algorithm=
    • &quot;http://www.w3.org/TR/2001/REC-xml-
    • c14n-20010315&quot;>
    • </Transform>
    • </Transforms>
    • <DigestMethod Algorithm=&quot;http://www.w3.org/2000/09/xmldsig#sha1&quot;>
    • </DigestMethod>
    • <DigestValue>m6f9xhOc4iEXokD/29V9EsdY3yI=
    • </DigestValue>
    • </Reference>
    We are signing resource 0 Transforms Prior to hashing
  • 38.
    • </SignedInfo>
    • <SignatureValue>
    • Gll1H/uplOwfaX3j7ST6UqQlc92Hx2nsCdN2KWz32CW0D4hH64n32v/InkGux1dYgTya6S4s55iHqZEjDpH2I359H4PAxBYYXJj4LUBNxAFxUcDy6xrEUbLnKeutT5pf1DBSmxg9Cp3PO5Rs36nVN8GVfnFl1M86WQd19/RsAnA=
    • </SignatureValue>
  • 39.
    • <KeyInfo>
    • <KeyValue>
    • <RSAKeyValue>
    • <Modulus>
    • 7V5eyhVaw0clED11H6PTPoKQA1VxrLAugU3QxKA0hbbUOiavFbqCdc6Z+Fe9JZFMkS
    • Iqdl+khwWwd+AIsRyrN4V2DWm1f+xyYQf6bdZgCaVVgkST1BpQxBTgNKRcS5VbLrXf
    • 4MXb5TbhA+eo1Qbr2IjlV10aLbVhUk/g+ylag+k=
    • </Modulus>
    • <Exponent>AQAB</Exponent>
    • </RSAKeyValue>
    • </KeyValue>
  • 40.
    • <X509Data>
    • <X509IssuerSerial>
    • <X509IssuerName>CN=Mike
    • McCarthy,OU=Heinz
    • School,O=CMU,L=Pgh,ST=PA,C=US
    • </X509IssuerName>
    • <X509SerialNumber>1049138061
    • </X509SerialNumber>
    • </X509IssuerSerial>
    • <X509SubjectName>CN=Mike McCarthy,OU=Heinz
    • School,O=CMU,L=Pgh,ST=PA,C=US
    • </X509SubjectName>
    • <X509Certificate>
  • 41.
    • MIICPDCCAaUCBD6Ik40wDQYJKoZIhvcNAQEEBQAwZTELMAkGA
    • UEBhMCVVMxCzAJBgNVBAgTAlBBMQwwCgYDVQQHEwNQZ2gx
    • DAKBgNVBAoTA0NNVTEVMBMGA1UECxMMSGVpbnogU2Nob29s
    • RYwFAYDVQQDEw1NaWtlIE1jQ2FydGh5MB4XDTAzMDMzMTE5M
    • QyMVoXDTAzMDYyOTE5MTQyMVowZTELMAkGA1UEBhMCVVMx
    • zAJBgNVBAgTAlBBMQwwCgYDVQQHEwNQZ2gxDDAKBgNVBAoT
    • 0NNVTEVMBMGA1UECxMMSGVpbnogU2Nob29sMRYwFAYDVQQ
    • Ew1NaWtlIE1jQ2FydGh5MIGfMA0GCSqGSIb3DQEBAQUA
    • A4GNADCBiQKBgQDtXl7KFVrDRyUQPXUfo9M+gpADVXGssC6BT
    • DEoDSFttQ6Jq8VuoJ1zpn4V70lkUyRIip2X6SHBbB34AixHKs3hXYN
    • bV/7HJhB/pt1mAJpVWCRJPUGlDEFOA0pFxLlVsutd/gxdvl
    • NuED56jVBuvYiOVXXRottWFST+D7KVqD6QIDAQABMA0GCSqG
    • 3DQEBBAUAA4GBAMpUaA8Cw8mKQn408KuV4xrTciEEcTLNniDGn
    • 8d9W1fR4veqhKz8L8+886+4bNS5Wih+1oEC5k/da23QicpTdXfUyA1c
    • 9Zu3cGU4ulUfhFPWv0IgdpI63KQt9QwsuTxWck5dAta2+KWWTv85I
    • ByHXgoaDlvJ65JjT87nAPAI3
  • 42.
    • </X509Certificate>
    • </X509Data>
    • </KeyInfo>
    • <dsig:Object xmlns=&quot;&quot;
    • xmlns:dsig=&quot;http://www.w3.org/2000/09/xmldsig#&quot;
    • Id=&quot;Res0&quot;>
    • <GradeBook>
    • <Student>
    • <Score>100</Score>
    • <Score>89</Score>
    • </Student>
    • </GradeBook>
    • </dsig:Object>
    • </Signature>
    The resource 0 object
  • 43. Let’s change the low grade!
    • <dsig:Object xmlns=&quot;&quot; xmlns:dsig=&quot;http://www.w3.org/2000/09/xmldsig#&quot; Id=&quot;Res0&quot;>
    • <GradeBook>
    • <Student>
    • <Score>100</Score>
    • <Score> 100 </Score>
    • </Student>
    • </GradeBook></dsig:Object>
  • 44. And run verify…
    • D:McCarthywww95-804IBMXMLSecuritySuiteSampleSign2>java VerifyCUI < signature.xml
    • The signature has a KeyValue element.
    • The signature has one or more X509Data elements.
    • Checks an X509Data:
    • 1 certificate(s).
  • 45. Certificate Information: Version: 1 Validity: OK SubjectDN: CN=Mike McCarthy, OU=Heinz School, O=CMU, L=Pgh, ST=PA, C=US IssuerDN: CN=Mike McCarthy, OU=Heinz School, O=CMU, L=Pgh, ST=PA, C=US Serial#: 0x3e88938d Time to verify: 521 [msec] Core Validity: NG Signature Validity: OK [0] &quot;#Res0&quot; NG: Digest value mismatch: calculated: tfVyHns8wRB6l/HDU2dXZkzf+7Q= Exception in thread &quot;main&quot; java.lang.RuntimeException: Core Validity: NG at dsig.VerifyCUI.main(VerifyCUI.java:137)
  • 46. Another Example PO.XML
    • <?xml version=&quot;1.0&quot; encoding=&quot;UTF-8&quot;?>
    • <PurchaseOrder xmlns=&quot;urn:purchase-order&quot;>
    • <Customer>
    • <Name>Robert Smith</Name>
    • <CustomerId>788335</CustomerId>
    • </Customer>
    • <Item partNum=&quot;C763&quot;>
    • <ProductId>6883-JF3</ProductId>
    • <Quantity>3</Quantity>
    • <ShipDate>2002-09-03</ShipDate>
    • <Name>ThinkPad X20</Name>
    • </Item>
    • </PurchaseOrder>
  • 47. PO After Signing
    • <?xml version='1.0' encoding='UTF-8'?>
    • <SignedPurchaseOrder>
    • <PurchaseOrder id=&quot;id0&quot; xmlns=&quot;urn:purchase-order&quot;>
    • <Customer>
    • <Name>Robert Smith</Name>
    • <CustomerId>788335</CustomerId>
    • </Customer>
    • <Item partNum=&quot;C763&quot;>
    • <ProductId>6883-JF3</ProductId>
    • <Quantity>3</Quantity>
    • <ShipDate>2002-09-03</ShipDate>
    • <Name>ThinkPad X20</Name>
    • </Item>
    • </PurchaseOrder>
  • 48.
    • <Signature xmlns=&quot;http://www.w3.org/2000/09/xmldsig#&quot;>
    • <SignedInfo>
    • <CanonicalizationMethod Algorithm=&quot;http://www.w3.org/TR/2001/REC-xml-c14n-20010315&quot;/>
    • <SignatureMethod Algorithm=&quot;http://www.w3.org/2000/09/xmldsig#rsa-sha1&quot;/>
    • <Reference URI=&quot;#id0&quot;>
    • <DigestMethod Algorithm=&quot;http://www.w3.org/2000/09/xmldsig#sha1&quot;/>
    • <DigestValue>UfeiscUCL7QkhZtRDLWDPWLpVlA=</DigestValue>
    • </Reference>
    • </SignedInfo>
  • 49.
    • <SignatureValue>
    • Ptysg8WdHI2mxwryOOt5I9r9qZm/2gNFNOJyH1Wak4nCUegRpe72tWnsigAKZyopmgUSH3TG
    • aGGQF1BTSvk3JUUY/ljrw+5FpTpf3hgZBi7GSWf6WtXqZvMYGUKIlvR/421MZg7P9XRUyy37
    • ZUzQHtmCYkBorEkEx1J4CYB0G2c=
    • </SignatureValue>
  • 50.
    • <KeyInfo>
    • <X509Data>
    • <X509Certificate>
    • MIIDGjCCAoOgAwIBAgICAQAwDQYJKoZIhvcNAQEFBQAwXzELMAkGA1UEBhMCSlAxETAPBgNVBAgT
    • CEthbmFnYXdhMQ8wDQYDVQQHEwZZYW1hdG8xDDAKBgNVBAoTA0lCTTEMMAoGA1UECxMDVFJMMRAw
    • DgYDVQQDEwdUZXN0IENBMB4XDTAxMTAwMTA3MTYxMFoXDTExMTAwMTA3MTYxMFowUDELMAkGA1UE
    • BhMCSlAxETAPBgNVBAgTCEthbmFnYXdhMQwwCgYDVQQKEwNJQk0xDDAKBgNVBAsTA1RSTDESMBAG
    • A1UEAxMJU2lnbmF0dXJlMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCvnFQiPEJnUZnkmzoc
    • MjsseD8ms9HBgasZR0VOAvsby5aajsm9CtB18dDCemDXZ2YjBdprX+epfF4SLNP5ankfphhr9QXA
    • NJdCKpyF3jPoydckle7E7gI9w3Q4NDa4ryVOuIS2qev6jlE7OVPqiXIDVlCH4u6GbIoJEpJ57yzx
    • dQIDAQABo4HzMIHwMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgXgMCwGCWCGSAGG+EIBDQQfFh1PcGVu
    • U1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUYapFv9MvQ9NNn1Q7zgzqka4XORsw
    • gYgGA1UdIwSBgDB+gBR7FuT9bLBj3vVsgAzIeYa4hBUZBaFjpGEwXzELMAkGA1UEBhMCSlAxETAP
    • BgNVBAgTCEthbmFnYXdhMQ8wDQYDVQQHEwZZYW1hdG8xDDAKBgNVBAoTA0lCTTEMMAoGA1UECxMD
    • VFJMMRAwDgYDVQQDEwdUZXN0IENBggEAMA0GCSqGSIb3DQEBBQUAA4GBALFzGDXMzxJvOnCdJCMZ
    • 2NsZdz1+wmoYyejB5J6Ch2ygdPeibMnW/CiYKCTWBhpEgxEqr1BNlgSVqA6nyvjHsVIvgBfwx37D
    • hJ5hz4azpWu1X22XqyU9fUqoQUtEAdM/MlLekBkprkJVb9uJXTFzzvm/3DoEiBkX/BT78YdM8eq0
    • </X509Certificate>
    • </X509Data>
    • </KeyInfo>
    • </Signature>
    • </SignedPurchaseOrder>
  • 51. Web Service Security
    • Describes how XMLDSig is used within the web service framework.
    • SOAP Headers are used to hold the signature
  • 52. SOAP
    • <Envelope>
    • <Header> WS-* specifications
    • : are placed in the
    • header area and will be
    • </Header> handles by intermediaries
    • <Body>
    • : Message payload including
    • fault messages
    • </Body> as well-formed XML.
    • </Envelope>
  • 53. WSS XMLDSig Listing 1
    • <?xml version=”1.0”?> <SOAP-ENV:Envelope     xmlns:
    • SOAP-ENV=”http://schemas.xmlsoap.org/soap/envelope/”>     <SOAP-ENV:Body>         < s:GetSpecialDiscountedBookingForPartners             xmlns:s=“http://www.MyHotel.com/partnerservice/”>                  <!--Parameters passed with the method call-->          </s:GetSpecialDiscountedBookingForPartners>     </SOAP-ENV:Body> </SOAP-ENV:Envelope>
    From “Web Services Security”, Bilal Siddiqui
  • 54. Sign The SOAP Request
    • <?xml version=”1.0”?> <SOAP-ENV:Envelope     xmlns:SOAP-ENV=”http://schemas.xmlsoap.org/soap/envelope/”     xmlns:ds=”http://www.w3.org/2000/09/xmldsig#”>     <SOAP-ENV:Header>         <ds:Signature> <!– wraps all other XMLDS elements               <ds:SignedInfo> <!– note the ds prefix               </ds:SignedInfo> <!– note three children of signedInfo               <ds:SignatureValue>              </ds:SignatureValue>              <ds:KeyInfo>              </ds:KeyInfo>         </ds:Signature>     </SOAP-ENV:Header>     <SOAP-ENV:Body>         <s: GetSpecialDiscountedBookingForPartners             xmlns:s=“http://www.MyHotel.com/partnerservice/”>                  <!--Parameters passed with the method call-->          </s:GetSpecialDiscountedBookingForPartners>     </SOAP-ENV:Body> </SOAP-ENV:Envelope>
  • 55. After Signing (1) <?xml version=”1.0”?> <SOAP-ENV:Envelope     xmlns:SOAP-ENV=”http://schemas.xmlsoap.org/soap/envelope/”     xmlns:ds=”http://www.w3.org/2000/09/xmldsig#”>     <SOAP-ENV:Header>         <ds:Signature>              <ds:SignedInfo>                   <ds:CanonicalizationMethod                       Algorithm=&quot;http://www.w3.org/2001/10/xml-exc-c14n#&quot;/>                   <ds:SignatureMethod                       Algorithm=&quot;http://www.w3.org/2000/09/xmldsig#rsa-sha1&quot;/>                   <ds:Reference URI =&quot;#GetSpecialDiscountedBookingForPartners &quot;>                       <ds:Transforms>                           <ds:Transform                               Algorithm=&quot;http://www.w3.org/2001/10/xml-exc-c14n#&quot;/>                       </ds:Transforms>                      
  • 56. After Signing (2) <ds:DigestMethod                           Algorithm=&quot;http://www.w3.org/2000/09/xmldsig#sha1&quot;/>                       <ds:DigestValue>                           BIUddkjKKo2...                       </ds:DigestValue>                   </ds:Reference>              </ds:SignedInfo>              <ds:SignatureValue>                  halHJghyf765....              </ds:SignatureValue>              <ds:KeyInfo> <!– the key name for signature verification                   <ds:KeyName>MyKeyIdentifier</ds:KeyName>              </ds:KeyInfo> <!– application dependent, perhaps a symmetric key ID          </ds:Signature>     </SOAP-ENV:Header>
  • 57. After Signing (3)      <SOAP-ENV:Body>         <s:GetSpecialDiscountedBookingForPartners             xmlns:s=“http://www.MyHotel.com/partnerservice/”              ID=&quot;GetSpecialDiscountedBookingForPartners &quot;>                  <!--Parameters passed with the method call-->          </s:GetSpecialDiscountedBookingForPartners>     </SOAP-ENV:Body> </SOAP-ENV:Envelope>
  • 58. Validation Procedure
    • (1) Canonicalize the SignedInfo element.
    • (2) Check message integrity. We’ll need
    • a. the data to be digested
    • b. any transforms to perform first
    • c. the digest algorithm
    • (3) If the digests compare equal verify the
    • signature (continued)
  • 59. Validation Procedure
    • (3) If the digests compare equal verify the
    • signature
    • a. get the signer’s key (public key or
    • shared secret) perhaps by consulting
    • the <keyInfo> element.
    • b. read the signature method used to
    • compute the signature
    • c. Attempt to verify and if we have a match call
    • GetSpecialDiscountedBookingForPartners
  • 60. XML Encryption & Web Service Security
  • 61. XML Encryption
    • W3C Recommendation 10 December 2002
    • JSR 105 XMLDSig proposed final draft
    • JSR 106 XMLEnc is in progress
    • JWSDP1.5 supports Web Services Security V1.0
    • .Net supports XMLEnc out of the box
    • Some notes from
    • http://www-106.ibm.com/developerworks/library/x-encrypt/index.html
    • by Bilal Siddiqui
    • And “Secure XML” by Eastlake and Niles Addison Wesley
  • 62. General Form 1
    • <EncryptedData>
    • <CipherData>
    • <CipherValue>
    • cipher text in Base 64
    • </CipherValue>
    • </CipherData>
    • </EncryptedData>
  • 63. General Form 2
    • <EncryptedData>
    • <CipherData>
    • <CipherReference>
    • pointer (URL) to cipher
    • text
    • </CipherReference>
    • </CipherData>
    • </EncryptedData>
  • 64.
    • Replaces the encrypted element or
    • Serves as the new document root
    • May contain a KeyInfo element that describes the key needed for decryption (borrowed from XML Digital Signature) or
    • signature verification
    EncryptedData is the core element
  • 65. General Example (1)
    • <MedInfo>
    • <ID>
    • <Name>
    • <Address>
    • </ID>
    • <Medical>…</Medical>
    • <Financial>…</Financial>
    • </MedInfo>
  • 66. General Example (2)
    • <MedInfo>
    • <ID>….</ID>
    • <EncryptedData>
    • <KeyInfo>
    • <KeyName>Medical
    • </KeyInfo>
    • <CipherData>
    • <CipherValue> cipher text
    • </EncryptedData>
  • 67. General Example (3)
    • <Financial>
    • <EncryptedData>
    • <KeyInfo>
    • <KeyName>Pay
    • </KeyInfo>
    • <CipherData>
    • <CipherValue> cipher text
    • </EncryptedData>
    • </Finacial>
    • </MedInfo>
  • 68. Detailed Example (Listing 1)
    • <purchaseOrder>
    • <Order>
    • <Item>book</Item>
    • <Id>123-958-74598</Id>
    • <Quantity>12</Quantity>
    • </Order>
    • <Payment>
    • <CardId>123654-8988889-9996874</CardId>
    • <CardName>visa</CardName>
    • <ValidDate>12-10-2004</ValidDate>
    • </Payment>
    • </purchaseOrder>
  • 69. Encrypting the Entire File (Listing 2)
    • <?xml version='1.0' ?>
    • <EncryptedData xmlns='http://www.w3.org/2001/04/xmlenc#' Type= 'http://www.isi.edu/in-notes/iana/assignments/media-types/text/xml'>
    • <CipherData>
    • <CipherValue>bd347ba…</CipherValue>
    • </CipherData>
    • </EncryptedData>
    IANA = Internet Assigned Numbers Authority a function of The Internet Corporation for Assigned Names and Numbers
  • 70. Encrypting The Payment (Listing 3)
    • <?xml version='1.0' ?>
    • <PurchaseOrder>
    • <Order>
    • <Item>book</Item>
    • <Id>123-958-74598</Id>
    • <Quantity>12</Quantity>
    • </Order>
    • <EncryptedData
    • Type='http://www.w3.org/2001/04/xmlenc #Element '
    • xmlns='http://www.w3.org/2001/04/xmlenc#'>
    • <CipherData>
    • <CipherValue>A23B45C564587…</CipherValue>
    • </CipherData>
    • </EncryptedData>
    • </PurchaseOrder>
    One element
  • 71. Encrypting Only the CardId (Listing 4)
    • <?xml version='1.0' ?>
    • <PurchaseOrder>
    • <Order>
    • <Item>book</Item>
    • <Id>123-958-74598</Id>
    • <Quantity>12</Quantity>
    • </Order>
    • <Payment>
    • <CardId>
    • <EncryptedData
    • Type='http://www.w3.org/2001/04/xmlenc #Content '
    • xmlns='http://www.w3.org/2001/04/xmlenc#'>
    • <CipherData>
    • <CipherValue>A23B45C564587</CipherValue>
    • </CipherData>
    • </EncryptedData>
    • </CardId>
    • <CardName>visa</CardName>
    • <ValidDate>12-10-2004</CardName>
    • </Payment>
    • </PurchaseOrder>
    Element content
  • 72. Encrypting Non-XML Data (Listing 5)
    • <?xml version='1.0' ?>
    • <EncryptedData xmlns='http://www.w3.org/2001/04/xmlen#'
    • Type='http:// www.isi.edu/in-notes/iana/assignments/media-types/jpeg' >
    • <CipherData>
    • <CipherValue>A23B45C56…</CipherValue>
    • </CipherData>
    • </EncryptedData>
  • 73. Web Services Security Using Sun’s Application Server
  • 74. No Security SOAP Going to Service Running the simple.TestClient program.... Service URL=http://localhost:8080/securesimple/Ping About to ping Apr 9, 2005 10:17:52 AM com.sun.xml.wss.filter.DumpFilter process INFO: ==== Sending Message Start ==== <?xml version=&quot;1.0&quot; encoding=&quot;UTF-8&quot;?> <env:Envelope xmlns:env=&quot;http://schemas.xmlsoap.org/soap/envelope/&quot; xmlns:enc=&quot;http://schemas.xmlsoap.org/soap/encoding/&quot; xmlns:ns0=&quot;http://xmlsoap.org/Ping&quot; xmlns:xsd=&quot;http://www.w3.org/2001/XMLSchema&quot; xmlns:xsi=&quot;http://www.w3.org/2001/XMLSchema-instance&quot;> <env:Body> <ns0:Ping> <ns0:ticket>SUNW</ns0:ticket> <ns0:text>Hello!</ns0:text> </ns0:Ping> </env:Body> </env:Envelope>
  • 75. SOAP Response <?xml version=&quot;1.0&quot; encoding=&quot;UTF-8&quot;?> <env:Envelope xmlns:env=&quot;http://schemas.xmlsoap.org/soap/envelope/&quot; xmlns:enc=&quot;http://schemas.xmlsoap.org/soap/encoding/&quot; xmlns:ns0=&quot;http://xmlsoap.org/Ping&quot; xmlns:xsd=&quot;http://www.w3.org/2001/XMLSchema&quot; xmlns:xsi=&quot;http://www.w3.org/2001/XMLSchema-instance&quot;> <env:Body> <ns0:PingResponse> <ns0:text>Hello! Mike!</ns0:text> </ns0:PingResponse> </env:Body> </env:Envelope> Ping complete
  • 76. Configure The Client to Encrypt <xwss:JAXRPCSecurity xmlns:xwss=&quot;http://java.sun.com/xml/ns/xwss/config&quot;> <xwss:Service> <xwss:SecurityConfiguration dumpMessages=&quot;true&quot;> <!-- Since no targets have been specified below, the contents of the soap body would be encrypted by default. --> <xwss:Encrypt> <xwss:X509Token certificateAlias=&quot;s1as&quot;/> </xwss:Encrypt> </xwss:SecurityConfiguration> </xwss:Service> <xwss:SecurityEnvironmentHandler> com.sun.xml.wss.sample.SecurityEnvironmentHandler </xwss:SecurityEnvironmentHandler> </xwss:JAXRPCSecurity>
  • 77. Configure The Server To Require Encryption <xwss:JAXRPCSecurity xmlns:xwss=&quot;http://java.sun.com/xml/ns/xwss/config&quot;> <xwss:Service> <xwss:SecurityConfiguration dumpMessages=&quot;true&quot;> <!-- Encryption requirement. As no target is specified, the contents of the soap body of the request are expected to be encrypted. --> <xwss:RequireEncryption/> </xwss:SecurityConfiguration> </xwss:Service> <xwss:SecurityEnvironmentHandler> com.sun.xml.wss.sample.SecurityEnvironmentHandler </xwss:SecurityEnvironmentHandler> </xwss:JAXRPCSecurity>
  • 78. Encrypted Request <?xml version=&quot;1.0&quot; encoding=&quot;UTF-8&quot;?> <env:Envelope xmlns:env=&quot;http://schemas.xmlsoap.org/soap/envelope/&quot; xmlns:enc=&quot;http://schemas.xmlsoap.org/soap/encoding/&quot; xmlns:ns0=&quot;http://xmlsoap.org/Ping&quot; xmlns:xsd=&quot;http://www.w3.org/2001/XMLSchema&quot; xmlns:xsi=&quot;http://www.w3.org/2001/XMLSchema-instance&quot;> <env:Header> <wsse:Security xmlns:wsse=&quot;http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd&quot; env:mustUnderstand=&quot;1&quot;> <wsse:BinarySecurityToken xmlns:wsu=&quot;http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd&quot; EncodingType=&quot;http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary&quot; ValueType=&quot;http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3&quot; wsu:Id=&quot;Id-6842673312555922560&quot;>MIIDWTCCAsKgAwIBAgIBATANBgkqhki G9w0BAQQFADB0MQswCQYDVQQGEw Large truncation for slides
  • 79. </wsse:BinarySecurityToken> <xenc:EncryptedKey xmlns:xenc=&quot;http://www.w3.org/2001/04/xmlenc#&quot;> <xenc:EncryptionMethod Algorithm=&quot;http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p&quot;/> <ds:KeyInfo xmlns:ds=&quot;http://www.w3.org/2000/09/xmldsig#&quot;> <wsse:SecurityTokenReference> <wsse:Reference URI=&quot;#Id-6842673312555922560&quot; ValueType=&quot;http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3&quot;/> </wsse:SecurityTokenReference> </ds:KeyInfo> <xenc:CipherData> <xenc:CipherValue>KB79tvoF6Bu7JeL2Re6iGG8 BhdhOFcZiNDJrJNe8lV3GE6 Sk+s453IF3GFpmkmQttPhzH1D HKQ+2nFjIWPdyZObK3cVyDf rox7Ysjbfuo4TNwElHvKtnGVNb cQIGWiwyxHIZCjqCdF8LM8E1 gCZgYSaRh3V48VMlOsfZ8RCR Vjw= </xenc:CipherValue> </xenc:CipherData>
  • 80. <xenc:ReferenceList> <xenc:DataReference URI=&quot;#Id7870285788177789579&quot;/> </xenc:ReferenceList> </xenc:EncryptedKey> </wsse:Security> </env:Header> <env:Body> <xenc:EncryptedData xmlns:xenc=&quot;http://www.w3.org/2001/04/xmlenc#&quot; Id=&quot;Id7870285788177789579&quot; Type=&quot;http://www.w3.org/2001/04/xmlenc#Content&quot;> <xenc:EncryptionMethod Algorithm= &quot;http://www.w3.org/2001/04/xmlenc#tripledes-cbc&quot;/> <xenc:CipherData> <xenc:CipherValue> SL1G08+bGFaqEOefJWtBpOipgkvs8i7JWNwoGum5TO EyZkStSKav/lYygoC5/ji11rccnQWNq/Tg1eYX52UTalAS Large truncation for slides </xenc:CipherValue> </xenc:CipherData> </xenc:EncryptedData> </env:Body> </env:Envelope>
  • 81. SOAP Response <?xml version=&quot;1.0&quot; encoding=&quot;UTF-8&quot;?> <env:Envelope xmlns:env= &quot;http://schemas.xmlsoap.org/soap/envelope/&quot; xmlns:enc=&quot;http://schemas.xmlsoap.org/soap/encoding/&quot; xmlns:ns0=&quot;http://xmlsoap.org/Ping&quot; xmlns:xsd=&quot;http://www.w3.org/2001/XMLSchema&quot; xmlns:xsi=&quot;http://www.w3.org/2001/XMLSchema-instance&quot;> <env:Body> <ns0:PingResponse> <ns0:text>Hello! Mike!</ns0:text> </ns0:PingResponse> </env:Body> </env:Envelope>

×