Web Service Security
Transcript

  • 1. Web service security
  • 2. XML Digital Signature (IETF and W3C)
    XML Encryption (W3C)
    SAML (Security Assertion Markup Language) (OASIS)
    WS-Security (Web Services Security) (OASIS)
    WS-SecureConversation
    WS-Federation
    WS-Policy
    WS-Trust
    WS-Privacy
    XACML (Extensible Access Control Markup Language) (OASIS)
    Web service security standards
  • 3. When encrypting an XML element or element content the EncryptedData element replaces the element or content (respectively) in the encrypted version of the XML document
    <EncryptedData Id Type MimeType Encoding>
    <EncryptionMethod/>
    <ds:KeyInfo>
    <EncryptedKey>
    <AgreementMethod>
    <ds:KeyName>
    <ds:RetrievalMethod>
    <ds:*>
    </ds:KeyInfo>
    <CipherData>
    <CipherValue>
    <CipherReference URI>
    </CipherData>
    <EncryptionProperties>
    </EncryptedData>
    XML Encryption
  • 4. <?xml version='1.0'?>
    <PaymentInfo xmlns='http://example.org/paymentv2'>
    <Name>John Smith</Name>
    <CreditCard Limit='5,000' Currency='USD'>
    <Number>4019 2445 0277 5567</Number>
    <Issuer>Example Bank</Issuer>
    <Expiration>04/02</Expiration>
    </CreditCard>
    </PaymentInfo>
    XML Encryption example
    <?xml version='1.0'?>
    <PaymentInfo xmlns='http://example.org/paymentv2'>
    <Name>John Smith</Name>
    <CreditCard Limit='5,000' Currency='USD'>
    <Number>
    <EncryptedData xmlns='http://www.w3.org/2001/04/xmlenc#'
    Type='http://www.w3.org/2001/04/xmlenc#Content'>
    <CipherData>
    <CipherValue>A23B45C56</CipherValue>
    </CipherData>
    </EncryptedData>
    </Number>
    <Issuer>Example Bank</Issuer>
    <Expiration>04/02</Expiration>
    </CreditCard>
    </PaymentInfo>
  • 5. Data integrity, authenticity
    Binds the sender’s identity (or “signing entity”) to an XML document
    Signature verification can be done using asymmetric or symmetric keys
    Ensures non-repudiation of the signing entity
    Proves that messages have not been altered since they were signed
    XML Signature
  • 6. XML digital signatures are represented by the Signature element
    <Signature ID?>
    <SignedInfo>
    <CanonicalizationMethod/>
    <SignatureMethod/>
    (<Reference URI >
    <Transforms>
    <DigestMethod>
    <DigestValue>
    </Reference>)+
    </SignedInfo>
    <SignatureValue>
    <KeyInfo>
    <Object ID>
    </Signature>
    Signature Element
  • 7. Signature Example
    <Signature Id="MyFirstSignature" xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
    <CanonicalizationMethod Algorithm="http://www.w3.org/2006/12/xml-c14n11"/>
    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
    <Reference URI="http://www.w3.org/TR/2000/REC-xhtml1-20000126/">
    <Transforms>
    <Transform Algorithm="http://www.w3.org/2006/12/xml-c14n11"/>
    </Transforms>
    <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <DigestValue>dGhpcyBpcyBub3QgYSBzaWduYXR1cmUK...</DigestValue>
    </Reference>
    </SignedInfo>
    <SignatureValue>...</SignatureValue>
    <KeyInfo>
    <KeyValue>
    <DSAKeyValue>
    <P>...</P><Q>...</Q><G>...</G><Y>...</Y>
    </DSAKeyValue>
    </KeyValue>
    </KeyInfo>
    </Signature>
  • 8. Developed by OASIS
    An XML framework for exchanging authentication and authorization information
    SAML assertions (an assertion is a declaration of a fact):
    authentication
    attribute
    Authorization
    SAML is for
    Single sign-on (SSO)
    Distributed transaction
    Authorization service
    SAML
  • 9. Used for SSO
    <saml:Assertion …>
    <saml:AuthenticationStatement
    AuthenticationMethod="password"
    AuthenticationInstant="2010-02-03">
    <saml:Subject>
    <saml:NameIdentifier
    SecurityDomain="myCompany.com" Name="ABCD" />
    <saml:ConfirmationMethod>
    http://…
    </saml:ConfirmationMethod>
    </saml:Subject>
    </saml:AuthenticationStatement>
    </saml:Assertion>
    An issuing authority asserts that
    subject S was authenticated
    by means M
    at time T
    Authentication statement
  • 10. Used for distributed transactions
    <saml:Assertion …>
    <saml:AttributeStatement>
    <saml:Subject>..Sang..</saml:Subject>
    <saml:Attribute
    AttributeName="PaymentStatus"
    AttributeNamespace="http://myshop.com">
    <saml:AttributeValue> PaidUp </saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute
    AttributeName="CreditLimit"
    AttributeNamespace="http://myshop.com">
    <saml:AttributeValue>500.00</saml:AttributeValue>
    </saml:Attribute>
    </saml:AttributeStatement>
    </saml:Assertion>
    An issuing authority asserts that
    subject S is associated with
    Attributes A,B,… with values ‘a’, ‘b’,…
    Attribute statement
  • 11. Used for authorization service
    <saml:Assertion …>
    <saml:AuthorizationStatement
    Decision="Allow"
    Resource="http://mycompany.com/empdetails">
    <saml:Subject>…</saml:Subject>
    <saml:Actions
    ActionNamespace="http://…">
    <saml:Action>Read</saml:Action>
    </saml:Actions>
    </saml:AuthorizationStatement>
    </saml:Assertion>
    An issuing authority decides
    Whether to grant the request by subject S
    for access type A to resource R
    given evidence E
    Authorization statement
  • 12. Extension to SOAP to apply security to Web services
    Defines how to attach XML Signature and XML Encryption headers to SOAP messages
    WS Security specification allows
    X.509 certificates
    Kerberos tickets
    UserID/Password credentials
    SAML-Assertion
    Custom defined token
    WS Security
  • 13. WS Security with SAML example
    <SOAP-ENV:Envelope>
    <SOAP-ENV:Header>
    <wsse:Security>
    <saml:Assertion> - - - </saml:Assertion>
    </wsse:Security>
    </SOAP-ENV:Header>
    <SOAP-ENV:Body> - - - </SOAP-ENV:Body>
    </SOAP-ENV:Envelope>
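    As an added example (not from the slides), the signing and verification flow of slides 5 to 7 applied to the slide 13 layout: a SAML-style assertion inside a wsse:Security header is covered by a detached XML Signature using the HMAC-SHA256 SignatureMethod (the symmetric-key case slide 5 mentions), with only the Python standard library. The header, namespaces, Id values and key are constructed for the example, and canonicalization uses C14N 2.0 because that is the only canonicalizer in the standard library (slide 7 uses C14N 1.1).

```python
import base64, copy, hashlib, hmac
import xml.etree.ElementTree as ET
DSIG = "http://www.w3.org/2000/09/xmldsig#"
C14N = "http://www.w3.org/2010/10/xml-c14n2"   # ET.canonicalize implements C14N 2.0 (slide 7 uses 1.1)
HMAC_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
# Constructed sample: a SAML 1.x-style assertion (slide 9) carried in a wsse:Security header (slide 13).
SAMPLE = """<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
 xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
 <saml:Assertion Id="a1"><saml:AuthenticationStatement AuthenticationMethod="password"
  AuthenticationInstant="2010-02-03"><saml:Subject><saml:NameIdentifier SecurityDomain="myCompany.com"
  Name="ABCD"/></saml:Subject></saml:AuthenticationStatement></saml:Assertion>
</wsse:Security>"""
def c14n(elem):
    # Canonical bytes of one subtree; the tail text after the element is not part of it.
    elem = copy.copy(elem); elem.tail = None
    return ET.canonicalize(ET.tostring(elem, encoding="unicode"), rewrite_prefixes=True).encode()
def digest(elem):
    return base64.b64encode(hashlib.sha256(c14n(elem)).digest()).decode()
def sign(target, key):
    # Detached <Signature> in the slide 6 layout; its single Reference covers target through its Id.
    si = ET.fromstring(f'<SignedInfo xmlns="{DSIG}"><CanonicalizationMethod Algorithm="{C14N}"/>'
                       f'<SignatureMethod Algorithm="{HMAC_SHA256}"/><Reference URI="#{target.get("Id")}">'
                       f'<DigestMethod Algorithm="{SHA256}"/><DigestValue>{digest(target)}</DigestValue>'
                       '</Reference></SignedInfo>')
    sig = ET.Element(f"{{{DSIG}}}Signature"); sig.append(si)
    mac = hmac.new(key, c14n(si), hashlib.sha256).digest()
    ET.SubElement(sig, f"{{{DSIG}}}SignatureValue").text = base64.b64encode(mac).decode()
    return sig
def verify(doc, sig, key, expected):
    # Accept only if the Reference names exactly the element the application will act on (expected) and both the digest and the HMAC over canonical SignedInfo check out.
    si = sig.find(f"{{{DSIG}}}SignedInfo")
    ref = si.find(f"{{{DSIG}}}Reference")
    targets = [e for e in doc.iter() if e.get("Id") == ref.get("URI").lstrip("#")]
    if len(targets) != 1 or targets[0] is not expected:
        return False
    digest_ok = hmac.compare_digest(ref.findtext(f"{{{DSIG}}}DigestValue"), digest(expected))
    mac = hmac.new(key, c14n(si), hashlib.sha256).digest()
    mac_ok = hmac.compare_digest(mac, base64.b64decode(sig.findtext(f"{{{DSIG}}}SignatureValue")))
    return digest_ok and mac_ok
def roundtrip(key, verify_key=None, tamper=False):
    # Sign the assertion, serialize the header, re-parse it as the receiver would, then verify.
    header = ET.fromstring(SAMPLE)
    header.append(sign(header.find("{*}Assertion"), key))
    received = ET.fromstring(ET.tostring(header))
    assertion = received.find("{*}Assertion")
    if tamper:  # an in-transit change to signed content
        assertion.find(".//{*}NameIdentifier").set("Name", "ADMIN")
    return verify(received, received.find("{*}Signature"), verify_key or key, assertion)
```

The check that the Reference resolves to exactly the element being consumed is what turns "the signature is valid" into "the assertion I am about to trust is the one that was signed".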
  • 14. Framework for
    Issuing, renewing, and validating security tokens
    Brokering trust relationships within different trust domains
    WS Trust
  • 15. 1. WSIT client runtime requests security meta-data from the service provider (transparent to the application)
    2. The service indicates that the client needs a security token from a particular STS
    3. The client requests security meta-data from the STS
    4. The STS responds with type of security token to be used for further communication
    5. The client requests security token from STS
    6. The client receives security token issued by STS
    7. The client invokes the service using the issued token
    8. The service provider verifies token and performs the service
    WS-Trust: Security Token Service
  • 16. WS-SecureConversation defines the creation and sharing of security contexts between communicating parties
    The <SecurityContextToken> (SCT) element supports the requirements of security contexts
    An SCT involves a shared secret used to sign and/or encrypt messages
    Derived keys are used for signing and encrypting messages associated with the security context
    WS-SecureConversation defines how derived keys are computed and passed
    WS-SecureConversation
  • 17. XACML is a declarative access control policy language implemented in XML, together with a processing model describing how to interpret the policies.
    Policies are defined with a collection of Rules
    XACML
    Access control rule
    Allow access
    to resource with attribute WebService
    if subject is Employee and action is read or write.
    Administration control rule
    Allow delegation of access control rule #1
    to subjects with attribute Consultant.
    Conditions:
    delegation must expire within 6 months,
    resource must not have attribute StrictlyInternal
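    As an added example (not from the slides), the two rules on slide 17 expressed in a small policy decision point written for this page: it models XACML's Rule, Target, Condition and Effect and deny-overrides combining in plain Python rather than in the XACML XML syntax, and reduces the administrative delegation rule to a condition on the request. The attribute names, the 183-day reading of "six months" and the evaluation date are assumptions.

```python
from datetime import date, timedelta

class Rule:
    # XACML-style rule: a Target (attribute values the request must match), an optional
    # Condition (a predicate over the request) and an Effect of Permit or Deny.
    def __init__(self, rule_id, effect, target, condition=lambda req: True):
        self.rule_id, self.effect, self.target, self.condition = rule_id, effect, target, condition

def values(v):
    # A request attribute may carry one value or a set of values.
    return {v} if isinstance(v, str) else set(v)

def matches(rule, req):
    for attr, allowed in rule.target.items():
        if not values(req.get(attr, set())) & allowed:
            return False
    return rule.condition(req)

def evaluate(policy, req):
    # Deny-overrides combining: an applicable Deny wins, then Permit; otherwise NotApplicable,
    # which the enforcement point must treat as a refusal.
    effects = {r.effect for r in policy if matches(r, req)}
    return "Deny" if "Deny" in effects else "Permit" if "Permit" in effects else "NotApplicable"

# Slide 17, access control rule #1: Employees may read or write resources carrying the attribute WebService.
ACCESS_RULE = Rule("rule1", "Permit", {"subject": {"Employee"}, "resource": {"WebService"},
                                       "action": {"read", "write"}})

# Slide 17, administration rule: rule #1 may be delegated to a Consultant only if the delegation
# expires within six months (taken here as 183 days) and the resource is not StrictlyInternal.
TODAY = date(2010, 2, 3)   # constructed evaluation date

def delegation_ok(req):
    expires = date.fromisoformat(req.get("expires", "9999-12-31"))
    return expires <= TODAY + timedelta(days=183) and "StrictlyInternal" not in values(req["resource"])

ADMIN_RULE = Rule("admin1", "Permit", {"subject": {"Consultant"}, "action": {"delegate"},
                                       "rule": {"rule1"}}, delegation_ok)
POLICY = [ACCESS_RULE, ADMIN_RULE]

def decide(subject, action, resource, **extra):
    # Build the request attribute bag the way a policy enforcement point would and ask the PDP.
    return evaluate(POLICY, {"subject": subject, "action": action, "resource": resource, **extra})
```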
  • 18. One standard access control policy language can replace dozens of application-specific languages
    Administrators save time and money because they don't need to rewrite their policies in many different languages
    XACML is flexible enough to accommodate most access control policy needs and extensible so that new requirements can be supported.
    One XACML policy can cover many resources. This helps avoid inconsistent policies on different resources.
    XACML allows one policy to refer to another. This is important for large organizations. For instance, a site-specific policy may refer to a company-wide policy and a country-specific policy.
    XACML benefits