Secured SOA

  1. Santa Clara, CA. Secured SOA, by Prabath Siriwardena, WSO2
  2. Securing a Web Service...???
  3. People Can SEE What You Send
  4. People Can ALTER What You Send
  5. People Can ALTER What You Send
  6. Anyone Can CALL Your Service
  7. People SEE What’s On
  8. People Can ALTER What’s On
  9. People Can ALTER What’s On
  10. HTTP is NOT Secured
  11. HTTPS
  12. HTTPS is Transport Level
  13. Security inherited from the transport channel
  14. Safe only while on the transport
  15. Parts of the message CANNOT BE encrypted selectively: the channel encrypts everything or nothing
  16. Authenticating with HTTPS?
  17. BasicAuth
  18. Mutual Authentication
  19. SSL Handshake
  20. CLIENT_HELLO: Highest SSL Version, Ciphers Supported, Data Compression Methods, SessionId = 0, Random Data
  21. SERVER_HELLO: Selected SSL Version, Selected Cipher, Selected Data Compression Method, Assigned Session Id, Random Data
  22. CERTIFICATE: Public Key, Authentication Signature
  23. CLIENT_CERT_REQUEST [Optional]
  24. CLIENT_CERT [Optional]
  25. CLIENT_KEY_EXCHANGE
  26. CERTIFICATE_VERIFY [Optional]
  27. CHANGE_CIPHER_SPEC
  28. FINISHED
  29. CHANGE_CIPHER_SPEC
  30. FINISHED
  31. MONDAY Morning
  32. NOT Happy With HTTPS
  33. Requires END To END Security
  34. Parts of the message need to be Encrypted
  35. <soap:Envelope> <soap:Body> <ns1:withdrawMoney> <param1></param1> <param2></param2> <param3></param3> </ns1:withdrawMoney> </soap:Body> </soap:Envelope>
  36. <soap:Envelope> <soap:Body> <ns1:withdrawMoney> <param1></param1> <param2></param2> <param3></param3> </ns1:withdrawMoney> </soap:Body> </soap:Envelope>
  37. Message Level Security
  38. XML Encryption
  39. XML Signature
  40. WS-Security
  41. Confidentiality
  42. Integrity
  43. NON-Repudiation
  44. Authentication
  45. UsernameToken
  46. <wsse:UsernameToken wsu:Id="Example-1"> <wsse:Username> ... </wsse:Username> <wsse:Password Type="..."> ... </wsse:Password> <wsse:Nonce EncodingType="..."> ... </wsse:Nonce> <wsu:Created> ... </wsu:Created> </wsse:UsernameToken>
  47. NOBODY Can See the Message in Clear Text Other than the Intended Recipient
  48. NOBODY In the Middle Can ALTER the Message
  49. Only the Authenticated Users Can Invoke the Service
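The UsernameToken on slide 46 leaves the Password Type, Nonce and Created as placeholders. The worked example below (added here; it is not code from the deck, from the author or from WSO2) fills them in the way the WS-Security UsernameToken Profile specifies for PasswordDigest, that is Base64(SHA-1(nonce + created + password)), and shows what a service has to check before slide 49 holds: the token type really is a digest (PasswordText would carry the password in clear), the Created timestamp is within a clock-skew window, the nonce has not been seen before, and the digest matches. Only the Python standard library is used; the password store, the 300-second skew window and the sample user are constructed for the example.

```python
import base64
import datetime
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET

# Namespace and Type URIs from the WS-Security 1.0 specifications.
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PASSWORD_DIGEST = ("http://docs.oasis-open.org/wss/2004/01/"
                   "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
BASE64_BINARY = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-soap-message-security-1.0#Base64Binary")
ET.register_namespace("wsse", WSSE)
ET.register_namespace("wsu", WSU)
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """PasswordDigest per the UsernameToken Profile: Base64(SHA-1(nonce + created + password)).
    The nonce enters as raw bytes, not in its Base64 form."""
    raw = nonce + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()


def build_username_token(username, password, nonce=None, created=None) -> str:
    """Client side: the <wsse:UsernameToken> from the slide, with a digest password."""
    nonce = nonce or os.urandom(16)
    created = created or datetime.datetime.now(datetime.timezone.utc).strftime(TIME_FMT)
    tok = ET.Element(f"{{{WSSE}}}UsernameToken", {f"{{{WSU}}}Id": "Example-1"})
    ET.SubElement(tok, f"{{{WSSE}}}Username").text = username
    pw = ET.SubElement(tok, f"{{{WSSE}}}Password", {"Type": PASSWORD_DIGEST})
    pw.text = password_digest(nonce, created, password)
    n = ET.SubElement(tok, f"{{{WSSE}}}Nonce", {"EncodingType": BASE64_BINARY})
    n.text = base64.b64encode(nonce).decode()
    ET.SubElement(tok, f"{{{WSU}}}Created").text = created
    return ET.tostring(tok, encoding="unicode")


def _parse_time(value: str):
    """Parse a wsu:Created value; returns None if it is not in the expected form."""
    try:
        return datetime.datetime.strptime(value, TIME_FMT).replace(tzinfo=datetime.timezone.utc)
    except ValueError:
        return None


class UsernameTokenVerifier:
    """Service side. Holds a constructed password store, a replay cache of seen nonces
    and the clock skew (seconds) tolerated on wsu:Created."""

    def __init__(self, passwords: dict, max_skew_seconds: int = 300):
        self.passwords = passwords
        self.max_skew = max_skew_seconds
        self.seen_nonces = set()

    def verify(self, token_xml: str, now: str = None) -> bool:
        """True only for a fresh, unreplayed digest token whose digest matches the stored password."""
        now_dt = _parse_time(now) if now else datetime.datetime.now(datetime.timezone.utc)
        tok = ET.fromstring(token_xml)
        username = tok.findtext(f"{{{WSSE}}}Username")
        pw_el = tok.find(f"{{{WSSE}}}Password")
        nonce_el = tok.find(f"{{{WSSE}}}Nonce")
        created = tok.findtext(f"{{{WSU}}}Created")
        if username is None or pw_el is None or nonce_el is None or created is None:
            return False
        # Only digest tokens are accepted; PasswordText would carry the password in clear.
        if pw_el.get("Type") != PASSWORD_DIGEST or username not in self.passwords:
            return False
        # Freshness: a Created timestamp far from the server clock is rejected outright.
        created_dt = _parse_time(created)
        if created_dt is None or abs((now_dt - created_dt).total_seconds()) > self.max_skew:
            return False
        # Replay: the same nonce is never accepted twice for the same user.
        nonce = base64.b64decode(nonce_el.text or "")
        if (username, nonce) in self.seen_nonces:
            return False
        expected = password_digest(nonce, created, self.passwords[username])
        if not hmac.compare_digest(expected, pw_el.text or ""):
            return False
        self.seen_nonces.add((username, nonce))
        return True
```

The replay cache only has to remember nonces for as long as the skew window lasts, because anything older is already rejected by the freshness check; a production service would expire entries on that basis rather than keep them forever as this in-memory set does.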
  50. Sign & Encrypt OR Encrypt & Sign
  51. Sign & Encrypt (Message Signature)
  52. XML Signature defines THREE types of signatures
  53. Enveloped: <Message> <Signature> </Signature> </Message>
  54. Enveloping: <Signature> <Message> </Message> </Signature>
  55. Detached: <Signature> </Signature> <Message> </Message>
  56. <Envelope> <Header> <Signature> </Signature> </Header> <Body> <Message> </Message> </Body> </Envelope>
  57. Sign & Encrypt With WS-Security
  58. Step 1: <Envelope> <Body> <Message> </Message> </Body> </Envelope>
  59. Step 2: <Envelope> <Header> <Signature> </Signature> </Header> <Body> <Message> </Message> </Body> </Envelope>
  60. Step 3: <Envelope> <Header> <Signature> </Signature> </Header> <Body> <EncryptedData> </EncryptedData> </Body> </Envelope>
  61. Encrypt & Sign (Message Signature)
  62. Step 1: <Envelope> <Body> <Message> </Message> </Body> </Envelope>
  63. Step 2: <Envelope> <Body> <EncryptedData> </EncryptedData> </Body> </Envelope>
  64. Step 3: <Envelope> <Header> <Signature> </Signature> </Header> <Body> <EncryptedData> </EncryptedData> </Body> </Envelope>
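Slides 57 to 64 show the two orderings as envelope snapshots but not what they mean for the receiver. The example below (added here, not code from the deck or from WSO2) builds both envelopes and opens them, so the difference in processing order is visible: with Sign & Encrypt the receiver must decrypt before it can check the signature over the plaintext, and with Encrypt & Sign it verifies the signature over EncryptedData first and never decrypts a tampered Body. Two assumptions keep it offline and in the standard library: the "signature" is an HMAC-SHA256 with a symmetric key standing in for XML Signature, and the "encryption" is a toy SHA-256 counter-mode keystream standing in for XML Encryption's block cipher. Keys and message are constructed.

```python
import hashlib
import hmac
from typing import Optional
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
ET.register_namespace("soap", SOAP)


def toy_stream_cipher(key: bytes, data: bytes) -> bytes:
    """Stand-in for XML Encryption's cipher: SHA-256 in counter mode XORed over the data.
    Symmetric, so the same call encrypts and decrypts. Exists only so the example runs offline."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def signature(key: bytes, data: bytes) -> str:
    """Stand-in for XML Signature: HMAC-SHA256 over the signed content (symmetric key, an assumption)."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def _envelope(sig: Optional[str], body_child: ET.Element) -> str:
    """Slide 56 layout: Signature in the Header, payload in the Body."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    if sig is not None:
        ET.SubElement(ET.SubElement(env, f"{{{SOAP}}}Header"), "Signature").text = sig
    ET.SubElement(env, f"{{{SOAP}}}Body").append(body_child)
    return ET.tostring(env, encoding="unicode")


def _encrypted_data(ciphertext_hex: str) -> ET.Element:
    el = ET.Element("EncryptedData")
    el.text = ciphertext_hex
    return el


def _parts(envelope: str):
    env = ET.fromstring(envelope)
    sig = env.findtext(f"{{{SOAP}}}Header/Signature")
    ct = env.findtext(f"{{{SOAP}}}Body/EncryptedData")
    if sig is None or ct is None:
        raise ValueError("missing Signature or EncryptedData")
    return sig, ct


def sign_then_encrypt(message: str, sign_key: bytes, enc_key: bytes) -> str:
    """Slides 58-60: sign the plaintext Message, then replace the Body with EncryptedData."""
    sig = signature(sign_key, message.encode())
    ct = toy_stream_cipher(enc_key, message.encode()).hex()
    return _envelope(sig, _encrypted_data(ct))


def open_sign_then_encrypt(envelope: str, sign_key: bytes, enc_key: bytes) -> str:
    """Receiver must decrypt first; only then can the signature over the plaintext be checked."""
    sig, ct = _parts(envelope)
    plaintext = toy_stream_cipher(enc_key, bytes.fromhex(ct))
    if not hmac.compare_digest(signature(sign_key, plaintext), sig):
        raise ValueError("signature does not match the decrypted Body")
    return plaintext.decode()


def encrypt_then_sign(message: str, sign_key: bytes, enc_key: bytes) -> str:
    """Slides 62-64: encrypt the Body first, then sign the EncryptedData element."""
    ct = toy_stream_cipher(enc_key, message.encode()).hex()
    sig = signature(sign_key, ct.encode())
    return _envelope(sig, _encrypted_data(ct))


def open_encrypt_then_sign(envelope: str, sign_key: bytes, enc_key: bytes) -> str:
    """Receiver checks the signature over the ciphertext before spending any work on decryption."""
    sig, ct = _parts(envelope)
    if not hmac.compare_digest(signature(sign_key, ct.encode()), sig):
        raise ValueError("signature does not match EncryptedData")
    return toy_stream_cipher(enc_key, bytes.fromhex(ct)).decode()


def tamper_ciphertext(envelope: str) -> str:
    """Constructed in-transit modification for testing: flip the last hex digit of EncryptedData."""
    env = ET.fromstring(envelope)
    el = env.find(f"{{{SOAP}}}Body/EncryptedData")
    el.text = el.text[:-1] + ("0" if el.text[-1] != "0" else "1")
    return ET.tostring(env, encoding="unicode")


def is_rejected(opener, envelope: str, sign_key: bytes, enc_key: bytes) -> bool:
    """True if the receiver-side function refuses the envelope."""
    try:
        opener(envelope, sign_key, enc_key)
        return False
    except ValueError:
        return True
```

Both orderings detect the modified Body; what differs is when. With Encrypt & Sign the rejection happens before decryption, so the receiver never processes attacker-controlled plaintext and the check is cheap; with Sign & Encrypt the signature, and therefore the signer, is hidden inside the ciphertext, which is the property the deck calls Confidentiality on slide 41.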
  65. WS-Security stack: Username Token Profile, X.509 Token Profile, XML Signature, XML Encryption
  66. DONE with My First Assignment
  67. BUT… Paul NOT Happy
  68. Authentication LIMITED to INTERNAL Users ONLY
  69. Users OUTSIDE Our Domain Need ACCESS
  70. We DON’T Have Their Credentials
  71. We Can’t Use UsernameToken
  72. Delegate Authentication to the External Domain itself
  73. They Should Know How to Authenticate Their Own Users
  74. We TRUST What the External Domain Says
  75. WS-TRUST
  76. <s:Envelope> <s:Header> <wsa:Action> http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue </wsa:Action> </s:Header> <s:Body> <wst:RequestSecurityToken> <wst:TokenType> http://example.org/mySpecialToken </wst:TokenType> <wst:RequestType> http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue </wst:RequestType> </wst:RequestSecurityToken> </s:Body> </s:Envelope>
  77. <s:Envelope> <s:Header> <wsa:Action> http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/Issue </wsa:Action> </s:Header> <s:Body> <wst:RequestSecurityTokenResponseCollection> <wst:RequestSecurityTokenResponse> <wst:RequestedSecurityToken> <xyz:CustomToken xmlns:xyz="..."> </xyz:CustomToken> </wst:RequestedSecurityToken> </wst:RequestSecurityTokenResponse> </wst:RequestSecurityTokenResponseCollection> </s:Body> </s:Envelope>
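Slides 72 to 77 describe the delegation: the external domain authenticates its own users, answers our RequestSecurityToken with a RequestSecurityTokenResponseCollection, and we accept the token because we trust that issuer. The example below (added here; not code from the deck, the author or WSO2) plays both roles with the RST and RSTR bodies from the slides. The external STS, the CustomToken namespace, its Claims/Signature children and the HMAC key shared between the STS and our service are all assumptions made so the exchange runs offline; the trust decision on our side is the part to notice: the token is accepted only if its issuer is on a trust list, its signature verifies under that issuer's key, and it has not expired.

```python
import base64
import hashlib
import hmac
import json
import xml.etree.ElementTree as ET

WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
ISSUE = WST + "/Issue"                             # RequestType from the RST on the slide
TOKEN_TYPE = "http://example.org/mySpecialToken"   # TokenType from the RST on the slide
XYZ = "urn:example:custom-token"                   # assumed namespace for xyz:CustomToken
ET.register_namespace("wst", WST)
ET.register_namespace("xyz", XYZ)


def build_rst(token_type: str = TOKEN_TYPE) -> str:
    """Body of the RST: which token we want and that we want it issued."""
    rst = ET.Element(f"{{{WST}}}RequestSecurityToken")
    ET.SubElement(rst, f"{{{WST}}}TokenType").text = token_type
    ET.SubElement(rst, f"{{{WST}}}RequestType").text = ISSUE
    return ET.tostring(rst, encoding="unicode")


def _mac(key: bytes, data: bytes) -> str:
    return hmac.new(key, data, hashlib.sha256).hexdigest()


class ExternalSTS:
    """Hypothetical security token service of the partner domain (slide 73). It checks its
    own users' passwords, which we never see, and returns a signed CustomToken in an RSTRC."""

    def __init__(self, issuer: str, users: dict, signing_key: bytes, ttl_seconds: int = 300):
        self.issuer, self.users, self.signing_key, self.ttl = issuer, users, signing_key, ttl_seconds

    def issue(self, rst_xml: str, username: str, password: str, now: int) -> str:
        rst = ET.fromstring(rst_xml)
        if rst.findtext(f"{{{WST}}}RequestType") != ISSUE:
            raise ValueError("only Issue requests are supported")
        if rst.findtext(f"{{{WST}}}TokenType") != TOKEN_TYPE:
            raise ValueError("unsupported TokenType")
        if not hmac.compare_digest(self.users.get(username, ""), password):
            raise PermissionError("authentication failed in the external domain")
        claims = json.dumps({"iss": self.issuer, "sub": username, "exp": now + self.ttl},
                            sort_keys=True).encode()
        rstrc = ET.Element(f"{{{WST}}}RequestSecurityTokenResponseCollection")
        rstr = ET.SubElement(rstrc, f"{{{WST}}}RequestSecurityTokenResponse")
        requested = ET.SubElement(rstr, f"{{{WST}}}RequestedSecurityToken")
        tok = ET.SubElement(requested, f"{{{XYZ}}}CustomToken")
        ET.SubElement(tok, f"{{{XYZ}}}Claims").text = base64.b64encode(claims).decode()
        ET.SubElement(tok, f"{{{XYZ}}}Signature").text = _mac(self.signing_key, claims)
        return ET.tostring(rstrc, encoding="unicode")


class RelyingService:
    """Our service (slide 74): trusts what a known external domain says, and nothing else."""

    def __init__(self, trusted_issuers: dict):
        # issuer name -> key shared with that issuer's STS (an assumption of this example)
        self.trusted_issuers = trusted_issuers

    def authenticate(self, rstr_xml: str, now: int) -> str:
        """Return the subject asserted by a valid token, or raise PermissionError."""
        root = ET.fromstring(rstr_xml)
        tok = root.find(f".//{{{XYZ}}}CustomToken")
        if tok is None:
            raise PermissionError("no CustomToken in response")
        claims_raw = base64.b64decode(tok.findtext(f"{{{XYZ}}}Claims") or "")
        sig = tok.findtext(f"{{{XYZ}}}Signature") or ""
        claims = json.loads(claims_raw or b"{}")
        # The issuer claim is read only to pick the key; nothing is trusted until the MAC verifies.
        key = self.trusted_issuers.get(claims.get("iss"))
        if key is None:
            raise PermissionError("issuer is not trusted")
        if not hmac.compare_digest(_mac(key, claims_raw), sig):
            raise PermissionError("token signature invalid")
        if now >= claims.get("exp", 0):
            raise PermissionError("token expired")
        return claims["sub"]


def accepted_subject(service: RelyingService, rstr_xml: str, now: int):
    """Subject if the service accepts the token, otherwise None."""
    try:
        return service.authenticate(rstr_xml, now)
    except PermissionError:
        return None
```

A real deployment would verify an X.509 signature from the STS rather than a shared HMAC key, which is where the X.509 Token Profile on slide 65 comes in, but the checks on the relying side (trusted issuer, valid signature, unexpired) are the same.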
  78. WS-Trust on top of the WS-Security stack: Username Token Profile, X.509 Token Profile, XML Signature, XML Encryption
  79. Another Problem on HAND…
  80. How Do We Communicate our Security Requirements to Outsiders?
  81. The Encryption Algorithm We Use…
  82. Key Size…
  83. Token Types…
  84. Elements to be Signed…
  85. Elements to be Encrypted…
  86. Use Symmetric Key or Asymmetric Key…
  87. WS-SecurityPolicy
  88. Finally… all on the White Board…
  89. http://wso2.com http://wso2.com/about/contact bizdev@wso2.com prabath@wso2.com
  90. Thank You…!!!