WS - Security
Upcoming SlideShare
Loading in...5
×
 

WS - Security

on

  • 698 views

WS - Security

WS - Security

Statistics

Views

Total Views
698
Views on SlideShare
307
Embed Views
391

Actions

Likes
0
Downloads
12
Comments
0

1 Embed 391

http://blog.facilelogin.com 391

Accessibility

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    WS - Security WS - Security Presentation Transcript

    • WS - Security Prabath Siriwardena Director, Security Architecture
    • WS-Security • WS-Security – Authentication – Integrity and non-repudiation – Confidentiality • Initial effort of MSFT, IBM, Verisign, etc. • Standardized at : Organization for the Advancement of Structured Information Standards (OASIS)
    • WS-Security • Based on XML Encryption and XML Signature • Basic framework for message level security  Encryption  Signature  Security Tokens
    • Security Tokens • Security Tokens are pieces of information used for authentication and authorization. - UserNameToken [User name/password] - BinaryToken [ X.509 Tokens / Kerberos Tokens] - XML Token [SAML Tokens]
    • WS-Security • Provisions for “profiles” to support different crypto technologies  SAML Tokens  X. 509 Tokens  UsernameToken
    • Message Level Security • Authentication – UsernameToken – Use plain text password with a secure transport • Integrity and Non-repudiation – A detached XML-Signature used and one or more parts are signed • Confidentiality – Encrypt the SOAP Body or any other part of the message
    • WS-Security • For XML Encryption, the security header may hold an <EncryptedKey> element with a <ReferenceList> element pointing to the specific parts of the message that have been encrypted. • XML Signature, inside the security header , with its <Reference> elements points to the parts of the message that are being digitally signed.
    • WS-Security <S11:Envelope xmlns:S11="..." xmlns:wsse="..." xmlns:wsu="...” xmlns:ds="..."> <S11:Header> <wsse:Security xmlns:wsse="..."> <wsse:BinarySecurityToken ValueType=”’’ EncodingType="...#Base64Binary” wsu:Id=" MyID "> </wsse:BinarySecurityToken> <ds:Signature> </ds:Signature> <xenc:ReferenceList> <xenc:DataReference URI="#bodyID"/> </xenc:ReferenceList> </wsse:Security> </S11:Header> <S11:Body wsu:Id="MsgBody"> <xenc:EncryptedData Id="bodyID"> </xenc:EncryptedData> </S11:Body> </S11:Envelope>
    • <BinarySecurityToken /> • Can hold binary tokens – e.g. X509 tokens, Kerberos tokens. • Because these are binary tokens – should specify the EncodingType to represent them in XML. • ValueType indicates what the security token is. <wsse:BinarySecurityToken ValueType=”’’ EncodingType="...#Base64Binary” wsu:Id=" MyID "> </wsse:BinarySecurityToken>
    • WS-Security – Encryption Example - 1 <S11:Envelope xmlns:S11="..." xmlns:wsse="..." xmlns:wsu="...” xmlns:ds="..."> <S11:Header> </S11:Header> <S11:Body wsu:Id="MsgBody"> <tru:StockSymbol xmlns:tru="http://www.fabrikam123.com/payloads"> 1548 QQQ </tru:StockSymbol> </S11:Body> </S11:Envelope>
    • WS-Security – Encryption Example - 1 <S11:Envelope xmlns:S11="..." xmlns:wsse="..." xmlns:wsu="...” xmlns:ds="..."> <S11:Header> </S11:Header> <S11:Body wsu:Id="MsgBody"> <xenc:EncryptedData Id="bodyID"> <ds:KeyInfo> <ds:KeyName>CN=Hiroshi Maruyama, C=JP</ds:KeyName> </ds:KeyInfo> <xenc:CipherData> <xenc:CipherValue>...</xenc:CipherValue> </xenc:CipherData> </xenc:EncryptedData> </S11:Body> </S11:Envelope>
    • WS-Security – Encryption Example - 1 <S11:Envelope xmlns:S11="..." xmlns:wsse="..." xmlns:wsu="...” xmlns:ds="..."> <S11:Header> <wsse:Security> <xenc:ReferenceList> <xenc:DataReference URI="#bodyID"/> </xenc:ReferenceList> </wsse:Security> </S11:Header> <S11:Body wsu:Id="MsgBody"> <xenc:EncryptedData Id="bodyID"> <ds:KeyInfo> <ds:KeyName>CN=Hiroshi Maruyama, C=JP</ds:KeyName> </ds:KeyInfo> <xenc:CipherData> <xenc:CipherValue>...</xenc:CipherValue> </xenc:CipherData> </xenc:EncryptedData> </S11:Body> </S11:Envelope>
    • QUESTION 1 Discuss the applicability of following child elements under <KeyInfo> with respect to the Example -1. <KeyName /> <KeyValue /><RetrievalMethod /> <X509Data />
    • WS-Security – Encryption Example - 2 <S11:Envelope xmlns:S11="..." xmlns:wsse="..." xmlns:wsu="...” xmlns:ds="..."> <S11:Header> </S11:Header> <S11:Body wsu:Id="MsgBody"> <tru:StockSymbol xmlns:tru="http://www.fabrikam123.com/payloads"> 1548 QQQ </tru:StockSymbol> </S11:Body> </S11:Envelope>
    • WS-Security – Encryption Example - 2 <S11:Envelope xmlns:S11="..." xmlns:wsse="..." xmlns:wsu="...” xmlns:ds="..."> <S11:Header> </S11:Header> <S11:Body wsu:Id="MsgBody"> <xenc:EncryptedData Id="bodyID"> <xenc:CipherData> <xenc:CipherValue>...</xenc:CipherValue> </xenc:CipherData> </xenc:EncryptedData> </S11:Body> </S11:Envelope>
    • WS-Security – Encryption Example - 2 <S11:Envelope xmlns:S11="..." xmlns:wsse="..." xmlns:wsu="...” xmlns:ds="..."> <S11:Header> <wsse:Security> <xenc:EncryptedKey> <ds:KeyInfo> <wsse:SecurityTokenReference> <ds:X509IssuerSerial> <ds:X509IssuerName> </ds:X509IssuerName> <ds:X509SerialNumber> </ds:X509SerialNumber> </ds:X509IssuerSerial> </wsse:SecurityTokenReference> </ds:KeyInfo> <xenc:ReferenceList> <xenc:DataReference URI="#bodyID"/> </xenc:ReferenceList> </xenc:EncryptedKey> </wsse:Security> </S11:Header> <S11:Body wsu:Id="MsgBody"> <xenc:EncryptedData Id="bodyID"> <xenc:CipherData> <xenc:CipherValue>...</xenc:CipherValue> </xenc:CipherData> </xenc:EncryptedData> </S11:Body> </S11:Envelope>
    • Token References • Defines mechanisms for referencing security tokens. • Introduces the <SecurityTokenReferenece> as a standard way to refer to a security token regardless of their format.  Direct References  Key Identifiers  Key Names  Embedded References
    • Direct References • This allows references to include tokens using URI fragments and external tokens using full URIs
    • Direct Reference Example <S11:Envelope > <S11:Header> <wsse:Security> <wsse:BinarySecurityToken ValueType="...#X509v3” EncodingType="...#Base64Binary” wsu:Id="X509Token"> MIIEZzCCA9CgAwIBAgIQEmtJZc0rqrKh5i... </wsse:BinarySecurityToken> <ds:Signature> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm= "http://www.w3.org/2001/10/xml-exc-c14n#"/> <ds:SignatureMethod Algorithm= "http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> <ds:Reference URI="#myBody"> <ds:Transforms> <ds:Transform Algorithm= "http://www.w3.org/2001/10/xml-exc-c14n#"/> </ds:Transforms> <ds:DigestMethod Algorithm= "http://www.w3.org/2000/09/xmldsig#sha1"/> <ds:DigestValue>EULddytSo1...</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue> BL8jdfToEb1l/vXcMZNNjPOV... </ds:SignatureValue> <ds:KeyInfo> <wsse:SecurityTokenReference> <wsse:Reference URI="#X509Token"/> </wsse:SecurityTokenReference> </ds:KeyInfo> </ds:Signature> </wsse:Security> </S11:Header> <S11:Body wsu:Id="myBody"> <tru:StockSymbol xmlns:tru="http://www.fabrikam123.com/payloads"> QQQ </tru:StockSymbol> </S11:Body> </S11:Envelope>
    • Key Identifiers • This allows tokens to be referenced using an opaque value that represents the token. • A KeyIdentifier is a value that can be used to uniquely identify a security token (e.g. a hash of the important elements of the security token).
    • Key Identifiers <wsse:SecurityTokenReference> <wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401wss-x509-token-profile-1.0#X509SubjectKeyIdentifier" > MIGfMa0GCSq </wsse:KeyIdentifier> </wsse:SecurityTokenReference>
    • Key Identifiers • Having an explicit ValueType removes ambiguity about the format of the KeyIdentifier. The Basic Security Profile restricts the value to that specified in the security token profile that is associated with the security token. The ValueType attribute in a KeyIdentifier is optional. This can cause ambiguity when it is not explicitly stated. Furthermore, interoperability is discouraged if a ValueType is specified but does not correspond to the value associated with that token as stated in its security token profile.
    • Key Names • This allows tokens to be referenced using a string that matches an identity assertion within the security token. • In any case where a security token would be referred to by Key Name, it would also be possible to refer to it by a more efficient and/or less ambiguous mechanism (e.g. Direct, Key Identifier and/or Issuer and Serial Number).
    • Key Names Example <!-- This example is incorrect because it uses a ds:KeyName element to refer to an X.509 certificate --> <wsse:SecurityTokenReference> <ds:KeyName>CN=Security WG, OU=BSP, O=WS-I, C=US</ds:KeyName> </wsse:SecurityTokenReference> KeyName references are prohibited by the WS-Security Basic Profile.
    • Embedded • This allows tokens to be embedded (as opposed to a pointer to a token that resides elsewhere). • Basic Security Profile 1.0 restricts embedded security tokens to contain exactly one security token element.
    • Embedded Token Example <wsse:SecurityTokenReference> <wsse:Embedded wsu:Id=“"> <wsse:BinarySecurityToken wsu:Id='SomeCert' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-tokenprofile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soapmessage-security-1.0#Base64Binary"> lui+Jy4WYKGJW5xM3aHnLxOpGVIpzSg4V486hHFe7sHET/uxxVBovT7JV1A2RnWSWkXm9jAEdsm/... </wsse:BinarySecurityToken> </wsse:Embedded> </wsse:SecurityTokenReference>
    • 1 Reading SOAP is fun  <wsse:Security > <wsse:BinarySecurityToken wsu:Id='SomeCert' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-tokenprofile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soapmessage-security-1.0#Base64Binary"> lui+Jy4WYKGJW5xM3aHnLxOpGVIpzSg4V486hHFe7sHET/uxxVBovT7JV1A2RnWSWkXm9jAEdsm/... </wsse:BinarySecurityToken> <wsse:SecurityTokenReference> <wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soapmessage-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile1.0#X509SubjectKeyIdentifier"> MIGfMa0GCSq </wsse:KeyIdentifier> </wsse:SecurityTokenReference> </wsse:Security>
    • 1 Reading SOAP is fun  <wsse:Security > <wsse:BinarySecurityToken wsu:Id='SomeCert' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-tokenprofile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap<!-- This example is incorrect because it refers to a wsse:BinarySecurityToken element which message-security-1.0#Base64Binary"> specifies a wsu:id lui+Jy4WYKGJW5xM3aHnLxOpGVIpzSg4V486hHFe7sHET/uxxVBovT7JV1A2RnWSWkXm9jAEdsm/... </wsse:BinarySecurityToken> attribute using a wsse:KeyIdentifier element rather than a wsse:Reference or wsse:Embedded <wsse:SecurityTokenReference> element --> <wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soapmessage-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile1.0#X509SubjectKeyIdentifier"> MIGfMa0GCSq </wsse:KeyIdentifier> </wsse:SecurityTokenReference> </wsse:Security>
    • 2 Reading SOAP is fun  <wsse:Security > <wsse:BinarySecurityToken wsu:Id='SomeCert' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security1.0#Base64Binary"> lui+Jy4WYKGJW5xM3aHnLxOpGVIpzSg4V486hHFe7sHET/uxxVBovT7JV1A2RnWSWkXm9jAEdsm/... </wsse:BinarySecurityToken> <wsse:SecurityTokenReference> <wsse:Reference URI='#SomeCert' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" /> </wsse:SecurityTokenReference> </wsse:Security>
    • 3 Reading SOAP is fun  <wsse:Security > <wsse:SecurityTokenReference> <wsse:Embedded wsu:Id="TheEmbeddedElementAroundSomeCert"> <wsse:BinarySecurityToken wsu:Id='SomeCert' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security1.0#Base64Binary"> lui+Jy4WYKGJW5xM3aHnLxOpGVIpzSg4V486hHFe7sHET/uxxVBovT7JV1A2RnWSWkXm9jAEdsm/... </wsse:BinarySecurityToken> </wsse:Embedded> </wsse:SecurityTokenReference> </wsse:Security>
    • 4 Reading SOAP is fun  <wsse:Security > <xenc:EncryptedKey> <xenc:EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#rsa-1_5' /> <ds:KeyInfo> <wsse:SecurityTokenReference> <wsse:Reference URI='#SomeCert' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/> </wsse:SecurityTokenReference> </ds:KeyInfo> <xenc:CipherData> <xenc:CipherValue> XZEEVABD3L9G+VNTCDiDTE7WB1a4kILtz5f9FT747eE= </xenc:CipherValue> </xenc:CipherData> </xenc:EncryptedKey> <wsse:BinarySecurityToken wsu:Id='SomeCert' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security1.0#Base64Binary"> lui+Jy4WYKGJW5xM3aHnLxOpGVIpzSg4V486hHFe7sHET/uxxVBovT7JV1A2RnWSWkXm9jAEdsm/... </wsse:BinarySecurityToken> </wsse:Security>
    • 4 Reading SOAP is fun  <wsse:Security > <xenc:EncryptedKey> <xenc:EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#rsa-1_5' /> <ds:KeyInfo> <wsse:SecurityTokenReference> <wsse:Reference URI='#SomeCert' <!-- This example is incorrect because the wsse:BinarySecurityToken with the wsu:Id of ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/> SomeCert appears after it is </wsse:SecurityTokenReference> referenced from within the xenc:EncryptedKey element --> </ds:KeyInfo> <xenc:CipherData> <xenc:CipherValue> XZEEVABD3L9G+VNTCDiDTE7WB1a4kILtz5f9FT747eE= </xenc:CipherValue> </xenc:CipherData> </xenc:EncryptedKey> <wsse:BinarySecurityToken wsu:Id='SomeCert' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security1.0#Base64Binary"> lui+Jy4WYKGJW5xM3aHnLxOpGVIpzSg4V486hHFe7sHET/uxxVBovT7JV1A2RnWSWkXm9jAEdsm/... </wsse:BinarySecurityToken> </wsse:Security>
    • 5 Reading SOAP is fun  <wsse:Security xmlns:wsse='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd' xmlns:wsu='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd' xmlns:xenc='http://www.w3.org/2001/04/xmlenc#' xmlns:ds='http://www.w3.org/2000/09/xmldsig#' > <wsse:SecurityTokenReference> <wsse:Reference URI='http://www.ws-i.org/CertStore/Examples/BSP.PEM' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" /> </wsse:SecurityTokenReference> </wsse:Security>
    • 6 Reading SOAP is fun  <wsse:BinarySecurityToken wsu:Id='SomeCert' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security1.0#Base64Binary"> lui+Jy4WYKGJW5xM3aHnLxOpGVIpzSg4V486hHFe7sHET/uxxVBovT7JV1A2RnWSWkXm9jAEdsm/... </wsse:BinarySecurityToken> <wsse:SecurityTokenReference wsu:Id="TheFirstSTR"> <wsse:Reference URI='#SomeCert' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" /> </wsse:SecurityTokenReference> <wsse:SecurityTokenReference> <wsse:Reference URI='#TheFirstSTR' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" /> </wsse:SecurityTokenReference>
    • 6 Reading SOAP is fun  <wsse:BinarySecurityToken wsu:Id='SomeCert' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security<!-- This example is incorrect because the second wsse:SecurityTokenReference element refers 1.0#Base64Binary"> to the lui+Jy4WYKGJW5xM3aHnLxOpGVIpzSg4V486hHFe7sHET/uxxVBovT7JV1A2RnWSWkXm9jAEdsm/... wsse:SecurityTokenReference with an wsu:Id of TheFirstSTR --> </wsse:BinarySecurityToken> <wsse:SecurityTokenReference wsu:Id="TheFirstSTR"> <wsse:Reference URI='#SomeCert' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" /> </wsse:SecurityTokenReference> <wsse:SecurityTokenReference> <wsse:Reference URI='#TheFirstSTR' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" /> </wsse:SecurityTokenReference>
    • 7 Reading SOAP is fun  <wsse:Security > <wsu:Timestamp wsu:Id="timestamp1"> <wsu:Created>2001-09-13T08:42:00Z</wsu:Created> <wsu:Expires>2001-10-13T09:00:00Z</wsu:Expires> </wsu:Timestamp> <wsu:Timestamp wsu:Id="timestamp2"> <wsu:Created>2001-09-13T08:42:00Z</wsu:Created> <wsu:Expires>2001-10-13T09:00:00Z</wsu:Expires> </wsu:Timestamp> </wsse:Security>
    • 7 Reading SOAP is fun  <wsse:Security > <wsu:Timestamp wsu:Id="timestamp1"> <wsu:Created>2001-09-13T08:42:00Z</wsu:Created> <wsu:Expires>2001-10-13T09:00:00Z</wsu:Expires> <!-- This example is </wsu:Timestamp> incorrect because Security header MUST NOT contain more than one TIMESTAMP--> <wsu:Timestamp wsu:Id="timestamp2"> <wsu:Created>2001-09-13T08:42:00Z</wsu:Created> <wsu:Expires>2001-10-13T09:00:00Z</wsu:Expires> </wsu:Timestamp> </wsse:Security>
    • 8 Reading SOAP is fun  <soap: Header> <wsse:Security > </wsse:Security> <wsse:Security > </wsse:Security> </soap: Header>
    • 8 Reading SOAP is fun  <soap: Header> <wsse:Security > <!– This</wsse:Security> Header MUST not have more than one Security header where the is incorrect. SOAP actor/role attribute omitted--> <wsse:Security > </wsse:Security> </soap: Header>
    • 9 Reading SOAP is fun  <soap: Header> <wsse:Security actor=“foo” > </wsse:Security> <wsse:Security actor=“foo” > </wsse:Security> </soap: Header>
    • 9 Reading SOAP is fun  <soap: Header> <wsse:Security actor=“foo” > <!– This is</wsse:Security> incorrect. SOAP Header MUST not have more than one Security header with the same actor/role <wsse:Security actor=“foo” > attribute omitted--> </wsse:Security> </soap: Header>
    • 10 Reading SOAP is fun  <ds:Signature Id='TheSig' xmlns:ds='http://www.w3.org/2000/09/xmldsig#'> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' /> <ds:Reference URI='#SigPropBody'> <ds:Transforms> <ds:Transform Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' /> </ds:Transforms> <ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1' /> <ds:DigestValue>i3qi5GjhHnfoBn/jOjQp2mq0Na4=</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue>oxNwoqGbzqg1YBliz+PProgcjw8=</ds:SignatureValue> <ds:KeyInfo> <wsse:SecurityTokenReference> <wsse:Reference URI='#SomeCert' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/> </wsse:SecurityTokenReference> </ds:KeyInfo> <ds:Object> <ds:SignatureProperties> <ds:SignatureProperty Id='SigPropBody' Target='#TheSig'> <SomeSecurityToken/> </ds:SignatureProperty> </ds:SignatureProperties> </ds:Object> </ds:Signature>
    • 10 Reading SOAP is fun  <ds:Signature Id='TheSig' xmlns:ds='http://www.w3.org/2000/09/xmldsig#'> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' /> <ds:Reference URI='#SigPropBody'> <ds:Transforms> <ds:Transform Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' /> </ds:Transforms> <ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1' /> <ds:DigestValue>i3qi5GjhHnfoBn/jOjQp2mq0Na4=</ds:DigestValue> </ds:Reference> <!– This is incorrect. Must used Detached Signature. Enveloping or Enveloped </ds:SignedInfo> allowed.--> <ds:SignatureValue>oxNwoqGbzqg1YBliz+PProgcjw8=</ds:SignatureValue> <ds:KeyInfo> <wsse:SecurityTokenReference> <wsse:Reference URI='#SomeCert' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/> </wsse:SecurityTokenReference> </ds:KeyInfo> <ds:Object> <ds:SignatureProperties> <ds:SignatureProperty Id='SigPropBody' Target='#TheSig'> <SomeSecurityToken/> </ds:SignatureProperty> </ds:SignatureProperties> </ds:Object> </ds:Signature> Signatures are not
    • 11 Reading SOAP is fun  <wsse:Security > <wsse:BinarySecurityToken wsu:Id='SomeCert’ ValueType=“”></wsse:BinarySecurityToken> <ds:Signature xmlns:ds='http://www.w3.org/2000/09/xmldsig#'> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' /> <ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1' /> <ds:Reference URI=''> <ds:Transforms> <ds:Transform Algorithm='http://www.w3.org/TR/1999/REC-xpath-19991116'> <ds:XPath>/soap:Envelope/soap:Body/*</ds:XPath> </ds:Transform> <ds:Transform Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' /></ds:Transforms> <ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1' /> <ds:DigestValue>VEPKwzfPGOxh2OUpoK0bcl58jtU=</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue>+diIuEyDpV7qxVoUOkb5rj61+Zs=</ds:SignatureValue> <ds:KeyInfo> <wsse:SecurityTokenReference> <wsse:Reference URI='#SomeCert' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" /> </wsse:SecurityTokenReference> </ds:KeyInfo> </ds:Signature> </wsse:Security>
    • 11 Reading SOAP is fun  <wsse:Security > <wsse:BinarySecurityToken wsu:Id='SomeCert’ ValueType=“”></wsse:BinarySecurityToken> <ds:Signature xmlns:ds='http://www.w3.org/2000/09/xmldsig#'> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' /> <ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1' /> <ds:Reference URI=''> <ds:Transforms> <ds:Transform Algorithm='http://www.w3.org/TR/1999/REC-xpath-19991116'> <ds:XPath>/soap:Envelope/soap:Body/*</ds:XPath> A signature reference to an element that does not have an ID attribute MUST contain a </ds:Transform> TRANSFORM with an Algorithm attribute value of "http://www.w3.org/2002/06/xmldsig-filter2" <ds:Transform Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' /></ds:Transforms> <ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1' /> <ds:DigestValue>VEPKwzfPGOxh2OUpoK0bcl58jtU=</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue>+diIuEyDpV7qxVoUOkb5rj61+Zs=</ds:SignatureValue> <ds:KeyInfo> <wsse:SecurityTokenReference> <wsse:Reference URI='#SomeCert' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" /> </wsse:SecurityTokenReference> </ds:KeyInfo> </ds:Signature> </wsse:Security>
    • 12 Reading SOAP is fun  <wsse:Security > <ds:Signature xmlns:ds='http://www.w3.org/2000/09/xmldsig#'> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' /> <ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1' /> <ds:Reference URI=''> <ds:Transforms> <ds:Transform Algorithm='http://www.w3.org/2002/06/xmldsig-filter2' xmlns:dsxp='http://www.w3.org/2002/06/xmldsig-filter2'> <dsxp:XPath Filter='intersect'>/soap:Envelope/soap:Body/*</dsxp:XPath> </ds:Transform> <ds:Transform Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#'> <xc14n:InclusiveNamespaces xmlns:xc14n='http://www.w3.org/2001/10/xml-exc-c14n#' /> </ds:Transform> </ds:Transforms> <ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1' /> <ds:DigestValue>VEPKwzfPGOxh2OUpoK0bcl58jtU=</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue>+diIuEyDpV7qxVoUOkb5rj61+Zs=</ds:SignatureValue> <ds:KeyInfo> <wsse:SecurityTokenReference> <wsse:Reference URI='#SomeCert” ValueType=“" /> </wsse:SecurityTokenReference> </ds:KeyInfo> </ds:Signature> </wsse:Security>
    • 13 Reading SOAP is fun  <ds:KeyInfo xmlns:ds='http://www.w3.org/2000/09/xmldsig#' > <wsse:SecurityTokenReference> <wsse:Reference URI='#SomeCert' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" /> </wsse:SecurityTokenReference> </ds:KeyInfo> Any Signature/Encryption KeyInfo MUST contain a SecurityTokenReference child element and that is the only child element.
    • 14 Reading SOAP is fun  <ds:Signature xmlns:ds='http://www.w3.org/2000/09/xmldsig#'> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' /> <ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1' /> <ds:Reference URI='#TheManifest’></ds:Reference> </ds:SignedInfo> <ds:SignatureValue>L7X0Zw23/zYQnX4+Z+p0gCygKQ0=</ds:SignatureValue> <ds:KeyInfo> <wsse:SecurityTokenReference></wsse:SecurityTokenReference> </ds:KeyInfo> <ds:Object> <ds:Manifest Id='TheManifest'> <ds:Reference URI='#TheBody'> <ds:Transforms> <ds:Transform Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' /> </ds:Transforms> <ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1' /> <ds:DigestValue>+VTJraRYFT3pl7Z4uAWhmr5+bf4=</ds:DigestValue> </ds:Reference> </ds:Manifest> </ds:Object> </ds:Signature>
    • 14 Reading SOAP is fun  <ds:Signature xmlns:ds='http://www.w3.org/2000/09/xmldsig#'> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' /> <ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1' /> <ds:Reference URI='#TheManifest’></ds:Reference> </ds:SignedInfo> <ds:SignatureValue>L7X0Zw23/zYQnX4+Z+p0gCygKQ0=</ds:SignatureValue> <ds:KeyInfo> <wsse:SecurityTokenReference></wsse:SecurityTokenReference> A Signature MUST NOT contain a ds:Manifest descendant element. </ds:KeyInfo> <ds:Object> <ds:Manifest Id='TheManifest'> <ds:Reference URI='#TheBody'> <ds:Transforms> <ds:Transform Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' /> </ds:Transforms> <ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1' /> <ds:DigestValue>+VTJraRYFT3pl7Z4uAWhmr5+bf4=</ds:DigestValue> </ds:Reference> </ds:Manifest> </ds:Object> </ds:Signature>
    • 15 Reading SOAP is fun  <wsse:Security > <wsse:BinarySecurityToken wsu:Id='SomeCert’ ValueType=“"> </wsse:BinarySecurityToken> <xenc:EncryptedData Id='Enc1'> <xenc:EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#tripledes-cbc' /> <xenc:CipherData> <xenc:CipherValue></xenc:CipherValue> </xenc:CipherData> </xenc:EncryptedData> <xenc:EncryptedKey> <xenc:EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#rsa-1_5' /> <ds:KeyInfo> <wsse:SecurityTokenReference></wsse:SecurityTokenReference> </ds:KeyInfo> <xenc:CipherData> <xenc:CipherValue></xenc:CipherValue> </xenc:CipherData> <xenc:ReferenceList> <xenc:DataReference URI='#Enc1' /> </xenc:ReferenceList> </xenc:EncryptedKey> </wsse:Security>
    • 15 Reading SOAP is fun  <wsse:Security > <wsse:BinarySecurityToken wsu:Id='SomeCert’ ValueType=“"> </wsse:BinarySecurityToken> <xenc:EncryptedData Id='Enc1'> <xenc:EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#tripledes-cbc' /> <xenc:CipherData> <xenc:CipherValue></xenc:CipherValue> </xenc:CipherData> </xenc:EncryptedData> Any EncryptedKey MUST precede any EncryptedData in This is incorrect. <xenc:EncryptedKey> header referenced by the associated ReferenceList. <xenc:EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#rsa-1_5' /> <ds:KeyInfo> <wsse:SecurityTokenReference></wsse:SecurityTokenReference> </ds:KeyInfo> <xenc:CipherData> <xenc:CipherValue></xenc:CipherValue> </xenc:CipherData> <xenc:ReferenceList> <xenc:DataReference URI='#Enc1' /> </xenc:ReferenceList> </xenc:EncryptedKey> </wsse:Security> the same Security
    • 16 Reading SOAP is fun  <wsse:Security ' > <wsse:BinarySecurityToken wsu:Id='SomeCert’ ValueType=“”></wsse:BinarySecurityToken> <xenc:EncryptedKey> <xenc:EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#rsa-1_5' /> <ds:KeyInfo> <wsse:SecurityTokenReference> <wsse:Reference URI='#SomeCert’ ValueType=“" /> </wsse:SecurityTokenReference> </ds:KeyInfo> <xenc:CipherData> <xenc:CipherValue></xenc:CipherValue> </xenc:CipherData> </xenc:EncryptedKey> <xenc:ReferenceList> <xenc:DataReference URI='#Enc1' /> </xenc:ReferenceList> <xenc:EncryptedData Id='Enc1'> <xenc:EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#tripledes-cbc' /> <xenc:CipherData> <xenc:CipherValue></xenc:CipherValue> </xenc:CipherData> </xenc:EncryptedData> </wsse:Security>
    • 16 Reading SOAP is fun  <wsse:Security ' > <wsse:BinarySecurityToken wsu:Id='SomeCert’ ValueType=“”></wsse:BinarySecurityToken> <xenc:EncryptedKey> <xenc:EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#rsa-1_5' /> <ds:KeyInfo> <wsse:SecurityTokenReference> <wsse:Reference URI='#SomeCert’ ValueType=“" /> </wsse:SecurityTokenReference> </ds:KeyInfo> <!-- This example is incorrect because the xenc:EncryptedKey element is missing an <xenc:CipherData> <xenc:CipherValue></xenc:CipherValue> xenc:ReferenceList child element --> </xenc:CipherData> </xenc:EncryptedKey> <xenc:ReferenceList> <xenc:DataReference URI='#Enc1' /> </xenc:ReferenceList> <xenc:EncryptedData Id='Enc1'> <xenc:EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#tripledes-cbc' /> <xenc:CipherData> <xenc:CipherValue></xenc:CipherValue> </xenc:CipherData> </xenc:EncryptedData> </wsse:Security>
    • <wsse11:SignatureConfirmation /> Ensure that a received SOAP message was generated in response to the original request sent by the web client. The client request is typically signed but does not have to be. In this mechanism, the web service adds a <SignatureConfirmation> element to the security header element, and the web client can check that <SignatureConfirmation> element <wsse11:SignatureConfirmation wsu:Id="..." Value="..." />
    • <wsse11:EncryptedHeader /> WSS 1.1 introduced a new <EncryptedHeader /> mechanism to encrypt headers. When it is required that an entire SOAP header block including the top-level element and its attributes be encrypted, the original header block is replaced with an <EncryptedHeader /> . Where an <EncryptedHeader /> element exists, it contains a child <EncryptedData /> element that is the result of encrypting the header block.
    • STR-Transform <wsse:SecurityTokenReference wsu:Id="Str1"> </wsse:SecurityTokenReference> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:Reference URI="#Str1"> <ds:Transforms> <ds:Transform Algorithm="...#STR-Transform"> <wsse:TransformationParameters> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" /> </wsse:TransformationParameters> </ds:Transform> <ds:DigestMethod Algorithm= "http://www.w3.org/2000/09/xmldsig#sha1"/> <ds:DigestValue>...</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue></ds:SignatureValue> </ds:Signature> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform
    • STR-Transform This transform is specified by the URI #STR-Transform and when applied to a <wsse:SecurityTokenReference> element it means that the output is the token referenced by the <wsse:SecurityTokenReference> element not the element itself.
    • lean . enterprise . middleware