Secured SOA

1. Secured SOA. By Prabath Siriwardena ~ WSO2
2. November 01st, 2007
3. WSO2, NO: 59 Flower Road, Colombo 07, Sri Lanka
4. Ruchith Fernando, Security Lead, WSO2, 2006 – 2008. Now a PhD student at University of Purdue
5. First Assignment…
6. Securing a Web Service..???
7. WHY Secure..???
8. People Can SEE What You Send
9. People Can ALTER What You Send
10. Anyone Can CALL Your Service
11. People SEE What’s On HTTP
12. People Can ALTER What’s On HTTP
13. HTTP is NOT Secured
14. HTTPS
15. HTTPS is Transport Level
16. Security inherited from the transport channel
17. Safe only while on the transport
18. Parts of the message CANNOT BE encrypted
19. Authenticating with HTTPS?
20. BasicAuth
21. Mutual Authentication
22. SSL Handshake
23. CLIENT_HELLO: Highest SSL Version, Ciphers Supported, Data Compression Methods, SessionId = 0, Random Data
24. SERVER_HELLO: Selected SSL Version, Selected Cipher, Selected Data Compression Method, Assigned Session Id, Random Data
25. CERTIFICATE: Public Key, Authentication Signature
26. CLIENT_CERT_REQUEST [Optional]
27. CLIENT_CERT [Optional]
28. CLIENT_KEY_EXCHANGE
29. CERTIFICATE_VERIFY [Optional]
30. CHANGE_CIPHER_SPEC
31. FINISHED
32. CHANGE_CIPHER_SPEC
33. FINISHED
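An added example, not from the deck: a small Python model of the handshake on slides 22-33. It checks that a recorded message sequence follows that order (with the [Optional] client-certificate messages only where the slides place them) and shows how SERVER_HELLO settles the version and cipher. The version tuples, cipher-suite lists, session id and transcripts are constructed inputs, not a TLS library's API.

```python
import re

# Message sequence from slides 23-33; the "?" groups are the [Optional] messages.
HANDSHAKE_SEQUENCE = re.compile(
    r"^CLIENT_HELLO SERVER_HELLO CERTIFICATE"
    r"(?: CLIENT_CERT_REQUEST(?: CLIENT_CERT)?)?"
    r" CLIENT_KEY_EXCHANGE(?: CERTIFICATE_VERIFY)?"
    r" CHANGE_CIPHER_SPEC FINISHED CHANGE_CIPHER_SPEC FINISHED$")

# Constructed CLIENT_HELLO; SessionId = 0 means there is no session to resume.
CLIENT_HELLO = {"highest_version": (3, 1), "session_id": 0,
                "ciphers": ["TLS_RSA_WITH_RC4_128_MD5", "TLS_RSA_WITH_AES_128_CBC_SHA"]}
SERVER_VERSIONS = [(3, 0), (3, 1), (3, 2)]           # SSL 3.0, TLS 1.0, TLS 1.1
SERVER_CIPHERS = ["TLS_RSA_WITH_AES_256_CBC_SHA",    # the server's own preference order
                  "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_RC4_128_MD5"]

def negotiate(client_hello, server_versions, server_ciphers, session_id=1):
    """Model of SERVER_HELLO: the highest version both sides support, and the first
    cipher in the server's preference order that the client offered."""
    common = [v for v in server_versions if v <= client_hello["highest_version"]]
    if not common:
        raise ValueError("no protocol version in common")
    offered = set(client_hello["ciphers"])
    chosen = next((c for c in server_ciphers if c in offered), None)
    if chosen is None:
        raise ValueError("no cipher suite in common")
    return {"version": max(common), "cipher": chosen, "session_id": session_id}

def handshake_order_ok(messages):
    """True when the recorded messages follow the slide sequence and the optional
    client-certificate messages are consistent: a client that sent CLIENT_CERT must
    prove it holds the key (CERTIFICATE_VERIFY), and vice versa."""
    if not HANDSHAKE_SEQUENCE.match(" ".join(messages)):
        return False
    return ("CLIENT_CERT" in messages) == ("CERTIFICATE_VERIFY" in messages)

def mutually_authenticated(messages):
    """Mutual authentication (slide 21): server certificate plus a verified client one."""
    return handshake_order_ok(messages) and "CERTIFICATE_VERIFY" in messages

# Two constructed transcripts: server-only authentication, and mutual authentication.
SERVER_ONLY = ["CLIENT_HELLO", "SERVER_HELLO", "CERTIFICATE", "CLIENT_KEY_EXCHANGE",
               "CHANGE_CIPHER_SPEC", "FINISHED", "CHANGE_CIPHER_SPEC", "FINISHED"]
MUTUAL = ["CLIENT_HELLO", "SERVER_HELLO", "CERTIFICATE", "CLIENT_CERT_REQUEST",
          "CLIENT_CERT", "CLIENT_KEY_EXCHANGE", "CERTIFICATE_VERIFY",
          "CHANGE_CIPHER_SPEC", "FINISHED", "CHANGE_CIPHER_SPEC", "FINISHED"]
```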
34. MONDAY Morning
35. NOT Happy With HTTPS
36. Requires END To END Security
37. Parts of message need to be Encrypted
38. (SOAP message)
    <soap:Envelope>
      <soap:Body>
        <ns1:withdrawMoney>
          <param1></param1>
          <param2></param2>
          <param3></param3>
        </ns1:withdrawMoney>
      </soap:Body>
    </soap:Envelope>
39. The same withdrawMoney message again (identical markup to slide 38)
40. Message Level Security
41. XML Encryption
42. XML Signature
43. WS-Security
44. Confidentiality
45. Integrity
46. NON-Repudiation
47. Authentication
48. UsernameToken
49. (UsernameToken)
    <wsse:UsernameToken wsu:Id="Example-1">
      <wsse:Username> ... </wsse:Username>
      <wsse:Password Type="..."> ... </wsse:Password>
      <wsse:Nonce EncodingType="..."> ... </wsse:Nonce>
      <wsu:Created> ... </wsu:Created>
    </wsse:UsernameToken>
50. NOBODY Can See the Message in Clear Text Other than the Intended Recipient
51. NOBODY In the Middle Can ALTER the Message
52. Only the Authenticated Users Can Invoke the Service
53. WS-Security (diagram): built on XML Signature, XML Encryption, the Username Token Profile and the X.509 Token Profile
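An added example, not from the deck: the UsernameToken of slide 49 built and verified in Python with the digest form of wsse:Password (Base64 of SHA-1 over nonce, Created and password, as the UsernameToken Profile defines it). The verifying side also uses Nonce and Created for what they exist for: rejecting stale tokens and replays. Usernames, passwords, nonces and timestamps are constructed sample values.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"

def password_digest(nonce, created, password):
    """UsernameToken Profile rule: Base64(SHA-1(nonce bytes + Created + password))."""
    return base64.b64encode(hashlib.sha1(nonce + created.encode() + password.encode()).digest()).decode()

def parse_created(text):
    """wsu:Created is an xsd:dateTime in UTC, e.g. 2009-09-17T09:00:00Z."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))

def build_token(username, password, created, nonce):
    """Client side: the slide-49 token filled in with a digest password, a random
    nonce (caller supplies it, e.g. os.urandom(16)) and the Created timestamp."""
    return (f'<wsse:UsernameToken xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" wsu:Id="Example-1">'
            f"<wsse:Username>{username}</wsse:Username>"
            f'<wsse:Password Type="{DIGEST}">{password_digest(nonce, created, password)}</wsse:Password>'
            f"<wsse:Nonce>{base64.b64encode(nonce).decode()}</wsse:Nonce>"
            f"<wsu:Created>{created}</wsu:Created></wsse:UsernameToken>")

def verify_token(token_xml, now, passwords, seen_nonces, max_age=timedelta(minutes=5)):
    """Service side: recompute the digest from the stored password, reject tokens whose
    Created falls outside the freshness window, and reject a nonce seen before (replay).
    seen_nonces is the caller's cache; only accepted nonces are added to it."""
    tok = ET.fromstring(token_xml)
    user = tok.findtext(f"{{{WSSE}}}Username")
    pw = tok.find(f"{{{WSSE}}}Password")
    nonce_b64 = tok.findtext(f"{{{WSSE}}}Nonce") or ""
    created = tok.findtext(f"{{{WSU}}}Created") or ""
    if user not in passwords or pw is None or pw.get("Type") != DIGEST:
        return False                      # unknown user, or not a digest password
    if abs(now - parse_created(created)) > max_age:
        return False                      # stale or future-dated token
    if nonce_b64 in seen_nonces:
        return False                      # replay of an earlier token
    expected = password_digest(base64.b64decode(nonce_b64), created, passwords[user])
    if not hmac.compare_digest(expected, pw.text or ""):
        return False                      # wrong password
    seen_nonces.add(nonce_b64)
    return True
```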
54. DONE with My First Assignment
55. BUT… Paul NOT Happy
56. Authentication LIMITED to INTERNAL Users ONLY
57. Users OUT SIDE Our Domain Need ACCESS
58. We DON’T Have Their Credentials
59. We Can’t Use UsernameToken
60. Delegate Authentication to the External Domain itself
61. They Should Know How to Authenticate Their Own Users
62. We TRUST What the External Domain Says
63. WS-TRUST
64. (RequestSecurityToken, RST)
    <s:Envelope>
      <s:Header>
        <wsa:Action>http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue</wsa:Action>
      </s:Header>
      <s:Body>
        <wst:RequestSecurityToken>
          <wst:TokenType>http://example.org/mySpecialToken</wst:TokenType>
          <wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</wst:RequestType>
        </wst:RequestSecurityToken>
      </s:Body>
    </s:Envelope>
65. (RequestSecurityTokenResponse, RSTR)
    <s:Envelope>
      <s:Header>
        <wsa:Action>http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/Issue</wsa:Action>
      </s:Header>
      <s:Body>
        <wst:RequestSecurityTokenResponseCollection>
          <wst:RequestSecurityTokenResponse>
            <wst:RequestedSecurityToken>
              <xyz:CustomToken xmlns:xyz="..."></xyz:CustomToken>
            </wst:RequestedSecurityToken>
          </wst:RequestSecurityTokenResponse>
        </wst:RequestSecurityTokenResponseCollection>
      </s:Body>
    </s:Envelope>
66. WS-Trust (diagram): layered on WS-Security, which is built on XML Signature, XML Encryption, the Username Token Profile and the X.509 Token Profile
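An added example, not from the deck: the slide 64/65 exchange in Python. The external domain's STS answers the Issue RST with an RSTR carrying a token for a user it authenticated itself, and our service accepts that token only when it comes from an issuer we trust, has not expired, and is intact. An HMAC under a key the two domains share stands in for the XML Signature a real STS would apply; the xyz namespace, issuer names, key and timestamps are constructed.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
ISSUE = WST + "/Issue"
XYZ = "urn:example:custom-token"   # constructed namespace for the slide's xyz:CustomToken

# Constructed RST following slide 64 (TokenType is the slide's own example URI).
RST = f"""<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:wst="{WST}">
  <s:Body><wst:RequestSecurityToken>
    <wst:TokenType>http://example.org/mySpecialToken</wst:TokenType>
    <wst:RequestType>{ISSUE}</wst:RequestType>
  </wst:RequestSecurityToken></s:Body></s:Envelope>"""

def token_mac(key, issuer, subject, expires):
    """Stand-in for the XML Signature a real STS applies (stdlib has no XML-DSig):
    an HMAC over the claims under a key the two domains established when they set up trust."""
    return hmac.new(key, f"{issuer}|{subject}|{expires}".encode(), hashlib.sha256).hexdigest()

def sts_issue(rst_xml, issuer, key, authenticated_user, expires):
    """The external domain's STS: it authenticated the user itself, and answers an
    Issue RST with an RSTR in the slide-65 shape carrying a CustomToken for that user."""
    rst = ET.fromstring(rst_xml).find(f".//{{{WST}}}RequestSecurityToken")
    if rst is None or rst.findtext(f"{{{WST}}}RequestType") != ISSUE:
        raise ValueError("only Issue requests are handled here")
    mac = token_mac(key, issuer, authenticated_user, expires)
    return (f'<wst:RequestSecurityTokenResponseCollection xmlns:wst="{WST}">'
            "<wst:RequestSecurityTokenResponse><wst:RequestedSecurityToken>"
            f'<xyz:CustomToken xmlns:xyz="{XYZ}" Issuer="{issuer}" Subject="{authenticated_user}" '
            f'Expires="{expires}" Mac="{mac}"/>'
            "</wst:RequestedSecurityToken></wst:RequestSecurityTokenResponse>"
            "</wst:RequestSecurityTokenResponseCollection>")

def accept_token(rstr_xml, trusted_issuers, now):
    """Our service (slide 62: we trust what the external domain says): accept the
    token only if its issuer is one we trust, it has not expired, and the MAC verifies
    under that issuer's key. Returns the authenticated subject, or None."""
    tok = ET.fromstring(rstr_xml).find(f".//{{{XYZ}}}CustomToken")
    if tok is None or tok.get("Issuer") not in trusted_issuers:
        return None                                   # unknown or untrusted issuer
    if tok.get("Expires", "") <= now:                 # same-format UTC strings compare lexically
        return None
    expected = token_mac(trusted_issuers[tok.get("Issuer")], tok.get("Issuer"),
                         tok.get("Subject", ""), tok.get("Expires", ""))
    if not hmac.compare_digest(expected, tok.get("Mac", "")):
        return None                                   # forged or tampered token
    return tok.get("Subject")
```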
67. Another Problem on HAND…
68. How Do We Communicate our Security Requirements to Outsiders?
69. The Encryption Algorithm We Use…
70. Key Size…
71. Token Types…
72. Elements to be Signed…
73. Elements to be Encrypted…
74. Use Symmetric Key or Asymmetric Key…
75. WS-Security Policy
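An added example, not from the deck: how WS-SecurityPolicy states the requirements listed on slides 69-74 (algorithm suite, key size, token types, parts to sign and encrypt, asymmetric keys), with a small Python reader that extracts them as a caller would. The policy fragment is constructed using WS-SecurityPolicy 1.2 vocabulary; the cipher and key-size table follows that specification's AlgorithmSuite definitions.

```python
import xml.etree.ElementTree as ET

SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
WSP = "http://www.w3.org/ns/ws-policy"
# An AlgorithmSuite name fixes cipher and key size in one word (WS-SecurityPolicy 1.2).
SUITES = {"Basic256": ("AES-256", 256), "Basic128": ("AES-128", 128), "TripleDes": ("3DES", 192)}
TOKEN_KINDS = {"X509Token", "UsernameToken", "SamlToken", "KerberosToken"}

# Constructed policy answering slides 69-74: asymmetric (X.509 on both sides) binding,
# Basic256 suite, Body and the wsa:To header signed, Body encrypted, plus a UsernameToken.
POLICY = f"""<wsp:Policy xmlns:wsp="{WSP}" xmlns:sp="{SP}">
 <wsp:ExactlyOne><wsp:All>
  <sp:AsymmetricBinding><wsp:Policy>
   <sp:InitiatorToken><wsp:Policy><sp:X509Token/></wsp:Policy></sp:InitiatorToken>
   <sp:RecipientToken><wsp:Policy><sp:X509Token/></wsp:Policy></sp:RecipientToken>
   <sp:AlgorithmSuite><wsp:Policy><sp:Basic256/></wsp:Policy></sp:AlgorithmSuite>
   <sp:IncludeTimestamp/>
  </wsp:Policy></sp:AsymmetricBinding>
  <sp:SignedParts><sp:Body/>
   <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/></sp:SignedParts>
  <sp:EncryptedParts><sp:Body/></sp:EncryptedParts>
  <sp:SupportingTokens><wsp:Policy><sp:UsernameToken/></wsp:Policy></sp:SupportingTokens>
 </wsp:All></wsp:ExactlyOne>
</wsp:Policy>"""

def local(tag):
    return tag.rsplit("}", 1)[-1]

def parts(root, kind):
    """Names of the message parts listed under sp:SignedParts / sp:EncryptedParts."""
    el = root.find(f".//{{{SP}}}{kind}")
    return [c.get("Name") or local(c.tag) for c in el] if el is not None else []

def summarize(policy_xml):
    """What the outsider must do to call us: binding kind, cipher and key size,
    parts to sign and encrypt, and the tokens to present."""
    root = ET.fromstring(policy_xml)
    binding = next(e for e in root.iter() if local(e.tag).endswith("Binding"))
    suite = local(binding.find(f".//{{{SP}}}AlgorithmSuite/{{{WSP}}}Policy/*").tag)
    return {
        "binding": local(binding.tag),
        "asymmetric_keys": local(binding.tag) == "AsymmetricBinding",
        "cipher": SUITES[suite][0],
        "key_bits": SUITES[suite][1],
        "timestamp": binding.find(f".//{{{SP}}}IncludeTimestamp") is not None,
        "signed": parts(root, "SignedParts"),
        "encrypted": parts(root, "EncryptedParts"),
        "tokens": sorted({local(e.tag) for e in root.iter() if local(e.tag) in TOKEN_KINDS}),
    }
```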
76. Finally… We All Moved to the White Board…
77. http://wso2.com, http://wso2.com/about/contact, bizdev@wso2.com, prabath@wso2.com
78. Thank You…!!!
Prabath Siriwardana - WSO2 SOA Security Architect, gives out a presentation on secured SOA at the SOA workshop in Colombo, Sri Lanka (September 17, 2009).
