Secured SOA

Prabath Siriwardana - WSO2 SOA Security Architect, gives out a presentation on secured SOA at the SOA workshop in Colombo, Sri Lanka (September 17, 2009).


  1. Secured SOA By Prabath Siriwardena ~ WSO2
  2. November 01st, 2007
  3. WSO2 NO: 59 Flower Road, Colombo 07, Sri Lanka
  4. Ruchith Fernando Security Lead WSO2, 2006 – 2008 Now, PhD student at University of Purdue
  5. First Assignment…
  6. Securing a Web Service..???
  7. WHY Secure..???
  8. People Can SEE What You Send
  9. People Can ALTER What You Send
  10. Anyone Can CALL Your Service
  11. People SEE What’s On HTTP
  12. People Can ALTER What’s On HTTP
  13. HTTP is NOT Secured
  14. HTTPS
  15. HTTPS is Transport Level
  16. Security inherited from the transport channel
  17. Safe only while on the transport
  18. Parts of the message CANNOT BE encrypted
  19. Authenticating with HTTPS ?
  20. BasicAuth
  21. Mutual Authentication
  22. SSL Handshake
  23. CLIENT_HELLO: Highest SSL Version, Ciphers Supported, Data Compression Methods, SessionId = 0, Random Data
  24. SERVER_HELLO: Selected SSL Version, Selected Cipher, Selected Data Compression Method, Assigned Session Id, Random Data
  25. CERTIFICATE: Public Key, Authentication Signature
  26. CLIENT_CERT_REQUEST [Optional]
  27. CLIENT_CERT [Optional]
  28. CLIENT_KEY_EXCHANGE
  29. CERTIFICATE_VERIFY [Optional]
  30. CHANGE_CIPHER_SPEC
  31. FINISHED
  32. CHANGE_CIPHER_SPEC
  33. FINISHED
  34. MONDAY Morning
  35. NOT Happy With HTTPS
  36. Requires END To END Security
  37. Parts of message need to be Encrypted
  38. <soap:Envelope>
        <soap:Body>
          <ns1:withdrawMoney>
            <param1></param1>
            <param2></param2>
            <param3></param3>
          </ns1:withdrawMoney>
        </soap:Body>
      </soap:Envelope>
  39. <soap:Envelope>
        <soap:Body>
          <ns1:withdrawMoney>
            <param1></param1>
            <param2></param2>
            <param3></param3>
          </ns1:withdrawMoney>
        </soap:Body>
      </soap:Envelope>
  40. Message Level Security
  41. XML Encryption
  42. XML Signature
  43. WS-Security
  44. Confidentiality
  45. Integrity
  46. NON-Repudiation
  47. Authentication
  48. UsernameToken
  49. <wsse:UsernameToken wsu:Id="Example-1">
        <wsse:Username> ... </wsse:Username>
        <wsse:Password Type="..."> ... </wsse:Password>
        <wsse:Nonce EncodingType="..."> ... </wsse:Nonce>
        <wsu:Created> ... </wsu:Created>
      </wsse:UsernameToken>
  50. NOBODY Can See the Message in Clear Text Other than the Intended Recipient
  51. NOBODY In the Middle Can ALTER the Message
  52. Only the Authenticated Users Can Invoke the Service
  53. WS-Security, built on XML Signature and XML Encryption, with the Username Token Profile and the X.509 Token Profile
  54. DONE with My First Assignment
  55. BUT… Paul NOT Happy
  56. Authentication LIMITED to INTERNAL Users ONLY
  57. Users OUTSIDE Our Domain Need ACCESS
  58. We DON’T Have Their Credentials
  59. We Can’t Use UsernameToken
  60. Delegate Authentication to the External Domain itself
  61. They Should Know How to Authenticate Their Own Users
  62. We TRUST What the External Domain Says
  63. WS-TRUST
  64. <s:Envelope>
        <s:Header>
          <wsa:Action>http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue</wsa:Action>
        </s:Header>
        <s:Body>
          <wst:RequestSecurityToken>
            <wst:TokenType>http://example.org/mySpecialToken</wst:TokenType>
            <wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</wst:RequestType>
          </wst:RequestSecurityToken>
        </s:Body>
      </s:Envelope>
  65. <s:Envelope>
        <s:Header>
          <wsa:Action>http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/Issue</wsa:Action>
        </s:Header>
        <s:Body>
          <wst:RequestSecurityTokenResponseCollection>
            <wst:RequestSecurityTokenResponse>
              <wst:RequestedSecurityToken>
                <xyz:CustomToken xmlns:xyz="...">
                </xyz:CustomToken>
              </wst:RequestedSecurityToken>
            </wst:RequestSecurityTokenResponse>
          </wst:RequestSecurityTokenResponseCollection>
        </s:Body>
      </s:Envelope>
  66. WS-Trust on top of WS-Security, built on XML Signature and XML Encryption, with the Username Token Profile and the X.509 Token Profile
  67. Another Problem on HAND…
  68. How Do We Communicate our Security Requirements to Outsiders ?
  69. The Encryption Algorithm We Use…
  70. Key Size…
  71. Token Types…
  72. Elements to be Signed…
  73. Elements to be Encrypted…
  74. Use Symmetric Key or Asymmetric Key…
  75. WS-Security Policy
  76. Finally… We All Moved to the White Board…
  77. http://wso2.com http://wso2.com/about/contact bizdev@wso2.com prabath@wso2.com
  78. Thank You…!!!
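The handshake on slides 22-33, as an added example that is not part of the deck: a checker that walks a list of handshake message names in the order the slides show them and reports whether the result is server-only or mutual authentication (slide 21). The message names and the optional markers come from the slides; the checker itself is constructed here.

```python
# Added example (not part of the deck): a checker for the handshake message
# order on slides 23-33. It tells server-only authentication apart from
# mutual authentication, where the client must present a certificate AND
# prove key possession with CERTIFICATE_VERIFY.

# (message, optional?) in the order the slides show them
HANDSHAKE = [
    ("CLIENT_HELLO", False),
    ("SERVER_HELLO", False),
    ("CERTIFICATE", False),          # server certificate (slide 25)
    ("CLIENT_CERT_REQUEST", True),   # server asks for a client certificate
    ("CLIENT_CERT", True),
    ("CLIENT_KEY_EXCHANGE", False),
    ("CERTIFICATE_VERIFY", True),    # signature proving the client holds the key
    ("CHANGE_CIPHER_SPEC", False),   # client side
    ("FINISHED", False),
    ("CHANGE_CIPHER_SPEC", False),   # server side
    ("FINISHED", False),
]
CLIENT_CERT, CERT_VERIFY = 4, 6      # indexes into HANDSHAKE

def check_handshake(transcript):
    """Return {"ok", "mutual", "reason"} for a list of message names."""
    i, seen = 0, set()
    for pos, msg in enumerate(transcript):
        # skip optional messages the peers chose not to send
        while i < len(HANDSHAKE) and HANDSHAKE[i][1] and HANDSHAKE[i][0] != msg:
            i += 1
        if i == len(HANDSHAKE) or HANDSHAKE[i][0] != msg:
            return {"ok": False, "mutual": False,
                    "reason": f"unexpected {msg} at position {pos}"}
        seen.add(i)
        i += 1
    for name, optional in HANDSHAKE[i:]:       # anything mandatory left over?
        if not optional:
            return {"ok": False, "mutual": False, "reason": f"missing {name}"}
    if CLIENT_CERT in seen and CERT_VERIFY not in seen:
        return {"ok": True, "mutual": False,
                "reason": "client certificate sent but never proven (no CERTIFICATE_VERIFY)"}
    mutual = CLIENT_CERT in seen and CERT_VERIFY in seen
    return {"ok": True, "mutual": mutual,
            "reason": "mutual authentication" if mutual else "server authenticated only"}

SERVER_ONLY = ["CLIENT_HELLO", "SERVER_HELLO", "CERTIFICATE", "CLIENT_KEY_EXCHANGE",
               "CHANGE_CIPHER_SPEC", "FINISHED", "CHANGE_CIPHER_SPEC", "FINISHED"]
MUTUAL = [name for name, _ in HANDSHAKE]

if __name__ == "__main__":
    print(check_handshake(SERVER_ONLY))   # ok, not mutual
    print(check_handshake(MUTUAL))        # ok, mutual
```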

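Slides 36-45 argue that transport security stops at each hop while message-level integrity travels with the message. As an added example that is not the deck's or WSO2's code: only the withdrawMoney element of the envelope from slides 38-39 is protected, so an intermediary may add routing headers but a change to a parameter is caught at the endpoint. XML Signature with an X.509 key pair is what slide 42 means; an HMAC over the canonicalized element stands in for it here so the code runs on the standard library, and the ns1 namespace, key, header and parameter values are constructed.

```python
# Added example, not from the deck: end-to-end integrity over one part of the
# SOAP message from slides 38-39. Real deployments use XML Signature (slide 42)
# with an X.509 key pair; here an HMAC over the canonicalized element stands in
# so the code runs on the standard library alone.
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
BANK = "urn:example:bank"                        # assumed namespace for ns1
KEY = b"constructed-demo-key"                    # shared with the service only

# Constructed message; a Header is added so an intermediary has somewhere to write.
ENVELOPE = f"""<soap:Envelope xmlns:soap="{SOAP}" xmlns:ns1="{BANK}">
  <soap:Header/>
  <soap:Body>
    <ns1:withdrawMoney>
      <param1>ACC-1001</param1>
      <param2>250.00</param2>
      <param3>USD</param3>
    </ns1:withdrawMoney>
  </soap:Body>
</soap:Envelope>"""

def protected_bytes(xml_text):
    """Canonical form of the Body's operation element only (the signed part)."""
    op = ET.fromstring(xml_text).find(f"{{{SOAP}}}Body/*")
    op.tail = None                               # tostring() would include it
    raw = ET.tostring(op, encoding="unicode")
    return ET.canonicalize(raw, strip_text=True).encode()

def sign(xml_text):
    return hmac.new(KEY, protected_bytes(xml_text), hashlib.sha256).hexdigest()

def verify(xml_text, signature):
    return hmac.compare_digest(sign(xml_text), signature)

def intermediary(xml_text, route=None, new_amount=None):
    """A hop between client and service: adding a routing header is fine,
    rewriting the amount must be caught at the endpoint."""
    root = ET.fromstring(xml_text)
    if route:
        via = ET.SubElement(root.find(f"{{{SOAP}}}Header"), "{urn:example:routing}Via")
        via.text = route
    if new_amount:
        root.find(f"{{{SOAP}}}Body/*/param2").text = new_amount
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    sig = sign(ENVELOPE)
    print(verify(intermediary(ENVELOPE, route="gw-1"), sig))          # True
    print(verify(intermediary(ENVELOPE, new_amount="9999.00"), sig))  # False
```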
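The UsernameToken on slides 48-49 and 52, as an added example that is not from the deck: a client builds the token in PasswordDigest form (Base64 of SHA-1 over nonce, Created and password, as the WS-Security UsernameToken Profile defines it) and the service checks the digest, rejects a stale Created and refuses a replayed nonce. The user table, clock skew window and names are assumptions.

```python
# Added example, not from the deck: building and verifying the WS-Security
# UsernameToken of slide 49 in PasswordDigest form, where
# PasswordDigest = Base64(SHA-1(nonce + created + password)). The verifier
# rejects stale Created times and replayed nonces. Names are assumed.
import base64
import datetime as dt
import hashlib
import hmac
import os

TS = "%Y-%m-%dT%H:%M:%SZ"
UTC = dt.timezone.utc

def password_digest(nonce, created, password):
    h = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return base64.b64encode(h).decode()

def make_token(username, password, now=None, nonce=None):
    nonce = nonce or os.urandom(16)               # fresh per message
    created = (now or dt.datetime.now(UTC)).strftime(TS)
    return {"Username": username,
            "PasswordDigest": password_digest(nonce, created, password),
            "Nonce": base64.b64encode(nonce).decode(),
            "Created": created}

class Verifier:
    """Service side. Digest mode needs the clear-text password (or an equivalent secret) per user."""
    def __init__(self, users, max_skew=300):
        self.users, self.max_skew = users, max_skew
        self.seen = set()                         # (nonce, created) already accepted

    def verify(self, token, now=None):
        now = now or dt.datetime.now(UTC)
        password = self.users.get(token["Username"])
        if password is None:
            return False, "unknown user"
        created = dt.datetime.strptime(token["Created"], TS).replace(tzinfo=UTC)
        if abs((now - created).total_seconds()) > self.max_skew:
            return False, "stale Created"
        key = (token["Nonce"], token["Created"])
        if key in self.seen:
            return False, "nonce replayed"
        expected = password_digest(base64.b64decode(token["Nonce"]), token["Created"], password)
        if not hmac.compare_digest(expected, token["PasswordDigest"]):
            return False, "bad digest"
        self.seen.add(key)   # entries older than max_skew can be evicted; stale ones fail anyway
        return True, "ok"
```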