Secured SOA


Prabath Siriwardena, WSO2 SOA Security Architect, gives a presentation on secured SOA at the SOA workshop in Colombo, Sri Lanka (September 17, 2009).

Transcript

  • 1. Secured SOA By Prabath Siriwardena ~ WSO2
  • 2. November 01st, 2007
  • 3. WSO2 NO: 59 Flower Road, Colombo 07, Sri Lanka
  • 4. Ruchith Fernando, Security Lead, WSO2, 2006 – 2008. Now a PhD student at University of Purdue
  • 5. First Assignment…
  • 6. Securing a Web Service..???
  • 7. WHY Secure..???
  • 8. People Can SEE What You Send
  • 9. People Can ALTER What You Send
  • 10. Anyone Can CALL Your Service
  • 11. People SEE What’s On HTTP
  • 12. People Can ALTER What’s On HTTP
  • 13. HTTP is NOT Secured
  • 14. HTTPS
  • 15. HTTPS is Transport Level
  • 16. Security inherited from the transport channel
  • 17. Safe only while on the transport
  • 18. Parts of the message CANNOT BE encrypted
  • 19. Authenticating with HTTPS ?
  • 20. BasicAuth
  • 21. Mutual Authentication
  • 22. SSL Handshake
  • 23. CLIENT_HELLO Highest SSL Version, Ciphers Supported, Data Compression Methods, SessionId = 0, Random Data
  • 24. SERVER_HELLO Selected SSL Version, Selected Cipher, Selected Data Compression Method, Assigned Session Id, Random Data
  • 25. CERTIFICATE Public Key, Authentication Signature
  • 26. CLIENT_CERT_REQUEST [Optional]
  • 27. CLIENT_CERT [Optional]
  • 28. CLIENT_KEY_EXCHANGE
  • 29. CERTIFICATE_VERIFY [Optional]
  • 30. CHANGE_CIPHER_SPEC
  • 31. FINISHED
  • 32. CHANGE_CIPHER_SPEC
  • 33. FINISHED
  • 34. MONDAY Morning
  • 35. NOT Happy With HTTPS
  • 36. Requires END To END Security
  • 37. Parts of message need to be Encrypted
  • 38. <soap:Envelope> <soap:Body> <ns1:withdrawMoney> <param1></param1> <param2></param2> <param3></param3> </ns1:withdrawMoney> </soap:Body> </soap:Envelope>
  • 39. <soap:Envelope> <soap:Body> <ns1:withdrawMoney> <param1></param1> <param2></param2> <param3></param3> </ns1:withdrawMoney> </soap:Body> </soap:Envelope>
  • 40. Message Level Security
  • 41. XML Encryption
  • 42. XML Signature
  • 43. WS - Security
  • 44. Confidentiality
  • 45. Integrity
  • 46. NON - Repudiation
  • 47. Authentication
  • 48. UsernameToken
  • 49. <wsse:UsernameToken wsu:Id="Example-1"> <wsse:Username> ... </wsse:Username> <wsse:Password Type="..."> ... </wsse:Password> <wsse:Nonce EncodingType="..."> ... </wsse:Nonce> <wsu:Created> ... </wsu:Created> </wsse:UsernameToken>
  • 50. NOBODY Can See the Message in Clear Text Other than the Intended Recipient
  • 51. NOBODY In the Middle Can ALTER the Message
  • 52. Only the Authenticated Users Can Invoke the Service
  • 53. WS-Security: XML Signature, XML Encryption, Username Token Profile, X.509 Token Profile
  • 54. DONE with My First Assignment
  • 55. BUT… Paul NOT Happy 
  • 56. Authentication LIMITED to INTERNAL Users ONLY
  • 57. Users OUT SIDE Our Domain Need ACCESS
  • 58. We DON’T Have Their Credentials
  • 59. We Can’t Use UsernameToken 
  • 60. Delegate Authentication to the External Domain itself
  • 61. They Should Know How to Authenticate Their Own Users
  • 62. We TRUST What the External Domain Says
  • 63. WS-TRUST
  • 64. <s:Envelope> <s:Header> <wsa:Action> http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue </wsa:Action> </s:Header> <s:Body> <wst:RequestSecurityToken> <wst:TokenType> http://example.org/mySpecialToken </wst:TokenType> <wst:RequestType> http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue </wst:RequestType> </wst:RequestSecurityToken> </s:Body> </s:Envelope>
  • 65. <s:Envelope> <s:Header> <wsa:Action> http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/Issue </wsa:Action> </s:Header> <s:Body> <wst:RequestSecurityTokenResponseCollection> <wst:RequestSecurityTokenResponse> <wst:RequestedSecurityToken> <xyz:CustomToken xmlns:xyz="..."> </xyz:CustomToken> </wst:RequestedSecurityToken> </wst:RequestSecurityTokenResponse> </wst:RequestSecurityTokenResponseCollection> </s:Body> </s:Envelope>
  • 66. WS-Trust on top of WS-Security: XML Signature, XML Encryption, Username Token Profile, X.509 Token Profile
  • 67. Another Problem on HAND…
  • 68. How Do We Communicate our Security Requirements to Outsiders ?
  • 69. The Encryption Algorithm We Use…
  • 70. Key Size…
  • 71. Token Types…
  • 72. Elements to be Signed…
  • 73. Elements to be Encrypted…
  • 74. Use Symmetric Key or Asymmetric Key…
  • 75. WS-Security Policy
  • 76. Finally… We All Moved to the White Board…
  • 77. http://wso2.com http://wso2.com/about/contact bizdev@wso2.com prabath@wso2.com
  • 78. Thank You…!!!
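Slides 48 to 52 say that a UsernameToken lets only authenticated users invoke the service, but the Nonce and Created elements on slide 49 are what keep a captured token from being replayed. The following is an added example, not code from the presentation or from WSO2: it builds the digest form of the token as the WS-Security UsernameToken Profile defines it (PasswordDigest = Base64(SHA-1(nonce + created + password))) and shows the checks a receiving service has to make. The user names, passwords and five-minute skew window are constructed values.

```python
import base64
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Set, Tuple

WSU_TIME = "%Y-%m-%dT%H:%M:%SZ"   # xsd:dateTime as carried in <wsu:Created>

def password_digest(nonce: bytes, created: str, password: str) -> str:
    """PasswordDigest per UsernameToken Profile 1.0: the nonce is the raw
    (Base64-decoded) bytes, Created is the literal dateTime text."""
    raw = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return base64.b64encode(raw).decode()

def make_token(username: str, password: str, now: Optional[datetime] = None) -> Dict[str, str]:
    """Client side: the four child elements of <wsse:UsernameToken> on slide 49."""
    now = now or datetime.now(timezone.utc)
    nonce = secrets.token_bytes(16)            # fresh random nonce per message
    created = now.strftime(WSU_TIME)
    return {"Username": username,
            "Password": password_digest(nonce, created, password),
            "Nonce": base64.b64encode(nonce).decode(),
            "Created": created}

class UsernameTokenVerifier:
    """Service side: digest check, freshness window, and a nonce cache.
    Cache entries can be evicted once they are older than max_skew."""
    def __init__(self, passwords: Dict[str, str], max_skew: timedelta = timedelta(minutes=5)):
        self._passwords = passwords            # constructed user store
        self._max_skew = max_skew
        self._seen: Set[Tuple[str, str]] = set()

    def verify(self, token: Dict[str, str], now: Optional[datetime] = None) -> bool:
        now = now or datetime.now(timezone.utc)
        password = self._passwords.get(token["Username"])
        if password is None:
            return False
        created = datetime.strptime(token["Created"], WSU_TIME).replace(tzinfo=timezone.utc)
        if abs(now - created) > self._max_skew:
            return False                       # stale or far-future Created
        expected = password_digest(base64.b64decode(token["Nonce"]), token["Created"], password)
        if not hmac.compare_digest(expected, token["Password"]):
            return False                       # wrong password or tampered token
        key = (token["Username"], token["Nonce"])
        if key in self._seen:
            return False                       # replay of an already accepted token
        self._seen.add(key)
        return True
```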