WSO2 SOA Security

    WSO2 SOA Security - Presentation Transcript

    1. Santa Clara, CA Secured SOA By Prabath Siriwardena ~ WSO2
    2. Securing a Web Service...?
    3. People Can SEE What You Send
    4. People Can ALTER What You Send
    5. People Can ALTER What You Send
    6. Anyone Can CALL Your Service
    7. People SEE What’s On
    8. People Can ALTER What’s On
    9. People Can ALTER What’s On
    10. HTTP is NOT Secured
    11. HTTPS
    12. HTTPS is Transport Level
    13. Security inherited from the transport channel
    14. Safe only while on the transport
    15. Individual parts of the message CANNOT BE encrypted selectively: HTTPS protects the whole channel or nothing
    16. Authenticating with HTTPS ?
    17. BasicAuth
    18. Mutual Authentication
    19. SSL Handshake
    20. CLIENT_HELLO Highest SSL Version, Ciphers Supported, Data Compression Methods, SessionId = 0, Random Data
    21. SERVER_HELLO Selected SSL Version, Selected Cipher, Selected Data Compression Method, Assigned Session Id, Random Data
    22. CERTIFICATE Public Key, Authentication Signature
    23. CLIENT_CERT_REQUEST [Optional]
    24. CLIENT_CERT [Optional]
    25. CLIENT_KEY_EXCHANGE
    26. CERTIFICATE_VERIFY [Optional]
    27. CHANGE_CIPHER_SPEC
    28. FINISHED
    29. CHANGE_CIPHER_SPEC
    30. FINISHED
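The CLIENT_HELLO on slide 20 is the one handshake message that is always sent in clear text, and it tells you exactly what the client is willing to negotiate. Below is an added example (not from the slides or from WSO2) that parses a ClientHello record field by field in the order slide 20 lists them and flags what a reviewer wants to know: weak cipher suites offered, and compression other than null. The sample bytes are constructed rather than captured, and the cipher suite names and the WEAK_SUITES set are this example's own choices.

```python
import struct

TLS_VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
CIPHER_NAMES = {
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}
# Suites a reviewer would flag: static RSA key exchange (no forward secrecy)
# or a deprecated block cipher. Chosen for this example.
WEAK_SUITES = {0x009C, 0x000A}

# Constructed ClientHello (not a capture): record header, handshake header,
# client_version, 32 random bytes, empty session id, 3 suites, null compression.
SAMPLE_CLIENT_HELLO = bytes.fromhex(
    "16 03 01 00 31"            # record: type handshake(22), version 3.1, length 49
    "01 00 00 2d"               # handshake: type client_hello(1), length 45
    "03 03"                     # client_version: TLS 1.2 ("highest version")
    + "11" * 32 +               # random (constructed, all 0x11)
    "00"                        # session_id length 0: no resumption
    "00 06 c0 2f 00 9c 00 0a"   # cipher_suites: 6 bytes = 3 suites, client preference order
    "01 00"                     # compression_methods: 1 byte, null only
)


def _take(buf: bytes, pos: int, n: int):
    """Slice n bytes at pos or raise; every length-prefixed field goes through this."""
    if pos + n > len(buf):
        raise ValueError(f"truncated ClientHello at offset {pos}")
    return buf[pos:pos + n], pos + n


def _name(suite: int) -> str:
    return CIPHER_NAMES.get(suite, f"0x{suite:04x}")


def parse_client_hello(data: bytes) -> dict:
    hdr, pos = _take(data, 0, 5)
    if hdr[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    record, _ = _take(data, pos, struct.unpack(">H", hdr[3:5])[0])
    if record[0] != 0x01:
        raise ValueError("not a ClientHello")
    body, _ = _take(record, 4, int.from_bytes(record[1:4], "big"))

    pos = 0
    ver, pos = _take(body, pos, 2)
    rnd, pos = _take(body, pos, 32)
    sid_len, pos = _take(body, pos, 1)
    session_id, pos = _take(body, pos, sid_len[0])
    cs_len, pos = _take(body, pos, 2)
    cs_len = struct.unpack(">H", cs_len)[0]
    if cs_len == 0 or cs_len % 2:
        raise ValueError("bad cipher_suites length")
    cs, pos = _take(body, pos, cs_len)
    suites = [struct.unpack(">H", cs[i:i + 2])[0] for i in range(0, cs_len, 2)]
    cm_len, pos = _take(body, pos, 1)
    cm, pos = _take(body, pos, cm_len[0])
    return {
        "version": TLS_VERSIONS.get(struct.unpack(">H", ver)[0], f"unknown 0x{ver.hex()}"),
        "random": rnd.hex(),
        "session_id": session_id.hex(),
        "cipher_suites": [_name(s) for s in suites],
        "compression": list(cm),
        "extensions_bytes": len(body) - pos,   # TLS extensions follow; not parsed here
        # What a reviewer cares about: weak suites offered, and any compression
        # other than null (the CRIME attack depends on it).
        "weak_suites": [_name(s) for s in suites if s in WEAK_SUITES],
        "compression_offered": any(m != 0 for m in cm),
    }


def is_well_formed(data: bytes) -> bool:
    """True when parse_client_hello accepts the bytes; False on any structural error."""
    try:
        parse_client_hello(data)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for k, v in parse_client_hello(SAMPLE_CLIENT_HELLO).items():
        print(f"{k:20} {v}")
```

Every field is read through `_take`, so a ClientHello whose length prefixes disagree with the bytes actually present is rejected instead of being read past its end; that is the check most hand-rolled TLS parsers get wrong.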
    31. MONDAY Morning
    32. NOT Happy With HTTPS
    33. Requires END To END Security
    34. Parts of message need to be Encrypted
    35. <soap:Envelope> <soap:Body> <ns1:withdrawMoney> <param1></param1> <param2></param2> <param3></param3> </ns1:withdrawMoney> </soap:Body> </soap:Envelope>
    36. <soap:Envelope> <soap:Body> <ns1:withdrawMoney> <param1></param1> <param2></param2> <param3></param3> </ns1:withdrawMoney> </soap:Body> </soap:Envelope>
    37. Message Level Security
    38. XML Encryption
    39. XML Signature
    40. WS-Security
    41. Confidentiality
    42. Integrity
    43. Non-Repudiation
    44. Authentication
    45. UsernameToken
    46. <wsse:UsernameToken wsu:Id="Example-1"> <wsse:Username> ... </wsse:Username> <wsse:Password Type="..."> ... </wsse:Password> <wsse:Nonce EncodingType="..."> ... </wsse:Nonce> <wsu:Created> ... </wsu:Created> </wsse:UsernameToken>
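The wsse:UsernameToken on slide 46 carries a Password of Type PasswordDigest, a Nonce and a Created timestamp; the Username Token Profile defines the digest as Base64(SHA-1(nonce + created + password)). The following is an added example, not part of the presentation or of WSO2's code, that builds such a token on the client side and verifies it on the service side with the three checks that make the digest worth anything: freshness of Created, rejection of a reused nonce, and a constant-time digest comparison. The namespace and Type URIs are the real ones from the specification; the user database, password, fixed clock value and wsu:Id are constructed for the demo.

```python
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Namespace and type URIs from WS-Security 1.0 and the Username Token Profile 1.0.
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PASSWORD_DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
BASE64_BINARY = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ET.register_namespace("wsse", WSSE)
ET.register_namespace("wsu", WSU)
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """PasswordDigest = Base64(SHA-1(nonce + created + password)), as the profile defines it."""
    raw = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return base64.b64encode(raw).decode()


def build_username_token(username: str, password: str, now: datetime, nonce: bytes = None) -> str:
    """Client side: the wsse:UsernameToken of slide 46 with a digest password."""
    nonce = nonce if nonce is not None else os.urandom(16)
    created = now.astimezone(timezone.utc).strftime(TIME_FMT)
    tok = ET.Element(f"{{{WSSE}}}UsernameToken", {f"{{{WSU}}}Id": "UsernameToken-1"})
    ET.SubElement(tok, f"{{{WSSE}}}Username").text = username
    ET.SubElement(tok, f"{{{WSSE}}}Password", {"Type": PASSWORD_DIGEST}).text = password_digest(nonce, created, password)
    ET.SubElement(tok, f"{{{WSSE}}}Nonce", {"EncodingType": BASE64_BINARY}).text = base64.b64encode(nonce).decode()
    ET.SubElement(tok, f"{{{WSU}}}Created").text = created
    return ET.tostring(tok, encoding="unicode")


class UsernameTokenVerifier:
    """Service side. Needs the users' passwords in clear (the digest scheme requires it),
    a freshness window for wsu:Created and a replay cache of accepted nonces."""

    def __init__(self, passwords: dict, max_skew: timedelta = timedelta(minutes=5)):
        self.passwords = passwords
        self.max_skew = max_skew
        self.seen_nonces = set()   # in production: bounded to max_skew, shared across nodes

    def verify(self, token_xml: str, now: datetime) -> str:
        tok = ET.fromstring(token_xml)
        username = tok.findtext(f"{{{WSSE}}}Username")
        pw = tok.find(f"{{{WSSE}}}Password")
        nonce_el = tok.find(f"{{{WSSE}}}Nonce")
        created = tok.findtext(f"{{{WSU}}}Created")
        if pw is None or pw.get("Type") != PASSWORD_DIGEST or nonce_el is None or not created:
            raise ValueError("only PasswordDigest tokens with Nonce and Created are accepted")
        created_dt = datetime.strptime(created, TIME_FMT).replace(tzinfo=timezone.utc)
        if abs(now - created_dt) > self.max_skew:
            raise ValueError("Created is outside the freshness window")
        nonce = base64.b64decode(nonce_el.text or "")
        if nonce in self.seen_nonces:
            raise ValueError("nonce already used (replay)")
        if username not in self.passwords:
            raise ValueError("unknown user")
        expected = password_digest(nonce, created, self.passwords[username])
        if not hmac.compare_digest(expected.encode(), (pw.text or "").encode()):
            raise ValueError("password digest mismatch")
        self.seen_nonces.add(nonce)   # remember the nonce only once every check has passed
        return username

    def check(self, token_xml: str, now: datetime):
        """(username, None) on success, (None, reason) on failure."""
        try:
            return self.verify(token_xml, now), None
        except ValueError as exc:
            return None, str(exc)


DEMO_NOW = datetime(2009, 6, 1, 12, 0, tzinfo=timezone.utc)   # fixed clock, constructed


def demo() -> list:
    v = UsernameTokenVerifier({"alice": "s3cret"})
    good = build_username_token("alice", "s3cret", DEMO_NOW)
    return [
        v.check(good, DEMO_NOW),                                                          # accepted
        v.check(good, DEMO_NOW),                                                          # same token again
        v.check(build_username_token("alice", "s3cret", DEMO_NOW), DEMO_NOW + timedelta(minutes=6)),
        v.check(build_username_token("alice", "wrong", DEMO_NOW), DEMO_NOW),
        v.check(build_username_token("mallory", "x", DEMO_NOW), DEMO_NOW),
    ]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

Two caveats follow from the construction. The digest hides the password from the wire only if the nonce is never reused and Created is enforced, which is why the replay cache and the freshness window are not optional. And because the service must hold the cleartext password (or something equivalent to it) to recompute the digest, PasswordDigest does not remove the need to protect the password store; a PasswordText token, by contrast, has no protection at all without the HTTPS of slide 11 underneath it.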
    47. NOBODY Can See the Message in Clear Text Other than the Intended Recipient
    48. NOBODY In the Middle Can ALTER the Message
    49. Only the Authenticated Users Can Invoke the Service
    50. Sign & Encrypt OR Encrypt & Sign
    51. Sign & Encrypt (Message Signature)
    52. XML Signature defines THREE types of signatures: enveloped, enveloping and detached
    53. Enveloped (the Signature is a child of the signed element): <Message> <Signature> </Signature> </Message>
    54. Enveloping (the signed content is a child of the Signature): <Signature> <Message> </Message> </Signature>
    55. Detached (signature and signed content are siblings, or separate documents): <Signature> </Signature> <Message> </Message>
    56. WS-Security uses the detached form: the Signature sits in the SOAP Header and references the Body: <Envelope> <Header> <Signature> </Signature> </Header> <Body> <Message> </Message> </Body> </Envelope>
    57. Sign & Encrypt With WS-Security
    58. 1 <Envelope> <Body> <Message> </Message> </Body> </Envelope>
    59. 2 <Envelope> <Header> <Signature> </Signature> </Header> <Body> <Message> </Message> </Body> </Envelope>
    60. 3 <Envelope> <Header> <Signature> </Signature> </Header> <Body> <EncryptedData> </EncryptedData> </Body> </Envelope>
    61. Encrypt & Sign (Message Signature)
    62. 1 <Envelope> <Body> <Message> </Message> </Body> </Envelope>
    63. 2 <Envelope> <Body> <EncryptedData> </EncryptedData> </Body> </Envelope>
    64. 3 <Envelope> <Header> <Signature> </Signature> </Header> <Body> <EncryptedData> </EncryptedData> </Body> </Envelope>
    65. The WS-Security stack: WS-Security on top; beneath it XML Signature and XML Encryption, with the Username Token Profile and the X.509 Token Profile defining the tokens
    66. DONE with My First Assignment
    67. BUT… Paul NOT Happy 
    68. Authentication LIMITED to INTERNAL Users ONLY
    69. Users OUT SIDE Our Domain Need ACCESS
    70. We DON’T Have Their Credentials
    71. We Can’t Use UsernameToken 
    72. Delegate Authentication to the External Domain itself
    73. They Should Know How to Authenticate Their Own Users
    74. We TRUST What the External Domain Says
    75. WS-Trust
    76. <s:Envelope> <s:Header> <wsa:Action> http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue </wsa:Action> </s:Header> <s:Body> <wst:RequestSecurityToken> <wst:TokenType> http://example.org/mySpecialToken </wst:TokenType> <wst:RequestType> http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue </wst:RequestType> </wst:RequestSecurityToken> </s:Body> </s:Envelope>
    77. <s:Envelope> <s:Header> <wsa:Action> http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/Issue </wsa:Action> </s:Header> <s:Body> <wst:RequestSecurityTokenResponseCollection> <wst:RequestSecurityTokenResponse> <wst:RequestedSecurityToken> <xyz:CustomToken xmlns:xyz="..."> </xyz:CustomToken> </wst:RequestedSecurityToken> </wst:RequestSecurityTokenResponse> </wst:RequestSecurityTokenResponseCollection> </s:Body> </s:Envelope>
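Slides 76 and 77 show the RST and the RSTR on the wire but not what either domain checks. This added example, not from the presentation or from WSO2, puts a minimal STS on the external domain's side and a relying party on ours: the STS validates the Issue request and returns a signed CustomToken inside the RSTR, and our service accepts that token only if it was issued by a domain we hold a key for, is unexpired and carries a valid signature. The wst, wsa and SOAP namespaces and the Action, RequestType and TokenType URIs are the ones on the slides; the xyz namespace, the token fields, the shared keys, the clock value and the HMAC standing in for an XML Signature are assumptions made for the demo.

```python
import base64
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

S = "http://www.w3.org/2003/05/soap-envelope"            # SOAP 1.2
WSA = "http://www.w3.org/2005/08/addressing"             # WS-Addressing
WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"  # WS-Trust 1.3
ISSUE_ACTION = WST + "/RST/Issue"             # wsa:Action on slide 76
ISSUE_RESPONSE_ACTION = WST + "/RSTR/Issue"   # wsa:Action on slide 77
ISSUE_REQUEST = WST + "/Issue"                # wst:RequestType on slide 76
TOKEN_TYPE = "http://example.org/mySpecialToken"   # wst:TokenType on slide 76
XYZ = "http://example.org/tokens"                  # assumed namespace for xyz:CustomToken
for prefix, uri in (("s", S), ("wsa", WSA), ("wst", WST), ("xyz", XYZ)):
    ET.register_namespace(prefix, uri)
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def build_rst(token_type: str = TOKEN_TYPE) -> str:
    """Requester -> STS: the RequestSecurityToken envelope of slide 76."""
    env = ET.Element(f"{{{S}}}Envelope")
    ET.SubElement(ET.SubElement(env, f"{{{S}}}Header"), f"{{{WSA}}}Action").text = ISSUE_ACTION
    rst = ET.SubElement(ET.SubElement(env, f"{{{S}}}Body"), f"{{{WST}}}RequestSecurityToken")
    ET.SubElement(rst, f"{{{WST}}}TokenType").text = token_type
    ET.SubElement(rst, f"{{{WST}}}RequestType").text = ISSUE_REQUEST
    return ET.tostring(env, encoding="unicode")


def _token_mac(key: bytes, issuer: str, subject: str, expires: str) -> str:
    # Stand-in for the XML Signature a real STS puts on the token: HMAC over the claims.
    msg = "|".join((issuer, subject, expires)).encode()
    return base64.b64encode(hmac.new(key, msg, "sha256").digest()).decode()


def sts_issue(rst_xml: str, authenticated_subject: str, issuer: str, key: bytes, now: datetime) -> str:
    """The external domain's STS. It has already authenticated its own user by whatever
    means it uses (slide 73); here it checks the request and answers with the RSTR of slide 77."""
    env = ET.fromstring(rst_xml)
    if env.findtext(f"{{{S}}}Header/{{{WSA}}}Action") != ISSUE_ACTION:
        raise ValueError("unexpected wsa:Action")
    rst = env.find(f"{{{S}}}Body/{{{WST}}}RequestSecurityToken")
    if rst is None or rst.findtext(f"{{{WST}}}RequestType") != ISSUE_REQUEST:
        raise ValueError("only Issue requests are supported")
    if rst.findtext(f"{{{WST}}}TokenType") != TOKEN_TYPE:
        raise ValueError("unsupported TokenType")
    expires = (now + timedelta(minutes=10)).strftime(TIME_FMT)
    out = ET.Element(f"{{{S}}}Envelope")
    ET.SubElement(ET.SubElement(out, f"{{{S}}}Header"), f"{{{WSA}}}Action").text = ISSUE_RESPONSE_ACTION
    coll = ET.SubElement(ET.SubElement(out, f"{{{S}}}Body"), f"{{{WST}}}RequestSecurityTokenResponseCollection")
    rstr = ET.SubElement(coll, f"{{{WST}}}RequestSecurityTokenResponse")
    ET.SubElement(rstr, f"{{{WST}}}TokenType").text = TOKEN_TYPE
    tok = ET.SubElement(ET.SubElement(rstr, f"{{{WST}}}RequestedSecurityToken"), f"{{{XYZ}}}CustomToken")
    ET.SubElement(tok, f"{{{XYZ}}}Issuer").text = issuer
    ET.SubElement(tok, f"{{{XYZ}}}Subject").text = authenticated_subject
    ET.SubElement(tok, f"{{{XYZ}}}Expires").text = expires
    ET.SubElement(tok, f"{{{XYZ}}}Signature").text = _token_mac(key, issuer, authenticated_subject, expires)
    return ET.tostring(out, encoding="unicode")


def relying_party_accept(rstr_xml: str, trusted_issuers: dict, now: datetime) -> str:
    """Our service (slide 74): trust is one key per external domain; everything else is refused."""
    env = ET.fromstring(rstr_xml)
    tok = env.find(f".//{{{WST}}}RequestedSecurityToken/{{{XYZ}}}CustomToken")
    if tok is None:
        raise ValueError("no CustomToken in RSTR")
    issuer, subject, expires, sig = (tok.findtext(f"{{{XYZ}}}{n}") or "" for n in ("Issuer", "Subject", "Expires", "Signature"))
    key = trusted_issuers.get(issuer)
    if key is None:
        raise ValueError(f"issuer {issuer!r} is not trusted")
    if datetime.strptime(expires, TIME_FMT).replace(tzinfo=timezone.utc) <= now:
        raise ValueError("token expired")
    if not hmac.compare_digest(sig.encode(), _token_mac(key, issuer, subject, expires).encode()):
        raise ValueError("token signature invalid")
    return f"{subject}@{issuer}"


def demo() -> list:
    now = datetime(2009, 6, 1, 12, 0, tzinfo=timezone.utc)      # fixed clock, constructed
    partner_key = b"key-shared-with-partner-sts"                 # constructed; this IS the trust relationship
    trusted = {"partner.example": partner_key}
    good = sts_issue(build_rst(), "bob", "partner.example", partner_key, now)
    cases = [
        (good, now),                                                                   # accepted
        (sts_issue(build_rst(), "mallory", "rogue.example", b"other-key", now), now),  # issuer we never trusted
        (sts_issue(build_rst(), "bob", "partner.example", b"wrong-key", now), now),    # claims our partner, wrong key
        (good, now + timedelta(hours=1)),                                              # presented after expiry
    ]
    results = []
    for rstr, when in cases:
        try:
            results.append(relying_party_accept(rstr, trusted, when))
        except ValueError as exc:
            results.append(str(exc))
    return results
```

The point of the relying-party function is that "we trust what the external domain says" (slide 74) reduces to a short list of issuers and a key for each: a token from any other issuer, or from someone pretending to be a known issuer without its key, never reaches the authorisation logic. A real deployment would use a SAML assertion with an XML Signature instead of the HMAC and would also bind the token to the requester, which this example leaves out.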
    78. The stack now with WS-Trust on top of WS-Security, which in turn rests on XML Signature, XML Encryption, the Username Token Profile and the X.509 Token Profile
    79. Another Problem on HAND…
    80. How Do We Communicate our Security Requirements to Outsiders ?
    81. The Encryption Algorithm We Use…
    82. Key Size…
    83. Token Types…
    84. Elements to be Signed…
    85. Elements to be Encrypted…
    86. Use Symmetric Key or Asymmetric Key…
    87. WS-SecurityPolicy
    88. Finally… all on the White Board…
    89. http://wso2.com http://wso2.com/about/contact bizdev@wso2.com prabath@wso2.com
    90. Thank You…!!!