WSO2 SOA Security
Transcript

  • 1. Santa Clara, CA Secured SOA By Prabath Siriwardena ~ WSO2
  • 2. Securing a Web Service..???
  • 3. People Can SEE What You Send
  • 4. People Can ALTER What You Send
  • 5. People Can ALTER What You Send
  • 6. Anyone Can CALL Your Service
  • 7. People SEE What’s On
  • 8. People Can ALTER What’s On
  • 9. People Can ALTER What’s On
  • 10. HTTP is NOT Secured
  • 11. HTTPS
  • 12. HTTPS is Transport Level
  • 13. Security inherited from the transport channel
  • 14. Safe only while on the transport
  • 15. Parts of the message CANNOT BE encrypted
  • 16. Authenticating with HTTPS ?
  • 17. BasicAuth
  • 18. Mutual Authentication
  • 19. SSL Handshake
  • 20. CLIENT_HELLO Highest SSL Version, Ciphers Supported, Data Compression Methods, SessionId = 0, Random Data
  • 21. SERVER_HELLO Selected SSL Version, Selected Cipher, Selected Data Compression Method, Assigned Session Id, Random Data
  • 22. CERTIFICATE Public Key, Authentication Signature
  • 23. CLIENT_CERT_REQUEST [Optional]
  • 24. CLIENT_CERT [Optional]
  • 25. CLIENT_KEY_EXCHANGE
  • 26. CERTIFICATE_VERIFY [Optional]
  • 27. CHANGE_CIPHER_SPEC
  • 28. FINISHED
  • 29. CHANGE_CIPHER_SPEC
  • 30. FINISHED
  • 31. MONDAY Morning
  • 32. NOT Happy With HTTPS
  • 33. Requires END To END Security
  • 34. Parts of message need to be Encrypted
  • 35. <soap:Envelope> <soap:Body> <ns1:withdrawMoney> <param1></param1> <param2></param2> <param3></param3> </ns1:withdrawMoney> </soap:Body> </soap:Envelope>
  • 36. <soap:Envelope> <soap:Body> <ns1:withdrawMoney> <param1></param1> <param2></param2> <param3></param3> </ns1:withdrawMoney> </soap:Body> </soap:Envelope>
  • 37. Message Level Security
  • 38. XML Encryption
  • 39. XML Signature
  • 40. WS - Security
  • 41. Confidentiality
  • 42. Integrity
  • 43. NON - Repudiation
  • 44. Authentication
  • 45. UsernameToken
  • 46. <wsse:UsernameToken wsu:Id="Example-1"> <wsse:Username> ... </wsse:Username> <wsse:Password Type="..."> ... </wsse:Password> <wsse:Nonce EncodingType="..."> ... </wsse:Nonce> <wsu:Created> ... </wsu:Created> </wsse:UsernameToken>
  • 47. NOBODY Can See the Message in Clear Text Other than the Intended Recipient
  • 48. NOBODY In the Middle Can ALTER the Message
  • 49. Only the Authenticated Users Can Invoke the Service
  • 50. Sign & Encrypt OR Encrypt & Sign
  • 51. Sign & Encrypt Message Signature
  • 52. XML Signature defines THREE types of signatures
  • 53. <Message> <Signature> </Signature> </Message>
  • 54. <Signature> <Message> </Message> </Signature>
  • 55. <Signature> </Signature> <Message> </Message>
  • 56. <Envelope> <Header> <Signature> </Signature> </Header> <Body> <Message> </Message> </Body> </Envelope>
  • 57. Sign & Encrypt With WS-Security
  • 58. 1 <Envelope> <Body> <Message> </Message> </Body> </Envelope>
  • 59. 2 <Envelope> <Header> <Signature> </Signature> </Header> <Body> <Message> </Message> </Body> </Envelope>
  • 60. 3 <Envelope> <Header> <Signature> </Signature> </Header> <Body> <EncryptedData> </EncryptedData> </Body> </Envelope>
  • 61. Encrypt & Sign Message Signature
  • 62. 1 <Envelope> <Body> <Message> </Message> </Body> </Envelope>
  • 63. 2 <Envelope> <Body> <EncryptedData> </EncryptedData> </Body> </Envelope>
  • 64. 3 <Envelope> <Header> <Signature> </Signature> </Header> <Body> <EncryptedData> </EncryptedData> </Body> </Envelope>
  • 65. WS-Security: XML Signature, XML Encryption, Username Token Profile, X.509 Token Profile
  • 66. DONE with My First Assignment
  • 67. BUT… Paul NOT Happy
  • 68. Authentication LIMITED to INTERNAL Users ONLY
  • 69. Users OUTSIDE Our Domain Need ACCESS
  • 70. We DON’T Have Their Credentials
  • 71. We Can’t Use UsernameToken
  • 72. Delegate Authentication to the External Domain itself
  • 73. They Should Know How to Authenticate Their Own Users
  • 74. We TRUST What the External Domain Says
  • 75. WS-TRUST
  • 76. <s:Envelope> <s:Header> <wsa:Action> http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue </wsa:Action> </s:Header> <s:Body> <wst:RequestSecurityToken> <wst:TokenType> http://example.org/mySpecialToken </wst:TokenType> <wst:RequestType> http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue </wst:RequestType> </wst:RequestSecurityToken> </s:Body> </s:Envelope>
  • 77. <s:Envelope> <s:Header> <wsa:Action> http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/Issue </wsa:Action> </s:Header> <s:Body> <wst:RequestSecurityTokenResponseCollection> <wst:RequestSecurityTokenResponse> <wst:RequestedSecurityToken> <xyz:CustomToken xmlns:xyz="..."> </xyz:CustomToken> </wst:RequestedSecurityToken> </wst:RequestSecurityTokenResponse> </wst:RequestSecurityTokenResponseCollection> </s:Body> </s:Envelope>
  • 78. WS-Trust / WS-Security: Username Token Profile, X.509 Token Profile, XML Signature, XML Encryption
  • 79. Another Problem on HAND…
  • 80. How Do We Communicate our Security Requirements to Outsiders ?
  • 81. The Encryption Algorithm We Use…
  • 82. Key Size…
  • 83. Token Types…
  • 84. Elements to be Signed…
  • 85. Elements to be Encrypted…
  • 86. Use Symmetric Key or Asymmetric Key…
  • 87. WS-Security Policy
  • 88. Finally… all on the White Board…
  • 89. http://wso2.com http://wso2.com/about/contact bizdev@wso2.com prabath@wso2.com
  • 90. Thank You…!!!
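The UsernameToken on slide 46 carries a Nonce and Created element alongside the Password. As an added example, not from the slides or from WSO2, this computes the profile's PasswordDigest on the client side and verifies it on the server side, using the Created timestamp and a nonce cache to reject stale and replayed tokens; the account, password and 5 minute freshness window are constructed values.

```python
import base64
import hashlib
import secrets
from datetime import datetime, timedelta, timezone

# Constructed demo values, not from the slides: one account and a 5 minute freshness window.
PASSWORD = "s3cret-demo"
FRESHNESS = timedelta(minutes=5)
SEEN_NONCES = set()   # server-side replay cache of accepted nonces (in-memory for the demo)

def utc_now_string(offset_seconds=0):
    """xsd:dateTime in UTC as carried in <wsu:Created>; the offset lets a test build a stale token."""
    t = datetime.now(timezone.utc) + timedelta(seconds=offset_seconds)
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")

def password_digest(nonce_b64, created, password):
    """PasswordDigest per the UsernameToken Profile: Base64(SHA-1(nonce || created || password)),
    where nonce is the raw (base64-decoded) bytes and created/password are UTF-8 strings."""
    nonce = base64.b64decode(nonce_b64)
    digest = hashlib.sha1(nonce + created.encode("utf-8") + password.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")

def build_token(username, password, created=None):
    """Client side: fresh 16-byte nonce, UTC Created, and the digest instead of the clear password.
    Returns the UsernameToken child elements as a dict."""
    created = created or utc_now_string()
    nonce_b64 = base64.b64encode(secrets.token_bytes(16)).decode("ascii")
    return {"Username": username, "Nonce": nonce_b64, "Created": created,
            "Password": password_digest(nonce_b64, created, password)}

def verify_token(token, lookup_password):
    """Server side: reject a Created outside the freshness window, reject a replayed nonce,
    then compare digests in constant time. The nonce is cached only after a successful check."""
    created = datetime.strptime(token["Created"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if abs(datetime.now(timezone.utc) - created) > FRESHNESS:
        return False
    if token["Nonce"] in SEEN_NONCES:
        return False
    expected = password_digest(token["Nonce"], token["Created"], lookup_password(token["Username"]))
    if not secrets.compare_digest(expected, token["Password"]):
        return False
    SEEN_NONCES.add(token["Nonce"])
    return True

if __name__ == "__main__":
    tok = build_token("alice", PASSWORD)
    print("first use:", verify_token(tok, lambda u: PASSWORD))   # True
    print("replay:   ", verify_token(tok, lambda u: PASSWORD))   # False
```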
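Slides 57 to 64 show the two orderings of signing and encrypting a WS-Security Body. As an added example, not from the slides or from WSO2, this models both orderings on the sending and receiving side and shows where an altered message is caught: with Sign & Encrypt the receiver has to decrypt before it can check the signature, while with Encrypt & Sign the signature over EncryptedData rejects the message before anything is decrypted. HMAC-SHA256 and a SHA-256 keystream are stand-ins for XML Signature and XML Encryption so the code runs with the standard library only, and the keys are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed demo keys, not from the slides. HMAC-SHA256 stands in for XML Signature and a
# SHA-256 counter keystream stands in for the block cipher XML Encryption would use.
SIGN_KEY = secrets.token_bytes(32)
ENC_KEY = secrets.token_bytes(32)

def sign(data):
    return hmac.new(SIGN_KEY, data, hashlib.sha256).digest()

def verify(data, sig):
    return hmac.compare_digest(sign(data), sig)

def xcrypt(data, nonce):
    """Toy stream cipher: XOR with SHA-256(key || nonce || block counter). The same call decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        keystream = hashlib.sha256(ENC_KEY + nonce + i.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], keystream))
    return bytes(out)

# Sign & Encrypt (slides 58-60): the Header Signature covers the plaintext Body, then the Body becomes EncryptedData.
def send_sign_then_encrypt(body):
    nonce = secrets.token_bytes(16)
    return {"Signature": sign(body), "Nonce": nonce, "EncryptedData": xcrypt(body, nonce)}

def receive_sign_then_encrypt(msg):
    body = xcrypt(msg["EncryptedData"], msg["Nonce"])   # must decrypt before the signature can be checked
    if not verify(body, msg["Signature"]):
        return {"ok": False, "rejected": "after decryption", "body": None}
    return {"ok": True, "rejected": None, "body": body}

# Encrypt & Sign (slides 62-64): the Body is encrypted first, then the Header Signature covers EncryptedData.
def send_encrypt_then_sign(body):
    nonce = secrets.token_bytes(16)
    enc = xcrypt(body, nonce)
    return {"Signature": sign(enc), "Nonce": nonce, "EncryptedData": enc}

def receive_encrypt_then_sign(msg):
    if not verify(msg["EncryptedData"], msg["Signature"]):
        return {"ok": False, "rejected": "before decryption", "body": None}  # altered data is never decrypted
    return {"ok": True, "rejected": None, "body": xcrypt(msg["EncryptedData"], msg["Nonce"])}

def flip_bit(msg):
    """Model of an in-transit alteration (slide 48): one bit of the ciphertext is flipped."""
    enc = bytearray(msg["EncryptedData"])
    enc[0] ^= 0x01
    return {**msg, "EncryptedData": bytes(enc)}
```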