Web Service Security


Published on

  • Be the first to comment

Web Service Security

  1. Web service security
  2. Web service security standards
     XML digital signature (IETF and W3C)
     XML Encryption (W3C)
     SAML (Security Assertion Markup Language) (OASIS)
     WS-Security (Web Services Security) (OASIS)
     WS-SecureConversation
     WS-Federation
     WS-Policy
     WS-Trust
     WS-Privacy
     XACML (Extensible Access Control Markup Language) (OASIS)
  3. XML Encryption
     When encrypting an XML element or element content, the EncryptedData element replaces the element or content (respectively) in the encrypted version of the XML document.
       <EncryptedData Id Type MimeType Encoding>
         <EncryptionMethod/>
         <ds:KeyInfo>
           <EncryptedKey>
           <AgreementMethod>
           <ds:KeyName>
           <ds:RetrievalMethod>
           <ds:*>
         </ds:KeyInfo>
         <CipherData>
           <CipherValue>
           <CipherReference URI>
         </CipherData>
         <EncryptionProperties>
       </EncryptedData>
  4. XML Encryption example
     Before encryption:
       <?xml version='1.0'?>
       <PaymentInfo xmlns=''>
         <Name>John Smith</Name>
         <CreditCard Limit='5,000' Currency='USD'>
           <Number>4019 2445 0277 5567</Number>
           <Issuer>Example Bank</Issuer>
           <Expiration>04/02</Expiration>
         </CreditCard>
       </PaymentInfo>
     After encrypting the content of the Number element:
       <?xml version='1.0'?>
       <PaymentInfo xmlns=''>
         <Name>John Smith</Name>
         <CreditCard Limit='5,000' Currency='USD'>
           <Number>
             <EncryptedData xmlns='' Type=''>
               <CipherData>
                 <CipherValue>A23B45C56</CipherValue>
               </CipherData>
             </EncryptedData>
           </Number>
           <Issuer>Example Bank</Issuer>
           <Expiration>04/02</Expiration>
         </CreditCard>
       </PaymentInfo>
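The following is an added example (not part of the slides) of the replacement the slide describes: the content of the Number element is encrypted, the plaintext is removed from the document, and an xenc:EncryptedData element of Type #Content takes its place; decryption reverses the step. Because it uses only the Python standard library, the cipher is a constructed stand-in (SHA-256 in counter mode with an HMAC tag) identified by a made-up algorithm URI; a real document would name a standard EncryptionMethod such as AES-GCM. The sample document, key and algorithm identifier are all constructed.

```python
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

XENC = "http://www.w3.org/2001/04/xmlenc#"
ET.register_namespace("xenc", XENC)
# Constructed identifier for the placeholder cipher below; a real document would name a
# standard EncryptionMethod from the XML Encryption spec (for example AES-GCM) here.
DEMO_ALG = "urn:example:sha256-ctr-then-hmac"
DEMO_KEY = b"constructed demo key, not a real secret"

# Constructed sample document, copied from the slide above.
PAYMENT_INFO = """<PaymentInfo>
  <Name>John Smith</Name>
  <CreditCard Limit='5,000' Currency='USD'>
    <Number>4019 2445 0277 5567</Number>
    <Issuer>Example Bank</Issuer>
    <Expiration>04/02</Expiration>
  </CreditCard>
</PaymentInfo>"""

def _keys(key):
    """Derive separate keystream and MAC keys from the one shared key."""
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()

def _keystream(key, nonce, n):
    """SHA-256 in counter mode; a stdlib stand-in for a real block cipher."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def encrypt_bytes(key, plaintext):
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    enc_key, mac_key = _keys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def decrypt_bytes(key, blob):
    """Check the tag first, then strip the keystream."""
    enc_key, mac_key = _keys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("CipherValue failed its integrity check")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

def encrypt_content(elem, key):
    """Replace the content of elem (text and children) with xenc:EncryptedData, Type #Content."""
    content = escape(elem.text or "") + "".join(ET.tostring(c, encoding="unicode") for c in elem)
    blob = encrypt_bytes(key, content.encode())
    elem.text = None
    for child in list(elem):
        elem.remove(child)
    ed = ET.SubElement(elem, f"{{{XENC}}}EncryptedData", Type=XENC + "Content")
    ET.SubElement(ed, f"{{{XENC}}}EncryptionMethod", Algorithm=DEMO_ALG)
    cipher_data = ET.SubElement(ed, f"{{{XENC}}}CipherData")
    ET.SubElement(cipher_data, f"{{{XENC}}}CipherValue").text = base64.b64encode(blob).decode()

def decrypt_content(elem, key):
    """Inverse of encrypt_content: put the original content back in place."""
    ed = elem.find(f"{{{XENC}}}EncryptedData")
    if ed is None or ed.get("Type") != XENC + "Content":
        raise ValueError("no EncryptedData of Type #Content under this element")
    method = ed.find(f"{{{XENC}}}EncryptionMethod")
    if method is None or method.get("Algorithm") != DEMO_ALG:
        raise ValueError("unexpected EncryptionMethod")  # the message must not choose the algorithm
    blob = base64.b64decode(ed.findtext(f"{{{XENC}}}CipherData/{{{XENC}}}CipherValue", ""))
    wrapper = ET.fromstring("<w>" + decrypt_bytes(key, blob).decode() + "</w>")
    elem.remove(ed)
    elem.text = wrapper.text
    for child in list(wrapper):
        elem.append(child)

def demo(key=DEMO_KEY):
    """Encrypt the card number, check it left the serialized document, then restore it."""
    root = ET.fromstring(PAYMENT_INFO)
    number = root.find("CreditCard/Number")
    encrypt_content(number, key)
    hidden = number.text is None and "4019 2445" not in ET.tostring(root, encoding="unicode")
    decrypt_content(number, key)
    return hidden, number.text, root.findtext("CreditCard/Issuer")

def tamper_is_detected(key=DEMO_KEY):
    """Flip one ciphertext bit inside CipherValue; decryption must refuse the element."""
    root = ET.fromstring(PAYMENT_INFO)
    number = root.find("CreditCard/Number")
    encrypt_content(number, key)
    cv = number.find(f"{{{XENC}}}EncryptedData/{{{XENC}}}CipherData/{{{XENC}}}CipherValue")
    blob = bytearray(base64.b64decode(cv.text))
    blob[20] ^= 0x01
    cv.text = base64.b64encode(bytes(blob)).decode()
    try:
        decrypt_content(number, key)
    except ValueError:
        return True
    return False
```

Note that Name, Issuer and Expiration stay readable after encryption, exactly as in the slide: XML Encryption lets the sender choose which parts of a document to protect, which is also why the receiver must pin the EncryptionMethod it accepts rather than trust the one named in the message.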
  5. XML Signature
     Data integrity, authenticity
     Binds the sender's identity (or "signing entity") to an XML document
     Signature verification can be done using asymmetric or symmetric keys
     Ensures non-repudiation of the signing entity
     Proves that messages have not been altered since they were signed
  6. Signature Element
     XML digital signatures are represented by the Signature element:
       <Signature ID?>
         <SignedInfo>
           <CanonicalizationMethod/>
           <SignatureMethod/>
           (<Reference URI>
             <Transforms>
             <DigestMethod>
             <DigestValue>
           </Reference>)+
         </SignedInfo>
         <SignatureValue>
         <KeyInfo>
         <Object ID>
       </Signature>
  7. Signature Example
       <Signature Id="MyFirstSignature" xmlns="">
         <SignedInfo>
           <CanonicalizationMethod Algorithm=""/>
           <SignatureMethod Algorithm=""/>
           <Reference URI="">
             <Transforms>
               <Transform Algorithm=""/>
             </Transforms>
             <DigestMethod Algorithm=""/>
             <DigestValue>dGhpcyBpcyBub3QgYSBzaWduYXR1cmUK...</DigestValue>
           </Reference>
         </SignedInfo>
         <SignatureValue>...</SignatureValue>
         <KeyInfo>
           <KeyValue>
             <DSAKeyValue>
               <P>...</P><Q>...</Q><G>...</G><Y>...</Y>
             </DSAKeyValue>
           </KeyValue>
         </KeyInfo>
       </Signature>
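An added example (not from the slides) that builds and verifies the Signature element structure shown above using the symmetric option the previous slide mentions: each Reference carries a SHA-256 digest of the canonicalized element it points to, and SignatureValue is an HMAC-SHA256 over the canonicalized SignedInfo. Canonicalization uses the C14N 2.0 implementation in Python's standard library (xml.etree.ElementTree.canonicalize, Python 3.8 or later). The Message wrapper, the Id attribute on PaymentInfo and the shared key are constructed for the example.

```python
import base64
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
C14N2 = "http://www.w3.org/2010/xml-c14n2"                          # what ET.canonicalize implements
HMAC_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"  # symmetric SignatureMethod
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
ET.register_namespace("ds", DS_NS)
DEMO_KEY = b"constructed shared secret, not a real key"

# Constructed sample: the slide's PaymentInfo, given an Id so a Reference can point at it.
MESSAGE = """<Message>
  <PaymentInfo Id="payload">
    <Name>John Smith</Name>
    <CreditCard Limit="5,000" Currency="USD"><Number>4019 2445 0277 5567</Number></CreditCard>
  </PaymentInfo>
</Message>"""

def ds(tag):
    return f"{{{DS_NS}}}{tag}"

def c14n(elem):
    """Canonical byte form of one element (tail text outside it excluded)."""
    detached = copy.copy(elem)
    detached.tail = None
    return ET.canonicalize(ET.tostring(detached, encoding="unicode")).encode()

def resolve(root, uri):
    """Resolve a same-document Reference URI ('#id') to the element carrying that Id."""
    if not uri.startswith("#"):
        raise ValueError("only same-document references are supported here")
    for el in root.iter():
        if el.get("Id") == uri[1:]:
            return el
    raise ValueError(f"no element with Id {uri[1:]!r}")

def sign(root, ref_ids, key):
    """Append a ds:Signature covering the elements named by ref_ids."""
    sig = ET.SubElement(root, ds("Signature"))
    si = ET.SubElement(sig, ds("SignedInfo"))
    ET.SubElement(si, ds("CanonicalizationMethod"), Algorithm=C14N2)
    ET.SubElement(si, ds("SignatureMethod"), Algorithm=HMAC_SHA256)
    for rid in ref_ids:
        ref = ET.SubElement(si, ds("Reference"), URI="#" + rid)
        ET.SubElement(ref, ds("DigestMethod"), Algorithm=SHA256)
        digest = hashlib.sha256(c14n(resolve(root, "#" + rid))).digest()
        ET.SubElement(ref, ds("DigestValue")).text = base64.b64encode(digest).decode()
    mac = hmac.new(key, c14n(si), hashlib.sha256).digest()   # the signature covers SignedInfo only
    ET.SubElement(sig, ds("SignatureValue")).text = base64.b64encode(mac).decode()
    return sig

def verify(root, key):
    """True only if SignedInfo is authentic under key and every Reference digest still matches."""
    sig = root.find(ds("Signature"))
    si = sig.find(ds("SignedInfo")) if sig is not None else None
    if si is None:
        return False
    method = si.find(ds("SignatureMethod"))
    if method is None or method.get("Algorithm") != HMAC_SHA256:   # pin the algorithm
        return False
    expected = hmac.new(key, c14n(si), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, base64.b64decode(sig.findtext(ds("SignatureValue"), ""))):
        return False
    refs = si.findall(ds("Reference"))
    if not refs:
        return False
    for ref in refs:
        digest_method = ref.find(ds("DigestMethod"))
        if digest_method is None or digest_method.get("Algorithm") != SHA256:
            return False
        try:
            actual = hashlib.sha256(c14n(resolve(root, ref.get("URI", "")))).digest()
        except ValueError:
            return False
        if not hmac.compare_digest(actual, base64.b64decode(ref.findtext(ds("DigestValue"), ""))):
            return False
    return True

def demo(key=DEMO_KEY):
    """Sign, verify after a wire round trip, then alter the card number and verify again."""
    root = ET.fromstring(MESSAGE)
    sign(root, ["payload"], key)
    received = ET.fromstring(ET.tostring(root))       # serialize and reparse, as a receiver would
    ok_original = verify(received, key)
    ok_wrong_key = verify(received, b"some other key")
    received.find("PaymentInfo/CreditCard/Number").text = "0000 0000 0000 0000"
    ok_altered = verify(received, key)
    return ok_original, ok_wrong_key, ok_altered
```

The verifier checks SignatureValue before any digest, so only a SignedInfo that the key holder produced decides which elements are examined; the altered card number then fails its Reference digest, which is the "not altered since signed" property the slide lists.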
  8. SAML
     Developed by OASIS
     An XML framework for exchanging authentication and authorization information
     SAML assertions (an assertion is a declaration of a fact):
       authentication
       attribute
       authorization
     SAML is for:
       Single sign-on (SSO)
       Distributed transactions
       Authorization service
  9. Authentication statement
     Used for SSO
       <saml:Assertion …>
         <saml:AuthenticationStatement
             AuthenticationMethod="password"
             AuthenticationInstant="2010-02-03">
           <saml:Subject>
             <saml:NameIdentifier SecurityDomain="" Name="ABCD"/>
             <saml:ConfirmationMethod>http://…</saml:ConfirmationMethod>
           </saml:Subject>
         </saml:AuthenticationStatement>
       </saml:Assertion>
     An issuing authority asserts that subject S was authenticated by means M at time T.
  10. Attribute statement
     Used for distributed transactions
       <saml:Assertion …>
         <saml:AttributeStatement>
           <saml:Subject>..Sang..</saml:Subject>
           <saml:Attribute AttributeName="PaymentStatus" AttributeNamespace="">
             <saml:AttributeValue>PaidUp</saml:AttributeValue>
           </saml:Attribute>
           <saml:Attribute AttributeName="CreditLimit" AttributeNamespace="">
             <saml:AttributeValue>500.00</saml:AttributeValue>
           </saml:Attribute>
         </saml:AttributeStatement>
       </saml:Assertion>
     An issuing authority asserts that subject S is associated with attributes A, B, … with values 'a', 'b', …
  11. Authorization statement
     Used for authorization service
       <saml:Assertion …>
         <saml:AuthorizationStatement Decision="Allow" Resource="…">
           <saml:Subject>…</saml:Subject>
           <saml:Actions ActionNamespace="http://…">
             <saml:Action>Read</saml:Action>
           </saml:Actions>
         </saml:AuthorizationStatement>
       </saml:Assertion>
     An issuing authority decides whether to grant the request by subject S for access type A to resource R, given evidence E.
  12. WS-Security
     Extension to SOAP to apply security to Web services
     Defines how to attach XML Signature and XML Encryption headers to SOAP messages
     The WS-Security specification allows these security tokens:
       X.509 certificates
       Kerberos tickets
       UserID/Password credentials
       SAML assertions
       Custom defined tokens
  13. WS-Security with SAML example
       <SOAP-ENV:Envelope>
         <SOAP-ENV:Header>
           <wsse:Security>
             <saml:Assertion> - - - </saml:Assertion>
           </wsse:Security>
         </SOAP-ENV:Header>
         <SOAP-ENV:Body> - - - </SOAP-ENV:Body>
       </SOAP-ENV:Envelope>
  14. WS-Trust
     Framework for:
       Issuing, renewing, and validating security tokens
       Brokering trust relationships within different trust domains
  15. WS-Trust: Security Token Service
     1. WSIT client runtime requests security meta-data from the service provider (transparent to the application)
     2. The service indicates that the client needs a security token from a particular STS
     3. The client requests security meta-data from the STS
     4. The STS responds with the type of security token to be used for further communication
     5. The client requests a security token from the STS
     6. The client receives the security token issued by the STS
     7. The client invokes the service using the issued token
     8. The service provider verifies the token and performs the service
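An added example (not from the slides) that plays through the eight steps above with all three parties in one process, and that also shows the layout from slide 13: the issued saml:Assertion travels to the service inside a wsse:Security header of the SOAP envelope. The namespaces are the real WS-Trust 1.3, WSS 1.0 and SAML 2.0 ones; everything else is constructed: the STS user store and issuer name, the clock, the key shared between STS and service, and a MAC child element standing in for the ds:Signature a real STS would put on the assertion. Step 8 rejects a token that is unsigned, altered, from another issuer, or expired.

```python
import base64
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
for prefix, uri in (("soap", SOAP), ("wsse", WSSE), ("wst", WST), ("saml", SAML)):
    ET.register_namespace(prefix, uri)

STS_KEY = b"constructed key shared by the STS and the service"   # constructed, symmetric trust
USERS = {"alice": "correct horse battery"}                         # constructed STS user store
NOW = datetime(2010, 2, 3, 12, 0, tzinfo=timezone.utc)              # constructed clock

def q(ns, tag):
    return f"{{{ns}}}{tag}"

def c14n(elem):
    detached = copy.copy(elem)
    detached.tail = None
    return ET.canonicalize(ET.tostring(detached, encoding="unicode")).encode()

def envelope(header_children, body_children):
    env = ET.Element(q(SOAP, "Envelope"))
    header, body = ET.SubElement(env, q(SOAP, "Header")), ET.SubElement(env, q(SOAP, "Body"))
    header.extend(header_children)
    body.extend(body_children)
    return env

def wire(env):
    """Serialize and reparse, as a transport would; no objects are shared between parties."""
    return ET.fromstring(ET.tostring(env))

class STS:
    ISSUER = "urn:example:sts"   # constructed issuer name
    def __init__(self, key, users):
        self.key, self.users = key, users
    def metadata(self):                                      # steps 3-4
        return {"TokenType": SAML, "Issuer": self.ISSUER}
    def issue(self, rst_env, now):                           # steps 5-6
        ut = rst_env.find(f"{q(SOAP, 'Header')}/{q(WSSE, 'Security')}/{q(WSSE, 'UsernameToken')}")
        user = ut.findtext(q(WSSE, "Username")) if ut is not None else None
        pw = (ut.findtext(q(WSSE, "Password")) if ut is not None else None) or ""
        if user not in self.users or not hmac.compare_digest(self.users[user].encode(), pw.encode()):
            raise PermissionError("STS: authentication failed")
        a = ET.Element(q(SAML, "Assertion"), IssueInstant=now.isoformat())
        ET.SubElement(a, q(SAML, "Issuer")).text = self.ISSUER
        ET.SubElement(ET.SubElement(a, q(SAML, "Subject")), q(SAML, "NameID")).text = user
        ET.SubElement(a, q(SAML, "Conditions"), NotOnOrAfter=(now + timedelta(minutes=5)).isoformat())
        mac = hmac.new(self.key, c14n(a), hashlib.sha256).digest()
        ET.SubElement(a, "MAC").text = base64.b64encode(mac).decode()   # stand-in for ds:Signature
        rstr = ET.Element(q(WST, "RequestSecurityTokenResponse"))
        ET.SubElement(rstr, q(WST, "RequestedSecurityToken")).append(a)
        return envelope([], [rstr])

class Service:
    def __init__(self, sts_key, trusted_issuer):
        self.key, self.trusted_issuer = sts_key, trusted_issuer
    def metadata(self):                                      # steps 1-2
        return {"RequiredTokenIssuer": self.trusted_issuer}
    def invoke(self, env, now):                              # step 8
        a = env.find(f"{q(SOAP, 'Header')}/{q(WSSE, 'Security')}/{q(SAML, 'Assertion')}")
        if a is None:
            raise PermissionError("service: no security token in wsse:Security")
        unsigned, mac_el = copy.deepcopy(a), a.find("MAC")
        if mac_el is None:
            raise PermissionError("service: token is not signed")
        unsigned.remove(unsigned.find("MAC"))
        expected = hmac.new(self.key, c14n(unsigned), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, base64.b64decode(mac_el.text or "")):
            raise PermissionError("service: token signature invalid")
        if a.findtext(q(SAML, "Issuer")) != self.trusted_issuer:
            raise PermissionError("service: untrusted issuer")
        if now >= datetime.fromisoformat(a.find(q(SAML, "Conditions")).get("NotOnOrAfter")):
            raise PermissionError("service: token expired")
        return "balance for " + a.findtext(f"{q(SAML, 'Subject')}/{q(SAML, 'NameID')}")

def run_flow(username, password, delay_minutes=0, tampered_subject=None):
    """Client runtime for steps 1-8; returns the service result or the reason for rejection."""
    sts, service = STS(STS_KEY, USERS), Service(STS_KEY, STS.ISSUER)
    try:
        if sts.metadata()["Issuer"] != service.metadata()["RequiredTokenIssuer"]:   # steps 1-4
            raise PermissionError("client: service wants a token from a different STS")
        ut = ET.Element(q(WSSE, "UsernameToken"))
        ET.SubElement(ut, q(WSSE, "Username")).text = username
        ET.SubElement(ut, q(WSSE, "Password")).text = password
        rst = ET.Element(q(WST, "RequestSecurityToken"))
        ET.SubElement(rst, q(WST, "TokenType")).text = sts.metadata()["TokenType"]
        sec = ET.Element(q(WSSE, "Security"))
        sec.append(ut)
        rstr = wire(sts.issue(wire(envelope([sec], [rst])), NOW))                  # steps 5-6
        token = rstr.find(f".//{q(SAML, 'Assertion')}")
        if tampered_subject:   # a token edited after issue must be caught in step 8
            token.find(f"{q(SAML, 'Subject')}/{q(SAML, 'NameID')}").text = tampered_subject
        sec = ET.Element(q(WSSE, "Security"))
        sec.append(token)
        request = envelope([sec], [ET.Element("GetBalance")])                      # step 7
        return service.invoke(wire(request), NOW + timedelta(minutes=delay_minutes))  # step 8
    except PermissionError as exc:
        return "rejected: " + str(exc)
```

The service never sees the user's password: it trusts the STS's key and the token's Conditions, which is the brokering WS-Trust describes on the previous slide.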
  16. WS-SecureConversation
     WS-SecureConversation defines the creation and sharing of security contexts between communicating parties
     The <SecurityContextToken> (SCT) element supports the requirements of security contexts
     An SCT involves a shared secret used to sign and/or encrypt messages
     Derived keys are used for signing and encrypting messages associated with the security context
     WS-SecureConversation defines how derived keys are computed and passed
  17. XACML
     It is a declarative access control policy language implemented in XML, together with a processing model describing how to interpret the policies.
     Policies are defined as a collection of rules.
     Access control rule:
       Allow access to resource with attribute WebService
       if subject is Employee and action is read or write.
     Administration control rule:
       Allow delegation of access control rule #1 to subjects with attribute Consultant.
       Conditions: delegation must expire within 6 months;
       resource must not have attribute StrictlyInternal.
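An added example (not from the slides) that models the two rules above as attribute-based policy and evaluates requests against them. It is a simplified illustration written for this page, not the XACML processing model or its administration profile: a delegated copy of rule #1 counts only if its issuer carries the Consultant attribute, the copy expires within the allowed period (6 months approximated as 183 days), and the requested resource is not StrictlyInternal; rules are combined deny-overrides and anything other than Permit is treated as a denial. All subjects, dates and attribute names are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Callable, FrozenSet, List, Optional

@dataclass(frozen=True)
class Request:
    subject: FrozenSet[str]    # attributes of the requester, e.g. {"Employee"}
    resource: FrozenSet[str]   # attributes of the resource, e.g. {"WebService"}
    action: str
    today: date

@dataclass(frozen=True)
class Rule:
    name: str
    effect: str                                # "Permit" or "Deny"
    target: Callable[[Request], bool]          # does this rule apply to the request?
    issuer: Optional[FrozenSet[str]] = None    # None: the root policy administrator wrote it;
    issued: Optional[date] = None              # otherwise the attributes of the delegate who did
    expires: Optional[date] = None

@dataclass(frozen=True)
class Delegation:
    """Administration rule: who may issue a copy of of_rule, and under what conditions."""
    of_rule: str
    delegate_attr: str
    max_days: int                 # "must expire within 6 months", approximated as 183 days
    forbidden_resource_attr: str

@dataclass(frozen=True)
class Policy:
    rules: List[Rule]
    delegations: List[Delegation]

def delegation_honoured(rule, policy, req):
    """A delegated rule counts only if an administration rule authorises its issuer for this request."""
    if rule.issuer is None:
        return True
    return any(
        d.of_rule == rule.name
        and d.delegate_attr in rule.issuer
        and rule.issued is not None and rule.expires is not None
        and 0 < (rule.expires - rule.issued).days <= d.max_days
        and req.today < rule.expires
        and d.forbidden_resource_attr not in req.resource
        for d in policy.delegations)

def evaluate(policy, req):
    """Deny-overrides combination: an applicable Deny wins, then Permit, else NotApplicable."""
    effects = {r.effect for r in policy.rules if r.target(req) and delegation_honoured(r, policy, req)}
    if "Deny" in effects:
        return "Deny"
    if "Permit" in effects:
        return "Permit"
    return "NotApplicable"   # the enforcement point treats anything but Permit as a denial

def rule1_target(req):
    """Access control rule from the slide: WebService resource, Employee subject, read or write."""
    return "WebService" in req.resource and "Employee" in req.subject and req.action in {"read", "write"}

ROOT_POLICY = Policy(rules=[Rule("rule1", "Permit", rule1_target)],
                     delegations=[Delegation("rule1", "Consultant", 183, "StrictlyInternal")])

def delegated_policy(issuer, issued, expires):
    """The same policy, but with rule1 present only as a copy issued by a delegate."""
    copy_of_rule1 = Rule("rule1", "Permit", rule1_target, frozenset(issuer), issued, expires)
    return Policy([copy_of_rule1], ROOT_POLICY.delegations)

def demo():
    today = date(2010, 2, 3)
    employee = Request(frozenset({"Employee"}), frozenset({"WebService"}), "read", today)
    contractor = Request(frozenset({"Contractor"}), frozenset({"WebService"}), "read", today)
    deleting = Request(frozenset({"Employee"}), frozenset({"WebService"}), "delete", today)
    internal = Request(frozenset({"Employee"}), frozenset({"WebService", "StrictlyInternal"}), "read", today)
    short_copy = delegated_policy({"Consultant"}, date(2010, 1, 1), date(2010, 6, 1))
    long_copy = delegated_policy({"Consultant"}, date(2010, 1, 1), date(2011, 1, 1))
    by_employee = delegated_policy({"Employee"}, date(2010, 1, 1), date(2010, 6, 1))
    return {
        "root rule, employee read": evaluate(ROOT_POLICY, employee),
        "root rule, contractor": evaluate(ROOT_POLICY, contractor),
        "root rule, employee delete": evaluate(ROOT_POLICY, deleting),
        "consultant copy, 5 months": evaluate(short_copy, employee),
        "consultant copy, 12 months": evaluate(long_copy, employee),
        "consultant copy, StrictlyInternal resource": evaluate(short_copy, internal),
        "copy issued by a non-consultant": evaluate(by_employee, employee),
    }
```

The point to take from the delegated cases is that the conditions on the administration rule are checked at request time, not only when the delegate writes the copy: a copy that has outlived its allowed period, or that is applied to a StrictlyInternal resource, simply stops being applicable.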
  18. XACML benefits
     One standard access control policy language can replace dozens of application-specific languages
     Administrators save time and money because they don't need to rewrite their policies in many different languages
     XACML is flexible enough to accommodate most access control policy needs and extensible so that new requirements can be supported
     One XACML policy can cover many resources. This helps avoid inconsistent policies on different resources
     XACML allows one policy to refer to another. This is important for large organizations. For instance, a site-specific policy may refer to a company-wide policy and a country-specific policy