Web Service Security


  1. Web service security
  2. Web service security standards
     - XML digital signature (IETF and W3C)
     - XML Encryption (W3C)
     - SAML (Security Assertion Markup Language) (OASIS)
     - WS-Security (Web Services Security) (OASIS)
     - WS-SecureConversation
     - WS-Federation
     - WS-Policy
     - WS-Trust
     - WS-Privacy
     - XACML (Extensible Access Control Markup Language) (OASIS)
  3. XML Encryption
     When encrypting an XML element or element content, the EncryptedData element replaces the element or content (respectively) in the encrypted version of the XML document:

       <EncryptedData Id Type MimeType Encoding>
         <EncryptionMethod/>
         <ds:KeyInfo>
           <EncryptedKey>
           <AgreementMethod>
           <ds:KeyName>
           <ds:RetrievalMethod>
           <ds:*>
         </ds:KeyInfo>
         <CipherData>
           <CipherValue>
           <CipherReference URI>
         </CipherData>
         <EncryptionProperties>
       </EncryptedData>
  4. XML Encryption example
     The document before encryption:

       <?xml version='1.0'?>
       <PaymentInfo xmlns='http://example.org/paymentv2'>
         <Name>John Smith</Name>
         <CreditCard Limit='5,000' Currency='USD'>
           <Number>4019 2445 0277 5567</Number>
           <Issuer>Example Bank</Issuer>
           <Expiration>04/02</Expiration>
         </CreditCard>
       </PaymentInfo>

     The same document after encrypting the content of the Number element (Type '...#Content'), so the EncryptedData element replaces the card number while the Number element itself stays visible:

       <?xml version='1.0'?>
       <PaymentInfo xmlns='http://example.org/paymentv2'>
         <Name>John Smith</Name>
         <CreditCard Limit='5,000' Currency='USD'>
           <Number>
             <EncryptedData xmlns='http://www.w3.org/2001/04/xmlenc#'
                 Type='http://www.w3.org/2001/04/xmlenc#Content'>
               <CipherData>
                 <CipherValue>A23B45C56</CipherValue>
               </CipherData>
             </EncryptedData>
           </Number>
           <Issuer>Example Bank</Issuer>
           <Expiration>04/02</Expiration>
         </CreditCard>
       </PaymentInfo>
  5. XML Signature
     - Provides data integrity and authenticity
     - Binds the sender's identity (the "signing entity") to an XML document
     - Signature verification can be done using asymmetric or symmetric keys
     - Ensures non-repudiation of the signing entity
     - Proves that messages have not been altered since they were signed
  6. Signature Element
     XML digital signatures are represented by the Signature element:

       <Signature ID?>
         <SignedInfo>
           <CanonicalizationMethod/>
           <SignatureMethod/>
           (<Reference URI >
             <Transforms>
             <DigestMethod>
             <DigestValue>
           </Reference>)+
         </SignedInfo>
         <SignatureValue>
         <KeyInfo>
         <Object ID>
       </Signature>
  7. Signature Example

       <Signature Id="MyFirstSignature" xmlns="http://www.w3.org/2000/09/xmldsig#">
         <SignedInfo>
           <CanonicalizationMethod Algorithm="http://www.w3.org/2006/12/xml-c14n11"/>
           <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
           <Reference URI="http://www.w3.org/TR/2000/REC-xhtml1-20000126/">
             <Transforms>
               <Transform Algorithm="http://www.w3.org/2006/12/xml-c14n11"/>
             </Transforms>
             <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
             <DigestValue>dGhpcyBpcyBub3QgYSBzaWduYXR1cmUK...</DigestValue>
           </Reference>
         </SignedInfo>
         <SignatureValue>...</SignatureValue>
         <KeyInfo>
           <KeyValue>
             <DSAKeyValue>
               <P>...</P><Q>...</Q><G>...</G><Y>...</Y>
             </DSAKeyValue>
           </KeyValue>
         </KeyInfo>
       </Signature>
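Signing and verifying in the shape slides 5 to 7 describe, as an added example (Python, not from the deck): the document is slide 4's PaymentInfo with a constructed Id attribute, the key is a constructed shared secret (the symmetric case slide 5 mentions), and c14n() is a simplified stand-in for XML Canonicalization, which the standard library does not provide. The xmldsig namespace and the hmac-sha256 and sha256 algorithm URIs are the real ones; verification follows the specification's two steps, reference validation before signature validation.

```python
import base64, hashlib, hmac
import xml.etree.ElementTree as ET
DS = "{http://www.w3.org/2000/09/xmldsig#}"
C14N = "http://www.w3.org/2006/12/xml-c14n11"
HMAC_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
# Constructed sample modelled on slide 4's PaymentInfo; the Id attribute anchors the Reference URI.
PAYMENT = b"""<PaymentInfo xmlns='http://example.org/paymentv2' Id='pay1'>
  <CreditCard Limit='5,000' Currency='USD'><Number>4019 2445 0277 5567</Number></CreditCard>
</PaymentInfo>"""

def c14n(elem):
    """Stand-in for XML C14N: drop the enveloped Signature, strip whitespace, re-serialize."""
    copy = ET.fromstring(ET.tostring(elem))
    for node in list(copy.iter()):
        for child in list(node):
            if child.tag == DS + "Signature":
                node.remove(child)
        node.text, node.tail = (node.text or "").strip() or None, None
    return ET.tostring(copy)

def sign(xml_bytes, key):
    """Append an enveloped <Signature>: one Reference to the root, HMAC over SignedInfo."""
    doc = ET.fromstring(xml_bytes)
    sig = ET.SubElement(doc, DS + "Signature")
    si = ET.SubElement(sig, DS + "SignedInfo")
    ET.SubElement(si, DS + "CanonicalizationMethod", Algorithm=C14N)
    ET.SubElement(si, DS + "SignatureMethod", Algorithm=HMAC_SHA256)
    ref = ET.SubElement(si, DS + "Reference", URI="#" + doc.get("Id"))
    ET.SubElement(ref, DS + "DigestMethod", Algorithm=SHA256)
    digest = hashlib.sha256(c14n(doc)).digest()
    ET.SubElement(ref, DS + "DigestValue").text = base64.b64encode(digest).decode()
    mac = hmac.new(key, c14n(si), hashlib.sha256).digest()  # SignatureValue covers SignedInfo only
    ET.SubElement(sig, DS + "SignatureValue").text = base64.b64encode(mac).decode()
    return ET.tostring(doc)

def verify(xml_bytes, key):
    """Core validation: every Reference digest matches, then the HMAC over SignedInfo matches."""
    doc = ET.fromstring(xml_bytes)
    sig = doc.find(DS + "Signature")
    si = sig.find(DS + "SignedInfo") if sig is not None else None
    if si is None or si.find(DS + "SignatureMethod").get("Algorithm") != HMAC_SHA256:
        return False  # never let the message pick an algorithm the verifier did not expect
    for ref in si.findall(DS + "Reference"):  # step 1: reference validation
        if (ref.get("URI") != "#" + (doc.get("Id") or "")
                or ref.find(DS + "DigestMethod").get("Algorithm") != SHA256):
            return False  # only a same-document reference with the expected digest is accepted
        want = base64.b64decode(ref.find(DS + "DigestValue").text)
        if not hmac.compare_digest(hashlib.sha256(c14n(doc)).digest(), want):
            return False  # the signed content was altered after signing
    mac = hmac.new(key, c14n(si), hashlib.sha256).digest()  # step 2: signature validation
    return hmac.compare_digest(mac, base64.b64decode(sig.find(DS + "SignatureValue").text))
```

A verifier that skipped step 1, or accepted whatever Algorithm the message named, would still return True for a message whose card number was changed after signing; the tests below cover both cases.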
  8. SAML
     - Developed by OASIS
     - An XML framework for exchanging authentication and authorization information
     - SAML assertions (an assertion is a declaration of a fact):
       - authentication
       - attribute
       - authorization
     - SAML is used for:
       - single sign-on (SSO)
       - distributed transactions
       - authorization services
  9. Authentication statement
     Used for SSO. An issuing authority asserts that subject S was authenticated by means M at time T.

       <saml:Assertion …>
         <saml:AuthenticationStatement
             AuthenticationMethod="password"
             AuthenticationInstant="2010-02-03">
           <saml:Subject>
             <saml:NameIdentifier
                 SecurityDomain="myCompany.com" Name="ABCD" />
             <saml:ConfirmationMethod>
               http://…
             </saml:ConfirmationMethod>
           </saml:Subject>
         </saml:AuthenticationStatement>
       </saml:Assertion>
  10. Attribute statement
     Used for distributed transactions. An issuing authority asserts that subject S is associated with attributes A, B, … having values 'a', 'b', ….

       <saml:Assertion …>
         <saml:AttributeStatement>
           <saml:Subject>..Sang..</saml:Subject>
           <saml:Attribute
               AttributeName="PaymentStatus"
               AttributeNamespace="http://myshop.com">
             <saml:AttributeValue>PaidUp</saml:AttributeValue>
           </saml:Attribute>
           <saml:Attribute
               AttributeName="CreditLimit"
               AttributeNamespace="http://myshop.com">
             <saml:AttributeValue>500.00</saml:AttributeValue>
           </saml:Attribute>
         </saml:AttributeStatement>
       </saml:Assertion>
  11. Authorization statement
     Used for an authorization service. An issuing authority decides whether to grant the request by subject S for access type A to resource R, given evidence E.

       <saml:Assertion …>
         <saml:AuthorizationStatement
             Decision="Allow"
             Resource="http://mycompany.com/empdetails">
           <saml:Subject>…</saml:Subject>
           <saml:Actions
               ActionNamespace="http://…">
             <saml:Action>Read</saml:Action>
           </saml:Actions>
         </saml:AuthorizationStatement>
       </saml:Assertion>
  12. WS-Security
     - An extension to SOAP that applies security to Web services
     - Defines how to attach XML Signature and XML Encryption headers to SOAP messages
     - The WS-Security specification allows the following security tokens:
       - X.509 certificates
       - Kerberos tickets
       - UserID/Password credentials
       - SAML assertions
       - Custom-defined tokens
  13. WS-Security with SAML example
     The SAML assertion travels in the wsse:Security header of the SOAP envelope:

       <SOAP-ENV:Envelope>
         <SOAP-ENV:Header>
           <wsse:Security>
             <saml:Assertion> - - - </saml:Assertion>
           </wsse:Security>
         </SOAP-ENV:Header>
         <SOAP-ENV:Body> - - - </SOAP-ENV:Body>
       </SOAP-ENV:Envelope>
  14. WS-Trust
     A framework for:
     - issuing, renewing, and validating security tokens
     - brokering trust relationships between different trust domains
  15. WS-Trust: Security Token Service
     1. The WSIT client runtime requests security metadata from the service provider (transparent to the application)
     2. The service indicates that the client needs a security token from a particular STS
     3. The client requests security metadata from the STS
     4. The STS responds with the type of security token to be used for further communication
     5. The client requests a security token from the STS
     6. The client receives the security token issued by the STS
     7. The client invokes the service using the issued token
     8. The service provider verifies the token and performs the service
  16. WS-SecureConversation
     - WS-SecureConversation defines the creation and sharing of security contexts between communicating parties
     - The <SecurityContextToken> (SCT) element supports the requirements of security contexts
     - An SCT involves a shared secret used to sign and/or encrypt messages
     - Derived keys are used for signing and encrypting messages associated with the security context
     - WS-SecureConversation defines how derived keys are computed and passed
  17. XACML
     - A declarative access control policy language implemented in XML, together with a processing model describing how to interpret the policies
     - Policies are defined as a collection of Rules

     Access control rule:
       Allow access to resources with attribute WebService
       if the subject is an Employee and the action is read or write.

     Administration control rule:
       Allow delegation of access control rule #1 to subjects with attribute Consultant.
       Conditions:
         - the delegation must expire within 6 months,
         - the resource must not have attribute StrictlyInternal.
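The access control rule on this slide evaluated by a small policy decision point, as an added example (Python, not from the deck): Rule and Policy objects follow XACML's Target/Condition/Effect structure and the deny-unless-permit and first-applicable rule-combining algorithms (real XACML combining algorithms; the attribute names role, attributes and id are constructed), so any request rule #1 does not permit is denied by default.

```python
from dataclasses import dataclass
from typing import Callable

Request = dict  # {"subject": {...}, "resource": {...}, "action": {...}}, mirroring XACML attribute categories

@dataclass
class Rule:
    rule_id: str
    effect: str                           # "Permit" or "Deny"
    target: Callable[[Request], bool]     # which requests the rule applies to at all
    condition: Callable[[Request], bool] = lambda r: True

    def evaluate(self, req: Request) -> str:
        # XACML rule semantics: the Effect only when target and condition both hold,
        # otherwise NotApplicable (never an implicit Permit).
        if self.target(req) and self.condition(req):
            return self.effect
        return "NotApplicable"

@dataclass
class Policy:
    rules: list
    combining: str = "deny-unless-permit"   # the safe default: whatever is not permitted is denied

    def evaluate(self, req: Request) -> str:
        decisions = [r.evaluate(req) for r in self.rules]
        if self.combining == "deny-unless-permit":
            return "Permit" if "Permit" in decisions else "Deny"
        if self.combining == "first-applicable":
            # NotApplicable can leak out here; the enforcement point must treat it as a denial
            return next((d for d in decisions if d != "NotApplicable"), "NotApplicable")
        raise ValueError(f"unknown combining algorithm: {self.combining}")

# Slide 17's access control rule, encoded: Employees may read or write resources tagged WebService.
RULE_1 = Rule(
    rule_id="rule-1", effect="Permit",
    target=lambda r: "WebService" in r["resource"]["attributes"],
    condition=lambda r: r["subject"]["role"] == "Employee" and r["action"]["id"] in {"read", "write"},
)
POLICY = Policy(rules=[RULE_1])

def decide(role: str, resource_attrs, action: str, policy: Policy = POLICY) -> str:
    """Policy Decision Point entry: build the request context and return the decision."""
    req = {"subject": {"role": role}, "resource": {"attributes": set(resource_attrs)}, "action": {"id": action}}
    return policy.evaluate(req)
```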
  18. XACML benefits
     - One standard access control policy language can replace dozens of application-specific languages
     - Administrators save time and money because they do not need to rewrite their policies in many different languages
     - XACML is flexible enough to accommodate most access control policy needs and extensible so that new requirements can be supported
     - One XACML policy can cover many resources, which helps avoid inconsistent policies on different resources
     - XACML allows one policy to refer to another, which matters for large organizations: for instance, a site-specific policy may refer to a company-wide policy and a country-specific policy
