The document discusses the importance of securing web services to protect data from potential exposure and alteration by unauthorized users, emphasizing that HTTPS only provides transport-level security. It outlines methods for enhancing security at the message level using XML encryption, signatures, and WS-Security protocols to ensure confidentiality, integrity, and authentication. Additionally, the document highlights the challenges of managing authentication for external users and communicating security requirements with external domains.

1. Secured SOA
By Prabath Siriwardena ~ WSO2

2. November 01st, 2007

3. WSO2
NO: 59
Flower Road,
Colombo 07,
Sri Lanka

4. Ruchith Fernando
Security Lead
WSO2, 2006 – 2008
Now, PhD student
at University of
Purdue

5. First Assignment…

6. Securing a Web
Service..???

7. WHY Secure..???

8. People Can SEE What You Send

9. People Can ALTER What You Send

10. Anyone Can CALL Your Service

11. People SEE What’s On HTTP

12. People Can ALTER What’s On HTTP

13. HTTP is NOT Secured

14. S
HTTP

15. HTTPS is Transport Level

18. Security inherited
from the transport channel

19. Safe only while on the transport

20. Parts of the message
CANNOT
BE
encrypted

22. Authenticating with HTTPS ?

23. BasicAuth

27. Mutual Authentication

28. SSL Handshake

29. CLIENT_HELLO
Highest SSL Version,
Ciphers Supported,
Data Compression Methods,
SessionId = 0,
Random Data

30. SERVER_HELLO
Selected SSL Version,
Selected Cipher,
Selected Data Compression Method,
Assigned Session Id,
Random Data

31. CERTIFICATE
Public Key,
Authentication Signature

32. CLIENT_CERT_REQUEST
[Optional]

33. CLIENT_CERT
[Optional]

34. CLIENT_KEY_EXCHANGE

35. CERTIFICATE_VERIFY
[Optional]

36. CHANGE_CIPHER_SPEC

37. FINISHED

38. CHANGE_CIPHER_SPEC

39. FINISHED

40. MONDAY Morning

41. NOT Happy With HTTPS

42. Requires END To END Security

43. Parts of message
need to be Encrypted

44. <soap:Envelope >
<soap:Body>
<ns1:withdrawMoney >
<param1></ param1>
<param2></ param2>
<param3></ param3>
</ ns1:withdrawMoney >
</soap:Body>
</soap:Envelope>

45. <soap:Envelope >
<soap:Body>
<ns1:withdrawMoney >
<param1></ param1>
<param2></ param2>
<param3></ param3>
</ ns1:withdrawMoney >
</soap:Body>
</soap:Envelope>

46. Message Level Security

47. XML Encryption

48. XML Signature

49. WS - Security

50. Confidentiality

51. Integrity

52. NON - Repudiation

53. Authentication

54. UsernameToken

55. <wsse:UsernameToken wsu:Id="Example-1">
<wsse:Username> ... </wsse:Username>
<wsse:Password
Type="..."> ... </wsse:Password>
<wsse:Nonce
EncodingType="..."> ... </wsse:Nonce>
<wsu:Created> ... </wsu:Created>
</wsse:UsernameToken>

56. NOBODY Can See the Message
in Clear Text Other
than the Intended Recipient

57. NOBODY In the Middle
Can ALTER the Message

58. Only the Authenticated
Users Can Invoke the Service

59. WS - Security
XML Username X.509 Token
XML Signature
Encryption Token Profile Profile

60. DONE with My First Assignment

61. BUT… Paul NOT Happy 

62. Authentication LIMITED
to
INTERNAL Users ONLY

63. Users OUT SIDE Our
Domain Need ACCESS

64. We DON’T Have Their
Credentials

65. We Can’t Use
UsernameToken 

66. Delegate Authentication
to the External Domain
itself

67. They Should Know How to
Authenticate Their Own
Users

68. We TRUST What the
External Domain Says

70. WS-TRUST

71. <s:Envelope>
<s:Header>
<wsa:Action>
http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue
</wsa:Action>
</s:Header>
<s:Body>
<wst:RequestSecurityToken>
<wst:TokenType>
http://example.org/mySpecialToken
</wst:TokenType>
<wst:RequestType>
http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue
</wst:RequestType>
</wst:RequestSecurityToken>
</s:Body>
</s:Envelope>

72. <s:Envelope>
<s:Header>
<wsa:Action>
http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/Issue
</wsa:Action>
</s:Header>
<s:Body>
<wst:RequestSecurityTokenResponseCollection>
<wst:RequestSecurityTokenResponse>
<wst:RequestedSecurityToken>
<xyz:CustomToken xmlns:xyz="...">
</xyz:CustomToken>
</wst:RequestedSecurityToken>
</wst:RequestSecurityTokenResponse>
</wst:RequestSecurityTokenResponseCollection>
</s:Body>
</s:Envelope>

73. WS - Trust
WS - Security
Username X.509
XML XML
Token Token
Signature Encryption
Profile Profile

74. Another Problem on
HAND…

75. How Do We Communicate
our Security
Requirements to
Outsiders ?

76. The Encryption
Algorithm We Use…

77. Key Size…

78. Token Types…

79. Elements to be Signed…

80. Elements to be
Encrypted…

81. Use Symmetric Key or
Asymmetric Key…

82. WS-Security Policy

83. Finally… We All Moved
to the White Board…

86. http://wso2.com
http://wso2.com/about/contact
bizdev@wso2.com
prabath@wso2.com

87. Thank You…!!!