Santa Clara, CA

Secured SOA (WSO2 SOA Security)
By Prabath Siriwardena ~ WSO2

Securing a Web Service..???
People Can SEE What You Send
People Can ALTER What You Send
Anyone Can CALL Your Service
People SEE What’s On
People Can ALTER What’s On
HTTP is NOT Secured
HTTPS
HTTPS is Transport Level
Security inherited from the transport channel
Safe only while on the transport: the message is back in clear text at every point where the TLS connection terminates (a proxy, a gateway, the application server itself)
Parts of the message CANNOT be selectively encrypted: HTTPS protects the whole channel or nothing, so an intermediary that needs to read one element gets to read all of them
Authenticating with HTTPS ?
BasicAuth (username and password travel in the clear inside the channel, so only acceptable over HTTPS)
Mutual Authentication (the client presents its own X.509 certificate during the handshake)
SSL Handshake

    Client -> Server   CLIENT_HELLO: highest SSL/TLS version, ciphers supported, data compression methods, SessionId = 0 (new session), random data
    Server -> Client   SERVER_HELLO: selected version, selected cipher, selected data compression method, assigned session id, random data
    Server -> Client   CERTIFICATE: the server's public key plus the CA's authentication signature over it (this is what lets the client authenticate the server)
    Server -> Client   CLIENT_CERT_REQUEST [optional, only for mutual authentication]
    Client -> Server   CLIENT_CERT [optional]
    Client -> Server   CLIENT_KEY_EXCHANGE: the client's contribution to the session key (pre-master secret encrypted with the server's public key, or its Diffie-Hellman value)
    Client -> Server   CERTIFICATE_VERIFY [optional]: a signature with the client's private key, proving it owns the certificate it just sent
    Client -> Server   CHANGE_CIPHER_SPEC
    Client -> Server   FINISHED
    Server -> Client   CHANGE_CIPHER_SPEC
    Server -> Client   FINISHED

Compression is negotiated here only on paper: after the CRIME attack deployments disable it, and TLS 1.3 removed it from the protocol.
MONDAY Morning
NOT Happy With HTTPS
Requires END To END Security
Parts of message
need to be Encrypted
<soap:Envelope>
    <soap:Body>
        <ns1:withdrawMoney>
            <param1></param1>
            <param2></param2>
            <param3></param3>
        </ns1:withdrawMoney>
    </soap:Body>
</soap:Envelope>
Message Level Security
XML Encryption
XML Signature
WS - Security
Confidentiality
Integrity
NON - Repudiation
Authentication
UsernameToken
<wsse:UsernameToken wsu:Id="Example-1">
    <wsse:Username> ... </wsse:Username>
    <wsse:Password Type="..."> ... </wsse:Password>
    <wsse:Nonce EncodingType="..."> ... </wsse:Nonce>
    <wsu:Created> ... </wsu:Created>
</wsse:UsernameToken>
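The token above, built and checked end to end, as an added example that is not code from the deck or from WSO2. It uses only the Python standard library. The password is sent as the PasswordDigest defined by the WSS UsernameToken Profile (Base64 of SHA-1 over nonce, Created and password), and the service side enforces the two things that make the digest worth anything: a freshness window on wsu:Created and a replay cache on the nonce. The user store (`USERS`), the 300-second window and the `Example-1` id are assumptions for the example.

```python
"""WS-Security UsernameToken with PasswordDigest: build one, then verify it
with a freshness window and a nonce replay cache.

Added example for this page; not code from the deck or from WSO2.
Digest per the WSS UsernameToken Profile: Base64(SHA-1(nonce + created + password)).
"""
import base64
import calendar
import hashlib
import hmac
import os
import time
import xml.etree.ElementTree as ET  # production code: parse with defusedxml (XXE)

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PASSWORD_DIGEST = ("http://docs.oasis-open.org/wss/2004/01/"
                   "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
BASE64_BINARY = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-soap-message-security-1.0#Base64Binary")
ET.register_namespace("wsse", WSSE)
ET.register_namespace("wsu", WSU)


def iso_utc(ts: float) -> str:
    """xsd:dateTime in UTC, the form wsu:Created uses (fractional seconds not handled)."""
    return time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(ts))


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Base64(SHA-1(nonce || created || password)), computed over the raw nonce bytes."""
    digest = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return base64.b64encode(digest).decode()


def build_username_token(username, password, nonce=None, created=None) -> str:
    """Client side: the password itself never goes on the wire, only its digest."""
    nonce = nonce if nonce is not None else os.urandom(16)
    created = created or iso_utc(time.time())
    tok = ET.Element(f"{{{WSSE}}}UsernameToken", {f"{{{WSU}}}Id": "Example-1"})
    ET.SubElement(tok, f"{{{WSSE}}}Username").text = username
    pw = ET.SubElement(tok, f"{{{WSSE}}}Password", {"Type": PASSWORD_DIGEST})
    pw.text = password_digest(nonce, created, password)
    nonce_el = ET.SubElement(tok, f"{{{WSSE}}}Nonce", {"EncodingType": BASE64_BINARY})
    nonce_el.text = base64.b64encode(nonce).decode()
    ET.SubElement(tok, f"{{{WSU}}}Created").text = created
    return ET.tostring(tok, encoding="unicode")


def verify_username_token(xml_text, lookup_password, seen_nonces, now=None, max_skew=300):
    """Service side. Returns the username on success, raises ValueError otherwise.

    lookup_password(username) -> cleartext password or None: the digest scheme
    needs the server to know the password, so a hashed-at-rest store cannot use it.
    seen_nonces is the caller's replay cache (a plain set here; bound it with a TTL
    of max_skew in practice, since older tokens are rejected by the window anyway).
    """
    tok = ET.fromstring(xml_text)
    username = tok.findtext(f"{{{WSSE}}}Username")
    pw_el = tok.find(f"{{{WSSE}}}Password")
    nonce_b64 = tok.findtext(f"{{{WSSE}}}Nonce")
    created = tok.findtext(f"{{{WSU}}}Created")
    if pw_el is None or pw_el.get("Type") != PASSWORD_DIGEST \
            or not (username and nonce_b64 and created):
        raise ValueError("rejected: incomplete token or not a PasswordDigest token")
    now = time.time() if now is None else now
    created_ts = calendar.timegm(time.strptime(created, "%Y-%m-%dT%H:%M:%SZ"))
    if abs(now - created_ts) > max_skew:
        raise ValueError("rejected: Created outside the freshness window")
    if (nonce_b64, created) in seen_nonces:
        raise ValueError("rejected: nonce replayed")
    password = lookup_password(username)
    expected = password_digest(base64.b64decode(nonce_b64), created, password or "")
    # Constant-time compare; unknown users take the same path as wrong passwords.
    if password is None or not hmac.compare_digest(expected.encode(), (pw_el.text or "").encode()):
        raise ValueError("rejected: authentication failed")
    seen_nonces.add((nonce_b64, created))
    return username


def rejects(*args, **kwargs) -> bool:
    """True if verify_username_token raises ValueError for these arguments."""
    try:
        verify_username_token(*args, **kwargs)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    USERS = {"alice": "s3cret"}          # constructed user store for the demo
    cache = set()
    token = build_username_token("alice", "s3cret")
    print(token)
    print("first use:", verify_username_token(token, USERS.get, cache))
    print("replay rejected:", rejects(token, USERS.get, cache))
```

Two things the digest form does not give you: the nonce cache has to be shared across every node that terminates the service, or a replay against a second node succeeds; and because the server must hold cleartext passwords, a UsernameToken over plain HTTP still exposes them to an offline guess against the digest, which is one more reason the deck keeps HTTPS underneath message-level security rather than replacing it.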
NOBODY Can See the Message
   in Clear Text Other
than the Intended Recipient
NOBODY In the Middle
Can ALTER the Message
Only the Authenticated
Users Can Invoke the Service
Sign & Encrypt OR Encrypt & Sign

Sign & Encrypt
Message Signature

XML Signature defines THREE types of signatures

Enveloped: the Signature sits inside the element it signs
<Message>
    <Signature>
    </Signature>
</Message>

Enveloping: the signed content sits inside the Signature
<Signature>
    <Message>
    </Message>
</Signature>

Detached: the Signature and the signed content are siblings, or live in different documents
<Signature>
</Signature>
<Message>
</Message>

WS-Security uses the detached form: the Signature lives in the SOAP Header and references the Body by its wsu:Id
<Envelope>
    <Header>
        <Signature>
        </Signature>
    </Header>
    <Body>
        <Message>
        </Message>
    </Body>
</Envelope>
Sign & Encrypt With WS-Security

1. The plain message
<Envelope>
    <Body>
        <Message>
        </Message>
    </Body>
</Envelope>

2. Sign: the Signature over the Body goes into the Header
<Envelope>
    <Header>
        <Signature>
        </Signature>
    </Header>
    <Body>
        <Message>
        </Message>
    </Body>
</Envelope>

3. Encrypt: the Body is replaced by EncryptedData; the Signature, computed over the plaintext, stays in the Header
<Envelope>
    <Header>
        <Signature>
        </Signature>
    </Header>
    <Body>
        <EncryptedData>
        </EncryptedData>
    </Body>
</Envelope>
Encrypt & Sign
Message Signature

1. The plain message
<Envelope>
    <Body>
        <Message>
        </Message>
    </Body>
</Envelope>

2. Encrypt: the Body is replaced by EncryptedData
<Envelope>
    <Body>
        <EncryptedData>
        </EncryptedData>
    </Body>
</Envelope>

3. Sign: the Signature, computed over the EncryptedData, goes into the Header
<Envelope>
    <Header>
        <Signature>
        </Signature>
    </Header>
    <Body>
        <EncryptedData>
        </EncryptedData>
    </Body>
</Envelope>
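The two orderings above, run side by side, as an added example that is not code from the deck or from WSO2. HMAC-SHA256 stands in for XML Signature and a SHA-256 counter-mode keystream stands in for XML Encryption, so that the block runs on the Python standard library alone; real WS-Security uses an asymmetric XML Signature and AES, but the consequences of the ordering are the same. It goes a step past the slides: besides showing that both orders catch a tampered Body, it demonstrates the caveat each order carries, that a Sign & Encrypt message can be re-encrypted to a third party with the original signature intact, and that an Encrypt & Sign message can be stripped and re-signed by someone who cannot read it. The party names, keys and the withdrawMoney body are constructed for the example.

```python
"""Sign & Encrypt vs Encrypt & Sign: what each order binds, and what it does not.

Added example for this page, not code from the deck or from WSO2. Stand-ins:
HMAC-SHA256 for XML Signature, SHA-256 counter-mode keystream for XML
Encryption (symmetric keys shared pairwise between the parties).
"""
import hashlib
import hmac
import os


def sign(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def verify(key: bytes, data: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(key, data), sig)


def keystream_xor(key: bytes, iv: bytes, data: bytes) -> bytes:
    """SHA-256 in counter mode (stand-in for AES-CTR); one function encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + iv + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    iv = os.urandom(16)
    return iv + keystream_xor(key, iv, plaintext)


def decrypt(key: bytes, ciphertext: bytes) -> bytes:
    return keystream_xor(key, ciphertext[:16], ciphertext[16:])


# Envelopes mirror the slides: {"Header": {"Signature": ...}, "Body": ...}

def sign_then_encrypt(body, sig_key, enc_key):
    # Step 2: Signature over the plaintext Body into the Header. Step 3: Body -> EncryptedData.
    return {"Header": {"Signature": sign(sig_key, body)}, "Body": encrypt(enc_key, body)}


def open_sign_then_encrypt(env, sig_key, enc_key):
    # The recipient has to decrypt before it can verify anything.
    body = decrypt(enc_key, env["Body"])
    if not verify(sig_key, body, env["Header"]["Signature"]):
        raise ValueError("signature over plaintext does not verify")
    return body


def encrypt_then_sign(body, sig_key, enc_key):
    # Step 2: Body -> EncryptedData. Step 3: Signature over the ciphertext into the Header.
    ct = encrypt(enc_key, body)
    return {"Header": {"Signature": sign(sig_key, ct)}, "Body": ct}


def open_encrypt_then_sign(env, sig_key, enc_key):
    # Verify first: a tampered Body is rejected before any decryption work is done.
    if not verify(sig_key, env["Body"], env["Header"]["Signature"]):
        raise ValueError("signature over ciphertext does not verify")
    return decrypt(enc_key, env["Body"])


def tamper(env):
    """A man in the middle flips one bit of the ciphertext Body."""
    body = bytearray(env["Body"])
    body[-1] ^= 0x01
    return {"Header": dict(env["Header"]), "Body": bytes(body)}


def forward_signed_plaintext(env, my_enc_key, third_party_enc_key):
    """Sign & Encrypt caveat: the recipient re-encrypts the signed plaintext for
    a third party. The signature covers only the plaintext, so it stays valid and
    the third party cannot tell the signer never addressed the message to them."""
    body = decrypt(my_enc_key, env["Body"])
    return {"Header": dict(env["Header"]), "Body": encrypt(third_party_enc_key, body)}


def resign_ciphertext(env, attacker_sig_key):
    """Encrypt & Sign caveat: an attacker strips the signature from ciphertext they
    cannot read and signs that ciphertext themselves, claiming authorship."""
    return {"Header": {"Signature": sign(attacker_sig_key, env["Body"])}, "Body": env["Body"]}


def rejects(opener, env, sig_key, enc_key) -> bool:
    """True if the opener raises ValueError on this envelope."""
    try:
        opener(env, sig_key, enc_key)
    except ValueError:
        return True
    return False
```

Which order to pick is a policy question, not a cryptographic one: Sign & Encrypt gives the recipient a signature over the content it can show a third party (non-repudiation of what was said), at the cost of having to decrypt before it can reject garbage and of leaving the signer's DigestValue over the plaintext in the clear unless the Signature is encrypted too; Encrypt & Sign lets the service drop tampered messages without touching its decryption key, but the signature only proves who sent that ciphertext. WS-SecurityPolicy has a switch for exactly this choice.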
WS-Security builds on:
    XML Signature
    XML Encryption
    Username Token Profile
    X.509 Token Profile
DONE with My First Assignment
BUT… Paul NOT Happy 
Authentication LIMITED
          to
  INTERNAL Users ONLY
Users OUTSIDE Our Domain Need ACCESS
We DON’T Have Their
    Credentials
We Can’t Use
UsernameToken 
Delegate Authentication
to the External Domain
        itself
They Should Know How to
Authenticate Their Own
         Users
We TRUST What the
External Domain Says
WS-TRUST
RST (RequestSecurityToken): the client asks the STS to issue a token
<s:Envelope>
    <s:Header>
        <wsa:Action>
            http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue
        </wsa:Action>
    </s:Header>
    <s:Body>
        <wst:RequestSecurityToken>
            <wst:TokenType>
                http://example.org/mySpecialToken
            </wst:TokenType>
            <wst:RequestType>
                http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue
            </wst:RequestType>
        </wst:RequestSecurityToken>
    </s:Body>
</s:Envelope>

RSTR (RequestSecurityTokenResponse): the STS answers with the issued token
<s:Envelope>
    <s:Header>
        <wsa:Action>
            http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/Issue
        </wsa:Action>
    </s:Header>
    <s:Body>
        <wst:RequestSecurityTokenResponseCollection>
            <wst:RequestSecurityTokenResponse>
                <wst:RequestedSecurityToken>
                    <xyz:CustomToken xmlns:xyz="...">
                    </xyz:CustomToken>
                </wst:RequestedSecurityToken>
            </wst:RequestSecurityTokenResponse>
        </wst:RequestSecurityTokenResponseCollection>
    </s:Body>
</s:Envelope>
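The Issue exchange above, with both sides implemented, as an added example that is not code from the deck or from WSO2. The external domain's STS checks the user against its own directory and answers the RST with an RSTR; our service accepts the token because it trusts that STS, and never sees the user's password. The RST and RSTR follow the shape on the page, including the `http://example.org/mySpecialToken` token type; what the page leaves as `xyz:CustomToken xmlns:xyz="..."` is filled in here by assumption, as a token carrying Subject, Issuer and Expires with an HMAC over those fields keyed by a secret shared between the STS and our service (the `urn:example:custom-token` namespace, the directory, the issuer name and the key are all constructed). A real deployment would issue SAML signed with the STS's X.509 key, and the user's credentials would travel in the RST's wsse:Security header rather than as function arguments.

```python
"""WS-Trust Issue flow in miniature: the external STS authenticates its own user
and issues a token; our service trusts the STS and validates the token only.

Added example for this page, not code from the deck or from WSO2. Token format
(xyz:CustomToken + HMAC, shared key) is an assumption standing in for SAML.
"""
import hashlib
import hmac
import time
import xml.etree.ElementTree as ET

S = "http://www.w3.org/2003/05/soap-envelope"
WSA = "http://www.w3.org/2005/08/addressing"
WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
XYZ = "urn:example:custom-token"                    # assumed namespace for the token
TOKEN_TYPE = "http://example.org/mySpecialToken"    # the TokenType used on the page
for prefix, uri in (("s", S), ("wsa", WSA), ("wst", WST), ("xyz", XYZ)):
    ET.register_namespace(prefix, uri)


def envelope(action: str):
    """SOAP 1.2 envelope with a wsa:Action header; returns (envelope, body)."""
    env = ET.Element(f"{{{S}}}Envelope")
    ET.SubElement(ET.SubElement(env, f"{{{S}}}Header"), f"{{{WSA}}}Action").text = action
    return env, ET.SubElement(env, f"{{{S}}}Body")


def build_rst(token_type: str = TOKEN_TYPE) -> str:
    """Client -> STS: the RequestSecurityToken shown on the page."""
    env, body = envelope(WST + "/RST/Issue")
    rst = ET.SubElement(body, f"{{{WST}}}RequestSecurityToken")
    ET.SubElement(rst, f"{{{WST}}}TokenType").text = token_type
    ET.SubElement(rst, f"{{{WST}}}RequestType").text = WST + "/Issue"
    return ET.tostring(env, encoding="unicode")


def token_mac(key: bytes, subject: str, issuer: str, expires: int) -> str:
    return hmac.new(key, f"{subject}|{issuer}|{expires}".encode(), hashlib.sha256).hexdigest()


def sts_issue(rst_xml, username, password, directory, issuer, key, now=None, ttl=3600) -> str:
    """STS side: validate the RST, authenticate against the external domain's
    own directory, answer with an RSTR carrying the issued token."""
    env = ET.fromstring(rst_xml)
    if env.findtext(f".//{{{WSA}}}Action") != WST + "/RST/Issue":
        raise ValueError("not an Issue request")
    rst = env.find(f".//{{{WST}}}RequestSecurityToken")
    if rst is None or rst.findtext(f"{{{WST}}}RequestType") != WST + "/Issue":
        raise ValueError("unsupported RequestType")
    if rst.findtext(f"{{{WST}}}TokenType") != TOKEN_TYPE:
        raise ValueError("unsupported TokenType")
    stored = directory.get(username)
    if stored is None or not hmac.compare_digest(stored.encode(), password.encode()):
        raise ValueError("authentication failed")
    expires = int(now if now is not None else time.time()) + ttl
    out, body = envelope(WST + "/RSTR/Issue")
    coll = ET.SubElement(body, f"{{{WST}}}RequestSecurityTokenResponseCollection")
    resp = ET.SubElement(coll, f"{{{WST}}}RequestSecurityTokenResponse")
    ET.SubElement(resp, f"{{{WST}}}TokenType").text = TOKEN_TYPE
    req = ET.SubElement(resp, f"{{{WST}}}RequestedSecurityToken")
    tok = ET.SubElement(req, f"{{{XYZ}}}CustomToken",
                        {"Subject": username, "Issuer": issuer, "Expires": str(expires)})
    tok.set("Mac", token_mac(key, username, issuer, expires))
    return ET.tostring(out, encoding="unicode")


def accept_token(rstr_xml, trusted_issuers, now=None) -> str:
    """Our service: take the token out of the RSTR and accept it only if the
    issuer is one we trust, the token is unexpired and its MAC verifies."""
    env = ET.fromstring(rstr_xml)
    tok = env.find(f".//{{{WST}}}RequestedSecurityToken/{{{XYZ}}}CustomToken")
    if tok is None:
        raise ValueError("no CustomToken in RSTR")
    subject, issuer = tok.get("Subject", ""), tok.get("Issuer", "")
    expires = int(tok.get("Expires", "0"))
    key = trusted_issuers.get(issuer)
    if key is None:
        raise ValueError(f"untrusted issuer {issuer!r}")
    if (now if now is not None else time.time()) >= expires:
        raise ValueError("token expired")
    if not hmac.compare_digest(token_mac(key, subject, issuer, expires), tok.get("Mac", "")):
        raise ValueError("token MAC does not verify")
    return subject


def tamper_subject(rstr_xml: str, new_subject: str) -> str:
    """Attacker rewrites the issued token's Subject without re-MACing it."""
    env = ET.fromstring(rstr_xml)
    env.find(f".//{{{XYZ}}}CustomToken").set("Subject", new_subject)
    return ET.tostring(env, encoding="unicode")


def fails(thunk) -> bool:
    """True if calling thunk() raises ValueError."""
    try:
        thunk()
    except ValueError:
        return True
    return False
```

The trust decision lives entirely in `trusted_issuers`: our service holds one verification key per STS it has agreed to trust and nothing about the partner's users. Revoking a partner is deleting its entry; revoking a single user is the partner's job, which is why short token lifetimes matter more here than in the UsernameToken case.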
WS-Trust sits on top of WS-Security, which in turn builds on:
    XML Signature
    XML Encryption
    Username Token Profile
    X.509 Token Profile
Another Problem on
      HAND…
How Do We Communicate
    our Security
   Requirements to
     Outsiders ?
The Encryption
Algorithm We Use…
Key Size…
Token Types…
Elements to be Signed…
Elements to be
  Encrypted…
Use Symmetric Key or
  Asymmetric Key…
WS-Security Policy
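A WS-SecurityPolicy that answers every question on the list above, read back by a small parser, as an added example that is not code from the deck or from WSO2. The policy document is constructed for the example (a service that wants an asymmetric X.509 binding, the Basic256 suite, a signed Body and wsa:To header, an encrypted Body and a signed UsernameToken); `summarize_policy` extracts the binding, algorithm suite and its cipher, key size and digest, the token types, and the signed and encrypted parts, and `review_policy` runs the checks a reviewer would apply to the answer. The namespaces, IncludeToken URIs and suite-to-algorithm table are from WS-SecurityPolicy 1.2; the findings wording is the example's own.

```python
"""Reading a WS-SecurityPolicy: what the service demands of a caller.

Added example for this page, not code from the deck or from WSO2. The sample
policy is constructed; the namespaces and algorithm suites are WS-SecurityPolicy 1.2.
"""
import xml.etree.ElementTree as ET

WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
INCLUDE = SP + "/IncludeToken/"

# WS-SecurityPolicy 1.2 algorithm suites: (symmetric cipher, key bits, digest).
ALGORITHM_SUITES = {
    "Basic256": ("AES", 256, "SHA-1"),          "Basic256Sha256": ("AES", 256, "SHA-256"),
    "Basic192": ("AES", 192, "SHA-1"),          "Basic192Sha256": ("AES", 192, "SHA-256"),
    "Basic128": ("AES", 128, "SHA-1"),          "Basic128Sha256": ("AES", 128, "SHA-256"),
    "TripleDes": ("3DES", 192, "SHA-1"),        "TripleDesSha256": ("3DES", 192, "SHA-256"),
}
BINDINGS = ("TransportBinding", "SymmetricBinding", "AsymmetricBinding")
# Elements that hold a token assertion rather than being one.
TOKEN_HOLDERS = {"InitiatorToken", "RecipientToken", "ProtectionToken",
                 "SignatureToken", "EncryptionToken", "TransportToken"}

# Constructed sample: asymmetric X.509 binding, signed+encrypted Body, signed UsernameToken.
SAMPLE_POLICY = f"""<wsp:Policy xmlns:wsp="{WSP}" xmlns:sp="{SP}">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:AsymmetricBinding>
        <wsp:Policy>
          <sp:InitiatorToken><wsp:Policy>
            <sp:X509Token sp:IncludeToken="{INCLUDE}AlwaysToRecipient"/>
          </wsp:Policy></sp:InitiatorToken>
          <sp:RecipientToken><wsp:Policy>
            <sp:X509Token sp:IncludeToken="{INCLUDE}Never"/>
          </wsp:Policy></sp:RecipientToken>
          <sp:AlgorithmSuite><wsp:Policy><sp:Basic256/></wsp:Policy></sp:AlgorithmSuite>
          <sp:Layout><wsp:Policy><sp:Strict/></wsp:Policy></sp:Layout>
          <sp:IncludeTimestamp/>
          <sp:OnlySignEntireHeadersAndBody/>
        </wsp:Policy>
      </sp:AsymmetricBinding>
      <sp:SignedParts>
        <sp:Body/>
        <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/>
      </sp:SignedParts>
      <sp:EncryptedParts><sp:Body/></sp:EncryptedParts>
      <sp:SignedSupportingTokens><wsp:Policy>
        <sp:UsernameToken sp:IncludeToken="{INCLUDE}AlwaysToRecipient"/>
      </wsp:Policy></sp:SignedSupportingTokens>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>"""


def local(tag: str) -> str:
    """Strip the {namespace} from a Clark-notation tag."""
    return tag.rsplit("}", 1)[-1]


def parts(el):
    """sp:Body -> 'Body'; sp:Header Name=.. Namespace=.. -> 'Header {ns}Name'."""
    return ["Body" if local(p.tag) == "Body"
            else f"Header {{{p.get('Namespace', '')}}}{p.get('Name', '')}"
            for p in ([] if el is None else el)]


def summarize_policy(xml_text: str) -> dict:
    """Answer the deck's questions: binding (symmetric/asymmetric/transport),
    algorithm suite with cipher, key size and digest, token types, signed and
    encrypted parts, and whether a timestamp is required."""
    root = ET.fromstring(xml_text)
    binding = next((local(e.tag) for e in root.iter() if local(e.tag) in BINDINGS), None)
    suite_el = root.find(f".//{{{SP}}}AlgorithmSuite/{{{WSP}}}Policy/*")
    suite = local(suite_el.tag) if suite_el is not None else None
    cipher, bits, digest = ALGORITHM_SUITES.get(suite, (None, None, None))
    tokens = [local(e.tag) for e in root.iter()
              if local(e.tag).endswith("Token") and local(e.tag) not in TOKEN_HOLDERS]
    return {
        "binding": binding,
        "algorithm_suite": suite, "symmetric_cipher": cipher, "key_bits": bits, "digest": digest,
        "tokens": tokens,
        "signed_parts": parts(root.find(f".//{{{SP}}}SignedParts")),
        "encrypted_parts": parts(root.find(f".//{{{SP}}}EncryptedParts")),
        "timestamp_required": root.find(f".//{{{SP}}}IncludeTimestamp") is not None,
    }


def review_policy(summary: dict) -> list:
    """Findings a reviewer would raise over a summary; empty list means nothing to flag."""
    findings = []
    if summary["binding"] is None:
        findings.append("no security binding: the policy requires no message protection")
    if summary["digest"] == "SHA-1":
        findings.append("digest SHA-1: prefer a *Sha256 suite")
    if summary["symmetric_cipher"] == "3DES" or (summary["key_bits"] or 0) < 128:
        findings.append("weak symmetric cipher or key size")
    if summary["encrypted_parts"] and not summary["signed_parts"]:
        findings.append("Body encrypted but nothing signed: ciphertext can be altered undetected")
    if not summary["timestamp_required"]:
        findings.append("no sp:IncludeTimestamp: signed messages can be replayed")
    return findings
```

The policy is what the caller's stack (Axis2/Rampart in WSO2's case) reads to decide what to sign, what to encrypt and with which suite, so a review of the service's security is largely a review of this document: the binding element answers symmetric versus asymmetric, the AlgorithmSuite answers algorithm and key size, SignedParts and EncryptedParts answer which elements, and the token assertions answer token types.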
Finally… all on the
   White Board…
http://wso2.com
http://wso2.com/about/contact
bizdev@wso2.com

prabath@wso2.com
Thank You…!!!