WS-Security
Clement Song, 02-09-04


Outline

What is WS-Security?
Why WS-Security?
Terminology
How to Secure?
Code
Demos
Reference

What is WS-Security?

WS-Security: SOAP message protection through message integrity, confidentiality, and single message authentication.

Extensible and flexible (multiple security tokens, trust domains, signature formats, and encryption technologies).

A flexible set of mechanisms that can be used to construct a range of security protocols.

Source: WS-Security version 1.0, ref [1]

Why WS-Security?

Secure SOAP message exchange.

Terminology Reference

Claim - A claim is a statement that a requestor makes (e.g. name, identity, key, group, privilege, capability, etc).

Security Token - A security token represents a collection of claims.

Signed Security Token - A signed security token is a security token that is asserted and cryptographically endorsed by a specific authority (e.g. an X.509 certificate or a Kerberos ticket).

Proof-of-Possession - The proof-of-possession information is data that is used in a proof process to demonstrate the sender's knowledge of information that should only be known to the claiming sender of a security token.

Terminology Reference

Digest - A digest is a cryptographic checksum of an octet stream.

Signature - A signature is a cryptographic binding of a proof-of-possession and a digest. This covers both symmetric key-based and public key-based signatures. Consequently, non-repudiation

Non-repudiation - means to ensure that a transferred message has been sent and received by the parties claiming to have sent and received the message. A way to guarantee that the sender of a message cannot later deny having sent the message and that the recipient cannot deny having received the message.

How to Secure?

Integrity - information is not modified in transit
  XML Signature in conjunction with security tokens
  Multiple signatures, multiple actors, additional signature formats

How to Secure?

Confidentiality - only authorized actors or security token owners can view the data
  XML Encryption in conjunction with security tokens
  Multiple encryption processes, multiple actors

How to Secure?

Authentication - you are who you say you are
  Security Tokens

Syntax

<S:Envelope>
  <S:Header>
    ...
    <Security S:actor="..." S:mustUnderstand="...">
      ...
    </Security>
    ...
  </S:Header>
  <S:Body>
    ...
  </S:Body>
</S:Envelope>

UsernameToken Element

<UsernameToken Id="...">
  <Username>...</Username>
  <Password Type="...">...</Password>
</UsernameToken>

Types:

wsse:PasswordText (default) - The actual password for the username.

wsse:PasswordDigest - The digest of the password for the username. The value is a base64-encoded SHA1 hash value of the UTF8-encoded password.

UsernameToken Example

<wsse:Security>
  <wsse:UsernameToken>
    <wsse:Username>Zoe</wsse:Username>
    <wsse:Password>ILoveDogs</wsse:Password>
  </wsse:UsernameToken>
</wsse:Security>
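The following is an added example, not code from the deck: it builds a wsse:UsernameToken for both Password types listed on the previous slide and shows how a receiver checks one against its own credential store. The wsse namespace URI and the Zoe / ILoveDogs pair are taken from the slides; the user table, the token Id and the check function are constructed here.

```python
# Added example (not from the slides): build and check a wsse:UsernameToken
# for both Password types on slide 11.  The namespace URI and the Zoe /
# ILoveDogs pair come from the deck; the user table is constructed here.
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

WSSE = "http://schemas.xmlsoap.org/ws/2002/04/secext"
PASSWORD_TEXT = "wsse:PasswordText"
PASSWORD_DIGEST = "wsse:PasswordDigest"

# Constructed credential store standing in for the receiver's user database.
USERS = {"Zoe": "ILoveDogs"}


def password_digest(password):
    """PasswordDigest as the slide defines it: base64(SHA-1(UTF-8 password))."""
    return base64.b64encode(hashlib.sha1(password.encode("utf-8")).digest()).decode("ascii")


def build_username_token(username, password, password_type=PASSWORD_DIGEST):
    """Sender side: serialize a UsernameToken carrying the chosen Password type."""
    token = ET.Element(f"{{{WSSE}}}UsernameToken", {"Id": "UsernameToken-1"})
    ET.SubElement(token, f"{{{WSSE}}}Username").text = username
    password_elem = ET.SubElement(token, f"{{{WSSE}}}Password", {"Type": password_type})
    password_elem.text = password if password_type == PASSWORD_TEXT else password_digest(password)
    return ET.tostring(token, encoding="unicode")


def check_username_token(token_xml, lookup_password=USERS.get):
    """Receiver side: accept only if the presented value matches what is on file
    for the Username, computed according to the token's Password Type."""
    token = ET.fromstring(token_xml)
    username = token.findtext(f"{{{WSSE}}}Username")
    password_elem = token.find(f"{{{WSSE}}}Password")
    if username is None or password_elem is None:
        return False
    stored = lookup_password(username)
    if stored is None:
        return False            # unknown user: nothing to compare against
    # Type defaults to wsse:PasswordText when the attribute is absent (slide 11).
    password_type = password_elem.get("Type", PASSWORD_TEXT)
    if password_type == PASSWORD_TEXT:
        expected = stored
    elif password_type == PASSWORD_DIGEST:
        expected = password_digest(stored)
    else:
        return False            # unknown Type: reject rather than guess
    presented = (password_elem.text or "").strip()
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(presented.encode("utf-8"), expected.encode("utf-8"))


def demo():
    """Constructed exercise: valid digest, wrong password, unknown user, valid plaintext."""
    return (
        check_username_token(build_username_token("Zoe", "ILoveDogs")),
        check_username_token(build_username_token("Zoe", "ILoveCats")),
        check_username_token(build_username_token("Bob", "ILoveDogs")),
        check_username_token(build_username_token("Zoe", "ILoveDogs", PASSWORD_TEXT)),
    )


if __name__ == "__main__":
    print(demo())  # (True, False, False, True)
```

Two points for anyone deploying this. The digest as the slide defines it is a function of the password alone, so it keeps the password itself out of the message, but the same digest value is valid on every message; the later OASIS Username Token Profile computes the digest over a nonce, a creation timestamp and the password, and expects receivers to reject reused nonces and stale timestamps. PasswordText sends the password in the clear, so it relies on the transport (or XML Encryption of the token) for confidentiality.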

Binary Security Tokens

<BinarySecurityToken Id="..." EncodingType="..." ValueType="..."/>

EncodingType:
  wsse:Base64Binary - base 64 encoding
  wsse:HexBinary - hex encoding

ValueType:
  wsse:X509v3 - X.509 v3 certificate
  wsse:Kerberosv5TGT - Kerberos v5 ticket, ticket granting ticket
  wsse:Kerberosv5ST - Kerberos v5 ticket, service ticket

Binary Security Tokens Example

<wsse:BinarySecurityToken
    xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/04/secext"
    Id="myToken" ValueType="wsse:X509v3"
    EncodingType="wsse:Base64Binary">
  MIIEZzCCA9CgAwIBAgIQEmtJZc0...
</wsse:BinarySecurityToken>

SecurityTokenReference

<SecurityTokenReference Id="...">
  <Reference URI="..."/>
</SecurityTokenReference>

Example:

<wsse:SecurityTokenReference
    xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/04/secext">
  <wsse:Reference URI="http://www.fabrikam123.com/tokens/Zoe#X509token"/>
</wsse:SecurityTokenReference>
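As an added example (not from the deck), the receiver-side handling of the last few slides together: locate the wsse:Security header of the Syntax slide with its actor and mustUnderstand attributes, decode a BinarySecurityToken according to its EncodingType and ValueType, and follow a SecurityTokenReference to the token it names. The namespace URIs and wsse:* type names are those on the slides; the envelope and the token bytes are constructed here, and the "certificate" is a placeholder string rather than a real X.509 certificate.

```python
# Added example (not from the slides): parse the wsse:Security header, decode
# BinarySecurityTokens by EncodingType, resolve a SecurityTokenReference.
# Namespace URIs and wsse:* names are from the deck; envelope and token bytes
# are constructed here (SAMPLE_CERT is a placeholder, not a real certificate).
import base64
import binascii
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://schemas.xmlsoap.org/ws/2002/04/secext"

SAMPLE_CERT = b"PLACEHOLDER-CERTIFICATE-BYTES"   # constructed stand-in for DER bytes
SAMPLE_ENVELOPE = f"""<S:Envelope xmlns:S="{SOAP}" xmlns:wsse="{WSSE}">
  <S:Header>
    <wsse:Security S:mustUnderstand="1">
      <wsse:BinarySecurityToken Id="X509Token" ValueType="wsse:X509v3"
          EncodingType="wsse:Base64Binary">{base64.b64encode(SAMPLE_CERT).decode()}</wsse:BinarySecurityToken>
      <wsse:BinarySecurityToken Id="HexToken" ValueType="wsse:X509v3"
          EncodingType="wsse:HexBinary">{SAMPLE_CERT.hex()}</wsse:BinarySecurityToken>
      <wsse:SecurityTokenReference Id="STR-1">
        <wsse:Reference URI="#X509Token"/>
      </wsse:SecurityTokenReference>
    </wsse:Security>
  </S:Header>
  <S:Body/>
</S:Envelope>"""

DECODERS = {"wsse:Base64Binary": base64.b64decode, "wsse:HexBinary": binascii.unhexlify}
KNOWN_VALUE_TYPES = {"wsse:X509v3", "wsse:Kerberosv5TGT", "wsse:Kerberosv5ST"}


def security_headers(root):
    """Each wsse:Security block as (S:actor or None for the ultimate receiver,
    mustUnderstand flag, element).  A block the receiver cannot process but
    which is marked mustUnderstand must make it fault, not ignore the block."""
    result = []
    for sec in root.findall(f"{{{SOAP}}}Header/{{{WSSE}}}Security"):
        must = sec.get(f"{{{SOAP}}}mustUnderstand") == "1"
        result.append((sec.get(f"{{{SOAP}}}actor"), must, sec))
    return result


def decode_binary_token(token):
    """Return (ValueType, raw bytes); unknown types or encodings are rejected, not guessed."""
    value_type = token.get("ValueType")
    if value_type not in KNOWN_VALUE_TYPES:
        raise ValueError(f"unsupported ValueType {value_type!r}")
    decoder = DECODERS.get(token.get("EncodingType"))
    if decoder is None:
        raise ValueError(f"unsupported EncodingType {token.get('EncodingType')!r}")
    return value_type, decoder((token.text or "").strip())


def resolve_token_reference(root, str_elem):
    """Follow <wsse:Reference URI="#id"/> to the BinarySecurityToken with that Id.
    Only same-document fragments are honoured here: dereferencing a remote URI
    named by an as-yet unauthenticated message would have the receiver fetch
    whatever the sender chose."""
    ref = str_elem.find(f"{{{WSSE}}}Reference")
    uri = ref.get("URI", "") if ref is not None else ""
    if not uri.startswith("#"):
        raise ValueError(f"refusing non-local token reference {uri!r}")
    for token in root.iter(f"{{{WSSE}}}BinarySecurityToken"):
        if token.get("Id") == uri[1:]:
            return decode_binary_token(token)
    raise LookupError(f"no BinarySecurityToken with Id {uri[1:]!r}")


def demo():
    """Walk the constructed envelope: header flags, STR resolution, hex-encoded token."""
    root = ET.fromstring(SAMPLE_ENVELOPE)
    actor, must_understand, security = security_headers(root)[0]
    str_elem = security.find(f"{{{WSSE}}}SecurityTokenReference")
    value_type, cert_bytes = resolve_token_reference(root, str_elem)
    hex_token = security.find(f"{{{WSSE}}}BinarySecurityToken[@Id='HexToken']")
    return actor, must_understand, value_type, cert_bytes, decode_binary_token(hex_token)[1]


if __name__ == "__main__":
    print(demo())
```

The decoded bytes are only the token's octets; whether the certificate chains to a trusted authority, and whether the sender actually holds the matching private key (proof-of-possession, normally shown by the signature on the next slides), are separate checks that come after this step.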

Username Token Demo

Digital Signing

XML Signature

<Signature ID?>
  <SignedInfo>
    <CanonicalizationMethod/>
    <SignatureMethod/>
    (<Reference URI? >
      (<Transforms>)?
      <DigestMethod>
      <DigestValue>
    </Reference>)+
  </SignedInfo>
  <SignatureValue>
  (<KeyInfo>)?
  (<Object ID?>)*
</Signature>

XML Signature Example

<Signature Id="MyFirstSignature" xmlns="http://www.w3.org/2000/09/xmldsig#">
  <SignedInfo>
    <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
    <Reference URI="http://www.w3.org/TR/2000/REC-xhtml1-20000126/">
      <Transforms>
        <Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
      </Transforms>
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <DigestValue>j6lwx3rvEPO0vKtMup4NbeVu8nk=</DigestValue>
    </Reference>
  </SignedInfo>
  <SignatureValue>MC0CFFrVLtRlk=...</SignatureValue>
  <KeyInfo>
    <KeyValue>
      <DSAKeyValue>
        <P>...</P><Q>...</Q><G>...</G><Y>...</Y>
      </DSAKeyValue>
    </KeyValue>
  </KeyInfo>
</Signature>

XML signature in WS-Security

<wsse:Security>
  <wsse:BinarySecurityToken ValueType="wsse:X509v3"
      EncodingType="wsse:Base64Binary" Id="X509Token">
    MIIEZzCCA9CgAwIBAgIQEmtJZc0rqrKh5i...
  </wsse:BinarySecurityToken>
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference>
        <ds:Transforms>
          <ds:Transform Algorithm="http://...#RoutingTransform"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>EULddytSo1...</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>BL8jdfToEb1l/vXcMZNNjPOV...</ds:SignatureValue>
    <ds:KeyInfo>
      <wsse:SecurityTokenReference>
        <wsse:Reference URI="#X509Token"/>
      </wsse:SecurityTokenReference>
    </ds:KeyInfo>
  </ds:Signature>
</wsse:Security>
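The three XML Signature slides describe a two-stage structure: each Reference carries a digest of the canonicalized element it points at, and the SignatureValue is then computed over the canonicalized SignedInfo (so it covers the digests, not the body directly). The block below is an added example, not code from the deck, that carries this out end to end and verifies it. Two substitutions are assumptions made here so the example runs on the Python standard library alone: the SignatureMethod is XML DSig's hmac-sha1 (a symmetric method, which the Terminology slide notes signatures also cover) instead of the rsa-sha1 / dsa-sha1 on the slides, and the stdlib C14N 2.0 writer stands in for the C14N / Exclusive C14N algorithms the slides name. The envelope and key are constructed.

```python
# Added example (not from the slides): sign and verify a SOAP Body the way the
# XML Signature slides describe.  Assumptions not from the deck: hmac-sha1 as
# SignatureMethod (symmetric, so no external crypto library is needed) and
# the stdlib C14N 2.0 writer in place of C14N / Exclusive C14N.
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://schemas.xmlsoap.org/ws/2002/04/secext"
DS = "http://www.w3.org/2000/09/xmldsig#"
SHA1_URI = DS + "sha1"
HMAC_SHA1_URI = DS + "hmac-sha1"
C14N_URI = "http://www.w3.org/2001/10/xml-exc-c14n#"   # URI as on the slide; see note above

SHARED_KEY = b"constructed-demo-key"   # constructed; real deployments derive it from the security token


def canonical_bytes(elem):
    """Canonical serialization of one element; signer and verifier must agree byte for byte."""
    text = ET.tostring(elem, encoding="unicode")
    return ET.canonicalize(text, strip_text=True, rewrite_prefixes=True).encode("utf-8")


def digest_b64(elem):
    """<ds:DigestValue>: base64(SHA-1(canonical referenced element))."""
    return base64.b64encode(hashlib.sha1(canonical_bytes(elem)).digest()).decode("ascii")


def build_envelope(order_text):
    """Constructed SOAP envelope: empty wsse:Security header, Body carrying Id="Body"."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP}}}Header")
    ET.SubElement(header, f"{{{WSSE}}}Security", {f"{{{SOAP}}}mustUnderstand": "1"})
    body = ET.SubElement(env, f"{{{SOAP}}}Body", {"Id": "Body"})
    ET.SubElement(body, "Order").text = order_text
    return env


def sign(env, key):
    """Add <ds:Signature> with one Reference to #Body; return the serialized message."""
    security = env.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security")
    body = env.find(f"{{{SOAP}}}Body")
    sig = ET.SubElement(security, f"{{{DS}}}Signature")
    signed_info = ET.SubElement(sig, f"{{{DS}}}SignedInfo")
    ET.SubElement(signed_info, f"{{{DS}}}CanonicalizationMethod", {"Algorithm": C14N_URI})
    ET.SubElement(signed_info, f"{{{DS}}}SignatureMethod", {"Algorithm": HMAC_SHA1_URI})
    ref = ET.SubElement(signed_info, f"{{{DS}}}Reference", {"URI": "#Body"})
    ET.SubElement(ref, f"{{{DS}}}DigestMethod", {"Algorithm": SHA1_URI})
    ET.SubElement(ref, f"{{{DS}}}DigestValue").text = digest_b64(body)
    # The MAC covers canonical SignedInfo (and through it the digests), not the Body itself.
    mac = hmac.new(key, canonical_bytes(signed_info), hashlib.sha1).digest()
    ET.SubElement(sig, f"{{{DS}}}SignatureValue").text = base64.b64encode(mac).decode("ascii")
    return ET.tostring(env, encoding="unicode")


def find_unique_by_id(root, frag):
    """Resolve "#frag"; an Id that is missing or ambiguous resolves to nothing."""
    matches = [e for e in root.iter() if e.get("Id") == frag]
    return matches[0] if len(matches) == 1 else None


def verify(xml_text, key):
    """True only if every Reference digest and the SignatureValue check out AND the
    SOAP Body the application will act on is one of the signed elements."""
    root = ET.fromstring(xml_text)
    sig = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security/{{{DS}}}Signature")
    signed_info = sig.find(f"{{{DS}}}SignedInfo") if sig is not None else None
    if signed_info is None:
        return False
    body = root.find(f"{{{SOAP}}}Body")
    body_covered = False
    for ref in signed_info.findall(f"{{{DS}}}Reference"):
        uri = ref.get("URI", "")
        target = find_unique_by_id(root, uri[1:]) if uri.startswith("#") else None
        if target is None:
            return False
        expected = ref.findtext(f"{{{DS}}}DigestValue", "").strip()
        if not hmac.compare_digest(digest_b64(target).encode(), expected.encode()):
            return False
        body_covered = body_covered or target is body
    mac = hmac.new(key, canonical_bytes(signed_info), hashlib.sha1).digest()
    claimed = base64.b64decode(sig.findtext(f"{{{DS}}}SignatureValue", ""))
    return body_covered and hmac.compare_digest(mac, claimed)


def demo():
    """Constructed run: genuine message, same message altered in transit, wrong key."""
    signed = sign(build_envelope("42 widgets for Zoe"), SHARED_KEY)
    tampered = signed.replace("42 widgets", "4200 widgets")
    return verify(signed, SHARED_KEY), verify(tampered, SHARED_KEY), verify(signed, b"other-key")


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The verifier does more than recompute the MAC: it insists that the element the application will consume (the Body) is among the elements whose digests were checked, and it refuses Id references that resolve to more than one element. A signature that checks out over some other element says nothing about the Body, so "signature valid" alone is not the right acceptance condition.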

Digital-Signing Demo

XML Encryption

<EncryptedData Id? Type? MimeType? Encoding?>
  <EncryptionMethod/>?
  <ds:KeyInfo>
    <EncryptedKey>?
    <AgreementMethod>?
    <ds:KeyName>?
    <ds:RetrievalMethod>?
    <ds:*>?
  </ds:KeyInfo>?
  <CipherData>
    <CipherValue>?
    <CipherReference URI?>?
  </CipherData>
  <EncryptionProperties>?
</EncryptedData>

Example

RSA Algorithm Demo (optional)
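An added worked example for this demo slot, not the demo the deck links to: textbook RSA with Python integers, covering key generation (Miller-Rabin prime search, e = 65537, d = e^-1 mod (p-1)(q-1)), signing a SHA-1 digest as s = h^d mod n, and verification as s^e mod n == h. Everything here is constructed to illustrate the arithmetic; it applies no padding scheme, so it is not the rsa-sha1 method of XML Signature (which uses PKCS#1 padding) and is not suitable for protecting anything.

```python
# Added example (not from the slides): textbook RSA for the "RSA Algorithm
# Demo" slot.  Illustrates the math only: no padding, so this is NOT the
# rsa-sha1 method used by XML Signature and must not be used in production.
import hashlib
import math
import random

_SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
_rng = random.SystemRandom()


def is_probable_prime(n, rounds=32):
    """Miller-Rabin: trial division by small primes, then `rounds` random witnesses."""
    if n < 2:
        return False
    for p in _SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:          # write n - 1 as 2^r * d with d odd
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False       # witness proves n composite
    return True


def random_prime(bits):
    """Random odd candidate with the top bit set, retried until it passes the test."""
    while True:
        candidate = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def generate_keypair(bits=512):
    """Return ((e, n), (d, n)) with n = p*q and d = e^-1 mod (p-1)(q-1)."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            break
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (e, p * q), (d, p * q)


def digest_int(message):
    """The deck's 'digest' (SHA-1 of the octet stream) read as an integer; 160 bits, so < n."""
    return int.from_bytes(hashlib.sha1(message).digest(), "big")


def sign(message, private_key):
    """s = h^d mod n, where h is the digest of the message."""
    d, n = private_key
    return pow(digest_int(message), d, n)


def verify(message, signature, public_key):
    """Accept iff s^e mod n equals the digest recomputed from the message."""
    e, n = public_key
    return pow(signature, e, n) == digest_int(message)


def demo():
    """Constructed run: a fresh key pair, one genuine check and one altered message."""
    public, private = generate_keypair()
    s = sign(b"Zoe orders 42 widgets", private)
    return verify(b"Zoe orders 42 widgets", s, public), verify(b"Zoe orders 4200 widgets", s, public)


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The point to carry back to the signature slides: a signature binds a digest to a key holder (the "proof-of-possession and a digest" of the Terminology slide), so the verifier's job is to recompute the digest from what it received and compare. With asymmetric RSA only the private-key holder can produce s, which is what makes the public-key case relevant to non-repudiation in a way the symmetric case is not.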

Primary References

1. WS-Security Specification
   http://msdn.microsoft.com/webservices/understanding/advancedwebservices/default.aspx?pull=/library/en-us/dnglobspec/html/ws-security.asp

2. WS-Security AppNotes (examples and guidance to implementers)
   http://www-106.ibm.com/developerworks/library/ws-secapp/

Secondary References

1. XML signature (Syntax and processing)
   http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/

2. XML encryption (Syntax and processing)
   http://www.w3.org/TR/xmlenc-core/

3. RSA encryption Demo (Explain how RSA works)
   http://intercom.virginia.edu/crypto/crypto.html