XML and Web Service Security Survey

Lili Sun
sun@usq.edu.au
Outline
• Introduction
• What is security?
• XML-based Web services security standards
- XML signatures,
- XML encryption,
- XML Key Management Specification,
- Extensible Access Control Markup Language,
- Security Assertion Markup Language,
- WS-Security.
• How they work together
• Conclusion
20/06/09 2
Introduction
• Meeting security requirements for privacy, confidentiality
and integrity is essential in order to move business
online.
• XML has been widely used in e-services and m-services.
• XML has emerged as a prevalent standard for document
representation and exchange on the Web.
• The following example shows a credit card message
from a bank as an XML document. Without protective
security, anyone can read it.

<?xml version="1.0" encoding="ISO-8859-1"?>
<PaymentInfo xmlns="http://example.org/paymentv2">
  <name>John Smith</name>
  <CreditCard Limit="$5000">
    <Number>1234 5678 9012</Number>
    <Issuer> Bank </Issuer>
    <Expiration>11/07</Expiration>
  </CreditCard>
</PaymentInfo>

• Current security technologies, such as SSL and TLS,
provide several specifications for web service applications.
• In this topic, I will introduce the standards for XML and
Web service security.

What is Security
Concrete Forms of Security:
• Confidentiality: can prying eyes see it?
• Authentication: are you who you say you are?
• Trust: have I agreed to work with you?
• Non-repudiation: can you claim you didn’t send
it even if you really did?
• Integrity: was it changed before I got it?
• Authorization: are you allowed to have it?

Issues with Current Web Security Schemes

SSL/TLS/HTTPS
• Transport-level security (not message-level security)
• Point-to-point security only; does not handle end-to-end,
multi-hop message security
• Secures data only while it is in transit, not once it is
out of transit
• HTTPS doesn’t support non-repudiation
• No element-wise signing and encryption

New opportunities

• The web services security infrastructure can take
advantage of XML’s granularity
- Encrypt or sign the selected portions
- Act on and rewrite individual headers
- Hardware appliances could accelerate these functions

XML & Web Services Security Standards
• XML Digital Signature
• XML Encryption
• XKMS (XML Key Management Specification)
• XACML (eXtensible Access Control Markup Language)
• SAML (Security Assertion Markup Language)
• WS-Security

Standards Framework

XML Signature
• Digital signatures are an important
element in electronic security because
they can be used to ensure the integrity,
authentication, and non-repudiation of
data.
- XML syntax for representing signatures of web resources
and portions of resources
- Procedures for computing and verifying such signatures
- Canonicalization of XML data

Why XML Digital Signature
• Very flexible, thus can support a diverse set
of internet transaction models
- Can sign individual items of an XML document
- Can sign multiple items
- Can sign both local and remote objects
- Can sign both XML and non-XML contents
- Allows multiple levels of signing of the same content

XML Signature Types
There are three types of XML Signature:
Enveloped: The XML Signature is included in the XML document. It is
a child element of the XML document.
For example,
<document>
  <signature> … </signature>
</document>

Figure 1: Enveloped Signature (a Signed Document containing a Signature element with SignedInfo and Reference)

Enveloping: The XML document is included in the XML Signature; it is
a child element of the XML signature.
For example,
<signature>
  <document> … </document>
</signature>

Figure 2: Enveloping Signature (a Signature element with SignedInfo and Reference, containing an Object that holds the Signed Data)

Detached: The XML Signature is included in a separate document
from the signed document.
For example, <signature> … </signature>

Figure 3: Detached Signature (the Signature, with SignedInfo and its Reference elements, sits apart from the Signed Data it refers to)

The structure of XML Signature

The following shows the structure of XML Signature. Elements in
parentheses are written as in the original outline.

<Signature ID>
  <SignedInfo>                 The information that is actually signed
    <CanonicalizationMethod/>  The algorithm used to transform the data into canonical XML
    <SignatureMethod/>         The algorithm used to generate the signature
    (<Reference URI>           The method used to generate the digest, and the resulting digest value
      <DigestMethod>
      <DigestValue>
    </Reference>)
  </SignedInfo>
  <SignatureValue>             The actual signature value
  (<KeyInfo>)                  An indication of the key that must be used to validate the signature
</Signature>

Example XML Signature

<Signature Id="MyFirstSignature" xmlns="http://www.w3.org/2000/09/xmldsig#">
  <SignedInfo>
    <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
    <Reference URI="PurchaseOrder">
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <DigestValue>j6lwx3rvEPO0vKtMup4NbeVu8nk=</DigestValue>
    </Reference>
  </SignedInfo>
  <SignatureValue>MC0CFFrVLtRlk=...</SignatureValue>
  <KeyInfo>
    <KeyValue>
      <DSAKeyValue>
        <P>...</P><Q>...</Q><G>...</G><Y>...</Y>
      </DSAKeyValue>
    </KeyValue>
  </KeyInfo>
</Signature>
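
Added example (not from the original slides): the two-step procedure behind the structure above, where each Reference carries a digest of the canonicalized data and SignatureValue is computed over the canonicalized SignedInfo. It assumes HMAC-SHA256 with a constructed shared key in place of the slide's DSA key, SHA-256 in place of SHA-1, and Python's built-in C14N 2.0 in place of C14N 1.0; the order documents and helper names are constructed for illustration.

```python
import base64, copy, hashlib, hmac
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
KEY = b"constructed-demo-key"  # assumption: shared secret standing in for the DSA key pair
# Constructed samples: one order serialized two ways, plus a tampered copy.
ORDER_A = '<PurchaseOrder Id="PurchaseOrder" currency="USD"><Item qty="2">Widget</Item></PurchaseOrder>'
ORDER_B = "<PurchaseOrder  currency='USD'  Id='PurchaseOrder'><Item qty='2'>Widget</Item></PurchaseOrder>"
ORDER_TAMPERED = ORDER_A.replace('qty="2"', 'qty="20"')

def tag(name):
    return f"{{{DS}}}{name}"

def c14n(xml_text):
    # Canonical form: attribute order, quoting and in-tag whitespace are normalized.
    return ET.canonicalize(xml_text).encode("utf-8")

def digest_value(xml_text):
    return base64.b64encode(hashlib.sha256(c14n(xml_text)).digest()).decode("ascii")

def signature_value(signed_info):
    # The signature covers the canonicalized <SignedInfo>, not the document itself.
    mac = hmac.new(KEY, c14n(ET.tostring(signed_info, encoding="unicode")), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode("ascii")

def sign(uri, xml_text):
    sig = ET.Element(tag("Signature"))
    info = ET.SubElement(sig, tag("SignedInfo"))
    ET.SubElement(info, tag("CanonicalizationMethod"), Algorithm="http://www.w3.org/2010/xml-c14n2")
    ET.SubElement(info, tag("SignatureMethod"), Algorithm="http://www.w3.org/2001/04/xmldsig-more#hmac-sha256")
    ref = ET.SubElement(info, tag("Reference"), URI=uri)
    ET.SubElement(ref, tag("DigestMethod"), Algorithm="http://www.w3.org/2001/04/xmlenc#sha256")
    ET.SubElement(ref, tag("DigestValue")).text = digest_value(xml_text)
    ET.SubElement(sig, tag("SignatureValue")).text = signature_value(info)
    return sig

def verify(sig, xml_text):
    info = sig.find(tag("SignedInfo"))
    sig_ok = hmac.compare_digest(signature_value(info), sig.findtext(tag("SignatureValue")))
    ref_ok = hmac.compare_digest(digest_value(xml_text), info.findtext(".//" + tag("DigestValue")))
    return sig_ok and ref_ok

def demo():
    sig = sign("#PurchaseOrder", ORDER_A)
    forged = copy.deepcopy(sig)  # DigestValue rewritten to match the tampered order
    forged.find(".//" + tag("DigestValue")).text = digest_value(ORDER_TAMPERED)
    return verify(sig, ORDER_B), verify(sig, ORDER_TAMPERED), verify(forged, ORDER_TAMPERED)

if __name__ == "__main__":
    print(demo())
```

The re-serialized order still verifies because both forms canonicalize to the same bytes, while the tampered order fails on its digest and the rewritten DigestValue fails because SignedInfo itself is what was signed.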

XML Encryption
What is XML Encryption
The XML Encryption Syntax and Processing specification
defines an XML vocabulary and processing rules for
protecting the confidentiality of XML documents.
Defines:
– XML syntax for encrypted data
– Encrypting/decrypting such data
– Can encrypt only certain parts of a document

XML Encryption and SSL
– SSL encrypts all the data transmitted through an SSL channel
– XML Encryption can encrypt portions of the data selectively,
for example, a specific element within an XML document

XML Encryption Structure
<EncryptedData>               Encryption element
  <EncryptionMethod>          Encryption algorithm
  <ds:KeyInfo>                Key information
    <EncryptedKey>
    <AgreementMethod>
    <ds:KeyName>
  </ds:KeyInfo>
  <CipherData>                Raw encrypted data
    <CipherValue>
    <CipherReference>
  </CipherData>
  <EncryptionProperties>
</EncryptedData>

The <EncryptedData> element is the core element in the syntax. It contains:
– <EncryptionMethod>
– <ds:KeyInfo>
– <CipherData>
– <EncryptionProperties>

Example of Encryption
This example encrypts only the content of the <CreditCard> element.

<?xml version="1.0" encoding="ISO-8859-1"?>
<PaymentInfo xmlns="http://example.org/paymentv2">
  <name>John Smith</name>
  <CreditCard Limit="$5000">
    <EncryptedData
        xmlns="http://www.w3.org/2001/04/xmlenc#"
        Type="http://www.w3.org/2001/04/xmlenc#Content">
      <CipherData>
        <CipherValue>A23B45C67</CipherValue>
      </CipherData>
    </EncryptedData>
  </CreditCard>
</PaymentInfo>

XKMS (XML Key Management Specification)
What is XKMS?
– XKMS defines a protocol between an XKMS client and an XKMS
server for performing public-key infrastructure (PKI)
operations:
  - public key registration
  - public key validation
  - public key discovery
  - public key revocation
– The XKMS server provides a trust service in the form of a Web
service
– Used along with XML digital signing and encryption

Why XKMS?

• PKI is very important to Web services and e-commerce
• PKI operations are too expensive for small devices
- XKMS reduces the processing burden by moving it to an
XKMS server
• PKI operations are too complex for many applications
- XKMS eases the integration of PKI by moving the
complexity of PKI operations to an XKMS server

XKMS Specifications

– XKISS: XML Key Information Service Specification
  Defines a protocol for validation of public keys
– XKRSS: XML Key Registration Service Specification
  Defines a protocol for registration, revocation and
  recovery of public keys

XACML (eXtensible Access Control Markup Language)
• XACML is an XML specification for
expressing fine-grained information
access policies in XML documents or any
other electronic resources
• Access control lists in XACML are 4-tuples:
subjects, target objects, permitted action, provision

Why XACML?
• Standardize access control language in XML
- Extensible language with flexible semantics
• Lower costs
- No need to write policy in several languages
• Simpler
- Admins only need to understand one language
• Policy composition
- Policies written by different parties can be combined

XACML Use Case
2. A patient has a patient record that includes mental
problem notes.
3. The patient grants access to the mental
problem notes only to the primary care doctor.
4. The primary care doctor grants an associate doctor
access to the patient record, with an access
restriction so that the associate doctor
has no access to the mental problem notes.

SAML (Security Assertion Markup Language)
What is SAML?
- SAML defines an XML framework for exchanging
authentication and authorization information.
- SAML can be used to realize single sign-on (SSO)
between different systems and platforms.

Why SAML?

• Standards are emerging for many aspects of
collaborative e-commerce, such as:
- Business transactions
- Software interactions
• SAML was developed for sharing security
information.

SAML Use case

• Web single sign-on (SSO)
A general requirement when using multiple networked
systems is "single sign-on": authenticating once and
then sharing the result of authentication with multiple
systems to avoid repeated authentication.

For example, logged-in (authenticated) users of
Smith.com are allowed to access the sister site
Johns.com without logging in again.

WS-Security
WS-Security Specification
• Defines new SOAP extensions to provide
pre-message authentication, as well as
end-to-end message confidentiality using
XML Encryption and end-to-end message
integrity using XML Digital Signature in a
Web services environment.

How they work together
SAML and Other Standards
• SAML and XML Digital Signature
– XML Digital Signature is used to sign and canonicalize SAML
assertions
• SAML and XML Encryption
– XML Encryption is used for encrypting and decrypting SAML
assertions
• SAML and XKMS
– SAML could be secured by XKMS-based PKI
• SAML and XACML
– XACML could be used to define access control policy as a basis for
handling SAML assertion requests
• SAML and WS-Security
– SAML assertions can be carried as security tokens defined in
WS-Security

Conclusion
• This topic has presented a brief introduction to
XML and Web services security standards and
how they work together.

• The XML Security standards define XML
languages and processing rules for meeting
common security requirements. For the most
part, these standards incorporate the use of
the other XML Security standards, especially the
core XML Digital Signature and XML Encryption
standards.
