
Web services security

Suresh Inavolu
Agenda
Why Web services security
Cryptography
o Shared key
o Public key
XML Signatures
XML Encryption
WS-Policy
WS-SecurityPolicy
Conclusion
Why Web services security
1) Read the message: pin number of Customer1
2) Change the message: send money to CustomerX
3) Create a new message and send it as if Customer1 is requesting.

<Request custId="Customer1" pin="myQw6k3z">
  <SendMoney to="Customer2" amount="10000"/>
</Request>

Security terms
1) Confidentiality: No one other than the receiver can understand the message
2) Integrity: The message has not been changed in between
3) Authentication: The message is sent by the original sender
Cryptography
Shared key encryption
o Also called Symmetric key encryption
Public key encryption
o Also called Asymmetric key encryption
o Different keys (Only private key is kept secret)
XML Signatures
Used for authentication and data integrity.
Digital signatures
o Encrypt the hash of the message using private key
Digital Signature
Calculating Digital signature

<Request custId="Customer1" pin="myQw6k3z">
  <SendMoney to="Customer2" amount="10000"/>
</Request>

1) Hash Algorithm like SHA1 -> Hash Value: 50920620636403163
2) Encrypt using Private key -> Digest Value: m1eRh4!pQ(zcB6
3) Message with Digital signature: the message followed by m1eRh4!pQ(zcB6


Digital Signature
Verifying Digital Signatures

Message with Digital signature:
<Request custId="Customer1" pin="myQw6k3z">
  <SendMoney to="Customer2" amount="10000"/>
</Request>
m1eRh4!pQ(zcB6

1) Message -> Hash Algorithm like SHA1 -> Hash Value: 50920620636403163
2) m1eRh4!pQ(zcB6 -> Decrypt using Sender's public key -> Hash Value: 50920620636403163
3) Both Should match
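The calculate-and-verify flow from the two slides above, as an added Python example that is not part of the original deck. It assumes unpadded textbook RSA with a demonstration key built from two published Mersenne primes, SHA-256 in place of SHA1, and hypothetical function names; a real deployment signs through a vetted XML Signature library with a padded scheme.

```python
import hashlib

# Constructed demonstration key from two published Mersenne primes. NOT a secure key.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                      # public key (N, E)
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent, known only to the sender

def digest(message: bytes) -> int:
    """Hash step of the slide (SHA-256 here, the slide names SHA1)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(message: bytes) -> int:
    """Sender: 'encrypt' the hash with the private key."""
    return pow(digest(message), D, N)

def verify(message: bytes, signature: int) -> bool:
    """Receiver: 'decrypt' with the sender's public key; both hash values should match."""
    return pow(signature, E, N) == digest(message)

# Constructed message modelled on the slide, and the "send money to CustomerX" change.
ORIGINAL = (b'<Request custId="Customer1" pin="myQw6k3z">'
            b'<SendMoney to="Customer2" amount="10000"/></Request>')
TAMPERED = ORIGINAL.replace(b"Customer2", b"CustomerX")

def demo():
    """Return (original verifies, tampered verifies) for one signature."""
    signature = sign(ORIGINAL)
    return verify(ORIGINAL, signature), verify(TAMPERED, signature)

if __name__ == "__main__":
    print(demo())
```

The signature gives integrity and authentication only: the pin in the message is still readable, which is what XML Encryption addresses.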


XML Signature
An extension to digital signatures to sign XML messages
Ability to sign only specific portions of the XML tree
Canonicalization
<Request custId="Customer1" pin="myQw6k3z" xmlns="urn://bank/request">
  <SendMoney to="Customer2" amount="10000"/>
  <Comments><![CDATA[Send it in two days to Progress.]]></Comments>
</Request>

<?xml version="1.0"?>
<Request custId='Customer1' pin='myQw6k3z' xmlns="urn://bank/request">
  <SendMoney
    to='Customer2'
    amount='10000'
    bank='abc'>
  </SendMoney>
  <Comments xmlns="urn://bank/request">Send it in two days to &PRGS;.</Comments>
</Request>

However, these two XML documents generate different hash values and hence different digital signatures.
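An added example (not from the original slides) that hashes two physically different serializations before and after canonicalization, using the C14N 2.0 implementation in Python's standard library. DOC_A and DOC_B are constructed variants of the slide documents; the slide's &PRGS; entity and bank attribute would need a DTD, so a character reference stands in for the entity, and the function names are assumptions.

```python
import hashlib
from xml.etree.ElementTree import canonicalize  # C14N 2.0, Python 3.8+

# Constructed inputs modelled on the two slide documents (same logical content).
DOC_A = '''<Request custId="Customer1" pin="myQw6k3z" xmlns="urn://bank/request">
<SendMoney to="Customer2" amount="10000"/>
<Comments><![CDATA[Send it in two days to Progress.]]></Comments>
</Request>'''

# Differences: XML declaration, single quotes, attribute order, whitespace inside
# tags, start/end tag pair, redundant xmlns, character reference instead of "P".
DOC_B = '''<?xml version="1.0"?>
<Request  pin='myQw6k3z'  custId='Customer1' xmlns="urn://bank/request">
<SendMoney
    amount='10000'
    to='Customer2'></SendMoney>
<Comments xmlns="urn://bank/request">Send it in two days to &#80;rogress.</Comments>
</Request>'''

def raw_hash(doc: str) -> str:
    """Hash of the characters exactly as serialized."""
    return hashlib.sha256(doc.encode("utf-8")).hexdigest()

def canonical_hash(doc: str) -> str:
    """Hash of the canonical form, which is what a signature digest should cover."""
    return hashlib.sha256(canonicalize(doc).encode("utf-8")).hexdigest()

def compare(a: str, b: str):
    """Return (raw hashes equal, canonical hashes equal)."""
    return raw_hash(a) == raw_hash(b), canonical_hash(a) == canonical_hash(b)

if __name__ == "__main__":
    print(canonicalize(DOC_A))
    print(compare(DOC_A, DOC_B))
```

Whitespace between elements is content and survives canonicalization, so the two inputs keep identical line breaks between their child elements.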
XML Signature Structure
<Signature ID?>
<SignedInfo>
(CanonicalizationMethod)
(SignatureMethod)
(<Reference URI? >
(Transforms)?
(DigestMethod)
(DigestValue)
</Reference>)+
</SignedInfo>
(SignatureValue)
(KeyInfo)?
(Object ID?)*
</Signature>
Sample XML Signature
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
  <SignedInfo Id="foobar">
    <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
    <Reference URI="http://test/results.xml">
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <DigestValue>j6lwx3rvEPO0vKtMup4NbeVu8nk=</DigestValue>
    </Reference>
    <Reference URI="file:/C:/input.xml#message">
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <DigestValue>UrXLDLBIta6skoV5/A8Q38GEw44=</DigestValue>
    </Reference>
  </SignedInfo>
  <SignatureValue>MC0E~LE=</SignatureValue>
  <KeyInfo>
    <X509Data>
      <X509SubjectName>O=XMLSec Inc.,ST=OTTAWA,C=CA</X509SubjectName>
      <X509Certificate> MIID5jCCA0+gA...lVN </X509Certificate>
    </X509Data>
  </KeyInfo>
</Signature>
XML Encryption
Ensuring Confidentiality of XML Messages
Encrypt data using Shared key technology
Shared key will be distributed
o Either by a separate channel
o Or by encrypting the shared key using the public key of the receiver (Digital Enveloping)
XML Encryption Syntax
<EncryptedData Id? Type? MimeType? Encoding?>
<EncryptionMethod/>?
<ds:KeyInfo>?
</ds:KeyInfo>
<CipherData>
<CipherValue>?
<CipherReference URI?>?
</CipherData>
<EncryptionProperties>?
</EncryptedData>
Sample XML Encryption (using Digital Enveloping)
<EncryptedData>
  <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
  <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <EncryptedKey>
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa"/>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509SubjectName>CN=suresh,OU=Sonic,O=Progress,ST=AP,C=IN</ds:X509SubjectName>
        </ds:X509Data>
      </ds:KeyInfo>
      <CipherData>
        <CipherValue>QYJKoZIhvcNAQkBFhhz</CipherValue>
      </CipherData>
    </EncryptedKey>
  </ds:KeyInfo>
  <CipherData>
    <CipherValue>DTA4MDQwOTA5NTUwNFoXDTA5MDQwOTA5NTUwNFowT</CipherValue>
  </CipherData>
</EncryptedData>
WS-Policy
A framework for describing policy assertions.
Four elements: Policy, All, ExactlyOne, PolicyReference and one attribute: wsp:Optional
All: All policy assertions should be satisfied.
ExactlyOne: Only one policy assertion should be satisfied.
wsp:Optional: Policy assertion is an optional feature.
Operations for processing policies: Normalize, Merge, and Intersect
Policy example
<Policy>
  <All>
    <mtom:OptimizedMimeSerialization wsp:Optional="true"/>
    <wsap:UsingAddressing/>
    <ExactlyOne>
      <sp:TransportBinding>...</sp:TransportBinding>
      <sp:AsymmetricBinding>...</sp:AsymmetricBinding>
    </ExactlyOne>
  </All>
</Policy>

Reusing policy using PolicyReference
<Policy id="common">
  <All>
    <mtom:OptimizedMimeSerialization wsp:Optional="true"/>
    <wsap:UsingAddressing/>
  </All>
</Policy>

<Policy id="security">
  <All>
    <PolicyReference URI="#common"/>
    <ExactlyOne>
      <sp:TransportBinding>...</sp:TransportBinding>
      <sp:AsymmetricBinding>...</sp:AsymmetricBinding>
    </ExactlyOne>
  </All>
</Policy>
Normal Form for Policy Expressions

Policy expression
<Policy>
  <All>
    <mtom:OptimizedMimeSerialization wsp:Optional="true"/>
    <wsap:UsingAddressing/>
    <ExactlyOne>
      <sp:TransportBinding>...</sp:TransportBinding>
      <sp:AsymmetricBinding>...</sp:AsymmetricBinding>
    </ExactlyOne>
  </All>
</Policy>

Normal form
<Policy>
  <ExactlyOne>
    <All>
      <wsap:UsingAddressing/>
      <sp:TransportBinding>...</sp:TransportBinding>
    </All>
    <All>
      <wsap:UsingAddressing/>
      <sp:AsymmetricBinding>...</sp:AsymmetricBinding>
    </All>
    <All>
      <mtom:OptimizedMimeSerialization/>
      <wsap:UsingAddressing/>
      <sp:TransportBinding>...</sp:TransportBinding>
    </All>
    <All>
      <mtom:OptimizedMimeSerialization/>
      <wsap:UsingAddressing/>
      <sp:AsymmetricBinding>...</sp:AsymmetricBinding>
    </All>
  </ExactlyOne>
</Policy>
Compatible Policies
Only mutually compatible policies can interact with each other

Normalized Provider's policy
<Policy>
  <ExactlyOne>
    <All>
      <wsap:UsingAddressing/>
      <sp:TransportBinding>...</sp:TransportBinding>
    </All>
    <All>
      <wsap:UsingAddressing/>
      <sp:AsymmetricBinding>...</sp:AsymmetricBinding>
    </All>
    <All>
      <mtom:OptimizedMimeSerialization/>
      <wsap:UsingAddressing/>
      <sp:TransportBinding>...</sp:TransportBinding>
    </All>
    <All>
      <mtom:OptimizedMimeSerialization/>
      <wsap:UsingAddressing/>
      <sp:AsymmetricBinding>...</sp:AsymmetricBinding>
    </All>
  </ExactlyOne>
</Policy>

Normalized Requestor policy
<Policy>
  <ExactlyOne>
    <All>
      <sp:TransportBinding>...</sp:TransportBinding>
    </All>
    <All>
      <sp:TransportBinding>...</sp:TransportBinding>
      <wsap:UsingAddressing/>
    </All>
  </ExactlyOne>
</Policy>
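The Normalize and Intersect operations applied to the provider and requestor policies above, as an added Python example that is not from the original slides. It assumes the WS-Policy 1.2 namespace for the operators, placeholder namespaces for the wsap and mtom prefixes, and treats each assertion as opaque (nested policy content is not compared); all function names are hypothetical.

```python
import xml.etree.ElementTree as ET

WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"   # assumed WS-Policy 1.2 namespace
SP = "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
OPERATORS = {f"{{{WSP}}}Policy", f"{{{WSP}}}All"}
EXACTLY_ONE, OPTIONAL = f"{{{WSP}}}ExactlyOne", f"{{{WSP}}}Optional"

def alternatives(node):
    """Normalize a subtree into a list of alternatives (sets of assertion QNames)."""
    if node.tag in OPERATORS:        # Policy/All: all children hold -> cross product
        alts = [frozenset()]
        for child in node:
            alts = [a | b for a in alts for b in alternatives(child)]
        return alts
    if node.tag == EXACTLY_ONE:      # ExactlyOne: each child is a separate choice
        return [a for child in node for a in alternatives(child)]
    present = [frozenset([node.tag])]          # plain assertion, treated as opaque
    return [frozenset()] + present if node.get(OPTIONAL) == "true" else present

def normalize(xml_text):
    """Normal form as an ordered, de-duplicated list of alternatives."""
    return list(dict.fromkeys(alternatives(ET.fromstring(xml_text))))

def intersect(provider, requestor):
    """Provider alternatives whose assertion types match a requestor alternative."""
    wanted = set(normalize(requestor))
    return [alt for alt in normalize(provider) if alt in wanted]

def names(alts):
    """Local assertion names per alternative, for readable output."""
    return [sorted(q.split("}")[1] for q in alt) for alt in alts]

# Constructed policies matching the slides; wsap/mtom namespaces are placeholders.
NS = (f'xmlns="{WSP}" xmlns:wsp="{WSP}" xmlns:sp="{SP}" '
      'xmlns:wsap="urn:example:wsap" xmlns:mtom="urn:example:mtom"')
PROVIDER = f'''<Policy {NS}><All>
  <mtom:OptimizedMimeSerialization wsp:Optional="true"/>
  <wsap:UsingAddressing/>
  <ExactlyOne><sp:TransportBinding/><sp:AsymmetricBinding/></ExactlyOne>
</All></Policy>'''
REQUESTOR = f'''<Policy {NS}><ExactlyOne>
  <All><sp:TransportBinding/></All>
  <All><sp:TransportBinding/><wsap:UsingAddressing/></All>
</ExactlyOne></Policy>'''
```

Every provider alternative here carries a security binding; marking a binding wsp:Optional would add an alternative without it, which the normal form makes visible.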
WS-PolicyAttachment
To attach a Policy to a WSDL document
o Using PolicyReference tag (RECOMMENDED)
<wsdl:binding name="SecureBinding" type="tns:RealTimeDataInterface" >
  <wsp:PolicyReference URI="#secure" />
  <wsdl:operation name="GetRealQuote" >...</wsdl:operation>
  ...
</wsdl:binding>
o Using PolicyURIs attribute
<wsdl:binding name="SecureBinding" type="tns:RealTimeDataInterface"
    wsp:PolicyURIs="www.localhost:8080/policies/policy.xml#secure" >
  <wsdl:operation name="GetRealQuote" >...</wsdl:operation>
  ...
</wsdl:binding>
o Using PolicyAttachment
<wsp:PolicyAttachment>
  <wsp:AppliesTo>
    <wsa:EndpointReference xmlns:fabrikam="" >
      <wsa:Address>http://www.fabrikam123.example.com/acct</wsa:Address>
    </wsa:EndpointReference>
  </wsp:AppliesTo>
  <wsp:PolicyReference URI="#secure" />
</wsp:PolicyAttachment>
Effective Policy
WS-SecurityPolicy
Standard way to define how to secure messages exchanged between Web services and clients
Used to publish security requirements and constraints of a Web service using the WSDL specification
Assertions: Security binding assertions, Protection assertions, Token assertions, Protocol assertions
Sonic Create policy wizard
o Security Binding Assertion
o Protection Assertion
o Token Assertion and Protocol assertions
Security binding assertions
Three types of Security Binding assertions
Transport binding assertion (HTTPS)
Asymmetric binding assertion (Public Key)
Symmetric binding assertion (Shared Key)
Token Assertion
Specifies the types of tokens, such as X509, to be used to protect messages
Properties on tokens
o Token Inclusion property (Never, Once, AlwaysToRecipient, Always)

<wsp:Policy>
<sp:X509Token IncludeToken='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always'></sp:X509Token>
</wsp:Policy>
Protection Assertions
Defines which message parts or SOAP headers are protected
Sample WS Policy
<wsp:Policy wsu:Id="TransferMoney"
xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/12/secext"
xmlns:wsrmp="http://schemas.xmlsoap.org/ws/2005/02/rm/policy"
xmlns:sp='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy' >
<wsp:ExactlyOne>
<wsp:All alternative-id="TransferMoneyAlternative">
<sp:AsymmetricBinding>
<wsp:Policy>
<sp:IncludeTimestamp></sp:IncludeTimestamp>
<sp:EncryptBeforeSigning></sp:EncryptBeforeSigning>
<sp:Layout>
<wsp:Policy>
<sp:Lax></sp:Lax>
</wsp:Policy>
</sp:Layout>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:TripleDesRsa15></sp:TripleDesRsa15>
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:RecipientToken>
<wsp:Policy>
<sp:X509Token
IncludeToken='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never'></sp:X509Token>
</wsp:Policy>
</sp:RecipientToken>
<sp:InitiatorToken>
<wsp:Policy>
<sp:X509Token
IncludeToken='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always'></sp:X509Token>
</wsp:Policy>
</sp:InitiatorToken>
</wsp:Policy>
</sp:AsymmetricBinding>
<sp:EncryptedParts>
Conclusion