WSSecurity - PowerPoint PPT Presentation

About This Presentation
Title:

WSSecurity

Slides: 11
Provided by: kalide

Transcript and Presenter's Notes

Title: WSSecurity


1
WS-Security
2
WS-Security History
  • Many standards to secure web services.
  • Microsoft, IBM, and VeriSign submitted security
    specifications to the Organization for the
    Advancement of Structured Information Standards
    (OASIS).
  • WS-Security is the leading web services standard
    to support, integrate and unify multiple security
    models.

3
What is WS-Security?
  • Groups many of the WS security technologies.
  • WS-Security specifies a SOAP mechanism for
    signing and sealing parts of a SOAP message.
  • The WS specifications are a collection of XML
    specs bunched together in the context of a SOAP
    message.

4
Design Principles
  • Decentralization: using the existing namespace
    system of XML and the Internet.
  • Modularity: one of the key factors for the
    success of SOAP. WS-Security promotes it
    through extended metadata, which expresses the
    policies of web services.
  • Transport neutrality: WS-Security acts at the
    SOAP message level of communication, without
    requiring an RPC-style request/reply message
    pattern. The WS-Security specs do not rely on the
    syntax or semantics of any protocol, such as HTTP,
    for carrying the security-related information.

5
WS-Security overview
  • WS-Security provides three security mechanisms:
      • Security Token.
      • Message integrity.
      • Message confidentiality.
  • WS-Security structure: it has a root element
    called Security, which contains four elements:
      • licenseLocation: this element can take
        elements of any type. It is intended to be
        used within the KeyInfo tag in XML Signature.
      • Integrity: based on XML Digital Signature.
      • Confidentiality: based on XML Encryption.
      • Credentials: can only contain one
        sub-element, which can take a sequence of
        limitless elements of any type.

6
The Security Element
  • The security header element provides a mechanism
    for attaching security-related information to a
    SOAP message.
  • The security header element can be present
    multiple times in a SOAP message.
  • The three main elements of Security are:
      • Message Integrity.
      • Message Confidentiality.
      • Credentials.

7
Message Integrity
  • The Integrity element provides a security token
    for the message that assures that the message has
    originated from the specified sender.
  • It also assures that the message has not been
    tampered with during its transmission.
  • The Integrity element uses the XML Signature
    syntax.
  • XML Signature in SOAP:
      • Signature Element.
      • Transforms.
      • Algorithm for Digital Signature.
      • The KeyInfo Element.

8
Preventing Replay Attacks
  • WS-Security uses the <Timestamp> element to
    prevent replay attacks.
  • Issues with Timestamp??

    <S:Header>
      <wsu:Timestamp>
        <wsu:Created>20-02-06 13:45</wsu:Created>
        <wsu:Expires>21-02-06 13:44</wsu:Expires>
        <wsu:Received Actor="http://me.com" Delay="60000">
          20-02-06 13:49
        </wsu:Received>
      </wsu:Timestamp>
    </S:Header>
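
Added example (not part of the original slides): a receiver-side check of the Timestamp that shows two of its issues, clock skew between sender and receiver and the fact that a replay inside the validity window still looks fresh. The OASIS utility namespace, the xsd:dateTime UTC format, the MAX_SKEW and MAX_LIFETIME values, and the names ReplayGuard and sample are assumptions made for this example.

```python
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# OASIS WSS 1.0 utility namespace (assumption; the slides do not name one).
WSU = "{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}"
MAX_SKEW = timedelta(minutes=5)       # assumed tolerance for clock drift
MAX_LIFETIME = timedelta(minutes=10)  # assumed longest Created..Expires window

def _utc(text):
    # Accepts xsd:dateTime in UTC only, e.g. 2006-02-20T13:45:00Z.
    return datetime.strptime(text.strip(), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def sample(created, expires):
    # Constructed message for illustration, shaped like the slide's header.
    return (
        '<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/" '
        f'xmlns:wsu="{WSU[1:-1]}"><S:Header><wsu:Timestamp>'
        f"<wsu:Created>{created}</wsu:Created><wsu:Expires>{expires}</wsu:Expires>"
        "</wsu:Timestamp></S:Header><S:Body/></S:Envelope>"
    ).encode()

class ReplayGuard:
    """Receiver-side check; assumes the signature covering Timestamp is already verified."""

    def __init__(self):
        self.seen = {}  # message digest -> Expires of the accepted message

    def check(self, soap_bytes, now):
        try:
            ts = ET.fromstring(soap_bytes).find(f".//{WSU}Timestamp")
            created = _utc(ts.findtext(f"{WSU}Created"))
            expires = _utc(ts.findtext(f"{WSU}Expires"))
        except (ET.ParseError, AttributeError, ValueError):
            return "reject: missing or malformed Timestamp"
        if created > now + MAX_SKEW:
            return "reject: Created is in the future"
        if expires + MAX_SKEW <= now:
            return "reject: expired"
        if expires - created > MAX_LIFETIME:
            return "reject: validity window too long"
        # A Timestamp alone cannot tell an in-window replay from the original, so keep
        # accepted messages until they expire (a deployment would key on a signed value).
        self.seen = {d: e for d, e in self.seen.items() if e + MAX_SKEW > now}
        digest = hashlib.sha256(soap_bytes).hexdigest()
        if digest in self.seen:
            return "reject: replay"
        self.seen[digest] = expires
        return "accept"
```

A window of almost a full day, like the Created and Expires values on the slide, is rejected by the MAX_LIFETIME check because it would force the receiver to remember every message for that long.
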
9
Credential Element
  • A Security Token represents a collection of
    claims and has the following types:
      • Username Token: a way of providing a
        username and optional password information.
      • Binary Security Token: requires a special
        encoding format for inclusion, such as with
        an X.509 certificate.
      • Security Token Reference: this element
        provides an extensible mechanism for
        referencing security tokens.

10
Advantages of WS-Security
  • Encrypting only what needs to be encrypted (from
    XML Encryption).
  • Outlines a road map and an additional set of
    proposed web services security capabilities.
  • A modular approach to web services security.
  • WS-Security fills the gap for all web services
    security technologies.