WSEnhancements - PowerPoint PPT Presentation

About This Presentation
Title:

WSEnhancements

Description:

How to Create an XML Signature. Step 1: Determine which resources are ... How to Create an XML Signature (cont.) Step 2: Calculate the digest of each resource. ... – PowerPoint PPT presentation

Slides: 44
Provided by: Usku

Transcript and Presenter's Notes

1
WS-Enhancements
  • WS-Security

2
Agenda
  • XML Security Technologies
  • Need for XML Security
  • XML Signature
  • XML Encryption
  • WS-Security
  • WS-Security Policy

3
Need for XML Security
  • Current security technologies in common
    deployment are insufficient for securing business
    transactions on the Web.
  • Most existing browser-based security mechanisms,
    generally adequate for low-value
    business-to-consumer transactions, do not provide
    the enhanced security or flexibility required for
    protecting high-value commercial transactions and
    the sensitive data exchanges that comprise them.

4
Need for XML Security (cont.)
  • As important as protecting the confidentiality of
    business messages is:
  • ensuring their long-term authenticity (who sent
    them?),
  • data integrity (have they been modified in
    transit?), and
  • support for non-repudiation (can the sender deny
    sending them?).
  • Two new security initiatives designed to both
    account for and take advantage of the special
    nature of XML data are:
  • XML Signature
  • XML Encryption

5
XML Signature
  • XML Signature is a method of associating a key
    with referenced data (octets).
  • XML Signatures provide integrity, message
    authentication, and signer authentication
    services for data of any type, whether located
    within the XML that includes the signature or
    elsewhere.

6
How to Create an XML Signature
  • Step 1: Determine which resources are to be
    signed.
  • http://www.srdc.metu.edu.tr/ozgur/index.htm
    references an HTML page
  • http://www.abc.com/test.xml references an XML
    file

7
How to Create an XML Signature (cont.)
  • Step 2: Calculate the digest of each resource.
  • (A digest is a cryptographic hash that takes an
    arbitrary stream of bytes and converts it to a
    single fixed-size value. The most common hash
    mechanism is SHA1, the Secure Hash Algorithm
    created by the US Government.)

    <Reference URI="http://www.srdc.metu.edu.tr/ozgur/index.htm">
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <DigestValue>j6lwx3rvEPO0vKtMup4NbeVu8nk=</DigestValue>
    </Reference>
    <Reference URI="http://www.abc.com/test.xml">
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <DigestValue>UrXLDLBIta6skoV5/A8Q38GEw44=</DigestValue>
    </Reference>

8
How to Create an XML Signature (cont.)
  • Step 3: Collect the Reference elements.

    <SignedInfo Id="foobar">
      <CanonicalizationMethod
          Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
      <Reference URI="http://www.srdc.metu.edu.tr/ozgur/index.htm">
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <DigestValue>j6lwx3rvEPO0vKtMup4NbeVu8nk=</DigestValue>
      </Reference>
      <Reference URI="http://www.abc.com/test.xml">
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <DigestValue>UrXLDLBIta6skoV5/A8Q38GEw44=</DigestValue>
      </Reference>
    </SignedInfo>

9
How to Create an XML Signature (cont.)
  • Step 4: Signing

    <SignatureValue>MC0E~LE=</SignatureValue>

  • Step 5: Add key information

    <KeyInfo>
      <X509Data>
        <X509SubjectName>CN=Ed Simon,O=XMLSec Inc.,ST=OTTAWA,C=CA</X509SubjectName>
        <X509Certificate>MIID5jCCA0gA...lVN</X509Certificate>
      </X509Data>
    </KeyInfo>

10
How to Create an XML Signature (cont.)
  • Step 4: Enclose in a Signature element

    <?xml version="1.0" encoding="UTF-8"?>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
      <SignedInfo Id="foobar">
        <CanonicalizationMethod
            Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
        <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
        <Reference URI="http://www.srdc.metu.edu.tr/ozgur/index.htm">
          <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <DigestValue>j6lwx3rvEPO0vKtMup4NbeVu8nk=</DigestValue>
        </Reference>
        <Reference URI="http://www.abc.com/test.xml">
          <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <DigestValue>UrXLDLBIta6skoV5/A8Q38GEw44=</DigestValue>
        </Reference>
      </SignedInfo>

11
How to Create an XML Signature (cont.)
      <SignatureValue>MC0E~LE=</SignatureValue>
      <KeyInfo>
        <X509Data>
          <X509SubjectName>CN=Ed Simon,O=XMLSec Inc.,ST=OTTAWA,C=CA</X509SubjectName>
          <X509Certificate>MIID5jCCA0gA...lVN</X509Certificate>
        </X509Data>
      </KeyInfo>
    </Signature>

12
Verifying an XML Signature
  • Step 1: Calculate the current hash value
  • Step 2: Calculate the original hash value
  • Step 3: Compare the current and the original
    hash values
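The digest step of signing (slides 7 and 8) and the recompute-and-compare loop of verification (slide 12), as an added Python example that is not part of the original slides. The two resource URIs come from the slides, but their byte contents are constructed here, so the digests differ from the slides' values; the SignatureValue check over the canonicalised SignedInfo needs the signer's key and is deliberately left out.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
SHA1_URI = DSIG_NS + "sha1"
C14N_URI = "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"

# Constructed stand-ins for the two resources the slides reference: these are not
# the real documents, so the digests computed here differ from the slides' values.
RESOURCES = {
    "http://www.srdc.metu.edu.tr/ozgur/index.htm": b"<html><body>hello</body></html>",
    "http://www.abc.com/test.xml": b"<?xml version='1.0'?><test>1</test>",
}

def digest_value(octets: bytes, algorithm: str = SHA1_URI) -> str:
    """Step 2: hash the resource octets and base64-encode the hash (the DigestValue)."""
    if algorithm != SHA1_URI:
        raise ValueError("unsupported DigestMethod: " + algorithm)
    return base64.b64encode(hashlib.sha1(octets).digest()).decode("ascii")

def build_signed_info(uris) -> str:
    """Steps 2 and 3: one Reference per resource, collected under SignedInfo."""
    refs = "".join(
        f'<Reference URI="{u}"><DigestMethod Algorithm="{SHA1_URI}"/>'
        f"<DigestValue>{digest_value(RESOURCES[u])}</DigestValue></Reference>"
        for u in uris
    )
    return (
        f'<SignedInfo xmlns="{DSIG_NS}"><CanonicalizationMethod Algorithm="{C14N_URI}"/>'
        f'<SignatureMethod Algorithm="{DSIG_NS}dsa-sha1"/>{refs}</SignedInfo>'
    )

def verify_references(signed_info_xml: str, fetch=RESOURCES.__getitem__) -> dict:
    """Verification steps 1-3 for every Reference: recompute the current digest of
    the referenced octets and compare it with the original DigestValue. Returns
    {URI: True/False}; a False entry means that resource was altered."""
    root = ET.fromstring(signed_info_xml)
    results = {}
    for ref in root.iterfind(f"{{{DSIG_NS}}}Reference"):
        uri = ref.get("URI")
        algorithm = ref.find(f"{{{DSIG_NS}}}DigestMethod").get("Algorithm")
        original = ref.findtext(f"{{{DSIG_NS}}}DigestValue", "").strip()
        current = digest_value(fetch(uri), algorithm)
        # compare_digest does not leak where the two strings first differ
        results[uri] = hmac.compare_digest(current, original)
    return results
```"
r = verify_references(si, tampered.__getitem__)
assert r["http://www.srdc.metu.edu.tr/ozgur/index.htm"] is True
assert r["http://www.abc.com/test.xml"] is False
</test>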

13
Creating an XML Signature
14
Verifying an XML Signature
15
XML Encryption
  • Provides end-to-end security for applications
    that require secure exchange of structured data.
  • Provides message confidentiality.
  • Enables encrypting specific XML elements
  • Works on arbitrary data (XML, HTML, JPG, etc.)
  • Compatible with XML Digital Signatures.
  • Supports a variety of encryption algorithms and
    techniques.

16
XML Encryption
  • General Form 1

    <EncryptedData>
      <CipherData>
        <CipherValue>
          Cipher text in Base64
        </CipherValue>
      </CipherData>
    </EncryptedData>

17
XML Encryption
  • General Form 2

    <EncryptedData>
      <CipherData>
        <CipherReference>
          pointer (URL)
        </CipherReference>
      </CipherData>
    </EncryptedData>

18
XML Encryption
  • How to encrypt?
  • Access the algorithm to be used for encryption.
  • Get the key for the encryption.
  • Encrypt the data:
  • get octets by serialising the data
  • encrypt the octets using the algorithm
  • unless the data type is implicit for the
    decryptor, it should be provided (including MIME
    type and encoding)

19
XML Encryption
  • EncryptedData is the core element
  • Replaces the encrypted element or
  • Serves as the new document root
  • May contain a KeyInfo element that describes the
    key needed for decryption (borrowed from XML
    Digital Signature)

20
XML Encryption Example
    <purchaseOrder>
      <Order>
        <Item>book</Item>
        <Id>123-958-74598</Id>
        <Quantity>12</Quantity>
      </Order>
      <Payment>
        <CardId>123654-8988889-9996874</CardId>
        <CardName>visa</CardName>
        <ValidDate>20-7-2004</ValidDate>
      </Payment>
    </purchaseOrder>

21
XML Encryption Example (cont.)
  • Encrypting the entire file

    <?xml version='1.0' ?>
    <EncryptedData xmlns='http://www.w3.org/2001/04/xmlenc#'>
      <CipherData>
        <CipherValue>A23B45C56</CipherValue>
      </CipherData>
    </EncryptedData>

22
XML Encryption Example (cont.)
  • Encrypting the Payment element

    <?xml version='1.0' ?>
    <PurchaseOrder>
      <Order>
        <Item>book</Item>
        <Id>123-958-74598</Id>
        <Quantity>12</Quantity>
      </Order>
      <EncryptedData
          Type='http://www.w3.org/2001/04/xmlenc#Element'
          xmlns='http://www.w3.org/2001/04/xmlenc#'>
        <CipherData>
          <CipherValue>A23B45C564587</CipherValue>
        </CipherData>
      </EncryptedData>
    </PurchaseOrder>

23
  • WS-Security

24
What is WS-Security?
  • Describes enhancements to SOAP messaging to
    provide quality of protection through message
    integrity, message confidentiality, and single
    message authentication.
  • Can be used as a suite for a wide variety of
    security models and encryption technologies.

25
WS-Security - Architecture

26
WS-Security
  • Point-to-point (host-to-host) security
  • End-to-end security

27
WS-Security
  • Security Element
  • The <Security> header block provides a mechanism
    for attaching security-related information
    targeted at a specific receiver (SOAP actor).
  • A message may have multiple <Security> header
    blocks if they are targeted at separate
    receivers.

28
WS-Security Token Elements
  • UsernameToken Element
  • A means of providing a username and optional
    password information
  • Example

    <UsernameToken Id="...">
      <Username>...</Username>
      <Password Type="...">...</Password>
    </UsernameToken>

29
WS-Security Token Elements
  • BinarySecurityToken Element
  • A means of including X.509 certificates and
    Kerberos tickets
  • Example

    <wsse:BinarySecurityToken
        xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/04/secext"
        Id="myToken" ValueType="wsse:X509v3"
        EncodingType="wsse:Base64Binary">
      MIIEZzCCA9CgAwIBAgIQEmtJZc0...
    </wsse:BinarySecurityToken>

30
WS-Security Token Elements
  • SecurityTokenReference Element
  • Provides an extensible mechanism for referencing
    security tokens.

    <SecurityTokenReference Id="...">
      <Reference URI="..."/>
    </SecurityTokenReference>

31
WS-Security Example
    <?xml version="1.0" encoding="utf-8"?>
    <S:Envelope xmlns:S="http://www.w3.org/2001/12/soap-envelope"
                xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/04/secext"
                xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
      <S:Header>
        <m:path xmlns:m="http://schemas.xmlsoap.org/rp">
          <m:action>http://fabrikam123.com/getQuote</m:action>
          <m:to>http://fabrikam123.com/stocks</m:to>
          <m:from>mailto:johnsmith@fabrikam123.com</m:from>
          <m:id>uuid:84b9f5d0-33fb-4a81-b02b-5b760641c1d6</m:id>
        </m:path>
        <wsse:Security>
          <wsse:BinarySecurityToken
              ValueType="wsse:X509v3"
              EncodingType="wsse:Base64Binary"
              Id="X509Token">
            MIIEZzCCA9CgAwIBAgIQEmtJZc0rqrKh5i...
          </wsse:BinarySecurityToken>

32
WS-Security Example
          <ds:Signature>
            <ds:SignedInfo>
              <ds:CanonicalizationMethod
                  Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
              <ds:SignatureMethod
                  Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
              <ds:Reference>
                <ds:Transforms>
                  <ds:Transform Algorithm="http://...RoutingTransform"/>
                  <ds:Transform
                      Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </ds:Transforms>
                <ds:DigestMethod
                    Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <ds:DigestValue>EULddytSo1...</ds:DigestValue>
              </ds:Reference>
            </ds:SignedInfo>

33
WS-Security Example
            <ds:SignatureValue>
              BL8jdfToEb1l/vXcMZNNjPOV...
            </ds:SignatureValue>
            <ds:KeyInfo>
              <wsse:SecurityTokenReference>
                <wsse:Reference URI="#X509Token"/>
              </wsse:SecurityTokenReference>
            </ds:KeyInfo>
          </ds:Signature>
        </wsse:Security>
      </S:Header>
      <S:Body>
        <tru:StockSymbol xmlns:tru="http://fabrikam123.com/payloads">
          QQQ
        </tru:StockSymbol>
      </S:Body>
    </S:Envelope>

34
  • WS-Security Policy

35
WS-Security Policy
  • WS-SecurityPolicy defines how to describe
    policies related to features defined in
    WS-Security.
  • Example of a policy:
  • "This Web service accepts X.509 certificates and
    Kerberos tickets, but you must choose exactly one
    of these, and X.509 certificates are the preferred
    mechanism."
  • A Policy Assertion represents an individual
    preference, requirement, capability, or other
    property:
  • This Web service accepts X.509 certificates
  • This Web service accepts Kerberos tickets

36
WS-Security Policy
  • Types of assertions
  • SecurityToken assertion: Specifies the security
    token types required/accepted by a Web service
  • Integrity assertion: Specifies that specific
    portions of a message must be signed, and the
    specific algorithms/keys to be used (e.g. SHA-1
    algorithm, RSA key)
  • Confidentiality assertion: Specifies that
    specific portions of a message must be encrypted,
    and a specific algorithm to be used (e.g. AES,
    3DES)
  • Visibility assertion: Indicates portions of a
    message that must be visible to an intermediary
    or endpoint (i.e. unencrypted)
  • Message age assertion: Specifies the acceptable
    time period before messages are declared stale
    and discarded

37
WS-Security Policy
  • SecurityToken Assertion

    <wsse:SecurityToken TokenType="wsse:X509v3"
        wsp:Usage="wsp:Required" wsp:Preference="50"/>

38
WS-Security Policy
  • Integrity Assertion

    <wsse:Integrity wsp:Usage="wsp:Required">
      <wsse:SecurityToken>
        <wsse:TokenType>wsse:X509v3</wsse:TokenType>
      </wsse:SecurityToken>
      <MessageParts
          Dialect="http://schemas.xmlsoap.org/2002/12/wsse#soap">
        ElementName
      </MessageParts>
    </wsse:Integrity>

39
WS-Security Policy
  • Confidentiality Assertion

    <wsse:Confidentiality wsp:Usage="wsp:Required">
      <wsse:Algorithm Type="wsse:AlgEncryption"
          URI="http://www.w3.org/2001/04/xmlenc#3des-cbc"/>
      <MessageParts>
        ElementName
      </MessageParts>
    </wsse:Confidentiality>

40
WS-Security Policy
  • Visibility Assertion

    <wsse:Visibility wsp:Usage="wsp:Required">
      <MessageParts>
        ElementName
      </MessageParts>
    </wsse:Visibility>

41
WS-Security Policy
  • MessageAge Assertion

    <wsse:MessageAge wsse:Usage="wsp:Required"
        Age="3600"/>
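Evaluating the MessageAge assertion above against a received message's creation timestamp, as an added Python example that is not part of the original slides. The wsse namespace is the one the slides use; the wsp namespace URI, the ISO 8601 form of the timestamp and the five-minute clock-skew allowance are assumptions of this example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

WSSE_NS = "http://schemas.xmlsoap.org/ws/2002/04/secext"  # namespace used on the slides
WSP_NS = "http://schemas.xmlsoap.org/ws/2002/12/policy"   # assumed binding for the wsp prefix

# Constructed policy fragment: the slide's assertion with its namespaces declared.
POLICY = (f'<wsse:MessageAge xmlns:wsse="{WSSE_NS}" xmlns:wsp="{WSP_NS}" '
          'wsse:Usage="wsp:Required" Age="3600"/>')

def max_age_seconds(policy_xml: str) -> int:
    """Read the Age attribute (seconds) from a MessageAge assertion."""
    el = ET.fromstring(policy_xml)
    if el.tag != f"{{{WSSE_NS}}}MessageAge":
        raise ValueError("not a MessageAge assertion")
    return int(el.get("Age"))

def message_is_fresh(created_iso, max_age: int, now=None,
                     skew=timedelta(minutes=5)) -> bool:
    """Accept a message whose creation timestamp (ISO 8601, assumed to come from the
    message's security header) is at most max_age seconds old. Fail closed on a
    missing, unparseable or offset-less timestamp, and reject timestamps further
    in the future than the tolerated clock skew (an unsigned-age bypass otherwise)."""
    if not created_iso:
        return False
    try:
        created = datetime.fromisoformat(created_iso.replace("Z", "+00:00"))
    except ValueError:
        return False
    if created.tzinfo is None:
        return False
    now = now or datetime.now(timezone.utc)
    age = now - created
    return -skew <= age <= timedelta(seconds=max_age)
```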

42
WS-Security issues to discuss
  • WS-Security is built on the SOAP foundation and
    SOAP messaging environment, targeting end-to-end
    message security
  • What is the benefit compared to SSL/TLS or IPSec?
  • What additional services/enhancements should be
    enabled in the current/traditional network
    infrastructure?

43
Conclusions
  • The Global XML Web Services architecture is
    poised to play a major role in advancing the
    adoption of Web services through its robust
    specification of mechanisms for Web services such
    as security, policy, coordination, federation,
    and routing.
  • Several specifications (WS-Security and others)
    appear to be plausible candidates for inclusion
    in W3C's upcoming Language Specification.