Web Service Security CS409 Application Services Even Semester 2007
2 Compulsory Security Requirements
Confidentiality – Guarantees that exchanged information is protected against eavesdroppers (proof-of-possession).
Integrity – Assurance that the message is NOT modified while in transit.
Authentication – Guarantees that access is restricted to those who can provide proof-of-identity.
Nonrepudiation – Guarantees that the sender CANNOT deny having sent the message.
3 Web Service Security Model
Fig 1. Security Model for Web Services: three parties (Requester, Security Token Service, Web Service), each with its own Policy, Security Token and Claims.
4 Web Service Security Model (2)
1. Client wants to invoke a web service and has claims (statements) such as its identity and privileges.
2. Web service has a policy that requires message encryption and requestor authentication.
3. Client must send a message that meets the security policy.
5 Web Service Security Model (3)
4. Claims are included in a security token that is attached to the request message, e.g. to assert the sender's identity or authorized role.
5. Some security tokens must be issued by a third party (security token service or STS).
6. STS is a web service as well and has its own policies, claims, and security tokens.
6 Web Service Security Specification
Fig 2. Roadmap of Web Services Security Specifications: on top of the SOAP Foundation sits WS-Security; above it WS-Policy, WS-Trust and WS-Privacy; above those WS-SecureConversation, WS-Federation and WS-Authorization.
7 Web Service Security Specification (2)
1. WS-Security
–Defines how to include security tokens in a SOAP message.
–How to protect the message with digital signature and encryption.
2. WS-Policy
–Provides a framework for describing web service meta-data information.
3. WS-Trust
–Interaction protocol to access Security Token Services.
12 Digital Signature (2)
Determine whether a message was altered in transit.
Verify that the message was sent by the possessor of a particular security token.
CanonicalizationMethod is a way to guarantee that two equivalent pieces of XML are represented by the same bytes so that they can be signed and verified consistently.
13 Processing Digital Signature
1. Define the target to be signed (header or body).
2. Transform the target using the CanonicalizationMethod (XML-C14N or EXC-C14N) so that semantically equivalent XML produces identical canonical output.
3. Calculate the digest value using the algorithm specified in DigestMethod.
4. Sign the SignedInfo element using the algorithm specified in SignatureMethod.
5. The calculated signature is then inserted into the SignatureValue element.
14 Verifying Digital Signature
1. Check the value in the DigestValue element according to the DigestMethod and Transform algorithms.
2. Calculate the digest value for the SignedInfo subtree.
3. Compare the digest value with the value in SignatureValue.
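The signing and verification steps on slides 13 and 14, worked through in code. This is an added example, not from the slides or any WS-Security toolkit; it assumes Python's standard-library canonicalizer (C14N 2.0) as a stand-in for XML-C14N/EXC-C14N, SHA-256 as DigestMethod, and the XML DSig HMAC-SHA256 SignatureMethod with a shared key in place of an X.509 keypair. The two constructed sample bodies differ only in attribute order and whitespace, so they canonicalize to the same bytes and the same DigestValue.

```python
import base64
import hashlib
import hmac
from xml.etree import ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
C14N_METHOD = "http://www.w3.org/2010/xml-c14n2"          # C14N 2.0, what ET.canonicalize implements
DIGEST_METHOD = "http://www.w3.org/2001/04/xmlenc#sha256"
SIGNATURE_METHOD = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"

# Constructed samples: the same SOAP Body serialized two different ways (assumed Id attribute)
BODY_A = ('<Body xmlns="http://schemas.xmlsoap.org/soap/envelope/" Id="body">'
          '<Amount currency="USD">100</Amount></Body>')
BODY_B = ('<Body Id="body" xmlns="http://schemas.xmlsoap.org/soap/envelope/">\n'
          '  <Amount currency="USD">100</Amount>\n</Body>')


def canonicalize(xml_text: str) -> bytes:
    # Step 2: equivalent XML (attribute order, insignificant whitespace) -> identical bytes
    return ET.canonicalize(xml_text, strip_text=True).encode("utf-8")


def digest_value(target_xml: str) -> str:
    # Step 3: DigestValue = base64(SHA-256(canonical form of the referenced target))
    return base64.b64encode(hashlib.sha256(canonicalize(target_xml)).digest()).decode()


def build_signed_info(reference_id: str, digest: str) -> str:
    # The Reference points at the signed target by Id and carries its DigestValue
    return (f'<SignedInfo xmlns="{DS_NS}">'
            f'<CanonicalizationMethod Algorithm="{C14N_METHOD}"/>'
            f'<SignatureMethod Algorithm="{SIGNATURE_METHOD}"/>'
            f'<Reference URI="#{reference_id}"><DigestMethod Algorithm="{DIGEST_METHOD}"/>'
            f'<DigestValue>{digest}</DigestValue></Reference></SignedInfo>')


def sign(signed_info: str, key: bytes) -> str:
    # Steps 4-5: SignatureValue is computed over canonical SignedInfo, not over the body itself
    mac = hmac.new(key, canonicalize(signed_info), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def verify(target_xml: str, signed_info: str, signature_value: str, key: bytes) -> bool:
    # SignatureValue must match SignedInfo (binds the DigestValue to the key holder) ...
    if not hmac.compare_digest(sign(signed_info, key), signature_value):
        return False
    # ... and the DigestValue inside SignedInfo must match a fresh digest of the target
    node = ET.fromstring(signed_info).find(f".//{{{DS_NS}}}DigestValue")
    return node is not None and hmac.compare_digest(node.text or "", digest_value(target_xml))
```

Changing a single character of the body, the DigestValue, or the key makes verify() return False; the two serializations of the same body both verify.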
15 Encryption / 16 Encryption (2)
[These two slides showed a sample SOAP message with XML Encryption elements; only fragments of the base64 CipherValue data survived extraction.]
17 Encryption (3)
The XML Encryption specification defines a means to do selective encryption of an XML document.
The party that decrypts an encrypted portion is not necessarily the final receiver of the message.
Encrypt elements with a symmetric key.
Encrypt that key with the recipient's key.
Embed the encrypted key in the header.
20 Security Token (3)
BinarySecurityToken is defined to contain binary data such as X.509 certificates and Kerberos tickets.
ValueType indicates the kind of token, e.g. X509v3, Kerberos5ST, etc.
EncodingType specifies the encoding format for the binary data, e.g. base64.
21 Other Security Specifications in The Roadmap
Please read: Building Web Services with Java: Making Sense of XML, SOAP, WSDL, and UDDI (2nd Edition) by Steve Graham et al., Chapter 9, pages 474 to 495.
22 Newer Security Specifications
Such as:
XACML = Extensible Access Control Markup Language.
XrML = Extensible Rights Markup Language.
XKMS = XML Key Management Specification.
SAML = Security Assertion Markup Language.
etc...
23 XACML XACML is an OASIS standard that describes both a policy language and an access control decision request/response language (both encoded in XML). The policy language is used to describe general access control requirements, and has standard extension points for defining new functions, data types, combining logic, etc.
24 XrML XrML is the Digital Rights Language of choice that provides a universal method for securely specifying and managing rights and conditions associated with all kinds of resources including digital content as well as services.
25 XKMS
Specification that defines a protocol for distributing and registering public keys. Using this technology, developers can take advantage of XKMS to integrate authentication, digital signature, and encryption services, such as certificate processing and revocation status checking.
26 SAML
SAML is an XML-based standard designed for the exchange of authentication and authorization data. Its purpose is to enable Single Sign-On for web applications. SAML utilizes TLS (Transport Layer Security) to ensure the confidentiality of authentication and authorization data during transit.