Presentation is loading. Please wait.

Presentation is loading. Please wait.

WS-Security: SOAP Message Security Web-enhanced Information Management (WHIM) Justin R. Wang Professor Kaiser.

Published byMark Hall Modified over 8 years ago

Similar presentations

Presentation on theme: "WS-Security: SOAP Message Security Web-enhanced Information Management (WHIM) Justin R. Wang Professor Kaiser."— Presentation transcript:

1 WS-Security: SOAP Message Security Web-enhanced Information Management (WHIM) Justin R. Wang Professor Kaiser

2 Web Service Security: SOAP Message Security WS-Security History -Many standards to secure web services -Microsoft, IBM, and VeriSign submitted security specifications to the Organization for the Advancement of Structured Information Standards (OASIS). -WS-Security is the leading web services standards to support, integrate and unify multiple security models. -WS Security: HTTP Message Security & XML Message Security (SOAP)

3 WS-Security: HTTP Message Security Advantages Mature Supported by most servers and clients Understood Simpler than message level security Disadvantages Point to point only Granularity, cannot have different security for messages in and messages out Only applies to HTTP

4 WS-Security: XML Message Security Advantages Allows the message to be self-protecting Selective, portions of the message can be secured to different parties Flexible, different security policy can be applied to request and response transport independent Disadvantages Immature, standards and tools Complex, contains many other standards including XML Encryption, XML Signature, X.509 certificates and more

5 WS-Security: XML (SOAP) Message Security Message Security Model : security tokens that encapsulate the message with digital signatures to protect and validate SOAP messages passed from other parties Token References : provides information location where the receivers can retrieve the entity from Signatures : provides information for the receivers so that they can find out if the message has been changed by someone else during message passing and if the message is the one that the receivers want to get from Encryption&Decryption : keeps data in a special form during message passing in which data will not be altered by someone else Time-Stamp : provides information for the receivers to know when the message is generated and when it is expired

6 Message Security Model Contains a collection of objects with two kinds security token (unsigned and signed), such as name, userID, to protect the SOAP messages.

7 Message Security Model: Security Header Overview of Security Header encapsulate information about what kinds of receivers allowed to interpret the message -At sender side, if a message needs to be received by different kinds of receivers, it must have multiple headers, either actor or role, whose values must be different -At the receiver side, it must generate an error message if it can not understand or the security header, and must signal an error if can not process the content of the security tokens, also it may ignore the meaning of the message if it has own security policy.

8 Message Security Model: Security Token There are three types of security tokens: User Name Token, Binary Security Tokens and XML Tokens. User name token is implemented in this way (Figure 3),, which may or may not be included in security header.

9 Message Security Model: Security Token Binary Security Tokens needs a special encoding rule, and has two attributes: valueType indicating what token is in the message (X.509 certificates or Kerbero), EncodingType indicating how the token is implemented.

10 Message Security Model: Security Token XML tokens have two standards: Security Assertion Markup Language (SAML) and Extensible rights Markup Language (XrML)

11 Token References Specified when a message delivers a collections of entities, sometimes, the object is located in somewhere else that receiver needs to get, these object locations are contained by Four mechanisms : -Direct Reference using full URL -Key Identfiers using an unique ID (referenced token id) -key names using token name -Embedded Reference using embedded token

12 Token Reference Examples

13 XML Signature Why XML Signature? give the functionalities of data integrity, authentication in web service application. enhance traditional digital signature, because digital signature only works in a way of sign an entire document, which is time consuming if an user only needs part of information in a document. With this technology, we can use XML signature to sign more than one type of resource, such as JPEG image and an HTML page

14 XML Signature Example

15 Encryption and Decryption Why XML Encryption & Decryption? XML Digital Signature specs did not define any standard mechanism for encrypting XML entities. The need for XML-based encryption is very important to secure web services. Encrypting and Decrypting Parts of a Document: existing technologies can encrypt a whole XML document. Performance: less time consuming process. Multiple encryption & decryption: the ability to apply multiple encryption treatments to different parts of the same document. Persistent Storage: important information can be left encrypted even in the databases.

16 XML Encryption & Decryption Example Before Encryption After Encryption under

17 Security Time Stamp Why need Security Time Stamp? Prevent relay attack -For example, an attacker resends the message to a targeted person for messing up its account information, with time stamp added, the targeted person can identify if the message has been received by checking the time stamp if its created time is the same as previous one. Example

18 Evaluation of Web Service Security: Solve Many Problems: replay attack message delayed XML document encrypted or decrypted using encrypting, decrypting and signing part of message content message verification

19 Conclusion: Current Technology and future :  involves too much computational operations of cryptography and memory demanding XML DOM processing -the signature processing: important to develop a new algorithm to reduce the processing time. -replay attack situation: important to develop a better approach to prevent that than using time stamp approach. be possible to be used in mobile networks -messages passed across mobile phones are more efficient and secured -less time to process XML message

20 Thank You!

Download ppt "WS-Security: SOAP Message Security Web-enhanced Information Management (WHIM) Justin R. Wang Professor Kaiser."

Similar presentations

Web Services Security Requirements Stephen T. Whitlock Security Architect Boeing.

Web Services Security Requirements Stephen T. Whitlock Security Architect Boeing.
Policy Based Dynamic Negotiation for Grid Services Authorization Infolunch, L3S Research Center Hannover, 29 th Jun. 2005 Ionut Constandache Daniel Olmedilla.

Policy Based Dynamic Negotiation for Grid Services Authorization Infolunch, L3S Research Center Hannover, 29 th Jun Ionut Constandache Daniel Olmedilla.
Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).

Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).
Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.

Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.
SOAP.

SOAP.
Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
SSL CS772 Fall 2011. Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
0 Web Service Security JongSu Bae. 1  Introduction 2. Web Service Security 3. Web Service Security Mechanism 4. Tool Support 5. Q&A  Contents.

0 Web Service Security JongSu Bae. 1  Introduction 2. Web Service Security 3. Web Service Security Mechanism 4. Tool Support 5. Q&A  Contents.
Authentication & Kerberos

Authentication & Kerberos
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Christopher Irish David Orr Sophya Kheim Adam Lange Daniel Palma

Christopher Irish David Orr Sophya Kheim Adam Lange Daniel Palma
Web Services and the Semantic Web: Open Discussion Session Diana Geangalau Ryan Layfield.

Web Services and the Semantic Web: Open Discussion Session Diana Geangalau Ryan Layfield.
WS-Security TC Christopher Kaler Kelvin Lawrence.

WS-Security TC Christopher Kaler Kelvin Lawrence.
6/3/2015topic1 Web Security Qiang Yang Simon Fraser University Thanks: Francis Lau (HKU)

6/3/2015topic1 Web Security Qiang Yang Simon Fraser University Thanks: Francis Lau (HKU)
Core Web Service Security Patterns

Core Web Service Security Patterns
 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.

 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.
Making VLAB Secure Javier I. Roman. What is VLAB?  An interdisciplinary consortium dedicated to the development and promotion of the theory of planetary.

Making VLAB Secure Javier I. Roman. What is VLAB?  An interdisciplinary consortium dedicated to the development and promotion of the theory of planetary.
Web Services Security Multimedia Information Engineering Lab. Yoon-Sik Yoo.

Web Services Security Multimedia Information Engineering Lab. Yoon-Sik Yoo.

Similar presentations

Ads by Google