Presentation is loading. Please wait.

Presentation is loading. Please wait.

WS-Security Additional Material. Security Element: enclosing information n UsernameToken block u Defines how username-and-password info is enclosed in.

Published byLillian Green Modified over 8 years ago

Similar presentations

Presentation on theme: "WS-Security Additional Material. Security Element: enclosing information n UsernameToken block u Defines how username-and-password info is enclosed in."— Presentation transcript:

1 WS-Security Additional Material

2 Security Element: enclosing information n UsernameToken block u Defines how username-and-password info is enclosed in SOAP u Password must be protected against eavesdroppers (enc) and replay (timestamp/nonce) n BinarySecurityToken block u Encloses binary data u An X.509 certificate or a Kerberos ticket u Has an identifier (Id), a value (ValueType), and an encoding (EncodingType) u XML Signature KeyInfo may point to a certificate used in signing using a Reference to its Id. u Similar for XML Encryption. n So we can sign/encrypt data with a certificate in the header.

3 ID References n A new global attribute: wsu:Id attribute u.. u Note that the SOAP processor needs to support this u wsu:id a WS-Security namespace (wssecurity- secext-1.0.xsd) u Recipients do not need to understand the full schema of the message for processing the security elements u Two wsu:Id attributes within an XML document MUST NO have the same value n Recommended that wsu:Id is used instead of a more general transformation, especially XPath

4 Signatures n Does not use the Enveloped Signature Transform u So sig does not envelope signed data u Due to mutability of SOAP header n Does not use the Enveloping Signature u So sig is not appended as a child to the document n The sig is appended to the security block n Explicitly include the elements to be signed u Allows for extensions, multiple signatures, etc.

5 Signing Messages n Multiple signature entries MAY be added into a single SOAP Envelope within one header block u MUST be prepended to the existing content n elements contained in the signature should refer to a resource within the enclosing SOAP envelope n u How to locate a key in a security token? u Extensible mechanism that provides an open content model for referencing security tokens u Specification considers only use in a header block n New reference option for XML signature u STR Deference Transform F Applied to a SecurityTokenreference F Means that the output is the token referenced by the element, not the element itself F You can conveniently locate and sign security tokens anywhere in the header

6 XML Encryption Example

7 Encryption Public keyPrivate key Asymmetric Key Pair EncryptDecrypt

8 XML Encryption ? ? ? ?

9 Example n SOAP Envelope u SOAP Header F WS Security Security token (a certificate) Encryption key (passing symmetric key) Signature u SOAP Body F Encrypted content

10 Overall message structure......... Security block 1. 2. 3. 4.

11 1. Binary security token 2001-09-13T08:42:00Z <wsse:BinarySecurityToken ValueType="...#X509v3" wsu:Id="X509Token" EncodingType="...#Base64Binary"> ABCDEF.......

12 2. Passing encryption key <wsse:KeyIdentifier EncodingType="...#Base64Binary" ValueType="...#X509v3"> ABCDEF....... We are using another certificate for asymmetric crypto. This one is for symmetric Encrypted symmetric key Reference to cipher data

13 3. Actual signature <ds:CanonicalizationMethod algorithm="http://...-exc-c14n#"/>... …...... Exclusive canonicalization References & digests to data Reference to certificate.

14 <ds:CanonicalizationMethod Algorithm="http://...-exc-c14n#"/>...... 3. SignedInfo in more detail

15 4. Actual message body <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" wsu:Id="enc1"> <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>...

16 SAML Examples

17 Attribute assertion n An issuing authority asserts that: u subject S u is associated with attributes A,B,.. u with values ”a”,”b”,… n Typically this would be gotten from an LDAP repository u ”john.doe” in ”example.com” u is associated with attribute ”Department” u with value ”Human Resources”

18 Example attribute assertion <saml:NameIdentifier SecurityDomain="example.com" Name="johndoe" /> <saml:Attribute AttributeName="PaidStatus" AttributeNameSpace="http://example.com"> PaidUp

19 Authorization decision assertion n An issuing authority decides whether to grant the request u by subject S u for access type A u to resource R u given evidence E n The subject could be a human or a program n The resource could be a web page or a web service, for example

20 Example authorization decision assertion <saml:AuthorizationStatement Decision="Permit" Resource="http://example.com/res123"> <saml:NameIdentifier SecurityDomain="example.com" Name="johndoe" />

Download ppt "WS-Security Additional Material. Security Element: enclosing information n UsernameToken block u Defines how username-and-password info is enclosed in."

Similar presentations

On and use=document|rpc, style=literal|encoded A personal opinion Sanjiva Weerawarana IBM Research September 9-11, 2002.

On and use=document|rpc, style=literal|encoded A personal opinion Sanjiva Weerawarana IBM Research September 9-11, 2002.
SOAP.

SOAP.
Web Service Security CS409 Application Services Even Semester 2007.

Web Service Security CS409 Application Services Even Semester 2007.
CIS 375—Web App Dev II SOAP.

CIS 375—Web App Dev II SOAP.
SOAP SOAP is a protocol for accessing a Web Service. SOAP stands for Simple Object Access Protocol * SOAP is a communication protocol * SOAP is for communication.

SOAP SOAP is a protocol for accessing a Web Service. SOAP stands for Simple Object Access Protocol * SOAP is a communication protocol * SOAP is for communication.
XML Encryption Prabath Siriwardena Director, Security Architecture.

XML Encryption Prabath Siriwardena Director, Security Architecture.
Portable Identity & WS - Trust Prabath Siriwardena Director, Security Architecture.

Portable Identity & WS - Trust Prabath Siriwardena Director, Security Architecture.
Integration Considerations Greg Thompson April 20 th, 2006 Copyright © 2006, Credentica Inc. All Rights Reserved.

Integration Considerations Greg Thompson April 20 th, 2006 Copyright © 2006, Credentica Inc. All Rights Reserved.
Lecture 23 Internet Authentication Applications

Lecture 23 Internet Authentication Applications
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
Web Services and the Semantic Web: Open Discussion Session Diana Geangalau Ryan Layfield.

Web Services and the Semantic Web: Open Discussion Session Diana Geangalau Ryan Layfield.
WS-Security TC Christopher Kaler Kelvin Lawrence.

WS-Security TC Christopher Kaler Kelvin Lawrence.
Making VLAB Secure Javier I. Roman. What is VLAB?  An interdisciplinary consortium dedicated to the development and promotion of the theory of planetary.

Making VLAB Secure Javier I. Roman. What is VLAB?  An interdisciplinary consortium dedicated to the development and promotion of the theory of planetary.
Web Services Security Multimedia Information Engineering Lab. Yoon-Sik Yoo.

Web Services Security Multimedia Information Engineering Lab. Yoon-Sik Yoo.
95-804 Applied Cryptography Week 13 SAML 1 95-804 Applied Cryptography SAML and XACML Mike McCarthy Week 13.

Applied Cryptography Week 13 SAML Applied Cryptography SAML and XACML Mike McCarthy Week 13.
Securing Web Services Using Semantic Web Technologies Brian Shields PhD Candidate, Department of Information Technology, National University of Ireland,

Securing Web Services Using Semantic Web Technologies Brian Shields PhD Candidate, Department of Information Technology, National University of Ireland,
Web services security I

Web services security I
Prashanth Kumar Muthoju

Prashanth Kumar Muthoju
1 Web Services Security XML Encryption, XML Signature and WS-Security.

1 Web Services Security XML Encryption, XML Signature and WS-Security.
1 Simple Object Access Protocol (SOAP) by Kazi Huque.

1 Simple Object Access Protocol (SOAP) by Kazi Huque.

Similar presentations

Ads by Google