WS-Security: SOAP Message Security Web-enhanced Information Management (WHIM) Justin R. Wang Professor Kaiser

Web Service Security: SOAP Message Security WS-Security History -Many standards to secure web services -Microsoft, IBM, and VeriSign submitted security specifications to the Organization for the Advancement of Structured Information Standards (OASIS). -WS-Security is the leading web services standards to support, integrate and unify multiple security models. -WS Security: HTTP Message Security & XML Message Security (SOAP)

WS-Security: HTTP Message Security Advantages Mature Supported by most servers and clients Understood Simpler than message level security Disadvantages Point to point only Granularity, cannot have different security for messages in and messages out Only applies to HTTP

WS-Security: XML Message Security Advantages Allows the message to be self-protecting Selective, portions of the message can be secured to different parties Flexible, different security policy can be applied to request and response transport independent Disadvantages Immature, standards and tools Complex, contains many other standards including XML Encryption, XML Signature, X.509 certificates and more

WS-Security: XML (SOAP) Message Security Message Security Model : security tokens that encapsulate the message with digital signatures to protect and validate SOAP messages passed from other parties Token References : provides information location where the receivers can retrieve the entity from Signatures : provides information for the receivers so that they can find out if the message has been changed by someone else during message passing and if the message is the one that the receivers want to get from Encryption&Decryption : keeps data in a special form during message passing in which data will not be altered by someone else Time-Stamp : provides information for the receivers to know when the message is generated and when it is expired

Message Security Model Contains a collection of objects with two kinds security token (unsigned and signed), such as name, userID, to protect the SOAP messages.

Message Security Model: Security Header Overview of Security Header encapsulate information about what kinds of receivers allowed to interpret the message -At sender side, if a message needs to be received by different kinds of receivers, it must have multiple headers, either actor or role, whose values must be different -At the receiver side, it must generate an error message if it can not understand or the security header, and must signal an error if can not process the content of the security tokens, also it may ignore the meaning of the message if it has own security policy.

Message Security Model: Security Token There are three types of security tokens: User Name Token, Binary Security Tokens and XML Tokens. User name token is implemented in this way (Figure 3),, which may or may not be included in security header.

Message Security Model: Security Token Binary Security Tokens needs a special encoding rule, and has two attributes: valueType indicating what token is in the message (X.509 certificates or Kerbero), EncodingType indicating how the token is implemented.

Message Security Model: Security Token XML tokens have two standards: Security Assertion Markup Language (SAML) and Extensible rights Markup Language (XrML)

Token References Specified when a message delivers a collections of entities, sometimes, the object is located in somewhere else that receiver needs to get, these object locations are contained by Four mechanisms : -Direct Reference using full URL -Key Identfiers using an unique ID (referenced token id) -key names using token name -Embedded Reference using embedded token

Token Reference Examples

XML Signature Why XML Signature? give the functionalities of data integrity, authentication in web service application. enhance traditional digital signature, because digital signature only works in a way of sign an entire document, which is time consuming if an user only needs part of information in a document. With this technology, we can use XML signature to sign more than one type of resource, such as JPEG image and an HTML page

XML Signature Example

Encryption and Decryption Why XML Encryption & Decryption? XML Digital Signature specs did not define any standard mechanism for encrypting XML entities. The need for XML-based encryption is very important to secure web services. Encrypting and Decrypting Parts of a Document: existing technologies can encrypt a whole XML document. Performance: less time consuming process. Multiple encryption & decryption: the ability to apply multiple encryption treatments to different parts of the same document. Persistent Storage: important information can be left encrypted even in the databases.

XML Encryption & Decryption Example Before Encryption After Encryption under

Security Time Stamp Why need Security Time Stamp? Prevent relay attack -For example, an attacker resends the message to a targeted person for messing up its account information, with time stamp added, the targeted person can identify if the message has been received by checking the time stamp if its created time is the same as previous one. Example

Evaluation of Web Service Security: Solve Many Problems: replay attack message delayed XML document encrypted or decrypted using encrypting, decrypting and signing part of message content message verification

Conclusion: Current Technology and future :  involves too much computational operations of cryptography and memory demanding XML DOM processing -the signature processing: important to develop a new algorithm to reduce the processing time. -replay attack situation: important to develop a better approach to prevent that than using time stamp approach. be possible to be used in mobile networks -messages passed across mobile phones are more efficient and secured -less time to process XML message

Thank You!