web services introduction ws-security xkms
TRANSCRIPT
© 2003 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Web Service Security
Wolfgang Werner, HP, Decus Bonn 2003
Agenda
• Web Services Introduction
• WS-Security
• XKMS
Web Services Introduction: What is a Web Service?
• Problem: taking different applications
  – running on different operating systems
  – built with different object models
  – using different programming languages
  – and turning them into Web applications.
Web Services Introduction: What is a Web Service?
• Web services
  – are building blocks for constructing distributed Web-based applications
  – allow a site to expose programmatic functionality via the Internet
  – are based on open Internet standards such as HTTP, XML, SOAP
  – can be consumed by applications implemented in any language for any platform
Web Services Introduction: Example Web Service
<%@ WebService Language="C#" Class="HelloW" %>
using System.Web.Services;

[WebService(Namespace="urn:HelloW")]
public class HelloW : WebService {
    [WebMethod]
    public string sayHelloTo(string name) {
        return "Hello World " + name;
    }
}
Web Services Introduction: SOAP
• Today's distributed applications use binary protocols like DCOM and CORBA/IIOP
• DCOM and CORBA/IIOP don't work in Internet scenarios
• HTTP is supported widely
Web Services Introduction: SOAP
• Simple Object Access Protocol (SOAP)
• Provides the mechanism for Web Services to communicate with clients and each other
• 'RPC over the Internet'
• SOAP uses
  – HTTP as RPC-style transport
  – XML for data encoding
Web Services Introduction: SOAP
POST /string_server/Object17 HTTP/1.1
Host: 209.110.197.2
Content-Type: text/xml
Content-Length: 152
SOAPMethodName: urn:strings-com:IString#sayHelloTo

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Header></SOAP-ENV:Header>
  <SOAP-ENV:Body>
    <m:sayHelloTo xmlns:m='urn:strings-com:IString'>
      <theString>Hello, World</theString>
    </m:sayHelloTo>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
Web Services Introduction: Caveats of Web Services
• Reliability
• Accounting
• Performance
• Trust
• Security
Web Services Introduction: SSL
• Secure Sockets Layer
  – Open standard
• Establishes a secure channel between two parties
• Uses strong encryption
  – 128-bit keys
• Transport Layer Security
  – TLS Version 1.0 (RFC 2246), the successor of SSL
Web Services Introduction: SSL
1 Client requests secure channel
2 Server sends public key certificate
3 Client verifies certificate and sends session key
4 Client sends its public key certificate
5 Server verifies certificate and sends session key
6 Client and Server communicate securely with session key
(Figure: SSL handshake between the client and the myTravel.com Web Server)
Web Services Introduction: SSL
• SSL only secures the transmission of the data
• Integrity not maintained
• No possibility to sign or encrypt only parts of a document
Agenda
• Web Services Introduction
• WS-Security
• XKMS
WS-Security: Introduction
• Lack of standardized security
  – No cross-platform open communication
• Microsoft, IBM and Verisign designed a security model called "Web Services Security" (WS-Security)
• Security for Web Services through message integrity, message confidentiality and message authentication
WS-Security: Introduction
• Message integrity
  – XML Signature (W3C)
• Message confidentiality
  – XML Encryption (W3C)
• Message authentication
  – User Name, X.509 Certificates and Kerberos
WS-Security: Introduction
• WS-Security is an additional SOAP header
<Soap:Envelope …>
  <Soap:Header>
    ...
    <Credentials…>
      <UsernameToken...>
        <Username>…</Username>
        <Password Type=…>…</Password>
      </UsernameToken>
    </Credentials>
    ...
  </Soap:Header>
  ...
  <Soap:Body>… </Soap:Body>
</Soap:Envelope>
WS-Security: Introduction
• Placing security related information into the header
  – enables the SOAP processor to handle the token verification separately
  – allows passing and removing specific information for different actors (receivers)
    • KeyInfo, DigestMethod, …
WS-Security: XML Signature
• The ability to digitally sign a document is not a new concept
  – Applies to the entire document
  – Focused on message transportation
• There is no standard mechanism to
  – sign only specific portions of a document
  – have multiple signatures on different parts of the document
  – manage persistent signature information
WS-Security: XML Signature
• Goals:
  – Represent signatures in standard XML format
  – Support signing of specific portions of an XML document
  – Sign arbitrary digital content
    • Including binary data such as JPEG images
WS-Security: XML Signature
• Signature creation and validation must occur on the same bits
• Canonical XML (www.w3c.org)
  – Ensures identical physical representation of logically equivalent XML documents
  – Serializes to a standard form
WS-Security: XML Signature
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
  <SignedInfo>
    <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
    <Reference URI="#StudentData">
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
      <DigestValue>UAbcP0xOFEf0ta6/EVhV9shjXCs=</DigestValue>
    </Reference>
  </SignedInfo>
  <SignatureValue>WE7ZXjb7kGX5d1MOW...</SignatureValue>
  <Object Id="StudentData"><Loans>data here .</Loans></Object>
</Signature>
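The "same bits" requirement above is what the Reference's DigestValue depends on: two serializations of the same Object that differ only in attribute order, quoting or whitespace would otherwise verify differently. The following added example (not from the slides) computes the SHA-1 DigestValue of the signed Object once over the raw bytes and once over Canonical XML; it uses Python's standard library canonicalizer, which implements C14N 2.0 rather than the 2001 algorithm named in the CanonicalizationMethod, and the two Object variants are constructed here.

```python
import base64
import hashlib
import hmac
from xml.etree.ElementTree import canonicalize

# Constructed sample: the signed Object from the slide, serialised two ways.
# Both are logically the same XML; only attribute spacing, quoting and the
# empty-element form differ, which a sender or intermediary may legitimately change.
OBJECT_A = '<Object Id="StudentData"><Loans>data here .</Loans><Note/></Object>'
OBJECT_B = "<Object  Id='StudentData'><Loans>data here .</Loans><Note></Note></Object>"


def sha1_b64(data: bytes) -> str:
    """SHA-1 digest, base64 encoded, as carried in <DigestValue> (DigestMethod sha1)."""
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def digest_raw(xml_text: str) -> str:
    """Digest over the bytes as received: brittle, any re-serialisation breaks it."""
    return sha1_b64(xml_text.encode("utf-8"))


def digest_c14n(xml_text: str) -> str:
    """Digest over Canonical XML: sorted, double-quoted attributes, expanded empty
    elements, so logically equal documents yield the same DigestValue."""
    canonical = canonicalize(xml_data=xml_text)
    return sha1_b64(canonical.encode("utf-8"))


def reference_is_valid(xml_text: str, signed_digest_value: str) -> bool:
    """Verifier side: recompute the canonical digest of the referenced Object and
    compare it (constant time) with the DigestValue covered by the signature."""
    return hmac.compare_digest(digest_c14n(xml_text), signed_digest_value)


if __name__ == "__main__":
    print("raw digests equal:   ", digest_raw(OBJECT_A) == digest_raw(OBJECT_B))
    print("c14n digests equal:  ", digest_c14n(OBJECT_A) == digest_c14n(OBJECT_B))
    print("tampered verifies:   ",
          reference_is_valid(OBJECT_A.replace("data here", "data there"),
                             digest_c14n(OBJECT_A)))
```

Only the digest of the Reference is shown; in a full verification the signer's key from KeyInfo is then used to check SignatureValue over the canonicalized SignedInfo.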
WS-Security: XML Signature
<!-- KeyInfo is a child of Signature, placed after SignatureValue -->
<KeyInfo>
  <X509Data xmlns="http://www.w3.org/2000/09/xmldsig#">
    <X509Certificate>9EL4LqrfV8IRXU...bbHcsdMSeZn3En+htDHjM</X509Certificate>
  </X509Data>
</KeyInfo>
WS-Security: XML Encryption
• Process to encrypt and decrypt digital content and represent the encrypted content in XML
  – Encrypt only specific portions of a document
  – Have multiple parties encrypt different parts of the document
  – Persistent storage
WS-Security: XML Encryption
• Supports encryption of
  – Entire XML documents
  – Elements
  – Contents of an element
  – Arbitrary data
• Builds on existing algorithms
• Provides a standard representation format
WS-Security: XML Encryption
<?xml version="1.0" ?>
<EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#" MimeType="text/xml">
  <CipherData>
    <CipherValue> yS3DHtac.. GDSb3 </CipherValue>
  </CipherData>
</EncryptedData>
WS-Security: XML Encryption
<Observation doctor="Tim Smith" id="Bloodpressure">
  <EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#"
      Type="http://www.w3.org/2001/04/xmlenc#Content">
    <CipherData>
      <CipherValue> yS3DHtac.. GDSb3 </CipherValue>
    </CipherData>
  </EncryptedData>
</Observation>
WS-Security: Message Authentication
• Security token propagation
  – Informs the web service who requires the service
• Username and password information
  – <UsernameToken>
• Binary formats (X.509 certificates, Kerberos tickets)
  – <BinarySecurityToken>
WS-Security: Message Authentication
<Security>
  <UsernameToken>
    <Username>Peter</Username>
    <Password Type="PasswordDigest">Q67vzYSMAKonUOFXy19TcMSq4U</Password>
  </UsernameToken>
</Security>
<!-- A digest is a base64 encoded SHA1 hash value -->
WS-Security: Message Authentication
<Security>
  <BinarySecurityToken xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/04/secext"
      ValueType="X509v3" Id="myToken" EncodingType="Base64Binary">
    MIIEZzCCA9CgAwIBAgIQEmtJZc0...
  </BinarySecurityToken>
</Security>
<!-- ValueTypes:
     X509v3         X.509 v3 certificate
     Kerberosv5TGT  Kerberos v5 TGT ticket
     Kerberosv5ST   Kerberos v5 service ticket -->
WS-Security: Summary
• Microsoft has released Web Services Enhancements 1.0 for Microsoft .NET (WSE)
• WSE is a .NET library that utilizes the WS-Security specification
• WSE has superseded the Web Services Development Kit (WSDK)
Agenda
• Web Services Introduction
• WS-Security
• XKMS
XKMS
• XKMS: XML Key Management Specification
• XML Signature and XML Encryption are generally based on PKI
• PKI is based on public and private key pairs (asymmetric encryption)
• Organizations who wish to communicate exchange their public keys
XKMS
• Problems
  – Locating the public keys
  – Key verification
  – Handling multiple PKI implementations
  – No longer XML based
  – Increased complexity of applications
XKMS
• XKMS is a W3C initiative
  – Original input from Microsoft, Verisign and WebMethods
• Web service for management of PKI based cryptographic keys
• Applications delegate all PKI processing tasks to a third party trust service
XKMS
• Benefits
  – Simplifies usage of XML Signature and XML Encryption
  – Builds a layer of abstraction between the application and multiple PKI implementations
  – Moves the complexity of managing PKI out to the infrastructure level
  – Fits smoothly into the web service environment
XKMS
(Figure: myTravel.com and myHotel.com exchanging an encrypted, signed message; an XKMS Server sits in front of a PKI Server and PKI Database)
1 Key registration (each party registers its public key with the XKMS Server)
2 Locate myHotel.com public key; locate and validate myTravel.com public key
3 Encrypted, signed message
XKMS
• XKMS is comprised of two parts
  – XML Key Information Service Specification (XKISS)
    • Locate service
    • Validate service
  – XML Key Registration Service Specification (XKRSS)
    • Register service
XKMS
• XKISS
  – Direct processing support for the ds:KeyInfo element used by XML Encryption and XML Signature
  – Based on any PKI like X.509, SPKI or PGP
  – Locate and validate public keys
XKMS
• XKISS Locate Service
  – Retrieves a registered public key
  – Resolves the ds:KeyInfo element and provides the client with the required public key information
  – May use local data, relay the request to other servers or act as a gateway to an underlying PKI infrastructure
XKMS
(Figure: myTravel.com sends the Locate request to xkms.verisign.com, which gets the public key from the PKI infrastructure in a proprietary format)
<SOAP:Envelope>
  <LocateRequest>
    <KeyInfoQuery>
      <ds:KeyName>myHotel.com</ds:KeyName>
    </KeyInfoQuery>
  </LocateRequest>
</SOAP:Envelope>

<SOAP:Envelope>
  <LocateResult>
    <ds:KeyInfo>
      <ds:KeyName>myHotel.com</ds:KeyName>
      <ds:KeyValue>...AfG7We7...</ds:KeyValue>
    </ds:KeyInfo>
  </LocateResult>
</SOAP:Envelope>
XKMS
• XKISS Validate Service provides the functionality of the Locate Service and key validation
  – Key - name binding
  – Key status
    • Validity period
    • Key usage
    • Not revoked
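The Locate exchange shown two slides earlier, and the key-name binding check the Validate slide lists, as an added example that is not part of the original talk: the client builds the LocateRequest, a minimal trust service resolves the ds:KeyName against a constructed registry and answers with a LocateResult, and the client only accepts a KeyValue bound to the name it asked for. Element names follow the slide's messages; the XKMS namespace URI and the registry contents are assumptions, since the slides declare neither.

```python
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
DS = "http://www.w3.org/2000/09/xmldsig#"
XKMS = "http://www.w3.org/2002/03/xkms#"  # assumption: XKMS 2.0 namespace, the slide omits it
for prefix, uri in (("SOAP", SOAP), ("ds", DS), ("xkms", XKMS)):
    ET.register_namespace(prefix, uri)

# Constructed sample standing in for the trust service's PKI database (placeholder key value)
REGISTRY = {"myHotel.com": "AfG7We7PLACEHOLDERKEYVALUE"}


def _envelope():
    env = ET.Element(f"{{{SOAP}}}Envelope")
    return env, ET.SubElement(env, f"{{{SOAP}}}Body")


def build_locate_request(key_name: str) -> str:
    """Client side: ask the XKISS Locate service for the key registered under key_name."""
    env, body = _envelope()
    request = ET.SubElement(body, f"{{{XKMS}}}LocateRequest")
    query = ET.SubElement(request, f"{{{XKMS}}}KeyInfoQuery")
    ET.SubElement(query, f"{{{DS}}}KeyName").text = key_name
    return ET.tostring(env, encoding="unicode")


def handle_locate(request_xml: str) -> str:
    """Trust service side: resolve ds:KeyName and answer with a LocateResult.
    Unknown names get an empty LocateResult, never a guessed key."""
    wanted = ET.fromstring(request_xml).findtext(f".//{{{XKMS}}}KeyInfoQuery/{{{DS}}}KeyName")
    env, body = _envelope()
    result = ET.SubElement(body, f"{{{XKMS}}}LocateResult")
    if wanted in REGISTRY:
        key_info = ET.SubElement(result, f"{{{DS}}}KeyInfo")
        ET.SubElement(key_info, f"{{{DS}}}KeyName").text = wanted
        ET.SubElement(key_info, f"{{{DS}}}KeyValue").text = REGISTRY[wanted]
    return ET.tostring(env, encoding="unicode")


def client_locate(key_name: str):
    """Round trip. The exchange itself must still be protected (signed or over TLS),
    otherwise a tampered LocateResult would hand the client an attacker's key."""
    result = ET.fromstring(handle_locate(build_locate_request(key_name)))
    key_info = result.find(f".//{{{DS}}}KeyInfo")
    if key_info is None:
        return None
    # Key-name binding: accept only a KeyValue the service bound to the name we asked for
    if key_info.findtext(f"{{{DS}}}KeyName") != key_name:
        raise ValueError("LocateResult binds the key to a different name")
    return key_info.findtext(f"{{{DS}}}KeyValue")
```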
XKMS
• XKISS security issues
  – Communication between the client and the trust service must be secure
    • Authenticity
    • Integrity
    • Correspondence
• XKISS specification recommends
  – Digital signatures
  – Transport layer security
  – Packet layer security
XKMS
• XKRSS Register Service
  – Support for registration and further management of public key information
    • Generate or register public/private key pairs
    • Support for the entire certificate life cycle
XKMS
• The generation of public and private keys can
  – be delegated to the XKRSS service to generate a public and private key pair
    • Advantage: the responsibility of maintaining a private key goes with the service provider
    • Disadvantage: the private key information is exposed to the service provider.
  – ??? be completed at the client's end ???
XKMS
• Support for the entire certificate life cycle
  – Register
  – Reissue
  – Revocation
  – Recovery
XKMS
• Client authentication:
  – XKRSS specification does not specify any authentication policy
  – Left to the trust service provider
  – Shared secret most commonly used
XKMS: Implementations
• Entrust
  – http://xkms.entrust.com/xkms/index.htm
• Verisign
  – http://www.verisign.com/developer/xml/xkms.html
• Phaos
  – http://www.phaos.com
• XKMS & .Net
  – www.xmltrustcenter.org/xkms/dotnet/index.htm
Not covered...
• XACML
• XTAML
• SAML
• Liberty Alliance
• Passport
• P3P
• authXML
• WS-Policy
• WS-Trust
• WS-SecureConversation
• WS-SecurityPolicy
• ...