Page 1: WS-SecureConversation
Xiuduan Fang

Page 2: Agenda
• Introduction
• Security Context Token
• Establishing Security Context
• Deriving Keys
• SecureConversation in Action
• Conclusion
• References

Page 3: Introduction to WS-SecureConversation
• Why introduce WS-SecureConversation?
• Consider the functions of WS-Security:
– message integrity
– message confidentiality
– single-message authentication

Page 4: Introduction to WS-SecureConversation
• What if senders and receivers need to exchange multiple messages?

Page 5: Introduction to WS-SecureConversation
• A feasible solution
– Protect every message with a security token issued by a token-issuing service.
• Drawback: every message must carry and process the full token, so message size and per-message cryptographic cost become a performance bottleneck.

Page 6: Introduction to WS-SecureConversation
• A better solution: WS-SecureConversation
– Similar to SSL: authenticate once, then protect many messages under a session.
– Introduces a security context shared by the parties.
• A SecurityContextToken identifies that context. Once the context is established, each message refers to it and uses keys derived from its secret instead of carrying a full token, so messages are smaller and both ends can process them faster.

Page 7: Introduction to WS-SecureConversation
• Goals
– Define how security contexts are established
– Specify how derived keys are computed and passed
• Non-Goals
– Define how trust is established or determined—that is done by WS-Trust

Page 9: Security Context Token
• <SecurityContextToken> describes a security context: the identifier the parties use to refer to it, its lifetime (Created/Expires), and, directly or by reference, the shared secret from which keys are derived.

Page 10: Syntax of Security Context Token
<wsse:SecurityContextToken wsu:Id="...">
  <wsu:Identifier>...</wsu:Identifier>
  <wsu:Created>...</wsu:Created>
  <wsu:Expires>...</wsu:Expires>
  <wsse:Keys>
    <xenc:EncryptedKey Id="...">...</xenc:EncryptedKey>
    <wsse:SecurityTokenReference>...</wsse:SecurityTokenReference>
    ...
  </wsse:Keys>
</wsse:SecurityContextToken>

Page 11: Security Context Token Example
<wsse:SecurityContextToken wsu:Id="SecurityToken-f3dfe69f-4bd6-41f9-b198-bb6247d14780">
  <wsu:Identifier>uuid:f1971e12-f402-433d-bf7d-29c78a0a81eb</wsu:Identifier>
  <wsu:Created>2003-07-08T02:52:55Z</wsu:Created>
  <wsu:Expires>2003-07-08T06:52:55Z</wsu:Expires>
</wsse:SecurityContextToken>
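A receiver that caches security contexts has to check the token above before trusting it: the identifier must be present, and Created/Expires bound when the context may be used. The following is an added example written for this page, not code from the slides or from any WS-Security toolkit. It assumes placeholder namespace URIs (a real implementation uses the URIs of the spec version it targets), a five-minute clock-skew policy chosen here, and the slide's token re-serialised with namespace declarations as its constructed sample input.

```python
"""Parse a <wsse:SecurityContextToken> and decide whether the context may be used.

Added example; not code from the slides or from any WS-Security toolkit.
Assumptions: the two namespace URIs are placeholders for this demo (use the
URIs of the WS-SecureConversation/WS-Security version you implement), the
5-minute clock-skew allowance is a local policy choice, and SAMPLE_SCT is
the token shown on the slide, re-serialised with namespace declarations.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

WSSE = "urn:example:wsse"  # placeholder namespace (assumption)
WSU = "urn:example:wsu"    # placeholder namespace (assumption)
NS = {"wsse": WSSE, "wsu": WSU}

# Constructed sample: the slide's token plus namespace declarations.
SAMPLE_SCT = f"""<wsse:SecurityContextToken xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}"
    wsu:Id="SecurityToken-f3dfe69f-4bd6-41f9-b198-bb6247d14780">
  <wsu:Identifier>uuid:f1971e12-f402-433d-bf7d-29c78a0a81eb</wsu:Identifier>
  <wsu:Created>2003-07-08T02:52:55Z</wsu:Created>
  <wsu:Expires>2003-07-08T06:52:55Z</wsu:Expires>
</wsse:SecurityContextToken>"""

MAX_SKEW = timedelta(minutes=5)  # local policy: tolerated clock difference vs. the issuer


@dataclass(frozen=True)
class SecurityContext:
    identifier: str
    created: datetime
    expires: datetime


class InvalidContextToken(ValueError):
    """Raised when the token is malformed or its lifetime is inconsistent."""


def parse_utc(text):
    """WS-Security timestamps are xs:dateTime in UTC; insist on the trailing Z."""
    if not text or not text.endswith("Z"):
        raise InvalidContextToken("timestamp must be UTC with trailing Z: %r" % (text,))
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_sct(xml_text):
    """Extract identifier and lifetime; reject tokens whose lifetime is inverted."""
    root = ET.fromstring(xml_text.strip())
    if root.tag != "{%s}SecurityContextToken" % WSSE:
        raise InvalidContextToken("not a SecurityContextToken: %s" % root.tag)
    identifier = root.findtext("wsu:Identifier", namespaces=NS)
    if not identifier:
        raise InvalidContextToken("missing wsu:Identifier")
    created = parse_utc(root.findtext("wsu:Created", namespaces=NS))
    expires = parse_utc(root.findtext("wsu:Expires", namespaces=NS))
    if expires <= created:
        raise InvalidContextToken("Expires must be later than Created")
    return SecurityContext(identifier, created, expires)


def is_well_formed_sct(xml_text):
    """True when the token parses and passes the structural checks above."""
    try:
        parse_sct(xml_text)
        return True
    except (InvalidContextToken, ET.ParseError):
        return False


def context_usable(ctx, now):
    """Accept only inside the lifetime: a little skew before Created, none after Expires."""
    return ctx.created - MAX_SKEW <= now < ctx.expires


def usable_at(xml_text, when_utc):
    """Parse the token and evaluate it at an ISO-8601 UTC instant given as a string."""
    return context_usable(parse_sct(xml_text), parse_utc(when_utc))


if __name__ == "__main__":
    ctx = parse_sct(SAMPLE_SCT)
    print(ctx.identifier, "valid for", ctx.expires - ctx.created)
    print("usable now:", context_usable(ctx, datetime.now(timezone.utc)))
```

The lifetime check is deliberately asymmetric: a few minutes of skew are tolerated before Created (the issuer's clock may be ahead), but nothing is accepted at or after Expires, since a context that has expired must be re-established rather than extended by the receiver.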

Page 13: Establishing Security Context
• A security context must be created and shared by the communicating parties before it can be used.
• How?
1. Created by a security token service (STS)
2. Created by one of the communicating parties and propagated with a message
3. Created through negotiation

Page 14: Way 1: Created by STS
• The initiator sends a <RequestSecurityToken> for a SecurityContextToken to a security token service; the STS answers with a <RequestSecurityTokenResponse> that carries the new token and a proof token (the context secret, encrypted for the requester).

Page 15: <RequestSecurityToken> Example
<S:Body wsu:Id="req">
  <RequestSecurityToken>
    <TokenType>wsse:SecurityContextToken</TokenType>
    <RequestType>wsse:ReqIssue</RequestType>
  </RequestSecurityToken>
</S:Body>

Page 16: <RequestSecurityTokenResponse> Example
<S:Body>
  <RequestSecurityTokenResponse>
    <RequestedSecurityToken>
      <wsse:SecurityContextToken>
        <wsu:Identifier>uuid:...</wsu:Identifier>
      </wsse:SecurityContextToken>
    </RequestedSecurityToken>
    <RequestedProofToken>
      <xenc:EncryptedKey Id="newProof">
        ...
      </xenc:EncryptedKey>
    </RequestedProofToken>
  </RequestSecurityTokenResponse>
</S:Body>

Page 17: Way 2: Created by One of the Communicating Parties
• Process
– The initiator creates a security context token and sends it to the other parties in a message.
– The recipient can then choose whether or not to accept the security context token.
• Application
– This model works when the sender is trusted to always create a new security context token.

Page 18: Way 3: Created through Negotiation
• Process
– The initiating party sends a <RequestSecurityToken> request to the other party.
– A <RequestSecurityTokenResponse> is returned.
– The two steps are repeated until a final response containing a <SecurityTokenReference> and a <ProofTokenReference> is received.
• Application
– Used when the participants need to negotiate the contents of the security context token, such as the shared secret.

Page 20: Deriving Keys
• Once the context and its secret have been established (and authenticated), the derived-keys mechanism computes a separate key for each key usage in the secure context, rather than using the shared secret directly.
• Example
– Four keys may be derived so that the two parties can sign and encrypt using separate keys.

Page 21: Deriving Keys
• Algorithms
– Using a common secret, the parties may agree on different key derivation functions.
– Default: the P_SHA-1 function defined by TLS (referred to as wsse:PSHA1):
  P_SHA1(secret, label + seed)
  The label is a fixed string and the seed carries a nonce, so the same secret yields different keys for different nonces.

Page 22: Deriving Keys
• The <DerivedKeyToken> element indicates that the key used with a given security token is not the context secret itself but a key derived from it (by default with P_SHA-1); <Generation> selects which key in the derived sequence.
• Example
<DerivedKeyToken>
  <SecurityTokenReference>
    <Reference URI=".../ctx1"/>
  </SecurityTokenReference>
  <Generation>2</Generation>
</DerivedKeyToken>

Page 23: Subsequent Derivation Example
<DerivedKeyToken>
  <Properties>
    <Name>.../derivedKeySource</Name>
    <Label>NewLabel</Label>
    <Nonce>FHFE...</Nonce>
  </Properties>
  <Generation>3</Generation>
</DerivedKeyToken>

<DerivedKeyToken wsu:Id="newKey">
  <SecurityTokenReference>
    <Reference URI=".../derivedKeySource"/>
  </SecurityTokenReference>
  <Generation>0</Generation>
</DerivedKeyToken>
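To make the derivation concrete, here is an added example (written for this page, not code from the slides, the specification or any WS-* toolkit) that implements P_SHA1(secret, label + seed) as the TLS 1.0 PRF building block from RFC 2246, derives the four sign/encrypt keys of Page 20 by generation, and reproduces the two-step derivation of Page 23 (generation 3 under NewLabel becomes derivedKeySource, generation 0 of that key becomes newKey). The label string, the 16-byte key length, the generation-to-purpose mapping and the nonces are assumptions made for the demo, not values fixed by the slides.

```python
"""P_SHA-1 key derivation for a WS-SecureConversation security context.

Added example; not code from the slides, the spec, or any WS-* toolkit.
P_SHA-1 is the TLS 1.0 PRF building block (RFC 2246, section 5).
Assumptions made for this demo: the label string, the 16-byte key
length, the generation-to-purpose mapping and the nonces are chosen
here, not fixed by the slides.
"""
import hashlib
import hmac
import os

# Assumed label; check the spec version you implement for the exact
# default string and for how the two parties' labels are combined.
DEFAULT_LABEL = b"WS-SecureConversation"
KEY_LEN = 16  # assumed derived-key length in bytes


def hmac_sha1(key, msg):
    return hmac.new(key, msg, hashlib.sha1).digest()


def p_sha1(secret, seed, length):
    """RFC 2246 P_SHA1: expand (secret, seed) to `length` bytes.

    A(0) = seed, A(i) = HMAC_SHA1(secret, A(i-1))
    P_SHA1 = HMAC_SHA1(secret, A(1) + seed) || HMAC_SHA1(secret, A(2) + seed) || ...
    """
    if length <= 0:
        raise ValueError("length must be positive")
    out = bytearray()
    a = seed
    while len(out) < length:
        a = hmac_sha1(secret, a)
        out += hmac_sha1(secret, a + seed)
    return bytes(out[:length])


def derive_key(secret, generation, nonce, label=DEFAULT_LABEL, length=KEY_LEN):
    """Key named by a <DerivedKeyToken> with <Generation>generation</Generation>.

    P_SHA1(secret, label + seed) yields one key stream per (secret, label,
    nonce); generation g is the g-th `length`-byte slice of that stream, so
    different generations never overlap.
    """
    if generation < 0:
        raise ValueError("generation must be >= 0")
    stream = p_sha1(secret, label + nonce, (generation + 1) * length)
    return stream[generation * length:(generation + 1) * length]


def derive_session_keys(secret, nonce):
    """Four keys so each party signs and encrypts with separate keys (Page 20).
    Which generation serves which purpose is a convention the parties agree
    on; this mapping is an assumption of the demo."""
    return {
        "initiator_sign": derive_key(secret, 0, nonce),
        "initiator_encrypt": derive_key(secret, 1, nonce),
        "responder_sign": derive_key(secret, 2, nonce),
        "responder_encrypt": derive_key(secret, 3, nonce),
    }


def subsequent_derivation(secret, nonce, new_nonce):
    """Page 23: derivedKeySource is generation 3 under label NewLabel with the
    token's nonce; newKey is generation 0 derived from that key. new_nonce is
    an assumption, since the slide's second token shows no nonce."""
    derived_key_source = derive_key(secret, 3, nonce, label=b"NewLabel")
    return derive_key(derived_key_source, 0, new_nonce)


if __name__ == "__main__":
    # Constructed sample values: a real context secret comes from the STS
    # proof token, and nonces must be fresh for every derivation.
    context_secret = os.urandom(32)
    nonce = os.urandom(16)
    for name, key in derive_session_keys(context_secret, nonce).items():
        print(name, key.hex())
    print("newKey", subsequent_derivation(context_secret, nonce, os.urandom(16)).hex())
```

Two properties worth noticing: the stream is prefix-consistent, so a party that needs generation 3 computes the first four slices and both sides agree without exchanging the keys themselves; and the derivation is fully determined by (secret, label, nonce, generation), so a reused nonce reproduces an earlier key, which is why each new derivation should carry a fresh <Nonce>.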

Page 25: SecureConversation in Action
• Web Services Enhancements (WSE) 2.0 for Microsoft .NET adds support for secure conversations (security contexts and derived keys) to Web services built on the .NET Framework.
• Demonstration

Page 26: Predefined Security Tokens in WSE 2.0

Page 28: Conclusion of WS-SecureConversation
• The WS-SecureConversation specification defines extensions to WS-Security that allow a security context to be established and shared, and session keys to be derived from it.

Page 30: Primary References
• http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnglobspec/html/ws-secureconversation.asp
– Official specification describing WS-SecureConversation.
• http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnwse/html/wssecdrill.asp
– Explains how to use Web Services Enhancements 2.0 to implement security, trust, and secure conversations in a Web services architecture.

Page 31: Secondary References
• http://www.microsoft.com/downloads/details.aspx?FamilyId=21FB9B9A-C5F6-4C95-87B7-FC7AB49B3EDD&displaylang=en
– The WSE 2.0 technology preview, giving early access to new advanced Web services capabilities.
• http://msdn.microsoft.com/webservices/building/wse/default.aspx
– The latest advanced Web services capabilities, tracking the evolving Web services protocol specifications.

Page 32: Questions?