Web Services Security
Sang Shin
sang.shin@sun.com
www.javapassion.com/webservices
Agenda
• What is security?
• Why new security schemes for Web services?
• XML-based Web services security initiatives
  – XML signature
  – XML encryption
  – XKMS, XACML, SAML, WS-Security
  – How they work together

What is Security?
[Figure: loan-application scenario. Participants: a business in need of cash, a credit report company and a bank. Steps shown: 1. request credit score; 2. send credit score; 4. aggregate data and send loan request; 6. send response to loan request. Each SOAP message carries header blocks (Header A, Header B, Header C, Header D) and a SOAP body.]
• … credit report company and the bank (authentication)
• The credit report company needs to know that their paying customer won’t back out maliciously after sending the request (non-repudiation)
• The credit report company needs to prove it supplied the credit score itself (authentication)
• All the message content needs to reach its various destinations unchanged (integrity) and be safe from competitors’ eyes (confidentiality)
• The bank needs to record the receipt of the application (auditing)

Confidentiality: key-based digital encryption and decryption
Authentication: username/password, key-based digital signing and signature verification, challenge-response, biometrics, smart cards, etc.
Trust: key-based digital signing and signature verification
Non-repudiation: key-based digital signing and signature verification, message reliability
Integrity: message digest, itself authenticated with a digital signature
Authorization: application of policy, access control, digital rights management
Auditing: various forms of logging, themselves secured to avoid tampering
03/29/2004
Security Frameworks
[Figure: security frameworks, including WS-Security, Kerberos and X.509; QOP]
Web Services Security (Sun™ Tech Days)
[Figure: maturity of the specifications, from Early Draft through Mature Draft to V1 Complete: ID-FF 1.1, ID-FF 1.2, ID-WSF 1.0, XACML, SAML, XKMS, C14N]
XML Signature

Types of XML Signature
Here <Signature> is external to the content that is signed:

    <Reference URI="http://www.buy.com/books/purchaseWS"/>
    ...
  </Signature>

XML Signature Structure
• <Signature> is the parent element of the XML Signature structure
• Contains
  • <SignedInfo>
  • <SignatureValue>
  • <KeyInfo>
  • <Object>

  <Signature>
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2000/..." />
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <Reference URI="#PurchaseOrder">
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
        <DigestValue>qZk+nkcGcWq6piVxeFdcbJzQ2JO=</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>
      IWijxQjUrcXBYc0ei4QxjWo9Kg8Dep9tlWoT4SdeRT87GH03dgh
    </SignatureValue>
    <KeyInfo>
      <X509Data>
        <X509SubjectName>CN=Alice Smith, STREET=742 Park Avenue,
          L=New York, ST=NY, C=US</X509SubjectName>
      </X509Data>
    </KeyInfo>
  </Signature>
Process of Validation
• Validate references by
  • Applying transforms <Transforms> to the data source
  • Calculating the digest and then comparing it to <DigestValue>
• Validate the signature by
  • Retrieving the key from <KeyInfo> or another source of key information
  • Validating <SignatureValue>
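The two validation steps above, as an added runnable example that is not from the slides or from JSR 105: it builds a <ds:Signature> over one element referenced by Id (as in the structure slide) and then validates it, checking each <Reference> digest before checking the signature over canonical <SignedInfo>. Assumptions: the spec's hmac-sha1 SignatureMethod stands in for rsa-sha1 (the Python standard library has no RSA), the standard library's Canonical XML 2.0 stands in for C14N 1.0, <KeyInfo> is omitted because the key is shared out of band, and the document and key are constructed here.

```python
import base64, hashlib, hmac
import xml.etree.ElementTree as ET

DSIG = "http://www.w3.org/2000/09/xmldsig#"
HMAC_SHA1 = DSIG + "hmac-sha1"              # spec-defined stand-in for rsa-sha1 (assumption)
SHA1 = DSIG + "sha1"                        # DigestMethod from the slide; use SHA-256 today
C14N2 = "http://www.w3.org/2010/xml-c14n2"  # what the stdlib canonicalizer implements
ET.register_namespace("ds", DSIG)

def c14n(elem):  # canonical bytes of a subtree (C14N 2.0 here, C14N 1.0 on the slide)
    return ET.canonicalize(ET.tostring(elem, encoding="unicode")).encode()
def find_by_id(root, ref_id):  # dereference a same-document URI such as "#PurchaseOrder"
    for elem in root.iter():
        if elem.get("Id") == ref_id:
            return elem
    raise ValueError(f"no element with Id={ref_id!r}")

def sign(doc_xml, key, ref_id):  # append a <ds:Signature> covering the element Id=ref_id
    root = ET.fromstring(doc_xml)
    si = ET.Element(f"{{{DSIG}}}SignedInfo")
    ET.SubElement(si, f"{{{DSIG}}}CanonicalizationMethod", Algorithm=C14N2)
    ET.SubElement(si, f"{{{DSIG}}}SignatureMethod", Algorithm=HMAC_SHA1)
    ref = ET.SubElement(si, f"{{{DSIG}}}Reference", URI="#" + ref_id)
    ET.SubElement(ref, f"{{{DSIG}}}DigestMethod", Algorithm=SHA1)
    digest = hashlib.sha1(c14n(find_by_id(root, ref_id))).digest()
    ET.SubElement(ref, f"{{{DSIG}}}DigestValue").text = base64.b64encode(digest).decode()
    sig = ET.SubElement(root, f"{{{DSIG}}}Signature")
    sig.append(si)
    mac = hmac.new(key, c14n(si), hashlib.sha1).digest()  # the signature covers SignedInfo only
    ET.SubElement(sig, f"{{{DSIG}}}SignatureValue").text = base64.b64encode(mac).decode()
    return ET.tostring(root, encoding="unicode")

def validate(doc_xml, key):  # step 1: reference validation, step 2: signature validation
    root = ET.fromstring(doc_xml)
    sig = root.find(f"{{{DSIG}}}Signature")
    si = sig.find(f"{{{DSIG}}}SignedInfo")
    # Pin the accepted algorithms instead of trusting whatever the document names.
    if si.find(f"{{{DSIG}}}SignatureMethod").get("Algorithm") != HMAC_SHA1:
        return False
    for ref in si.findall(f"{{{DSIG}}}Reference"):  # step 1: every digest must match
        if ref.find(f"{{{DSIG}}}DigestMethod").get("Algorithm") != SHA1:
            return False
        claimed = base64.b64decode(ref.find(f"{{{DSIG}}}DigestValue").text)
        actual = hashlib.sha1(c14n(find_by_id(root, ref.get("URI").lstrip("#")))).digest()
        if not hmac.compare_digest(actual, claimed):
            return False
    claimed = base64.b64decode(sig.find(f"{{{DSIG}}}SignatureValue").text)  # step 2
    return hmac.compare_digest(hmac.new(key, c14n(si), hashlib.sha1).digest(), claimed)
SAMPLE_DOC = ('<Order xmlns="urn:example:orders"><PurchaseOrder Id="PurchaseOrder">'
              '<Item>Widget</Item><Qty>10</Qty></PurchaseOrder></Order>')  # constructed
KEY = b"demo-shared-secret"  # constructed; a real deployment would name a cert in KeyInfo
```

Changing any byte inside the referenced element fails step 1, while a wrong key leaves the digests intact and fails only step 2.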
JSR 105 – XML Signatures in Java

• Important JSR 105 APIs
  • XMLSignatureFactory
    • Abstract factory used to create XML Signatures from scratch
    • Implementations support a specific XML mechanism (ex: "DOM")
  • XMLSignature
    • Contains methods for signing and validating
  • XMLSignContext

Example of Enveloped Signature Generation (1)

  import java.util.Collections;
  import javax.xml.crypto.dsig.*;

  // First, create a DOM XMLSignatureFactory
  XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");

  // Specify the algorithms for various things such as Canonicalization.
  // The *_URI constant names are those of the 2003 public review draft; the final
  // JSR 105 API names them DigestMethod.SHA1, CanonicalizationMethod.INCLUSIVE_WITH_COMMENTS,
  // SignatureMethod.RSA_SHA1 and Transform.ENVELOPED.
  DigestMethod dm = fac.newDigestMethod(DigestMethod.SHA1_URI, null);
  CanonicalizationMethod cm = fac.newCanonicalizationMethod(
      CanonicalizationMethod.WITH_COMMENTS_URI, null);
  SignatureMethod sm = fac.newSignatureMethod(SignatureMethod.RSA_SHA1_URI, null);
  Transform tm = fac.newTransform(Transform.ENVELOPED_URI, null);

  // Create a Reference pointing to the document to be signed: URI "" means the
  // enclosing document, and the enveloped transform excludes the signature itself.
  Reference ref = fac.newReference("", dm, Collections.singletonList(tm), null, null);
XML Signature Status
• W3C Recommendation (Feb. 2002)
• At least 10 vendor implementations are available
  – Java WSDP
  – Apache open source implementation
  – Most J2EE vendors will support this even though it is not mandated in J2EE 1.4
• JSR-105 work in progress
  – Public review in progress (06/2003)
XML Encryption
  – Encrypting/decrypting such data
  – Can encrypt only certain parts of a document
• W3C Recommendation now
• JSR 106
• Encrypting an XML element
• Encrypting XML elements containing other elements
• Encrypting an XML element containing character data
• Encrypting arbitrary data and XML documents
• Encrypting EncryptedData (Super Encryption)

  <PaymentInfo>
    <Name>John Smith</Name>
    <CreditCard Limit='5,000' Currency='USD'>
      <Number>4019 2445 0277 5567</Number>
      <Issuer>Example Bank</Issuer>
      <Expiration>04/02</Expiration>
    </CreditCard>
  </PaymentInfo>
Encrypting <EncryptedData> (Super Encryption)

  <pay:PaymentInfo
      xmlns:pay='http://example.org/paymentv2'>
    <EncryptedData Id='ED2'
        xmlns='http://www.w3.org/2001/04/xmlenc#'
        Type='http://www.w3.org/2001/04/xmlenc#Element'>
      <CipherData>
        <CipherValue>newEncryptedData</CipherValue>
      </CipherData>
    </EncryptedData>
  </pay:PaymentInfo>

Here the <CipherValue> 'newEncryptedData' is the base64 encoding of the encrypted octet sequence resulting from encrypting the <EncryptedData> element with Id='ED1'.
XKMS

What is XKMS?

Why XKMS?

XKMS Specifications
What is SAML?
• Define an XML framework for exchanging authentication and
WS-Security Specification
• Set of SOAP extensions for end-to-end SOAP messaging security
  – Security schemes at the message level
• Signing and encrypting SOAP messages by attaching security tokens to SOAP messages
  – Any combination of message parts: header blocks, body, attachments

WS-Security
• Multiple security models
  – username/password
  – certificate
• Multiple security technologies
  – Kerberos
  – PKI

How They Work Together
Resources
• W3C XML Digital Signature
  – www.w3.org/Signature/
• W3C XML Encryption
  – www.w3.org/Encryption/
• XKMS
  – www.w3.org/TR/xkms/
• XACML
  – www.oasis-open.org/committees/xacml/
• SAML
  – oasis-open.org/committees/security
• WS-Security
  – www.oasisopen.org/committees/wss/
• ebXML Message Services
  – www.ebxml.org
• Liberty Project
  – www.projectliberty.org

Thank You!
JAX-RPC Message-Level Security
Sang Shin
Technology Evangelist

JAX-RPC Message Level Security
• Point-to-Point: protects the “pipe”
• Ubiquitous

• Data chunks are protected
• Standards still under development
• dump
  • prints out both the client and server request and response SOAP messages
• sign
  • the response is signed by the server and verified by the client
• sign2
  • the client signs the request, the message is dumped out, the message travels over the network, the server verifies the signature, the business method is called, the server signs the response, the message travels back over the network, and the client verifies the response
• retrieves calling client identity
Steps of Signing (at the Client)

      // Sign the request and then dump the message for debugging
      cch.addSignRequest().addDumpRequest();
      ...
    }
  }
SunNetworkSM Conference 2002

Centralized Model
• Overview
  – “User” & Nodes enroll with ID operator
  – ID operator issues global unique identifier (GUID)
  – “User” can access all operator sites
• Pros
  – Single source of control/auditability
• Cons
  – Security/Privacy controlled by one operator
  – Operator controls some profile data
  – Profile sharing/tracking possible without permission
  – Single point of security failure
  – Danger for "Tollgating"
[Figure: a Single Identity Operator with the Customer at the centre, surrounded by Financial Svcs, Online, Wireless, Retail, Telecommunications, Travel and Entertainment Communities]

Open Federated Model
• Overview
  – Account chaining based
  – “User” & Nodes need explicit linking
  – No common GUID
• Pros
  – User has complete control on who/what to share
  – Businesses have complete control on “user” profile data
  – Incremental profile sharing possible
  – Creates market opportunity for identity service providers
• Cons
  – Expensive to do without standards
  – Profile data inconsistency possible
[Figure: BANK, YOU and PORTAL linked to each other]
Liberty Project: Liberty Alliance*
• Create an open standard for identity, authentication and authorization
• Objective: lower costs, accelerate commercial opportunities, and increase customer satisfaction
• Federated standard will enable every business to:
  • Maintain their own customer/employee/device data
  • Tie data to an individual’s or business’s identity
  • Share data with partners according to its business objectives, and customer’s preferences
* today. And growing.
Consumer Circles of Trust
[Figure (Evolution): Primary Trust Authority (e.g., my bank); Trust Authority (e.g., my airline); Profile (Name, ID, Preferences); Home NI Services; NI Enabled Service; Enabled Notification Services; External Services; Merchants; Aggregator; News Source; Friends & Family]