XML and Web Service Security Survey

1
XML and Web Service Security Survey

Lili Sun
sun_at_usq.edu.au
2

• Outline
• Introduction
• What is security?
• XML-based Web services security standards
• XML signatures,
• XML encryption,
• XML Key Management Specification,
• Extensible Access Control Markup Language,
• Security Assertion Markup Language,
• WS-Security.
• How they work together
• Conclusion

3
Introduction

• Meeting security requirements for privacy,
  confidentiality and integrity is essential in
  order to move business online.
• XML has been widely used in e-services,
  M-services.
• XML has emerged as a prevalent standard for
  document representation and exchange on the Web.
• The following example shows a credit card message
  from a bank in XML document that can be accessed
  by anyone if there is no protective security.
• lt?xml version"1.0" encoding"ISO-8859-1
  "?gt
• ltPaymentInfo xmlnshttp//example.org/p
  aymentv2gt
• ltnamegtJohn Smithlt/namegt
• ltCreditCard Limit5000gt
• ltNumbergt1234 5678
  9012lt/Numbergt
• ltIssuergt Bank lt/Issuergt
• ltExpirationgt11/07lt/Expira
  tiongt
• lt/CreditCardgt
• lt /PaymentInfogt

4

• Current security technologies provide several
  specifications for web service applications. Such
  as SSL, TLS
• In this topic, I will introduce the standards
  for XML and Web service security.

5
What is Security

• Concrete Forms of Security
• Confidentiality can prying eyes see it?
• Authentication are you who you say you are?
• Trust have I agreed to work with you?
• Non-repudiation can you claim you didnt send it
  even if you really did?
• Integrity was it changed before I got it?
• Authorization are you allowed to have it?

6

• Issues with Current Web Security Schemes
• SSL/TLS/HTTPS
• Transport level security (not message level
  security)
• Point-to-point security only, does not handle
  end-to-end multi-hopped messaging security
• Security only when data is in transition, does
  not secure data off transition
• HTTPS doesnt support non-repudiation
• No element-wise signing and encryption

7

• New opportunities
• The web services security infrastructure can take
  advantage of XMLs granularity
• - Encrypt or sign the selected portions
• - Act on and rewrite individual headers
• - Hardware appliances could accelerate these
• functions

8
XML Web Services Security Standards

• XML Digital Signature
• XML Encryption
• XKMS( XML Key Management Specification)
• XACML (eXtensible Access Control Markup
• Language)
• SAML (Security Assertion Markup Language)
• WS-Security

9

• Standards Framework

10
XML Signature

• Digital signatures are an important element in
  electronic security because they can be used to
  ensure the integrity, authentication, and
  non-repudiation of data.
• - XML syntax for representing signature of
  web
• resources and portions
• - Procedures for computing and verifying
  such
• signatures
• - Canonicalization of XML data

11
Why XML Digital Signature

• Very flexible, thus can support diverse set of
  internet transaction models
• Can sign individual items of an XML document
• Can sign multiple items
• Can sign both local and remote objects
• Can sign both XML and non-XML contents
• Allows multiple levels of signing to same content

12

• XML Signature Types
• There are three types of XML Signature
• Enveloped The XML Signature is included in the
  XML document. It is
• a child element of the XML
  document.
• For example, ltdocumentgt
• ltsignaturegt
  .lt/signaturegt
• lt/documentgt
• 
  
  

Figure1 __ Enveloped Signature
13

• XML Signature Types
• Enveloping The XML document is included in the
  XML Signature, It is
• a child element of the XML signature.
• For example, ltsignaturegt
• 
  ltdocumentgt.lt/documentgt
• lt/signaturegt

Figure2 __ Enveloping Signature
14

• XML Signature Types
• Detached The XML Signature is included in a
  separate document
• from the signed document.
• For example, ltsignaturegtlt/signaturegt

Figure 3 __ Detached Signature
15

• The structure of XML Signature
• The following shows the structure of XML
  Signature.
• ltSignature IDgt
• ltSignedInfogt It is the information that is
  actually signed
• ltCanonicalizationMethod/gt Contains the
  algorithm name used to
• 
  transform the data into canonical XML.
• ltSignatureMethod/gt Contains the
  algorithm used to generate the
• 
  signature
• (ltReference URIgt Contains the method
  used to generate the digest
• and the
  result digest value.
• ltDigestMethodgt
• ltDigestValuegt
• lt/Referencegt)
• lt/SignedInfogt
• ltSignatureValuegt Contains the actual
  signature value
• (ltKeyInfogt) Contains an indication of
  the key that must be used to
• signature.
• lt/Signaturegt

16

• Example XML Signature
• ltSignature Id"MyFirstSignature"
  xmlns"http//www.w3.org/2000/09/xmldsig"gt
• ltSignedInfogt
• ltCanonicalizationMethod
  Algorithm"http//www.w3.org/TR/2001/REC-xml-c14n-
  
• 
  20010315"/gt
• ltSignatureMethod Algorithm"http//www
  .w3.org/2000/09/xmldsigdsa-sha1"/gt
• ltReference URIPurchaseOrder"gt
• ltDigestMethod
  Algorithm"http//www.w3.org/2000/09/xmldsigsha1"
  /gt
• ltDigestValuegtj6lwx3rvEPO0vKtM
  up4NbeVu8nklt/DigestValuegt
• lt/Referencegt
• lt/SignedInfogt
• ltSignatureValuegtMC0CFFrVLtRlk...lt/SignatureVal
  uegt
• ltKeyInfogt
• ltKeyValuegt
• ltDSAKeyValuegt
• ltPgt...lt/PgtltQgt...lt/Q
  gtltGgt...lt/GgtltYgt...lt/Ygt
• lt/DSAKeyValuegt
• lt/KeyValuegt

17
XML Encryption

• What is XML Encryption
• The XML Encryption Syntax and Processing
  specification
• defines an XML vocabulary and processing rules
  for
• protecting confidentiality of XML document.
• Defines
• XML syntax for encrypted data
• Encrypting/decrypting such data
• Can encrypt only certain parts of document

18

• XML Encryption and SSL
• SSL encrypts all the data transmitted through
  an SSL channel
• XML Encryption can encrypt the portions of
  data selectively
• for example A specific element within an XML
  document

19
XML Encryption Structure

• ltEncryptedDatagt
  Encryption Element
• ltEncryptionMethodgt
  Encryption algorithm
  
• ltdsKeyInfogt Key
  information
• ltEncryptedKeygt
• ltAgreementMethordgt
• ltdsKeyNamegt
• lt/dsKeyInfogt
• ltCipherDatagt Raw encrypted data
• ltCipherValuegt
• ltCipherReferencegt
• lt/ CipherData gt
• ltEncryptionPropertiesgt
• lt/EncryptedDatagt
• ltEncryptedDatagt element is core element in the
  syntax. It contains
• ltEncryptionMethordgt
• ltdsKeyInfogt
• ltCipherDatagt
• ltEncryptionPropertiesgt

20
Example of Encryption

• In this example only encrypts the elements of
  ltCreditCardgt element
• lt?xml version"1.0" encoding"ISO-8859-1"?gt
• ltPaymentInfo xmlnshttp//example.org/p
  aymentv2gt
• ltnamegtJohn Smithlt/namegt
• ltCreditCard Limit5000gt
• ltEncryptedData
• xmlnshttp//www.w3.org/
  2001/04/xmlenc
• Typehttp//www.w3.org/2
  001/04/xmlencContentgt
• ltCipherDatagt
• 
  ltCipherValuegtA23B45C67lt/CipherValuegt
• lt/CipherDatagt
• lt/EncryptedDatagt
• lt/ CreditCardgt
• lt /PaymentInfogt

21
XKMS(XML Key Management Specification)

• What is XKMS?
• XKMS defines protocol between XKMS client and
  XKMS server for performing public-key
  infrastructure (PKI) operations.
• public key registration
• public key validation
• public key discovery
• public key revocation
• XKMS server provides trust service in the form of
  a Web service
• Used along with XML digital signing and
  encryption

22

• Why XKMS?
• PKI is very important to Web services
  E-commerce
• PKI operations are too expensive to small devices
• XKMS reduces the processing burden by moving
  it to an XKMS server
• PKI operations are too complex to many
  applications
• XKMS eases the integration of PKI by moving
  the complexity of PKI operation to an XKMS sever

23

• XKMS Specifications
• XKISS XML Key Information Service Specification
• Defines a protocol for validation of public
  keys
• XKRSS XML Key Registration Service Specification
• Defines a protocol for registration,
  revocation,
• recovery of public keys

24
XACML (eXtensible Access Control Markup Language)

• XACML is an XML specification for expressing
  fine-grained information access policies in XML
  documents or any other electronic resources
• Access control lists in XACML are 4-tuples
  subjects, target objects, permitted action,
  provision

25

• Why XACML?
• Standardize access control language in XML
• - Extensible language with flexible
  semantics
• Lower costs
• - No need to write policy in several
  languages
• Simpler
• - Admins only need to understand one language
• Policy composition
• - Policies written by different parties can
  be combined

26

• XACML Use Case
• A patient has patient record including mental
  problem notes.
• The patient grants access right to mental problem
  notes only to primary care doctor.
• The primary care doctor grants access to patient
  record to associate doctor with access
  restriction so that associate doctor has no
  access to mental problem notes.

27
SAML (Security Assertion Markup Language)

• What SAML?
• - SAML defines an XML framework for
  exchanging
• authentication and authorization
  information.
• - SAML can be used to realize single sign-on
  (SSO) between different systems and platforms.

28

• Why SAML?
• Standards are emerging for many things of
  collaborative e-commerce, such as
• - Business transactions
• - Software interactions
• SAML developed to sharing security
  information through SAML

29

• SAML Use case
• Web single sign-on (SSO)
• A general requirement when using multiple
  networked systems is "single sign-on" -
  authenticating once and then sharing the result
  of authentication with multiple systems to avoid
  repeated authentication.
• For example, Logged-in (authenticated) users
  of Smith.com are allowed to access to sister site
  Johns.com without relogin.

30
WS-Security

• WS-Security Specification
• Defines new SOAP extensions to provide
  pre-message authentication, as well as end-to-end
  message confidentiality using XML Encryption and
  end-to-end message integrity using XML Digital
  Signature in a Web services environment.

31
How they work together

• SAML and Other Standards
• SAML and XML digital signature
• XML Digital signature is used to sign and
  canonical SAML assertions
• SAML and XML Encryption
• XML Encryption is used for encrypting and
  decrypting SAML assertions
• SAML AND XKMS
• SAML could be secured by XKMS-based PKI

32

• SAML and Other Standards
• SAML and XACML
• XACML could be used to define access control
  /policy as a basis for handling SAML assertion
  request
• SAML and WS-Security
• SAML assertions can be carried as security token
  defined in WS-Security

33
Conclusion

• This topic has presented a brief introduction to
  XML and Web services security standards and how
  they work together.
• The XML Security standards define XML languages
  and processing rules for meeting common security
  requirements. For the most part, these standards
  incorporate with the use of the other XML
  Security standards, especially the core XML
  Digital Signature and XML Encryption standards.