XML and Web Services Security Provisions - PowerPoint PPT Presentation

Slides: 22
Provided by: hup7
Transcript and Presenter's Notes


1
XML and Web Services Security Provisions
  • Andrew Mulroney
  • Delbert Harry

2
Web Services Security Defined
  • Web-Services Security Quality of Protection
  • How actors are to be authenticated, using what
    mechanisms and with what parameter value ranges,
  • Which XML elements are to be encrypted, for what
    individual recipients, recipient roles or keys,
    using what algorithms and key sizes,
  • Which XML elements are to be integrity protected,
    using what mechanisms, with which algorithms and
    key sizes, and
  • What additional qualifications the service
    consumer must demonstrate in order to
    successfully access the API.

3
Web Services Security Defined
  • Need to provide end-to-end protection at
    communication and application layers.
  • Elements
  • Privacy (retention period, intended usage,
    further disclosure),
  • Trust (initial parameters of the signature
    validation procedure, including those keys or
    authorities that are trusted directly, policy
    identifiers, maximum trust path length), and
  • Non-repudiation (requirements for notarization
    and time-stamping).

4
  • What threats do Web Services face?
  • Message alteration
  • Attachment alteration
  • Confidentiality
  • Falsified messages
  • Man in the middle
  • Principal spoofing
  • Repudiation
  • Forged claims
  • Replay of message parts
  • Replay
  • Denial of service - amplifier

5
Is SSL sufficient?
  • For some applications
  • Yes, when only transport-level protection is
    needed.
  • As Infrastructure
  • No
  • SSL only supports data in transit, not in storage
  • SSL does not support multi-party transactions
  • SSL is all or nothing
  • Messages are opaque to firewalls
  • SSL does not support non-repudiation

6
Is SSL sufficient?
[Figure: User, Commerce Site and Credit Company, with links labelled XML and SSL]

7
What is SAML / What is WS-Security?
  • SAML (Security Assertion Markup Language).
  • SAML was developed by OASIS (Organization for the
    Advancement of Structured Information Standards),
    and is being supported by Liberty Alliance. SAML
    does not directly provide message integrity or
    confidentiality; it relies on XML Signature to
    protect integrity and on SSL/TLS for
    confidentiality. Single Sign On (SSO) can assert
    authorization across multiple services.
  • WS-Security
  • Developed by the Web Services Interoperability
    Organization (IBM, Microsoft and Verisign);
    enhances SOAP with methods to protect message
    integrity and confidentiality and to exchange
    security information. WS-Security specifically
    protects a single SOAP exchange.

8
  • WS-Security
  • SOAP Message Level Security
  • Confidentiality
  • Integrity
  • Authentication
  • Builds on XML Standards
  • XML Signature and Encryption

9
XML Encryption
  • XML Encryption defines a protocol for encrypting
    portions of a SOAP transmission, including
    canonicalization:
  • identifying the node to encrypt, perhaps with
    XPath
  • producing an encrypted version of the node
  • substituting the encrypted node for the plaintext
    node
  • You could perform all the XML manipulation
    yourself
  • .NET: must code manually (this is the only
    alternative open to you)
  • Java: there are toolkits to do both encryption
    and signatures, e.g.,
  • open source: Apache WSS4J (a subproject of
    WS-FX)
  • commercial: IBM WSDK, as one example

10
XML Encryption
  <?xml version="1.0"?>
  <PaymentInfo xmlns="http://www.page3.com/example">
    <Name>Capn Crunch</Name>
  </PaymentInfo>

  <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
                 xmlns="http://www.w3.org/2001/04/xmlenc#">
    <CipherData>
      <CipherValue>A23B45C56</CipherValue>
    </CipherData>
  </EncryptedData>

11
XML Signature
  • XML Signature (xml-dsig) allows us to add
    signing information to an XML document
  • compute a digest on a block of XML data
  • add the digest to a SOAP header element
  • optionally include our certificate, to aid the
    receiver in validating the digest
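
The digest step listed above, as an added example that is not part of the original slides: the sender canonicalizes an XML block, hashes it and places the result in a Reference element, and the receiver recomputes and compares. It assumes Python's standard-library C14N 2.0 and SHA-256 in place of C14N 1.0 and SHA-1, uses constructed sample messages, and leaves out signing SignedInfo with the sender's private key.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

DSIG = "http://www.w3.org/2000/09/xmldsig#"
# Assumption: C14N 2.0 (Python stdlib) and SHA-256 replace the slide's
# C14N 1.0 and SHA-1; the digest-then-compare logic is the same.
C14N_ALG = "http://www.w3.org/2010/xml-c14n2"
DIGEST_ALG = "http://www.w3.org/2001/04/xmlenc#sha256"

# Constructed sample messages (not from the slides).
SENT = ('<PaymentInfo xmlns="http://www.page3.com/example" id="p1" currency="USD">'
        '<Name>Capn Crunch</Name><Amount>100</Amount></PaymentInfo>')
# Same content after an intermediary re-serialized it: attribute order,
# quoting and spacing differ, so the raw bytes differ.
RESERIALIZED = ("<PaymentInfo currency='USD'   id='p1' "
                "xmlns='http://www.page3.com/example'>"
                "<Name>Capn Crunch</Name><Amount>100</Amount></PaymentInfo>")
TAMPERED = SENT.replace("<Amount>100<", "<Amount>900<")


def digest_of(xml_text):
    """Canonicalize the XML block, then return its base64 SHA-256 digest."""
    canonical = ET.canonicalize(xml_text)
    raw = hashlib.sha256(canonical.encode("utf-8")).digest()
    return base64.b64encode(raw).decode("ascii")


def build_reference(xml_text):
    """Sender side: build the Reference that carries the digest in the header."""
    ref = ET.Element(f"{{{DSIG}}}Reference", {"URI": ""})
    transforms = ET.SubElement(ref, f"{{{DSIG}}}Transforms")
    ET.SubElement(transforms, f"{{{DSIG}}}Transform", {"Algorithm": C14N_ALG})
    ET.SubElement(ref, f"{{{DSIG}}}DigestMethod", {"Algorithm": DIGEST_ALG})
    ET.SubElement(ref, f"{{{DSIG}}}DigestValue").text = digest_of(xml_text)
    return ref


def reference_matches(received_xml, ref):
    """Receiver side: recompute the digest and compare in constant time."""
    expected = ref.findtext(f"{{{DSIG}}}DigestValue") or ""
    return hmac.compare_digest(expected, digest_of(received_xml))


if __name__ == "__main__":
    ref = build_reference(SENT)
    print(ET.tostring(ref, encoding="unicode"))
    print("reserialized:", reference_matches(RESERIALIZED, ref))  # True
    print("tampered:", reference_matches(TAMPERED, ref))          # False
```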

12
XML Signature
  <env:Header>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
      <SignedInfo>
        <CanonicalizationMethod
          Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
        <SignatureMethod
          Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
        <Reference URI="">
          <Transforms>
            <Transform
              Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
          </Transforms>
          <DigestMethod
            Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
          <DigestValue>RjmqTulOiJrIu/GD
            C7CNUEAw9A</DigestValue>
        </Reference>
      </SignedInfo>
      <SignatureValue>oYtzba8fXmi5TTeqmR2XQV
        khtNZrflDNHoDCDJv1JtZDPi1iQcWFvQxQXDVGDRImIgAJhVN
        VSpP0wDUAdyKKBr0SCnETkgO7kgxhCeWTZSr
        hxJwAFMdW818HJaIAe14GP
        XDuUN7nPWszzmHxGWqcfGzsHlgPec8DjvstqCkg</SignatureValue>
      <KeyInfo>
        <KeyValue xmlns="http://www.w3.org/2000/09/xmldsig#">
          <RSAKeyValue>
            <Modulus>u0zEjEw9hPw5NmLTT
              AkX7DDtn0UJtXnE7S1c2ZN6I/PEnGdbPm/Z72rksGrG3QNoZy
              7rZlfgPiHfGywjdmpTZN7ixp5j4MGgBcf/3NJ

13
  • What is SAML?
  • XML based Framework
  • set of XML vocabularies for
  • Authentication Assertion
  • Attribute Assertion
  • AuthZ decision Assertion
  • Session Assertion (Future)
  • Credential Assertion (Future)

14
  • What Is SAML?
  • A standard message exchange protocol
  • Clarity in orchestrating how you ask for and get
    the information you need
  • How the messages ride on and in transport
    protocols
  • For better interoperability
  • Definition: a standard way of exchanging
    security-related data across heterogeneous,
    distributed systems crossing domain (geographical,
    namespace, temporal, spatial, organizational)
    boundaries

15
SAML Assertions
  • Assertions are declarations of fact, according
    to someone
  • SAML assertions are compounds of one or more of
    three kinds of statement about subject (human
    or program)
  • Authentication
  • Attribute
  • Authorization decision
  • You can extend SAML to make your own kinds of
    assertions and statements
  • Assertions can be digitally signed

16
  • Sample SAML
  <Assertion>
    <Conditions
      NotBefore="1730 23-MAY-2005"
      NotOnOrAfter="1800 23-MAY-2005"/>
    <AuthorizationDecisionStatement
      Resource="love.doc"
      Decision="Permit">
      <Subject>
        <NameIdentifier>
          Capn Crunch
        </NameIdentifier>
      </Subject>
      <Action>Decrypt</Action>
    </AuthorizationDecisionStatement>
    <Signature>
      5E8C811270A26F615D1F6BFF899BAB46898CF546
    </Signature>
  </Assertion>
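
How a relying party might evaluate the sample assertion above, as an added example that is not part of the original slides: it enforces the Conditions validity window and then looks for a Permit statement matching the subject, resource and action. The function names are hypothetical, the assertion is a constructed copy in the slide's simplified format (not real SAML syntax), and the signature is assumed to have been verified before this check runs.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed sample in the simplified format of the slide (not real SAML).
ASSERTION = """<Assertion>
  <Conditions NotBefore="1730 23-MAY-2005" NotOnOrAfter="1800 23-MAY-2005"/>
  <AuthorizationDecisionStatement Resource="love.doc" Decision="Permit">
    <Subject><NameIdentifier>Capn Crunch</NameIdentifier></Subject>
    <Action>Decrypt</Action>
  </AuthorizationDecisionStatement>
</Assertion>"""

MONTHS = {name: number for number, name in enumerate(
    "JAN FEB MAR APR MAY JUN JUL AUG SEP OCT NOV DEC".split(), start=1)}


def parse_slide_time(value):
    """Parse the slide's 'HHMM DD-MON-YYYY' timestamps, locale-independent."""
    hhmm, date = value.split()
    day, month, year = date.split("-")
    return datetime(int(year), MONTHS[month.upper()], int(day),
                    int(hhmm[:2]), int(hhmm[2:]))


def evaluate(assertion_xml, subject, resource, action, now):
    """Return (allowed, reason); anything missing or malformed fails closed."""
    root = ET.fromstring(assertion_xml)
    cond = root.find("Conditions")
    try:
        not_before = parse_slide_time(cond.get("NotBefore"))
        not_on_or_after = parse_slide_time(cond.get("NotOnOrAfter"))
    except (AttributeError, KeyError, ValueError):
        return False, "missing or malformed validity window"
    if now < not_before:
        return False, "not yet valid"
    if now >= not_on_or_after:  # the upper bound is exclusive
        return False, "expired"
    for stmt in root.iter("AuthorizationDecisionStatement"):
        actions = [a.text.strip() for a in stmt.iter("Action") if a.text]
        if (stmt.findtext("Subject/NameIdentifier", "").strip() == subject
                and stmt.get("Resource") == resource
                and action in actions
                and stmt.get("Decision") == "Permit"):
            return True, "permit"
    return False, "no matching Permit statement"


if __name__ == "__main__":
    print(evaluate(ASSERTION, "Capn Crunch", "love.doc", "Decrypt",
                   datetime(2005, 5, 23, 17, 45)))
```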

17
SAML and ebXML
  • The SAML Protocol defines 2 primary entities
  • Service Provider: an entity that provides
    services to Principals
  • Identity Provider: a type of service provider
    that creates, maintains, and manages identity
    information for Principals
  • An ebXML Registry can function as a SAML Service
    Provider
  • Allows the registry to utilize an Identity
    Provider to perform client authentication on its
    behalf
  • Avoids duplication of Identity Provider user
    database within registry

18
Weaknesses: SAML
  • Security of a SAML conversation is not
    stand-alone; it depends on a trust
    model, typically PKI.
  • Does not address privacy policies.
  • Does not define any technology or approaches for
    Authentication.
  • Only makes assertions about credentials; does not
    authenticate or authorize users.


19
Weaknesses: WS-Security
  • Does not discuss how proof-of-possession must be
    implemented.
  • Does not discuss how subject confirmations must
    be implemented.
  • Not yet approved as a standard; there are no
    commercial web services that use this
    specification yet.


20
Weaknesses: Integration
  • Implementation: management of relationships to
    interrelated specs (SAML, WS-Trust, etc.) may
    be highly complex, hence difficult to
  • Threats
  • Vendor rivalries
  • Limited industry for extensions


21
  • Questions?
  • Is Web Services security then exactly as secure
    as the encryption mechanisms employed on the
    documents?