Service Oriented Architecture - PowerPoint PPT Presentation

About This Presentation
Title:

Service Oriented Architecture

Description:

Service Oriented Architecture Lecture 4 Web Service Security, XML Signature and XML Encryption Mike McCarthy Notes adapted from Web Services Security , – PowerPoint PPT presentation

Number of Views:29
Avg rating:3.0/5.0
Slides: 82
Provided by: Office20041844
Category:

less

Transcript and Presenter's Notes

Title: Service Oriented Architecture


1
Service Oriented Architecture
Lecture 4 Web Service Security, XML Signature
and XML Encryption
Mike McCarthy
  • Notes adapted from Web
    Services Security,
  • Bilal Siddiqui

2
Web Services Cryptography
  • Bob and Alice Want to exchange SOAP messages.
  • Eve is always watching.
  • Mallory is always trying to cause trouble.

3
Whats going on?
  • Web Services Security (WSS) specification from
    OASIS
  • Message confidentiality
  • Message identification (Who are you?)
  • Message authentication (Can you prove it?)
  • Authorization (What are you allowed to do?)
  • End-to-end (not just point-to-point)

4
The WS Cryptography Stack
XML Web Services Security SAML (Security
Assertion ML),XKMS (XML Key Management
Specification), XACML (eXtensible Access Control
Markup Language)
XMLDSIG (W3C) XMLENC (W3C)
.NET Crypto APIs
Java Security APIs
5
Tools Becoming common
  • Apaches WSS4J (Web Services Security)
  • Javas JCE and JCA
  • C Crypto APIs
  • Active Endpoints supports security if you
    purchase their product
  • IBMs WebSphere
  • Microsoft, Oracle

6
The Need For Web Services
  • Application integration within the enterprise
  • Application integration across enterprise
    boundaries
  • customers
  • partners
  • suppliers

7
A Tourism Supply Chain
Hotel
Hotel
Tourists
Tour Operator
Car Rental
Car Rental
Without WSS - coarse-grained protection
provided by firewalls - SSL provides
point-to-point encryption and
authentication
Hotel
Anyone may call
RoomRentInfoForAll()
With WSS - fine grained security decisions
Restricted callers
RoomRentInfoForPartnersOnly()
8
Service Oriented Architecture
SOAP over HTTP
SOAP Server
Hotel
RoomRentInfoForAll()
RoomRentInfoForPartnersOnly()
9
Listing 1 SOAP Request
POST /Vendors HTTP/1.1Host www.myHotel.comConte
nt-Type text/xmlCharsetutf-8Content-Length
350SOAPACtion"" lt?xml version'1.0'?gt  
ltSOAP-ENVEnvelope       xmlnsSOAP-ENV'http//s
chemas.xmlsoap.org/soap/envelope/' gt     
ltSOAP-EnvBodygt         ltsGetSpecialDiscountedBo
okingForPartners             xmlnss'http//www.
MyHotel.com/partnerservice/' gt        
lt!--Parameters passed with the method
call--gt         lt/sGetSpecialDiscountedBookingFo
rPartnersgt      lt/SOAP-EnvBodygt
lt/SOAP-EnvEnvelopegt
10
Listing 2 SOAP Response
HTTP/1.0 200 OKContent-Type text/xml
charsetutf-8Content-Length 1474lt?xml
version"1.0"gtltSOAP-ENVEnvelope   
xmlnsSOAP-ENV'http//schemas.xmlsoap.org/soap/en
velope/' gt   ltSOAP-ENVBodygt     
ltmGetSpecialDiscountedBookingForPartnersResponse
         xmlnsm"http//www.MyHotel.com/partnerse
rvice/" gt           lt!-- Booking
confirmation details--gt      lt/mGetSpecialDiscou
ntedBookingForPartnersResponsegt  
lt/SOAP-ENVBodygtlt/SOAP-ENVEnvelopegt
11
1st Generation Web Services

SOAP Server
Hotel Class
RDBMS
SOAP Client
12
2ND Generation Web Services

SOAP Server
Hotel Class
RDBMS
SOAP Server
Tour Planning Class
SOAP Client
13
3RD Generation Web Services

SOAP Server
Plane Class
RDBMS
SOAP Server
Hotel Class
RDBMS
WS-Transaction/WS-Security
SOAP Server
Tour Planning Class
SOAP Client
SOAP Server
Tour Planning Class
14
WS Security

SOAP Server
Hotel Class
RDBMS
SOAP Client
  • SOAP Server (SOAP Aware Firewall)
  • inspect SOAP message
  • match user roles with access lists
  • XML Signature (not SOAP specific)
  • XML Encryption (not SOAP specific)
  • WSS (SOAP specific use of XMLEnc and XMLDsig)
  • Security Access Markup Language (SAML) for
  • single sign on replacing HTTP cookies
  • XACML (extensible Access Control Markup
    Language)
  • to express authorization and access policies

15
XML SignatureAn IETF/W3C Recommendation

16
XML Digital Signatures
  • First, some fundamental ideas
  • Message Digest
  • -message m digest algorithm da -gt
  • hash value h hda(m)
  • -impossible to go from h(m) back to m
  • -very hard to find m so that hda(m)
  • h(m)
  • Alice transmits (da,m,h(m)) triple.
  • Very useful for checking if errors occurred
    during transmission

17
XML Digital Signatures
  • Problem
  • Mallory might replace the message, hash value
    pair with her own message, hash value pair. She
    has access to
  • digest algorithms just like everyone else. Bob
    checks the arriving triple and everything looks
    great. No errors during transmission?

18
XML Digital Signatures
  • Solution Get a secret key involved in the
    calculation
  • of the hash.
  • Given a message m, compute a hash of m. h
    hda(m).
  • Alice encrypts the hash with a private
  • key. E Epriv(h).
  • Alice Transmit (da,m,E).
  • Mallory doesnt know the private key.
  • Bob verifies by decrypting E using the
    secret key
  • (which he shares with Alice). He now has h
    which he
  • compares with his own hash of m using the
    same
  • digest algorithm. If they are equal he has
    good reason to
  • believe that m was from Alice and that it
    has not been
  • manipulated by Mallory.

19
What Are XML Signatures?
  • XML Signatures are digital signatures used in XML
    transactions
  • May be used to sign only a portion of an XML
    document. The document might have a long history
    with different parts holding different signatures
  • The signature may apply to XML or non-XML data

20
Referencing What is Signed
  • An XML Signature can be used to sign a message
    outside of the document itself.
  • Or, it can be used to sign parts of the document
    itself.

21
XMLDsig General Form
The Components of an XML Signature
                                                  
                                                  
            
22
The ltReferencegt Element
  • Each signed resource is specified with a
    ltReferencegt element
  • A typical ltReferencegt element will contain
  • - a pointer to what is signed
  • - a digest method (for example
  • SHA1)
  • - and a digest value of the message
  • in base 64 notation

23
The ltReferencegt Element
This is the location of the document being signed.
  • ltReference URI http//.../po.xmlgt
  • ltDigestMethodgt.lt/DigestMethodgt
  • ltDigestValuegt calculated digest of
  • po.xml
  • lt/DigestValuegt
  • lt/Referencegt

24
We may have many references
  • ltReferencegt
  • pointer, digest
    method, digest value
  • lt/Referencegt
  • ltReferencegt
  • pointer, digest
    method, digest value
  • lt/Referencegt

25
Place Within a SignedInfo Element
  • ltSignedInfogt
  • ltCanonicalizationMethodgt algorithm used
    on

  • SignedInfo

  • element
  • ltSignatureMethodgt for example dsa-sha1
  • ltReferencegt
  • pointer, digest
    method, digest value
  • lt/Referencegt
  • ltReferencegt
  • pointer, digest
    method, digest value
  • lt/Referencegt
  • lt/SignedInfogt

26
Compute Digest of SignedInfo
  • ltSignedInfogt
  • ltCanonicalizationMethodgt algorithm used
    on

  • SignedInfo element
  • ltSignatureMethodgt for example dsa-sha1
  • ltReferencegt
  • pointer, digest
    method, digest value
  • lt/Referencegt
  • ltReferencegt
  • pointer, digest
    method, digest value
  • lt/Referencegt
  • lt/SignedInfogt

27
Sign the digest and place value in a
SignatureValue element
  • ltSignedInfogt
  • ltCanonicalizationMethodgt algorithm used
    on SignedInfo

  • element
  • ltSignatureMethodgt for example dsa-sha1
  • ltReferencegt
  • pointer, digest
    method, digest value
  • lt/Referencegt
  • ltReferencegt
  • pointer, digest
    method, digest value
  • lt/Referencegt
  • lt/SignedInfogt
  • ltSignatureValuegtBase 64 signature of the
    SignedInfo Element m.
  • Epriv(hda(m))
  • lt/SignatureValuegt

28
Enclose in a Signature Element
ltSignaturegt
  • ltSignedInfogt
  • ltCanonicalizationMethodgt algorithm used
    on SignedInfo

  • element
  • ltSignatureMethodgt for example dsa-sha1
  • ltReferencegt
  • pointer, method,
    digest value
  • lt/Referencegt
  • ltReferencegt
  • pointer, method,
    digest value
  • lt/Referencegt
  • lt/SignedInfogt
  • ltSignatureValuegtSignature in Base 64
  • lt/SignatureValuegt

lt/Signaturegt
29
We may include KeyInfo
ltSignaturegt
  • ltSignedInfogt
  • ltCanonicalizationgt
  • ltSignatureMethodgt
  • ltReferencegt
  • ltReferencegt
  • lt/SignedInfogt
  • ltSignatureValuegtBase 64 signature of the
    SignedInfo Element
  • lt/SignatureValuegt
  • ltKeyInfogt
  • ltX509Datagt
  • ltX509SubjectNamegtCNCristina
    McCarthy, OCMU,
  • ltX509Certificategt base 64 public
    key and identity signed by a CA
  • lt/X509Certificategt
  • lt/X509Datagt
  • lt/KeyInfogt

lt/Signaturegt
30
What Can Mallory Do?
  • Can she modify the CA signed certificate so that
    someone else appears to have signed the document?
  • Can she modify what is being pointed by the
    reference element?
  • Can she change the canonicalization method?
  • Can she change the contents of the signature
    method tag?

31
Verification
  • 1. Canonicalize the SignedInfo element.
  • 2. Compute the digest of the SignedInfo
  • element using the method described within it
  • 3. Compare the above value with that value
  • got from applying the shred secret (or
    signers public key) to the value in the
    SignatureValue element
  • 4. Compute digests of referenced items (after any
  • transformations) and compare those digests
  • found within each reference tag

32
XML Security Tools Abound
33
Sign a grade book
  • Gradebook.xml
  • lt?xml version"1.0" encoding"UTF-8"?gt
  • ltGradeBookgt
  • ltStudentgt
  • ltScoregt100lt/Scoregt
  • ltScoregt89lt/Scoregt
  • lt/Studentgt
  • lt/GradeBookgt

34
We need keys
  • D\..\95-804\IBMXMLSecuritySuite\SampleSign2gt
  • keytool -genkey -keyalg RSA -keystore
    test.keystore
  • -dname "CNMike McCarthy, OUHeinz School,
  • OCMU, LPgh, SPA, CUS" -alias mjm
  • -storepass sesame -keypass sesame

Creates test.keystore holding keys and a
self-signed certificate
35
Run XSS4Js SampleSign2
  • D\...\95-804\IBMXMLSecuritySuite\
  • SampleSign2gtjava SampleSign2 mjm
  • sesame sesame
  • -embxml gradebook.xml gt signature.xml
  • Key store test.keystore
  • Sign 851ms

36
Examine Signature.xml
  • ltSignature xmlns"http//www.w3.org/2000/09/xmldsi
    g"gt
  • ltSignedInfogt
  • ltCanonicalizationMethod Algorithm"http//www.
    w3.org/TR/2001/REC-xml-c14n-20010315"gtlt/Canonicali
    zationMethodgt
  • ltSignatureMethod Algorithm"http//www.w3.org/
    2000/09/xmldsigrsa-sha1"gtlt/SignatureMethodgt

37
We are signing resource 0
Transforms Prior to hashing
  • ltReference URI"Res0"gt
  • ltTransformsgt
  • ltTransform Algorithm
  • "http//www.w3.org/TR/2001/REC-xm
    l-

  • c14n-20010315"gt
  • lt/Transformgt
  • lt/Transformsgt
  • ltDigestMethod
    Algorithm"http//www.w3.org/2000/09/xmldsigsha1"
    gt
  • lt/DigestMethodgt
  • ltDigestValuegtm6f9xhOc4iEXokD/29V9EsdY3yI
  • lt/DigestValuegt
  • lt/Referencegt

38
  • lt/SignedInfogt
  • ltSignatureValuegt
  • Gll1H/uplOwfaX3j7ST6UqQlc92Hx2nsCdN2KWz32CW0
    D4hH64n32v/InkGux1dYgTya6S4s55iHqZEjDpH2I359H4PAxB
    YYXJj4LUBNxAFxUcDy6xrEUbLnKeutT5pf1DBSmxg9Cp3PO5Rs
    36nVN8GVfnFl1M86WQd19/RsAnA
  • lt/SignatureValuegt

39
  • ltKeyInfogt
  • ltKeyValuegt
  • ltRSAKeyValuegt
  • ltModulusgt
  • 7V5eyhVaw0clED11H6PTPoKQA1VxrLAugU3QxKA0hbb
    UOiavFbqCdc6ZFe9JZFMkS
  • IqdlkhwWwdAIsRyrN4V2DWm1fxyYQf6bdZgCaV
    VgkST1BpQxBTgNKRcS5VbLrXf
  • 4MXb5TbhAeo1Qbr2IjlV10aLbVhUk/gylagk
  • lt/Modulusgt
  • ltExponentgtAQABlt/Exponentgt
  • lt/RSAKeyValuegt
  • lt/KeyValuegt

40
  • ltX509Datagt
  • ltX509IssuerSerialgt
  • ltX509IssuerNamegtCNMike
  • McCarthy,OUHeinz
  • School,OCMU,LPgh,STPA,CUS
  • lt/X509IssuerNamegt
  • ltX509SerialNumbergt1049138061
  • lt/X509SerialNumbergt
  • lt/X509IssuerSerialgt
  • ltX509SubjectNamegtCNMike
    McCarthy,OUHeinz
  • School,OCMU,LPgh,STPA,CUS
  • lt/X509SubjectNamegt
  • ltX509Certificategt

41
  • MIICPDCCAaUCBD6Ik40wDQYJKoZIhvcNAQEEBQAwZTELMAkGA
  • UEBhMCVVMxCzAJBgNVBAgTAlBBMQwwCgYDVQQHEwNQZ2gx
  • DAKBgNVBAoTA0NNVTEVMBMGA1UECxMMSGVpbnogU2Nob29s
  • RYwFAYDVQQDEw1NaWtlIE1jQ2FydGh5MB4XDTAzMDMzMTE5M
  • QyMVoXDTAzMDYyOTE5MTQyMVowZTELMAkGA1UEBhMCVVMx
  • zAJBgNVBAgTAlBBMQwwCgYDVQQHEwNQZ2gxDDAKBgNVBAoT
  • 0NNVTEVMBMGA1UECxMMSGVpbnogU2Nob29sMRYwFAYDVQQ
  • Ew1NaWtlIE1jQ2FydGh5MIGfMA0GCSqGSIb3DQEBAQUA
  • A4GNADCBiQKBgQDtXl7KFVrDRyUQPXUfo9MgpADVXGssC6BT
  • DEoDSFttQ6Jq8VuoJ1zpn4V70lkUyRIip2X6SHBbB34AixHKs3
    hXYN
  • bV/7HJhB/pt1mAJpVWCRJPUGlDEFOA0pFxLlVsutd/gxdvl
  • NuED56jVBuvYiOVXXRottWFSTD7KVqD6QIDAQABMA0GCSqG
  • 3DQEBBAUAA4GBAMpUaA8Cw8mKQn408KuV4xrTciEEcTLNniDGn
  • 8d9W1fR4veqhKz8L88864bNS5Wih1oEC5k/da23QicpTdXf
    UyA1c
  • 9Zu3cGU4ulUfhFPWv0IgdpI63KQt9QwsuTxWck5dAta2KWWTv
    85I
  • ByHXgoaDlvJ65JjT87nAPAI3

42
The resource 0 object
  • lt/X509Certificategt
  • lt/X509Datagt
  • lt/KeyInfogt
  • ltdsigObject xmlns""

  • xmlnsdsig"http//www.w3.org/2000/09/xmldsig"
  • Id"Res0"gt
  • ltGradeBookgt
  • ltStudentgt
  • ltScoregt100lt/Scoregt
  • ltScoregt89lt/Scoregt
  • lt/Studentgt
  • lt/GradeBookgt
  • lt/dsigObjectgt
  • lt/Signaturegt

43
Lets change the low grade!
  • ltdsigObject xmlns"" xmlnsdsig"http//www.w3.o
    rg/2000/09/xmldsig" Id"Res0"gt
  • ltGradeBookgt
  • ltStudentgt
  • ltScoregt100lt/Scoregt
  • ltScoregt100lt/Scoregt
  • lt/Studentgt
  • lt/GradeBookgtlt/dsigObjectgt

44
And run verify
  • D\McCarthy\www\95-804\IBMXMLSecuritySuite\SampleS
    ign2gtjava VerifyCUI lt signature.xml
  • The signature has a KeyValue element.
  • The signature has one or more X509Data elements.
  • Checks an X509Data
  • 1 certificate(s).

45
Certificate Information Version 1
Validity OK SubjectDN CNMike
McCarthy, OUHeinz School, OCMU, LPgh,
STPA, CUS IssuerDN CNMike McCarthy,
OUHeinz School, OCMU, LPgh, STPA,
CUS Serial 0x3e88938d Time to verify
521 msec Core Validity NG Signature Validity
OK 0 "Res0" NG Digest value mismatch
calculated tfVyHns8wRB6l/HDU2dXZkzf7Q Exceptio
n in thread "main" java.lang.RuntimeException
Core Validity NG at dsig.VerifyCUI.main(
VerifyCUI.java137)
46
Another Example PO.XML
  • lt?xml version"1.0" encoding"UTF-8"?gt
  • ltPurchaseOrder xmlns"urnpurchase-order"gt
  • ltCustomergt
  • ltNamegtRobert Smithlt/Namegt
  • ltCustomerIdgt788335lt/CustomerIdgt
  • lt/Customergt
  • ltItem partNum"C763"gt
  • ltProductIdgt6883-JF3lt/ProductIdgt
  • ltQuantitygt3lt/Quantitygt
  • ltShipDategt2002-09-03lt/ShipDategt
  • ltNamegtThinkPad X20lt/Namegt
  • lt/Itemgt
  • lt/PurchaseOrdergt

47
PO After Signing
  • lt?xml version'1.0' encoding'UTF-8'?gt
  • ltSignedPurchaseOrdergt
  • ltPurchaseOrder id"id0" xmlns"urnpurchase-o
    rder"gt
  • ltCustomergt
  • ltNamegtRobert Smithlt/Namegt
  • ltCustomerIdgt788335lt/CustomerIdgt
  • lt/Customergt
  • ltItem partNum"C763"gt
  • ltProductIdgt6883-JF3lt/ProductIdgt
  • ltQuantitygt3lt/Quantitygt
  • ltShipDategt2002-09-03lt/ShipDategt
  • ltNamegtThinkPad X20lt/Namegt
  • lt/Itemgt
  • lt/PurchaseOrdergt

48
  • ltSignature xmlns"http//www.w3.org/2000/09/xmldsi
    g"gt
  • ltSignedInfogt
  • ltCanonicalizationMethod Algorithm"http//www
    .w3.org/TR/2001/REC-xml-c14n-20010315"/gt
  • ltSignatureMethod Algorithm"http//www.w3.org/
    2000/09/xmldsigrsa-sha1"/gt
  • ltReference URI"id0"gt
  • ltDigestMethod Algorithm"http//www.w3.org/2
    000/09/xmldsigsha1"/gt
  • ltDigestValuegtUfeiscUCL7QkhZtRDLWDPWLpVlAlt/D
    igestValuegt
  • lt/Referencegt
  • lt/SignedInfogt

49
  • ltSignatureValuegt
  • Ptysg8WdHI2mxwryOOt5I9r9qZm/2gNFNOJyH1Wak4nCUe
    gRpe72tWnsigAKZyopmgUSH3TG
  • aGGQF1BTSvk3JUUY/ljrw5FpTpf3hgZBi7GSWf6WtXqZvM
    YGUKIlvR/421MZg7P9XRUyy37
  • ZUzQHtmCYkBorEkEx1J4CYB0G2c
  • lt/SignatureValuegt

50
  • ltKeyInfogt
  • ltX509Datagt
  • ltX509Certificategt
  • MIIDGjCCAoOgAwIBAgICAQAwDQYJKoZIhvcNAQEFBQ
    AwXzELMAkGA1UEBhMCSlAxETAPBgNVBAgT
  • CEthbmFnYXdhMQ8wDQYDVQQHEwZZYW1hdG8xDDAKBg
    NVBAoTA0lCTTEMMAoGA1UECxMDVFJMMRAw
  • DgYDVQQDEwdUZXN0IENBMB4XDTAxMTAwMTA3MTYxMF
    oXDTExMTAwMTA3MTYxMFowUDELMAkGA1UE
  • BhMCSlAxETAPBgNVBAgTCEthbmFnYXdhMQwwCgYDVQ
    QKEwNJQk0xDDAKBgNVBAsTA1RSTDESMBAG
  • A1UEAxMJU2lnbmF0dXJlMIGfMA0GCSqGSIb3DQEBAQ
    UAA4GNADCBiQKBgQCvnFQiPEJnUZnkmzoc
  • MjsseD8ms9HBgasZR0VOAvsby5aajsm9CtB18dDCem
    DXZ2YjBdprXepfF4SLNP5ankfphhr9QXA
  • NJdCKpyF3jPoydckle7E7gI9w3Q4NDa4ryVOuIS2q
    ev6jlE7OVPqiXIDVlCH4u6GbIoJEpJ57yzx
  • dQIDAQABo4HzMIHwMAkGA1UdEwQCMAAwCwYDVR0PBAQ
    DAgXgMCwGCWCGSAGGEIBDQQfFh1PcGVu
  • U1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ
    4EFgQUYapFv9MvQ9NNn1Q7zgzqka4XORsw
  • gYgGA1UdIwSBgDBgBR7FuT9bLBj3vVsgAzIeYa4hB
    UZBaFjpGEwXzELMAkGA1UEBhMCSlAxETAP
  • BgNVBAgTCEthbmFnYXdhMQ8wDQYDVQQHEwZZYW1hdG
    8xDDAKBgNVBAoTA0lCTTEMMAoGA1UECxMD
  • VFJMMRAwDgYDVQQDEwdUZXN0IENBggEAMA0GCSqGSI
    b3DQEBBQUAA4GBALFzGDXMzxJvOnCdJCMZ
  • 2NsZdz1wmoYyejB5J6Ch2ygdPeibMnW/CiYKCTWBh
    pEgxEqr1BNlgSVqA6nyvjHsVIvgBfwx37D
  • hJ5hz4azpWu1X22XqyU9fUqoQUtEAdM/MlLekBkprk
    JVb9uJXTFzzvm/3DoEiBkX/BT78YdM8eq0

51
Web Service Security
  • Describes how XMLDSig is used within the web
    service framework.
  • SOAP Headers are used to hold the signature

52
SOAP
  • ltEnvelopegt
  • ltHeadergt WS- specifications
  • are placed in the
  • header area and will be
  • lt/Headergt handles by intermediaries
  • ltBodygt
  • Message payload
    including
  • fault messages
  • lt/Bodygt as well-formed XML.
  • lt/Envelopegt

53
WSS XMLDSig Listing 1
  • lt?xml version1.0?gtltSOAP-ENVEnvelope    x
    mlns
  • SOAP-ENVhttp//schemas.xmlsoap.org/soap/e
    nvelope/gt    ltSOAP-ENVBodygt        ltsGetSpeci
    alDiscountedBookingForPartners            xmlnss
    http//www.MyHotel.com/partnerservice/gt       
              lt!--Parameters passed with the method
    call--gt         lt/sGetSpecialDiscountedBookingFo
    rPartnersgt    lt/SOAP-ENVBodygtlt/SOAP-ENVEnvelop
    egt

From Web Services Security, Bilal Siddiqui
54
Sign The SOAP Request
  • lt?xml version1.0?gtltSOAP-ENVEnvelope    
    xmlnsSOAP-ENVhttp//schemas.xmlsoap.org/soap/en
    velope/    xmlnsdshttp//www.w3.org/2000/09/x
    mldsiggt    ltSOAP-ENVHeadergt        ltdsSigna
    turegt lt! wraps all other XMLDS
    elements?             ltdsSignedInfogt
    lt! note the ds prefix ?             lt/dsSignedI
    nfogt lt! note three children of signedInfo
    ?             ltdsSignatureValuegt             lt/
    dsSignatureValuegt             ltdsKeyInfogt     
            lt/dsKeyInfogt        lt/dsSignaturegt    
    lt/SOAP-ENVHeadergt    ltSOAP-ENVBodygt        lts
    GetSpecialDiscountedBookingForPartners          
      xmlnsshttp//www.MyHotel.com/partnerservice/
    gt                 lt!--Parameters passed with the
    method call--gt         lt/sGetSpecialDiscountedBo
    okingForPartnersgt    lt/SOAP-ENVBodygtlt/SOAP-ENV
    Envelopegt

55
After Signing (1)
lt?xml version1.0?gtltSOAP-ENVEnvelope    xmlns
SOAP-ENVhttp//schemas.xmlsoap.org/soap/envelop
e/    xmlnsdshttp//www.w3.org/2000/09/xmldsi
ggt    ltSOAP-ENVHeadergt        ltdsSignaturegt
             ltdsSignedInfogt                 
ltdsCanonicalizationMethod                     
Algorithm"http//www.w3.org/2001/10/xml-exc-c14n
"/gt                  ltdsSignatureMethod        
              Algorithm"http//www.w3.org/2000/09
/xmldsigrsa-sha1"/gt                 
ltdsReference URI"GetSpecialDiscountedBookingFor
Partners"gt                     
ltdsTransformsgt                         
ltdsTransform                             
Algorithm"http//www.w3.org/2001/10/xml-exc-c14n
"/gt                      lt/dsTransformsgt       
              
56
After Signing (2)
ltdsDigestMethod             
             Algorithm"http//www.w3.org/2000/09/
xmldsigsha1"/gt                     
ltdsDigestValuegt                         
BIUddkjKKo2...                     
lt/dsDigestValuegt                 
lt/dsReferencegt             lt/dsSignedInfogt    
         ltdsSignatureValuegt                 halH
Jghyf765....             lt/dsSignatureValuegt   
          ltdsKeyInfogt lt! the key name for
signature verification ?                 ltdsKeyN
amegtMyKeyIdentifierlt/dsKeyNamegt             lt/ds
KeyInfogt lt! application dependent, perhaps
a symmetric key ID?         lt/dsSignaturegt    lt
/SOAP-ENVHeadergt
57
After Signing (3)
    ltSOAP-ENVBodygt        ltsGetSpecialDiscounte
dBookingForPartners            xmlnsshttp//ww
w.MyHotel.com/partnerservice/            ID"Get
SpecialDiscountedBookingForPartners"gt            
     lt!--Parameters passed with the method
call--gt         lt/sGetSpecialDiscountedBookingFo
rPartnersgt    lt/SOAP-ENVBodygtlt/SOAP-ENVEnvelo
pegt
58
Validation Procedure
  • (1) Canonicalize the SignedInfo element.
  • (2) Check message integrity. Well need
  • a. the data to be digested
  • b. any transforms to perform first
  • c. the digest algorithm
  • (3) If the digests compare equal verify the
  • signature (continued)

59
Validation Procedure
  • (3) If the digests compare equal verify the
  • signature
  • a. get the signers key (public key or
  • shared secret) perhaps by consulting
  • the ltkeyInfogt element.
  • b. read the signature method used to
  • compute the signature
  • c. Attempt to verify and if we have a match
    call
  • GetSpecialDiscountedBookingForPartners

60
XML Encryption Web Service Security
61
XML Encryption
  • W3C Recommendation 10 December 2002
  • JSR 105 XMLDSig proposed final draft
  • JSR 106 XMLEnc is in progress
  • JWSDP1.5 supports Web Services Security V1.0
  • .Net supports XMLEnc out of the box
  • Some notes from
  • http//www-106.ibm.com/developerworks/library/x-e
    ncrypt/index.html
  • by Bilal Siddiqui
  • And Secure XML by Eastlake and Niles
    Addison Wesley

62
General Form 1
  • ltEncryptedDatagt
  • ltCipherDatagt
  • ltCipherValuegt
  • cipher text in Base 64
  • lt/CipherValuegt
  • lt/CipherDatagt
  • lt/EncryptedDatagt

63
General Form 2
  • ltEncryptedDatagt
  • ltCipherDatagt
  • ltCipherReferencegt
  • pointer (URL) to cipher
  • text
  • lt/CipherReferencegt
  • lt/CipherDatagt
  • lt/EncryptedDatagt

64
EncryptedData is the core element
  • Replaces the encrypted element or
  • Serves as the new document root
  • May contain a KeyInfo element that describes the
    key needed for decryption (borrowed from XML
    Digital Signature) or
  • signature verification

65
General Example (1)
  • ltMedInfogt
  • ltIDgt
  • ltNamegt
  • ltAddressgt
  • lt/IDgt
  • ltMedicalgtlt/Medicalgt
  • ltFinancialgtlt/Financialgt
  • lt/MedInfogt

66
General Example (2)
  • ltMedInfogt
  • ltIDgt.lt/IDgt
  • ltEncryptedDatagt
  • ltKeyInfogt
  • ltKeyNamegtMedical
  • lt/KeyInfogt
  • ltCipherDatagt
  • ltCipherValuegt cipher text
  • lt/EncryptedDatagt

67
General Example (3)
  • ltFinancialgt
  • ltEncryptedDatagt
  • ltKeyInfogt
  • ltKeyNamegtPay
  • lt/KeyInfogt
  • ltCipherDatagt
  • ltCipherValuegt cipher text
  • lt/EncryptedDatagt
  • lt/Finacialgt
  • lt/MedInfogt

68
Detailed Example (Listing 1)
  • ltpurchaseOrdergt
  • ltOrdergt
  • ltItemgtbooklt/Itemgt
  • ltIdgt123-958-74598lt/Idgt
  • ltQuantitygt12lt/Quantitygt
  • lt/Ordergt
  • ltPaymentgt
  • ltCardIdgt123654-8988889-9996874lt/CardI
    dgt
  • ltCardNamegtvisalt/CardNamegt
  • ltValidDategt12-10-2004lt/ValidDategt
  • lt/Paymentgt
  • lt/purchaseOrdergt

69
Encrypting the Entire File (Listing 2)
  • lt?xml version'1.0' ?gt
  • ltEncryptedData xmlns'http//www.w3.org/2001/04/xm
    lenc' Type'http//www.isi.edu/in-notes/iana/assi
    gnments/media-types/text/xml'gt
  • ltCipherDatagt
  • ltCipherValuegtbd347balt/CipherValuegt
  • lt/CipherDatagt
  • lt/EncryptedDatagt

IANA Internet Assigned Numbers Authority a
function of The Internet Corporationfor
Assigned Names and Numbers
70
Encrypting The Payment (Listing 3)
  • lt?xml version'1.0' ?gt
  • ltPurchaseOrdergt
  • ltOrdergt
  • ltItemgtbooklt/Itemgt
  • ltIdgt123-958-74598lt/Idgt
  • ltQuantitygt12lt/Quantitygt
  • lt/Ordergt
  • ltEncryptedData
  • Type'http//www.w3.org/2001/04/xm
    lencElement'
  • xmlns'http//www.w3.org/2001/04/
    xmlenc'gt
  • ltCipherDatagt
  • ltCipherValuegtA23B45C564587lt
    /CipherValuegt
  • lt/CipherDatagt
  • lt/EncryptedDatagt
  • lt/PurchaseOrdergt

One element
71
Encrypting Only the CardId (Listing 4)
  • lt?xml version'1.0' ?gt
  • ltPurchaseOrdergt
  • ltOrdergt
  • ltItemgtbooklt/Itemgt
  • ltIdgt123-958-74598lt/Idgt
  • ltQuantitygt12lt/Quantitygt
  • lt/Ordergt
  • ltPaymentgt
  • ltCardIdgt
  • ltEncryptedData
  • Type'http//www.w3.org/2001/04/x
    mlencContent'
  • xmlns'http//www.w3.o
    rg/2001/04/xmlenc'gt
  • ltCipherDatagt
  • ltCipherValuegtA23B45C564587lt
    /CipherValuegt
  • lt/CipherDatagt
  • lt/EncryptedDatagt
  • lt/CardIdgt
  • ltCardNamegtvisalt/CardNamegt
  • ltValidDategt12-10-2004lt/CardNamegt

Element content
72
Encrypting Non-XML Data (Listing 5)
  • lt?xml version'1.0' ?gt
  • ltEncryptedData xmlns'http//www.w3.org/2001/04/xm
    len'
  • Type'http//www.isi.edu/in-notes/iana/assig
    nments/media-types/jpeg' gt
  • ltCipherDatagt
  • ltCipherValuegtA23B45C56lt/CipherVal
    uegt
  • lt/CipherDatagt
  • lt/EncryptedDatagt

73
Web Services SecurityUsing Suns Application
Server
74
No Security SOAP Going to Service
Running the simple.TestClient program....
Service URLhttp//localhost8080/securesimp
le/Ping About to ping Apr 9, 2005
101752 AM com.sun.xml.wss.filter.DumpFilter
process INFO Sending Message Start
lt?xml version"1.0"
encoding"UTF-8"?gt ltenvEnvelope
xmlnsenv"http//schemas.xmlsoap.org/soap/envelop
e/"
xmlnsenc"http//schemas.xmlsoap.org/soap/encodin
g/"
xmlnsns0"http//xmlsoap.org/Ping"
xmlnsxsd"http//www.w3.org/2001
/XMLSchema"
xmlnsxsi"http//www.w3.org/2001/XMLSchema-instan
ce"gt ltenvBodygt ltns0Pinggt
ltns0ticketgtSUNWlt/ns0ticketgt
ltns0textgtHello!lt/ns0textgt lt/ns0Pinggt
lt/envBodygt lt/envEnvelopegt
75
SOAP Response
lt?xml version"1.0" encoding"UTF-8"?gt
ltenvEnvelope xmlnsenv"http//schemas.xmlso
ap.org/soap/envelope/"
xmlnsenc"http//schemas.xmlsoap.org/soap/en
coding/"
xmlnsns0"http//xmlsoap.org/Ping"
xmlnsxsd"http//www.w3.org/200
1/XMLSchema"
xmlnsxsi"http//www.w3.org/2001/XMLSchema-instan
ce"gt ltenvBodygt
ltns0PingResponsegt ltns0textgtHello!
Mike!lt/ns0textgt lt/ns0PingResponsegt
lt/envBodygt lt/envEnvelopegt
Ping complete
76
Configure The Client to Encrypt
ltxwssJAXRPCSecurity xmlnsxwss"http//java.sun.c
om/xml/ns/xwss/config"gt ltxwssServicegt
ltxwssSecurityConfiguration dumpMessages"true"gt
lt!-- Since no targets
have been specified below, the contents of
the soap body would be encrypted by
default. --gt
ltxwssEncryptgt ltxwssX509Token
certificateAlias"s1as"/gt
lt/xwssEncryptgt lt/xwssSecurityConfigurati
ongt lt/xwssServicegt ltxwssSecurityEnviron
mentHandlergt com.sun.xml.wss.sample.Securi
tyEnvironmentHandler lt/xwssSecurityEnvironmen
tHandlergt lt/xwssJAXRPCSecuritygt
77
Configure The Server To Require Encryption
ltxwssJAXRPCSecurity xmlnsxwss"http//java.sun.c
om/xml/ns/xwss/config"gt ltxwssServicegt
ltxwssSecurityConfiguration dumpMessages"true"gt
lt!-- Encryption
requirement. As no target is specified, the
contents of the soap body of the
request are expected to be encrypted.
--gt ltxwssRequireEncryption/gt
lt/xwssSecurityConfigurationgt
lt/xwssServicegt ltxwssSecurityEnvironmentHand
lergt com.sun.xml.wss.sample.SecurityEnviro
nmentHandler lt/xwssSecurityEnvironmentHandler
gt lt/xwssJAXRPCSecuritygt
78
Encrypted Request
lt?xml version"1.0" encoding"UTF-8"?gt
ltenvEnvelope xmlnsenv"http//schemas.xmls
oap.org/soap/envelope/"
xmlnsenc"http//schemas.xmlsoap.org/soap/
encoding/"
xmlnsns0"http//xmlsoap.org/Ping"
xmlnsxsd"http//www.w3.org/20
01/XMLSchema"
xmlnsxsi"http//www.w3.org/2001/XMLSchema-instan
ce"gt ltenvHeadergt
ltwsseSecurity xmlnswsse"http//docs.oasis-open.
org/wss/2004/01/oasis-200401-wss-wssecurity-secext
-1.0.xsd"
envmustUnderstand"1"gt
ltwsseBinarySecurityToken
xmlnswsu"http//docs.oasis-open.org/wss
/2004/01/oasis-200401-wss-wssecurity-utility-1.0.x
sd"
EncodingType"http//docs.oasis-open.org/wss/2004/
01/oasis-200401-wss-soap-message-security-1.0Base
64Binary"
ValueType"http//docs.oasis-open.org/wss/2004/01/
oasis-200401-wss-x509-token-profile-1.0X509v3"
wsuId"Id-684267331
2555922560"gtMIIDWTCCAsKgAwIBAgIBATANBgkqhki


G9w0BAQQFADB0MQswCQYDVQQGEw

Large truncation for slides

79
lt/wsseBinarySecurityTokengt
ltxencEncryptedKey xmlnsxenc"http//www.w3.org/2
001/04/xmlenc"gt
ltxencEncryptionMethod Algorithm"http//www.w3.or
g/2001/04/xmlencrsa-oaep-mgf1p"/gt
ltdsKeyInfo xmlnsds"http//www.w3.org/2000/09/xm
ldsig"gt ltwsseSecurityTokenRef
erencegt ltwsseReference
URI"Id-6842673312555922560"
ValueType"http//docs.oasis-open.org/wss
/2004/01/oasis-200401-wss-x509-token-profile-1.0X
509v3"/gt lt/wsseSecurityTokenR
eferencegt lt/dsKeyInfogt
ltxencCipherDatagt
ltxencCipherValuegtKB79tvoF6Bu7JeL2Re6iGG8

BhdhOFcZiNDJrJNe8lV3GE6
Sks453IF3GFpmkmQttPhzH1D

HKQ2nFjIWPdyZObK3cVyDf
rox7Ysjbfuo4TNwElHvKtnGVNb

cQIGWiwyxHIZCjqCdF8LM8E1
gCZgYSaRh3V48VMlOsfZ8RCR
Vjw
lt/xencCipherValuegt
lt/xencCipherDatagt
80
ltxencReferenceListgt
ltxencDataReference URI"Id7870285788177789579"/gt
lt/xencReferenceListgt
lt/xencEncryptedKeygt lt/wsseSecuritygt
lt/envHeadergt ltenvBodygt
ltxencEncryptedData xmlnsxenc"http//www.w3.org/
2001/04/xmlenc"
Id"Id7870285788177789579"
Type"http//www.w3.org/2001/04/xmlencContent"gt
ltxencEncryptionMethod
Algorithm
"http//www.w3.org/2001/04/xmlenctripledes-cb
c"/gt ltxencCipherDatagt
ltxencCipherValuegt

SL1G08bGFaqEOefJWtBpOipgkvs8i7JWNwoGum5TO

EyZkStSKav/lYygoC5/ji11rccnQWNq/Tg1eYX52UTalAS
Large
truncation for slides
lt/xencCipherValuegt
lt/xencCipherDatagt
lt/xencEncryptedDatagt lt/envBodygt
lt/envEnvelopegt
81
SOAP Response
lt?xml version"1.0"
encoding"UTF-8"?gt ltenvEnvelope
xmlnsenv
"http//schemas.xmlsoap.org/soap/envelope/"
xmlnsenc"http//schem
as.xmlsoap.org/soap/encoding/"
xmlnsns0"http//xmlsoap.org/Ping"

xmlnsxsd"http//www.w3.org/2001/XMLSchema"
xmlnsxsi"http//www.
w3.org/2001/XMLSchema-instance"gt
ltenvBodygt ltns0PingResponsegt
ltns0textgtHello! Mike!lt/ns0textgt
lt/ns0PingResponsegt lt/envBodygt
lt/envEnvelopegt
Write a Comment
User Comments (0)
About PowerShow.com