WS-Security: SOAP Message Security
Web-enhanced Information Management (WHIM)
Justin R. Wang Professor Kaiser
Web Service Security: SOAP Message Security
WS-Security History
-Many standards exist to secure web services.
-Microsoft, IBM and VeriSign submitted their security specification to the Organization for the Advancement of Structured Information Standards (OASIS).
-WS-Security is the leading web services standard for supporting, integrating and unifying multiple security models.
-Two levels at which a web service can be secured: HTTP (transport-level) message security, and XML message security (SOAP message-level security, which is what WS-Security specifies)
WS-Security: HTTP Message Security
Advantages
-Mature
-Supported by most servers and clients
-Well understood
-Simpler than message-level security
Disadvantages
-Point to point only: protection ends at each HTTP hop, so intermediaries see the plaintext
-Granularity: cannot apply different security to messages in and messages out
-Only applies to HTTP
WS-Security: XML Message Security
Advantages
-Allows the message to be self-protecting
-Selective: portions of the message can be secured to different parties
-Flexible: different security policies can be applied to request and response
-Transport independent
Disadvantages
-Immature standards and tools
-Complex: builds on many other standards, including XML Encryption, XML Signature, X.509 certificates and more
WS-Security: XML (SOAP) Message Security
Message Security Model: security tokens, combined with digital signatures, protect and authenticate SOAP messages passed between parties
Token References: tell the receiver where to retrieve a security token (or key) that is not carried inline in the message
Signatures: let the receiver detect whether the message was changed by someone else in transit, and confirm that it comes from the sender it expects
Encryption & Decryption: keep selected data confidential in transit, so that only the intended receiver can read it (encryption by itself does not prevent alteration; detecting that is the signature's job)
Time-Stamp: tells the receiver when the message was created and when it expires
Message Security Model
A security token is a collection of claims (such as a name or user ID). Two kinds protect the SOAP message: unsigned tokens (for example a username token) and signed tokens, which are asserted and cryptographically signed by an authority (for example an X.509 certificate or a Kerberos ticket).
Message Security Model: Security Header
Overview of the Security Header: the <wsse:Security> header carries the security information intended for one particular receiver, identified by the SOAP actor (SOAP 1.1) or role (SOAP 1.2) attribute.
-At the sender side, if a message must be processed by different receivers, it must carry multiple <wsse:Security> headers, one per target, and their actor or role values must differ (at most one header may omit the attribute).
-At the receiver side, a receiver must raise a fault if it cannot understand the security header or cannot process the content of the security tokens; it may also refuse a message that does not satisfy its own security policy.
Message Security Model: Security Token
There are three types of security tokens: Username Tokens, Binary Security Tokens and XML Tokens. A username token is carried as <wsse:UsernameToken> (Figure 3) and is optional in the security header; besides the username it may carry a password (clear text or digest), a nonce and a creation time.
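The following is an added example, not code from the slides, showing the <wsse:UsernameToken> with the PasswordDigest form defined by the OASIS Username Token Profile 1.0: the password never travels, only Base64(SHA-1(nonce + created + password)), and the receiver recomputes it from its own copy of the password. Only the Python standard library is used; the user name, password and fixed nonce are constructed test data, and the `passwords` dictionary stands in for whatever credential store a real service would consult.

```python
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
# Type / EncodingType URIs from the Username Token Profile 1.0 and SOAP Message Security 1.0.
PASSWORD_DIGEST = ("http://docs.oasis-open.org/wss/2004/01/"
                   "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
BASE64_BINARY = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-soap-message-security-1.0#Base64Binary")
ET.register_namespace("wsse", WSSE)
ET.register_namespace("wsu", WSU)


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Username Token Profile 1.0: Base64(SHA-1(nonce + created + password)).

    The nonce goes in as its raw bytes (not the Base64 text); created and password as UTF-8.
    """
    digest = hashlib.sha1(nonce + created.encode("utf-8") + password.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def build_username_token(username, password, nonce=None, created=None) -> str:
    """Sender: build <wsse:UsernameToken> with a PasswordDigest, a Nonce and wsu:Created."""
    nonce = os.urandom(16) if nonce is None else nonce
    created = created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    token = ET.Element(f"{{{WSSE}}}UsernameToken", {f"{{{WSU}}}Id": "UsernameToken-1"})
    ET.SubElement(token, f"{{{WSSE}}}Username").text = username
    password_el = ET.SubElement(token, f"{{{WSSE}}}Password", Type=PASSWORD_DIGEST)
    password_el.text = password_digest(nonce, created, password)
    nonce_el = ET.SubElement(token, f"{{{WSSE}}}Nonce", EncodingType=BASE64_BINARY)
    nonce_el.text = base64.b64encode(nonce).decode("ascii")
    ET.SubElement(token, f"{{{WSU}}}Created").text = created
    return ET.tostring(token, encoding="unicode")


def verify_username_token(token_xml: str, passwords: dict) -> bool:
    """Receiver: look up the user's password and recompute the digest.

    A matching digest only proves knowledge of the password. Freshness of Created and
    uniqueness of the Nonce must be enforced separately, as with the security time stamp.
    `passwords` is a hypothetical credential store (username -> password).
    """
    token = ET.fromstring(token_xml)
    username = token.findtext(f"{{{WSSE}}}Username")
    password_el = token.find(f"{{{WSSE}}}Password")
    nonce_b64 = token.findtext(f"{{{WSSE}}}Nonce")
    created = token.findtext(f"{{{WSU}}}Created")
    if (password_el is None or password_el.get("Type") != PASSWORD_DIGEST
            or nonce_b64 is None or created is None or username not in passwords):
        return False
    expected = password_digest(base64.b64decode(nonce_b64), created, passwords[username])
    return hmac.compare_digest(expected, password_el.text or "")


if __name__ == "__main__":
    # Constructed sample: fixed nonce and timestamp so the output is reproducible.
    sample = build_username_token("alice", "s3cret", nonce=b"\x01" * 16,
                                  created="2024-05-01T12:00:00Z")
    print(sample)
    print("valid:", verify_username_token(sample, {"alice": "s3cret"}))
    print("tampered Created:", verify_username_token(
        sample.replace("2024-05-01T12:00:00Z", "2024-05-01T12:00:01Z"), {"alice": "s3cret"}))
```

Because Created is an input to the digest, changing either the nonce or the timestamp on a captured token invalidates it, which is what makes the later replay check meaningful; a clear-text PasswordText token has no such binding and must rely entirely on transport encryption.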
Message Security Model: Security Token
Binary Security Tokens need a special encoding and carry two attributes: ValueType, indicating what kind of token is in the message (for example an X.509 certificate or a Kerberos ticket), and EncodingType, indicating how the binary token is encoded (for example Base64Binary).
Message Security Model: Security Token
XML tokens have two standards: Security Assertion Markup Language (SAML) and eXtensible rights Markup Language (XrML)
Token References: when a message refers to a security token or key that is not carried inline, the location the receiver must fetch it from is given in <wsse:SecurityTokenReference>
Four mechanisms:
-Direct Reference: a URI pointing at the token
-Key Identifier: a unique identifier of the referenced token
-Key Name: the name of the key or token
-Embedded Reference: the token itself, embedded inside the reference
Token Reference Examples
XML Signature
Why XML Signature? It provides data integrity and authentication in web service applications. It extends a traditional digital signature, which covers a whole document as one opaque blob, so that a sender who only needs to protect part of a message does not have to sign all of it. An XML Signature can also cover more than one resource, of more than one type, such as a JPEG image and an HTML page.
XML Signature Example
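As an added example (not code from the slides), the following signs only the <soapenv:Body> of a SOAP request and places the <ds:Signature> in a <wsse:Security> header, then verifies it the way a receiver should: recompute the Reference digest, check that the referenced wsu:Id really is the Body the service will act on, and recompute the MAC over the canonicalized <ds:SignedInfo>. To stay within the Python standard library it uses HMAC-SHA256 with a shared key and the C14N 2.0 canonicalizer shipped with Python 3.8+; production WS-Security stacks typically use Exclusive C14N and an RSA signature keyed by an X.509 BinarySecurityToken instead, but the structure and the checks are the same. The envelope, the key store and the key names are constructed for the example.

```python
import base64
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
DS = "http://www.w3.org/2000/09/xmldsig#"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
# Algorithm URIs placed in the ds:*Method elements. C14N 2.0 is what the stdlib
# canonicalizer implements; HMAC-SHA256 is a registered XML Signature algorithm.
C14N = "http://www.w3.org/2010/xml-c14n2"
HMAC_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"

for prefix, uri in (("soapenv", SOAP), ("ds", DS), ("wsse", WSSE), ("wsu", WSU),
                    ("m", "urn:example:bank")):
    ET.register_namespace(prefix, uri)

# Constructed sample request (not from the slides).
SAMPLE_ENVELOPE = (
    '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
    '<soapenv:Header/>'
    '<soapenv:Body><m:Transfer xmlns:m="urn:example:bank">'
    '<m:To>ACC-4711</m:To><m:Amount>100.00</m:Amount></m:Transfer></soapenv:Body>'
    '</soapenv:Envelope>'
)
# Hypothetical shared-key store, looked up by the ds:KeyName carried in the signature.
SHARED_KEYS = {"shared-key-1": b"constructed demo key one, 32 by!",
               "shared-key-2": b"constructed demo key two, 32 by!"}


def c14n(element) -> bytes:
    """Canonical octets of one element, detached from any tail text."""
    element = copy.deepcopy(element)
    element.tail = None
    return ET.canonicalize(ET.tostring(element, encoding="unicode")).encode("utf-8")


def b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def sign_body(envelope_xml: str, key_name: str) -> str:
    """Sender: add a wsse:Security header with a ds:Signature covering soapenv:Body."""
    root = ET.fromstring(envelope_xml)
    body = root.find(f"{{{SOAP}}}Body")
    body.set(f"{{{WSU}}}Id", "Body")                     # Reference URI="#Body" resolves here

    signed_info = ET.Element(f"{{{DS}}}SignedInfo")
    ET.SubElement(signed_info, f"{{{DS}}}CanonicalizationMethod", Algorithm=C14N)
    ET.SubElement(signed_info, f"{{{DS}}}SignatureMethod", Algorithm=HMAC_SHA256)
    reference = ET.SubElement(signed_info, f"{{{DS}}}Reference", URI="#Body")
    ET.SubElement(reference, f"{{{DS}}}DigestMethod", Algorithm=SHA256)
    ET.SubElement(reference, f"{{{DS}}}DigestValue").text = b64(hashlib.sha256(c14n(body)).digest())

    signature = ET.Element(f"{{{DS}}}Signature")
    signature.append(signed_info)
    mac = hmac.new(SHARED_KEYS[key_name], c14n(signed_info), hashlib.sha256).digest()
    ET.SubElement(signature, f"{{{DS}}}SignatureValue").text = b64(mac)
    key_info = ET.SubElement(signature, f"{{{DS}}}KeyInfo")
    ET.SubElement(key_info, f"{{{DS}}}KeyName").text = key_name   # "key name" token reference

    header = root.find(f"{{{SOAP}}}Header")
    if header is None:                                   # an empty Header element is falsy, so test None
        header = ET.Element(f"{{{SOAP}}}Header")
        root.insert(0, header)
    ET.SubElement(header, f"{{{WSSE}}}Security").append(signature)
    return ET.tostring(root, encoding="unicode")


def verify_body_signature(envelope_xml: str) -> bool:
    """Receiver: recompute the Body digest and the MAC over SignedInfo; both must match."""
    root = ET.fromstring(envelope_xml)
    signature = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security/{{{DS}}}Signature")
    if signature is None:
        return False
    signed_info = signature.find(f"{{{DS}}}SignedInfo")
    reference = signed_info.find(f"{{{DS}}}Reference") if signed_info is not None else None
    if reference is None:
        return False
    # Pin the algorithms: the message must not get to choose weaker ones than the receiver expects.
    methods = [signed_info.find(f"{{{DS}}}CanonicalizationMethod"),
               signed_info.find(f"{{{DS}}}SignatureMethod"),
               reference.find(f"{{{DS}}}DigestMethod")]
    if None in methods or [m.get("Algorithm") for m in methods] != [C14N, HMAC_SHA256, SHA256]:
        return False
    # Resolve "#id" against wsu:Id and insist the signed element is the Body the service
    # will act on; a second element carrying the same Id (signature wrapping) is rejected.
    target_id = reference.get("URI", "")[1:]
    matches = [el for el in root.iter() if el.get(f"{{{WSU}}}Id") == target_id]
    if len(matches) != 1 or matches[0] is not root.find(f"{{{SOAP}}}Body"):
        return False
    digest = b64(hashlib.sha256(c14n(matches[0])).digest())
    if not hmac.compare_digest(digest, reference.findtext(f"{{{DS}}}DigestValue", "")):
        return False
    key = SHARED_KEYS.get(signature.findtext(f"{{{DS}}}KeyInfo/{{{DS}}}KeyName", ""))
    if key is None:
        return False
    mac = b64(hmac.new(key, c14n(signed_info), hashlib.sha256).digest())
    return hmac.compare_digest(mac, signature.findtext(f"{{{DS}}}SignatureValue", ""))


if __name__ == "__main__":
    signed = sign_body(SAMPLE_ENVELOPE, "shared-key-1")
    print(signed)
    print("intact:", verify_body_signature(signed))
    print("amount altered in transit:", verify_body_signature(signed.replace("100.00", "999.00")))
```

Two details matter more than the algorithm choice: the receiver pins the canonicalization, signature and digest algorithms rather than trusting whatever the message declares, and it resolves the Reference to the actual Body element rather than to any element that happens to carry the same wsu:Id, so a second unsigned Body slipped into the envelope is not mistaken for the signed one.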
Encryption and Decryption
Why XML Encryption & Decryption? The XML Digital Signature specification does not define any mechanism for encrypting XML entities, and XML-based encryption is essential to securing web services.
-Encrypting and decrypting parts of a document: existing technologies can only encrypt a whole XML document.
-Performance: encrypting only the sensitive parts is less time consuming.
-Multiple encryption and decryption: different encryption treatments can be applied to different parts of the same document, for example for different receivers.
-Persistent storage: sensitive information can stay encrypted once the message is stored, for example in a database.
XML Encryption & Decryption Example
Before Encryption
After Encryption under <Observation>
Security Time Stamp
Why is a Security Time Stamp needed? To prevent replay attacks. For example, an attacker captures a message and resends it to the target to corrupt its account information. With a time stamp added, the receiver can tell that the message has already been received by checking whether its Created time (together with its content) matches a message seen before, and can reject any message whose Expires time has passed.
Example
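As an added example (not code from the slides), the following receiver-side check implements the time stamp idea above: parse <wsu:Timestamp>, reject messages created too far in the future, expired, or given a longer lifetime than the receiver's policy allows, and keep a cache of (Created, Body) fingerprints for the lifetime of each message so that a byte-for-byte replay within the window is caught. The envelope builder, the clock values and the policy limits are constructed for the example; in a real deployment the Timestamp and Body must be covered by the message signature, otherwise the attacker simply rewrites Created on the replayed copy.

```python
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
for prefix, uri in (("soapenv", SOAP), ("wsse", WSSE), ("wsu", WSU)):
    ET.register_namespace(prefix, uri)

TIME_FORMAT = "%Y-%m-%dT%H:%M:%SZ"   # wsu:Created / wsu:Expires are xsd:dateTime in UTC


def make_envelope(created: str, expires: str, body_xml: str) -> str:
    """Constructed sample: a SOAP request carrying a wsu:Timestamp (not from the slides)."""
    return (
        f'<soapenv:Envelope xmlns:soapenv="{SOAP}" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">'
        f'<soapenv:Header><wsse:Security><wsu:Timestamp wsu:Id="TS-1">'
        f'<wsu:Created>{created}</wsu:Created><wsu:Expires>{expires}</wsu:Expires>'
        f'</wsu:Timestamp></wsse:Security></soapenv:Header>'
        f'<soapenv:Body>{body_xml}</soapenv:Body></soapenv:Envelope>'
    )


def parse_utc(text: str) -> datetime:
    return datetime.strptime(text, TIME_FORMAT).replace(tzinfo=timezone.utc)


class ReplayGuard:
    """Receiver-side freshness and replay check on the wsu:Timestamp header."""

    def __init__(self, max_skew=timedelta(minutes=5), max_lifetime=timedelta(minutes=5)):
        self.max_skew = max_skew            # tolerated clock drift between sender and receiver
        self.max_lifetime = max_lifetime    # receiver's cap on Expires - Created
        self.seen = {}                      # fingerprint -> Expires; purged once the window closes

    def check(self, envelope_xml: str, now: datetime) -> str:
        """Return "accepted" or the reason the message is rejected."""
        root = ET.fromstring(envelope_xml)
        ts = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security/{{{WSU}}}Timestamp")
        if ts is None:
            return "missing timestamp"
        created_text = ts.findtext(f"{{{WSU}}}Created")
        expires_text = ts.findtext(f"{{{WSU}}}Expires")
        if created_text is None:
            return "missing Created"
        created = parse_utc(created_text)
        # Expires is optional for the sender; the receiver then applies its own lifetime.
        expires = parse_utc(expires_text) if expires_text else created + self.max_lifetime
        if created > now + self.max_skew:
            return "Created is in the future"
        if expires <= created or expires - created > self.max_lifetime:
            return "lifetime out of policy"        # the sender cannot widen the replay window
        if now >= expires:
            return "expired"
        # Forget fingerprints whose window has closed (expiry catches those), then look for a duplicate.
        self.seen = {fp: exp for fp, exp in self.seen.items() if exp > now}
        body = root.find(f"{{{SOAP}}}Body")
        fingerprint = hashlib.sha256(
            created_text.encode("utf-8")
            + ET.canonicalize(ET.tostring(body, encoding="unicode")).encode("utf-8")
        ).hexdigest()
        if fingerprint in self.seen:
            return "replay: same Created and Body already processed"
        self.seen[fingerprint] = expires
        return "accepted"


def demo() -> list:
    """Walk one guard through a fresh message, its replay, a stale copy and two bad time stamps."""
    guard = ReplayGuard()
    msg = make_envelope("2024-05-01T12:00:00Z", "2024-05-01T12:05:00Z",
                        '<m:Transfer xmlns:m="urn:example:bank">100.00</m:Transfer>')
    return [
        guard.check(msg, parse_utc("2024-05-01T12:01:00Z")),   # fresh
        guard.check(msg, parse_utc("2024-05-01T12:02:00Z")),   # attacker resends inside the window
        guard.check(msg, parse_utc("2024-05-01T12:06:00Z")),   # resent after Expires
        guard.check(make_envelope("2024-05-01T12:30:00Z", "2024-05-01T12:35:00Z", "<x/>"),
                    parse_utc("2024-05-01T12:02:00Z")),        # Created beyond clock skew
        guard.check(make_envelope("2024-05-01T12:00:00Z", "2024-05-01T13:00:00Z", "<x/>"),
                    parse_utc("2024-05-01T12:02:00Z")),        # one-hour lifetime exceeds policy
    ]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

Bounding the lifetime is what keeps the cache small: a fingerprint only has to be remembered until its Expires, so the receiver's memory cost is proportional to the message rate times max_lifetime, not to the history of all traffic.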
Evaluation of Web Service Security:
Solves many problems:
• replay attacks
• delayed messages
• encrypting, decrypting and signing only part of the message content
• message verification
Conclusion:
Current technology and future: WS-Security involves many costly cryptographic operations and memory-demanding XML DOM processing.
-Signature processing: it is important to develop new algorithms that reduce processing time.
-Replay attacks: it is important to develop a better approach than the time stamp alone.
-Mobile networks: with less time needed to process XML messages, messages passed between mobile phones could be both more efficient and secure.
Thank You!