Web Services Security INFOSYS 290, Section 3 Web Services: Concepts, Design and Implementation Adam Blum

Agenda
Security Issues with Web Services
WS-Security
– XML Signature
– XML Encryption
Tool Support

Security Issues Addressed by WS-Security
Identity
– Authentication
– Authorization
Integrity
Confidentiality

Terms
Proof-of-possession – data demonstrating that the sender knows something only the claimed sender should know
Integrity – process to guarantee no modification in transit
Confidentiality – process by which data is protected such that only authorized actors can view it
Digest – cryptographic checksum of content
Signature – binding of proof of possession and digest

Message with Token Zoe

…a Digital Signature LyLsF0Pi4wPU... DJbchm5gK...

…and a Body – QQQ –

Identity

Message Security Model
Security tokens – assert claims
Signatures
– Provide a mechanism for proving the sender’s knowledge of a key
– Associate the signature with claims in the security token
Endorsed claims
– Represented as security tokens signed by a trusted authority
– An X.509 certificate claims a binding between one’s identity and a public key
Unendorsed claims
– Can be trusted if there is a trust relationship between sender and receiver
– Proof of possession claim – e.g. username/password

Username Token Example... ablum lauren......
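The proof-of-possession claim behind the UsernameToken above, as an added Python example that is not part of the original slides. Instead of carrying the password itself, the WS-Security UsernameToken Profile's digest form sends Base64(SHA-1(nonce + created + password)); the receiver recomputes that value from its own copy of the password, checks that the Created timestamp is recent, and rejects any nonce it has already accepted, so a captured token cannot simply be replayed. The credential store, the five-minute window and the password value are constructed for this example ("ablum" is the username shown on the slide).

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

# Constructed credential store for this example: "ablum" is the username
# shown on the slide; the password is a stand-in chosen here.
USER_PASSWORDS = {"ablum": "lauren"}

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """UsernameToken PasswordDigest = Base64(SHA-1(nonce + created + password)),
    with the nonce as raw bytes and created/password as UTF-8 text."""
    h = hashlib.sha1(nonce + created.encode("utf-8") + password.encode("utf-8"))
    return base64.b64encode(h.digest()).decode("ascii")


def make_token(username: str, password: str, now: datetime = None) -> dict:
    """Client side: fresh random nonce plus timestamp, digest instead of the password."""
    now = now or datetime.now(timezone.utc)
    nonce = os.urandom(16)
    created = now.strftime(TIME_FMT)
    return {
        "Username": username,
        "PasswordDigest": password_digest(nonce, created, password),
        "Nonce": base64.b64encode(nonce).decode("ascii"),
        "Created": created,
    }


class UsernameTokenVerifier:
    """Server side: recompute the digest and reject stale or replayed tokens."""

    def __init__(self, passwords: dict, freshness: timedelta = timedelta(minutes=5)):
        self.passwords = passwords
        self.freshness = freshness
        # (Nonce, Created) pairs already accepted; bound and expire this in production.
        self.seen = set()

    def verify(self, token: dict, now: datetime = None):
        now = now or datetime.now(timezone.utc)
        password = self.passwords.get(token.get("Username"))
        if password is None:
            return False, "unknown user"
        try:
            nonce = base64.b64decode(token["Nonce"], validate=True)
            created = datetime.strptime(token["Created"], TIME_FMT).replace(tzinfo=timezone.utc)
        except (KeyError, ValueError):
            return False, "malformed token"
        if abs(now - created) > self.freshness:
            return False, "stale Created timestamp"
        if (token["Nonce"], token["Created"]) in self.seen:
            return False, "replayed nonce"
        expected = password_digest(nonce, token["Created"], password)
        # Constant-time comparison so the check leaks nothing about the digest.
        if not hmac.compare_digest(expected, token.get("PasswordDigest", "")):
            return False, "digest mismatch"
        self.seen.add((token["Nonce"], token["Created"]))
        return True, "ok"


def demo() -> list:
    """Runs the four cases a verifier must distinguish; returns the reason strings."""
    v = UsernameTokenVerifier(USER_PASSWORDS)
    good = make_token("ablum", "lauren")
    stale = make_token("ablum", "lauren", now=datetime.now(timezone.utc) - timedelta(hours=1))
    bad = make_token("ablum", "not-the-password")
    return [
        v.verify(good)[1],   # ok
        v.verify(good)[1],   # replayed nonce (same token presented twice)
        v.verify(stale)[1],  # stale Created timestamp
        v.verify(bad)[1],    # digest mismatch
    ]


if __name__ == "__main__":
    print(demo())
```

The digest form only helps if the receiver also enforces the timestamp window and the nonce cache; without those two checks the token is as replayable as a plaintext password, and the digest itself still needs transport protection because it can be brute-forced offline against a weak password.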

Security Tokens
Binary Security Tokens – MIIEZzCCA9CgAwIBAgIQEmtJZc or X509 (note that there is thus no guarantee of interoperability)
Security Token References

Integrity

Signatures
– Determine whether a message was altered in transit
– Verify that the message was sent by the possessor of a particular security token

XML Signature ( ( )? )+ ( )? ( )*

CanonicalizationMethod
A way to guarantee that two equivalent bits of XML are represented the same so that they can be signed
Algorithms used for this
– Identifier for REQUIRED Canonical XML (omits comments):
– Identifier for Canonical XML with Comments:
An example of an XML canonicalization element is:

SignatureMethod
Algorithm used to create the digital signature
Required
– Secure Hash Algorithm-1 with Digital Signature Algorithm

Reference Element
Digest algorithm
Digest value
Optional identifier of the object being signed
Optional transforms applied prior to digesting
With SOAP
– Signed parts of the SOAP message
– Base64-encoded
– SHA1 algorithm

Elements Outside SignedInfo
SignatureValue
– Base64-encoded bytes making up the digital signature
KeyInfo
– Indicates what key should be used to validate the signature
– Can be embedded, referenced or left out entirely

Signature Example [s02] [s10] j6lwx3rvEPO0vKtMup4NbeVu8nk= MC0CFFrVLtRlk=... [s15c]
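How the pieces on the CanonicalizationMethod, Reference Element and Elements Outside SignedInfo slides fit together, as an added Python example that is not from the original slides. It digests a SOAP Body after canonicalization, places the DigestValue in a Reference inside SignedInfo, and computes the SignatureValue over the canonical SignedInfo rather than over the body, which is why a receiver has two checks to run: reference validation (does the content still match its DigestValue?) and signature validation (was SignedInfo itself signed with the expected key?). Two deliberate substitutions: HMAC-SHA1, which XML Signature also defines, stands in for the required DSA-with-SHA-1 so the code needs only the standard library, and Python's canonicalize implements Canonical XML 2.0 rather than the 1.0 algorithm the slides identify. The Body, its Symbol element and the shared key are constructed for this example.

```python
import base64
import hashlib
import hmac
from xml.etree import ElementTree as ET

# Algorithm identifiers from the XML Signature specification.
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
DIGEST_ALG = DS_NS + "sha1"          # the SHA-1 DigestMethod named on the slides
SIGNATURE_ALG = DS_NS + "hmac-sha1"  # HMAC-SHA1 stands in for DSA/RSA here (stdlib only)

# Constructed sample content: one SOAP Body serialized in equivalent and altered forms.
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
BODY = f'<Body Id="Body" xmlns="{SOAP_NS}"><Symbol cur="USD" exch="NYSE">QQQ</Symbol></Body>'
BODY_REFORMATTED = f'<Body xmlns="{SOAP_NS}"   Id="Body"><Symbol exch="NYSE" cur="USD">QQQ</Symbol></Body>'
BODY_TAMPERED = BODY.replace("QQQ", "ZZZ")
KEY = b"constructed-demo-shared-secret"  # the key that KeyInfo / a security token would identify


def c14n(xml_text: str) -> bytes:
    # Python's canonicalize implements Canonical XML 2.0 rather than the 1.0
    # algorithm whose identifiers the slides give; its role is the same: one
    # byte sequence for every equivalent serialization of the element.
    return ET.canonicalize(xml_text, with_comments=False).encode("utf-8")


def digest_value(xml_text: str) -> str:
    """Reference/DigestValue: Base64(SHA-1(canonical form of the signed part))."""
    return base64.b64encode(hashlib.sha1(c14n(xml_text)).digest()).decode("ascii")


def build_signed_info(reference_uri: str, digest: str) -> str:
    """SignedInfo carrying the SignatureMethod and one Reference with its digest."""
    return (
        f'<SignedInfo xmlns="{DS_NS}">'
        f'<SignatureMethod Algorithm="{SIGNATURE_ALG}"/>'
        f'<Reference URI="{reference_uri}">'
        f'<DigestMethod Algorithm="{DIGEST_ALG}"/>'
        f'<DigestValue>{digest}</DigestValue>'
        '</Reference></SignedInfo>'
    )


def sign(body_xml: str, key: bytes) -> dict:
    """SignatureValue is computed over the canonicalized SignedInfo, not the body."""
    signed_info = build_signed_info("#Body", digest_value(body_xml))
    mac = hmac.new(key, c14n(signed_info), hashlib.sha1).digest()
    return {"SignedInfo": signed_info, "SignatureValue": base64.b64encode(mac).decode("ascii")}


def verify(body_xml: str, signature: dict, key: bytes) -> tuple:
    ns = {"ds": DS_NS}
    root = ET.fromstring(signature["SignedInfo"])
    # Reference validation: re-digest the live content and compare to DigestValue.
    claimed = root.find("ds:Reference/ds:DigestValue", ns).text or ""
    if not hmac.compare_digest(claimed, digest_value(body_xml)):
        return False, "reference digest mismatch: signed content altered"
    # Signature validation: recompute the MAC over canonical SignedInfo.
    expected = hmac.new(key, c14n(signature["SignedInfo"]), hashlib.sha1).digest()
    if not hmac.compare_digest(expected, base64.b64decode(signature["SignatureValue"])):
        return False, "SignatureValue mismatch: SignedInfo altered or wrong key"
    return True, "ok"


if __name__ == "__main__":
    sig = sign(BODY, KEY)
    for label, body in [("original", BODY), ("reformatted", BODY_REFORMATTED), ("tampered", BODY_TAMPERED)]:
        print(label, verify(body, sig, KEY))
```

Running it shows why canonicalization sits in front of the digest: the reformatted Body (different attribute order and whitespace inside the tag) verifies, while a one-character change to the content fails reference validation. An attacker who rewrites the DigestValue to match altered content passes the first check and fails the second, because SignedInfo is what the key actually covers; both checks are needed, in that order.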

Confidentiality

Encryption Components
xenc:ReferenceList
– Manifest of encrypted elements in the message
xenc:EncryptedData
– Contains the encrypted elements

Encryption Example (Shared Secret) CN=Hiroshi Maruyama, C=JP...

Encrypting Keys
Encrypt the elements with a key
Encrypt that key with the recipient’s key
Embed it in the header
E.g. encrypt with a randomly generated symmetric key that is itself encrypted with the recipient’s public key

Encrypting with Encrypted Key CN=Hiroshi Maruyama, C=JP... /wsse:Security> CN=Hiroshi Maruyama, C=JP...

WS-Security Specs
WS-Security – 128.ibm.com/developerworks/webservices/library/ws-secure/
XML Signature –

Microsoft WSE 3.0 Turnkey Security Scenarios
– Username over Transport
– Username over Certificate
– Anonymous over Certificate
– Mutual Certificate
– Kerberos (Windows)

WSE 3.0 Named Policies

using System.Collections.Generic;
using System.Web.Services;
using System.Xml.Serialization;
using Microsoft.Web.Services3;   // WSE 3.0: supplies the [Policy] attribute

// Namespace URI was cut off in the transcript; placeholder value used here.
[WebService(Namespace = "urn:PLACEHOLDER-NAMESPACE")]
[Policy("ServerPolicy")]   // binds this service to the named policy in the WSE policy file
public class WSSecurityUsernameService : System.Web.Services.WebService
{
    public WSSecurityUsernameService() { }

    // The generic element type of List was lost in the transcript; string is a stand-in.
    [WebMethod]
    public List<string> StockQuoteRequest([XmlArray(), XmlArrayItem("Symbol")] string[] symbols)
    {
        // Business logic here
        return new List<string>();
    }
}