Distributed system Distributed File System Nguyen Huu Tuong Vinh Huynh Thi Thu Thuy Dang Trang Tri.
1 Thuy, Le Huu | Pentalog VN Web Services Security.
-
Upload
easter-preston -
Category
Documents
-
view
218 -
download
0
Transcript of 1 Thuy, Le Huu | Pentalog VN Web Services Security.
1Thuy, Le Huu | Pentalog VN
Web Services Security
2
Agenda
• Cryptography Concepts– Cryptographic Algorithms
• Cryptographic Operations– Data Privacy– Data Integrity, Authenticity, and Non-repudiation
• Basics of Digital Certificates and Certificate Authority– What is a Digital Certificate– Certificate Purposes
• Create Your Own Certificate and CA• WS Security Implementation Using Apache CXF and
Spring
3
Cryptography Concepts
• Cryptography is the art and science of keeping data secure. Cryptographic services help ensure data privacy, maintain data integrity, authenticate communicating parties, and prevent repudiation (when a party refutes having sent a message). Three major areas of concern: privacy, authentication, and integrity are addressed using Cryptography.
4
Cryptography Concepts
• Basic encryption allows you to store information or to communicate with other parties while preventing non-involved parties from understanding the stored information or understanding the communication
• Encryption transforms understandable text (plaintext) into an unintelligible piece of data (ciphertext). Decryption restores the understandable text from the unintelligible data
• Both functions involve a mathematical formula (the algorithm) and secret data (the key).
5
Cryptographic Algorithms
• Symmetric key algorithm– With a secret or symmetric key algorithm, the key is a
shared secret between two communicating parties. Encryption and decryption both use the same key
6
Cryptographic Algorithms
• Asymmetric key algorithm– One of the keys, the private key, is kept secret and not
shared with anyone. The other key, the public key, is not secret and can be shared with anyone
7
Cryptographic Algorithms
8
Cryptographic Operations
• Data Privacy– Encryption/Decryption
• Field/Message level encryption: The user application completely controls key generation, selection, distribution, and what data to encrypt
• Session level encryption: SSL or HTTPS is such sesion level encryption
• Link Level encryption: Usually by specialized hardware. Bank ATM networks may implement hardware encryption
– Translate• The translate operation is used to decrypt data from encryption
under one key to encryption under another key. This is done in one step to avoid exposing the plaintext data within the application program
9
Cryptographic Operations
• Data Integrity, Authenticity, and Non-repudiation– Hash (Message Digest)
10
Cryptographic Operations
• Data Integrity, Authenticity, and Non-repudiation– HMAC (Hash MAC), MAC (Message Authentication Code)
11
Cryptographic Operations
• Data Integrity, Authenticity, and Non-repudiation– Sign/Verify
12
Basics of Digital Certificates and Certificate Authority
• What is a Digital Certificate– Digital certificates are electronic credentials that are used to
assert the online identities of individuals, computers, and other entities on a network.
– Digital certificates function similarly to identification cards such as passports and drivers licenses.
– Most commonly they contain a public key and the identity of the owner. They are issued by certification authorities (CAs) that must validate the identity of the certificate-holder both before the certificate is issued and when the certificate is used.
– Common uses include business scenarios requiring authentication, encryption, and digital signing
13
Digital Certificate
14
Digital Certificate
15
Certificate Purposes
• Encryption. A certificate with this purpose will contain cryptographic keys for encryption and decryption.
• Signature. A certificate with this purpose will contain cryptographic keys for signing data only.
• Signature and encryption. A certificate with this purpose covers all primary uses of a certificate’s cryptographic key, including encryption of data, decryption of data, initial logon, or digitally signing data.
• Signature and smartcard logon. A certificate with this purpose allows for initial logon with a smart card, and digitally signing data; it cannot be used for data encryption.
16
Create Your Own Certificate and CA
• Java Keytool: Generate a Key Pair, Your Self-Signed Certificate
• OpenSSL: Set Up a Certificate Authority
keytool -genkey -alias client -keystore /pressf5/ClientKeyStore.jks -keyalg RSA -sigalg SHA1withRSA//password: client-pass and key-passkeytool -genkey -alias server -keystore /pressf5/ServerKeyStore.jks -keyalg RSA -sigalg SHA1withRSA//password: server-pass and key-passkeytool -export -alias client -file /pressf5/certfile.cer -keystore /pressf5/ClientKeyStore.jkskeytool -export -alias server -file /pressf5/scertfile.cer -keystore /pressf5/ServerKeyStore.jks
keytool -import -alias server -file /pressf5/scertfile.cer -keystore /pressf5/ClientKeyStore.jkskeytool -import -alias client -file /pressf5/certfile.cer -keystore /pressf5/ServerKeyStore.jks
openssl x509 -signkey cakey.pem -req -days 3650 -in careq.pem -out caroot.cer -extensions v3_ca
17
WS Security Implementation
• Apache CXF 2.6.2 for server both Soap and Rest– UsernameToken – Timestamp – Signature – Encrypt
• Deploy on Tomcat Server 7.0.30– HTTP– SSL/HTTPS
• Intergrated with Spring 3.1.2
• Apache CXF client for Soap, Jersey for client Rest
18
Link Reference
• SOAP SERVICE– http://cxf.apache.org/docs/jax-ws.html– https://sites.google.com/site/ddmwsst/home
• REST SERVICE– http://cxf.apache.org/docs/secure-jax-rs-services.html– http://grepcode.com/file/repo1.maven.org/maven2/org.apach
e.cxf.systests/cxf-systests-rs-security/2.5.2/org/apache/cxf/systest/jaxrs/security/bob.properties?av=f
– http://svn.apache.org/repos/asf/cxf/trunk/systests/rs-security/– http://stackoverflow.com/questions/3434309/accessing-secur
e-restful-web-services-using-jersey-client
19
Thank You