Secured SOA

Secured SOABy Prabath Siriwardena ~ WSO2

Santa Clara , CA

Securing a Web Service..???

People Can SEE What You Send

People Can ALTER What You Send

Anyone Can CALL Your Service

People SEE What’s On

People Can ALTER What’s On

HTTP is NOT Secured

HTTPS is Transport Level

Security inherited from the transport channel

Safe only while on the transport

Parts of the message CANNOT

BEencrypted

Authenticating with HTTPS ?

BasicAuth

Mutual Authentication

SSL Handshake

CLIENT_HELLO

Highest SSL Version,

Ciphers Supported,

Data Compression Methods,

SessionId = 0,

Random Data

SERVER_HELLO

Selected SSL Version,

Selected Cipher,

Selected Data Compression Method,

Assigned Session Id,

Random Data

CERTIFICATE

Public Key,

Authentication Signature

CLIENT_CERT_REQUEST

[Optional]

CLIENT_CERT

[Optional]

CLIENT_KEY_EXCHANGE

CERTIFICATE_VERIFY[Optional]

CHANGE_CIPHER_SPEC

FINISHED

CHANGE_CIPHER_SPEC

FINISHED

MONDAY Morning

NOT Happy With HTTPS

Requires END To END Security

Parts of message need to be Encrypted

<soap:Envelope > <soap:Body>

<ns1:withdrawMoney > <param1></ param1><param2></ param2><param3></ param3>

</ ns1:withdrawMoney > </soap:Body>

</soap:Envelope>

Message Level Security

XML Encryption

XML Signature

WS - Security

Confidentiality

Integrity

NON - Repudiation

Authentication

UsernameToken

<wsse:UsernameToken wsu:Id="Example-1"><wsse:Username> ... </wsse:Username><wsse:Password

Type="..."> ... </wsse:Password><wsse:Nonce

EncodingType="..."> ... </wsse:Nonce><wsu:Created> ... </wsu:Created>

</wsse:UsernameToken>

NOBODY Can See the Message in Clear Text Other

than the Intended Recipient

NOBODY In the Middle Can ALTER the Message

Only the Authenticated Users Can Invoke the Service

Sign & Encrypt OR Encrypt & Sign

Sign & Encrypt

MessgaeSignture

XML Signature defines THREE

types of signatures

Sign & EncryptWith

WS-Security

<Message>

</Message>

<Envelope>

</Envelope>

<Body>

</Body>

1

<Message>

</Message>

<Signature>

</Signature>

<Envelope>

</Envelope>

<Header>

</Header><Body>

</Body>

2

<EncryptedData>

</EncryptedData>

<Signature>

</Signature>

<Envelope>

</Envelope>

<Header>

</Header><Body>

</Body>

3

Encrypt & SignMessgaeSignture

<Message>

</Message>

<Envelope>

</Envelope>

<Body>

</Body>

1

<EncryptedData>

</EncryptedData>

<Envelope>

</Envelope>

<Body>

</Body>

2

<EncryptedData>

</EncryptedData>

<Signature>

</Signature>

<Envelope>

</Envelope>

<Header>

</Header><Body>

</Body>

3

XML SignatureXML

EncryptionUsername

Token ProfileX.509 Token

Profile

WS - Security

DONE with My First Assignment

BUT… Paul NOT Happy

Authentication LIMITED to

INTERNAL Users ONLY

Users OUT SIDE OurDomain Need ACCESS

We DON’T Have Their Credentials

We Can’t Use UsernameToken

Delegate Authentication to the External Domain

itself

They Should Know How to Authenticate Their Own

Users

We TRUST What the External Domain Says

WS-TRUST

<s:Envelope><s:Header>

<wsa:Action>http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue

</wsa:Action></s:Header><s:Body>

<wst:RequestSecurityToken><wst:TokenType>

http://example.org/mySpecialToken</wst:TokenType><wst:RequestType>

http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</wst:RequestType>

</wst:RequestSecurityToken></s:Body>

</s:Envelope>

<s:Envelope><s:Header>

<wsa:Action>http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/Issue

</wsa:Action></s:Header><s:Body>

<wst:RequestSecurityTokenResponseCollection> <wst:RequestSecurityTokenResponse>

<wst:RequestedSecurityToken><xyz:CustomToken xmlns:xyz="..."> </xyz:CustomToken>

</wst:RequestedSecurityToken> </wst:RequestSecurityTokenResponse> </wst:RequestSecurityTokenResponseCollection>

</s:Body> </s:Envelope>

XML Signature

XML Encryption

Username Token Profile

X.509 Token Profile

WS - Security

WS - Trust

Another Problem on HAND…

How Do We Communicate our Security

Requirements to Outsiders ?

The Encryption Algorithm We Use…

Key Size…

Token Types…

Elements to be Signed…

Elements to be Encrypted…

Use Symmetric Key or Asymmetric Key…

WS-Security Policy

Finally… all on the White Board…

http://wso2.com

http://wso2.com/about/contact

[email protected]

[email protected]

Thank You…!!!

Secured SOA

Technology

Transcript of Secured SOA