Secured SOA

Secured SOA By Prabath Siriwardena ~ WSO2

Prabath Siriwardana - WSO2 SOA Security Architect, gives out a presentation on secured SOA at the SOA workshop in Colombo, Sri Lanka (September 17, 2009).

Transcript of Secured SOA

Secured SOA

By Prabath Siriwardena ~ WSO2

November 01st, 2007

WSO2, No: 59, Flower Road, Colombo 07, Sri Lanka

Ruchith Fernando, Security Lead, WSO2, 2006 – 2008

Now, PhD student at University of Purdue

First Assignment…

Securing a Web Service..???

WHY Secure..???

People Can SEE What You Send

People Can ALTER What You Send

Anyone Can CALL Your Service

People SEE What’s On HTTP

People Can ALTER What’s On HTTP

HTTP is NOT Secured

HTTPS

HTTPS is Transport Level

Security inherited from the transport channel

Safe only while on the transport

Parts of the message CANNOT BE encrypted

Authenticating with HTTPS ?

BasicAuth

Mutual Authentication

SSL Handshake

CLIENT_HELLO

Highest SSL Version,

Ciphers Supported,

Data Compression Methods,

SessionId = 0,

Random Data

SERVER_HELLO

Selected SSL Version,

Selected Cipher,

Selected Data Compression Method,

Assigned Session Id,

Random Data

CERTIFICATE

Public Key,

Authentication Signature

CLIENT_CERT_REQUEST

[Optional]

CLIENT_CERT

[Optional]

CLIENT_KEY_EXCHANGE

CERTIFICATE_VERIFY [Optional]

CHANGE_CIPHER_SPEC

FINISHED

CHANGE_CIPHER_SPEC

FINISHED

MONDAY Morning

NOT Happy With HTTPS

Requires END To END Security

Parts of message need to be Encrypted

<soap:Envelope>
  <soap:Body>
    <ns1:withdrawMoney>
      <param1></param1>
      <param2></param2>
      <param3></param3>
    </ns1:withdrawMoney>
  </soap:Body>
</soap:Envelope>

Message Level Security

XML Encryption

XML Signature

WS - Security

Confidentiality

Integrity

NON - Repudiation

Authentication

UsernameToken

<wsse:UsernameToken wsu:Id="Example-1">
  <wsse:Username> ... </wsse:Username>
  <wsse:Password Type="..."> ... </wsse:Password>
  <wsse:Nonce EncodingType="..."> ... </wsse:Nonce>
  <wsu:Created> ... </wsu:Created>
</wsse:UsernameToken>

NOBODY Can See the Message in Clear Text Other than the Intended Recipient

NOBODY In the Middle Can ALTER the Message

Only the Authenticated Users Can Invoke the Service

XML Signature

XML Encryption

Username Token Profile

X.509 Token Profile

WS - Security

DONE with My First Assignment

BUT… Paul NOT Happy

Authentication LIMITED to INTERNAL Users ONLY

Users OUTSIDE Our Domain Need ACCESS

We DON’T Have Their Credentials

We Can’t Use UsernameToken

Delegate Authentication to the External Domain Itself

They Should Know How to Authenticate Their Own Users

We TRUST What the External Domain Says

WS-TRUST

<s:Envelope>
  <s:Header>
    <wsa:Action>http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue</wsa:Action>
  </s:Header>
  <s:Body>
    <wst:RequestSecurityToken>
      <wst:TokenType>http://example.org/mySpecialToken</wst:TokenType>
      <wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</wst:RequestType>
    </wst:RequestSecurityToken>
  </s:Body>
</s:Envelope>

<s:Envelope>
  <s:Header>
    <wsa:Action>http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/Issue</wsa:Action>
  </s:Header>
  <s:Body>
    <wst:RequestSecurityTokenResponseCollection>
      <wst:RequestSecurityTokenResponse>
        <wst:RequestedSecurityToken>
          <xyz:CustomToken xmlns:xyz="..."> </xyz:CustomToken>
        </wst:RequestedSecurityToken>
      </wst:RequestSecurityTokenResponse>
    </wst:RequestSecurityTokenResponseCollection>
  </s:Body>
</s:Envelope>

XML Signature

XML Encryption

Username Token Profile

X.509 Token Profile

WS - Security

WS - Trust

Another Problem on HAND…

How Do We Communicate Our Security Requirements to Outsiders?

The Encryption Algorithm We Use…

Key Size…

Token Types…

Elements to be Signed…

Elements to be Encrypted…

Use Symmetric Key or Asymmetric Key…

WS-Security Policy

Finally… We All Moved to the White Board…

http://wso2.com

http://wso2.com/about/contact

Thank You…!!!