WS-Security


WS-Security. Clement Song 02-09-04. Outline. What is WS-Security? Why WS-Security? Terminology How to Secure? Code Demos Reference. What is WS-Security?. WS-Security: soap message protection through message integrity, confidentiality, and single message authentication - PowerPoint PPT Presentation

Transcript of WS-Security

  • WS-Security, Clement Song, 02-09-04

  • Outline: What is WS-Security? Why WS-Security? Terminology. How to Secure? Code Demos. Reference.

  • What is WS-Security? WS-Security: SOAP message protection through message integrity, confidentiality, and single message authentication; extensible and flexible (multiple security tokens, trust domains, signature formats, and encryption technologies); a flexible set of mechanisms that can be used to construct a range of security protocols. Source: WS-Security version 1.0, ref [1].

  • Why WS-Security? Secure SOAP message exchange.

  • Terminology Reference

    Claim - A claim is a statement that a requestor makes (e.g. name, identity, key, group, privilege, capability, etc.).
    Security Token - A security token represents a collection of claims.
    Signed Security Token - A signed security token is a security token that is asserted and cryptographically endorsed by a specific authority (e.g. an X.509 certificate or a Kerberos ticket).
    Proof-of-Possession - The proof-of-possession information is data that is used in a proof process to demonstrate the sender's knowledge of information that should only be known to the claiming sender of a security token.

  • Terminology Reference

    Digest - A digest is a cryptographic checksum of an octet stream.
    Signature - A signature is a cryptographic binding of a proof-of-possession and a digest. This covers both symmetric key-based and public key-based signatures. Consequently, non-repudiation
    Non-repudiation - means to ensure that a transferred message has been sent and received by the parties claiming to have sent and received the message: a way to guarantee that the sender of a message cannot later deny having sent the message and that the recipient cannot deny having received the message.

  • How to Secure? Integrity - information is not modified in transit. XML signature in conjunction with security tokens. Multiple signatures, multiple actors, additional signature formats.

  • How to Secure? Confidentiality - only authorized actors or security token owners can view the data. XML encryption in conjunction with security tokens. Multiple encryption processes, multiple actors.

  • How to Secure? Authentication - you are who you say you are. Security Tokens.

  • Syntax ...
  • UsernameToken Element ... ... Types:

  • UsernameToken Example Zoe ILoveDogs

  • Binary Security Tokens

    EncodingType:
    ValueType:

  • Binary Security Tokens Example MIIEZzCCA9CgAwIBAgIQEmtJZc0...

  • SecurityTokenReference

    Example:

  • Username Token Demo
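    The demo itself is not part of the transcript. As an added example (mine, not the author's deck), here are the sender and receiver sides of a wsse:UsernameToken whose Password is of Type PasswordDigest, using the slide's Zoe / ILoveDogs credentials. The digest formula Base64(SHA-1(nonce + created + password)) is the one defined in the WS-Security UsernameToken Profile rather than something shown on the slides; the five-minute freshness window and the in-memory nonce cache are my assumptions about a receiver's policy.

```python
import base64
import hashlib
import secrets
from datetime import datetime, timedelta, timezone

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"  # format of the wsu:Created timestamp

def password_digest(nonce: bytes, created: str, password: str) -> str:
    """PasswordDigest per the WS-Security UsernameToken Profile:
    Base64(SHA-1(nonce + created + password))."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")

def build_token(username, password, now=None, nonce=None):
    """Sender side: the fields carried in a wsse:UsernameToken whose
    Password is of Type PasswordDigest (no cleartext password on the wire)."""
    now = now or datetime.now(timezone.utc)
    nonce = nonce or secrets.token_bytes(16)
    created = now.strftime(TIME_FMT)
    return {"Username": username,
            "Password": password_digest(nonce, created, password),
            "Nonce": base64.b64encode(nonce).decode("ascii"),
            "Created": created}

class UsernameTokenVerifier:
    """Receiver side: recompute the digest from the stored password and
    reject stale Created timestamps and replayed nonces (assumed policy)."""
    def __init__(self, passwords, freshness=timedelta(minutes=5)):
        self.passwords = passwords          # username -> password (constructed store)
        self.freshness = freshness          # assumed clock-skew / replay window
        self.seen_nonces = set()            # replay cache for the window

    def verify(self, token, now=None):
        now = now or datetime.now(timezone.utc)
        password = self.passwords.get(token["Username"])
        if password is None:
            return False, "unknown user"
        created = datetime.strptime(token["Created"], TIME_FMT).replace(tzinfo=timezone.utc)
        if abs(now - created) > self.freshness:
            return False, "stale Created timestamp"
        nonce = base64.b64decode(token["Nonce"])
        if nonce in self.seen_nonces:
            return False, "replayed nonce"
        expected = password_digest(nonce, token["Created"], password)
        if not secrets.compare_digest(expected, token["Password"]):
            return False, "digest mismatch"
        self.seen_nonces.add(nonce)
        return True, "ok"
```

    Presenting the same token twice makes the second call fail with "replayed nonce", which is the property the nonce and Created elements exist to provide.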

  • Digital Signing

  • XML Signature

  • XML Signature Example: j6lwx3rvEPO0vKtMup4NbeVu8nk= MC0CFFrVLtRlk=...

  • XML signature in WS-Security MIIEZzCCA9CgAwIBAgIQEmtJZc0rqrKh5i... EULddytSo1... BL8jdfToEb1l/vXcMZNNjPOV...

  • Digital-Signing Demo

  • XML Encryption

  • Example

  • RSA Algorithm Demo(optional)

  • Primary References

    1. WS-Security Specification: http://msdn.microsoft.com/webservices/understanding/advancedwebservices/default.aspx?pull=/library/en-us/dnglobspec/html/ws-security.asp
    2. WS-Security AppNotes (examples and guidance to implementers): http://www-106.ibm.com/developerworks/library/ws-secapp/

  • Secondary References

    1. XML signature (Syntax and processing): http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/
    2. XML encryption (Syntax and processing): http://www.w3.org/TR/xmlenc-core/
    3. RSA encryption Demo (explains how RSA works): http://intercom.virginia.edu/crypto/crypto.html