WS - Security

Prabath Siriwardena, Director, Security Architecture



WS-Security

• WS-Security
  – Authentication
  – Integrity and non-repudiation
  – Confidentiality

• Initial effort of MSFT, IBM, Verisign, etc.
• Standardized at the Organization for the Advancement of Structured Information Standards (OASIS)

WS-Security

• Based on XML Encryption and XML Signature
• Basic framework for message level security

Building blocks: Encryption, Signature, Security Tokens

Security Tokens

• Security Tokens are pieces of information used for authentication and authorization.

– UsernameToken [user name/password]
– BinaryToken [X.509 tokens / Kerberos tokens]
– XML Token [SAML tokens]

WS-Security

• Provisions for “profiles” to support different crypto technologies

Profiles: SAML Tokens, X.509 Tokens, UsernameToken

Message Level Security

• Authentication
  – UsernameToken
  – Use a plain text password only with a secure transport
• Integrity and Non-repudiation
  – A detached XML Signature is used, and one or more parts of the message are signed
• Confidentiality
  – Encrypt the SOAP Body or any other part of the message

WS-Security

• For XML Encryption, the security header may hold an <EncryptedKey> element with a <ReferenceList> element pointing to the specific parts of the message that have been encrypted.

• For XML Signature, the <Signature> element inside the security header carries <Reference> elements that point to the parts of the message being digitally signed.

WS-Security

<S11:Envelope xmlns:S11="..." xmlns:wsse="..." xmlns:wsu="..." xmlns:ds="...">
  <S11:Header>
    <wsse:Security xmlns:wsse="...">
      <wsse:BinarySecurityToken ValueType="..." EncodingType="...#Base64Binary" wsu:Id="MyID">
      </wsse:BinarySecurityToken>
      <ds:Signature>
      </ds:Signature>
      <xenc:ReferenceList>
        <xenc:DataReference URI="#bodyID"/>
      </xenc:ReferenceList>
    </wsse:Security>
  </S11:Header>
  <S11:Body wsu:Id="MsgBody">
    <xenc:EncryptedData Id="bodyID">
    </xenc:EncryptedData>
  </S11:Body>
</S11:Envelope>

<BinarySecurityToken />

• Can hold binary tokens – e.g. X509 tokens, Kerberos tokens.

• Because these are binary tokens, the EncodingType must be specified so they can be represented in XML.

• ValueType indicates what the security token is.

<wsse:BinarySecurityToken ValueType="..." EncodingType="...#Base64Binary" wsu:Id="MyID">
</wsse:BinarySecurityToken>

WS-Security – Encryption Example - 1

<S11:Envelope xmlns:S11="..." xmlns:wsse="..." xmlns:wsu="..." xmlns:ds="...">
  <S11:Header>
  </S11:Header>
  <S11:Body wsu:Id="MsgBody">
    <tru:StockSymbol xmlns:tru="http://www.fabrikam123.com/payloads">
      1548 QQQ
    </tru:StockSymbol>
  </S11:Body>
</S11:Envelope>

WS-Security – Encryption Example - 1

<S11:Envelope xmlns:S11="..." xmlns:wsse="..." xmlns:wsu="..." xmlns:ds="...">
  <S11:Header>
  </S11:Header>
  <S11:Body wsu:Id="MsgBody">
    <xenc:EncryptedData Id="bodyID">
      <ds:KeyInfo>
        <ds:KeyName>CN=Hiroshi Maruyama, C=JP</ds:KeyName>
      </ds:KeyInfo>
      <xenc:CipherData>
        <xenc:CipherValue>...</xenc:CipherValue>
      </xenc:CipherData>
    </xenc:EncryptedData>
  </S11:Body>
</S11:Envelope>

WS-Security – Encryption Example - 1

<S11:Envelope xmlns:S11="..." xmlns:wsse="..." xmlns:wsu="..." xmlns:ds="...">
  <S11:Header>
    <wsse:Security>
      <xenc:ReferenceList>
        <xenc:DataReference URI="#bodyID"/>
      </xenc:ReferenceList>
    </wsse:Security>
  </S11:Header>
  <S11:Body wsu:Id="MsgBody">
    <xenc:EncryptedData Id="bodyID">
      <ds:KeyInfo>
        <ds:KeyName>CN=Hiroshi Maruyama, C=JP</ds:KeyName>
      </ds:KeyInfo>
      <xenc:CipherData>
        <xenc:CipherValue>...</xenc:CipherValue>
      </xenc:CipherData>
    </xenc:EncryptedData>
  </S11:Body>
</S11:Envelope>

QUESTION 1

Discuss the applicability of the following child elements under <KeyInfo> with respect to Example 1:

<KeyName />, <KeyValue />, <RetrievalMethod />, <X509Data />

WS-Security – Encryption Example - 2

<S11:Envelope xmlns:S11="..." xmlns:wsse="..." xmlns:wsu="..." xmlns:ds="...">
  <S11:Header>
  </S11:Header>
  <S11:Body wsu:Id="MsgBody">
    <tru:StockSymbol xmlns:tru="http://www.fabrikam123.com/payloads">
      1548 QQQ
    </tru:StockSymbol>
  </S11:Body>
</S11:Envelope>

WS-Security – Encryption Example - 2

<S11:Envelope xmlns:S11="..." xmlns:wsse="..." xmlns:wsu="..." xmlns:ds="...">
  <S11:Header>
  </S11:Header>
  <S11:Body wsu:Id="MsgBody">
    <xenc:EncryptedData Id="bodyID">
      <xenc:CipherData>
        <xenc:CipherValue>...</xenc:CipherValue>
      </xenc:CipherData>
    </xenc:EncryptedData>
  </S11:Body>
</S11:Envelope>

WS-Security – Encryption Example - 2

<S11:Envelope xmlns:S11="..." xmlns:wsse="..." xmlns:wsu="..." xmlns:ds="...">
  <S11:Header>
    <wsse:Security>
      <xenc:EncryptedKey>
        <ds:KeyInfo>
          <wsse:SecurityTokenReference>
            <ds:X509IssuerSerial>
              <ds:X509IssuerName> </ds:X509IssuerName>
              <ds:X509SerialNumber></ds:X509SerialNumber>
            </ds:X509IssuerSerial>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
        <xenc:ReferenceList>
          <xenc:DataReference URI="#bodyID"/>
        </xenc:ReferenceList>
      </xenc:EncryptedKey>
    </wsse:Security>
  </S11:Header>
  <S11:Body wsu:Id="MsgBody">
    <xenc:EncryptedData Id="bodyID">
      <xenc:CipherData>
        <xenc:CipherValue>...</xenc:CipherValue>
      </xenc:CipherData>
    </xenc:EncryptedData>
  </S11:Body>
</S11:Envelope>

Token References

• Defines mechanisms for referencing security tokens.
• Introduces the <SecurityTokenReference> as a standard way to refer to a security token regardless of its format.

Reference mechanisms: Direct References, Key Identifiers, Key Names, Embedded References

Direct References

• This allows references to include tokens using URI fragments and external tokens using full URIs.

Direct Reference Example

<S11:Envelope>
  <S11:Header>
    <wsse:Security>
      <wsse:BinarySecurityToken ValueType="...#X509v3" EncodingType="...#Base64Binary" wsu:Id="X509Token">
        MIIEZzCCA9CgAwIBAgIQEmtJZc0rqrKh5i...
      </wsse:BinarySecurityToken>
      <ds:Signature>
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <ds:Reference URI="#myBody">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>EULddytSo1...</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>BL8jdfToEb1l/vXcMZNNjPOV...</ds:SignatureValue>
        <ds:KeyInfo>
          <wsse:SecurityTokenReference>
            <wsse:Reference URI="#X509Token"/>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
  </S11:Header>
  <S11:Body wsu:Id="myBody">
    <tru:StockSymbol xmlns:tru="http://www.fabrikam123.com/payloads">QQQ</tru:StockSymbol>
  </S11:Body>
</S11:Envelope>

Key Identifiers

• This allows tokens to be referenced using an opaque value that represents the token.
• A KeyIdentifier is a value that can be used to uniquely identify a security token (e.g. a hash of the important elements of the security token).

Key Identifiers

<wsse:SecurityTokenReference>
  <wsse:KeyIdentifier
      EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
      ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier">
    MIGfMa0GCSq
  </wsse:KeyIdentifier>
</wsse:SecurityTokenReference>

Key Identifiers

• Having an explicit ValueType removes ambiguity about the format of the KeyIdentifier. The Basic Security Profile restricts the value to the one specified in the security token profile associated with the security token.
• The ValueType attribute in a KeyIdentifier is optional, which causes ambiguity when it is not explicitly stated.
• Furthermore, interoperability is hindered if a ValueType is specified but does not correspond to the value associated with that token as stated in its security token profile.

Key Names

• This allows tokens to be referenced using a string that matches an identity assertion within the security token.

• In any case where a security token would be referred to by Key Name, it would also be possible to refer to it by a more efficient and/or less ambiguous mechanism (e.g. Direct, Key Identifier and/or Issuer and Serial Number).

Key Names Example

<!-- This example is incorrect because it uses a ds:KeyName element to refer to an X.509 certificate -->
<wsse:SecurityTokenReference>
  <ds:KeyName>CN=Security WG, OU=BSP, O=WS-I, C=US</ds:KeyName>
</wsse:SecurityTokenReference>

KeyName references are prohibited by the WS-Security Basic Profile.

Embedded

• This allows tokens to be embedded (as opposed to a pointer to a token that resides elsewhere).
• Basic Security Profile 1.0 restricts embedded security tokens to contain exactly one security token element.

Embedded Token Example

<wsse:SecurityTokenReference>
  <wsse:Embedded wsu:Id="...">
    <wsse:BinarySecurityToken wsu:Id='SomeCert'
        ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
        EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">
      lui+Jy4WYKGJW5xM3aHnLxOpGVIpzSg4V486hHFe7sHET/uxxVBovT7JV1A2RnWSWkXm9jAEdsm/...
    </wsse:BinarySecurityToken>
  </wsse:Embedded>
</wsse:SecurityTokenReference>

Reading SOAP is fun – 1

<wsse:Security>
  <wsse:BinarySecurityToken wsu:Id='SomeCert'
      ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
      EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">
    lui+Jy4WYKGJW5xM3aHnLxOpGVIpzSg4V486hHFe7sHET/uxxVBovT7JV1A2RnWSWkXm9jAEdsm/...
  </wsse:BinarySecurityToken>
  <wsse:SecurityTokenReference>
    <wsse:KeyIdentifier
        EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
        ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier">
      MIGfMa0GCSq
    </wsse:KeyIdentifier>
  </wsse:SecurityTokenReference>
</wsse:Security>

<!-- This example is incorrect because it refers to a wsse:BinarySecurityToken element which specifies a wsu:Id
     attribute using a wsse:KeyIdentifier element rather than a wsse:Reference or wsse:Embedded element -->

Reading SOAP is fun – 2

<wsse:Security>
  <wsse:BinarySecurityToken wsu:Id='SomeCert'
      ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
      EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">
    lui+Jy4WYKGJW5xM3aHnLxOpGVIpzSg4V486hHFe7sHET/uxxVBovT7JV1A2RnWSWkXm9jAEdsm/...
  </wsse:BinarySecurityToken>
  <wsse:SecurityTokenReference>
    <wsse:Reference URI='#SomeCert' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
  </wsse:SecurityTokenReference>
</wsse:Security>

Reading SOAP is fun – 3

<wsse:Security>
  <wsse:SecurityTokenReference>
    <wsse:Embedded wsu:Id="TheEmbeddedElementAroundSomeCert">
      <wsse:BinarySecurityToken wsu:Id='SomeCert'
          ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
          EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">
        lui+Jy4WYKGJW5xM3aHnLxOpGVIpzSg4V486hHFe7sHET/uxxVBovT7JV1A2RnWSWkXm9jAEdsm/...
      </wsse:BinarySecurityToken>
    </wsse:Embedded>
  </wsse:SecurityTokenReference>
</wsse:Security>

Reading SOAP is fun – 4

<wsse:Security>
  <xenc:EncryptedKey>
    <xenc:EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#rsa-1_5'/>
    <ds:KeyInfo>
      <wsse:SecurityTokenReference>
        <wsse:Reference URI='#SomeCert' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
      </wsse:SecurityTokenReference>
    </ds:KeyInfo>
    <xenc:CipherData>
      <xenc:CipherValue>XZEEVABD3L9G+VNTCDiDTE7WB1a4kILtz5f9FT747eE=</xenc:CipherValue>
    </xenc:CipherData>
  </xenc:EncryptedKey>
  <wsse:BinarySecurityToken wsu:Id='SomeCert'
      ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
      EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">
    lui+Jy4WYKGJW5xM3aHnLxOpGVIpzSg4V486hHFe7sHET/uxxVBovT7JV1A2RnWSWkXm9jAEdsm/...
  </wsse:BinarySecurityToken>
</wsse:Security>

<!-- This example is incorrect because the wsse:BinarySecurityToken with the wsu:Id of SomeCert appears after it is
     referenced from within the xenc:EncryptedKey element -->

Reading SOAP is fun – 5

<wsse:Security xmlns:wsse='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd'
    xmlns:wsu='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'
    xmlns:xenc='http://www.w3.org/2001/04/xmlenc#'
    xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
  <wsse:SecurityTokenReference>
    <wsse:Reference URI='http://www.ws-i.org/CertStore/Examples/BSP.PEM'
        ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
  </wsse:SecurityTokenReference>
</wsse:Security>

Reading SOAP is fun – 6

<wsse:BinarySecurityToken wsu:Id='SomeCert'
    ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
    EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">
  lui+Jy4WYKGJW5xM3aHnLxOpGVIpzSg4V486hHFe7sHET/uxxVBovT7JV1A2RnWSWkXm9jAEdsm/...
</wsse:BinarySecurityToken>
<wsse:SecurityTokenReference wsu:Id="TheFirstSTR">
  <wsse:Reference URI='#SomeCert' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
</wsse:SecurityTokenReference>
<wsse:SecurityTokenReference>
  <wsse:Reference URI='#TheFirstSTR' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
</wsse:SecurityTokenReference>

<!-- This example is incorrect because the second wsse:SecurityTokenReference element refers to the
     wsse:SecurityTokenReference with a wsu:Id of TheFirstSTR -->

Reading SOAP is fun – 7

<wsse:Security>
  <wsu:Timestamp wsu:Id="timestamp1">
    <wsu:Created>2001-09-13T08:42:00Z</wsu:Created>
    <wsu:Expires>2001-10-13T09:00:00Z</wsu:Expires>
  </wsu:Timestamp>
  <wsu:Timestamp wsu:Id="timestamp2">
    <wsu:Created>2001-09-13T08:42:00Z</wsu:Created>
    <wsu:Expires>2001-10-13T09:00:00Z</wsu:Expires>
  </wsu:Timestamp>
</wsse:Security>

<!-- This example is incorrect because a Security header MUST NOT contain more than one Timestamp -->

Reading SOAP is fun – 8

<soap:Header>
  <wsse:Security></wsse:Security>
  <wsse:Security></wsse:Security>
</soap:Header>

<!-- This is incorrect. A SOAP Header MUST NOT have more than one Security header where the actor/role attribute is omitted -->

Reading SOAP is fun – 9

<soap:Header>
  <wsse:Security actor="foo"></wsse:Security>
  <wsse:Security actor="foo"></wsse:Security>
</soap:Header>

<!-- This is incorrect. A SOAP Header MUST NOT have more than one Security header with the same actor/role attribute value -->

Reading SOAP is fun – 10

<ds:Signature Id='TheSig' xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
  <ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#'/>
    <ds:Reference URI='#SigPropBody'>
      <ds:Transforms>
        <ds:Transform Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#'/>
      </ds:Transforms>
      <ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>
      <ds:DigestValue>i3qi5GjhHnfoBn/jOjQp2mq0Na4=</ds:DigestValue>
    </ds:Reference>
  </ds:SignedInfo>
  <ds:SignatureValue>oxNwoqGbzqg1YBliz+PProgcjw8=</ds:SignatureValue>
  <ds:KeyInfo>
    <wsse:SecurityTokenReference>
      <wsse:Reference URI='#SomeCert' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
    </wsse:SecurityTokenReference>
  </ds:KeyInfo>
  <ds:Object>
    <ds:SignatureProperties>
      <ds:SignatureProperty Id='SigPropBody' Target='#TheSig'>
        <SomeSecurityToken/>
      </ds:SignatureProperty>
    </ds:SignatureProperties>
  </ds:Object>
</ds:Signature>

<!-- This is incorrect. A detached signature must be used; enveloping or enveloped signatures are not allowed -->

Reading SOAP is fun – 11

<wsse:Security>
  <wsse:BinarySecurityToken wsu:Id='SomeCert' ValueType="..."></wsse:BinarySecurityToken>
  <ds:Signature xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#'/>
      <ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/>
      <ds:Reference URI=''>
        <ds:Transforms>
          <ds:Transform Algorithm='http://www.w3.org/TR/1999/REC-xpath-19991116'>
            <ds:XPath>/soap:Envelope/soap:Body/*</ds:XPath>
          </ds:Transform>
          <ds:Transform Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#'/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>
        <ds:DigestValue>VEPKwzfPGOxh2OUpoK0bcl58jtU=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>+diIuEyDpV7qxVoUOkb5rj61+Zs=</ds:SignatureValue>
    <ds:KeyInfo>
      <wsse:SecurityTokenReference>
        <wsse:Reference URI='#SomeCert' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
      </wsse:SecurityTokenReference>
    </ds:KeyInfo>
  </ds:Signature>
</wsse:Security>

A signature reference to an element that does not have an ID attribute MUST contain a TRANSFORM with an Algorithm attribute value of "http://www.w3.org/2002/06/xmldsig-filter2".

Reading SOAP is fun – 12

<wsse:Security>
  <ds:Signature xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#'/>
      <ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/>
      <ds:Reference URI=''>
        <ds:Transforms>
          <ds:Transform Algorithm='http://www.w3.org/2002/06/xmldsig-filter2' xmlns:dsxp='http://www.w3.org/2002/06/xmldsig-filter2'>
            <dsxp:XPath Filter='intersect'>/soap:Envelope/soap:Body/*</dsxp:XPath>
          </ds:Transform>
          <ds:Transform Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#'>
            <xc14n:InclusiveNamespaces xmlns:xc14n='http://www.w3.org/2001/10/xml-exc-c14n#'/>
          </ds:Transform>
        </ds:Transforms>
        <ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>
        <ds:DigestValue>VEPKwzfPGOxh2OUpoK0bcl58jtU=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>+diIuEyDpV7qxVoUOkb5rj61+Zs=</ds:SignatureValue>
    <ds:KeyInfo>
      <wsse:SecurityTokenReference>
        <wsse:Reference URI='#SomeCert' ValueType="..."/>
      </wsse:SecurityTokenReference>
    </ds:KeyInfo>
  </ds:Signature>
</wsse:Security>

Reading SOAP is fun – 13

<ds:KeyInfo xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
  <wsse:SecurityTokenReference>
    <wsse:Reference URI='#SomeCert' ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
  </wsse:SecurityTokenReference>
</ds:KeyInfo>

Any Signature/Encryption KeyInfo MUST contain a SecurityTokenReference child element, and that is the only child element.

Reading SOAP is fun – 14

<ds:Signature xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
  <ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#'/>
    <ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/>
    <ds:Reference URI='#TheManifest'></ds:Reference>
  </ds:SignedInfo>
  <ds:SignatureValue>L7X0Zw23/zYQnX4+Z+p0gCygKQ0=</ds:SignatureValue>
  <ds:KeyInfo>
    <wsse:SecurityTokenReference></wsse:SecurityTokenReference>
  </ds:KeyInfo>
  <ds:Object>
    <ds:Manifest Id='TheManifest'>
      <ds:Reference URI='#TheBody'>
        <ds:Transforms>
          <ds:Transform Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#'/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>
        <ds:DigestValue>+VTJraRYFT3pl7Z4uAWhmr5+bf4=</ds:DigestValue>
      </ds:Reference>
    </ds:Manifest>
  </ds:Object>
</ds:Signature>

This is incorrect. A Signature MUST NOT contain a ds:Manifest descendant element.

Reading SOAP is fun – 15

<wsse:Security>
  <wsse:BinarySecurityToken wsu:Id='SomeCert' ValueType="..."></wsse:BinarySecurityToken>
  <xenc:EncryptedData Id='Enc1'>
    <xenc:EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#tripledes-cbc'/>
    <xenc:CipherData>
      <xenc:CipherValue></xenc:CipherValue>
    </xenc:CipherData>
  </xenc:EncryptedData>
  <xenc:EncryptedKey>
    <xenc:EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#rsa-1_5'/>
    <ds:KeyInfo>
      <wsse:SecurityTokenReference></wsse:SecurityTokenReference>
    </ds:KeyInfo>
    <xenc:CipherData>
      <xenc:CipherValue></xenc:CipherValue>
    </xenc:CipherData>
    <xenc:ReferenceList>
      <xenc:DataReference URI='#Enc1'/>
    </xenc:ReferenceList>
  </xenc:EncryptedKey>
</wsse:Security>

This is incorrect. Any EncryptedKey MUST precede any EncryptedData in the same Security header that is referenced by the associated ReferenceList.

Reading SOAP is fun – 16

<wsse:Security>
  <wsse:BinarySecurityToken wsu:Id='SomeCert' ValueType="..."></wsse:BinarySecurityToken>
  <xenc:EncryptedKey>
    <xenc:EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#rsa-1_5'/>
    <ds:KeyInfo>
      <wsse:SecurityTokenReference>
        <wsse:Reference URI='#SomeCert' ValueType="..."/>
      </wsse:SecurityTokenReference>
    </ds:KeyInfo>
    <xenc:CipherData>
      <xenc:CipherValue></xenc:CipherValue>
    </xenc:CipherData>
  </xenc:EncryptedKey>
  <xenc:ReferenceList>
    <xenc:DataReference URI='#Enc1'/>
  </xenc:ReferenceList>
  <xenc:EncryptedData Id='Enc1'>
    <xenc:EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#tripledes-cbc'/>
    <xenc:CipherData>
      <xenc:CipherValue></xenc:CipherValue>
    </xenc:CipherData>
  </xenc:EncryptedData>
</wsse:Security>

<!-- This example is incorrect because the xenc:EncryptedKey element is missing an xenc:ReferenceList child element -->
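The rules behind the quiz above and the Token References section, written as an added example (not code from the presentation): a small Python lint that walks a SOAP envelope and reports each Basic Security Profile violation it finds. The namespace URIs are the standard WSS/XML-DSig/XML-Enc ones; the finding codes and the sample messages are my own construction.

```python
# Added example, not from the presentation: a Basic-Security-Profile style lint
# for the rules behind the "Reading SOAP is fun" quiz. Finding codes are my own naming.
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def q(prefix, local):
    """Clark-notation tag name ({namespace}local) as ElementTree expects it."""
    return "{%s}%s" % (NS[prefix], local)

WSU_ID = q("wsu", "Id")

def lint_security(sec):
    """Check one wsse:Security element; return a list of (code, detail) findings."""
    findings = []
    order = {el: i for i, el in enumerate(sec.iter())}  # document order of every element
    by_id = {el.get(a): el for el in sec.iter() for a in (WSU_ID, "Id") if el.get(a)}
    # Quiz 7: a Security header carries at most one wsu:Timestamp.
    if len(sec.findall(q("wsu", "Timestamp"))) > 1:
        findings.append(("multiple-timestamps", ""))
    # Quiz 13: ds:KeyInfo has exactly one child, a wsse:SecurityTokenReference.
    for ki in sec.iter(q("ds", "KeyInfo")):
        if [k.tag for k in ki] != [q("wsse", "SecurityTokenReference")]:
            findings.append(("keyinfo-not-str", ""))
    for sig in sec.iter(q("ds", "Signature")):
        # Quiz 14: no ds:Manifest anywhere under a ds:Signature.
        if sig.find(".//" + q("ds", "Manifest")) is not None:
            findings.append(("manifest-in-signature", ""))
        # Quiz 10: detached signatures only, so no ds:Reference may point inside the Signature.
        inside = {el.get(WSU_ID) or el.get("Id") for el in sig.iter()} - {None}
        for ref in sig.iter(q("ds", "Reference")):
            if ref.get("URI", "").startswith("#") and ref.get("URI")[1:] in inside:
                findings.append(("signature-not-detached", ref.get("URI")))
    # Quiz 4, 5, 6: a direct wsse:Reference by fragment must point at a token that
    # precedes it and never at another STR; a full external URI is allowed.
    for ref in sec.iter(q("wsse", "Reference")):
        uri = ref.get("URI", "")
        if not uri.startswith("#"):
            continue
        target = by_id.get(uri[1:])
        if target is None:
            findings.append(("dangling-reference", uri))
        elif target.tag == q("wsse", "SecurityTokenReference"):
            findings.append(("str-to-str", uri))
        elif order[target] > order[ref]:
            findings.append(("forward-reference", uri))
    # Quiz 15, 16: every EncryptedKey has a ReferenceList child and precedes the EncryptedData it lists.
    for ek in sec.iter(q("xenc", "EncryptedKey")):
        rl = ek.find(q("xenc", "ReferenceList"))
        if rl is None:
            findings.append(("encryptedkey-no-referencelist", ""))
            continue
        for dr in rl.findall(q("xenc", "DataReference")):
            target = by_id.get(dr.get("URI", "")[1:])
            if target is not None and order[target] < order[ek]:
                findings.append(("encryptedkey-after-data", dr.get("URI")))
    return findings

def lint_envelope(envelope_xml):
    """Lint every Security header of a SOAP 1.1 envelope; [] means every check passed."""
    header = ET.fromstring(envelope_xml).find(q("soap", "Header"))
    findings, seen_actors = [], set()
    for sec in (header.findall(q("wsse", "Security")) if header is not None else []):
        # Quiz 8, 9: at most one Security header per actor, "no actor" included.
        actor = sec.get(q("soap", "actor")) or sec.get("actor") or ""
        if actor in seen_actors:
            findings.append(("duplicate-security-header", actor or "(no actor)"))
        seen_actors.add(actor)
        findings.extend(lint_security(sec))
    return findings

def envelope(*security_headers):
    """Wrap constructed Security header fragments in a minimal SOAP 1.1 envelope (test input)."""
    decls = " ".join('xmlns:%s="%s"' % (p, u) for p, u in NS.items())
    return ('<soap:Envelope %s><soap:Header>%s</soap:Header>'
            '<soap:Body wsu:Id="MsgBody"/></soap:Envelope>') % (decls, "".join(security_headers))

# Constructed sample that follows the rules: one timestamp, token before the signature that uses it.
GOOD = envelope("""<wsse:Security>
  <wsu:Timestamp wsu:Id="ts"><wsu:Created>2001-09-13T08:42:00Z</wsu:Created></wsu:Timestamp>
  <wsse:BinarySecurityToken wsu:Id="SomeCert" ValueType="...#X509v3">MIIE...</wsse:BinarySecurityToken>
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#MsgBody"/></ds:SignedInfo><ds:KeyInfo>
  <wsse:SecurityTokenReference><wsse:Reference URI="#SomeCert"/></wsse:SecurityTokenReference>
  </ds:KeyInfo></ds:Signature></wsse:Security>""")

# Constructed sample that breaks quiz 7, 4, 15 and 8 at once.
BAD = envelope("""<wsse:Security>
  <wsu:Timestamp wsu:Id="t1"/><wsu:Timestamp wsu:Id="t2"/>
  <xenc:EncryptedData Id="Enc1"/>
  <xenc:EncryptedKey><ds:KeyInfo><wsse:SecurityTokenReference>
  <wsse:Reference URI="#SomeCert"/></wsse:SecurityTokenReference></ds:KeyInfo>
  <xenc:ReferenceList><xenc:DataReference URI="#Enc1"/></xenc:ReferenceList></xenc:EncryptedKey>
  <wsse:BinarySecurityToken wsu:Id="SomeCert"/></wsse:Security>""", "<wsse:Security/>")
```

`lint_envelope(GOOD)` returns an empty list, while `lint_envelope(BAD)` reports the duplicate timestamp, the forward token reference, the EncryptedData placed before its EncryptedKey, and the second actor-less Security header.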

<wsse11:SignatureConfirmation />

Ensures that a received SOAP message was generated in response to the original request sent by the web client. The client request is typically signed but does not have to be. In this mechanism, the web service adds a <SignatureConfirmation> element to the security header element, and the web client can check that <SignatureConfirmation> element.

<wsse11:SignatureConfirmation wsu:Id="..." Value="..." />

<wsse11:EncryptedHeader />

WSS 1.1 introduced a new <EncryptedHeader /> mechanism to encrypt headers. When it is required that an entire SOAP header block, including the top-level element and its attributes, be encrypted, the original header block is replaced with an <EncryptedHeader />. Where an <EncryptedHeader /> element exists, it contains a child <EncryptedData /> element that is the result of encrypting the header block.

STR-Transform

<wsse:SecurityTokenReference wsu:Id="Str1">
</wsse:SecurityTokenReference>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:SignedInfo>
    <ds:Reference URI="#Str1">
      <ds:Transforms>
        <ds:Transform Algorithm="...#STR-Transform">
          <wsse:TransformationParameters>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
          </wsse:TransformationParameters>
        </ds:Transform>
      </ds:Transforms>
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <ds:DigestValue>...</ds:DigestValue>
    </ds:Reference>
  </ds:SignedInfo>
  <ds:SignatureValue></ds:SignatureValue>
</ds:Signature>

Transform URI: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform

STR-Transform

This transform is specified by the URI #STR-Transform. When applied to a <wsse:SecurityTokenReference> element, it means that the output is the token referenced by the <wsse:SecurityTokenReference> element, not the element itself.
