WS-Security Additional Material
Security Element: enclosing information

• UsernameToken block
  • Defines how username-and-password info is enclosed in SOAP
  • Password must be protected against eavesdroppers (encryption) and against replay (timestamp/nonce)
• BinarySecurityToken block
  • Encloses binary data: an X.509 certificate or a Kerberos ticket
  • Has an identifier (Id), a type of value (ValueType), and an encoding (EncodingType)
• XML Signature KeyInfo may point to a certificate used in signing, using a Reference to its Id. Similar for XML Encryption.
  • So we can sign/encrypt data with a certificate in the header.
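The UsernameToken bullet is where a worked example helps most: in the digest form of the token the client hashes a random nonce and a creation time together with the password, so the password itself never travels, and the receiver refuses stale timestamps and nonces it has already seen. The following Python is an added example written for this page, not code from the slides or from any WS-Security toolkit. It implements the PasswordDigest rule of the WSS UsernameToken Profile, Base64(SHA-1(nonce + created + password)), with standard-library modules only; the credential store, the five-minute freshness window and the small XML renderer are assumptions made for the demonstration.

```python
import base64
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone
from xml.sax.saxutils import escape

# Constructed credential store for the demo; a real receiver looks passwords up per user.
PASSWORD_DB = {"alice": "correct horse battery staple"}
# Assumed freshness window: tokens created more than this long ago (or in the future) are refused.
MAX_CLOCK_SKEW = timedelta(minutes=5)
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """WSS UsernameToken Profile: PasswordDigest = Base64(SHA-1(nonce + created + password))."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def build_username_token(username: str, password: str, created: str = None) -> dict:
    """Client side: a fresh random nonce plus a creation time, so the wire never carries the password."""
    created = created or datetime.now(timezone.utc).strftime(TIME_FMT)
    nonce = secrets.token_bytes(16)
    return {
        "Username": username,
        "PasswordDigest": password_digest(nonce, created, password),
        "Nonce": base64.b64encode(nonce).decode("ascii"),
        "Created": created,
    }


def username_token_xml(token: dict) -> str:
    """Render the token as the wsse:UsernameToken element placed inside the wsse:Security header."""
    safe = dict(token, Username=escape(token["Username"]))
    return (
        '<wsse:UsernameToken xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" '
        'xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">'
        "<wsse:Username>%(Username)s</wsse:Username>"
        '<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">'
        "%(PasswordDigest)s</wsse:Password>"
        '<wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">'
        "%(Nonce)s</wsse:Nonce>"
        "<wsu:Created>%(Created)s</wsu:Created>"
        "</wsse:UsernameToken>"
    ) % safe


class UsernameTokenVerifier:
    """Receiver side: recompute the digest, refuse stale tokens and refuse any nonce seen before."""

    def __init__(self, password_db: dict, now: datetime = None):
        self.password_db = password_db
        self.now = now                 # fixed clock for tests; None means the real clock
        self.seen_nonces = {}          # nonce bytes -> Created time, kept for the skew window

    def verify(self, token: dict) -> bool:
        password = self.password_db.get(token.get("Username"))
        if password is None:
            return False
        try:
            created = datetime.strptime(token["Created"], TIME_FMT).replace(tzinfo=timezone.utc)
            nonce = base64.b64decode(token["Nonce"], validate=True)
        except (KeyError, ValueError):
            return False
        now = self.now or datetime.now(timezone.utc)
        if abs(now - created) > MAX_CLOCK_SKEW:
            return False               # stale or future-dated: outside the replay window
        self._forget_expired(now)
        if nonce in self.seen_nonces:
            return False               # same nonce again inside the window: a replay
        expected = password_digest(nonce, token["Created"], password)
        if not hmac.compare_digest(expected, token.get("PasswordDigest", "")):
            return False
        self.seen_nonces[nonce] = created
        return True

    def _forget_expired(self, now: datetime) -> None:
        """Nonces older than the skew window can be dropped: their tokens are refused as stale anyway."""
        cutoff = now - MAX_CLOCK_SKEW
        for old in [n for n, c in self.seen_nonces.items() if c < cutoff]:
            del self.seen_nonces[old]


if __name__ == "__main__":
    t = build_username_token("alice", PASSWORD_DB["alice"])
    print(username_token_xml(t))
    v = UsernameTokenVerifier(PASSWORD_DB)
    print("first use:", v.verify(t), "replay:", v.verify(t))
```

The nonce cache only has to remember nonces for as long as the freshness window lasts, because any token older than that is refused on its timestamp alone; that is why the two checks belong together, and why a receiver without a nonce cache gets no replay protection from the timestamp by itself.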
ID References

• A new global attribute: wsu:Id
  <anyElement wsu:Id="..">..</anyElement>
• Note that the SOAP processor needs to support this wsu:Id, which comes from a WS-Security namespace (wssecurity-secext-1.0.xsd)
• Recipients do not need to understand the full schema of the message for processing the security elements
• Two wsu:Id attributes within an XML document MUST NOT have the same value
• Recommended that wsu:Id is used instead of a more general transformation, especially XPath
Signatures

• Does not use the Enveloped Signature Transform, so the signature does not envelope the signed data (due to mutability of the SOAP header)
• Does not use the Enveloping Signature, so the signature is not appended as a child to the document
• The signature is appended to the security block; the elements to be signed are included explicitly
• Allows for extensions, multiple signatures, etc.
Signing Messages

• Multiple signature entries MAY be added into a single SOAP Envelope within one <wsse:Security> header block
• New entries MUST be prepended to the existing content
• <ds:Reference> elements contained in the signature should refer to a resource within the enclosing SOAP envelope
• <wsse:SecurityTokenReference>: how to locate a key in a security token?
  • Extensible mechanism that provides an open content model for referencing security tokens
  • Specification considers only its use in a header block
• New reference option for XML Signature: the STR Dereference Transform
  • Applied to a SecurityTokenReference
  • Means that the output is the token referenced by the element, not the element itself
  • You can conveniently locate and sign security tokens anywhere in the header
XML Encryption Example
Encryption

(Figure: an asymmetric key pair; the public key encrypts, the private key decrypts.)
XML Encryption

Element grammar of EncryptedData (a trailing `?` marks an optional item):

```xml
<EncryptedData Id? Type? MimeType? Encoding?>
  <EncryptionMethod/>?
  <ds:KeyInfo>
    <EncryptedKey>?
    <AgreementMethod>?
    <ds:KeyName>?
    <ds:RetrievalMethod>?
    <ds:*>?
  </ds:KeyInfo>?
  <CipherData>
    <CipherValue>?
    <CipherReference URI?>?
  </CipherData>
  <EncryptionProperties>?
</EncryptedData>
```
Example

• SOAP Envelope
  • SOAP Header
    • WS-Security
      • Security token (a certificate)
      • Encryption key (passing a symmetric key)
      • Signature
  • SOAP Body
    • Encrypted content
Overall message structure

The numbered comments mark the four parts detailed on the following slides; the wsse:Security element is the security block.

```xml
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope>
  <soap:Header>
    <wsse:Security>                                              <!-- security block -->
      <wsse:BinarySecurityToken>...</wsse:BinarySecurityToken>   <!-- 1 -->
      <xenc:EncryptedKey>...</xenc:EncryptedKey>                 <!-- 2 -->
      <ds:Signature>                                             <!-- 3 -->
        <ds:SignatureValue>...</ds:SignatureValue>
        <ds:KeyInfo>...</ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
  </soap:Header>
  <soap:Body wsu:Id="body">
    <xenc:EncryptedData>...</xenc:EncryptedData>                 <!-- 4 -->
  </soap:Body>
</soap:Envelope>
```
1. Binary security token

```xml
<wsse:Security>
  <wsu:Timestamp wsu:Id="T0">
    <wsu:Created>2001-09-13T08:42:00Z</wsu:Created>
  </wsu:Timestamp>
  <wsse:BinarySecurityToken ValueType="...#X509v3"
                            wsu:Id="X509Token"
                            EncodingType="...#Base64Binary">
    ABCDEF....
  </wsse:BinarySecurityToken>
  <xenc:EncryptedKey>...</xenc:EncryptedKey>
  <ds:Signature>...</ds:Signature>
</wsse:Security>
```
2. Passing encryption key

```xml
<xenc:EncryptedKey>
  <xenc:EncryptionMethod Algorithm="...#rsa-1_5"/>
  <ds:KeyInfo>                       <!-- a second certificate, used for the asymmetric crypto -->
    <wsse:KeyIdentifier EncodingType="...#Base64Binary" ValueType="...#X509v3">
      ABCDEF....
    </wsse:KeyIdentifier>
  </ds:KeyInfo>
  <xenc:CipherData>                  <!-- the encrypted symmetric key -->
    <xenc:CipherValue>...</xenc:CipherValue>
  </xenc:CipherData>
  <xenc:ReferenceList>               <!-- reference to the cipher data this key decrypts -->
    <xenc:DataReference URI="#enc1"/>
  </xenc:ReferenceList>
</xenc:EncryptedKey>
```

We are using another certificate for the asymmetric crypto; this key is the symmetric one, carried encrypted under that certificate, and the ReferenceList points at the cipher data it unlocks.
3. Actual signature

```xml
<ds:Signature>
  <ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://...-exc-c14n#"/>   <!-- exclusive canonicalization -->
    <ds:SignatureMethod Algorithm="http://...#rsa-sha1"/>
    <ds:Reference URI="#T0">...</ds:Reference>                     <!-- references & digests to data -->
    <ds:Reference URI="#body">...</ds:Reference>
    ...
  </ds:SignedInfo>
  <ds:SignatureValue>.....</ds:SignatureValue>
  <ds:KeyInfo>
    <wsse:SecurityTokenReference>                                  <!-- reference to the certificate -->
      <wsse:Reference URI="#X509Token"/>
    </wsse:SecurityTokenReference>
  </ds:KeyInfo>
</ds:Signature>
```
3. SignedInfo in more detail

```xml
<ds:SignedInfo>
  <ds:CanonicalizationMethod Algorithm="http://...-exc-c14n#"/>
  <ds:SignatureMethod Algorithm="http://...#rsa-sha1"/>
  <ds:Reference URI="#T0">
    <ds:Transforms>
      <ds:Transform Algorithm="http://...exc-c14n#"/>
    </ds:Transforms>
    <ds:DigestMethod Algorithm="http://...#sha1"/>
    <ds:DigestValue>...</ds:DigestValue>
  </ds:Reference>
  <ds:Reference URI="#body">
    <ds:Transforms>
      <ds:Transform Algorithm="http://...exc-c14n#"/>
    </ds:Transforms>
    <ds:DigestMethod Algorithm="http://...#sha1"/>
    <ds:DigestValue>...</ds:DigestValue>
  </ds:Reference>
</ds:SignedInfo>
```
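The ID References, Signatures and Signing Messages slides and the SignedInfo detail above describe one mechanism: each ds:Reference names a wsu:Id inside the envelope, its DigestValue is the hash of that element after canonicalization, and SignatureValue covers the canonicalized SignedInfo. The Python below is an added example written for this page, not code from the slides or from any SOAP stack; it produces and checks such a detached signature over the Timestamp and Body of a constructed envelope, enforcing the two rules the slides state for the receiver (no two equal wsu:Id values, and every reference resolving inside the envelope) plus a required-coverage policy that is the example's own choice. Two further assumptions: it uses the standard library's C14N 2.0 canonicalization in place of exclusive C14N, and an HMAC-SHA256 SignatureMethod (a real XML Signature algorithm URI) in place of the slides' rsa-sha1, because the standard library has no RSA.

```python
import base64
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)
WSU_ID = "{%s}Id" % NS["wsu"]
DS = "{%s}" % NS["ds"]
C14N_URI = "http://www.w3.org/2010/10/xml-c14n2"                 # stand-in for exc-c14n (assumption)
SIG_URI = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"   # stand-in for rsa-sha1 (assumption)
DIGEST_URI = "http://www.w3.org/2001/04/xmlenc#sha256"
KEY = b"constructed-demo-key"                                    # shared secret for the HMAC stand-in

# Constructed envelope: Timestamp and Body carry wsu:Id so that ds:Reference can point at them.
ENVELOPE = """<soap:Envelope xmlns:soap="%(soap)s" xmlns:wsse="%(wsse)s" xmlns:wsu="%(wsu)s">
  <soap:Header>
    <wsse:Security>
      <wsu:Timestamp wsu:Id="T0"><wsu:Created>2001-09-13T08:42:00Z</wsu:Created></wsu:Timestamp>
    </wsse:Security>
  </soap:Header>
  <soap:Body wsu:Id="body"><Transfer xmlns="urn:example"><Amount>17</Amount></Transfer></soap:Body>
</soap:Envelope>""" % NS


def canon(elem) -> bytes:
    """Canonical bytes of one element, detached from its tail text."""
    elem = copy.deepcopy(elem)
    elem.tail = None
    return ET.canonicalize(ET.tostring(elem, encoding="unicode"), rewrite_prefixes=True).encode("utf-8")


def collect_ids(root) -> dict:
    """wsu:Id -> element for the whole document; two equal wsu:Id values are rejected (ID References slide)."""
    ids = {}
    for el in root.iter():
        ident = el.get(WSU_ID)
        if ident is not None:
            if ident in ids:
                raise ValueError("duplicate wsu:Id %r" % ident)
            ids[ident] = el
    return ids


def digest_b64(elem) -> str:
    return base64.b64encode(hashlib.sha256(canon(elem)).digest()).decode("ascii")


def sign(envelope_xml: str, key: bytes, ids_to_sign) -> str:
    """Prepend a ds:Signature over the named wsu:Id elements to the wsse:Security header."""
    root = ET.fromstring(envelope_xml)
    ids = collect_ids(root)
    sig = ET.Element(DS + "Signature")
    si = ET.SubElement(sig, DS + "SignedInfo")
    ET.SubElement(si, DS + "CanonicalizationMethod", Algorithm=C14N_URI)
    ET.SubElement(si, DS + "SignatureMethod", Algorithm=SIG_URI)
    for ident in ids_to_sign:
        ref = ET.SubElement(si, DS + "Reference", URI="#" + ident)
        ET.SubElement(ref, DS + "DigestMethod", Algorithm=DIGEST_URI)
        ET.SubElement(ref, DS + "DigestValue").text = digest_b64(ids[ident])
    mac = hmac.new(key, canon(si), hashlib.sha256).digest()
    ET.SubElement(sig, DS + "SignatureValue").text = base64.b64encode(mac).decode("ascii")
    root.find("soap:Header/wsse:Security", NS).insert(0, sig)   # Signing Messages slide: prepended
    return ET.tostring(root, encoding="unicode")


def verify(signed_xml: str, key: bytes, required_ids=("body",)) -> list:
    """Return the wsu:Id values the signature covers, or raise ValueError naming the failure."""
    root = ET.fromstring(signed_xml)
    ids = collect_ids(root)
    sig = root.find("soap:Header/wsse:Security/ds:Signature", NS)
    si = None if sig is None else sig.find("ds:SignedInfo", NS)
    if si is None:
        raise ValueError("no ds:Signature/ds:SignedInfo in the Security header")
    expected = base64.b64encode(hmac.new(key, canon(si), hashlib.sha256).digest()).decode("ascii")
    claimed_sig = (sig.findtext("ds:SignatureValue", namespaces=NS) or "").strip()
    if not hmac.compare_digest(expected, claimed_sig):
        raise ValueError("SignatureValue does not match SignedInfo")
    covered = []
    for ref in si.findall("ds:Reference", NS):
        uri = ref.get("URI", "")
        if not uri.startswith("#") or uri[1:] not in ids:
            raise ValueError("reference %r does not resolve inside this envelope" % uri)
        claimed = (ref.findtext("ds:DigestValue", namespaces=NS) or "").strip()
        if not hmac.compare_digest(digest_b64(ids[uri[1:]]), claimed):
            raise ValueError("digest mismatch for %s: content changed after signing" % uri)
        covered.append(uri[1:])
    missing = set(required_ids) - set(covered)
    if missing:
        raise ValueError("signature does not cover required elements %s" % sorted(missing))
    return covered


def is_valid(signed_xml: str, key: bytes, required_ids=("body",)) -> bool:
    try:
        verify(signed_xml, key, required_ids)
        return True
    except ValueError:
        return False
```

A receiver that only checks SignatureValue and the digests learns that some elements were signed, not which ones; the `required_ids` policy is what turns "the signature verifies" into "the Body I am about to act on is the one that was signed".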
4. Actual message body

```xml
<soap:Body wsu:Id="body">
  <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" wsu:Id="enc1">
    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
    <xenc:CipherData>
      <xenc:CipherValue>...</xenc:CipherValue>
    </xenc:CipherData>
  </xenc:EncryptedData>
</soap:Body>
</soap:Envelope>
```
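Parts 2 and 4 above form one chain: the EncryptedKey in the Security header carries the symmetric key encrypted to a certificate, and its ReferenceList/DataReference names the EncryptedData (here wsu:Id="enc1") in the Body that the symmetric key decrypts. The Python below is an added example for this page, not code from the slides or from any toolkit; it walks that chain on a constructed message that mirrors the slide layout and vets it against an algorithm policy before any decryption would be attempted. It performs no cryptography itself (the CipherValue contents are placeholders); the two policies are assumptions made for the example, built from algorithm URIs defined by XML Encryption 1.0 and 1.1.

```python
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"
XENC11 = "http://www.w3.org/2009/xmlenc11#"
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": XENC,
}
WSU_ID = "{%s}Id" % NS["wsu"]

# Assumed receiver policies: accepted key-transport (EncryptedKey) and data (EncryptedData) algorithms.
LEGACY_POLICY = {
    "key_transport": {XENC + "rsa-1_5", XENC + "rsa-oaep-mgf1p"},
    "data": {XENC + "tripledes-cbc", XENC + "aes128-cbc", XENC + "aes256-cbc"},
}
MODERN_POLICY = {
    "key_transport": {XENC + "rsa-oaep-mgf1p", XENC11 + "rsa-oaep"},
    "data": {XENC11 + "aes128-gcm", XENC11 + "aes256-gcm"},
}

# Constructed message in the slides' layout; CipherValue contents are placeholders, not real ciphertext.
MESSAGE = """<soap:Envelope xmlns:soap="%(soap)s" xmlns:wsse="%(wsse)s" xmlns:wsu="%(wsu)s"
               xmlns:ds="%(ds)s" xmlns:xenc="%(xenc)s">
  <soap:Header>
    <wsse:Security>
      <xenc:EncryptedKey>
        <xenc:EncryptionMethod Algorithm="%(xenc)srsa-1_5"/>
        <ds:KeyInfo>
          <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">ABCDEF....</wsse:KeyIdentifier>
        </ds:KeyInfo>
        <xenc:CipherData><xenc:CipherValue>ENCRYPTED-SYMMETRIC-KEY</xenc:CipherValue></xenc:CipherData>
        <xenc:ReferenceList><xenc:DataReference URI="#enc1"/></xenc:ReferenceList>
      </xenc:EncryptedKey>
    </wsse:Security>
  </soap:Header>
  <soap:Body wsu:Id="body">
    <xenc:EncryptedData Type="%(xenc)sElement" wsu:Id="enc1">
      <xenc:EncryptionMethod Algorithm="%(xenc)stripledes-cbc"/>
      <xenc:CipherData><xenc:CipherValue>ENCRYPTED-BODY</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </soap:Body>
</soap:Envelope>""" % NS


def algorithm_of(el):
    method = el.find("xenc:EncryptionMethod", NS)
    return method.get("Algorithm") if method is not None else None


def decryption_plan(message_xml: str, policy: dict) -> list:
    """Resolve each EncryptedKey -> DataReference -> EncryptedData chain and vet it against the policy.

    Returns [(encrypted_data_id, key_transport_algorithm, data_algorithm), ...] or raises ValueError.
    """
    root = ET.fromstring(message_xml)
    targets = {}
    for ed in root.iter("{%s}EncryptedData" % XENC):
        ident = ed.get("Id") or ed.get(WSU_ID)      # XML Encryption's own Id, or the WS-Security wsu:Id
        if ident is None:
            raise ValueError("EncryptedData without an Id cannot be the target of a DataReference")
        if ident in targets:
            raise ValueError("duplicate EncryptedData id %r" % ident)
        targets[ident] = ed
    plan = []
    for ek in root.findall("soap:Header/wsse:Security/xenc:EncryptedKey", NS):
        transport = algorithm_of(ek)
        if transport not in policy["key_transport"]:
            raise ValueError("key transport algorithm %r not allowed by policy" % transport)
        if ek.find("xenc:CipherData/xenc:CipherValue", NS) is None:
            raise ValueError("EncryptedKey must carry its CipherValue inline")
        for ref in ek.findall("xenc:ReferenceList/xenc:DataReference", NS):
            uri = ref.get("URI", "")
            if not uri.startswith("#") or uri[1:] not in targets:
                raise ValueError("DataReference %r does not resolve inside the message" % uri)
            ed = targets[uri[1:]]
            data_alg = algorithm_of(ed)
            if data_alg not in policy["data"]:
                raise ValueError("data encryption algorithm %r not allowed by policy" % data_alg)
            if ed.find("xenc:CipherData/xenc:CipherReference", NS) is not None:
                raise ValueError("CipherReference would fetch ciphertext from outside the message")
            plan.append((uri[1:], transport, data_alg))
    if not plan:
        raise ValueError("no EncryptedKey/DataReference chain found")
    return plan


def layout_ok(message_xml: str, policy: dict) -> bool:
    try:
        decryption_plan(message_xml, policy)
        return True
    except ValueError:
        return False
```

Run against the slide-style message, the legacy policy accepts the rsa-1_5 / tripledes-cbc pair the slides use, while the modern policy refuses it at the key-transport step; the point of resolving the whole chain first is that the receiver decides which algorithms it will run, and on which element, before handing any ciphertext to a decryption routine.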
SAML Examples
Attribute assertion

• An issuing authority asserts that subject S is associated with attributes A, B, ... with values "a", "b", ...
• Typically this would be obtained from an LDAP repository
• Example: "john.doe" in "example.com" is associated with attribute "Department" with value "Human Resources"
Example attribute assertion

```xml
<saml:Assertion ...>
  <saml:Conditions .../>
  <saml:AttributeStatement>
    <saml:Subject>
      <saml:NameIdentifier SecurityDomain="example.com" Name="johndoe"/>
    </saml:Subject>
    <saml:Attribute AttributeName="PaidStatus" AttributeNameSpace="http://example.com">
      <saml:AttributeValue>PaidUp</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
```
Authorization decision assertion

• An issuing authority decides whether to grant the request by subject S for access type A to resource R, given evidence E
• The subject could be a human or a program
• The resource could be a web page or a web service, for example
Example authorization decision assertion

```xml
<saml:Assertion ...>
  <saml:Conditions .../>
  <saml:AuthorizationStatement Decision="Permit" Resource="http://example.com/res123">
    <saml:Subject>
      <saml:NameIdentifier SecurityDomain="example.com" Name="johndoe"/>
    </saml:Subject>
  </saml:AuthorizationStatement>
</saml:Assertion>
```
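The two SAML slides describe what an assertion says; the Python below is an added example for this page, not code from the slides or from any SAML library, showing how a relying party reads those statements back. It extracts the attributes an attribute assertion gives one subject and the Decision an authorization decision assertion gives for one (subject, resource, action) triple, and in both cases honours the validity window in the Conditions element that the slides leave elided. Assumptions: the two assertions are constructed samples written with the final SAML 1.0 element and attribute names (subject name as NameIdentifier text with a NameQualifier, AttributeNamespace, AuthorizationDecisionStatement with an Action child), which differ slightly from the draft-era names on the slides, and the assertion's signature is taken to have been verified before these functions run.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"saml": SAML}
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample: attribute assertion about johndoe, valid for a ten-minute window.
ATTRIBUTE_ASSERTION = """<saml:Assertion xmlns:saml="%s" MajorVersion="1" MinorVersion="0"
    AssertionID="_constructed-attr-1" Issuer="example.com" IssueInstant="2001-09-13T08:42:00Z">
  <saml:Conditions NotBefore="2001-09-13T08:40:00Z" NotOnOrAfter="2001-09-13T08:50:00Z"/>
  <saml:AttributeStatement>
    <saml:Subject>
      <saml:NameIdentifier NameQualifier="example.com">johndoe</saml:NameIdentifier>
    </saml:Subject>
    <saml:Attribute AttributeName="PaidStatus" AttributeNamespace="http://example.com">
      <saml:AttributeValue>PaidUp</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="Department" AttributeNamespace="http://example.com">
      <saml:AttributeValue>Human Resources</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>""" % SAML

# Constructed sample: authorization decision assertion permitting johndoe to Read one resource.
AUTHZ_ASSERTION = """<saml:Assertion xmlns:saml="%s" MajorVersion="1" MinorVersion="0"
    AssertionID="_constructed-authz-1" Issuer="example.com" IssueInstant="2001-09-13T08:42:00Z">
  <saml:Conditions NotBefore="2001-09-13T08:40:00Z" NotOnOrAfter="2001-09-13T08:50:00Z"/>
  <saml:AuthorizationDecisionStatement Decision="Permit" Resource="http://example.com/res123">
    <saml:Subject>
      <saml:NameIdentifier NameQualifier="example.com">johndoe</saml:NameIdentifier>
    </saml:Subject>
    <saml:Action Namespace="urn:oasis:names:tc:SAML:1.0:action:rwedc">Read</saml:Action>
  </saml:AuthorizationDecisionStatement>
</saml:Assertion>""" % SAML


def _parse_time(value: str) -> datetime:
    return datetime.strptime(value, TIME_FMT).replace(tzinfo=timezone.utc)


def conditions_hold(assertion, now: str) -> bool:
    """SAML Conditions: valid from NotBefore (inclusive) up to, but excluding, NotOnOrAfter."""
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        return True                      # no Conditions element: the assertion is unconditional
    t = _parse_time(now)
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and t < _parse_time(not_before):
        return False
    if not_on_or_after and t >= _parse_time(not_on_or_after):
        return False
    return True


def _subject_name(statement) -> str:
    return (statement.findtext("saml:Subject/saml:NameIdentifier", namespaces=NS) or "").strip()


def attributes_for(assertion_xml: str, subject: str, now: str) -> dict:
    """Attributes the assertion grants `subject` at time `now`; empty if expired or about someone else."""
    root = ET.fromstring(assertion_xml)
    if not conditions_hold(root, now):
        return {}
    attrs = {}
    for stmt in root.findall("saml:AttributeStatement", NS):
        if _subject_name(stmt) != subject:
            continue
        for attr in stmt.findall("saml:Attribute", NS):
            values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
            attrs[attr.get("AttributeName")] = values
    return attrs


def decision_for(assertion_xml: str, subject: str, resource: str, action: str, now: str) -> str:
    """Decision for exactly this (subject, resource, action); anything unmatched is Indeterminate,
    which a relying party treats as a denial."""
    root = ET.fromstring(assertion_xml)
    if not conditions_hold(root, now):
        return "Indeterminate"
    for stmt in root.findall("saml:AuthorizationDecisionStatement", NS):
        actions = [(a.text or "").strip() for a in stmt.findall("saml:Action", NS)]
        if _subject_name(stmt) == subject and stmt.get("Resource") == resource and action in actions:
            return stmt.get("Decision", "Indeterminate")
    return "Indeterminate"
```

The relying party matches on the full triple and returns Indeterminate for anything else, so a Permit for Read on res123 says nothing about Write on the same resource or about any other resource; only an exact match, inside the Conditions window, yields the issuer's decision.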