XML and Web Service Security Survey
Lili Sun...
20/06/09 2
Outline
• Introduction
• What is security?
• XML-based Web services security standards
  - XML signatures
  - XML encryption
  - XML Key Management Specification
  - Extensible Access Control Markup Language
  - Security Assertion Markup Language
  - WS-Security
• How they work together
• Conclusion

Introduction
• Meeting security requirements for privacy, confidentiality and integrity is essential in order to move business online.
• XML has been widely used in e-services and M-services.
• XML has emerged as a prevalent standard for document representation and exchange on the Web.
• The following example shows a credit card message from a bank as an XML document; without protective security, anyone can access it.

<?xml version="1.0" encoding="ISO-8859-1"?>
<PaymentInfo xmlns="http://example.org/paymentv2">
  <name>John Smith</name>
  <CreditCard Limit='$5000'>
    <Number>1234 5678 9012</Number>
    <Issuer> Bank </Issuer>
    <Expiration>11/07</Expiration>
  </CreditCard>
</PaymentInfo>

• Current security technologies, such as SSL and TLS, provide several specifications for web service applications.
In this topic, I will introduce the standards for XML and Web service security.

What is Security
Concrete Forms of Security:
• Confidentiality: can prying eyes see it?
• Authentication: are you who you say you are?
• Trust: have I agreed to work with you?
• Non-repudiation: can you claim you didn’t send it even if you really did?
• Integrity: was it changed before I got it?
• Authorization: are you allowed to have it?

Issues with Current Web Security Schemes
SSL/TLS/HTTPS
• Transport-level security (not message-level security)
• Point-to-point security only; does not handle end-to-end, multi-hop messaging security
• Secures data only while it is in transit; does not secure data once it is out of transit
• HTTPS doesn’t support non-repudiation
• No element-wise signing and encryption

New opportunities
• The web services security infrastructure can take advantage of XML’s granularity
  - Encrypt or sign the selected portions
  - Act on and rewrite individual headers
  - Hardware appliances could accelerate these functions

XML & Web Services Security Standards
• XML Digital Signature
• XML Encryption
• XKMS (XML Key Management Specification)
• XACML (eXtensible Access Control Markup Language)
• SAML (Security Assertion Markup Language)
• WS-Security

Standards Framework

XML Signature
• Digital signatures are an important element in electronic security because they can be used to ensure the integrity, authentication, and non-repudiation of data.
  - XML syntax for representing signatures of web resources and portions
  - Procedures for computing and verifying such signatures
  - Canonicalization of XML data

Why XML Digital Signature
• Very flexible, so it can support a diverse set of Internet transaction models
  - Can sign individual items of an XML document
  - Can sign multiple items
  - Can sign both local and remote objects
  - Can sign both XML and non-XML content
  - Allows multiple levels of signing of the same content

XML Signature Types
There are three types of XML Signature:
Enveloped: The XML Signature is included in the XML document. It is a child element of the XML document. For example,
<document>
  <signature>….</signature>
</document>
[Figure 1: Enveloped Signature (labels: Signed Document, Signature, SignedInfo, Reference)]

XML Signature Types
Enveloping: The XML document is included in the XML Signature. It is a child element of the XML signature. For example,
<signature>
  <document>….</document>
</signature>
[Figure 2: Enveloping Signature (labels: Signature, SignedInfo, Reference, Object, Signed Data)]

XML Signature Types
Detached: The XML Signature is included in a separate document from the signed document. For example,
<signature>…</signature>
[Figure 3: Detached Signature (labels: XML Document, Signature, SignedInfo, Reference, Reference, Signed Data, Signed Data)]

The structure of XML Signature
The following shows the structure of XML Signature.
<Signature ID>
  <SignedInfo>                  The information that is actually signed
    <CanonicalizationMethod/>   Contains the name of the algorithm used to transform the data into canonical XML
    <SignatureMethod/>          Contains the algorithm used to generate the signature
    (<Reference URI>            Contains the method used to generate the digest and the resulting digest value
      <DigestMethod>
      <DigestValue>
    </Reference>)
  </SignedInfo>
  <SignatureValue>              Contains the actual signature value
  (<KeyInfo>)                   Contains an indication of the key that must be used to validate the signature
</Signature>

Example XML Signature
<Signature Id="MyFirstSignature" xmlns="http://www.w3.org/2000/09/xmldsig#">
  <SignedInfo>
    <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
    <Reference URI="PurchaseOrder">
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <DigestValue>j6lwx3rvEPO0vKtMup4NbeVu8nk=</DigestValue>
    </Reference>
  </SignedInfo>
  <SignatureValue>MC0CFFrVLtRlk=...</SignatureValue>
  <KeyInfo>
    <KeyValue>
      <DSAKeyValue>
        <P>...</P><Q>...</Q><G>...</G><Y>...</Y>
      </DSAKeyValue>
    </KeyValue>
  </KeyInfo>
</Signature>
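
How the <Reference> part of the structure above is checked, as an added Python example that is not part of the original slides: the referenced element is canonicalized, hashed with the <DigestMethod> algorithm and compared with <DigestValue>. The sample documents, the "po1" Id and the helper names are constructed for illustration, and the standard library's C14N 2.0 is assumed as a stand-in for the C14N 1.0 algorithm named in the slide.

```python
import base64
import copy
import hashlib
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
# Digest algorithms this sketch accepts; any other URI fails validation.
DIGESTS = {DS + "sha1": hashlib.sha1,  # the algorithm in the slide's example
           "http://www.w3.org/2001/04/xmlenc#sha256": hashlib.sha256}

def digest_value(element, algorithm_uri):
    """Base64 digest of the canonical form of one element."""
    node = copy.copy(element)
    node.tail = None  # text after the closing tag is not part of the element
    # Assumption: the standard library's C14N 2.0 stands in for C14N 1.0.
    canonical = ET.canonicalize(ET.tostring(node, encoding="unicode"))
    return base64.b64encode(DIGESTS[algorithm_uri](canonical.encode()).digest()).decode()

def check_references(signature, document):
    """Per-Reference result; a missing target or unknown algorithm fails."""
    results = {}
    for ref in signature.iterfind(f"{{{DS}}}SignedInfo/{{{DS}}}Reference"):
        uri = ref.get("URI", "")
        algorithm = next((m.get("Algorithm") for m in ref.iterfind(f"{{{DS}}}DigestMethod")), None)
        expected = ref.findtext(f"{{{DS}}}DigestValue", "").strip()
        target = next((e for e in document.iter()
                       if e.get("Id") == uri.lstrip("#")), None)
        results[uri] = (target is not None and algorithm in DIGESTS
                        and digest_value(target, algorithm) == expected)
    return results

def sample_signature(document, ref_id):
    """Constructed helper: an unsigned <Signature> skeleton for one element."""
    value = digest_value(document.find(f".//*[@Id='{ref_id}']"), DS + "sha1")
    return ET.fromstring(
        f'<Signature xmlns="{DS}"><SignedInfo><Reference URI="#{ref_id}">'
        f'<DigestMethod Algorithm="{DS}sha1"/><DigestValue>{value}</DigestValue>'
        f'</Reference></SignedInfo></Signature>')

# Constructed sample documents (not from the slides).
ORDER = ('<Orders><PurchaseOrder Id="po1" currency="USD">'
         '<Item>Book</Item><Amount>25</Amount></PurchaseOrder></Orders>')
REORDERED = ORDER.replace('Id="po1" currency="USD"', 'currency="USD"   Id="po1"')
TAMPERED = ORDER.replace("<Amount>25<", "<Amount>9925<")

if __name__ == "__main__":
    sig = sample_signature(ET.fromstring(ORDER), "po1")
    for name, doc in (("original", ORDER), ("reordered", REORDERED), ("tampered", TAMPERED)):
        print(name, check_references(sig, ET.fromstring(doc)))
```

A matching digest only shows that the referenced element is unchanged relative to <SignedInfo>; a verifier must also check <SignatureValue> over the canonical <SignedInfo> with a key it trusts.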

XML Encryption
What is XML Encryption
The XML Encryption Syntax and Processing specification defines an XML vocabulary and processing rules for protecting the confidentiality of XML documents.
Defines:
– XML syntax for encrypted data
– Encrypting/decrypting such data
– Can encrypt only certain parts of a document

XML Encryption and SSL
– SSL encrypts all the data transmitted through an SSL channel
– XML Encryption can encrypt portions of the data selectively, for example a specific element within an XML document

XML Encryption Structure
<EncryptedData>               Encryption element
  <EncryptionMethod>          Encryption algorithm
  <ds:KeyInfo>                Key information
    <EncryptedKey>
    <AgreementMethod>
    <ds:KeyName>
  </ds:KeyInfo>
  <CipherData>                Raw encrypted data
    <CipherValue>
    <CipherReference>
  </CipherData>
  <EncryptionProperties>
</EncryptedData>

The <EncryptedData> element is the core element in the syntax. It contains:
– <EncryptionMethod>
– <ds:KeyInfo>
– <CipherData>
– <EncryptionProperties>

Example of Encryption
This example encrypts only the child elements of the <CreditCard> element.
<?xml version="1.0" encoding="ISO-8859-1"?>
<PaymentInfo xmlns="http://example.org/paymentv2">
  <name>John Smith</name>
  <CreditCard Limit='$5000'>
    <EncryptedData xmlns='http://www.w3.org/2001/04/xmlenc#' Type='http://www.w3.org/2001/04/xmlenc#Content'>
      <CipherData>
        <CipherValue>A23B45C67</CipherValue>
      </CipherData>
    </EncryptedData>
  </CreditCard>
</PaymentInfo>

XKMS (XML Key Management Specification)
What is XKMS?
– XKMS defines a protocol between an XKMS client and an XKMS server for performing public-key infrastructure (PKI) operations:
  - public key registration
  - public key validation
  - public key discovery
  - public key revocation
– The XKMS server provides a trust service in the form of a Web service
– Used along with XML digital signing and encryption

Why XKMS?
• PKI is very important to Web services and e-commerce
• PKI operations are too expensive for small devices
  - XKMS reduces the processing burden by moving it to an XKMS server
• PKI operations are too complex for many applications
  - XKMS eases the integration of PKI by moving the complexity of PKI operations to an XKMS server

XKMS Specifications
– XKISS: XML Key Information Service Specification
  Defines a protocol for validation of public keys
– XKRSS: XML Key Registration Service Specification
  Defines a protocol for registration, revocation and recovery of public keys

XACML (eXtensible Access Control Markup Language)
• XACML is an XML specification for expressing fine-grained information access policies for XML documents or any other electronic resources
• Access control lists in XACML are 4-tuples: subjects, target objects, permitted action, provision

Why XACML?
• Standardizes the access control language in XML
  - Extensible language with flexible semantics
• Lower costs
  - No need to write policy in several languages
• Simpler
  - Admins only need to understand one language
• Policy composition
  - Policies written by different parties can be combined

XACML Use Case
2. A patient has a patient record that includes mental problem notes.
3. The patient grants the access right to the mental problem notes only to the primary care doctor.
4. The primary care doctor grants an associate doctor access to the patient record, with an access restriction so that the associate doctor has no access to the mental problem notes.
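
The use case above as a simplified decision model in Python (an added example, not part of the original slides and not XACML syntax): the patient's and the primary care doctor's policies are written separately and combined with deny-overrides. The role names, section names and the rule giving the primary care doctor read access to the whole record are assumptions made for illustration.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"

@dataclass(frozen=True)
class Rule:
    effect: str                       # PERMIT or DENY
    subjects: frozenset               # roles the rule covers; empty = anyone
    resource: str                     # section pattern, e.g. "record/*"
    action: str
    unless: frozenset = frozenset()   # roles exempted from the rule

    def applies(self, subject, resource, action):
        who = (not self.subjects or subject in self.subjects) and subject not in self.unless
        return who and action == self.action and fnmatchcase(resource, self.resource)

def evaluate(policies, subject, resource, action):
    """Combine every party's rules with deny-overrides."""
    effects = {rule.effect for policy in policies for rule in policy
               if rule.applies(subject, resource, action)}
    if DENY in effects:
        return DENY
    return PERMIT if PERMIT in effects else NOT_APPLICABLE

# Constructed policies for the use case; all names are assumptions.
PRIMARY, ASSOCIATE = frozenset({"primary_care_doctor"}), frozenset({"associate_doctor"})
PATIENT_POLICY = [
    Rule(PERMIT, PRIMARY, "record/*", "read"),
    Rule(DENY, frozenset(), "record/mental_notes", "read", unless=PRIMARY),
]
DOCTOR_POLICY = [
    Rule(PERMIT, ASSOCIATE, "record/*", "read"),
    Rule(DENY, ASSOCIATE, "record/mental_notes", "read"),
]
SECTIONS = ("demographics", "lab_results", "mental_notes")

def visible_sections(subject, policies):
    """Enforcement point: only an explicit Permit exposes a section."""
    return [s for s in SECTIONS
            if evaluate(policies, subject, "record/" + s, "read") == PERMIT]
```

Because a Deny from any party wins, the patient's restriction still holds if the doctor's policy leaves out its own Deny rule.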

SAML (Security Assertion Markup Language)
What is SAML?
- SAML defines an XML framework for exchanging authentication and authorization information.
- SAML can be used to realize single sign-on (SSO) between different systems and platforms.

Why SAML?
Standards are emerging for many aspects of collaborative e-commerce, such as:
- Business transactions
- Software interactions
SAML was developed for sharing security information.

SAML Use case
• Web single sign-on (SSO)
A general requirement when using multiple networked systems is "single sign-on": authenticating once and then sharing the result of authentication with multiple systems to avoid repeated authentication.
For example, logged-in (authenticated) users of Smith.com are allowed to access the sister site Johns.com without logging in again.

WS-Security
WS-Security Specification
• Defines new SOAP extensions to provide pre-message authentication, as well as end-to-end message confidentiality using XML Encryption and end-to-end message integrity using XML Digital Signature in a Web services environment.

How they work together
SAML and Other Standards
• SAML and XML Digital Signature
  – XML Digital Signature is used to sign and canonicalize SAML assertions
• SAML and XML Encryption
  – XML Encryption is used for encrypting and decrypting SAML assertions
• SAML and XKMS
  – SAML could be secured by XKMS-based PKI

SAML and Other Standards
• SAML and XACML
  – XACML could be used to define access control policy as a basis for handling SAML assertion requests
• SAML and WS-Security
  – SAML assertions can be carried as security tokens defined in WS-Security

Conclusion
• This topic has presented a brief introduction to XML and Web services security standards and how they work together.
• The XML Security standards define XML languages and processing rules for meeting common security requirements. For the most part, these standards incorporate the use of the other XML Security standards, especially the core XML Digital Signature and XML Encryption standards.