Secured SOA
By Prabath Siriwardena ~ WSO2
Santa Clara , CA
Securing a Web Service..???
People Can SEE What You Send
People Can ALTER What You Send
Anyone Can CALL Your Service
People SEE What’s On
People Can ALTER What’s On
HTTP is NOT Secured
HTTPS
HTTPS is Transport Level
Security inherited from the transport channel
Safe only while on the transport
Parts of the message CANNOT BE encrypted
Authenticating with HTTPS?
BasicAuth
Mutual Authentication
SSL Handshake
CLIENT_HELLO
Highest SSL Version,
Ciphers Supported,
Data Compression Methods,
SessionId = 0,
Random Data
SERVER_HELLO
Selected SSL Version,
Selected Cipher,
Selected Data Compression Method,
Assigned Session Id,
Random Data
CERTIFICATE
Public Key,
Authentication Signature
CLIENT_CERT_REQUEST
[Optional]
CLIENT_CERT
[Optional]
CLIENT_KEY_EXCHANGE
CERTIFICATE_VERIFY
[Optional]
CHANGE_CIPHER_SPEC
FINISHED
CHANGE_CIPHER_SPEC
FINISHED
MONDAY Morning
NOT Happy With HTTPS
Requires END To END Security
Parts of message need to be Encrypted
<soap:Envelope>
  <soap:Body>
    <ns1:withdrawMoney>
      <param1></param1>
      <param2></param2>
      <param3></param3>
    </ns1:withdrawMoney>
  </soap:Body>
</soap:Envelope>
Message Level Security
XML Encryption
XML Signature
WS-Security
Confidentiality
Integrity
NON-Repudiation
Authentication
UsernameToken
<wsse:UsernameToken wsu:Id="Example-1">
  <wsse:Username> ... </wsse:Username>
  <wsse:Password Type="..."> ... </wsse:Password>
  <wsse:Nonce EncodingType="..."> ... </wsse:Nonce>
  <wsu:Created> ... </wsu:Created>
</wsse:UsernameToken>
NOBODY Can See the Message in Clear Text Other
than the Intended Recipient
NOBODY In the Middle Can ALTER the Message
Only the Authenticated Users Can Invoke the Service
Sign & Encrypt OR Encrypt & Sign
Sign & Encrypt
Message Signature
XML Signature defines THREE types of signatures
[Diagram: three box layouts. (1) The Signature element wraps the Message (the enveloping form). (2) The Signature sits inside the Message (the enveloped form). (3) Message and Signature stand side by side (the detached form). A last box shows the WS-Security layout: an Envelope whose Header carries the Signature while the Body carries the signed content.]
Sign & Encrypt With WS-Security
[Diagram, three steps:
1. Envelope > Body > Message: the plain message.
2. Envelope > Header > Signature, Body > Message: the Body is signed and the Signature goes into the Header.
3. Envelope > Header > Signature, Body > EncryptedData: the signed Body is then encrypted.]
Encrypt & Sign
Message Signature
[Diagram, three steps:
1. Envelope > Body > Message: the plain message.
2. Envelope > Body > EncryptedData: the Body is encrypted first.
3. Envelope > Header > Signature, Body > EncryptedData: the EncryptedData is then signed and the Signature goes into the Header.]
XML Signature
XML Encryption
Username Token Profile
X.509 Token Profile
WS-Security
DONE with My First Assignment
BUT… Paul NOT Happy
Authentication LIMITED to
INTERNAL Users ONLY
Users OUTSIDE Our Domain Need ACCESS
We DON’T Have Their Credentials
We Can’t Use UsernameToken
Delegate Authentication to the External Domain itself
They Should Know How to Authenticate Their Own Users
We TRUST What the External Domain Says
WS-TRUST
<s:Envelope>
  <s:Header>
    <wsa:Action>http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue</wsa:Action>
  </s:Header>
  <s:Body>
    <wst:RequestSecurityToken>
      <wst:TokenType>http://example.org/mySpecialToken</wst:TokenType>
      <wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</wst:RequestType>
    </wst:RequestSecurityToken>
  </s:Body>
</s:Envelope>
<s:Envelope>
  <s:Header>
    <wsa:Action>http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/Issue</wsa:Action>
  </s:Header>
  <s:Body>
    <wst:RequestSecurityTokenResponseCollection>
      <wst:RequestSecurityTokenResponse>
        <wst:RequestedSecurityToken>
          <xyz:CustomToken xmlns:xyz="..."> </xyz:CustomToken>
        </wst:RequestedSecurityToken>
      </wst:RequestSecurityTokenResponse>
    </wst:RequestSecurityTokenResponseCollection>
  </s:Body>
</s:Envelope>
```
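The RST/RSTR exchange above carried end to end, as an added example (not the deck's or any WS-Trust implementation's code): the client builds the RequestSecurityToken, the external domain's STS authenticates its own user and answers with a RequestSecurityTokenResponseCollection carrying a signed custom token, and our service accepts the user purely on the trust relationship (a verification key per trusted issuer) without ever holding the external credentials. The wsa:Action, RequestType and ws-trust namespaces are the real ones; the xyz token layout (Claims plus an HMAC Signature), the issuer URL, the user store and the keys are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time
import xml.etree.ElementTree as ET

S = "http://www.w3.org/2003/05/soap-envelope"
WSA = "http://www.w3.org/2005/08/addressing"
WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
XYZ = "urn:example:custom-token"          # constructed namespace for the demo token
for prefix, uri in (("s", S), ("wsa", WSA), ("wst", WST), ("xyz", XYZ)):
    ET.register_namespace(prefix, uri)
ISSUE, RST_ISSUE, RSTR_ISSUE = f"{WST}/Issue", f"{WST}/RST/Issue", f"{WST}/RSTR/Issue"


def soap(action: str):
    """Envelope with a wsa:Action header; returns (envelope, body)."""
    env = ET.Element(f"{{{S}}}Envelope")
    ET.SubElement(ET.SubElement(env, f"{{{S}}}Header"), f"{{{WSA}}}Action").text = action
    return env, ET.SubElement(env, f"{{{S}}}Body")


def build_rst(token_type: str) -> str:
    """Client: RequestSecurityToken (Issue) addressed to the external domain's STS."""
    env, body = soap(RST_ISSUE)
    rst = ET.SubElement(body, f"{{{WST}}}RequestSecurityToken")
    ET.SubElement(rst, f"{{{WST}}}TokenType").text = token_type
    ET.SubElement(rst, f"{{{WST}}}RequestType").text = ISSUE
    return ET.tostring(env, encoding="unicode")


class ExternalSTS:
    """The external domain's STS: it knows its own users and signs what it asserts about them."""

    def __init__(self, users: dict, signing_key: bytes, issuer: str):
        self.users, self.key, self.issuer = users, signing_key, issuer   # constructed store and key

    def issue(self, rst_xml: str, username: str, password: str):
        env = ET.fromstring(rst_xml)
        if env.findtext(f"{{{S}}}Header/{{{WSA}}}Action") != RST_ISSUE:
            raise ValueError("unexpected wsa:Action")
        rst = env.find(f"{{{S}}}Body/{{{WST}}}RequestSecurityToken")
        if rst is None or rst.findtext(f"{{{WST}}}RequestType") != ISSUE:
            raise ValueError("only the Issue binding is handled here")
        if self.users.get(username) != password:      # the STS authenticates; our service never sees the password
            return None
        claims = {"iss": self.issuer, "sub": username, "exp": int(time.time()) + 300,
                  "typ": rst.findtext(f"{{{WST}}}TokenType")}
        payload = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode("ascii")
        env, body = soap(RSTR_ISSUE)
        rstr = ET.SubElement(ET.SubElement(body, f"{{{WST}}}RequestSecurityTokenResponseCollection"),
                             f"{{{WST}}}RequestSecurityTokenResponse")
        tok = ET.SubElement(ET.SubElement(rstr, f"{{{WST}}}RequestedSecurityToken"), f"{{{XYZ}}}CustomToken")
        ET.SubElement(tok, f"{{{XYZ}}}Claims").text = payload    # constructed token layout
        ET.SubElement(tok, f"{{{XYZ}}}Signature").text = hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()
        return ET.tostring(env, encoding="unicode")


class RelyingService:
    """Our service: no external credentials, only a verification key per STS we trust."""

    def __init__(self, trusted_issuers: dict):
        self.trusted = trusted_issuers

    def authenticate(self, rstr_xml: str, now: float = None):
        env = ET.fromstring(rstr_xml)
        tok = env.find(f".//{{{XYZ}}}CustomToken")
        if env.findtext(f"{{{S}}}Header/{{{WSA}}}Action") != RSTR_ISSUE or tok is None:
            return None
        payload = tok.findtext(f"{{{XYZ}}}Claims") or ""
        sig = tok.findtext(f"{{{XYZ}}}Signature") or ""
        if not payload or not sig:
            return None
        claims = json.loads(base64.urlsafe_b64decode(payload))
        key = self.trusted.get(claims.get("iss"))
        if key is None:
            return None                                   # issued by a domain we do not trust
        if not hmac.compare_digest(hmac.new(key, payload.encode(), hashlib.sha256).hexdigest(), sig):
            return None                                   # altered or forged token
        if claims.get("exp", 0) < (now or time.time()):
            return None                                   # expired assertion
        return claims["sub"]
```

"We TRUST What the External Domain Says" reduces, in code, to the `trusted_issuers` table: the signature check binds the assertion to a specific STS, the issuer lookup binds that STS to a trust decision we made out of band, and the expiry bounds how long either holds.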
XML Signature
XML Encryption
Username Token Profile
X.509 Token Profile
WS-Security
WS-Trust
Another Problem on HAND…
How Do We Communicate our Security Requirements to Outsiders?
The Encryption Algorithm We Use…
Key Size…
Token Types…
Elements to be Signed…
Elements to be Encrypted…
Use Symmetric Key or Asymmetric Key…
WS-Security Policy
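What the list above looks like once written down as WS-SecurityPolicy, as an added example (not the deck's or WSO2's code): a constructed policy using the real sp: assertions (binding, token types, algorithm suite, signed and encrypted parts, timestamp), and a small reader that pulls those requirements out so an outsider, or our own deployment check, can see them as a summary. The SUITES table maps suite names to the algorithms the 2007 specification assigns them; the policy text itself is constructed.

```python
import xml.etree.ElementTree as ET

WSP = "http://www.w3.org/ns/ws-policy"
SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"

# Algorithm suite name -> (digest, content encryption, asymmetric key wrap, minimum symmetric key bits)
SUITES = {
    "Basic128": ("SHA-1", "AES-128-CBC", "RSA-OAEP", 128),
    "Basic256": ("SHA-1", "AES-256-CBC", "RSA-OAEP", 256),
    "TripleDes": ("SHA-1", "3DES-CBC", "RSA-OAEP", 192),
    "Basic128Sha256": ("SHA-256", "AES-128-CBC", "RSA-OAEP", 128),
    "Basic256Sha256": ("SHA-256", "AES-256-CBC", "RSA-OAEP", 256),
}

# Constructed sample policy: X.509 asymmetric binding, signed UsernameToken, Body signed and encrypted
SAMPLE_POLICY = """
<wsp:Policy xmlns:wsp="http://www.w3.org/ns/ws-policy"
            xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
  <wsp:ExactlyOne><wsp:All>
    <sp:AsymmetricBinding><wsp:Policy>
      <sp:InitiatorToken><wsp:Policy>
        <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
          <wsp:Policy><sp:WssX509V3Token10/></wsp:Policy></sp:X509Token>
      </wsp:Policy></sp:InitiatorToken>
      <sp:RecipientToken><wsp:Policy>
        <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
          <wsp:Policy><sp:WssX509V3Token10/></wsp:Policy></sp:X509Token>
      </wsp:Policy></sp:RecipientToken>
      <sp:AlgorithmSuite><wsp:Policy><sp:Basic256/></wsp:Policy></sp:AlgorithmSuite>
      <sp:Layout><wsp:Policy><sp:Strict/></wsp:Policy></sp:Layout>
      <sp:IncludeTimestamp/>
    </wsp:Policy></sp:AsymmetricBinding>
    <sp:SignedSupportingTokens><wsp:Policy>
      <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
        <wsp:Policy><sp:WssUsernameToken10/></wsp:Policy></sp:UsernameToken>
    </wsp:Policy></sp:SignedSupportingTokens>
    <sp:SignedParts><sp:Body/><sp:Header Namespace="http://www.w3.org/2005/08/addressing"/></sp:SignedParts>
    <sp:EncryptedParts><sp:Body/></sp:EncryptedParts>
  </wsp:All></wsp:ExactlyOne>
</wsp:Policy>
"""


def local(tag: str) -> str:
    return tag.rsplit("}", 1)[-1]


def token_names(container):
    """sp:*Token assertions nested under a token container, with their IncludeToken mode."""
    if container is None:
        return []
    names = []
    for t in container.findall(f"{{{WSP}}}Policy/*"):
        if local(t.tag).endswith("Token"):
            mode = (t.get(f"{{{SP}}}IncludeToken") or "").rsplit("/", 1)[-1] or "default"
            names.append(f"{local(t.tag)}({mode})")
    return names


def parts(container):
    """sp:Body and sp:Header entries of a SignedParts/EncryptedParts assertion."""
    out = []
    for p in ([] if container is None else list(container)):
        if local(p.tag) == "Body":
            out.append("Body")
        else:
            out.append(f"Header:{p.get('Namespace')}:{p.get('Name') or '*'}")
    return out


def summarize_policy(policy_xml: str) -> dict:
    root = ET.fromstring(policy_xml)
    binding = None
    for name in ("AsymmetricBinding", "SymmetricBinding", "TransportBinding"):
        binding = root.find(f".//{{{SP}}}{name}")
        if binding is not None:
            break
    suite = root.find(f".//{{{SP}}}AlgorithmSuite/{{{WSP}}}Policy/*")
    req = {
        "binding": local(binding.tag) if binding is not None else None,
        "algorithm_suite": local(suite.tag) if suite is not None else None,
        "initiator_token": token_names(root.find(f".//{{{SP}}}InitiatorToken")),
        "recipient_token": token_names(root.find(f".//{{{SP}}}RecipientToken")),
        "supporting_tokens": [n for tag in ("SupportingTokens", "SignedSupportingTokens",
                                            "EndorsingSupportingTokens", "SignedEndorsingSupportingTokens")
                              for c in root.findall(f".//{{{SP}}}{tag}") for n in token_names(c)],
        "signed_parts": parts(root.find(f".//{{{SP}}}SignedParts")),
        "encrypted_parts": parts(root.find(f".//{{{SP}}}EncryptedParts")),
        "timestamp_required": root.find(f".//{{{SP}}}IncludeTimestamp") is not None,
    }
    # The binding answers the deck's "Symmetric Key or Asymmetric Key" question
    req["key_type"] = {"AsymmetricBinding": "asymmetric (X.509 key pairs)",
                       "SymmetricBinding": "symmetric (shared or derived key)",
                       "TransportBinding": "transport (HTTPS)"}.get(req["binding"])
    req["algorithms"] = SUITES.get(req["algorithm_suite"])
    # Worth knowing when reviewing a policy: the original Basic* suites all digest with SHA-1
    req["uses_sha1_digest"] = req["algorithms"] is not None and req["algorithms"][0] == "SHA-1"
    return req
```

The summary is what the slide's bullets ask for: which token types each side presents, the suite (and therefore algorithm and key size), which elements are signed and which are encrypted, and whether the binding is symmetric or asymmetric. The `uses_sha1_digest` flag is there because the suite name alone hides it.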
Finally… all on the White Board…
Thank You…!!!