1Thuy, Le Huu | Pentalog VN

Web Services Security

2

Agenda

• Cryptography Concepts– Cryptographic Algorithms

• Cryptographic Operations– Data Privacy– Data Integrity, Authenticity, and Non-repudiation

• Basics of Digital Certificates and Certificate Authority– What is a Digital Certificate– Certificate Purposes

• Create Your Own Certificate and CA• WS Security Implementation Using Apache CXF and

Spring

3

Cryptography Concepts

• Cryptography is the art and science of keeping data secure. Cryptographic services help ensure data privacy, maintain data integrity, authenticate communicating parties, and prevent repudiation (when a party refutes having sent a message). Three major areas of concern: privacy, authentication, and integrity are addressed using Cryptography.

4

Cryptography Concepts

• Basic encryption allows you to store information or to communicate with other parties while preventing non-involved parties from understanding the stored information or understanding the communication

• Encryption transforms understandable text (plaintext) into an unintelligible piece of data (ciphertext). Decryption restores the understandable text from the unintelligible data

• Both functions involve a mathematical formula (the algorithm) and secret data (the key).

5

Cryptographic Algorithms

• Symmetric key algorithm– With a secret or symmetric key algorithm, the key is a

shared secret between two communicating parties. Encryption and decryption both use the same key

6

Cryptographic Algorithms

• Asymmetric key algorithm– One of the keys, the private key, is kept secret and not

shared with anyone. The other key, the public key, is not secret and can be shared with anyone

7

Cryptographic Algorithms

8

Cryptographic Operations

• Data Privacy– Encryption/Decryption

• Field/Message level encryption: The user application completely controls key generation, selection, distribution, and what data to encrypt

• Session level encryption: SSL or HTTPS is such sesion level encryption

• Link Level encryption: Usually by specialized hardware. Bank ATM networks may implement hardware encryption

– Translate• The translate operation is used to decrypt data from encryption

under one key to encryption under another key. This is done in one step to avoid exposing the plaintext data within the application program

9

Cryptographic Operations

• Data Integrity, Authenticity, and Non-repudiation– Hash (Message Digest)

10

Cryptographic Operations

• Data Integrity, Authenticity, and Non-repudiation– HMAC (Hash MAC), MAC (Message Authentication Code)

11

Cryptographic Operations

• Data Integrity, Authenticity, and Non-repudiation– Sign/Verify

12

Basics of Digital Certificates and Certificate Authority

• What is a Digital Certificate– Digital certificates are electronic credentials that are used to

assert the online identities of individuals, computers, and other entities on a network.

– Digital certificates function similarly to identification cards such as passports and drivers licenses.

– Most commonly they contain a public key and the identity of the owner. They are issued by certification authorities (CAs) that must validate the identity of the certificate-holder both before the certificate is issued and when the certificate is used.

– Common uses include business scenarios requiring authentication, encryption, and digital signing

13

Digital Certificate

14

Digital Certificate

15

Certificate Purposes

• Encryption. A certificate with this purpose will contain cryptographic keys for encryption and decryption.

• Signature. A certificate with this purpose will contain cryptographic keys for signing data only.

• Signature and encryption. A certificate with this purpose covers all primary uses of a certificate’s cryptographic key, including encryption of data, decryption of data, initial logon, or digitally signing data.

• Signature and smartcard logon. A certificate with this purpose allows for initial logon with a smart card, and digitally signing data; it cannot be used for data encryption.

16

Create Your Own Certificate and CA

• Java Keytool: Generate a Key Pair, Your Self-Signed Certificate

• OpenSSL: Set Up a Certificate Authority

keytool -genkey -alias client -keystore /pressf5/ClientKeyStore.jks -keyalg RSA -sigalg SHA1withRSA//password: client-pass and key-passkeytool -genkey -alias server -keystore /pressf5/ServerKeyStore.jks -keyalg RSA -sigalg SHA1withRSA//password: server-pass and key-passkeytool -export -alias client -file /pressf5/certfile.cer -keystore /pressf5/ClientKeyStore.jkskeytool -export -alias server -file /pressf5/scertfile.cer -keystore /pressf5/ServerKeyStore.jks

keytool -import -alias server -file /pressf5/scertfile.cer -keystore /pressf5/ClientKeyStore.jkskeytool -import -alias client -file /pressf5/certfile.cer -keystore /pressf5/ServerKeyStore.jks

openssl x509 -signkey cakey.pem -req -days 3650 -in careq.pem -out caroot.cer -extensions v3_ca

17

WS Security Implementation

• Apache CXF 2.6.2 for server both Soap and Rest– UsernameToken – Timestamp – Signature – Encrypt

• Deploy on Tomcat Server 7.0.30– HTTP– SSL/HTTPS

• Intergrated with Spring 3.1.2

• Apache CXF client for Soap, Jersey for client Rest

18

Link Reference

• SOAP SERVICE– http://cxf.apache.org/docs/jax-ws.html– https://sites.google.com/site/ddmwsst/home

• REST SERVICE– http://cxf.apache.org/docs/secure-jax-rs-services.html– http://grepcode.com/file/repo1.maven.org/maven2/org.apach

e.cxf.systests/cxf-systests-rs-security/2.5.2/org/apache/cxf/systest/jaxrs/security/bob.properties?av=f

– http://svn.apache.org/repos/asf/cxf/trunk/systests/rs-security/– http://stackoverflow.com/questions/3434309/accessing-secur

e-restful-web-services-using-jersey-client

19

Thank You