WS-Security TC
Christopher Kaler, Kelvin Lawrence

Posted 18-Dec-2015, category: Documents. Transcript of the slide deck "WS-Security TC" by Christopher Kaler and Kelvin Lawrence.

Agenda

  • Context for WS-Security
  • WS-Security Elements and Example
  • TC Charter and Deliverables

Web Service Security Issues

It is getting easier to build web services, but who is sending the messages?

Several approaches:
  • SSL with username and password
  • SSL with X.509 client certificates
  • VPN with Kerberos
  • XrML, SAML, ...

Challenges:
  • Computational cost
  • Inflexibility
  • Firewalls
  • Distributed management
  • Hop-to-hop vs. end-to-end

(Diagram: the three transport-level options side by side: username/password; client certificates, smart cards, ...; VPN.)

Security and Web Services

Security in a Web Services World:
  • Safer: no exposure at intermediaries (message-level protection survives each hop, unlike transport security, which ends at every intermediary)
  • Interoperable: broad vendor support; leverages XML Signature and XML Encryption
  • Flexible: builds on web infrastructure; works with HTTP, SMTP, and other transports; works over firewalls, through the DB, ...
  • Durable: security is available at the business request / application layer
  • Higher performance and scalability: supports both public and symmetric keys; clients exchange security tokens and cache them
  • Easier: a simple common approach for manageable authentication, authorization, and permissions

A Typical Challenge

(Diagram: Company A, the Business Partners' Web Service, and a Certification Partner. The flow is 1. Run Application, 2. Request Fails, 3. Get Proof of Certification, 4. Fax Certification, 5. Approve.)

A WS-Security Solution

(Diagram: the same parties, Company A, the Business Partners' Web Service, and the Certification Partner. The flow becomes 1. Run Application, 2. Get Proof of Certification, 3. Request Succeeds.)

How Does it Work?

  1. Security tokens assert claims
  2. Web services have policies
  3. A security token service is just a web service that issues security tokens

Security Tokens

X.509, Kerberos, XrML, SAML, ...

Security tokens assert claims:
  • Identity
  • Keys
  • Privileges, rights, capabilities
  • Custom
  • ...

Policies

Services have policies. Does the request have the correct security tokens?

  • Policies describe the required claims
  • Security tokens assert the claims

Security Token Service

(Diagram: a Web Service with its Policy, and a Security Token Service with its own Policy.)

A security token service issues security tokens.

  • It is just a web service
  • A solution may require multiple token services

Agenda

  • Context for WS-Security
  • WS-Security Elements and Example
  • TC Charter and Deliverables

New SOAP Elements

WS-Security (new):
  • <Security> header
  • <UsernameToken>
  • <SecurityTokenReference>
  • <BinarySecurityToken>

Existing:
  • XML Signature
  • XML Encryption
  • Token formats (e.g., X.509, Kerberos, XrML, SAML)

<Security>

  • SOAP:actor is optional
  • One header per actor
  • All security information together
  • Sub-elements are prepended
  • Supports multiple signatures

    <Security SOAP:actor="..."> ... </Security>

Elements In <Security>

Including and referencing security tokens:
  • <UsernameToken>
  • <BinarySecurityToken>
  • <SecurityTokenReference>
  • <ds:KeyInfo>
  • <xenc:EncryptedKey>

Signature: <ds:Signature>
Encryption manifest: <xenc:ReferenceList>
Encrypted attachments: <xenc:EncryptedData>
Other...

Simple Example

  • Requesting a stock quote
  • Security token indicates username
  • Signature uses key generated from password

Simple Example (message listing, slides 1 of 2 and 2 of 2)

    <?xml version="1.0" encoding="utf-8"?>
    <S:Envelope xmlns:S=".../soap-envelope" xmlns:ds="…/xmldsig#">
      <S:Header>
        <m:path xmlns:m="http://schemas.xmlsoap.org/rp/">
          <m:action>http://fabrikam.org/getQuote</m:action>
          <m:to>http://fabrikam.org/stocks</m:to>
          <m:id>uuid:84b9f5d0-33fb-4a81-b02b-5b760641c1d6</m:id>
        </m:path>
        <wsse:Security xmlns:wsse="…/secext">
          <wsse:UsernameToken Id="MyID">
            <wsse:Username>Zoe</wsse:Username>
          </wsse:UsernameToken>
          <ds:Signature>
            <ds:SignedInfo>
              <ds:CanonicalizationMethod Algorithm=".../xml-exc-c14n#"/>
              <ds:SignatureMethod Algorithm=".../xmldsig#hmac-sha1"/>
              <ds:Reference URI="#MsgBody">
                <ds:DigestMethod Algorithm="http://.../xmldsig#sha1"/>
                <ds:DigestValue>LyLsF0Pi4wPU...</ds:DigestValue>
              </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>DJbchm5gK...</ds:SignatureValue>
            <ds:KeyInfo>
              <wsse:SecurityTokenReference>
                <wsse:Reference URI="#MyID"/>
              </wsse:SecurityTokenReference>
            </ds:KeyInfo>
          </ds:Signature>
        </wsse:Security>
      </S:Header>
      <S:Body Id="MsgBody">
        <tru:StockSymbol xmlns:tru="…">QQQ</tru:StockSymbol>
      </S:Body>
    </S:Envelope>
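The exchange the slides sketch, carried through end to end in Python as an added example (not code from the deck or from the WS-Security TC): the client fills in DigestValue and SignatureValue for the stock-quote message above with a key derived from Zoe's password, and the receiver applies the policy from the earlier slides, resolving the SecurityTokenReference to the UsernameToken, recomputing the digest and the HMAC, and checking that the element actually signed is the S:Body it is about to act on. Everything beyond the deck's listing is an assumption made for this example: the namespace URIs (the slides elide them), PBKDF2 as the "key generated from password" step, the standard-library C14N 2.0 writer standing in for Exclusive C14N, the constructed credential store, and the wrap_attack helper, which builds a signature-wrapping message to show why the last check matters.

```python
import base64
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

NS = {"S": "http://www.w3.org/2003/05/soap-envelope",  # assumed URIs; the slides elide them
      "ds": "http://www.w3.org/2000/09/xmldsig#",
      "wsse": "http://schemas.xmlsoap.org/ws/2002/07/secext",
      "tru": "urn:example:stocks"}
for _p, _u in NS.items():
    ET.register_namespace(_p, _u)
PASSWORDS = {"Zoe": "correct horse battery staple"}  # constructed credential store

# The deck's message with DigestValue and SignatureValue left empty for signing.
TEMPLATE = """<S:Envelope xmlns:S="{S}" xmlns:ds="{ds}" xmlns:wsse="{wsse}" xmlns:tru="{tru}">
  <S:Header>
    <wsse:Security>
      <wsse:UsernameToken Id="MyID"><wsse:Username>{user}</wsse:Username></wsse:UsernameToken>
      <ds:Signature>
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
          <ds:Reference URI="#MsgBody"><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue/></ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue/>
        <ds:KeyInfo><wsse:SecurityTokenReference><wsse:Reference URI="#MyID"/></wsse:SecurityTokenReference></ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
  </S:Header>
  <S:Body Id="MsgBody"><tru:StockSymbol>{symbol}</tru:StockSymbol></S:Body>
</S:Envelope>"""

def derive_key(username, password):
    """Stand-in for the deck's "key generated from password" (assumed KDF, not the draft's)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), username.encode(), 10_000, 20)

def c14n(elem):
    """Canonical bytes of one subtree; stdlib C14N 2.0 stands in for Exclusive C14N (assumption)."""
    e = copy.deepcopy(elem)
    e.tail = None  # tostring() would otherwise emit the text that follows the element
    return ET.canonicalize(ET.tostring(e, encoding="unicode"), strip_text=True).encode()

def find_by_id(root, uri):
    return next((el for el in root.iter() if el.get("Id") == uri.lstrip("#")), None)

def b64(raw):
    return base64.b64encode(raw).decode()

def sign_request(username, symbol):
    """Client side: digest each referenced element, then HMAC the canonical SignedInfo."""
    root = ET.fromstring(TEMPLATE.format(user=username, symbol=symbol, **NS))
    key = derive_key(username, PASSWORDS[username])
    sig = root.find(".//ds:Signature", NS)
    for ref in sig.iterfind("ds:SignedInfo/ds:Reference", NS):
        target = find_by_id(root, ref.get("URI", ""))
        ref.find("ds:DigestValue", NS).text = b64(hashlib.sha1(c14n(target)).digest())
    si = sig.find("ds:SignedInfo", NS)
    sig.find("ds:SignatureValue", NS).text = b64(hmac.new(key, c14n(si), hashlib.sha1).digest())
    return ET.tostring(root)

def verify_request(message):
    """Receiver side, returns (ok, reason).  Policy: the real S:Body must be covered by
    a signature keyed from a UsernameToken whose password the receiver knows."""
    root = ET.fromstring(message)
    sig = root.find("S:Header/wsse:Security/ds:Signature", NS)
    tok_ref = sig.find("ds:KeyInfo/wsse:SecurityTokenReference/wsse:Reference", NS) if sig is not None else None
    token = find_by_id(root, tok_ref.get("URI", "")) if tok_ref is not None else None
    username = token.findtext("wsse:Username", namespaces=NS) if token is not None else None
    if token is None or token.tag != "{%s}UsernameToken" % NS["wsse"] or username not in PASSWORDS:
        return False, "signing key must come from the UsernameToken of a known user"
    key = derive_key(username, PASSWORDS[username])
    covered = []  # elements whose digest checked out
    for ref in sig.iterfind("ds:SignedInfo/ds:Reference", NS):
        target = find_by_id(root, ref.get("URI", ""))
        got = ref.findtext("ds:DigestValue", default="", namespaces=NS).encode()
        if target is None or not hmac.compare_digest(b64(hashlib.sha1(c14n(target)).digest()).encode(), got):
            return False, "digest mismatch for %s" % ref.get("URI")
        covered.append(target)
    # SHA-1 only because the deck uses it; a current deployment would use SHA-256.
    want = b64(hmac.new(key, c14n(sig.find("ds:SignedInfo", NS)), hashlib.sha1).digest())
    if not hmac.compare_digest(want.encode(), sig.findtext("ds:SignatureValue", default="", namespaces=NS).encode()):
        return False, "SignatureValue mismatch"
    # Identity, not Id: a signed copy of the Body parked elsewhere (signature wrapping) is not the request.
    if not any(t is root.find("S:Body", NS) for t in covered):
        return False, "Body is not covered by the signature"
    return True, "signed by %s" % username

def wrap_attack(message, new_symbol):
    """Constructed wrapping attack: park the signed Body (Id intact) in the Header and
    put an unsigned Body carrying the attacker's symbol where the receiver reads it."""
    root = ET.fromstring(message)
    body = root.find("S:Body", NS)
    root.remove(body)
    ET.SubElement(root.find("S:Header", NS), "Wrapper").append(body)
    new_body = ET.SubElement(root, "{%s}Body" % NS["S"], Id="MsgBody")
    ET.SubElement(new_body, "{%s}StockSymbol" % NS["tru"]).text = new_symbol
    return ET.tostring(root)
```

verify_request(sign_request("Zoe", "QQQ")) is the happy path. Changing the symbol in the serialized bytes fails the digest check; wrap_attack(...) passes the digest and HMAC checks and fails only the final identity check, which is exactly the check a verifier that resolves Reference URIs by Id alone would not make. The choice of HMAC keyed from a password also means the receiver must know the password (or a derived secret) for every user it accepts, which is why the slides' X.509 and SAML tokens matter for anything beyond a single trust domain.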

Agenda

  • Context for WS-Security
  • WS-Security Elements and Example
  • TC Charter and Deliverables

WS-Security TC Charter

Continue work on the Web service security foundations published in the WS-Security specification and under the context of the Web Services Security roadmap.

WS-Security TC Scope

  • Using XML Signature to provide SOAP message integrity for Web services
  • Using XML Encryption to provide SOAP message confidentiality for Web services
  • Attaching and/or referencing security tokens in headers of SOAP messages
  • Carrying security information for potentially multiple, designated actors
  • Associating signatures with security tokens
  • Representing specific forms of binary security tokens as defined in the WS-Security specification

WS-Security TC Deliverables

  • Accept as input the Web Services Security (WS-Security) specification.
  • Produce as output a specification for Web Services Security. This specification will reflect refinements and changes made to the submitted version of WS-Security that are identified by the WSS TC members for additional functionality within the scope of the TC charter.
  • Liaise and/or forge relationships with other Web services efforts to assist in leveraging WS-Security as a part of their specifications or solutions.
  • Coordinate with the chairs of the other OASIS security related groups via the Security Joint Coordination Committee.
  • Oversee ongoing maintenance and errata of the WS-Security specification.

Questions