Technik und Informatik. SOAP Security. Prof. Dr. Eric Dubuis Berner Fachhochschule Biel. Version April 11, 2012

Transcription

1 SOAP Security Prof. Dr. Eric Dubuis Berner Fachhochschule Biel Version April 11, 2012

2 Overview Motivation Transport security versus SOAP Security WS-Security stack overview Structure of secured SOAP messages Security tokens Encrypting SOAP messages Signing SOAP messages Timestamps SOAP Security 2

3 Motivation SOAP messages are text documents As such, they contain valuable data in clear-text Such data may be confidential Such data may be subject to tampering Starting point for SOAP security is: SOAP Message Security 1.1 (WS-Security 2004) SOAP Security 3

4 Position of SOAP Security Application level XML Documents XML Signature XML Encryption Message level SOAP Message WS-Security Transport level TCP SSL / TLS XML Signature: XML Encryption: WS-Security, SOAP Message Security: SSL, Secure Socket Layer: TLS, Transport Layer Security: SOAP Security 4

5 Transport Security versus Message Security Client Server Client Program Server Program Message SSL/TLS SSL/TLS Message client: messages in the clear in the pipe: messages encrypted back and forth server: messages in the clear SSL, Secure Socket Layer: TLS, Transport Layer Security: SOAP Security 5

6 Transport Security versus Message Security Transport security Pros: mature big support well understood relatively simple Cons: point to point only all-or-nothing security Message security Pros: security attached to the message itself selective flexible Cons: complex many standards SOAP Security 6

7 WS-Security Stack Source: SOAP Security 7

8 WS-Security Namespaces For These Slides Prefix Short for Namespace ds XML signature http :// wsse wsu xenc WS-Security extension Web services utility XML encryption http :// wss/2004/01/oasis wsswssecurity-secext-1.0.xsd http :// wss/2004/01/oasis wsswssecurity-utility-1.0.xsd http :// Unless otherwise noted, SOAP Message Security 1.1 is addressed in these notes, see WS-Security: SOAP Security 8

9 Extending SOAP with Security: Structure (I) <S:Envelope> <S:Header> <wsse:security> <!-- see next slide --> </wsse:security> </S:Header> Content of the XML S:Body element is encrypted. <S:Body Id= body > <xenc:encrypteddata Id="bodyID" Type=" </xenc:encrypteddata> </S:Body> </S:Envelope> SOAP 1.1: SOAP 1.2: SOAP Security 9

10 Extending SOAP with Security: Structure (II) The optional encrypted key list carries the encrypted keys used for encryption. The signatures are performed prior to encryption! <wsse:security>... <!-- XML encrypted key --> <xenc:encryptedkey>...</xenc:encryptedkey> <!-- XML encryption reference list --> <xenc:referencelist> <xenc:datareference URI="#tokenID"/> <xenc:datareference URI="#bodyID"/> </xenc:referencelist> <!-- Security Token --> The optional reference list is a manifest of encrypted portions of the SOAP message. <xenc:encrypteddata Id="tokenID"...></xenc:EncryptedData> <!-- XML Signature --> <ds:signature>... <ds:reference URI="#timestamp">...</ds:Reference> <ds:reference URI="#body">...</ds:Reference> </ds:signature> </wsse:security> SOAP Security 10

11 Extending SOAP with Security: Summary of Structural Elements The following elements can be embedded within the <wsse:security> element: Encrypted Keys zero, one, or more of embedded keys Reference List zero, one, or more of references to encrypted parts Security Tokens zero, one, or more (but usually not more than one) security tokens may be encrypted Signatures zero, one, or more XML signatures. If an XML signature is included, at minimum it signs all or part of the SOAP body SOAP Security 11

12 Encrypted Key Element <xenc:encryptedkey Id="_5002"..."> <xenc:encryptionmethod..."/> <ds:keyinfo..."> <wsse:securitytokenreference> <ds:x509data> <ds:x509issuerserial> <ds:x509issuername>cn=...</ds:x509issuername> <ds:x509serialnumber>2</ds:x509serialnumber> </ds:x509issuerserial> </ds:x509data> </wsse:securitytokenreference> </ds:keyinfo> <xenc:cipherdata> <xenc:ciphervalue>oo...yc=</xenc:ciphervalue> </xenc:cipherdata> </xenc:encryptedkey> SOAP Security 12

13 Reference List Shows encrypted parts of the SOAP message Optional <xenc:referencelist..."> <xenc:datareference URI="#_5009"/> <xenc:datareference URI="#_5010"/> </xenc:referencelist> SOAP Security 13

14 Security Tokens: Overview Examples of Security Tokens: User name with password token X.509 certificate token } Kerberos ticket binary Encrypted data token SAML assertion Types of Security Tokens: User name tokens (two variants) binary tokens (many) XML tokens (many) tokens Most often encrypted. Security token that is encrypted. The recipient knows how to decrypt it to obtain the effective token. SOAP Security 14

15 Security Tokens: User Name Token Basic <UsernameToken> with clear-text password <S:Envelope> <S:Header>... <wsse:security> <wsse:usernametoken> <wsse:username>alice</wsse:username> <wsse:password>ilovedogs</wsse:password> </wsse:usernametoken> </wsse:security>... </S:Header>... </S:Envelope> Username Token Profile 1.1: SOAP Security 15

16 Security Tokens: User Name with Password Digest Basic Idea: Provides an alternative to the clear-text password approach Sender hashes some random information with the password Receiver performs the same process Receiver compares the computed value with the one received Further Elements: Nonce: A random value to prevent reply attack. That is, the receiver caches the values obtained so far, and discards any request having the same value. Time stamp: Allows to clear the server's cache from old, obsolete entries. Password Digest = Base64 ( SHA-1 ( nonce + created + password ) ) SOAP Security 16

17 Security Tokens: Example of User Name with Password Digest <wsse:security> <wsse:usernametoken xmlns:wsse="...wss-wssecurity-secext-1.0.xsd" xmlns:wsu="...wss-wssecurity-utility-1.0.xsd"> <wsse:username>alice</wsse:username> <wsse:password Type="wsse:PasswordDigest"> D2A12DFE8D9F0C6BB82C89B091DF5C8A872F94DC </wsse:password> <wsse:nonce>efd89f06ccb28c89</wsse:nonce> <wsu:created> t09:00:00z</wsu:created> </wsse:usernametoken> </wsse:security> You don't see the real password here... SOAP Security 17

18 Binary Security Tokens: Overview Template for binary tokens: <wsse:binarysecuritytoken wsu:id=... EncodingType=... ValueType=...>...Binary Data... <wsse:binarysecuritytoken/> Encoding type: how is the binary data encoded. Most often: wsse:base64binary Value type: type of token. Can be an X.509 V3 certificate or one of the Kerberos tickets. SOAP Security 18

19 X.509 V3 Certificate as Binary Token An example of a X.509 V3 certificate as a binary token looks like: <wsse:binarysecuritytoken Id="myX509Token" ValueType="wsse:X509v3" EncodingType="wsse:Base64Binary">NIFEPzQ......CrAwIBAgIQEm FExErTECA</wsse:BinarySecurityToken> With a certificate, you authenticate yourself with the receiver by signing an element with your private key, such that the receiver can validate the signed element with the help of the certificate's public key, provided the receiver trusts the certificate authority. X.509 Certificate Token Profile 1.1: SOAP Security 19

20 Relating an XML Signature with a X.509 V3 Certificate You learned: XML signature (optionally) has a KeyInfo element: <ds:keyinfo> <ds:keyvalue>...</ds:keyvalue> <ds:x509data>...</ds:x509data> </ds:keyinfo> WS-Security recommends however: <ds:keyinfo> <wsse:securitytokenreference> <wsse:reference URI="#myX509Token"/> </wsse:securitytokenreference> </ds:keyinfo> You don't include the certifcate here but you reference it... SOAP Security 20

21 Kerberos Tokens Two types of tokens: Ticket Granting Ticket (TGT) Service Ticket (ST) You specify the type of Kerberos token with the attribute ValueType. An example of a TGT Kerberos token looks like: <wsse:binarysecuritytoken wsu:id="mykerberostoken" ValueType="wsse:Kerberosv5TGT" EncodingType="wsse:Base64Binary">ABCDEFG...CrAwIBAgIQEm... QwErTY</wsse:BinarySecurityToken> Kerberos Token Profile 1.1: SOAP Security 21

22 XML Tokens Several kinds of XML tokens exist: SAML assertions XrML / REL tokens XCBF tokens We will discuss SAML assertions in a later session. SOAP Security 22

23 Encrypted Data Tokens (in <Security> Header) A token that needs to be decrypted by the recipient An <xenc:encrypteddata> element is used <xenc:encrypteddata Id="_5009"...> <xenc:encryptionmethod Algorithm="...#aes128-cbc"/> <ds:keyinfo...> <wsse:securitytokenreference wsse11:tokentype="...#encryptedkey"> <wsse:reference URI="#_5002" ValueType="...#EncryptedKey"/> </wsse:securitytokenreference> </ds:keyinfo> <xenc:cipherdata> <xenc:ciphervalue>yw...==</xenc:ciphervalue> </xenc:cipherdata> </xenc:encrypteddata> Encrypted Data Tokens: SOAP Security 23

24 Referencing Security Tokens In XML, you'll use Id and Key as an identifier. Different types in security tokens different strategies for unique identifiers Problem: How to references security tokens in other places? Solution: WS-Security introduces Security Token References Within a Security Token Reference, there are three possibilities: direct element key identifier key name (not recommended due to uniqueness problem) Additional alternative: You can embed the security token directly in the Security Token Reference. SOAP Security 24

25 Example of a Direct Security Token Reference A direct Security Token Reference looks like: <wsse:securitytokenreference xmlns:wsse="...wss-wssecurity-secext-1.0.xsd"> <wsse:reference URI=" ValueType="wsse:X509v3"/> </wsse:securitytokenreference> SOAP Security 25

26 Example of a Key Identified Security Token Reference A direct Key Identified Security Token Reference looks like: <wsse:securitytokenreference> <wsse:keyidentifier ValueType="wsse:X509v3"> uthyqbrcgfu4xmo14md/iygyyig= </wsse:keyidentifier> </wsse:securitytokenreference> SOAP Security 26

27 Example of an Embedded Security Token A security token can be embedded into a Security Token Reference: <wsse:securitytokenreference> <wsse:embedded> <wsse:binarysecuritytoken ValueType="wsse:X509v3" EncodingType="wsse:Base64Binary" wsu:id="x509token"> MIIEZzCCA9CgAwIBAgIQEmtJZc0rqrKh5i... </wsse:binarysecuritytoken> </wsse:embedded> </wsse:securitytokenreference> SOAP Security 27

28 Signature Used to sign different parts of the SOAP message <ds:signature...> <ds:signedinfo> <ds:canonicalizationmethod...>...</ds:canonicalizationmethod> <ds:signaturemethod Algorithm="...#hmac-sha1"/> <ds:reference URI="#_5003"> <ds:transforms>...</ds:transforms> <ds:digestmethod Algorithm=".../xmldsig#sha1"/> <ds:digestvalue>oyq...=</ds:digestvalue> </ds:reference>... </ds:signedinfo> <ds:signaturevalue>0...=</ds:signaturevalue> <ds:keyinfo> Many references to signed parts of the SOAP message... <wsse:securitytokenreference...>...</wsse:securitytokenreference> </ds:keyinfo> </ds:signature> SOAP Security 28

29 Encrypting SOAP Messages On SOAP message encryption: Based on XML encryption However, a few features needs to be discussed in the context of SOAP encryption Envelope, Header and Body tags are never encrypted Modes of Encryption: Shared key XML encryption Wrapped key XML encryption Encrypting attachments (not discussed) Examples are given on the next slides. SOAP Security 29

30 SOAP Encryption Based on Shared Key XML Encryption Assume a shared key is known to the sender and receiver An optional Reference List in the security header points to the parts of the message that have been encrypted: <S:Envelope> <S:Header> <wsse:security> <xenc:referencelist> <xenc:datareference URI="#body"/> </xenc:referencelist> </wsse:security> </S:Header> <S:Body> <xenc:encrypteddata Id="body"> <xenc:cipherdata>...</xenc:cipherdata> </xenc:encrypteddata> </S:Body> </S:Envelope> Encrypted data, shared secret key is know to the receiver. SOAP Security 30

31 SOAP Encryption Based on Wrapped Key XML Encryption (I) Generated, symmetric key is used for encrypting (parts of) the body ( shared key) Then, the shared key is encrypted using the recipient's public key <S:Envelope> <S:Header> <wsse:security> <xenc:encryptedkey> <xenc:encryptionmethod Algorithm="..."/> <ds:keyinfo> <wsse:securitytokenreference> <wsse:keyidentifier EncodingType="wsse:Base64Binary" ValueType="wsse:X509v3">F2J...</wsse:KeyIdentifier> </wsse:securitytokenreference> </ds:keyinfo> <xenc:cipherdata>aecdjs78wea...yxc</xenc:cipherdata> <xenc:referencelist> <xenc:datareference URI= #body /> </xenc:referencelist> </xenc:encryptedkey> </wsse:security> </S:Header> Which key to use for decrypting shared key? What is encrypted? Encrypted shared key SOAP Security Note: List can be outside of the 31 EncryptedKey element.

32 SOAP Encryption Based on Wrapped Key XML Encryption (II) Encrypted body: <S:Envelope>... <S:Body> <xenc:encrypteddata Id="body"> <xenc:cipherdata> <xenc:ciphervalue>...</xenc:ciphervalue> </xenc:cipherdata> </xenc:encrypteddata> </S:Body> </S:Envelope> SOAP Security 32

33 Signing SOAP Messages Used for verifying message integrity Used for verifying security token integrity XML signatures are put into the security header The detached signature model is the only one allowed (due to the mutability of headers) <S:Envelope> <S:Header> <wsse:security> <ds:signature> <ds:reference URI= #body >... <S:Body Id= body > SOAP Security 33

34 An Example of a Signed SOAP Message (I) <S:Envelope> <S:Header> This is an X509 <wsse:security> certificate used as <wsse:binarysecuritytoken security token ValueType="wsse:X509v3" EncodingType="wsse:Base64Binary" wsu:id="x509token">figezzcr...</wsse:binarysecuritytoken> <ds:signature> <ds:signedinfo> <ds:canonicalizationmethod Algorithm="...xml-exc-c14n#" /> <ds:signaturemethod Algorithm="...rsa-sha1" /> <ds:reference URI="#body"> <ds:transforms> <ds:transform Algorithm="...xml-exc-c14n#" /> </ds:transforms> <ds:digestmethod Algorithm="...#sha1" /> <ds:digestvalue>eulddytso1...</ds:digestvalue> </ds:reference> </ds:signedinfo> to be continued... SOAP Security 34

35 An Example of a Signed SOAP Message (II)... continued <ds:signaturevalue>xld.../ds:signaturevalue> <ds:keyinfo> <wsse:securitytokenreference> <wsse:reference URI="#X509Token"/> </wsse:securitytokenreference> </ds:keyinfo> </ds:signature> </wsse:security> </S:Header> <S:Body wsu:id="body"> <StatusRequest xmlns=" <OrderNumber>1234</OrderNumber> </StatusRequest> </S:Body> </S:Envelope> The body is signed... The signature was produced by using the public key attached to the X509 certificate SOAP Security 35

36 Signing and Encrypting a SOAP Message If a producer signs a message before encryption, then following ordering is applied: The <Signature> element with all <Reference> elements is computed and added to the <Security> header The encryption elements such as <EncryptedKey>, <ReferenceList>, and <EncryptedData> are added to the <Security> header in front of the <Signature> element The above order can be sketched accordingly: If encryption is used first, and then signing, then the order changes accordingly (order matters). SOAP Security 36

37 Message Time Stamps WS-Security defines message timestamps Message timestamps define the freshness of a message Message timestamps are introduced in the header Message timestamps should be signed Example: <S:Envelope> <S:Header> <wsu:timestamp> <wsu:created> t08:42:00z</wsu:created> <wsu:expires> t09:00:00z</wsu:expires> </wsu:timestamp>... </S:Header> <S:Body>... </S:Body> </S:Envelope> SOAP Security 37