Securing Web Services with WS-Security

Transcription

1 Securing Web Services with WS-Security Demystifying WS-Security, WS-Policy, SAML, XML Signature and XML Encryption jothy Rosenberg David L. Remy SAMS Sams Publishing, 800 East 96th Street, Indianapolis, Indiana 46240

2 Table of Contents Forewords xx Introduction i Who This Book Is For 1 About This Book 1 How This Book Is Organized 2 I. Basic Concepts ofweb Services Security 5 Web Services Basics : XML, SOAP, andwsdl 6 XML and XML Schema 6 SOAP 7 WSDL 9 UDDI 9 Application Integration 9 B2Ii Business Process Integration 10 Portals 11 Service-Oriented Architectures 11 Definition ofweb Services 12 Security Basics 12 Shared Key and Public Key Technologies 13 Security Concepts and Definitions 16 Web Services Security Basics 19 XML Signature 19 XML Encryption 20 SAML 20 WS-Security 21 Trust Issues 22 Other WS-Security-Related Specs 22 Sununary 22 2 The Foundations ofweb Services 25 The Gestalt ofweb Services 25 Application Integration 25 The Evolution ofdistributed Computing 2$ The Inevitability ofweb Services 32 Security Challenges 35

3 XML: Meta-Language for Data-Oriented Interchange 37 Where XML Came From and Why It's Important 38 XML and Web Services 39 XML Namespaces 39 XML Schema 42 XML Transformations 43 XML's Role in Web Services Security 46 SOAP: XML Messaging and Remote Application Access 49 Where SOAP Came From andwhy It's Important 50 SOAP Envelope 52 SOAP Header 53 SOAP Body 53 SOAP Processing 55 SOAP Attachments 55 SOAP and Web Services Security 55 WSDL ; Schema for XML/SOAP Objects and Interfaces 56 Where WSDL Came From. and Why It's Important 56 WSDL Elements 58 WSDL and SOAP 61 WSDL and Web Services Security 61 UDDI : Publishing and Discovering Web Services 62 ebxml and RosettaNet: Alternative Technologies for Web Services 65 The Web Services Security Specifications 65 Summary 67 ä The Foundations of Distributed Message- Level Security 69 Tbre Challenges ofinformation Security for Web Services 69 Security of Distributed Systems Is Hard 69 Security ofexchanged Information (Messages) Is Harder 70 Security ofweb Services Is Hardest 71

4 Viii Contents Shared Key Technologies 72 Shared Key Encryption 72 Kerberos 75 Limitations ofshared Key Technologies 76 Public Key Technologies 76 Public Key Encryption 76 Limitations ofpublic Key Encryption 79 Digital Signature Basics 80 A Digital Signature Expressed in XML 85 Public Key Infrastructure 86 SSLTransport Layer Security 97 Summary Safeguarding the Identity and Integrity of XMI. Messages 105 Introduction To and Motivation for XML Signature 105 AW3C Standard 105 Critical Building Block forws-security 105 Close Associations with Web Services Security 106 The Goal ofensuring Integrity (and Usually Identity) and Non-repudiation Persistently 106 XML Signature and XML Encryption : Fundamental Web Services Security Technologies 106 XML Signature Fundamentals 107 XML Signature Structure 107 Basic Structure 108 Specifying the Items Being Signed 109 Types ofxml Signatures 109 The Signature Element Schema 113 XML Signature Processing 116 XML Signature Generation 1.17 XML SignatureValidation 119 The XML Signature Elements 120 The Signedinfo Element 120 The Canonical iaationmethod Element and Canonicalization 120

5 Contents ix The SignatureMethod Element 125 The Reference Element 125 The Transform Element 127 The DigestMethod Element 132 The Digestvalue Element 133 The signaturevalue Element 133 The object Element 133 The Keyin o Element 137 Security Strategies for XML Signature 140 Using Transforms 140 Mxowing the Security Model 141 KnowingYour Keys 142 Signing Object Elements 142 Signing DTDs with Entity References 142 Summary Ensuring Confidentiality ofxml Messages 147 Introduction to and Motivation for XML Encryption 147 Relating XML Encryption and XML Signature 147 Critical Building Block for WS-Security 148 The Goal Is to Ensure Confidentiality of Messages from End to End with Different Recipients 149 Think Shared Key CryptographyWhenYou Think of XML Encryption 149 XML Encryption Will Become Part of the Infrastructure Like XML Signature 149 XML Encryption Fundamentals 150 XML Encryption Structure 151 EncryptedData:The Core ofxml Encryption 151 EncryptedData Schema 152 EncryptedType 153 EncryptionMethod 154 CipherData 154 Encrypt ionproperties 155

6 x Contents Keyinfo 156 Encrypt:edKey 157 AgreementMethod 159 Ref erencelist 160 CarriedKeyName 161 Super Encryption 162 XML Encryption Processing 1.63 Encryption Process 163 Decryption Process 164 Using XML Encryption and XML Signature Together 165 The Decryption Transform for XML Signature 168 XML Encryption and XML Signature Strategies 175 Summary Portable Identity, Authentication, and Authorization 3,77 Introduction to and Motivation for SAML 178 The Problems SAML Addresses 179 Transporting Identity or "Portable Trust" 181 The Concept oftrust Assertions 181 How SAML Works 181 SAML Assertions 184 SAML Producers and Consumers 188 SAML Protocol 189 Authorization Request 191 SAML Bindings 192 SAML Profiles 194 Using SAML with WS-Security 195 Tile WS-Security SAML Profile 196 Applying SAML: Project Liberty 197 The Identity Problem 197 Federated Identity 197 How Liberty Uscs SAML 198 The Microsoft Passport Alternative Approach 199 Summary 200

7 Contents 7 Building Security into SOAP 201 Introduction to and Motivation forws-security 201 Problems and Goals 201 The Origins ofws-security 205 WS-Security Is Foundational 206 Extending SOAP with Security 206 Security Tokens inws-security 208 UsernameToken 209 BinarySecuri.t:yTokens 21.2 XML Tokens 215 Referencing Security Tokens 220 Providing Confidentiality : XML Encryption in WS-Security 222 Shared Key XML Encryption 222 Wrapped Key XML Encryption 223 Encrypting Attachments 224 WS-Security Encryption Summary 227 Providing Integrity : XML Signature in WS-Security 227 XML Signature forvalidating a Security Token 227 XML Signature for Message Integrity 228 XML Signature in WS-Security Considerations 228 WS-Security XML Signature Example 228 Signing a Security Token Reference 229 Message Time Stamps 230 Summary Communicating Security Policy 235 WS-Policy 235 WS-Policy and WSDL 236 WS-Policy and WS-SecurityPolicy 236 The WS-Policy Framework 237 WS-Policy Details 238 WS-PolicyAssertions 240 WS-PofcyAttachment 241 Specifying WS-Policy in WSDL 242

8 x1i Contents WS-SecurityPolicy 245 SecurityToken 245 integrity 248 Confidentiality 250 Visibility 251 SecurityHeader 252 MessageAge 253 Summary Trust, Access Control, and Rights for Web Services 255 The WS-* Family of Security Specifications 255 WS-* Security Specifications fortrust Relationships 258 WS-* Security Specifications for Interoperabiiity 265 WS-* Security Specifications for Integration 269 XML Key Management Specification (XKMS) 272 Origins ofxkms 272 Goals of XKMS 272 The XKMS Services 273 extensible Access Control Markup Language (XACML) Specification 279 The XACML Data Model 280 XACML Operation 281 XACML Policy Example 282 extensible Rights Markup Language (XrML) Management Specification 284 The XrML Data Model 285 XrML Use Case Example 285 Summary Building a Secure Web Service Using BEA's WebLogic Workshop 293 Security Layer Walkthrough 294 Transport-Level Security 295 Message-Level Security 296 Role-Based Security 297

9 Contents xiii WebLogic Workshop Web Service Walkthrough 297 Transport Security 302 Message-Based Security 312 Summary 330 A Security, Cryptography, and Protocol Background Material 331 The SSL Protocol 331 Testing for Primality 333 RSA Cryptography 334 Choosing RSA Key Pairs 335 Padding 335 RSA Encryption 335 RSA Decryption 336 DSA Digital Signature Algorithms 336 DSA. Key Generation 336 DSA Algorithm Operation 337 Block Cipher Processing 337 Block Cipher Padding (PKCS#5) 337 Block Cipher Feedback 338 DES Encryption Algoritluii 338 AES Encryption Algorithm 339 Hashing Details and Requirements 339 Motivation for Using Hash Functions 340 Requirements for Digital Signature 340 SHA1 340 Collision Resistance 341 Security 341 Simplicity and Efficiency 341 Silvio Micali's FastValidation/Revocation. 341 Vilidity Check 342 Revocation 343 Canonicalization ofmessages for Digital Signature Manifests 343 CanonicalizationV1 Transform Steps 343. Canonicalization Subtleties : E%clusive Canonicalization 344

10 AV Contents Base-64 Encoding 345 PGP 346 Glossary 347 Index 367