SOAP Security
Prof. Dr. Eric Dubuis, Berner Fachhochschule Biel
Version April 11, 2012
Overview
- Motivation
- Transport security versus SOAP security
- WS-Security stack overview
- Structure of secured SOAP messages
- Security tokens
- Encrypting SOAP messages
- Signing SOAP messages
- Timestamps
Motivation
- SOAP messages are text documents. As such, they contain valuable data in clear text.
- Such data may be confidential.
- Such data may be subject to tampering.
Starting point for SOAP security: SOAP Message Security 1.1 (WS-Security 2004), http://docs.oasis-open.org/wss/v1.1/wss-v1.1-spec-os-soapmessagesecurity.pdf
Position of SOAP Security
Layers, top to bottom:
- Application level: XML documents, protected by XML Signature and XML Encryption
- Message level: SOAP message, protected by WS-Security
- Transport level: TCP, protected by SSL/TLS
References:
- XML Signature: http://www.w3.org/tr/xmldsig-core/
- XML Encryption: http://www.w3.org/tr/xmlenc-core/
- WS-Security, SOAP Message Security: http://docs.oasis-open.org/wss/v1.1/wss-v1.1-spec-os-soapmessagesecurity.pdf
- SSL, Secure Socket Layer: http://web.archive.org/web/20080208141212/http://wp.netscape.com/eng/ssl3/
- TLS, Transport Layer Security: http://www.ietf.org/rfc/rfc4346.txt
Transport Security versus Message Security
Sketch: the client program hands the message to the SSL/TLS layer; the SSL/TLS layers on both ends exchange the messages over the pipe; on the server the SSL/TLS layer delivers the message to the server program.
- Client: messages in the clear
- In the pipe: messages encrypted back and forth
- Server: messages in the clear
SSL, Secure Socket Layer: http://web.archive.org/web/20080208141212/http://wp.netscape.com/eng/ssl3/
TLS, Transport Layer Security: http://www.ietf.org/rfc/rfc4346.txt
Transport Security versus Message Security
Transport security
  Pros: mature; big support; well understood; relatively simple
  Cons: point-to-point only; all-or-nothing security
Message security
  Pros: security attached to the message itself; selective; flexible
  Cons: complex; many standards
WS-Security Stack
(Figure: the WS-Security stack. Source: http://msdn.microsoft.com/en-us/library/aa480548.appx_interopcons_f01(en-us,msdn.10).gif)
WS-Security Namespaces For These Slides
Prefix  Short for              Namespace
ds      XML signature          http://www.w3.org/2000/09/xmldsig#
wsse    WS-Security extension  http://www.docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
wsu     Web services utility   http://www.docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
xenc    XML encryption         http://www.w3.org/2001/04/xmlenc#
Unless otherwise noted, SOAP Message Security 1.1 is addressed in these notes; see WS-Security: http://docs.oasis-open.org/wss/v1.1/wss-v1.1-spec-os-soapmessagesecurity.pdf
Extending SOAP with Security: Structure (I)

  <S:Envelope>
    <S:Header>
      <wsse:Security>
        <!-- see next slide -->
      </wsse:Security>
    </S:Header>
    <S:Body Id="body">
      <xenc:EncryptedData Id="bodyID" Type="http://www.w3.org/2001/04/xmlenc#Content">...</xenc:EncryptedData>
    </S:Body>
  </S:Envelope>

The content of the S:Body element is encrypted.
SOAP 1.1: http://www.w3.org/tr/soap11/
SOAP 1.2: http://www.w3.org/tr/soap12-part1/, http://www.w3.org/tr/soap12-part2/
Extending SOAP with Security: Structure (II)
- The optional encrypted key list carries the encrypted keys used for encryption.
- The optional reference list is a manifest of the encrypted portions of the SOAP message.
- The signatures are performed prior to encryption!

  <wsse:Security>
    ...
    <!-- XML encrypted key -->
    <xenc:EncryptedKey>...</xenc:EncryptedKey>
    <!-- XML encryption reference list -->
    <xenc:ReferenceList>
      <xenc:DataReference URI="#tokenID"/>
      <xenc:DataReference URI="#bodyID"/>
    </xenc:ReferenceList>
    <!-- security token (encrypted) -->
    <xenc:EncryptedData Id="tokenID" ...>...</xenc:EncryptedData>
    <!-- XML signature -->
    <ds:Signature>
      ...
      <ds:Reference URI="#timestamp">...</ds:Reference>
      <ds:Reference URI="#body">...</ds:Reference>
    </ds:Signature>
  </wsse:Security>
Extending SOAP with Security: Summary of Structural Elements
The following elements can be embedded within the <wsse:Security> element:
- Encrypted keys: zero, one, or more embedded keys
- Reference list: zero, one, or more references to encrypted parts
- Security tokens: zero, one, or more (but usually not more than one); security tokens may be encrypted
- Signatures: zero, one, or more XML signatures. If an XML signature is included, at minimum it signs all or part of the SOAP body.
Encrypted Key Element

  <xenc:EncryptedKey Id="_5002" ...>
    <xenc:EncryptionMethod .../>
    <ds:KeyInfo ...>
      <wsse:SecurityTokenReference>
        <ds:X509Data>
          <ds:X509IssuerSerial>
            <ds:X509IssuerName>CN=...</ds:X509IssuerName>
            <ds:X509SerialNumber>2</ds:X509SerialNumber>
          </ds:X509IssuerSerial>
        </ds:X509Data>
      </wsse:SecurityTokenReference>
    </ds:KeyInfo>
    <xenc:CipherData>
      <xenc:CipherValue>oo...yc=</xenc:CipherValue>
    </xenc:CipherData>
  </xenc:EncryptedKey>
Reference List
- Lists the encrypted parts of the SOAP message
- Optional

  <xenc:ReferenceList ...>
    <xenc:DataReference URI="#_5009"/>
    <xenc:DataReference URI="#_5010"/>
  </xenc:ReferenceList>
Security Tokens: Overview
Examples of security tokens:
- User name with password token
- X.509 certificate token (binary token)
- Kerberos ticket (binary token)
- Encrypted data token: a security token that is encrypted; the recipient knows how to decrypt it to obtain the effective token
- SAML assertion
Types of security tokens:
- User name tokens (two variants)
- Binary tokens (many)
- XML tokens (many)
- Encrypted data tokens
Security tokens are most often encrypted.
Security Tokens: User Name Token
Basic <UsernameToken> with clear-text password:

  <S:Envelope>
    <S:Header>
      ...
      <wsse:Security>
        <wsse:UsernameToken>
          <wsse:Username>alice</wsse:Username>
          <wsse:Password>ilovedogs</wsse:Password>
        </wsse:UsernameToken>
      </wsse:Security>
      ...
    </S:Header>
    ...
  </S:Envelope>

Username Token Profile 1.1: http://docs.oasis-open.org/wss/v1.1/wss-v1.1-spec-os-usernametokenprofile.pdf
Security Tokens: User Name with Password Digest
Basic idea:
- Provides an alternative to the clear-text password approach
- The sender hashes some random information together with the password
- The receiver performs the same computation
- The receiver compares the computed value with the one received
Further elements:
- Nonce: a random value to prevent replay attacks. That is, the receiver caches the values obtained so far and discards any request carrying a value it has already seen.
- Time stamp: allows the server to clear old, obsolete entries from its cache.
Password Digest = Base64 ( SHA-1 ( nonce + created + password ) )
Security Tokens: Example of User Name with Password Digest

  <wsse:Security>
    <wsse:UsernameToken xmlns:wsse="...wss-wssecurity-secext-1.0.xsd"
                        xmlns:wsu="...wss-wssecurity-utility-1.0.xsd">
      <wsse:Username>alice</wsse:Username>
      <wsse:Password Type="wsse:PasswordDigest">
        D2A12DFE8D9F0C6BB82C89B091DF5C8A872F94DC
      </wsse:Password>
      <wsse:Nonce>efd89f06ccb28c89</wsse:Nonce>
      <wsu:Created>2007-10-13T09:00:00Z</wsu:Created>
    </wsse:UsernameToken>
  </wsse:Security>

You don't see the real password here...
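The digest computation and the receiver-side check described on the two preceding slides, as an added Python example that is not part of the original slides. The user store USERS, the functions build_token and password_digest and the class DigestVerifier are hypothetical names chosen for the example; it assumes, as common implementations of the Username Token Profile do, that the Base64 nonce is decoded to its raw bytes before hashing and that Created and the password are concatenated as UTF-8.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# Constructed credential store for the example (hypothetical user, not a real one).
USERS = {"alice": "ilovedogs"}
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def password_digest(nonce_b64: str, created: str, password: str) -> str:
    """Base64(SHA-1(nonce + created + password)).

    Assumption (common reading of the profile): the nonce travels Base64
    encoded, so its raw bytes are used; Created and the password are UTF-8."""
    raw = base64.b64decode(nonce_b64) + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def build_token(username: str, password: str, created: Optional[datetime] = None) -> Dict[str, str]:
    """Sender side: fresh random nonce, UTC Created value, digest instead of the password."""
    created_txt = (created or datetime.now(timezone.utc)).strftime(TIME_FMT)
    nonce = base64.b64encode(os.urandom(16)).decode("ascii")
    return {"Username": username, "Nonce": nonce, "Created": created_txt,
            "PasswordDigest": password_digest(nonce, created_txt, password)}


class DigestVerifier:
    """Receiver side: recompute the digest and refuse replays.

    The nonce cache holds the nonces seen inside the freshness window; the
    Created value lets the receiver prune entries too old to be replayed."""

    def __init__(self, max_age: timedelta = timedelta(minutes=5)) -> None:
        self.max_age = max_age
        self.seen: Dict[str, datetime] = {}

    def verify(self, token: Dict[str, str], now: Optional[datetime] = None) -> bool:
        now = now or datetime.now(timezone.utc)
        password = USERS.get(token.get("Username", ""))
        nonce, created_txt = token.get("Nonce"), token.get("Created")
        if password is None or nonce is None or created_txt is None:
            return False
        try:
            created = datetime.strptime(created_txt, TIME_FMT).replace(tzinfo=timezone.utc)
            base64.b64decode(nonce, validate=True)  # reject a malformed nonce early
        except ValueError:
            return False
        # Freshness: Created must lie within the window, in the past or the future.
        if abs(now - created) > self.max_age:
            return False
        # Prune cache entries outside the window, then reject a nonce already used.
        self.seen = {n: c for n, c in self.seen.items() if now - c <= self.max_age}
        if nonce in self.seen:
            return False
        expected = password_digest(nonce, created_txt, password)
        if not hmac.compare_digest(expected, token.get("PasswordDigest", "")):
            return False
        self.seen[nonce] = created
        return True
```

The receiver checks the timestamp before the digest so that stale messages never enter the nonce cache, and compares digests in constant time; the cache only needs to remember nonces for as long as the freshness window allows a replay.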
Binary Security Tokens: Overview
Template for binary tokens:

  <wsse:BinarySecurityToken wsu:Id="..." EncodingType="..." ValueType="...">
    ...binary data...
  </wsse:BinarySecurityToken>

- Encoding type: how the binary data is encoded. Most often: wsse:Base64Binary
- Value type: the type of token. Can be an X.509 V3 certificate or one of the Kerberos tickets.
X.509 V3 Certificate as Binary Token
An example of an X.509 V3 certificate as a binary token looks like:

  <wsse:BinarySecurityToken Id="myX509Token" ValueType="wsse:X509v3"
      EncodingType="wsse:Base64Binary">NIFEPzQ......CrAwIBAgIQEmFExErTECA</wsse:BinarySecurityToken>

With a certificate, you authenticate yourself to the receiver by signing an element with your private key, such that the receiver can validate the signed element with the help of the certificate's public key, provided the receiver trusts the certificate authority.
X.509 Certificate Token Profile 1.1: http://www.oasis-open.org/committees/download.php/16785/wss-v1.1-spec-os-x509tokenprofile.pdf
Relating an XML Signature with an X.509 V3 Certificate
You learned: an XML signature (optionally) has a KeyInfo element:

  <ds:KeyInfo>
    <ds:KeyValue>...</ds:KeyValue>
    <ds:X509Data>...</ds:X509Data>
  </ds:KeyInfo>

WS-Security, however, recommends:

  <ds:KeyInfo>
    <wsse:SecurityTokenReference>
      <wsse:Reference URI="#myX509Token"/>
    </wsse:SecurityTokenReference>
  </ds:KeyInfo>

You don't include the certificate here, but you reference it...
Kerberos Tokens
Two types of tokens:
- Ticket Granting Ticket (TGT)
- Service Ticket (ST)
You specify the type of Kerberos token with the attribute ValueType. An example of a TGT Kerberos token looks like:

  <wsse:BinarySecurityToken wsu:Id="myKerberosToken" ValueType="wsse:Kerberosv5TGT"
      EncodingType="wsse:Base64Binary">ABCDEFG...CrAwIBAgIQEm...QwErTY</wsse:BinarySecurityToken>

Kerberos Token Profile 1.1: http://www.oasis-open.org/committees/download.php/16788/wss-v1.1-spec-os-kerberostokenprofile.pdf
XML Tokens
Several kinds of XML tokens exist:
- SAML assertions
- XrML / REL tokens
- XCBF tokens
We will discuss SAML assertions in a later session.
Encrypted Data Tokens (in <Security> Header)
- A token that needs to be decrypted by the recipient
- An <xenc:EncryptedData> element is used

  <xenc:EncryptedData Id="_5009" ...>
    <xenc:EncryptionMethod Algorithm="...#aes128-cbc"/>
    <ds:KeyInfo ...>
      <wsse:SecurityTokenReference wsse11:TokenType="...#EncryptedKey">
        <wsse:Reference URI="#_5002" ValueType="...#EncryptedKey"/>
      </wsse:SecurityTokenReference>
    </ds:KeyInfo>
    <xenc:CipherData>
      <xenc:CipherValue>yw...==</xenc:CipherValue>
    </xenc:CipherData>
  </xenc:EncryptedData>

Encrypted Data Tokens: http://docs.oasis-open.org/wss/v1.1/wss-v1.1-spec-os-soapmessagesecurity.pdf, section 6.5
Referencing Security Tokens
- In XML, you use Id and Key as identifiers.
- Different types of security tokens use different strategies for unique identifiers.
- Problem: how to reference security tokens from other places?
- Solution: WS-Security introduces Security Token References.
Within a Security Token Reference, there are three possibilities:
- direct reference to the element
- key identifier
- key name (not recommended due to the uniqueness problem)
Additional alternative: you can embed the security token directly in the Security Token Reference.
Example of a Direct Security Token Reference
A direct Security Token Reference looks like:

  <wsse:SecurityTokenReference xmlns:wsse="...wss-wssecurity-secext-1.0.xsd">
    <wsse:Reference URI="http://www.company.com/certs/alice#X509token" ValueType="wsse:X509v3"/>
  </wsse:SecurityTokenReference>
Example of a Key Identifier Security Token Reference
A Key Identifier Security Token Reference looks like:

  <wsse:SecurityTokenReference>
    <wsse:KeyIdentifier ValueType="wsse:X509v3">
      uthyqbrcgfu4xmo14md/iygyyig=
    </wsse:KeyIdentifier>
  </wsse:SecurityTokenReference>
Example of an Embedded Security Token
A security token can be embedded into a Security Token Reference:

  <wsse:SecurityTokenReference>
    <wsse:Embedded>
      <wsse:BinarySecurityToken ValueType="wsse:X509v3" EncodingType="wsse:Base64Binary" wsu:Id="X509Token">
        MIIEZzCCA9CgAwIBAgIQEmtJZc0rqrKh5i...
      </wsse:BinarySecurityToken>
    </wsse:Embedded>
  </wsse:SecurityTokenReference>
Signature
Used to sign different parts of the SOAP message:

  <ds:Signature ...>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod ...>...</ds:CanonicalizationMethod>
      <ds:SignatureMethod Algorithm="...#hmac-sha1"/>
      <ds:Reference URI="#_5003">
        <ds:Transforms>...</ds:Transforms>
        <ds:DigestMethod Algorithm=".../xmldsig#sha1"/>
        <ds:DigestValue>oyq...=</ds:DigestValue>
      </ds:Reference>
      ... <!-- many references, one per signed part of the SOAP message -->
    </ds:SignedInfo>
    <ds:SignatureValue>0...=</ds:SignatureValue>
    <ds:KeyInfo>
      <wsse:SecurityTokenReference ...>...</wsse:SecurityTokenReference>
    </ds:KeyInfo>
  </ds:Signature>
Encrypting SOAP Messages
On SOAP message encryption:
- Based on XML Encryption
- However, a few features need to be discussed in the context of SOAP encryption
- The Envelope, Header and Body tags are never encrypted
Modes of encryption:
- Shared key XML encryption
- Wrapped key XML encryption
- Encrypting attachments (not discussed)
Examples are given on the next slides.
SOAP Encryption Based on Shared Key XML Encryption
- Assume a shared key is known to the sender and the receiver
- An optional Reference List in the security header points to the parts of the message that have been encrypted:

  <S:Envelope>
    <S:Header>
      <wsse:Security>
        <xenc:ReferenceList>
          <xenc:DataReference URI="#body"/>
        </xenc:ReferenceList>
      </wsse:Security>
    </S:Header>
    <S:Body>
      <xenc:EncryptedData Id="body">
        <xenc:CipherData>...</xenc:CipherData>
      </xenc:EncryptedData>
    </S:Body>
  </S:Envelope>

The body holds the encrypted data; the shared secret key is known to the receiver.
SOAP Encryption Based on Wrapped Key XML Encryption (I)
- A generated symmetric key (the shared key) is used for encrypting (parts of) the body
- Then the shared key is encrypted using the recipient's public key

  <S:Envelope>
    <S:Header>
      <wsse:Security>
        <xenc:EncryptedKey>
          <xenc:EncryptionMethod Algorithm="..."/>
          <!-- which key to use for decrypting the shared key? -->
          <ds:KeyInfo>
            <wsse:SecurityTokenReference>
              <wsse:KeyIdentifier EncodingType="wsse:Base64Binary" ValueType="wsse:X509v3">F2J...</wsse:KeyIdentifier>
            </wsse:SecurityTokenReference>
          </ds:KeyInfo>
          <!-- the encrypted shared key -->
          <xenc:CipherData>
            <xenc:CipherValue>aecdjs78wea...yxc</xenc:CipherValue>
          </xenc:CipherData>
          <!-- what is encrypted? -->
          <xenc:ReferenceList>
            <xenc:DataReference URI="#body"/>
          </xenc:ReferenceList>
        </xenc:EncryptedKey>
      </wsse:Security>
    </S:Header>

Note: the reference list can also be outside the EncryptedKey element.
SOAP Encryption Based on Wrapped Key XML Encryption (II)
Encrypted body:

  <S:Envelope>
    ...
    <S:Body>
      <xenc:EncryptedData Id="body">
        <xenc:CipherData>
          <xenc:CipherValue>...</xenc:CipherValue>
        </xenc:CipherData>
      </xenc:EncryptedData>
    </S:Body>
  </S:Envelope>
Signing SOAP Messages
- Used for verifying message integrity
- Used for verifying security token integrity
- XML signatures are put into the security header
- The detached signature model is the only one allowed (due to the mutability of headers)
Sketch: the signature in the header references the body by its Id:

  <S:Envelope>
    <S:Header>
      <wsse:Security>
        <ds:Signature>
          <ds:Reference URI="#body">...
    ...
    <S:Body Id="body">
An Example of a Signed SOAP Message (I)

  <S:Envelope>
    <S:Header>
      <wsse:Security>
        <!-- this is an X.509 certificate used as security token -->
        <wsse:BinarySecurityToken ValueType="wsse:X509v3" EncodingType="wsse:Base64Binary"
            wsu:Id="X509Token">figezzcr...</wsse:BinarySecurityToken>
        <ds:Signature>
          <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="...xml-exc-c14n#"/>
            <ds:SignatureMethod Algorithm="...rsa-sha1"/>
            <ds:Reference URI="#body">
              <ds:Transforms>
                <ds:Transform Algorithm="...xml-exc-c14n#"/>
              </ds:Transforms>
              <ds:DigestMethod Algorithm="...#sha1"/>
              <ds:DigestValue>eulddytso1...</ds:DigestValue>
            </ds:Reference>
          </ds:SignedInfo>

(to be continued on the next slide)
An Example of a Signed SOAP Message (II)
... continued:

          <ds:SignatureValue>xld...</ds:SignatureValue>
          <ds:KeyInfo>
            <wsse:SecurityTokenReference>
              <wsse:Reference URI="#X509Token"/>
            </wsse:SecurityTokenReference>
          </ds:KeyInfo>
        </ds:Signature>
      </wsse:Security>
    </S:Header>
    <S:Body wsu:Id="body">
      <StatusRequest xmlns="http://www.mycompany.com/order">
        <OrderNumber>1234</OrderNumber>
      </StatusRequest>
    </S:Body>
  </S:Envelope>

The body is signed. The signature was produced with the private key belonging to the X.509 certificate; the receiver verifies it with the public key carried in that certificate.
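A worked detached signature over the SOAP body of the kind shown on the Signature slides, added here as a Python example; it is not code from the slides. It uses the hmac-sha1 SignatureMethod from the Signature slide with a shared key, because the standard library offers no RSA, and canonicalizes with C14N 2.0 (xml.etree.ElementTree.canonicalize) in place of the Exclusive C14N named on the slides; the sample body, the key and the function names sign_body and verify_body are constructed for the example.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("ds", DS_NS)

# Constructed sample body: the order status request from the slides, carrying
# the Id that the ds:Reference points to.
SAMPLE_BODY = (
    '<S:Body xmlns:S="http://schemas.xmlsoap.org/soap/envelope/" Id="body">'
    '<StatusRequest xmlns="http://www.mycompany.com/order">'
    '<OrderNumber>1234</OrderNumber></StatusRequest></S:Body>'
)


def c14n(xml_text: str) -> bytes:
    # Assumption: both sides canonicalize with C14N 2.0 (the only canonical
    # form in the standard library), so whitespace between elements and
    # attribute order do not change the digest or the signature.
    return ET.canonicalize(xml_data=xml_text, strip_text=True).encode("utf-8")


def digest_value(xml_text: str) -> str:
    """DigestValue of a signed part: Base64(SHA-1(canonical bytes))."""
    return base64.b64encode(hashlib.sha1(c14n(xml_text)).digest()).decode("ascii")


def signed_info(digest: str, uri: str = "#body") -> str:
    """The ds:SignedInfo element: one ds:Reference per signed part."""
    return (
        f'<ds:SignedInfo xmlns:ds="{DS_NS}">'
        '<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2006/12/xml-c14n2"/>'
        '<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>'
        f'<ds:Reference URI="{uri}">'
        '<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>'
        f'<ds:DigestValue>{digest}</ds:DigestValue></ds:Reference></ds:SignedInfo>'
    )


def sign_body(body_xml: str, key: bytes) -> str:
    """Sender: digest the body, then sign the canonical SignedInfo (not the body)."""
    si = signed_info(digest_value(body_xml))
    mac = hmac.new(key, c14n(si), hashlib.sha1).digest()
    sig_value = base64.b64encode(mac).decode("ascii")
    return (f'<ds:Signature xmlns:ds="{DS_NS}">{si}'
            f'<ds:SignatureValue>{sig_value}</ds:SignatureValue></ds:Signature>')


def verify_body(signature_xml: str, body_xml: str, key: bytes) -> bool:
    """Receiver: check the signature over SignedInfo, then every Reference digest."""
    sig = ET.fromstring(signature_xml)
    si = sig.find(f"{{{DS_NS}}}SignedInfo")
    if si is None:
        return False
    # 1. The HMAC covers the canonical SignedInfo, which carries the digests.
    expected = hmac.new(key, c14n(ET.tostring(si, encoding="unicode")), hashlib.sha1).digest()
    try:
        got = base64.b64decode(sig.findtext(f"{{{DS_NS}}}SignatureValue", default=""))
    except ValueError:
        return False
    if not hmac.compare_digest(expected, got):
        return False
    # 2. Each Reference must point at a part we know and match its digest.
    refs = si.findall(f"{{{DS_NS}}}Reference")
    if not refs:
        return False
    for ref in refs:
        if ref.get("URI") != "#body":
            return False  # only the body is covered in this example
        claimed = ref.findtext(f"{{{DS_NS}}}DigestValue", default="")
        if not hmac.compare_digest(claimed, digest_value(body_xml)):
            return False
    return True
```

Two points the slides' structure implies but that are easy to get wrong in code: the signature value is computed over SignedInfo, so a verifier that checks only the MAC and never recomputes the Reference digests accepts a modified body; and verifying against the canonical form is what makes a reformatted but otherwise unchanged body still validate.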
Signing and Encrypting a SOAP Message
If a producer signs a message before encryption, then the following ordering is applied:
- The <Signature> element with all <Reference> elements is computed and added to the <Security> header.
- The encryption elements such as <EncryptedKey>, <ReferenceList>, and <EncryptedData> are added to the <Security> header in front of the <Signature> element.
The slide sketches this order accordingly. If encryption is used first and then signing, the order changes accordingly (order matters).
Message Time Stamps
- WS-Security defines message timestamps
- Message timestamps define the freshness of a message
- Message timestamps are introduced in the header
- Message timestamps should be signed
Example:

  <S:Envelope>
    <S:Header>
      <wsu:Timestamp>
        <wsu:Created>2001-04-03T08:42:00Z</wsu:Created>
        <wsu:Expires>2001-04-04T09:00:00Z</wsu:Expires>
      </wsu:Timestamp>
      ...
    </S:Header>
    <S:Body>
      ...
    </S:Body>
  </S:Envelope>
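A receiver-side freshness check on the wsu:Timestamp header, added as a Python example that is not part of the slides. The envelope is constructed around the slide's Created and Expires values; the clock-skew allowance, the default lifetime assumed when Expires is absent, and the function name check_timestamp are assumptions of the example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
S_NS = "http://schemas.xmlsoap.org/soap/envelope/"

# Constructed sample envelope carrying the timestamp from the slide.
SAMPLE_ENVELOPE = f"""<S:Envelope xmlns:S="{S_NS}" xmlns:wsu="{WSU_NS}">
  <S:Header>
    <wsu:Timestamp wsu:Id="timestamp">
      <wsu:Created>2001-04-03T08:42:00Z</wsu:Created>
      <wsu:Expires>2001-04-04T09:00:00Z</wsu:Expires>
    </wsu:Timestamp>
  </S:Header>
  <S:Body/>
</S:Envelope>"""


def parse_utc(text: str) -> datetime:
    """Parse an xsd:dateTime in UTC (assumption: trailing Z, optional fraction)."""
    text = text.strip()
    if not text.endswith("Z"):
        raise ValueError("timestamp must be in UTC")
    for fmt in ("%Y-%m-%dT%H:%M:%S", "%Y-%m-%dT%H:%M:%S.%f"):
        try:
            return datetime.strptime(text[:-1], fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("malformed timestamp")


def check_timestamp(envelope_xml: str, now: datetime,
                    skew: timedelta = timedelta(minutes=5),
                    default_ttl: timedelta = timedelta(minutes=5)) -> str:
    """Return "ok" or the reason the message is rejected as not fresh."""
    root = ET.fromstring(envelope_xml)
    ts = root.find(f"{{{S_NS}}}Header/{{{WSU_NS}}}Timestamp")
    if ts is None:
        return "missing timestamp"
    created_txt = ts.findtext(f"{{{WSU_NS}}}Created")
    expires_txt = ts.findtext(f"{{{WSU_NS}}}Expires")
    if created_txt is None:
        return "missing Created"
    try:
        created = parse_utc(created_txt)
        # Assumption: without Expires the receiver applies its own short lifetime.
        expires = parse_utc(expires_txt) if expires_txt is not None else created + default_ttl
    except ValueError:
        return "malformed timestamp"
    if expires <= created:
        return "Expires not after Created"
    # Tolerate a small clock difference between sender and receiver.
    if created - now > skew:
        return "created in the future"
    if now - skew >= expires:
        return "expired"
    return "ok"
```

The check is only meaningful if the Timestamp element is covered by the message signature, as the slide requires; otherwise an intermediary could move the window at will.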