Securing Web Services with WS-Security




Securing Web Services with WS-Security: Demystifying WS-Security, WS-Policy, SAML, XML Signature and XML Encryption

Jothy Rosenberg, David L. Remy

Sams Publishing, 800 East 96th Street, Indianapolis, Indiana 46240

Table of Contents

Forewords

Introduction
  Who This Book Is For
  About This Book
  How This Book Is Organized

1 Basic Concepts of Web Services Security
  Web Services Basics: XML, SOAP, and WSDL
  XML and XML Schema
  SOAP
  WSDL
  UDDI
  Application Integration
  B2B Business Process Integration
  Portals
  Service-Oriented Architectures
  Definition of Web Services
  Security Basics
  Shared Key and Public Key Technologies
  Security Concepts and Definitions
  Web Services Security Basics
  XML Signature
  XML Encryption
  SAML
  WS-Security
  Trust Issues
  Other WS-Security-Related Specs
  Summary

2 The Foundations of Web Services
  The Gestalt of Web Services
  Application Integration
  The Evolution of Distributed Computing
  The Inevitability of Web Services
  Security Challenges
  XML: Meta-Language for Data-Oriented Interchange
  Where XML Came From and Why It's Important
  XML and Web Services
  XML Namespaces
  XML Schema
  XML Transformations
  XML's Role in Web Services Security
  SOAP: XML Messaging and Remote Application Access
  Where SOAP Came From and Why It's Important
  SOAP Envelope
  SOAP Header
  SOAP Body
  SOAP Processing
  SOAP Attachments
  SOAP and Web Services Security
  WSDL: Schema for XML/SOAP Objects and Interfaces
  Where WSDL Came From and Why It's Important
  WSDL Elements
  WSDL and SOAP
  WSDL and Web Services Security
  UDDI: Publishing and Discovering Web Services
  ebXML and RosettaNet: Alternative Technologies for Web Services
  The Web Services Security Specifications
  Summary

3 The Foundations of Distributed Message-Level Security
  The Challenges of Information Security for Web Services
  Security of Distributed Systems Is Hard
  Security of Exchanged Information (Messages) Is Harder
  Security of Web Services Is Hardest
  Shared Key Technologies
  Shared Key Encryption
  Kerberos
  Limitations of Shared Key Technologies
  Public Key Technologies
  Public Key Encryption
  Limitations of Public Key Encryption
  Digital Signature Basics
  A Digital Signature Expressed in XML
  Public Key Infrastructure
  SSL Transport Layer Security
  Summary

4 Safeguarding the Identity and Integrity of XML Messages
  Introduction To and Motivation for XML Signature
  A W3C Standard
  Critical Building Block for WS-Security
  Close Associations with Web Services Security
  The Goal of Ensuring Integrity (and Usually Identity) and Non-repudiation Persistently
  XML Signature and XML Encryption: Fundamental Web Services Security Technologies
  XML Signature Fundamentals
  XML Signature Structure
  Basic Structure
  Specifying the Items Being Signed
  Types of XML Signatures
  The Signature Element Schema
  XML Signature Processing
  XML Signature Generation
  XML Signature Validation
  The XML Signature Elements
  The SignedInfo Element
  The CanonicalizationMethod Element and Canonicalization
  The SignatureMethod Element
  The Reference Element
  The Transform Element
  The DigestMethod Element
  The DigestValue Element
  The SignatureValue Element
  The Object Element
  The KeyInfo Element
  Security Strategies for XML Signature
  Using Transforms
  Knowing the Security Model
  Knowing Your Keys
  Signing Object Elements
  Signing DTDs with Entity References
  Summary

5 Ensuring Confidentiality of XML Messages
  Introduction to and Motivation for XML Encryption
  Relating XML Encryption and XML Signature
  Critical Building Block for WS-Security
  The Goal Is to Ensure Confidentiality of Messages from End to End with Different Recipients
  Think Shared Key Cryptography When You Think of XML Encryption
  XML Encryption Will Become Part of the Infrastructure Like XML Signature
  XML Encryption Fundamentals
  XML Encryption Structure
  EncryptedData: The Core of XML Encryption
  EncryptedData Schema
  EncryptedType
  EncryptionMethod
  CipherData
  EncryptionProperties
  KeyInfo
  EncryptedKey
  AgreementMethod
  ReferenceList
  CarriedKeyName
  Super Encryption
  XML Encryption Processing
  Encryption Process
  Decryption Process
  Using XML Encryption and XML Signature Together
  The Decryption Transform for XML Signature
  XML Encryption and XML Signature Strategies
  Summary

6 Portable Identity, Authentication, and Authorization
  Introduction to and Motivation for SAML
  The Problems SAML Addresses
  Transporting Identity or "Portable Trust"
  The Concept of Trust Assertions
  How SAML Works
  SAML Assertions
  SAML Producers and Consumers
  SAML Protocol
  Authorization Request
  SAML Bindings
  SAML Profiles
  Using SAML with WS-Security
  The WS-Security SAML Profile
  Applying SAML: Project Liberty
  The Identity Problem
  Federated Identity
  How Liberty Uses SAML
  The Microsoft Passport Alternative Approach
  Summary

7 Building Security into SOAP
  Introduction to and Motivation for WS-Security
  Problems and Goals
  The Origins of WS-Security
  WS-Security Is Foundational
  Extending SOAP with Security
  Security Tokens in WS-Security
  UsernameToken
  BinarySecurityTokens
  XML Tokens
  Referencing Security Tokens
  Providing Confidentiality: XML Encryption in WS-Security
  Shared Key XML Encryption
  Wrapped Key XML Encryption
  Encrypting Attachments
  WS-Security Encryption Summary
  Providing Integrity: XML Signature in WS-Security
  XML Signature for Validating a Security Token
  XML Signature for Message Integrity
  XML Signature in WS-Security Considerations
  WS-Security XML Signature Example
  Signing a Security Token Reference
  Message Time Stamps
  Summary

8 Communicating Security Policy
  WS-Policy
  WS-Policy and WSDL
  WS-Policy and WS-SecurityPolicy
  The WS-Policy Framework
  WS-Policy Details
  WS-PolicyAssertions
  WS-PolicyAttachment
  Specifying WS-Policy in WSDL
  WS-SecurityPolicy
  SecurityToken
  Integrity
  Confidentiality
  Visibility
  SecurityHeader
  MessageAge
  Summary

9 Trust, Access Control, and Rights for Web Services
  The WS-* Family of Security Specifications
  WS-* Security Specifications for Trust Relationships
  WS-* Security Specifications for Interoperability
  WS-* Security Specifications for Integration
  XML Key Management Specification (XKMS)
  Origins of XKMS
  Goals of XKMS
  The XKMS Services
  eXtensible Access Control Markup Language (XACML) Specification
  The XACML Data Model
  XACML Operation
  XACML Policy Example
  eXtensible Rights Markup Language (XrML) Management Specification
  The XrML Data Model
  XrML Use Case Example
  Summary

10 Building a Secure Web Service Using BEA's WebLogic Workshop
  Security Layer Walkthrough
  Transport-Level Security
  Message-Level Security
  Role-Based Security
  WebLogic Workshop Web Service Walkthrough
  Transport Security
  Message-Based Security
  Summary

A Security, Cryptography, and Protocol Background Material
  The SSL Protocol
  Testing for Primality
  RSA Cryptography
  Choosing RSA Key Pairs
  Padding
  RSA Encryption
  RSA Decryption
  DSA Digital Signature Algorithms
  DSA Key Generation
  DSA Algorithm Operation
  Block Cipher Processing
  Block Cipher Padding (PKCS#5)
  Block Cipher Feedback
  DES Encryption Algorithm
  AES Encryption Algorithm
  Hashing Details and Requirements
  Motivation for Using Hash Functions
  Requirements for Digital Signature
  SHA1
  Collision Resistance
  Security
  Simplicity and Efficiency
  Silvio Micali's Fast Validation/Revocation
  Validity Check
  Revocation
  Canonicalization of Messages for Digital Signature Manifests
  Canonicalization V1 Transform Steps
  Canonicalization Subtleties: Exclusive Canonicalization
  Base-64 Encoding
  PGP

Glossary

Index