Web Services Introduction WS-Security XKMS

Transcription

1 Web Service Security Wolfgang Werner HP Decus Bonn Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice Agenda Web Services Introduction WS-Security XKMS 1

2 Web Services Introduction What is a Web Service? Problem taking different applications running on different operating systems built with different object models using different programming languages and turning them into Web applications. Web Services Introduction What is a Web Service? Web services are building blocks for constructing distributed Web-based applications allows a site to expose programmatic functionality via the Internet are based on open Internet standards such as HTTP, XML, SOAP can be consumed by applications implemented in any language for any platform 2

3 Web Services Introduction: Example Web Service WebService Language="C#" Class="HelloW" %> using System.Web.Services; [WebService(Namespace="urn:HelloW")] public class HelloW : WebService { [ WebMethod ] public string sayhelloto(string name) { return "Hello World " + name; } } Web Services Introduction: SOAP Today's distributed applications use binary protocolls like DCOM and CORBA/IIOP DCOM and CORBA/IIOP don't work in Internet scenarios HTTP is supported widely 3

4 Web Services Introduction: SOAP Simple Object Access Protocol (SOAP) Provides the mechanism for Web Services to communicate with clients and each other 'RPC over the Internet' SOAP uses HTTP as RPC-style transport XML for data encoding Web Services Introduction: SOAP POST /string_server/object17 HTTP/1.1 Host: Content-Type: text/xml Content-Length: 152 SOAPMethodName: urn:strings-com:istring#sayhelloto <SOAP-ENV:Envelope xmlns:soap-env=" <SOAP-ENV:Header></SOAP-ENV:Header> <SOAP-ENV: Body> <m:sayhelloto xmlns:m='urn:strings-com:istring'> <thestring>hello, World</theString> </m: sayhelloto> </SOAP-ENV:Body> </ SOAP-ENV:Envelope> 4

5 Web Services Introduction: Caveats of Webservices Reliability Accounting Performance Trust Security Web Services Introduction: SSL Secure Sockets Layer Open standard Establishes a secure channel between two parties Uses strong encryption 128-bit keys Transport Layer Security TLS Version 1.0 (RFC 2246) the successor of SSL 5

6 Web Services Introduction: SSL mytravel.com Web Server 1 Client requests secure channel 2 Server sends public key certificate 3 Client verifies certificate and sends session key 4 Client sends its public key certificate 5 Server verifies certificate and sends session key 6 Client and Server communicate secure with session key Web Service Introduction: SSL SSL only secures the transmission of the data Integrity not maintained No possibility to sign or encrypt only parts of a document 6

7 Agenda Web Services Introduction WS-Security XKMS WS-Security: Introduction Lack of standardized security No cross-platform open communication Microsoft, IBM and Verisign designed a security modell called "Web Services Security" (WS-Security) Security for Web Services through message integrity, message confidentiality and message authentication 7

8 WS-Security: Introduction Message integrity XML Signature (W3C) Message confidentiality XML Encryption (W3C) Message authentication User Name, X509 Certificates and Kerberos WS-Security: Introduction WS-Security is an additional SOAP header <Soap:Envelope > <Soap:Header>... <Credentials > <UsernameToken...> <Username> </Username> <Password Type= > </Password> </UsernameToken> </Credentials>... </Soap:Header>... <Soap:Body> </Soap:Body> </Soap:Envelope> 8

9 WS-Security: Introduction Placing security related information into the header enables the SOAP processor to handle the token verification seperately allows to pass and remove specific information to different actors (receivers) Keyinfo, DigestMethod, WS-Security: XML Signature The ability to digitally sign a document is not a new concept Apply to the entire document Focused on message transportation There is no standard mechanism to sign only specific portions of a document have multiple signatures on different parts of the document manage persistant signature information 9

10 WS-Security: XML Signature Goals: Represent signatures in standard XML format Support signing of specific portions of an XML document Sign arbitrary digital content Including binary data such as JPEG images WS-Security: XML Signature Signature creatiuon and validation must occur on the same bits Canonical XML ( Ensure identical physical representation of logically equivalent XML documents Serializing to a standard form 10

11 WS-Security: XML Signature <Signature xmlns=" <SignedInfo> <CanonicalizationMethod Algorithm=" /> <SignatureMethod Algorithm=" /> <Reference URI="#StudentData"> <DigestMethod Algorithm=" /> <DigestValue>UAbcP0xOFEf0ta6/EVhV9shjXCs=</DigestValue> </Reference> </SignedInfo> <SignatureValue>WE7ZXjb7kGX5d1MOW...</SignatureValue> <Object Id="StudentData"> <Loans> data here. </Loans> </Object> </Signature> WS-Security: XML Signature <SignedInfo> <KeyInfo> <X.509Data xmlns=" <X509Certificate> 9EL4LqrfV8IRXU...bbHcsdMSeZn3En+htDHjM </X.509Certificate> </X509Data> </KeyInfo> </SignedInfo> 11

12 WS-Security: XML Encryption Process to encrypt and decrypt digital content and represent the encrypted content in XML Encrypt only specific portions of a document Have multiple parties encrypt different parts of the document Peristant Storage WS-Security: XML Encryption Supports encryption of Entire XML documents Elements Contents of an element Arbitrary data Builds on exisiting algorithms Provides a standard representation format 12

13 WS-Security: XML Encryption <?xml version="1.0"?> <EncryptedData xmlns=" MimeType="text/xml"> <CipherData> <CipherValue> ys3dhtac.. GDSb3 </CipherValue> </CipherData> </EncryptedData> WS-Security: XML Encryption <Observation doctor="tim Smith" id="bloodpressure"> <EncryptedData xmlns=" Type=" <CipherData> <CipherValue> ys3dhtac.. GDSb3 </CipherValue> </CipherData> </EncryptedData> </Observation> 13

14 WS-Security: Message Authentication Security token propagation Informs the web service who requires the service Username and password information <UsernameToken> Binary formats (X.509 certificates, Kerberos tickets <BinarySecurityToken> WS-Security: Message Authentication <Security> <UsernameToken> <Username>Peter</Username> <Password type="passworddigest"> Q67vzYSMAKonUOFXy19TcMSq4U </Password> </UsernameToken> </Security> <!--A digest is a base64 encoded SHA1 hash value --> 14

15 WS-Security: Message Authentication <Security> <BinarySecurityToken xmlns:wsse=" ValueType="X509v3" Id="myToken" EncodingType="Base64Binary"> MIIEZzCCA9CgAwIBAgIQEmtJZc0... </BinarySecurityToken> </Security> <!-- ValueTypes: X509v3 X.509 v3 certificate Kerberosv5TGT Kerberos v5 TGT ticket. Kerberosv5ST Kerberos v5 service ticket. --> WS-Security: Summary Microsoft has released Web Services Enhancements 1.0 for Microsoft.NET, (WSE) WSE is a.net library that utilize the WS-Security specification WSE has superseded the Web Services Development Kit (WSDK) 15

16 Agenda Web Services Introduction WS-Security XKMS XKMS XKMS: XML Key Management Specification XML Signature and XML Encryption are generally based on PKI PKI based on public and private key pairs(asymmetric encryption) Organizations who wish to communticate exchange their public keys 16

17 XKMS Problems Locating the public keys Key verification Handle multiple PKI implementations No longer XML based Increased complexity of applications XKMS XKMS is a W3C initiative Original input from Microsoft, Verisign and WebMethods Web service for management of PKI based cryptographic keys Applications delegate all PKI processing tasks to a third party trust service 17

18 XKMS Benefits Simplifies usage of XML Signature and XML Encryption Builds a layer of abstraction between the application and multiple PKI implementations Moves the complexety of managing PKI out to the infrastructure level Fits smoothly into the web service environment XKMS mytravel.com Encryted, signed message 1 Key registration Locate myhotel.com Public key 3 XKMS Server myhotel.com Locate and validate mytravel.com Public key PKI Database PKI Server 18

19 XKMS XKMS is comprised of two parts XML Key Information Service Specification (XKISS) Locate service Validate service XML Key Registration Service Specification (XKRSS) Register service XKMS XKISS Direct processing support for the ds:keyinfo element used by XML Encryption and XML Signature Based on any PKI like X.509, SPKI or PGP Locate and validate public keys 19

20 XKMS XKISS Locate Service Retrieve a public key registered Resolve the ds:keyinfo element and provide the client with the required public key information May use local data, relay the request to other servers or act as a gateway to an underlying PKI infrastructure XKMS <SOAP:Envelope> <LocateRequest> <KeyInfoQuery> <ds:keyname>myhotel.com</ds:keyname> </KeyInfoQuery> </LocateRequest> </SOAP:Envelope> Get public key (proprietary format) <SOAP:Envelope> <LocateResult> <ds:keyinfo> <ds:keyname>myhotel.com</ds:keyname> <ds:keyvalue>...afg7we7...</ds:keyvalue> </dskeyinfo> </LocateResult> </SOAP:Envelope> mytravel.com xkms.verisign.com PKI infrastructure 20

21 XKMS XKISS Validate Service provides the functionallity of the Locate Service and key validation Key - name binding Key status Validity period Key usage Not revoked XKMS XKISS security issues Communication between the client and the trust service must be secure Authenticity Integrity Correspondance XKISS specification recommends Digital signatures Transport layer security Packet layer security 21

22 XKMS XKRSS Register Service Support for registration and further management of public key information Generate or register public/private key pairs Support for the entire certificate life cycle XKMS The generation of public and private keys can be delegated to the XKRSS service to generate a public and private key pair Advantage: the responsibility of maintaining a private key goes with the service provider Disadvantage: the private key information is exposed to the service provider.??? be completed at the client's end??? 22

23 XKMS Support for the entire certificate life cycle Register Reissue Revocation Recovery XKMS Client authentication: XKRSS specification does not specify any authentication policy Left to the trust service provider Shared secret most commonly used 23

24 XKMS: Implementations Entrust Verisign Phaos XKMS &.Net Not covered... XACML XTAML SAML Liberty Alliance Passport P3P authxml WS-Policy WS-Trust WS-SecureConversation WS-SecurityPolicy... 24