Web Services, ebxml and XML Security

Transcription

1 Web Services, ebxml and XML Security Dr David Cheung Director Center for E-Commerce E Infrastructure Development

2 Electronic Commerce Models Business to Customer (B2C) Convenient access to services Business to Business (B2B) Automation of business process execution and information exchange across two companies Other models Government to Government (G2G) Government to Citizen (G2C), Government to Business (G2B), B2B2C, G2G2B Most modern e-commerce e services use Internet as delivery medium and XML as data format Internet + XML Web Services

3 What is ebxml? Electronic Business using extensible Markup Language B2B e-commerce standard Enables enterprises of any size, in any global region, to conduct business using the Internet Lower barriers of e-commerce adoption, esp for SMEs Jointly developed by: UN/CEFACT United Nations Center For Trade Facilitation And Electronic Business OASIS Organization for the Advancement of Structured Information Standards Version 1 finalized in May 2001

4 ebxml Business Process Model Registry Profile of Company A Profile of Company B Profile of Company B Company A Collaboration Protocol Agreement (CPA) & Business Process Specification (BPS) Company B ebxml Message Service (ebms)

5 The Need for Security We have traditional business practices working well Putting business online means putting the practices online, including security Authentication Authorization Signature - legally accepted Information integrity Confidentiality Privacy Digital Rights Management

6 Web Services & ebxml Security Both are XML-based protocols relying on Simple Object Access Protocol (SOAP) They are open e-business e standards Need open security standards Everybody knows how the security algorithm works The only secret bit: the private key PKI is naturally fit Web Services & ebxml Security leverage on XML Security, which is based on PKI technologies Never re-invent the wheel

7 Why XML-specific Security Specs? Traditional security technologies focus on binary formats Require mutually agreed, specialized software for interpretation and use Not support common XML technical approaches for managing content (e.g. URIs, XPath,, etc.) Require tight integration of security-specific specific software and applications

8 Characteristics of XML Document Consider this: <?xml version="1.0"?> <rooms> <room type="single" currency="usd" charge="50"/> <room type="double" currency="usd" charge="70"/> <room type="suite" currency="usd" charge="100"/> </rooms>

9 Characteristics of XML Document And this: <?xml version="1.0"?> <rooms> <room type="single" charge="50" currency="usd"/> <room type="double" charge="70" currency="usd"/> <room type="suite" charge="100" currency="usd"/> </rooms>

10 Characteristics of XML Document And also this: <?xml version="1.0"?> <rooms><room type="single" charge="50" currency="usd"/><room type="double" charge="70" currency="usd"/><room type="suite" charge="100" currency="usd"/> </rooms>

11 XML Canonicalization There are all the same! They have same document structure (i.e. same XML Schema) They convey the same information The canonical XML specification (W3C) has defined an algorithm to author the canonical form of XML documents Facilitate checking the message integrity Facilitate applying message security technologies

12 XML Security Defines XML vocabulary for representing security information Supports end-to to-end security Applies to whole document, to individual XML elements, and to arbitrary binary documents Consists of the following specs: XML Digital Signature (XML DigSig) XML Encryption (XML Enc) XML Key Management (XKMS) Authentication and Authorization (SAML) Authorization Rule (XACML)

13 XML Digital Signature W3C Recommendation Provides authentication and non-repudiation Applies to entire doc or individual elements, or multiple docs Allows XML variations by utilizing XML Canonicalization, e.g. whitespaces Supports counter-signatures (signs on other signatures) Signature values can be placed inline to the document

14 ebxml Headers

15 Signature Headers

16 Canonicalization

17 Sign Algorithm

18 Sign which part?

19 Sign only a portion

20 Generate digest

21 Digest output

22 Sign output

23 public key information

24 ebxml message structure

25 XML Digital Signature in Action Step 1: Canonicalize Reduce variations (e.g. double quotes vs single quotes) Step 2: Make Digest Signature is only valid if content not changed The content to be signed is represented using a short, fixed-length digest Step 3: Sign Signature is applied on the digest All algorithms used are referenced in the <Signature> element using a URI Encoding and decoding algorithms should be exactly the same

26 XML Encryption W3C Recommendation Different from SSL/TLS/VPN, XML Encryption provides confidentiality even when the document is stored at a server Applies to entire doc or individual elements, or multiple docs Can be used in conjunction with XML Digital Signatures Supports a variety of encryption algorithms and techniques

27 XML Encryption in Action Encrypt the content using a symmetric key The encrypted content is replaced by an <EncryptedData> > element Encrypt the symmetric key using the recipient s public key Package and send the encrypted content, encrypted key and necessary algorithm information together

28 XML Key Management Specification W3C Candidate Recommendation Handles public key management Defines XML message formats to support requests and responses for public key management Registration of public key Revocation Updates Can be used in conjunction with other XML Security protocols

29 Security Assertion Markup Language Defines XML vocabulary for expressing authentication and authorization assertions A request-response response protocol for conveying SAML assertions Supports single sign-on Useful for passing authentication information between applications

30 XML Access Control Markup Language Defines XML vocabulary to express authorization rules Often used in conjunction with SAML SAML defines who XACML defines who can do what A means for creating policy statements, a collection of rules applicable to a subject

31 Application: Web Services and ebxml OASIS Web Services Security (WSS) makes use of: XML Digital Signature XML Encryption SAML XACML ebxml Messaging Service makes use of: XML Digital Signature XML Encryption

32 Conclusion Open e-business e standards need open security standards XML Security standards define XML languages and processing rules for meeting common security requirements They are based on a foundation of accepted practices and technologies They work together

33 References xml-security.html#soap core/ open.org/committees/tc_home.php?wg_abbrev=security open.org/committees/tc_home.php?wg_abbrev=xacml