Last week…. XML-family XML-Encryption Objective
Posted on 21-Dec-2015
Last week…
Web Services: XML-family, SOAP, Web Service Security framework
Web Services & Security, 18-1-2006 - v22
Securing Web Services with WS-Security, by Jothy Rosenberg, David L. Remy, Sams Publishing, 2004, ISBN 0-672-32651-5
XML-family
XML-Encryption
Objective
XML-Encryption structure
Resulting Schema shorthand
<EncryptedData Id? Type? MimeType? Encoding?>
  <EncryptionMethod/>?
  <ds:KeyInfo>
    <EncryptedKey>?
    <AgreementMethod>?
    <ds:KeyName>?
    <ds:RetrievalMethod>?
    <ds:*>?
  </ds:KeyInfo>?
  <CipherData>
    <CipherValue>?
    <CipherReference URI?>?
  </CipherData>
  <EncryptionProperties>?
</EncryptedData>
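As an added example (not from the slides or the book): a small Python reader for the schema shorthand above. It walks one <EncryptedData> element, reports which optional parts are present (EncryptionMethod, the kind of KeyInfo, CipherValue versus CipherReference) and descends into a wrapped <EncryptedKey>. The two sample elements are constructed for the example and their cipher values are placeholders; the namespace URIs are the real XML-Encryption and XML-Signature ones.

```python
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample 1: element-encrypted data whose symmetric key is wrapped in
# an <EncryptedKey> for a named recipient key. Cipher values are placeholders.
SAMPLE = f"""
<xenc:EncryptedData xmlns:xenc="{XENC}" xmlns:ds="{DS}" Id="ed1" Type="{XENC}Element">
  <xenc:EncryptionMethod Algorithm="{XENC}aes128-cbc"/>
  <ds:KeyInfo>
    <xenc:EncryptedKey>
      <xenc:EncryptionMethod Algorithm="{XENC}rsa-1_5"/>
      <ds:KeyInfo><ds:KeyName>recipient-rsa-key</ds:KeyName></ds:KeyInfo>
      <xenc:CipherData><xenc:CipherValue>V1JBUFBFREtFWQ==</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedKey>
  </ds:KeyInfo>
  <xenc:CipherData><xenc:CipherValue>Q0lQSEVSVEVYVA==</xenc:CipherValue></xenc:CipherData>
</xenc:EncryptedData>
"""

# Constructed sample 2: the ciphertext lives outside the element (CipherReference)
# and the key is identified directly by name.
SAMPLE_REF = f"""
<xenc:EncryptedData xmlns:xenc="{XENC}" xmlns:ds="{DS}" Id="ed2" MimeType="image/png">
  <xenc:EncryptionMethod Algorithm="{XENC}aes128-cbc"/>
  <ds:KeyInfo><ds:KeyName>shared-session-key</ds:KeyName></ds:KeyInfo>
  <xenc:CipherData><xenc:CipherReference URI="cid:attachment-1"/></xenc:CipherData>
</xenc:EncryptedData>
"""


def describe_encrypted_data(elem):
    """Return a dict describing one EncryptedData (or EncryptedKey) element."""
    if elem.tag not in (f"{{{XENC}}}EncryptedData", f"{{{XENC}}}EncryptedKey"):
        raise ValueError(f"not an xenc element: {elem.tag}")
    info = {"id": elem.get("Id"), "type": elem.get("Type"),
            "mime_type": elem.get("MimeType"), "algorithm": None,
            "key_info": None, "cipher": None}
    method = elem.find(f"{{{XENC}}}EncryptionMethod")          # optional
    if method is not None:
        info["algorithm"] = method.get("Algorithm")
    key_info = elem.find(f"{{{DS}}}KeyInfo")                      # optional
    if key_info is not None:
        wrapped = key_info.find(f"{{{XENC}}}EncryptedKey")
        name = key_info.find(f"{{{DS}}}KeyName")
        retrieval = key_info.find(f"{{{DS}}}RetrievalMethod")
        if wrapped is not None:   # key is itself encrypted: recurse into it
            info["key_info"] = {"kind": "EncryptedKey", "wrapped": describe_encrypted_data(wrapped)}
        elif name is not None:
            info["key_info"] = {"kind": "KeyName", "name": name.text}
        elif retrieval is not None:
            info["key_info"] = {"kind": "RetrievalMethod", "uri": retrieval.get("URI")}
        else:
            info["key_info"] = {"kind": "other"}
    cipher_data = elem.find(f"{{{XENC}}}CipherData")              # mandatory
    if cipher_data is None:
        raise ValueError("CipherData is mandatory")
    value = cipher_data.find(f"{{{XENC}}}CipherValue")
    reference = cipher_data.find(f"{{{XENC}}}CipherReference")
    if value is not None:
        info["cipher"] = {"kind": "CipherValue", "length": len(value.text or "")}
    elif reference is not None:
        info["cipher"] = {"kind": "CipherReference", "uri": reference.get("URI")}
    else:
        raise ValueError("CipherData needs a CipherValue or a CipherReference")
    return info


def describe(xml_text):
    """Parse a string and describe its root EncryptedData element."""
    return describe_encrypted_data(ET.fromstring(xml_text))
```

The reader only checks structure, not cryptography: a receiver would still have to decrypt the wrapped key with the private key named by KeyName and then the data with it.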
Web service security: Part 2
Combining XML-Encryption with XML-Signature
Example Enc & Sig 1: Protecting Integrity of <EncryptedData> (1/2)
EncryptedData for SSNo.: Ciphered SSNo., with Key (1) info belonging to the Ciphered SSNo.
EncryptedData for Key: Encrypted Key to decrypt the Ciphered SSNo., with Key (2) info belonging to the Encrypted Key
Signature: SignedInfo refers to the EncryptedData for SSNo. (Digest of EncryptedData for SSNo.); Signature of SignedInfo; Key (3) info to verify the Signature
Example Enc & Sig 1: Protecting Integrity of <EncryptedData> (2/2)
Reasonable Statement
Iff: confident keys are associated with sender & recipient AND private keys are not compromised
Then: “This document was prepared by David Remy and can only be read by Jothy Rosenberg”
SfE (Signing follows Encryption): however...
<Signature> & <EncryptedData> are detached
<Signature> can be removed without being noticed
<Signature> can even be replaced: "Signed by David Copperfield"
Need Policy: If encrypted, then also signed
BTW: what's the order of processing?
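As an added example (not from the slides): the receiver-side check that the policy "if encrypted, then also signed" calls for, applied to the SfE layout of Example 1. It builds a document with an <EncryptedData Id="ssno"> and a detached <ds:Signature> whose Reference carries a digest of that element, then verifies that every EncryptedData is covered by a Reference, that the digests still match, and that the signature validates. The signature primitive is a stand-in: HMAC-SHA256 with a shared key over the canonicalized <SignedInfo> instead of a real RSA/X.509 XML-Signature; the element names, namespaces and digest method follow the XML-Signature and XML-Encryption specifications, the ciphertext is a placeholder.

```python
import base64
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"
DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("xenc", XENC)
ET.register_namespace("ds", DS)


def c14n(elem):
    """Canonical XML 1.0 of one element (stdlib C14N, whitespace-only text stripped)."""
    return ET.canonicalize(ET.tostring(elem, encoding="unicode"), strip_text=True)


def digest_b64(elem):
    """Base64(SHA-256(C14N(elem))): the DigestValue a ds:Reference carries."""
    return base64.b64encode(hashlib.sha256(c14n(elem).encode()).digest()).decode()


def signature_value(key, signed_info):
    """Stand-in for an XML-Signature: HMAC-SHA256 over the canonical SignedInfo."""
    return hmac.new(key, c14n(signed_info).encode(), hashlib.sha256).digest()


def build_sfe_document(key, ciphertext_b64):
    """Constructed SfE sample: <EncryptedData Id="ssno"> plus a detached
    <ds:Signature> whose single Reference covers the EncryptedData."""
    root = ET.Element("Document")
    ed = ET.SubElement(root, f"{{{XENC}}}EncryptedData", Id="ssno", Type=f"{XENC}Element")
    ET.SubElement(ed, f"{{{XENC}}}EncryptionMethod", Algorithm=f"{XENC}aes128-cbc")
    cipher_data = ET.SubElement(ed, f"{{{XENC}}}CipherData")
    ET.SubElement(cipher_data, f"{{{XENC}}}CipherValue").text = ciphertext_b64
    sig = ET.SubElement(root, f"{{{DS}}}Signature")
    signed_info = ET.SubElement(sig, f"{{{DS}}}SignedInfo")
    ref = ET.SubElement(signed_info, f"{{{DS}}}Reference", URI="#ssno")
    ET.SubElement(ref, f"{{{DS}}}DigestMethod", Algorithm=f"{XENC}sha256")
    ET.SubElement(ref, f"{{{DS}}}DigestValue").text = digest_b64(ed)
    sv = ET.SubElement(sig, f"{{{DS}}}SignatureValue")
    sv.text = base64.b64encode(signature_value(key, signed_info)).decode()
    return root


def check_policy(root, key):
    """Policy 'if encrypted, then also signed'. ok is True only if at least one
    Signature verifies, every Reference digest matches, and every
    <EncryptedData Id> is covered by a Reference."""
    by_id = {e.get("Id"): e for e in root.iter() if e.get("Id")}
    encrypted = {e.get("Id") for e in root.iter(f"{{{XENC}}}EncryptedData")}
    signed, sig_results, digests_ok = set(), [], True
    for sig in root.iter(f"{{{DS}}}Signature"):
        signed_info = sig.find(f"{{{DS}}}SignedInfo")
        claimed = base64.b64decode(sig.findtext(f"{{{DS}}}SignatureValue", ""))
        sig_results.append(hmac.compare_digest(claimed, signature_value(key, signed_info)))
        for ref in signed_info.iter(f"{{{DS}}}Reference"):
            target = by_id.get(ref.get("URI", "").lstrip("#"))
            if target is None:
                digests_ok = False          # dangling reference
                continue
            signed.add(target.get("Id"))
            if ref.findtext(f"{{{DS}}}DigestValue") != digest_b64(target):
                digests_ok = False          # referenced element was modified
    unsigned = encrypted - signed
    signature_ok = bool(sig_results) and all(sig_results)
    return {"unsigned": unsigned, "digests_ok": digests_ok,
            "signature_ok": signature_ok,
            "ok": signature_ok and digests_ok and not unsigned}


def demo(key=b"shared-demo-key"):
    """Intact message; the same message with its Signature stripped (which
    XML-Encryption alone cannot notice); and one whose ciphertext was altered."""
    intact = build_sfe_document(key, "Q0lQSEVSVEVYVA==")   # constructed placeholder ciphertext
    stripped = copy.deepcopy(intact)
    stripped.remove(stripped.find(f"{{{DS}}}Signature"))
    tampered = copy.deepcopy(intact)
    tampered.find(f".//{{{XENC}}}CipherValue").text = "QUxURVJFRA=="
    return check_policy(intact, key), check_policy(stripped, key), check_policy(tampered, key)
```

The stripped variant is exactly the "signature removed without being noticed" case: the EncryptedData is still perfectly decryptable, and only the policy check, not the decryption, reports that it is unsigned.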
Example Enc & Sig 2: Encryption follows Signing (1/3)
<Order>
  <LineItem sku="82394" quantity="1">
    <ProductName>Birdcage</ProductName>
  </LineItem>
  <Customer id="customer" custNum="A2345">
    <FirstName>Fred</FirstName>
    <MiddleInit>L</MiddleInit>
    <LastName>Jones</LastName>
    <CreditCard>
      <CreditCardType>VISA</CreditCardType>
      <CreditCardNumber>43343456343566</CreditCardNumber>
      <CreditCardExpiration>10/08</CreditCardExpiration>
    </CreditCard>
  </Customer>
</Order>
The original Order
Example Enc & Sig 2: Encryption follows Signing (2/3)
<Order>
  <LineItem sku="82394" quantity="1">
    <ProductName>Birdcage</ProductName>
  </LineItem>
  <Customer id="customer" custNum="A2345">
    <Name . . . />
    <CreditCard . . . />
    <Signature>
      <SignedInfo>
        <CanonicalizationMethod Algorithm=". . ." />
        <SignatureMethod Algorithm=". . ." />
        <Reference URI="#customer">
          <Transform Algorithm=".../#envelopedSignature" />
          <DigestMethod Algorithm=". . ." />
          <DigestValue>. . .</DigestValue>
        </Reference>
      </SignedInfo>
      <SignatureValue>. . .</SignatureValue>
      <KeyInfo>
        <X509Data>
          <X509SubjectName>O=MyCompany,OU=Engineering,CN=David Remy</X509SubjectName>
        </X509Data>
      </KeyInfo>
    </Signature>
  </Customer>
</Order>
The Order, signed by David Remy (enveloped signature inside <Customer>)
Example Enc & Sig 2: Encryption follows Signing (3/3)
<Order>
  <LineItem sku="82394" quantity="1">
    <ProductName>Birdcage</ProductName>
  </LineItem>
  <EncryptedData id="encryptedData1" Type="Element">
    <EncryptionMethod Algorithm=". . ." />
    <CipherText>
      <CipherValue>. . .</CipherValue>
    </CipherText>
    <KeyInfo>
      <EncryptedKey>
        <EncryptionMethod Algorithm=". . ." />
        <CipherText>
          <CipherValue>. . .</CipherValue>
        </CipherText>
        <KeyInfo>
          <X509Data>
            <X509Subject>O=HisCompany,OU=Technology,CN=Jothy Rosenberg</X509Subject>
          </X509Data>
        </KeyInfo>
      </EncryptedKey>
    </KeyInfo>
  </EncryptedData>
</Order>
The signed Order, with the <Customer> element (signature included) encrypted
EfS (Encryption follows Signing): however...
++ Signature, together with the sensitive data, is invisible
++ Clear order of processing
-- Integrity of EncryptedData isn't guaranteed
In conclusion
Order of processing SfE
Security Model: SfE or EfS
Order of processing SfE
Problem: What to do first, Decrypt or Validate Signature?
Solution: additional 'Decrypt Transform' element for XML-Signature
Security Model: SfE or EfS
Depends on context, the specific situation
Specify a Policy
Consider multi-layered approach: SfEfS
Summary
XML-family
SAML
Identity
Significance of Identity
Questions focus around Identity:
Who is accessing my network / information?
Who is this request from?
Who says this information is correct?
Who sent me this confidential information?
How do I know it is really the sender?
...
Establishing and using Identity: establishing Identity (1/2)
Diagram labels: Subject (individual/entity); Trusted Third Party (TTP); Credentials; Refer; Identity
Establishing and using Identity: using Identity (2/2)
Diagram labels: Trust domain HU; Trust domain NL; Trusted Third Party (TTP); Refer; Identity; Subject; Credentials
Assertion: “Presenting Credentials when Subject initiates action”
Authentication: Subject is who she claims to be.
Verify: Credentials are legitimately in possession of Subject
Authorization: Subject is allowed to perform action.
Verify: Action is allowed by Credentials (rights have been established under control of authority responsible for action)
Portable Assertion: “Presenting Credentials when Subject initiates action in other Trust Domain”
Problem
Solution: open federated identity model
Federated Identity:
Diagram labels: Subject; TravelAgency.com (Trust Domain 1); ChosenAirline.com (Trust Domain 2); ChosenRentals.com (Trust Domain 3); ChosenHotels.com (Trust Domain 4); Auth. & make travel order; Credentials; Book flight; Order car
SAML:
1. Communicates Assertions:
• Deferred Identity Decisions
2. SAML Fundaments:
• Assertions: XML Schema
• Protocols: XML Schema for Request/response pairs
• Bindings: Assertions on transport & messaging standards (currently: SOAP@HTTP(s))
Assertion Statement: “I vouch that this is van Gogh”
Credentials: “Who is this subject”
Summary
Where are we?
Web Services: XML-family, SOAP, Web Service Security framework
Web Services & Security, 18-1-2006 - v22
Securing Web Services with WS-Security, by Jothy Rosenberg, David L. Remy, Sams Publishing, 2004, ISBN 0-672-32651-5
SOAP
Objective & Characteristics
Transport of XML data
Where XML defines the content of a message ...
SOAP defines how that data moves from A to B
Via a number of standard transport protocols, but ...
Extensible to future needs (protocols & standards, functionality)
SOAP is for web services ... what Internet Inter-ORB Protocol (IIOP) is for CORBA ... and RMI is for Java
Allows Sender & Receiver to support a common transport protocol
Simple Object Access Protocol
It isn't Simple
It doesn't deal with Objects
It's got more to do with transport than Access
From version 1.1: SOAP is no longer an acronym
Sometimes: Service-Oriented Architecture (or Application) Protocol
Characteristics
SOAP = XML derivative
Hence character oriented
Hence easier debugging (meta-data describing what is being passed)
Hence firewall friendly
Treat XML messages as service request
Separation between infrastructure & application processing of messages
Supported transport protocols
Number of Transport protocols = 1
Technically, spec supports expansion to others (UDP, SMTP, JMS, etc.)
Spec: formal binding to HTTP
Structure
Provide transport envelope
Envelope = container to hold XML Data
Uniform container, then be carried by variety of transports
Applications refer to content
Transport refers to envelope
SOAP Header
Information about SOAP envelope
Manage the package
Extensibility is located here
SOAP Security (extensions) lives here
SOAP Body
Information about SOAP Content
Contains the message payload, i.e. XML Data
Anything: full purchase order doc, RPC inc. method & parameters
SOAP binding & encoding
Binding Style :: How to bind XML-elements on physical remote methods & parameters
Binding style: RPC versus Document
Encoding Type :: How to encode original objects: Serialization of original object onto hierarchical XML-structure
Encoding type: SOAP encoded versus Literal
RPC/Encoded: remotely invoked procedures, synchronous, design-time binding
Document/Literal: document processing, asynchronous, run-time binding
SOAP processing
SOAP Processors are part of application servers
SOAP runtime system acts upon Headers & Bodies
SOAP intermediaries act only upon Headers
Security: authenticate identities, encrypt or decrypt, validate signatures & call-out TTP authorities, ...
WS-Security
Objective
WS-Security contrasts (& complements) transport-based security
Secure pipe between 2 directly connected endpoints
Endpoints usually Application Server
Secure IN the pipe, not outside
What about, for instance, logging?
Comparing Transport vs Message based security
Transport based:
... Point-to-point
... Mature, straightforward impl.
... Not granular: entire payload, entire session
... Transport dependent
Message based:
... End-to-intermediary-to-end
... New, relatively complex, many options
... Very granular: part of payload, single message
... Transport independent
Characteristics
As flexible as XML
Each message carries own security strategy
Flexibility is strength AND weakness
WS-Security = SOAP security
WS-Security = part of Web Service Security framework
WS-Security structure
WS-Security: What does it do?
Takes XML Security (XML-Enc & XML-Sig)
Links that with tokens (X509, Kerberos, SAML)
Binds that to SOAP
Doing so, defines SOAP security header: Security Tokens, XML-Encryption, XML-Signature
3 Building blocks
(1/3) Security Tokens
(2/3) XML-Encryption
(3/3) XML-Signature
(1/3) Security Tokens
Information used for authentication & authorization (i.e. username / password, X.509 Certificate, ...)
<UsernameToken>, <BinaryToken>, <XML tokens>
<UsernameToken>
<Username> <Password> in clear (over SSL) -> Don't!
Use PasswordType = PasswordDigest instead:
... Time stamp
... Nonce
... Password Hash
... Requires clear-text password on both sides
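As an added example (not from the slides): the PasswordDigest form of <UsernameToken> on both sides. The client computes Password_Digest = Base64(SHA-1(nonce + created + password)), the formula of the WS-Security UsernameToken Profile, with a fresh nonce and timestamp; the server recomputes it from the clear-text password it must hold (the cost the slide points out) and additionally enforces a timestamp window and a nonce cache, which is what makes the digest resist replay. The user store, the five-minute skew window and the in-memory nonce cache are assumptions for the example.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"     # xsd:dateTime as used in wsu:Created


def password_digest(password, nonce, created):
    """Password_Digest = Base64(SHA-1(nonce + created + password)).
    nonce: raw (base64-decoded) bytes; created: timestamp string; password: UTF-8."""
    h = hashlib.sha1(nonce + created.encode("utf-8") + password.encode("utf-8")).digest()
    return base64.b64encode(h).decode("ascii")


def build_username_token(username, password, now):
    """Client side: the four child values of a digest-form <wsse:UsernameToken>."""
    nonce = os.urandom(16)
    created = now.strftime(TIME_FMT)
    return {"Username": username,
            "Nonce": base64.b64encode(nonce).decode("ascii"),
            "Created": created,
            "PasswordDigest": password_digest(password, nonce, created)}


class UsernameTokenVerifier:
    """Server side. Needs the clear-text password of every user to recompute
    the digest; the nonce cache is in memory here (assumption) and would be
    pruned of entries older than the skew window in a real service."""

    def __init__(self, users, max_skew=timedelta(minutes=5)):
        self.users = users            # assumed store: username -> clear-text password
        self.max_skew = max_skew      # assumed acceptable clock skew
        self.seen = set()             # (nonce, created) pairs already accepted

    def verify(self, token, now):
        password = self.users.get(token["Username"])
        if password is None:
            return False, "unknown user"
        created = datetime.strptime(token["Created"], TIME_FMT).replace(tzinfo=timezone.utc)
        if abs(now - created) > self.max_skew:
            return False, "timestamp outside window"
        nonce = base64.b64decode(token["Nonce"])
        if (nonce, token["Created"]) in self.seen:
            return False, "nonce replayed"
        expected = password_digest(password, nonce, token["Created"])
        if not hmac.compare_digest(expected, token["PasswordDigest"]):
            return False, "digest mismatch"
        self.seen.add((nonce, token["Created"]))
        return True, "ok"


def demo():
    """Fresh token; the same token replayed; a token presented too late; a token
    built from the wrong password. Returns the four verdict strings in that order."""
    verifier = UsernameTokenVerifier({"alice": "correct horse battery"})  # constructed store
    t0 = datetime(2006, 1, 18, 12, 0, 0, tzinfo=timezone.utc)
    secret = "correct horse battery"
    token = build_username_token("alice", secret, t0)
    first = verifier.verify(token, t0)[1]
    replay = verifier.verify(token, t0)[1]
    late = verifier.verify(build_username_token("alice", secret, t0), t0 + timedelta(minutes=10))[1]
    bad = verifier.verify(build_username_token("alice", "wrong", t0), t0)[1]
    return first, replay, late, bad
```

Note the order of checks: the cheap timestamp and nonce tests run before the digest is recomputed, so a replayed token is rejected without touching the password store.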
<BinaryToken>
Support few classes of binary credentials
X.509 certificates ... needs Signature proving possession of PrivKey
Kerberos tickets
<XML tokens>
n XML token = n wrapping top-elements
SAML Assertion: <saml:Assertion>
eXtensible Rights Markup Language (XrML)
XML Common Biometric Format (XCBF)
... and new tokens will be developed
WS-Security: SecurityTokens in SOAP
<Envelope>
  <Header>
    <wsse:Security>
      SecurityToken
      <ds:Signature>
        <ds:SignedInfo>
          <ds:Reference URI="#MsgBody">
            <ds:DigestValue>…</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>…</ds:SignatureValue>
        <ds:KeyInfo>
          <wsse:SecurityTokenReference>
            ReferenceToSecurityToken
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
  </Header>
  <Body Id="MsgBody">
  </Body>
</Envelope>
SecurityToken: Username / password, Binary token, or XML Token
Tokens have different syntax, hence distinct TokenReference
Announcement
SAML Assertion: <saml:Assertion>
Goal is to confirm that:
... sender, or
... third party, vouching for the sender,
... has proof of sender's identity
Hence: <holder-of-key> or <sender-vouches>
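As an added example (not from the slides): reading a SAML 1.1 assertion carried as an XML token and deciding which subject-confirmation method it announces, which tells the receiver what proof to demand. The assertion, issuer name and timestamps are constructed for the example; the namespace and the holder-of-key, sender-vouches and X509-PKI URIs are the SAML 1.1 identifiers.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:1.0:cm:holder-of-key"
SENDER_VOUCHES = "urn:oasis:names:tc:SAML:1.0:cm:sender-vouches"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed assertion: a TTP vouches that the subject authenticated with an
# X.509 certificate and names holder-of-key as the confirmation method.
SAMPLE = f"""
<saml:Assertion xmlns:saml="{SAML}" MajorVersion="1" MinorVersion="1"
    AssertionID="example-assertion-1" Issuer="ttp.example" IssueInstant="2006-01-18T12:00:00Z">
  <saml:Conditions NotBefore="2006-01-18T11:55:00Z" NotOnOrAfter="2006-01-18T12:05:00Z"/>
  <saml:AuthenticationStatement
      AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:X509-PKI"
      AuthenticationInstant="2006-01-18T11:59:00Z">
    <saml:Subject>
      <saml:NameIdentifier>CN=David Remy</saml:NameIdentifier>
      <saml:SubjectConfirmation>
        <saml:ConfirmationMethod>{HOLDER_OF_KEY}</saml:ConfirmationMethod>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>
"""


def parse_time(value):
    return datetime.strptime(value, TIME_FMT).replace(tzinfo=timezone.utc)


def inspect_assertion(xml_text, now_utc):
    """Classify the confirmation method and check the Conditions window.
    now_utc is a timestamp string such as '2006-01-18T12:00:00Z'."""
    assertion = ET.fromstring(xml_text)
    if assertion.tag != f"{{{SAML}}}Assertion":
        raise ValueError("not a saml:Assertion")
    now = parse_time(now_utc)
    within = True
    conditions = assertion.find(f"{{{SAML}}}Conditions")
    if conditions is not None:
        not_before = conditions.get("NotBefore")
        not_on_or_after = conditions.get("NotOnOrAfter")
        if not_before and now < parse_time(not_before):
            within = False
        if not_on_or_after and now >= parse_time(not_on_or_after):   # NotOnOrAfter is exclusive
            within = False
    subject = assertion.find(f".//{{{SAML}}}Subject")
    methods = [m.text.strip() for m in subject.iter(f"{{{SAML}}}ConfirmationMethod") if m.text]
    if HOLDER_OF_KEY in methods:
        mode = "holder-of-key"
        receiver_must = "require a signature made with the key the assertion binds to the subject"
    elif SENDER_VOUCHES in methods:
        mode = "sender-vouches"
        receiver_must = "rely on the sending party's own signature as vouching for the subject"
    else:
        mode, receiver_must = "unsupported", "reject the token"
    return {"issuer": assertion.get("Issuer"),
            "subject": subject.findtext(f"{{{SAML}}}NameIdentifier"),
            "mode": mode, "receiver_must": receiver_must,
            "within_validity": within}
```

A token outside its Conditions window is rejected before the confirmation method is even considered; in a WS-Security header the assertion would also be covered by the message signature, which this reader does not check.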
(2/3) XML-Encryption
Hide selective information in SOAP messages
Security header holds <EncryptedKey> element containing <ReferenceList> pointing to specific message parts
Encrypted attachments: SOAP with Attachments (SwA) not yet recommendation status
Example: Wrapped Symmetrical Key XML Encryption
(3/3) XML-Signature
Goal 1: To provide message integrity
Goal 2: To verify a security token credential
Goal 1: To provide message integrity
<Envelope>
  <Header>
    <wsse:Security>
      SecurityToken
      <ds:Signature>
        <ds:SignedInfo>
          <ds:Reference URI="#MsgBody">
            <ds:DigestValue>…</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>…</ds:SignatureValue>
        <ds:KeyInfo>
          <wsse:SecurityTokenReference>
            ReferenceToSecurityToken
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
  </Header>
  <Body Id="MsgBody">
  </Body>
</Envelope>
SecurityToken: Username / password, Binary token, or XML Token
Tokens have different syntax, hence distinct TokenReference
Announcement
Goal 2: To verify a security token credential
Reminder: SignatureValue is calculated over the <SignedInfo> block ...
... containing <Reference> and ...
... Digest of reference. Problem: that is always <SecurityTokenReference> rather than the token itself
WS-Security therefore will follow the token reference ("STR Dereference Transform" strategy)
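As an added example (not from the slides) covering both Goal 1 and Goal 2: receiver-side handling of the <wsse:Security> header shown above. It locates the header, classifies the security token by its wrapping element (the three token families have different syntax, so they need different references), resolves each <ds:Reference> URI to an element by its Id or wsu:Id, and applies the STR Dereference idea: when a Reference points at a <wsse:SecurityTokenReference>, the pointer is followed to the token itself before the digest is taken, so the digest covers the credential rather than the reference. The namespaces and ValueType/EncodingType URIs are the WS-Security 1.0 and XML-Signature ones; the envelope is constructed for the example and its digest, signature and certificate values are placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
X509V3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
BASE64 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
for prefix, uri in (("soap", SOAP), ("wsse", WSSE), ("wsu", WSU), ("ds", DS), ("saml", SAML)):
    ET.register_namespace(prefix, uri)

# The three token families from the slides, keyed by their wrapping element.
TOKEN_KINDS = {
    f"{{{WSSE}}}UsernameToken": "username/password",
    f"{{{WSSE}}}BinarySecurityToken": "binary token",
    f"{{{SAML}}}Assertion": "XML token",
}

# Constructed message: an X.509 binary token, an STR pointing at it, and a
# Signature whose References cover the Body and the STR. Values are placeholders.
SAMPLE = f"""
<soap:Envelope xmlns:soap="{SOAP}" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" xmlns:ds="{DS}">
  <soap:Header>
    <wsse:Security>
      <wsse:BinarySecurityToken wsu:Id="X509Token" ValueType="{X509V3}"
          EncodingType="{BASE64}">PLACEHOLDER-BASE64-CERT</wsse:BinarySecurityToken>
      <wsse:SecurityTokenReference wsu:Id="STR1">
        <wsse:Reference URI="#X509Token" ValueType="{X509V3}"/>
      </wsse:SecurityTokenReference>
      <ds:Signature>
        <ds:SignedInfo>
          <ds:Reference URI="#MsgBody"><ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference>
          <ds:Reference URI="#STR1"><ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
        <ds:KeyInfo>
          <wsse:SecurityTokenReference><wsse:Reference URI="#X509Token"/></wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
  </soap:Header>
  <soap:Body wsu:Id="MsgBody"><Order><LineItem sku="82394" quantity="1"/></Order></soap:Body>
</soap:Envelope>
"""


def local(tag):
    """Local name of a '{namespace}name' tag."""
    return tag.rsplit("}", 1)[-1]


def index_ids(root):
    """Map every Id / wsu:Id value to its element so '#id' URIs can be resolved."""
    ids = {}
    for elem in root.iter():
        for attr in ("Id", f"{{{WSU}}}Id"):
            if elem.get(attr):
                ids[elem.get(attr)] = elem
    return ids


def resolve(uri, ids):
    elem = ids.get(uri.lstrip("#"))
    if elem is None:
        raise ValueError(f"dangling reference {uri}")
    return elem


def str_dereference(elem, ids):
    """STR Dereference: while the element is a SecurityTokenReference, follow its
    wsse:Reference to the token it points at, so the digest covers the token."""
    while elem.tag == f"{{{WSSE}}}SecurityTokenReference":
        ref = elem.find(f"{{{WSSE}}}Reference")
        if ref is None:
            raise ValueError("only direct wsse:Reference STRs are handled here")
        elem = resolve(ref.get("URI"), ids)
    return elem


def c14n_digest(elem):
    """Base64(SHA-256) over the canonical form of one element."""
    data = ET.canonicalize(ET.tostring(elem, encoding="unicode"), strip_text=True)
    return base64.b64encode(hashlib.sha256(data.encode()).digest()).decode()


def analyse(envelope_xml):
    root = ET.fromstring(envelope_xml)
    ids = index_ids(root)
    security = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security")
    if security is None:
        raise ValueError("no wsse:Security header")
    tokens = [TOKEN_KINDS[child.tag] for child in security if child.tag in TOKEN_KINDS]
    references = []
    for ref in security.iter(f"{{{DS}}}Reference"):
        pointed = resolve(ref.get("URI"), ids)
        digested = str_dereference(pointed, ids)
        references.append({"uri": ref.get("URI"),
                           "pointed_at": local(pointed.tag),
                           "digested": local(digested.tag),
                           "pointer_digest": c14n_digest(pointed),
                           "token_digest": c14n_digest(digested)})
    return {"tokens": tokens, "references": references}
```

For the Body reference the pointer and the digested element coincide; for the STR reference they differ, which is exactly why a digest over the pointer alone would say nothing about the certificate it names.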
Summary
Where are we?
Web Services: XML-family, SOAP, Web Service Security framework
Web Services & Security, 18-1-2006 - v22
Securing Web Services with WS-Security, by Jothy Rosenberg, David L. Remy, Sams Publishing, 2004, ISBN 0-672-32651-5
Web Service Security framework
Foundation: WS-Security
XML-Signature
XML-Encryption
SAML-Assertions
Binds to SOAP: secure interaction
Secure XML leftovers
Secure XML leftovers
XKMS, XACML, XrML
XKMS
Used for distributing and registering public keys:
Support the registration of a key pair by a key pair holder;
Delegates the processing of Key Information associated with an XML signature, XML encryption, or other public key.
Can be used as an alternative to SAML when participants don't have a single trust agreement established.
XACML
The XACML (extensible access control markup language) specification consists of two related vocabularies: one for access control and one that defines a vocabulary for request and response exchanges. Through these languages, the creation of fine-grained security policies is made possible.
XrML
Extensible Rights Markup Language is a grammar for expressing rights and conditions associated with digital content, services, or any digital resource.
Can be used as WS-Security token.
Web Service Security framework
Foundation: WS-Security
related WS* standards on top
Landscape of web services
Web Service Security framework, 19-1-2006 - v5
related WS* standards on top
WS-Policy framework
WS-Trust
WS-Privacy
WS-Federation framework
WS-Policy framework
Where WS-Security implements security,
the WS-Policy framework is used to describe what has been implemented:
... What security token is required?
... Encryption is required.
... What part of the message must be encrypted? Signed? Whole body or a part?
... numerous options to agree upon
Both for server AND client (!)
WS-Trust
This specification establishes a standard trust model used to unite existing trust models, so that the validity of exchanged security tokens can be verified. WS-Trust provides a communications process for requesting the involvement of third-party trust authorities to assist with this verification.
WS-Privacy
Organizations can use WS-Privacy to communicate their privacy policies and check to see whether requestors intend to comply to these policies. WS-Privacy works in conjunction with WS-Policy and WS-Trust.
WS-Federation framework
(WS-Federation, WS-Authorization, WS-SecureConversation)
There are numerous ways of integrating different trust domains (or realms) when utilizing the WS-Security, WS-Policy, and WS-Trust standards. The WS-Federation specification provides a series of standards and security models for achieving a federation — an environment where a level of trust has been established between disparate trust domains.
Web Service Security framework
Foundation: WS-Security
related WS* standards on top
Landscape of web services
Web Service Security framework, 19-1-2006 - v5
Landscape of web services
XML-landscape, WS*-landscape, WS-Security landscape
Cliff hanger, 19-1-2006 - v3
Understanding XML-Signature & XML-Encryption & SOAP
Principles
Understand purpose of major <element>s
Reading, not writing
Basic understanding of XML grammar
Understanding WS-Security
Principles
Understand its purpose
Know its compounding structure
Recognise differences between various usage scenarios
What do you need to know to pass your exam
Invitation
Enjoyed Web services and/or Security?
Consider applying with TNO …
… doing your master’s thesis