Web Services Security
Dept of Computer Engineering, Khon Kaen University
168493: XML and Web Services (II/2546) 2
Challenges of Securing Web Services
Need to figure out a way of securing Web services that can potentially be accessed by a complete stranger over the network
Many technologies have been developed to support this: XML Encryption, XML Signature (XML DSIG), XML Key Management Service (XKMS)
Concepts of Cryptography
Encryption and digital signatures are part of the bigger science of cryptography
Cryptography is the art of secret writing: the enciphering and deciphering of messages in secret code or cipher, as many would put it
Cipher = a message written in a secret code
Decipher = convert code into ordinary language
Encipher = convert plain text into cipher text
Four Goals of Cryptography
Confidentiality: ensuring that only authorized parties are able to understand the data
Authentication: ensuring the identity of the party in a given security domain
Integrity: protecting sensitive information from unauthorized modifications
Non-repudiation: ensures that another party cannot repudiate
Confidentiality
Ensuring that only authorized parties are able to understand the data
Unauthorized parties may know that the data exists, but they should not be able to understand what the data is
Confidentiality is made possible through encryption. Encryption is the process of converting a particular message into scrambled text, also known as cipher text
Authentication
Ensures the identity of the party in a given security domain
This involves having some sort of password or key through which the user proves his or her identity in a particular security domain
Authentication is extremely important for services to be able to tell to whom they are providing their services
Integrity
Protecting sensitive information from unauthorized modifications
Ensures that the message received by the recipient is the same message that was originally sent by the sender
The message has not been tampered with since it was sent
Different hashing algorithms are used to generate a checksum that guarantees integrity
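The following is an added example (Python standard library only; it is not code from the slides) of the hash-based integrity check described above. The order message and the shared key are constructed for the demonstration. It also shows the caveat a practitioner needs: an unkeyed digest detects accidental corruption, but anyone who can alter the message can recompute that digest, so a keyed digest (HMAC) or a digital signature is what actually binds the message to its sender.

```python
import hashlib
import hmac

# Constructed sample message and a placeholder key shared by sender and receiver.
ORDER = b"<order><item>steel</item><qty>100</qty></order>"
SHARED_KEY = b"constructed-demo-key"  # placeholder only, not a real secret


def checksum(data: bytes) -> str:
    """Unkeyed SHA-256 digest: the 'checksum' the slide describes."""
    return hashlib.sha256(data).hexdigest()


def keyed_checksum(key: bytes, data: bytes) -> str:
    """HMAC-SHA256: a digest that only a holder of the key can produce."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def receiver_accepts(data: bytes, tag: str, key: bytes = None) -> bool:
    """Recompute the digest over the received bytes and compare it with the
    tag that travelled with the message, in constant time."""
    expected = keyed_checksum(key, data) if key is not None else checksum(data)
    return hmac.compare_digest(expected, tag)


def integrity_cases() -> dict:
    """Outcomes for an unmodified message, a tampered one, and the two ways
    a tamperer might try to keep the tag consistent with the new content."""
    tag = checksum(ORDER)
    tampered = ORDER.replace(b"<qty>100</qty>", b"<qty>1000</qty>")
    return {
        # Unmodified message, original tag: accepted.
        "original": receiver_accepts(ORDER, tag),
        # Modified message, original tag: the mismatch is detected.
        "tampered_old_tag": receiver_accepts(tampered, tag),
        # Whoever altered the message can recompute an unkeyed digest too,
        # so a plain checksum only catches accidental corruption.
        "tampered_new_checksum": receiver_accepts(tampered, checksum(tampered)),
        # With a keyed digest the altered message needs a tag computed under
        # the shared key, which the tamperer does not have.
        "tampered_keyed": receiver_accepts(tampered, checksum(tampered), SHARED_KEY),
        # Correct keyed tag on the unmodified message: accepted.
        "original_keyed": receiver_accepts(ORDER, keyed_checksum(SHARED_KEY, ORDER), SHARED_KEY),
    }
```

The `tampered_new_checksum` case is the one to remember: the checksum by itself is an integrity check against noise, not against an adversary. The XML Signature material later in the deck closes that gap by signing the digest.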
Non-repudiation
Repudiation is to refuse to accept something
Non-repudiation is a technique in which one party ensures that another party cannot repudiate
For example, a supplier of raw materials would want to ensure that the customer cannot later repudiate having placed an order for materials
Digital signatures can be used to provide non-repudiation in computer security systems
XML Encryption
The XML Encryption standard is currently being developed at the W3C: http://www.w3.org/Encryption/2001/
Unlike SSL/TLS (Secure Sockets Layer/Transport Layer Security), XML Encryption enables the encryption of data at different granularity levels
This means that one can select to encrypt only parts of the data using XML Encryption
XML Encryption
It also enables the establishment of secure sessions with more than one party
XML Encryption can also be used to encrypt both XML and non-XML data
For more information about the implementation of XML Encryption: http://www-106.ibm.com/developerworks/xml/library/x-encrypt/
XML Signatures
Provides a mechanism for applying digital signatures to XML documents and other Internet resources
Provides strong integrity, message authentication, signer authentication and non-repudiation services for data of any type
Types of XML Signatures
Three types of signatures are supported by the XML Signature specification:
Enveloped signatures: the signature is over the XML content that contains the signature as an element
Enveloping signatures: the signature is over the content found within an <Object> element of the signature itself
Detached signatures: the signature is over content external to the <Signature> element; this external content is identified via a URI
Example: Enveloped Signature
<doc Id="doc0"><elem/><Signature>
  ...<Reference URI="#doc0"/>...
</Signature></doc>
Example: Enveloping Signature
<Signature>...<Reference URI="#ID0"/>...<Object Id="ID0">
  ...</Object>
</Signature>
Example: Detached Signature
<doc>
<Signature>...<Reference URI="http://www.ach.com/fundstransfer/fundstarnsferproc.html"/>...</Signature><elem/>
</doc>
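The three slide examples differ only in what the Reference URI points at, which decides which bytes the signature covers. The added example below (Python standard library; not code from the slides, and not a conformant XML-DSig implementation, since it digests the serialised element directly instead of applying C14N canonicalisation) resolves a Reference in each of the three forms and returns the covered bytes and their digest. The three documents, the external resource table and its content are constructed for the demonstration; the external URL is the one from the detached-signature slide.

```python
import copy
import hashlib
from typing import Tuple
import xml.etree.ElementTree as ET

# Constructed documents modelled on the three slide examples. Each Signature is
# reduced to a single Reference so that only the URI resolution rule matters.
ENVELOPED = (
    '<doc Id="doc0"><elem/>'
    '<Signature><Reference URI="#doc0"/></Signature>'
    '</doc>'
)
ENVELOPING = (
    '<Signature><Reference URI="#ID0"/>'
    '<Object Id="ID0"><payment>100</payment></Object>'
    '</Signature>'
)
DETACHED = (
    '<doc><Signature>'
    '<Reference URI="http://www.ach.com/fundstransfer/fundstarnsferproc.html"/>'
    '</Signature><elem/></doc>'
)

# Stand-in for dereferencing an external URI (constructed content). A real
# verifier fetches it over the network and should only do so for URIs it trusts.
EXTERNAL_RESOURCES = {
    "http://www.ach.com/fundstransfer/fundstarnsferproc.html":
        b"<html>funds transfer procedure</html>",
}


def digest_value(data: bytes) -> str:
    """SHA-256 over the covered bytes; XML-DSig carries this as DigestValue."""
    return hashlib.sha256(data).hexdigest()


def locate_signature(root: ET.Element) -> ET.Element:
    """The Signature is either the document root or somewhere inside it."""
    sig = root if root.tag == "Signature" else root.find(".//Signature")
    if sig is None:
        raise ValueError("document carries no Signature element")
    return sig


def find_by_id(root: ET.Element, id_value: str) -> ET.Element:
    """Resolve a same-document '#id' reference against Id attributes."""
    for elem in root.iter():
        if elem.get("Id") == id_value:
            return elem
    raise ValueError(f"no element with Id={id_value!r}")


def enveloped_transform(target: ET.Element) -> ET.Element:
    """Drop the Signature from a copy of the target: a signature cannot cover
    its own bytes, so an enveloped reference excludes it before digesting."""
    target = copy.deepcopy(target)
    parents = {child: parent for parent in target.iter() for child in parent}
    for sig in list(target.iter("Signature")):
        parents[sig].remove(sig)
    return target


def covered_content(xml_text: str) -> Tuple[str, bytes]:
    """Return (signature type, bytes the Reference covers) for a document."""
    root = ET.fromstring(xml_text)
    signature = locate_signature(root)
    uri = signature.find("Reference").get("URI", "")
    if uri == "" or uri.startswith("#"):
        target = root if uri == "" else find_by_id(root, uri[1:])
        if target.tag == "Object" and target in list(signature):
            # Enveloping: the data lives inside the Signature's own Object.
            return "enveloping", ET.tostring(target, encoding="utf-8")
        # Enveloped: the data contains the Signature, which is stripped first.
        return "enveloped", ET.tostring(enveloped_transform(target), encoding="utf-8")
    if uri not in EXTERNAL_RESOURCES:
        # Refuse to fetch arbitrary URIs named by an untrusted document.
        raise ValueError(f"refusing to dereference unknown URI {uri!r}")
    # Detached: the data is outside the document and is located by URI.
    return "detached", EXTERNAL_RESOURCES[uri]


def reference_digest(xml_text: str) -> str:
    """Digest of whatever the document's Reference covers."""
    return digest_value(covered_content(xml_text)[1])
```

Two behaviours are worth checking against this code: editing `<elem/>` in the enveloped document changes the digest, while adding content inside the `<Signature>` element does not, because the enveloped transform removes the signature before hashing. For detached signatures the verifier decides what it is willing to dereference; accepting any URI the document names would let the document steer the verifier to resources of its choosing.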