WS-Security Protocol
Ramkumar Chandrasekharan CS 265
�Web Services (WS)
A service available over Internet Is based on XML messaging system
Standard protocols: HTTP, SMTP, FTP
SOAP (Simple Object Access Protocol), XML-RPC
A WS should be self describing
Discoverable
WSDL: Web Services Description Language
UDDI: Universal Description Definition Interface
�Consuming a Web Service
1) Client discovers the WS from UDDI registry to which WS has published itself 2) Client retrieves the WSDL file pointed by UDDI 3) Client Creates SOAP packets with the appropriate Web Service calls 4) Invokes Web Service method over HTTP, SMTP etc 5) Response is received from the WS as a SOAP packet as well
�WS is not secure
XML messages over the network. Anybody can easily sniff and read the text. Secure with SSL at transport layer but does not guarantee end to end security. SSL also encrypts everything which could be resource expensive. Many ways of securing at message layer for WS is possible, WS-Security is a standard way of securing WS.
�WS-Security
WS-* Specs Various Standards Orgs (OASIS, W3C etc.) and corporations (IBM, MS, Verisign etc.) are involved
Standardizing various pieces of Web Service for e.g., Security, Policy, Messaging etc.
�WS-Security
SOAP header carries security info XML Encryption standard is used for encryption XML Signature standard is used for Digital Signature
�SOAP Security Header
<soap:Envelope xmlns:soap=http://schemas.xmlsoap.ord/soap/envelope xmlns:wsse=http://schemas.xmlsoap.ord/ws/2002/12/ secext> <soap:Header> <wsse:Security soap:role=.> All the security related mechanisms like security tokens, encryption and signatures goes here </wsse:Security>
�WS-Security Tokens
Authentication mechanisms: UsernameToken
Created + Password))
Plaintext, Hashed (Base64 Encoding (SHA-1 (Nonce +
Binarysecuritytoken based on Kerberos or X.509 certificates
�XML Encryption
Provides End to end security Selective Encryption Very simple to do, lets say if there is an XML doc for e.g.,
�XML Encryption
XML before encryption:
XML After encryption
<?xml version=1.0?> <CreditCard> <Name>John </Name> <Number> 1234567</Number> <Code>123</Code> <Expiry>0106</expiry> </CreditCard>
<?xml version=1.0?> <CreditCard> <Name>John </Name> <EncryptionData> <CipherData> <CipherValue> asdgsd45454 </CipherValue> </CipherData> </EncryptionData> </CreditCard
�XML Signature
Standard Schema for digital signature XML docs Selective Signing of XML docs, that is portions of XML docs can be signed Its not as simple as XML encryption
�XML Signature Schema
<Signature> <SignedInfo> <CanonicalizationMethod /> <SignatureMethod /> <Reference URI= > (0 or more) <Transforms/> <DigestMethod/> <DigestValue/> </Reference> </SignedInfo> <SignatureValue /> - Digest of SignedInfo <KeyInfo/> (Optional) </Signature>
�WS-Security Demo
Using WSE 2.0
�Conclusion
Web service is going to create revolution in distributed computing and with standards like WS-Security helps achieve security into Web Services. With Web Services the vision of Vint Clif father of the Internet could be achieved. He said it wont be long before your bathroom scale surreptitiously transmits your weight to your doctor, who might command a stop to the rocky road ice cream your fridge automatically orders for you from www.groceries.com.
�Q&A
