A Guide to Current Standards


3 Nov 2013 (3 years and 9 months ago)


563.xx Web Services Security:
A Guide to Current Standards

Advanced Computer Security

Adam Lee and Lars Olson

Spring 2006


2

Overview


Core Standards


XML


SOAP


WSDL


UDDI


Access Control and Authorization


XACML


SAML


Core Security Standards


XML Digital Signature


XML Encryption


Advanced Security


WS-*

3

Multiple Standards Bodies


W3C


XML, SOAP, WSDL, XML Encryption, XML Digital Signature, XKMS


OASIS


UDDI, SAML, XACML, WS-Security, WS-Policy, WS-Trust, WS-Authorization, WS-SecureConversation, WS-Federation, WS-*

WS-* standards developed by MS/IBM and submitted to OASIS for standardization


Sun


Liberty Alliance Project

4

Standards Interactions

5

Core Standards

6

XML


eXtensible Markup Language


W3C Recommendation, V1.1


A restricted form of SGML (an ISO standard)


Allows delivery of custom data


Focuses on what data is, not what data looks like (e.g., HTML)

Use a Document Type Definition (DTD) or Schema to describe new syntax

7

Simple XML Example

    <?xml version="1.1"?>
    <note>
      <date>2004-11-10</date>
      <to>Adam</to>
      <from>Kody</from>
      <heading>Hungry</heading>
      <body>Feed me, dad!</body>
    </note>

8

XML with DTD

    <?xml version="1.1"?>
    <!DOCTYPE note[
      <!ELEMENT note (date, to, from, heading, body)>
      <!ELEMENT date (#PCDATA)>
      <!ELEMENT to (#PCDATA)>
      <!ELEMENT from (#PCDATA)>
      <!ELEMENT heading (#PCDATA)>
      <!ELEMENT body (#PCDATA)>
    ]>
    <note>
      <date>2004-10-11</date>
      <to>Adam</to>
      <from>Jasmine</from>
      <heading>Bone</heading>
      <body>Kody stole my bone!</body>
    </note>

9

Schema Example

    <?xml version="1.0"?>
    <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
        targetNamespace="http://www.w3schools.com"
        xmlns="http://www.w3schools.com"
        elementFormDefault="qualified">

      <xs:element name="note">
        <xs:complexType>
          <xs:sequence>
            <xs:element name="date" type="xs:date"/>
            <xs:element name="to" type="xs:string"/>
            <xs:element name="from" type="xs:string"/>
            <xs:element name="heading" type="xs:string"/>
            <xs:element name="body" type="xs:string"/>
          </xs:sequence>
        </xs:complexType>
      </xs:element>
    </xs:schema>

XML Schema Tutorial

10

XML Namespaces


Namespaces used (as in programming languages) to scope element definitions

What if we want to use multiple “vocabularies” of terms that may overlap?

For instance, if we have two definitions for the element <foo>, which do we use?

Namespaces identified through a URI

Don’t try to look up the URI, it is not guaranteed to exist!

11

XML Namespace Example

    <Department>
      <Name>DVS1</Name>
      <addr:Address xmlns:addr="http://blah.com/addresses">
        <addr:Street>Wilhelminenstr. 7</addr:Street>
        <addr:City>Darmstadt</addr:City>
        <addr:State>Hessen</addr:State>
        <addr:Country>Germany</addr:Country>
        <addr:PostalCode>D-64285</addr:PostalCode>
      </addr:Address>
      <serv:Server xmlns:serv="http://blah.com/servers">
        <serv:Name>OurWebServer</serv:Name>
        <serv:Address>123.45.67.8</serv:Address>
      </serv:Server>
    </Department>

XML Namespaces FAQ

12

DOM


Document Object Model


W3C Recommendation, V1.0 Level 3


Internal representation of an XML document as a tree

Allows us to specify an element and all the data inside it as a subtree

Also allows us to specify a search pattern over the document (e.g. XPath)

13

SOAP


Simple Object Access Protocol


W3C Recommendation, V1.2


W3C SOAP Primer


Type of XML document


Extensible messaging framework


Issues such as security not part of specification, addressed as extensions


14

The Stack

HTTP (Usually but not always)

XML

SOAP

15

SOAP Messages


Two main parts to the message


Header: Contains message meta-information

Body: Contains the main message

SOAP Envelope

SOAP Header (optional)

SOAP Body

16

SOAP Example

    <env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope">
      <env:Header>
        <n:alertcontrol xmlns:n="http://example.org/alertcontrol">
          <n:priority>1</n:priority>
          <n:expires>2001-06-22T14:00:00-05:00</n:expires>
        </n:alertcontrol>
      </env:Header>
      <env:Body>
        <m:alert xmlns:m="http://example.org/alert">
          <m:msg>Pay the electric bill today!</m:msg>
        </m:alert>
      </env:Body>
    </env:Envelope>

17

SOAP RPC Request

    POST /travelservice
    SOAPAction: http://www.acme-travel.com/flightinfo
    Content-Type: text/xml; charset="utf-8"
    Content-Length: nnnn

    <SOAP:Envelope xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/">
      <SOAP:Body>
        <m:GetFlightInfo
            xmlns:m="http://www.acme-travel.com/flightinfo"
            SOAP:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"
            xmlns:xsd="http://www.w3.org/2001/XMLSchema"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
          <airlineName xsi:type="xsd:string">UL</airlineName>
          <flightNumber xsi:type="xsd:int">506</flightNumber>
        </m:GetFlightInfo>
      </SOAP:Body>
    </SOAP:Envelope>

Unraveling the Web Services Web

18

SOAP RPC Response

    HTTP/1.1 200 OK
    Content-Type: text/xml; charset="utf-8"
    Content-Length: nnnn

    <SOAP:Envelope xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/">
      <SOAP:Body>
        <m:GetFlightInfoResponse
            xmlns:m="http://www.acme-travel.com/flightinfo"
            SOAP:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"
            xmlns:xsd="http://www.w3.org/2001/XMLSchema"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
          <flightInfo>
            <gate xsi:type="xsd:int">10</gate>
            <status xsi:type="xsd:string">ON TIME</status>
          </flightInfo>
        </m:GetFlightInfoResponse>
      </SOAP:Body>
    </SOAP:Envelope>

19

WSDL


Web Services Description Language


W3C Recommendation, V1.1


Tutorial


Another type of XML document


Describes ports (services), port types (sets of operations), data type definitions, …

20

The Stack Redux

HTTP (Usually but not always)

XML

SOAP

WSDL

21

Sample WSDL


WSDL is usually long and ugly


Click here for an annotated example

Fortunately, WSDL is not usually written by hand

Apache Axis

Java2WSDL

Generate WSDL from Java source

WSDL2Java

Generate proxy and stub Java code from WSDL

22

UDDI


Universal Description, Discovery and Integration


OASIS Specification, V3.0.1


Set of services supporting description and discovery of:

Businesses and web service providers

The web services the above entities make available

The interfaces used to access the above service

Note security issues:

Are the services you find really the services you’re looking for?


23

The Stack, Fin

HTTP (Usually but not always)

XML

SOAP

WSDL

UDDI

24

Access Control and Authorization

25

XACML


eXtensible Access Control Markup Language

OASIS Standard, V1.0

An Introduction to XACML

Type of XML document

Provides a means of describing and enforcing access control policies using a simple language

26

XACML Layers


Policy Administration Point


Creates and stores policies


Policy Enforcement Point


Makes decision requests and enforces authorization decisions

Policy Information Point

Repository for attribute values or data required for policy evaluation

Policy Decision Point

Evaluates the applicable policy and returns a decision

27

XACML Policy Example


Discussion on XACML Technical Committee mailing list

http://lists.oasis-open.org/archives/xacml/200206/msg00003.html

Fairly intuitive and readable, but very “wordy”

28

SAML


Security Assertion Markup Language


OASIS Standard, V1.1


An Introduction to SAML


Allows an organization to make assertions about security properties of a subject


Authentication


Attributes


Authorization decisions

29

SAML (cont.)


Subjects can present these assertions to other organizations to prove that the issuing organization “vouches” for them

Allows state for single sign-on services, like browser cookies for HTTP

30

Sample SAML Assertion

    <saml:Assertion
        MajorVersion="1" MinorVersion="0"
        AssertionID="128.9.167.32.12345678"
        Issuer="Company.com"
        IssueInstant="2002-03-21T10:02:00Z">
      <saml:Conditions
          NotBefore="2002-03-21T10:02:00Z"
          NotAfter="2002-03-21T10:07:00Z" />
      <saml:AuthenticationStatement
          AuthenticationMethod="password"
          AuthenticationInstant="2002-03-21T10:02:00Z">
        <saml:Subject>
          <saml:NameIdentifier
              SecurityDomain="Comany.com"
              Name="joeuser" />
        </saml:Subject>
      </saml:AuthenticationStatement>
    </saml:Assertion>

An Introduction to SAML
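A relying party's checks on an assertion like the sample above, as an added example (not from the slides): it rejects an untrusted Issuer, an assertion outside its NotBefore/NotAfter window, and one that carries no window at all. The namespace URI, the 60-second clock-skew allowance and the function names are assumptions, and the assertion's signature is taken to have been verified already.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Assumption: the SAML 1.0 assertion namespace; the slide's sample omits xmlns:saml.
SAML = "{urn:oasis:names:tc:SAML:1.0:assertion}"

# Constructed sample: the slide's assertion with the namespace declaration added.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="0" AssertionID="128.9.167.32.12345678"
    Issuer="Company.com" IssueInstant="2002-03-21T10:02:00Z">
  <saml:Conditions NotBefore="2002-03-21T10:02:00Z" NotAfter="2002-03-21T10:07:00Z"/>
  <saml:AuthenticationStatement AuthenticationMethod="password"
      AuthenticationInstant="2002-03-21T10:02:00Z">
    <saml:Subject>
      <saml:NameIdentifier SecurityDomain="Company.com" Name="joeuser"/>
    </saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>"""


def parse_utc(stamp):
    """Parse the UTC timestamps used in the sample, e.g. 2002-03-21T10:02:00Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion(xml_text, now, trusted_issuers, skew=timedelta(seconds=60)):
    """Return the reasons to reject the assertion; an empty list means accept."""
    root = ET.fromstring(xml_text)
    if root.tag != SAML + "Assertion":
        return ["root element is not a SAML assertion"]
    problems = []
    if root.get("Issuer") not in trusted_issuers:
        problems.append("issuer is not trusted")
    cond = root.find(SAML + "Conditions")
    if cond is None or not cond.get("NotBefore") or not cond.get("NotAfter"):
        # Fail closed: an assertion without a validity window never expires.
        return problems + ["no validity window"]
    if now < parse_utc(cond.get("NotBefore")) - skew:
        problems.append("not yet valid")
    if now > parse_utc(cond.get("NotAfter")) + skew:
        problems.append("expired")
    name = root.find(f"{SAML}AuthenticationStatement/{SAML}Subject/{SAML}NameIdentifier")
    if name is None or not name.get("Name"):
        problems.append("no subject")
    return problems
```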

31

Core Security Standards

32

Base64


Specification: http://www.faqs.org/rfcs/rfc1521.html

A way to encode arbitrary binary data into a text-friendly format [A-Za-z0-9+/=]*

A: 000000, B: 000001, …, +: 111110, /: 111111, = is for padding

33

XMLENC (XML Encryption)


Current version: http://www.w3.org/TR/xmlenc-core/

Uses 3DES, AES to encrypt an arbitrary subtree of a document

Key can be a shared key, or it can be encrypted by another key and included in the document

34

Example XMLENC transformation

    <sampleDoc>
      <value attr="1">some value</value>
    </sampleDoc>

    <sampleDoc>
      <xenc:EncryptedData>
        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
        <xenc:CipherData>
          <xenc:CipherValue>
            cj2U3b428DXg+tB13/b8rx1yTh4oDEDbLInjCd
            Zn28HNWsDEF621zEciHqsdGyz2eRn6huyWrgBE
            ILbufIx9ww==
          </xenc:CipherValue>
        </xenc:CipherData>
      </xenc:EncryptedData>
    </sampleDoc>

35

Example XMLENC transformation

    <sampleDoc>
      <xenc:EncryptedData>
        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
        <ds:KeyInfo>
          <xenc:EncryptedKey>
            <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
            <xenc:CipherData>
              <xenc:CipherValue>...</xenc:CipherValue>
            </xenc:CipherData>
          </xenc:EncryptedKey>
        </ds:KeyInfo>
        <xenc:CipherData>
          <xenc:CipherValue>...</xenc:CipherValue>
        </xenc:CipherData>
      </xenc:EncryptedData>
    </sampleDoc>

36

Things to Note


Different parts of a single document can be encrypted by different keys for multiple recipients

APIs not particularly well-documented yet (Xerces was better than anything else I found)

Does not allow special use of the SOAP header: all metadata (e.g. KeyInfo, EncryptionMethod) must be within the EncryptedData element

37

XMLENC APIs


Java


IBM XML Security Suite for Java (XSS4J)

http://www.trl.ibm.com/projects/xml/xss4j/apidocs/index.html


Apache Xerces for Java

http://xml.apache.org/security/Java/api/index.html


Verisign

http://www.xmltrustcenter.org/developer/verisign/tsik/docs/api/index.html


C++


Apache Xerces for C++
http://xml.apache.org/security/c/apiDocs/index.html


C


Not much out there, I found http://www.aleksey.com/xmlsec/ which is based on Gnome's libxml2.

.NET:

“Currently, XML Encryption is not yet supported by .NET” (as of 1.1?)

Seems to be implemented in 2.0, see sample code


Perl? Others?

38

Using Xerces for Java API


No enumerated type for the algorithms

Must use 3DES or AES for encryption

RSA is in the list of enumerated algorithms, but it can only be used for key encryption!

Must make the transformation on the document itself, cannot generate it to a new document

Decoding is easier than encoding, but the document parser must be namespace-aware!

Not pretty-printed

39

Using Xerces for Java API


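Example encryption code: (see source)

    import java.security.Key;
    import org.w3c.dom.Document;
    import org.w3c.dom.Element;
    import org.apache.xml.security.encryption.EncryptedKey;
    import org.apache.xml.security.encryption.XMLCipher;
    import org.apache.xml.security.keys.KeyInfo;

    Document sourceDoc = /* load/parse document to encrypt */;
    Element elementToEncrypt = /* select element of sourceDoc to encrypt */;
    Key symmetricKey = /* generate key */;
    XMLCipher xmlCipher = XMLCipher.getInstance(XMLCipher.AES_128);
    xmlCipher.init(XMLCipher.ENCRYPT_MODE, symmetricKey);

    // to include encrypted key...
    // wrap the symmetric key with the recipient's RSA public key, so that only
    // the holder of the matching private key can unwrap it
    XMLCipher keyCipher = XMLCipher.getInstance(XMLCipher.RSA_v1dot5);
    keyCipher.init(XMLCipher.WRAP_MODE, recipientPublicKey);
    EncryptedKey encryptedKey = keyCipher.encryptKey(sourceDoc, symmetricKey);
    KeyInfo keyInfo = new KeyInfo(sourceDoc);
    keyInfo.add(encryptedKey);
    xmlCipher.getEncryptedData().setKeyInfo(keyInfo);

    // true = encrypt only the element's content, leaving its tags in place
    xmlCipher.doFinal(sourceDoc, elementToEncrypt, true);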

40

Using Xerces for Java API


Example decryption code: (see source)

    import org.w3c.dom.Document;
    import org.w3c.dom.Element;
    import org.apache.xml.security.encryption.XMLCipher;

    Document sourceDoc = /* load/parse document to decrypt */;
    Element encryptedDataElement = /* select element of sourceDoc to decrypt */;
    XMLCipher xmlCipher = XMLCipher.getInstance();

    // if the key is included encrypted in the document...
    xmlCipher.init(XMLCipher.DECRYPT_MODE, null);
    xmlCipher.setKEK(/* private or shared key for key encryption */);
    // otherwise, use this line instead of the two above...
    // xmlCipher.init(XMLCipher.DECRYPT_MODE, /* shared key for document encryption */);

    xmlCipher.doFinal(sourceDoc, encryptedDataElement);

41

XMLDSIG (XML Digital Signatures)


Current version: http://www.w3.org/TR/xmldsig-core/

Allows a large collection of algorithms to sign arbitrary parts of a document

Enveloped (contained within the document)

Enveloping (document contained within the signature)

Detached (separate document for signature)

42

Example XMLDSIG transformation

    <env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope">
      <env:Header>
      </env:Header>
      <env:Body>
        <value attr="1">some value</value>
      </env:Body>
    </env:Envelope>

43

Example XMLDSIG transformation

    <env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope">
      <env:Header>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></ds:CanonicalizationMethod>
            <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
            <ds:Reference URI="">
              <ds:Transforms>
                <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform>
                ...more stuff than can fit on this slide!!...
        </ds:Signature>
      </env:Header>
      <env:Body>
        <value attr="1">some value</value>
      </env:Body>
    </env:Envelope>

44

Example XMLDSIG transformation

    <env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope">
      <env:Header>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <ds:SignedInfo>...</ds:SignedInfo>
          <ds:SignatureValue>...</ds:SignatureValue>
          <ds:KeyInfo>
            <ds:X509Data>
              <ds:X509Certificate>
                ...Base64 representation of certificate...
              </ds:X509Certificate>
            </ds:X509Data>
          </ds:KeyInfo>
        </ds:Signature>
      </env:Header>
      <env:Body>...</env:Body>
    </env:Envelope>

45

Things to Note


Any part of an XML document can be signed

The signature can be placed anywhere in the document (e.g. SOAP header!!)

A key or certificate can be (optionally) included in the signature


Whitespace is significant

46

XMLDSIG APIs

Same as XMLENC

Also, specifically for Web Services: http://java.sun.com/webservices/docs/1.4/xmldsig/api/index.html

.NET: http://www.dotnet247.com/247reference/System/Security/Cryptography/Xml/SignedXml.aspx

47

Using Xerces for Java API


Easier than XMLENC


Again, to verify the signature, the document parser must be namespace-aware

Not pretty-printed (remember, whitespace is significant)

Possible bug?

Actual output:

    INFO: Verification successful for URI ""
    invalid signature

48

Using Xerces for Java API


Example signature creation code: (see source)

    import org.w3c.dom.Document;
    import org.apache.xml.security.signature.XMLSignature;
    import org.apache.xml.security.transforms.Transforms;
    import org.apache.xml.security.utils.Constants;

    Document sourceDoc = /* load/parse document to sign */;
    XMLSignature sig = new XMLSignature(sourceDoc, null,
            XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1);
    // enveloped signature: the <Signature> element lives inside the signed document
    sourceDoc.getDocumentElement().appendChild(sig.getElement());

    Transforms transforms = new Transforms(sourceDoc);
    transforms.addTransform(Transforms.TRANSFORM_ENVELOPED_SIGNATURE);
    transforms.addTransform(Transforms.TRANSFORM_C14N_WITH_COMMENTS);
    // sign the whole document, hence the referenceURI is ""
    sig.addDocument("", transforms, Constants.ALGO_ID_DIGEST_SHA1);
    // remove next line to exclude key information from the document
    sig.addKeyInfo(cert.getPublicKey());
    sig.sign(privKey);

49

Using Xerces for Java API


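Example signature verification code: (see source)

    import org.w3c.dom.Document;
    import org.w3c.dom.Element;
    import org.apache.xml.security.signature.XMLSignature;

    Document sourceDoc = /* load/parse document to verify */;
    Element sigElement = /* find <Signature> element in sourceDoc */;
    XMLSignature sig = new XMLSignature(sigElement, null);

    // replace below with checkSignatureValue(verifyKey) if the verification key is not included
    // note: a key taken from the document's own KeyInfo only shows the document is
    // intact; it must still be matched against a key or certificate the verifier trusts
    if (sig.checkSignatureValue(sig.getKeyInfo().getPublicKey())) {
        System.out.println("valid signature");
    } else {
        System.out.println("invalid signature");
    }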

50

Canonicalizations and Transformations


Need some agreement between sender and receiver about a “canonical” document

whitespace?

XML comments?

Also need some agreement about how to transform the signed document

A signature cannot sign itself! How much of the signature do we remove?

How much of the document are we signing?

51

Canonicalizations


Implicitly includes character set (e.g. UTF-8) and content

Xerces for Java supports 4:

Canonical or Exclusive Canonicalization (?)

Canonical: http://www.w3.org/TR/xml-c14n

Exclusive: http://www.w3.org/TR/xml-exc-c14n/

Omit or include comments
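The effect of these choices on a digest, as an added example in Python (not from the slides, which use the Java API): it canonicalizes constructed variants of the SOAP envelope and compares their digests with the original's. It uses the standard library's C14N 2.0 canonicalize() as a stand-in for the C14N 1.0 algorithms listed above and SHA-256 where the slides use SHA-1; the document strings and function names are assumptions.

```python
import hashlib
from xml.etree.ElementTree import canonicalize  # C14N 2.0, Python 3.8+

DS_SIGNATURE = "{http://www.w3.org/2000/09/xmldsig#}Signature"


def digest(xml_text, with_comments=False, enveloped=False):
    """SHA-256 over the canonical form of xml_text.

    enveloped=True imitates the enveloped-signature transform by leaving out
    every ds:Signature subtree (simplification: the real transform removes
    only the Signature element that contains the Reference being processed).
    """
    canonical = canonicalize(
        xml_text,
        with_comments=with_comments,
        exclude_tags=[DS_SIGNATURE] if enveloped else None,
    )
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


# Constructed sample documents, modelled on the slides' SOAP envelope.
NS = 'xmlns:env="http://www.w3.org/2003/05/soap-envelope"'
UNSIGNED = (f'<env:Envelope {NS}><env:Header></env:Header>'
            '<env:Body><value attr="1" b="2">some value</value></env:Body>'
            '</env:Envelope>')
# Same content, different surface syntax: attribute order, quotes, empty tag.
RESPELLED = (f"<env:Envelope   {NS}><env:Header/>"
             "<env:Body><value b='2' attr='1'>some value</value></env:Body>"
             "</env:Envelope>")
# Pretty-printing inserts whitespace text nodes inside the signed content.
PRETTY = (f'<env:Envelope {NS}>\n  <env:Header></env:Header>\n'
          '  <env:Body><value attr="1" b="2">some value</value></env:Body>\n'
          '</env:Envelope>')
# A comment only matters when the agreed method includes comments.
COMMENTED = UNSIGNED.replace("<env:Body>", "<env:Body><!-- reviewed -->")
# The signature placed in the SOAP header, as on the slides.
SIGNED = UNSIGNED.replace(
    "<env:Header>",
    '<env:Header><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
    "<ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>")


def survives(variant, **options):
    """True if variant has the same canonical digest as UNSIGNED."""
    return digest(variant, **options) == digest(UNSIGNED, **options)
```

survives(RESPELLED) is True while survives(PRETTY) is False, which is why the signed output must not be pretty-printed; survives(SIGNED) only becomes True with enveloped=True.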

52

Canonicalizations


Others include text-based algorithms like CRLF and charset normalization

XMLDSIG spec says text-based canonicalization is “NOT RECOMMENDED”

Also says to “exercise great care in … executing an arbitrary canonicalization method”

e.g. “could rewrite the URIs of the References being validated”

“could massively transform <SignedInfo>”


53

Transformations


Ordered list, starting with the <Reference URI="..."> element

Possible transforms

Remove the <Signature> element

Base64 decoding

XPath filtering

54

Transformations (XPath)


Filter on //TicketInfo/ConfirmationNumber[2]

Full XPath specification at http://www.w3.org/TR/xpath

How to do this in Xerces? Something to do with TransformParam interface.

55

Advanced Security

56

Advanced Security Information


The WS-* standards are being developed by IBM and Microsoft

Submitted to OASIS for review and standardization

Essentially define ways to use things like XML Digital Signature and XML Encryption to establish trust, define policies, etc…

More details on these in a later presentation

57

Questions?
