Service Oriented Architecture
Lecture 6: Web Service Security, XML Signature and XML Encryption
Mike McCarthy
Notes adapted from "Web Services Security", Bilal Siddiqui
95-843: Service Oriented Architecture, Master of Information System Management

Web Services & Cryptography
• Bob and Alice want to exchange SOAP messages.
• Eve is always watching.
• Mallory is always trying to cause trouble.

What's going on?
• Web Services Security (WSS) specification from OASIS
• Message confidentiality
• Message identification (Who are you?)
• Message authentication (Can you prove it?)
• Authorization (What are you allowed to do?)
• End-to-end (not just point-to-point)

The WS Cryptography Stack (layers, top to bottom)
  XML Web Services Security
  SAML (Security Assertion ML), XKMS (XML Key Management Specification), XACML (eXtensible Access Control Markup Language)
  XMLDSIG (W3C), XMLENC (W3C)
  .NET Crypto APIs, Java Security APIs

Tools Becoming Common
• Apache's WSS4J (Web Services Security)
• Java's JCE and JCA
• C# Crypto APIs
• Active Endpoints supports security if you purchase their product
• IBM's WebSphere
• Microsoft, Oracle…

The Need For Web Services
• Application integration within the enterprise
• Application integration across enterprise boundaries: customers, partners, suppliers

A Tourism Supply Chain (diagram: Tourists, Tour Operator, Hotels, Car Rental)
Without WSS:
- coarse-grained protection provided by firewalls
- SSL provides point-to-point encryption and authentication
- anyone may call RoomRentInfoForAll()
With WSS: fine-grained security
- restricted callers and access decisions for RoomRentInfoForPartnersOnly()

Service Oriented Architecture (diagram)
SOAP over HTTP to the hotel's SOAP Server, which exposes RoomRentInfoForAll() and RoomRentInfoForPartnersOnly()

Listing 1: SOAP Request
POST /Vendors HTTP/1.1
Host: www.myHotel.com
Content-Type: text/xml; Charset=utf-8
Content-Length: 350
SOAPAction: ""

<?xml version='1.0'?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV='http://schemas.xmlsoap.org/soap/envelope/'>
  <SOAP-ENV:Body>
    <s:GetSpecialDiscountedBookingForPartners xmlns:s='http://www.MyHotel.com/partnerservice/'>
      <!--Parameters passed with the method call-->
    </s:GetSpecialDiscountedBookingForPartners>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

Listing 2: SOAP Response
HTTP/1.0 200 OK
Content-Type: text/xml; charset=utf-8
Content-Length: 1474

<?xml version="1.0"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV='http://schemas.xmlsoap.org/soap/envelope/'>
  <SOAP-ENV:Body>
    <m:GetSpecialDiscountedBookingForPartnersResponse xmlns:m="http://www.MyHotel.com/partnerservice/">
      <!-- Booking confirmation details-->
    </m:GetSpecialDiscountedBookingForPartnersResponse>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

1st Generation Web Services (diagram)
SOAP Client -> SOAP Server -> Hotel Class -> RDBMS

2nd Generation Web Services (diagram)
SOAP Client -> SOAP Server (Tour Planning Class) -> SOAP Server (Hotel Class) -> RDBMS

3rd Generation Web Services (diagram)
SOAP Client -> SOAP Server (Tour Planning Class) -> SOAP Server (Hotel Class) -> RDBMS and SOAP Server (Plane Class) -> RDBMS, coordinated with WS-Transaction/WS-Security

WS Security (diagram: SOAP Client -> SOAP Server acting as a SOAP-aware firewall -> SOAP Server -> Hotel Class -> RDBMS)
• inspect the SOAP message
• match user roles with access lists
• XML Signature (not SOAP specific)
• XML Encryption (not SOAP specific)
• WSS (SOAP-specific use of XMLEnc and XMLDsig)
• Security Assertion Markup Language (SAML) for single sign-on, replacing HTTP cookies
• XACML (eXtensible Access Control Markup Language) to express authorization and access policies

XML Signature
An IETF/W3C Recommendation
XML Digital Signatures
First, some fundamental ideas:
Message Digest
- message m + digest algorithm da -> hash value h = h_da(m)
- infeasible to go from h(m) back to m
- very hard to find m' so that h_da(m') = h(m)
Alice transmits the (da, m, h(m)) triple.
Very useful for checking whether errors occurred during transmission.

XML Digital Signatures
Problem: Mallory might replace the (message, hash value) pair with her own (message, hash value) pair. She has access to digest algorithms just like everyone else. Bob checks the arriving triple and everything looks great. No errors during transmission?

XML Digital Signatures
Solution: Get a secret key involved in the calculation of the hash.
Given a message m, compute a hash of m: h = h_da(m).
Alice encrypts the hash with a key that Mallory does not have: E = E_priv(h).
Alice transmits (da, m, E). Mallory does not know the key, so she cannot produce a matching E for a message of her own.
Bob verifies by recovering h from E with the corresponding key (the shared secret if Alice used a symmetric key, or Alice's public key if she used her private key). He then compares it with his own hash of m, computed with the same digest algorithm. If they are equal, he has good reason to believe that m came from Alice and that it has not been manipulated by Mallory.

What Are XML Signatures?
• XML Signatures are digital signatures used in XML transactions
• They may be used to sign only a portion of an XML document. The document might have a long history, with different parts holding different signatures
• The signature may apply to XML or non-XML data

Referencing What is Signed
• An XML Signature can be used to sign a resource outside of the document itself.
• Or it can be used to sign parts of the document itself.

XMLDsig General Form
The Components of an XML Signature (diagram)
The <Reference> Element
Each signed resource is specified with a <Reference> element. A typical <Reference> element will contain
- a pointer to what is signed
- a digest method (for example SHA1)
- a digest value of the resource, in base64 notation

The <Reference> Element
The URI gives the location of the document being signed.
<Reference URI="http://.../po.xml">
  <DigestMethod>…</DigestMethod>
  <DigestValue> calculated digest of po.xml </DigestValue>
</Reference>

We may have many references
<Reference> pointer, digest method, digest value </Reference>
  :
<Reference> pointer, digest method, digest value </Reference>

Place Within a SignedInfo Element
<SignedInfo>
  <CanonicalizationMethod> algorithm used on the SignedInfo element
  <SignatureMethod> for example dsa-sha1
  <Reference> pointer, digest method, digest value </Reference>
</SignedInfo>

Compute the Digest of SignedInfo
The canonicalized SignedInfo element above (canonicalization method, signature method and the references) is what gets digested.

Sign the digest and place the value in a SignatureValue element…
<SignedInfo>
  <CanonicalizationMethod> algorithm used on the SignedInfo element
  <SignatureMethod> for example dsa-sha1
  <Reference> pointer, digest method, digest value </Reference>
</SignedInfo>
<SignatureValue> Base64 signature of the SignedInfo element m: E_priv(h_da(m)) </SignatureValue>

Enclose in a Signature Element
<Signature>
  <SignedInfo>
    <CanonicalizationMethod> algorithm used on the SignedInfo element
    <SignatureMethod> for example dsa-sha1
    <Reference> pointer, digest method, digest value </Reference>
  </SignedInfo>
  <SignatureValue> Signature in Base64 </SignatureValue>
</Signature>

We may include KeyInfo
<Signature>
  <SignedInfo>
    <CanonicalizationMethod>
    <SignatureMethod>
    <Reference>…
  </SignedInfo>
  <SignatureValue> Base64 signature of the SignedInfo element </SignatureValue>
  <KeyInfo>
    <X509Data>
      <X509SubjectName>CN=Cristina McCarthy, O=CMU, …
      <X509Certificate> base64 public key and identity, signed by a CA </X509Certificate>
    </X509Data>
  </KeyInfo>
</Signature>

What Can Mallory Do?
• Can she modify the CA-signed certificate so that someone else appears to have signed the document?
• Can she modify what is being pointed to by the Reference element?
• Can she change the canonicalization method?
• Can she change the contents of the SignatureMethod tag?

Verification
1. Canonicalize the SignedInfo element.
2. Compute the digest of the SignedInfo element using the method described within it.
3. Compare the above value with the value obtained by applying the shared secret (or the signer's public key) to the value in the SignatureValue element.
4. Compute the digests of the referenced items (after any transformations) and compare them with the digests found within each Reference tag.

XML Security Tools Abound
Sign a grade book
Gradebook.xml:
<?xml version="1.0" encoding="UTF-8"?>
<GradeBook>
  <Student>
    <Score>100</Score>
    <Score>89</Score>
  </Student>
</GradeBook>

We need keys…
D:\..\95-804\IBM\XMLSecuritySuite\SampleSign2> keytool -genkey -keyalg RSA -keystore test.keystore -dname "CN=Mike McCarthy, OU=Heinz School, O=CMU, L=Pgh, S=PA, C=US" -alias mjm -storepass sesame -keypass sesame
Creates test.keystore holding keys and a self-signed certificate.

Run XSS4J's SampleSign2
D:\...\95-804\IBM\XMLSecuritySuite\SampleSign2> java SampleSign2 mjm sesame -embxml gradebook.xml > signature.xml
Key store: test.keystore
Sign: 851 ms

Examine signature.xml
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
  <SignedInfo>
    <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></CanonicalizationMethod>
    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod>

We are signing resource 0; the Transforms are applied prior to hashing.
    <Reference URI="#Res0">
      <Transforms>
        <Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></Transform>
      </Transforms>
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
      <DigestValue>m6f9xhOc4iEXokD/29V9EsdY3yI=</DigestValue>
    </Reference>
  </SignedInfo>
  <SignatureValue>
    Gll1H/uplOwfaX3j7ST6UqQlc92Hx2nsCdN2KWz32CW0D4hH64n32v/InkGux1dYgTya6S4s55iHqZEjDpH2I359H4PAxBYYXJj4LUBNxAFxUcDy6xrEUbLnKeutT5pf1DBSmxg9Cp3PO5Rs36nVN8GVfnFl1M86WQd19/RsAnA=
  </SignatureValue>
  <KeyInfo>
    <KeyValue>
      <RSAKeyValue>
        <Modulus>
          7V5eyhVaw0clED11H6PTPoKQA1VxrLAugU3QxKA0hbbUOiavFbqCdc6Z+Fe9JZFMkSIqdl+khwWwd+AIsRyrN4V2DWm1f+xyYQf6bdZgCaVVgkST1BpQxBTgNKRcS5VbLrXf4MXb5TbhA+eo1Qbr2IjlV10aLbVhUk/g+ylag+k=
        </Modulus>
        <Exponent>AQAB</Exponent>
      </RSAKeyValue>
    </KeyValue>
    <X509Data>
      <X509IssuerSerial>
        <X509IssuerName>CN=Mike McCarthy, OU=Heinz School, O=CMU, L=Pgh, ST=PA, C=US</X509IssuerName>
        <X509SerialNumber>1049138061</X509SerialNumber>
      </X509IssuerSerial>
      <X509SubjectName>CN=Mike McCarthy, OU=Heinz School, O=CMU, L=Pgh, ST=PA, C=US</X509SubjectName>
      <X509Certificate>
        MIICPDCCAaUCBD6Ik40wDQYJKoZIhvcNAQEEBQAwZTELMAkGA
        UEBhMCVVMxCzAJBgNVBAgTAlBBMQwwCgYDVQQHEwNQZ2gx
        DAKBgNVBAoTA0NNVTEVMBMGA1UECxMMSGVpbnogU2Nob29s
        RYwFAYDVQQDEw1NaWtlIE1jQ2FydGh5MB4XDTAzMDMzMTE5M
        QyMVoXDTAzMDYyOTE5MTQyMVowZTELMAkGA1UEBhMCVVMx
        zAJBgNVBAgTAlBBMQwwCgYDVQQHEwNQZ2gxDDAKBgNVBAoT
        0NNVTEVMBMGA1UECxMMSGVpbnogU2Nob29sMRYwFAYDVQQ
        Ew1NaWtlIE1jQ2FydGh5MIGfMA0GCSqGSIb3DQEBAQUA
        A4GNADCBiQKBgQDtXl7KFVrDRyUQPXUfo9M+gpADVXGssC6BT
        DEoDSFttQ6Jq8VuoJ1zpn4V70lkUyRIip2X6SHBbB34AixHKs3hXYN
        bV/7HJhB/pt1mAJpVWCRJPUGlDEFOA0pFxLlVsutd/gxdvl
        NuED56jVBuvYiOVXXRottWFST+D7KVqD6QIDAQABMA0GCSqG
        3DQEBBAUAA4GBAMpUaA8Cw8mKQn408KuV4xrTciEEcTLNniDGn
        8d9W1fR4veqhKz8L8+886+4bNS5Wih+1oEC5k/da23QicpTdXfUyA
        1c9Zu3cGU4ulUfhFPWv0IgdpI63KQt9QwsuTxWck5dAta2+KWWTv85I
        ByHXgoaDlvJ65JjT87nAPAI3
      </X509Certificate>
    </X509Data>
  </KeyInfo>

The resource 0 object
  <dsig:Object xmlns="" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" Id="Res0">
    <GradeBook>
      <Student>
        <Score>100</Score>
        <Score>89</Score>
      </Student>
    </GradeBook>
  </dsig:Object>
</Signature>

Let's change the low grade!
  <dsig:Object xmlns="" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" Id="Res0">
    <GradeBook>
      <Student>
        <Score>100</Score>
      </Student>
    </GradeBook>
  </dsig:Object>

And run verify…
D:\McCarthy\www\95804\IBM\XMLSecuritySuite\SampleSign2> java VerifyCUI < signature.xml
The signature has a KeyValue element.
The signature has one or more X509Data elements.
Checks an X509Data: 1 certificate(s).
Certificate Information:
  Version: 1
  Validity: OK
  SubjectDN: CN=Mike McCarthy, OU=Heinz School, O=CMU, L=Pgh, ST=PA, C=US
  IssuerDN: CN=Mike McCarthy, OU=Heinz School, O=CMU, L=Pgh, ST=PA, C=US
  Serial#: 0x3e88938d
Time to verify: 521 [msec]
Core Validity: NG
Signature Validity: OK
  [0] "#Res0" NG: Digest value mismatch: calculated: tfVyHns8wRB6l/HDU2dXZkzf+7Q=
Exception in thread "main" java.lang.RuntimeException: Core Validity: NG
        at dsig.VerifyCUI.main(VerifyCUI.java:137)
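The same sign, tamper, verify cycle written out as an added Python example (not the XSS4J tool and not code from the slides), so that the four verification steps from the earlier slide can be seen as separate checks. It assumes a shared-secret HMAC-SHA256 SignatureMethod in place of rsa-sha1, SHA-256 digests in place of SHA-1, and the standard library's C14N 2.0 canonicalizer in place of C14N 1.0; the grade book and the key are constructed sample inputs, and the function names are the example's own.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("ds", DS)

# Algorithm identifiers placed in SignedInfo. The slides' signatures use
# C14N 1.0 and rsa-sha1; this example runs C14N 2.0 (what the Python
# stdlib implements) and HMAC-SHA256, a shared-secret SignatureMethod,
# so no third-party crypto library is needed (assumption for the example).
C14N_ALG = "http://www.w3.org/2006/12/xml-c14n2"
SIG_ALG = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"
DIGEST_ALG = "http://www.w3.org/2001/04/xmlenc#sha256"

# Constructed sample inputs: the grade book from the slides and a made-up key.
GRADEBOOK = """<GradeBook>
  <Student>
    <Score>100</Score>
    <Score>89</Score>
  </Student>
</GradeBook>"""
KEY = b"constructed-shared-secret-for-the-example"


def tag(name):
    return f"{{{DS}}}{name}"


def c14n(elem):
    """Canonical bytes of an element; signer and verifier must agree on this."""
    return ET.canonicalize(ET.tostring(elem, encoding="unicode"), strip_text=True).encode()


def b64(raw):
    return base64.b64encode(raw).decode()


def sign(resource_xml, key, res_id="Res0"):
    """Build an enveloping signature: the resource is carried in a ds:Object."""
    sig = ET.Element(tag("Signature"))
    si = ET.SubElement(sig, tag("SignedInfo"))
    ET.SubElement(si, tag("CanonicalizationMethod"), Algorithm=C14N_ALG)
    ET.SubElement(si, tag("SignatureMethod"), Algorithm=SIG_ALG)
    ref = ET.SubElement(si, tag("Reference"), URI="#" + res_id)
    ET.SubElement(ref, tag("DigestMethod"), Algorithm=DIGEST_ALG)
    digest_value = ET.SubElement(ref, tag("DigestValue"))
    sig_value = ET.SubElement(sig, tag("SignatureValue"))
    obj = ET.SubElement(sig, tag("Object"), Id=res_id)
    obj.append(ET.fromstring(resource_xml))
    # Digest the referenced resource and record it inside the Reference.
    digest_value.text = b64(hashlib.sha256(c14n(obj)).digest())
    # Canonicalize SignedInfo and sign it: the key covers the digests,
    # not the resource directly.
    sig_value.text = b64(hmac.new(key, c14n(si), hashlib.sha256).digest())
    return ET.tostring(sig, encoding="unicode")


def verify(signature_xml, key):
    """The four verification steps from the slides, reported separately."""
    sig = ET.fromstring(signature_xml)
    si = sig.find(tag("SignedInfo"))
    # Steps 1-3: canonicalize SignedInfo, recompute the MAC over it and
    # compare with SignatureValue (constant-time compare).
    expected = hmac.new(key, c14n(si), hashlib.sha256).digest()
    presented = base64.b64decode(sig.findtext(tag("SignatureValue")))
    signature_valid = hmac.compare_digest(expected, presented)
    # Step 4: recompute the digest of every referenced item and compare it
    # with the DigestValue stated in its Reference.
    references = {}
    for ref in si.iter(tag("Reference")):
        uri = ref.get("URI")
        target = next((e for e in sig.iter() if e.get("Id") == uri[1:]), None)
        if target is None:
            references[uri] = False
            continue
        calculated = hashlib.sha256(c14n(target)).digest()
        stated = base64.b64decode(ref.findtext(tag("DigestValue")))
        references[uri] = hmac.compare_digest(calculated, stated)
    return {
        "signature_valid": signature_valid,
        "references": references,
        "core_valid": signature_valid and all(references.values()),
    }


if __name__ == "__main__":
    signed = sign(GRADEBOOK, KEY)
    print(verify(signed, KEY))
    # Drop the low grade: SignedInfo is untouched, so the signature still
    # verifies, but the Reference digest no longer matches (VerifyCUI's
    # "Signature Validity: OK" together with "Core Validity: NG").
    print(verify(signed.replace("<Score>89</Score>", ""), KEY))
```

Run as a script, it reports all three flags true for the untouched signature and, after the 89 is deleted from the Object, signature_valid true but references['#Res0'] false, the same split that VerifyCUI prints above. A change inside SignedInfo (the SignatureMethod URI, say) or a wrong key flips signature_valid to false, which answers the Mallory questions on the earlier slide: SignedInfo is covered by the key, and the referenced data is covered through its digest.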
Another Example: PO.XML
<?xml version="1.0" encoding="UTF-8"?>
<PurchaseOrder xmlns="urn:purchase-order">
  <Customer>
    <Name>Robert Smith</Name>
    <CustomerId>788335</CustomerId>
  </Customer>
  <Item partNum="C763">
    <ProductId>6883-JF3</ProductId>
    <Quantity>3</Quantity>
    <ShipDate>2002-09-03</ShipDate>
    <Name>ThinkPad X20</Name>
  </Item>
</PurchaseOrder>

PO After Signing
<?xml version='1.0' encoding='UTF-8'?>
<SignedPurchaseOrder>
  <PurchaseOrder id="id0" xmlns="urn:purchase-order">
    <Customer>
      <Name>Robert Smith</Name>
      <CustomerId>788335</CustomerId>
    </Customer>
    <Item partNum="C763">
      <ProductId>6883-JF3</ProductId>
      <Quantity>3</Quantity>
      <ShipDate>2002-09-03</ShipDate>
      <Name>ThinkPad X20</Name>
    </Item>
  </PurchaseOrder>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <Reference URI="#id0">
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <DigestValue>UfeiscUCL7QkhZtRDLWDPWLpVlA=</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>
      Ptysg8WdHI2mxwryOOt5I9r9qZm/2gNFNOJyH1Wak4nCUegRpe72tWnsigAKZyopmgUSH3TGaGGQF1BTSvk3JUUY/ljrw+5FpTpf3hgZBi7GSWf6WtXqZvMYGUKIlvR/421MZg7P9XRUyy37ZUzQHtmCYkBorEkEx1J4CYB0G2c=
    </SignatureValue>
    <KeyInfo>
      <X509Data>
        <X509Certificate>
MIIDGjCCAoOgAwIBAgICAQAwDQYJKoZIhvcNAQEFBQAwXzELMAkGA1UEBhMCSlAxETAPBgNVBAgT
CEthbmFnYXdhMQ8wDQYDVQQHEwZZYW1hdG8xDDAKBgNVBAoTA0lCTTEMMAoGA1UECxMDVFJMMRAw
DgYDVQQDEwdUZXN0IENBMB4XDTAxMTAwMTA3MTYxMFoXDTExMTAwMTA3MTYxMFowUDELMAkGA1UE
BhMCSlAxETAPBgNVBAgTCEthbmFnYXdhMQwwCgYDVQQKEwNJQk0xDDAKBgNVBAsTA1RSTDESMBAG
A1UEAxMJU2lnbmF0dXJlMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCvnFQiPEJnUZnkmzoc
MjsseD8ms9HBgasZR0VOAvsby5aajsm9CtB18dDCemDXZ2YjBdprX+epfF4SLNP5ankfphhr9QXA
NJdCKpyF3jPoydckle7E7gI9w3Q4NDa4ryVOuIS2qev6jlE7OVPqiXIDVlCH4u6GbIoJEpJ57yzx
dQIDAQABo4HzMIHwMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgXgMCwGCWCGSAGG+EIBDQQfFh1PcGVu
U1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUYapFv9MvQ9NNn1Q7zgzqka4XORsw
gYgGA1UdIwSBgDB+gBR7FuT9bLBj3vVsgAzIeYa4hBUZBaFjpGEwXzELMAkGA1UEBhMCSlAxETAP
BgNVBAgTCEthbmFnYXdhMQ8wDQYDVQQHEwZZYW1hdG8xDDAKBgNVBAoTA0lCTTEMMAoGA1UECxMD
VFJMMRAwDgYDVQQDEwdUZXN0IENBggEAMA0GCSqGSIb3DQEBBQUAA4GBALFzGDXMzxJvOnCdJCMZ
2NsZdz1+wmoYyejB5J6Ch2ygdPeibMnW/CiYKCTWBhpEgxEqr1BNlgSVqA6nyvjHsVIvgBfwx37D
hJ5hz4azpWu1X22XqyU9fUqoQUtEAdM/MlLekBkprkJVb9uJXTFzzvm/3DoEiBkX/BT78YdM8eq0
        </X509Certificate>
      </X509Data>
    </KeyInfo>
  </Signature>
</SignedPurchaseOrder>
Web Service Security
• Describes how XMLDSig is used within the web service framework.
• SOAP Headers are used to hold the signature.

SOAP
<Envelope>
  <Header>   : WS-* specifications are placed in the header area and are handled by intermediaries
  </Header>
  <Body>     : Message payload, including fault messages, as well-formed XML
  </Body>
</Envelope>

WSS XMLDSig Listing 1
<?xml version="1.0"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Body>
    <s:GetSpecialDiscountedBookingForPartners xmlns:s="http://www.MyHotel.com/partnerservice/">
      <!--Parameters passed with the method call-->
    </s:GetSpecialDiscountedBookingForPartners>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
From "Web Services Security", Bilal Siddiqui

Sign The SOAP Request
<?xml version="1.0"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
                   xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <SOAP-ENV:Header>
    <ds:Signature>                 <!-- wraps all other XMLDSig elements -->
      <ds:SignedInfo>              <!-- note the ds prefix -->
      </ds:SignedInfo>             <!-- note the three children of SignedInfo -->
      <ds:SignatureValue>
      </ds:SignatureValue>
      <ds:KeyInfo>
      </ds:KeyInfo>
    </ds:Signature>
  </SOAP-ENV:Header>
  <SOAP-ENV:Body>
    <s:GetSpecialDiscountedBookingForPartners xmlns:s="http://www.MyHotel.com/partnerservice/">
      <!--Parameters passed with the method call-->
    </s:GetSpecialDiscountedBookingForPartners>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
Listing 2 of the article by Bilal Siddiqui

After Signing (1-3)
<?xml version="1.0"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
                   xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <SOAP-ENV:Header>
    <ds:Signature>
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <ds:Reference URI="#GetSpecialDiscountedBookingForPartners">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <ds:DigestValue>BIUddkjKKo2...</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>halHJghyf765..</ds:SignatureValue>
      <ds:KeyInfo>                 <!-- the key name for signature verification -->
        <ds:KeyName>MyKeyIdentifier</ds:KeyName>
      </ds:KeyInfo>                <!-- application dependent, perhaps a symmetric key ID -->
    </ds:Signature>
  </SOAP-ENV:Header>
  <SOAP-ENV:Body>
    <s:GetSpecialDiscountedBookingForPartners xmlns:s="http://www.MyHotel.com/partnerservice/"
                                              ID="GetSpecialDiscountedBookingForPartners">
      <!--Parameters passed with the method call-->
    </s:GetSpecialDiscountedBookingForPartners>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
Listing 5 from the article by Bilal Siddiqui

Validation Procedure
(1) Canonicalize the SignedInfo element.
(2) Check message integrity. We'll need
  a. the data to be digested
  b. any transforms to perform first
  c. the digest algorithm
(3) If the digests compare equal, verify the signature:
  a. get the signer's key (public key or shared secret), perhaps by consulting the <KeyInfo> element
  b. read the signature method used to compute the signature
  c. attempt to verify and, if we have a match, call GetSpecialDiscountedBookingForPartners
XML Encryption & Web Service Security

XML Encryption
• W3C Recommendation, 10 December 2002
• JSR 105 XMLDSig: proposed final draft
• JSR 106 XMLEnc: in progress
• JWSDP 1.5 supports Web Services Security V1.0
• .NET supports XMLEnc out of the box
• Some notes from http://www-106.ibm.com/developerworks/library/xencrypt/index.html by Bilal Siddiqui and from "Secure XML" by Eastlake and Niles, Addison Wesley

General Form 1
<EncryptedData>
  <CipherData>
    <CipherValue> cipher text in Base64 </CipherValue>
  </CipherData>
</EncryptedData>

General Form 2
<EncryptedData>
  <CipherData>
    <CipherReference> pointer (URL) to cipher text </CipherReference>
  </CipherData>
</EncryptedData>

EncryptedData is the core element
• Replaces the encrypted element, or
• Serves as the new document root
• May contain a KeyInfo element (borrowed from XML Digital Signature) that describes the key needed for decryption or signature verification

General Example (1)
<MedInfo>
  <ID>
    <Name>
    <Address>
  </ID>
  <Medical>…</Medical>
  <Financial>…</Financial>
</MedInfo>

General Example (2)
<MedInfo>
  <ID>…</ID>
  <EncryptedData>
    <KeyInfo><KeyName>Medical</KeyName></KeyInfo>
    <CipherData><CipherValue> cipher text </CipherValue></CipherData>
  </EncryptedData>

General Example (3)
  <Financial>
    <EncryptedData>
      <KeyInfo><KeyName>Pay</KeyName></KeyInfo>
      <CipherData><CipherValue> cipher text </CipherValue></CipherData>
    </EncryptedData>
  </Financial>
</MedInfo>

Detailed Example (Listing 1)
<PurchaseOrder>
  <Order>
    <Item>book</Item>
    <Id>123-958-74598</Id>
    <Quantity>12</Quantity>
  </Order>
  <Payment>
    <CardId>123654-8988889-9996874</CardId>
    <CardName>visa</CardName>
    <ValidDate>12-10-2004</ValidDate>
  </Payment>
</PurchaseOrder>

Encrypting the Entire File (Listing 2)
<?xml version='1.0'?>
<EncryptedData xmlns='http://www.w3.org/2001/04/xmlenc#'
               Type='http://www.isi.edu/in-notes/iana/assignments/media-types/text/xml'>
  <CipherData>
    <CipherValue>bd347ba…</CipherValue>
  </CipherData>
</EncryptedData>
IANA = Internet Assigned Numbers Authority, a function of the Internet Corporation for Assigned Names and Numbers

Encrypting The Payment (Listing 3): one element
<?xml version='1.0'?>
<PurchaseOrder>
  <Order>
    <Item>book</Item>
    <Id>123-958-74598</Id>
    <Quantity>12</Quantity>
  </Order>
  <EncryptedData Type='http://www.w3.org/2001/04/xmlenc#Element'
                 xmlns='http://www.w3.org/2001/04/xmlenc#'>
    <CipherData>
      <CipherValue>A23B45C564587…</CipherValue>
    </CipherData>
  </EncryptedData>
</PurchaseOrder>

Encrypting Only the CardId (Listing 4): element content
<?xml version='1.0'?>
<PurchaseOrder>
  <Order>
    <Item>book</Item>
    <Id>123-958-74598</Id>
    <Quantity>12</Quantity>
  </Order>
  <Payment>
    <CardId>
      <EncryptedData Type='http://www.w3.org/2001/04/xmlenc#Content'
                     xmlns='http://www.w3.org/2001/04/xmlenc#'>
        <CipherData>
          <CipherValue>A23B45C564587</CipherValue>
        </CipherData>
      </EncryptedData>
    </CardId>
    <CardName>visa</CardName>
    <ValidDate>12-10-2004</ValidDate>
  </Payment>
</PurchaseOrder>

Encrypting Non-XML Data (Listing 5)
<?xml version='1.0'?>
<EncryptedData xmlns='http://www.w3.org/2001/04/xmlenc#'
               Type='http://www.isi.edu/in-notes/iana/assignments/media-types/jpeg'>
  <CipherData>
    <CipherValue>A23B45C56…</CipherValue>
  </CipherData>
</EncryptedData>
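Listings 3 and 4 differ only in what EncryptedData replaces: the whole Payment element (Type …#Element) or just the text inside CardId (Type …#Content). The added Python example below (not code from the slides or from Siddiqui's article) builds both forms from the purchase order and decrypts them back. It assumes a stand-in keystream cipher derived from HMAC-SHA256, because the standard library has no AES or 3DES, so the EncryptionMethod URI is a made-up urn:example: value; the purchase order and the key are constructed inputs and the function names are the example's own.

```python
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"
ET.register_namespace("xenc", XENC)
TYPE_ELEMENT = XENC + "Element"   # EncryptedData replaces the whole element
TYPE_CONTENT = XENC + "Content"   # EncryptedData replaces only the element's content
# Stand-in cipher (assumption for this example): an HMAC-SHA256 keystream XORed
# with the plaintext. The spec's algorithms (tripledes-cbc, aes128-cbc, ...)
# need a block-cipher library; the XML structure around the cipher text is
# what this example is about.
DEMO_ALG = "urn:example:hmac-sha256-ctr"

# Constructed sample input: the purchase order from the slides and a made-up key.
PURCHASE_ORDER = """<PurchaseOrder>
  <Order>
    <Item>book</Item>
    <Id>123-958-74598</Id>
    <Quantity>12</Quantity>
  </Order>
  <Payment>
    <CardId>123654-8988889-9996874</CardId>
    <CardName>visa</CardName>
    <ValidDate>12-10-2004</ValidDate>
  </Payment>
</PurchaseOrder>"""
KEY = b"constructed-symmetric-key"


def xtag(name):
    return f"{{{XENC}}}{name}"


def _keystream(key, nonce, length):
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_bytes(key, plaintext):
    nonce = os.urandom(16)  # fresh per message, so equal plaintexts encrypt differently
    return nonce + bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))


def decrypt_bytes(key, blob):
    nonce, ciphertext = blob[:16], blob[16:]
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))


def _encrypted_data(key, plaintext, enc_type):
    """Build <xenc:EncryptedData Type=...><EncryptionMethod/><CipherData><CipherValue/>."""
    ed = ET.Element(xtag("EncryptedData"), Type=enc_type)
    ET.SubElement(ed, xtag("EncryptionMethod"), Algorithm=DEMO_ALG)
    cd = ET.SubElement(ed, xtag("CipherData"))
    ET.SubElement(cd, xtag("CipherValue")).text = base64.b64encode(encrypt_bytes(key, plaintext)).decode()
    return ed


def encrypt_element(doc_xml, path, key, content_only=False):
    """Listing 3 style (whole element) or, with content_only, Listing 4 style."""
    root = ET.fromstring(doc_xml)
    parents = {child: parent for parent in root.iter() for child in parent}
    target = root.find(path)
    if content_only:
        # Serialize text plus child elements, then leave the empty element in place.
        plaintext = (target.text or "") + "".join(ET.tostring(c, encoding="unicode") for c in target)
        for child in list(target):
            target.remove(child)
        target.text = None
        target.append(_encrypted_data(key, plaintext.encode(), TYPE_CONTENT))
    else:
        parent = parents[target]
        plaintext = ET.tostring(target, encoding="unicode")
        index = list(parent).index(target)
        parent.remove(target)
        parent.insert(index, _encrypted_data(key, plaintext.encode(), TYPE_ELEMENT))
    return ET.tostring(root, encoding="unicode")


def decrypt_document(doc_xml, key):
    """Undo every EncryptedData in the document according to its Type attribute."""
    root = ET.fromstring(doc_xml)
    parents = {child: parent for parent in root.iter() for child in parent}
    for ed in list(root.iter(xtag("EncryptedData"))):
        blob = base64.b64decode(ed.findtext(f"{xtag('CipherData')}/{xtag('CipherValue')}"))
        plaintext = decrypt_bytes(key, blob).decode()
        holder = parents[ed]
        if ed.get("Type") == TYPE_ELEMENT:
            index = list(holder).index(ed)
            holder.remove(ed)
            holder.insert(index, ET.fromstring(plaintext))
        else:
            holder.remove(ed)
            fragment = ET.fromstring("<wrapper>" + plaintext + "</wrapper>")
            holder.text = fragment.text
            holder.extend(list(fragment))
    return ET.tostring(root, encoding="unicode")


def same_document(a, b):
    """Compare two documents by canonical form, ignoring insignificant whitespace."""
    return ET.canonicalize(a, strip_text=True) == ET.canonicalize(b, strip_text=True)


if __name__ == "__main__":
    print(encrypt_element(PURCHASE_ORDER, "Payment", KEY))
    print(encrypt_element(PURCHASE_ORDER, "Payment/CardId", KEY, content_only=True))
```

Like the CBC modes named in the spec, this gives confidentiality only: a recipient learns nothing about tampering from the cipher text, which is why WSS pairs XML Encryption with XML Signature. The EncryptedKey and ReferenceList wrapping of the session key, seen in the XWSS request later in the deck, is not modelled here.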
Web Services Security Using Sun's Application Server

No Security: SOAP Going to the Service
Running the simpleTestClient program...
Service URL=http://localhost:8080/securesimple/Ping
About to ping
Apr 9, 2005 10:17:52 AM com.sun.xml.wss.filter.DumpFilter process
INFO: ==== Sending Message Start ====
<?xml version="1.0" encoding="UTF-8"?>
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:enc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:ns0="http://xmlsoap.org/Ping" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <env:Body>
    <ns0:Ping>
      <ns0:ticket>SUNW</ns0:ticket>
      <ns0:text>Hello!</ns0:text>
    </ns0:Ping>
  </env:Body>
</env:Envelope>

SOAP Response
<?xml version="1.0" encoding="UTF-8"?>
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:enc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:ns0="http://xmlsoap.org/Ping" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <env:Body>
    <ns0:PingResponse>
      <ns0:text>Hello! Mike!</ns0:text>
    </ns0:PingResponse>
  </env:Body>
</env:Envelope>
Ping complete

Configure The Client to Encrypt
<xwss:JAXRPCSecurity xmlns:xwss="http://java.sun.com/xml/ns/xwss/config">
  <xwss:Service>
    <xwss:SecurityConfiguration dumpMessages="true">
      <!-- Since no targets have been specified below, the contents of the SOAP body would be encrypted by default. -->
      <xwss:Encrypt>
        <xwss:X509Token certificateAlias="s1as"/>
      </xwss:Encrypt>
    </xwss:SecurityConfiguration>
  </xwss:Service>
  <xwss:SecurityEnvironmentHandler>
    com.sun.xml.wss.sample.SecurityEnvironmentHandler
  </xwss:SecurityEnvironmentHandler>
</xwss:JAXRPCSecurity>

Configure The Server To Require Encryption
<xwss:JAXRPCSecurity xmlns:xwss="http://java.sun.com/xml/ns/xwss/config">
  <xwss:Service>
    <xwss:SecurityConfiguration dumpMessages="true">
      <!-- Encryption requirement. As no target is specified, the contents of the SOAP body of the request are expected to be encrypted. -->
      <xwss:RequireEncryption/>
    </xwss:SecurityConfiguration>
  </xwss:Service>
  <xwss:SecurityEnvironmentHandler>
    com.sun.xml.wss.sample.SecurityEnvironmentHandler
  </xwss:SecurityEnvironmentHandler>
</xwss:JAXRPCSecurity>

Encrypted Request (attribute values and cipher text truncated for the slides)
<?xml version="1.0" encoding="UTF-8"?>
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:enc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:ns0="http://xmlsoap.org/Ping" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <env:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss…" env:mustUnderstand="1">
      <wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-w…"
                                EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss…"
                                ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x5…"
                                wsu:Id="Id-6842673312555922560">MIIDWTCCAsKgAwIBAgIBATANBgkG9w0BAQQFADB0MQswCQYDVQQ…
      </wsse:BinarySecurityToken>
      <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa…"/>
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <wsse:SecurityTokenReference>
            <wsse:Reference URI="#Id-6842673312555922560" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-w…"/>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
        <xenc:CipherData>
          <xenc:CipherValue>KB79tvoF6Bu7JeL2Re6iGG8BhdhOFcZiNDJrJNe8lV3GE6Sk+s453IF3GFpmkmQttPhzH1DHKQ+2nFjIWPdyZObK3cVyDfrox7Ysjbfuo4TNwElHvKtnGVNbcQIGWiwyxHIZCjqCdF8LM8E1gCZgYSaRh3V48VMlOsfZ8RCRVjw=</xenc:CipherValue>
        </xenc:CipherData>
        <xenc:ReferenceList>
          <xenc:DataReference URI="#Id7870285788177789579"/>
        </xenc:ReferenceList>
      </xenc:EncryptedKey>
    </wsse:Security>
  </env:Header>
  <env:Body>
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="Id7870285788177789579" Type="http://www.w3.org/2001/04/xmlenc#Content">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
      <xenc:CipherData>
        <xenc:CipherValue>SL1G08+bGFaqEOefJWtBpOipgkvs8i7JWNwoGum5TOEyZkStSKav/lYygoC5/ji11rccnQWNq/Tg1eYX52UTalAS…</xenc:CipherValue>
      </xenc:CipherData>
    </xenc:EncryptedData>
  </env:Body>
</env:Envelope>

SOAP Response
<?xml version="1.0" encoding="UTF-8"?>
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:enc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:ns0="http://xmlsoap.org/Ping" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <env:Body>
    <ns0:PingResponse>
      <ns0:text>Hello! Mike!</ns0:text>
    </ns0:PingResponse>
  </env:Body>
</env:Envelope>