2. WS-Security
• WS-Security
– Authentication
– Integrity and non-repudiation
– Confidentiality
• Initial effort of MSFT, IBM, Verisign, etc.
• Standardized at OASIS (Organization for the
Advancement of Structured Information Standards)
3. WS-Security
• Based on XML Encryption and XML Signature
• Basic framework for message level security
– Encryption
– Signature
– Security Tokens
4. Security Tokens
• Security Tokens are pieces of information used for
authentication and authorization.
- UserNameToken [User name/password]
- BinaryToken [ X.509 Tokens / Kerberos Tokens]
- XML Token [SAML Tokens]
5. WS-Security
• Provisions for “profiles” to support different crypto
technologies
– SAML Tokens
– X.509 Tokens
– UsernameToken
6. Message Level Security
• Authentication
– UsernameToken
– Use plain text password with a secure transport
• Integrity and Non-repudiation
– A detached XML-Signature used and one or more
parts are signed
• Confidentiality
– Encrypt the SOAP Body or any other part of the
message
7. WS-Security
• For XML Encryption, the security header may hold an
<EncryptedKey> element with a <ReferenceList>
element pointing to the specific parts of the message
that have been encrypted.
• XML Signature, inside the security header , with its
<Reference> elements points to the parts of the
message that are being digitally signed.
9. <BinarySecurityToken />
• Can hold binary tokens – e.g. X509 tokens, Kerberos
tokens.
• Because these are binary tokens – should specify the
EncodingType to represent them in XML.
• ValueType indicates what the security token is.
<wsse:BinarySecurityToken ValueType="..."
EncodingType="...#Base64Binary"
wsu:Id="MyID">
</wsse:BinarySecurityToken>
13. QUESTION 1
Discuss the applicability of following child elements under
<KeyInfo> with respect to the Example -1.
<KeyName /> <KeyValue /><RetrievalMethod />
<X509Data />
17. Token References
• Defines mechanisms for referencing security tokens.
• Introduces the <SecurityTokenReference> as a
standard way to refer to a security token regardless
of its format.
– Direct References
– Key Identifiers
– Key Names
– Embedded References
18. Direct References
• This allows references to include tokens using URI
fragments and external tokens using full URIs
20. Key Identifiers
• This allows tokens to be referenced using an opaque
value that represents the token.
• A KeyIdentifier is a value that can be used to
uniquely identify a security token (e.g. a hash of the
important elements of the security token).
22. Key Identifiers
• Having an explicit ValueType removes ambiguity
about the format of the KeyIdentifier. The Basic
Security Profile restricts the value to that specified in
the security token profile that is associated with the
security token.
• The ValueType attribute in a KeyIdentifier is optional.
This can cause ambiguity when it is not explicitly
stated. Furthermore, interoperability is discouraged
if a ValueType is specified but does not correspond
to the value associated with that token as stated in
its security token profile.
23. Key Names
• This allows tokens to be referenced using a string
that matches an identity assertion within the security
token.
• In any case where a security token would be referred
to by Key Name, it would also be possible to refer to
it by a more efficient and/or less ambiguous
mechanism (e.g. Direct, Key Identifier and/or Issuer
and Serial Number).
24. Key Names Example
<!-- This example is incorrect because it uses a ds:KeyName element to refer to
an X.509 certificate -->
<wsse:SecurityTokenReference>
<ds:KeyName>CN=Security WG, OU=BSP, O=WS-I, C=US</ds:KeyName>
</wsse:SecurityTokenReference>
KeyName references are prohibited by the
WS-Security Basic Profile.
25. Embedded
• This allows tokens to be embedded (as opposed to a
pointer to a token that resides elsewhere).
• Basic Security Profile 1.0 restricts embedded security
tokens to contain exactly one security token element.
28. 1
Reading SOAP is fun
<!-- This example is incorrect because it refers to a wsse:BinarySecurityToken element which
specifies a wsu:Id attribute using a wsse:KeyIdentifier element rather than a wsse:Reference
or wsse:Embedded element -->
<wsse:Security>
<wsse:BinarySecurityToken wsu:Id='SomeCert'
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">
lui+Jy4WYKGJW5xM3aHnLxOpGVIpzSg4V486hHFe7sHET/uxxVBovT7JV1A2RnWSWkXm9jAEdsm/...
</wsse:BinarySecurityToken>
<wsse:SecurityTokenReference>
<wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier">
MIGfMa0GCSq
</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
</wsse:Security>
32. 4
Reading SOAP is fun
<!-- This example is incorrect because the wsse:BinarySecurityToken with the wsu:Id of
SomeCert appears after it is referenced from within the xenc:EncryptedKey element -->
<wsse:Security>
<xenc:EncryptedKey>
<xenc:EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#rsa-1_5' />
<ds:KeyInfo>
<wsse:SecurityTokenReference>
<wsse:Reference URI='#SomeCert'
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" />
</wsse:SecurityTokenReference>
</ds:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>
XZEEVABD3L9G+VNTCDiDTE7WB1a4kILtz5f9FT747eE=
</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedKey>
<wsse:BinarySecurityToken wsu:Id='SomeCert'
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">
lui+Jy4WYKGJW5xM3aHnLxOpGVIpzSg4V486hHFe7sHET/uxxVBovT7JV1A2RnWSWkXm9jAEdsm/...
</wsse:BinarySecurityToken>
</wsse:Security>
33. 5
Reading SOAP is fun
<wsse:Security xmlns:wsse='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd'
xmlns:wsu='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'
xmlns:xenc='http://www.w3.org/2001/04/xmlenc#'
xmlns:ds='http://www.w3.org/2000/09/xmldsig#' >
<wsse:SecurityTokenReference>
<wsse:Reference URI='http://www.ws-i.org/CertStore/Examples/BSP.PEM'
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" />
</wsse:SecurityTokenReference>
</wsse:Security>
35. 6
Reading SOAP is fun
<!-- This example is incorrect because the second wsse:SecurityTokenReference element refers
to the wsse:SecurityTokenReference with a wsu:Id of TheFirstSTR -->
<wsse:BinarySecurityToken wsu:Id='SomeCert'
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">
lui+Jy4WYKGJW5xM3aHnLxOpGVIpzSg4V486hHFe7sHET/uxxVBovT7JV1A2RnWSWkXm9jAEdsm/...
</wsse:BinarySecurityToken>
<wsse:SecurityTokenReference wsu:Id="TheFirstSTR">
<wsse:Reference URI='#SomeCert'
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" />
</wsse:SecurityTokenReference>
<wsse:SecurityTokenReference>
<wsse:Reference URI='#TheFirstSTR'
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" />
</wsse:SecurityTokenReference>
36. 7
Reading SOAP is fun
<wsse:Security >
<wsu:Timestamp wsu:Id="timestamp1">
<wsu:Created>2001-09-13T08:42:00Z</wsu:Created>
<wsu:Expires>2001-10-13T09:00:00Z</wsu:Expires>
</wsu:Timestamp>
<wsu:Timestamp wsu:Id="timestamp2">
<wsu:Created>2001-09-13T08:42:00Z</wsu:Created>
<wsu:Expires>2001-10-13T09:00:00Z</wsu:Expires>
</wsu:Timestamp>
</wsse:Security>
37. 7
Reading SOAP is fun
<!-- This example is incorrect because a Security header MUST NOT contain more than one
Timestamp -->
<wsse:Security>
<wsu:Timestamp wsu:Id="timestamp1">
<wsu:Created>2001-09-13T08:42:00Z</wsu:Created>
<wsu:Expires>2001-10-13T09:00:00Z</wsu:Expires>
</wsu:Timestamp>
<wsu:Timestamp wsu:Id="timestamp2">
<wsu:Created>2001-09-13T08:42:00Z</wsu:Created>
<wsu:Expires>2001-10-13T09:00:00Z</wsu:Expires>
</wsu:Timestamp>
</wsse:Security>
38. 8
Reading SOAP is fun
<soap:Header>
<wsse:Security>
</wsse:Security>
<wsse:Security>
</wsse:Security>
</soap:Header>
39. 8
Reading SOAP is fun
<!-- This is incorrect. A SOAP Header MUST NOT have more than one Security header with the
actor/role attribute omitted -->
<soap:Header>
<wsse:Security>
</wsse:Security>
<wsse:Security>
</wsse:Security>
</soap:Header>
40. 9
Reading SOAP is fun
<soap:Header>
<wsse:Security actor="foo">
</wsse:Security>
<wsse:Security actor="foo">
</wsse:Security>
</soap:Header>
41. 9
Reading SOAP is fun
<!-- This is incorrect. A SOAP Header MUST NOT have more than one Security header with the
same actor/role attribute value -->
<soap:Header>
<wsse:Security actor="foo">
</wsse:Security>
<wsse:Security actor="foo">
</wsse:Security>
</soap:Header>
45. 11
Reading SOAP is fun
<wsse:Security>
<wsse:BinarySecurityToken wsu:Id='SomeCert' ValueType=""></wsse:BinarySecurityToken>
<ds:Signature xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' />
<ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1' />
<ds:Reference URI=''>
<ds:Transforms>
<ds:Transform Algorithm='http://www.w3.org/TR/1999/REC-xpath-19991116'>
<ds:XPath>/soap:Envelope/soap:Body/*</ds:XPath>
</ds:Transform>
<ds:Transform Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' />
</ds:Transforms>
<ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1' />
<ds:DigestValue>VEPKwzfPGOxh2OUpoK0bcl58jtU=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>+diIuEyDpV7qxVoUOkb5rj61+Zs=</ds:SignatureValue>
<ds:KeyInfo>
<wsse:SecurityTokenReference>
<wsse:Reference
URI='#SomeCert'
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" />
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
A signature reference to an element that does not have an ID attribute MUST contain a
TRANSFORM with an Algorithm attribute value of "http://www.w3.org/2002/06/xmldsig-filter2";
the XPath transform used above does not satisfy this.
47. 13
Reading SOAP is fun
<ds:KeyInfo xmlns:ds='http://www.w3.org/2000/09/xmldsig#' >
<wsse:SecurityTokenReference>
<wsse:Reference URI='#SomeCert'
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" />
</wsse:SecurityTokenReference>
</ds:KeyInfo>
Any Signature/Encryption KeyInfo MUST contain a
SecurityTokenReference child element and that is the only
child element.
51. 15
Reading SOAP is fun
<wsse:Security>
<wsse:BinarySecurityToken wsu:Id='SomeCert' ValueType="">
</wsse:BinarySecurityToken>
<xenc:EncryptedData Id='Enc1'>
<xenc:EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#tripledes-cbc' />
<xenc:CipherData>
<xenc:CipherValue></xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
<xenc:EncryptedKey>
<xenc:EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#rsa-1_5' />
<ds:KeyInfo>
<wsse:SecurityTokenReference></wsse:SecurityTokenReference>
</ds:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue></xenc:CipherValue>
</xenc:CipherData>
<xenc:ReferenceList>
<xenc:DataReference URI='#Enc1' />
</xenc:ReferenceList>
</xenc:EncryptedKey>
</wsse:Security>
This is incorrect. Any EncryptedKey MUST precede any EncryptedData in the same Security
header referenced by the associated ReferenceList.
53. 16
Reading SOAP is fun
<!-- This example is incorrect because the xenc:EncryptedKey element is missing an
xenc:ReferenceList child element -->
<wsse:Security>
<wsse:BinarySecurityToken wsu:Id='SomeCert' ValueType=""></wsse:BinarySecurityToken>
<xenc:EncryptedKey>
<xenc:EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#rsa-1_5' />
<ds:KeyInfo>
<wsse:SecurityTokenReference>
<wsse:Reference URI='#SomeCert' ValueType="" />
</wsse:SecurityTokenReference>
</ds:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue></xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedKey>
<xenc:ReferenceList>
<xenc:DataReference URI='#Enc1' />
</xenc:ReferenceList>
<xenc:EncryptedData Id='Enc1'>
<xenc:EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#tripledes-cbc' />
<xenc:CipherData>
<xenc:CipherValue></xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
</wsse:Security>
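As an added example (not part of the slides or of any WS-Security toolkit), a small stdlib-only Python checker that applies several of the Basic Security Profile rules quoted on the "Reading SOAP is fun" slides above to a SOAP 1.1 envelope: at most one Timestamp per Security header, every EncryptedKey carrying a ReferenceList and preceding the EncryptedData it references, KeyInfo holding exactly one SecurityTokenReference, and no KeyName references. The sample envelope BAD is constructed here and deliberately breaks three of those rules; the function and variable names are the example's own.

```python
import xml.etree.ElementTree as ET
NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/",
      "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
      "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
      "xenc": "http://www.w3.org/2001/04/xmlenc#", "ds": "http://www.w3.org/2000/09/xmldsig#"}

def Q(name):  # "wsse:Security" -> "{uri}Security", the Clark notation ElementTree uses for tags
    prefix, local = name.split(":")
    return "{%s}%s" % (NS[prefix], local)

def check_security(sec):
    """Return the Basic Security Profile violations found in one wsse:Security element."""
    problems = []
    if len(sec.findall("wsu:Timestamp", NS)) > 1:  # Rule: at most one Timestamp per header
        problems.append("more than one wsu:Timestamp")
    seen = set()  # wsu:Id / Id values of header children already passed, in document order
    for el in sec:
        if el.tag == Q("xenc:EncryptedKey"):
            refs = el.find("xenc:ReferenceList", NS)
            if refs is None:  # Rule: EncryptedKey MUST carry a ReferenceList ...
                problems.append("xenc:EncryptedKey without xenc:ReferenceList")
            else:             # ... and MUST precede the EncryptedData it references
                for ref in refs.findall("xenc:DataReference", NS):
                    if ref.get("URI", "").lstrip("#") in seen:
                        problems.append("EncryptedData %s precedes its EncryptedKey" % ref.get("URI"))
        if el.get(Q("wsu:Id")) or el.get("Id"):
            seen.add(el.get(Q("wsu:Id")) or el.get("Id"))
    for ki in sec.iter(Q("ds:KeyInfo")):  # Rule: KeyInfo has exactly one child, an STR
        if [child.tag for child in ki] != [Q("wsse:SecurityTokenReference")]:
            problems.append("ds:KeyInfo must contain exactly one wsse:SecurityTokenReference")
    for str_el in sec.iter(Q("wsse:SecurityTokenReference")):  # Rule: KeyName references prohibited
        if str_el.find("ds:KeyName", NS) is not None:
            problems.append("ds:KeyName reference inside wsse:SecurityTokenReference")
    return problems

def check_envelope(xml_text):
    """Apply check_security to every wsse:Security header of a SOAP 1.1 envelope string."""
    header = ET.fromstring(xml_text).find("soap:Header", NS)
    return [] if header is None else [p for s in header.findall("wsse:Security", NS) for p in check_security(s)]

# Constructed sample: two Timestamps, EncryptedData placed before its EncryptedKey, KeyName reference.
BAD = """<soap:Envelope xmlns:soap="%(soap)s" xmlns:wsse="%(wsse)s" xmlns:wsu="%(wsu)s"
 xmlns:xenc="%(xenc)s" xmlns:ds="%(ds)s"><soap:Header><wsse:Security>
 <wsu:Timestamp wsu:Id="t1"><wsu:Created>2001-09-13T08:42:00Z</wsu:Created></wsu:Timestamp>
 <wsu:Timestamp wsu:Id="t2"><wsu:Created>2001-09-13T08:42:00Z</wsu:Created></wsu:Timestamp>
 <xenc:EncryptedData Id="Enc1"><xenc:CipherData><xenc:CipherValue/></xenc:CipherData></xenc:EncryptedData>
 <xenc:EncryptedKey><ds:KeyInfo><wsse:SecurityTokenReference><ds:KeyName>CN=Security WG</ds:KeyName>
 </wsse:SecurityTokenReference></ds:KeyInfo><xenc:ReferenceList><xenc:DataReference URI="#Enc1"/>
 </xenc:ReferenceList></xenc:EncryptedKey></wsse:Security></soap:Header><soap:Body/></soap:Envelope>""" % NS
```

Running check_envelope(BAD) returns the three violations in document order; a header that satisfies all four rules returns an empty list.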
54. <wsse11:SignatureConfirmation />
Ensure that a received SOAP message was generated in
response to the original request sent by the web client. The
client request is typically signed but does not have to be. In
this mechanism, the web service adds a
<SignatureConfirmation> element to the security header
element, and the web client can check that
<SignatureConfirmation> element
<wsse11:SignatureConfirmation wsu:Id="..." Value="..." />
55. <wsse11:EncryptedHeader />
WSS 1.1 introduced a new <EncryptedHeader /> mechanism
to encrypt headers. When it is required that an entire SOAP
header block including the top-level element and its
attributes be encrypted, the original header block is replaced
with an <EncryptedHeader /> . Where an <EncryptedHeader
/> element exists, it contains a child <EncryptedData />
element that is the result of encrypting the header block.
57. STR-Transform
This transform is specified by the URI #STR-Transform. When
applied to a <wsse:SecurityTokenReference> element, it means
that the output is the token referenced by the
<wsse:SecurityTokenReference> element, not the element
itself.