[Old document] XML Web Services Security


Document information

XML Web Services Security
March 27, 2003
IIDS Group, Vrije Universiteit, Amsterdam
Yuri Demchenko, NLnet Labs <demch@NLnetLabs.nl>

Slide 2: Outlines
• Historical
• XML Security
• Web Services Security
• OGSA Security
• XML Web Services technology for IIDS - Discussion

Slide 3: Historical: How all this started (quoting Tim Berners-Lee)
• Initial idea to create a resource description language
  ◆ Existing technologies: SGML + WAIS, Gopher + Library Catalogues
  ◆ Problems: hyperlink references and binding of semantic meaning
• Past steps:
  ◆ WWW and HTML
  ◆ RDF and Metadata
  ◆ XML and XML Signature
• Next step: Semantic Web
• Ongoing development: Computer Grids -> Information Grids -> Semantic Grids

Slide 4: XML Basics: DTD, Schema, XML Protocol, etc.
• DTD is document-oriented
  ◆ Like HTML
• Schema is data-oriented
  ◆ XML Signature
  ◆ SAML
• Basic XML Protocol(s)
  ◆ XML-RPC
  ◆ SOAP
• XForms, XLink, XML Query, XPath, XPointer, XSL and XSLT, Legal XML

Slide 5: XML Security vs Traditional (Network) Security
Traditional Security:
• Host-to-host or point-to-point security
• Client/server oriented
• Connection or connectionless oriented
• Generically a single/common trust domain/association
XML Security:
• Document oriented approach
  ◆ Security tokens/assertions and policies can be associated with the document or its parts
• Intended to be cross-domain
• Potentially for virtual and dynamic trust domains (security associations)

Slide 6: XML Security - Components
• XML Signature
• XML Encryption
• Security Assertion
  ◆ SAML (Security Assertion Mark-up Language)
  ◆ XrML (XML Right Mark-up Language)
  ◆ XACML (XML Access Control Mark-up Language)
• XKMS (XML Key Management Specification)

Slide 7: XML Signature: Features
Fundamental feature: the ability to sign only specific portions of the XML tree rather than the whole document.
• An XML document may have a long history in which different components are authored by different parties at different times
• Different parties may want to sign only those elements relevant to them
• Important when keeping the integrity of certain parts of an XML document is essential while other parts must remain changeable
• Allows carrying security tokens/assertions on the document/data rather than on the user/client
• Provides security features for XML based protocols
  ◆ Provides basic functionality for state assertions

Slide 8: XML Signature structure
  <Signature ID?>
    <SignedInfo>
      <CanonicalizationMethod/>
      <SignatureMethod/>
      (<Reference URI? >
        (<Transforms>)?
        <DigestMethod>
        <DigestValue>
      </Reference>)+
    </SignedInfo>
    <SignatureValue>
    (<KeyInfo>)?
    (<Object ID?>)*
  </Signature>

Slide 9: XML Web Services
A Web Service is a software system identified by a URI, whose public interfaces and bindings are defined and described by XML. Other software systems may discover and interact with the Web Service in a manner prescribed by its definition, using XML based messages conveyed by Internet protocols.
• Service oriented architecture for application-to-application interaction
  ◆ Describing Web services – WSDL
  ◆ Exchanging messages – SOAP extensions
  ◆ Publishing and Discovering WS descriptions - UDDI
• Programming language-, programming model-, and system software-neutral
• Standards based: XML/SOAP foundation
• Industry initiatives (and development platforms)
  ◆ Sun SunONE/J2EE (SunONE Studio)
  ◆ Microsoft .NET (Visual Studio .NET)
  ◆ IBM Dynamic e-Business (AlphaWorks)
  ◆ XML Spy by Altova

Slide 10: XML WS - Service Oriented Architecture
• WSDL based Service Description
• SOAP based messaging over HTTP, SMTP, TCP, etc.
• UDDI based Publishing/Discovery
[...]

Slide 11: Web services features – three stacks
[...]

Slide 11: Web Service Description Language (WSDL)
• WSDL is an XML document format for describing a Web service as a set of endpoints operating on messages containing either document-oriented or procedure-oriented [...]
• [...] format to define an endpoint

Slide 12: WSDL Example – TimeService.wsdl
http://www.Nanonull.com/TimeService/
http://www.Nanonull.com/TimeService/#message(getUTCTimeSoapIn)

Slide 13: Web Services Security Model
The WS-Security model provides end-to-end security (as opposed to point-to-point), allowing intermediaries
• A Web service can require that [...]

Slide 14: Web Services Security Model
Security token types
• Username/password
• X.509 PKC
• SAML
• XrML
• XCBF

Slide 15: WS Security Scenarios
All are built on SOAP based security token exchange
• Direct Trust using username/password (using SSL/TLS)
• Direct Trust using security token
• Security token acquisition
• Issued security [...]
[...] business policy
• Web clients
• Mobile clients (gateway services)
• Enabling Federations
  ◆ Using trust chaining, security token exchange, credentials exchange
  ◆ Supporting delegation
• Access control
• Auditing

Slide 16: Web Services Security Architecture
[Figure: specification stack, top to bottom – WS-SecureConversation, WS-Federation, WS-Authorisation; WS-Policy, WS-Trust, WS-Privacy; WS-Security; SOAP Foundation]
WS-Security: [...] In addition, it describes how to attach security tokens, including binary security tokens such as X.509 certificates, SAML, Kerberos tickets and others, to messages.
Core Specification - Web Services Security: SOAP Message Security
http://www.oasis-open.org/committees/download.php/1043/WSS-SOAPMessageSecurity-11-0303.pdf

Slide 17: Web Service Security – other specifications
[...]

Slide 18 (title missing)
• [...] modification – integrity
  ◆ XML Signature
• Security consideration – Auditing
  ◆ Timestamping and message expiration
  ◆ Sequence numbers and message correlation

Slide 19: SOAP Message Security Model
Describes an abstract message security model in terms of security tokens combined with digital signatures as proof of possession of the security token (key)
• Security token asserts [...]

Slide 20 (title missing): namespaces used in WS-Security messages
[...] – http://www.w3.org/2001/12/soapenvelope
XML Digital Signature – ds – http://www.w3.org/2000/09/xmldsig#
XML Encryption – xenc – http://www.w3.org/2001/04/xmlenc#
XML/SOAP Routing – m – http://schemas.xmlsoap.org/rp
WSSL – wsse – http://schemas.xmlsoap.org/ws/2002/04/secext
[Figure: SOAP message layout – Security token; Digital signature (description: Normalisation, Transformation, Signed elements; signature value; reference to the signing security token); SOAP message payload]
Security [...] New header blocks are added/appended to existing ones

Slide 21: SecurityTokenReference Model
Usage and processing models for the element
• Local Reference – A security token that is included in the message header is associated with an XML Signature
• Remote Reference – A security token that is not included in the message but [...]

Slide 22 (title missing)
• [...] Open Grid Services Architecture was boosted by developing XML Web Services – 2002
• Commercial Grids are starting

Slide 23: Open Grid Services Architecture (OGSA)
• WSDL extensions to describe specifics of Grid Services
  ◆ Defines new portType - GridService
  ◆ Provides mechanism to create Virtual Organisation
  ◆ Provides mechanism to create transient services - [...]

Slide 28 (title missing)
[...] Systems

Slide 29: OGSA Security
Built upon WS Security

Slide 30: OGSA Security Roadmap - Specifications (1)
Naming
• OGSA Identity Specification
• OGSA Target/Action Naming Specification
• OGSA Attribute and Group Naming Specification
• Transient Service Identity Acquisition Specification
Translating between Security Realms
• [...]
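The partial-signing feature of slides 7 and 8 (one <Reference> with its own digest per signed element, a SignatureValue computed over SignedInfo) applied to a SOAP-style message in the spirit of slide 19, as an added Python example that is not part of the original slides. It assumes the stdlib C14N 2.0 canonicaliser and HMAC-SHA256 in place of the C14N 1.x and RSA methods a real deployment would use, plain Id attributes in place of wsu:Id, and a constructed message and key.

```python
import base64, hashlib, hmac, xml.etree.ElementTree as ET
DS = "http://www.w3.org/2000/09/xmldsig#"  # ds: prefix from the slide's namespace table
ET.register_namespace("ds", DS)

def _c14n(elem):
    # Canonical bytes of one subtree; stdlib C14N 2.0 stands in for C14N 1.x / exc-c14n (assumption).
    return ET.canonicalize(ET.tostring(elem, encoding="unicode")).encode()
def _digest_b64(elem):
    return base64.b64encode(hashlib.sha256(_c14n(elem)).digest()).decode()

def sign_parts(root, ids, key):
    """Append a <ds:Signature> covering ONLY the elements whose Id is in ids (HMAC stands in for RSA)."""
    sig = ET.SubElement(root, f"{{{DS}}}Signature")
    si = ET.SubElement(sig, f"{{{DS}}}SignedInfo")
    ET.SubElement(si, f"{{{DS}}}CanonicalizationMethod", Algorithm="http://www.w3.org/2010/10/xml-c14n2")
    ET.SubElement(si, f"{{{DS}}}SignatureMethod", Algorithm="http://www.w3.org/2001/04/xmldsig-more#hmac-sha256")
    for i in ids:  # one <Reference> per signed part; digest taken over that element alone
        ref = ET.SubElement(si, f"{{{DS}}}Reference", URI=f"#{i}")
        ET.SubElement(ref, f"{{{DS}}}DigestMethod", Algorithm="http://www.w3.org/2001/04/xmlenc#sha256")
        ET.SubElement(ref, f"{{{DS}}}DigestValue").text = _digest_b64(root.find(f".//*[@Id='{i}']"))
    mac = hmac.new(key, _c14n(si), "sha256").digest()  # the signature covers SignedInfo, not the parts
    ET.SubElement(sig, f"{{{DS}}}SignatureValue").text = base64.b64encode(mac).decode()

def verify(root, key):
    """Check SignatureValue over SignedInfo, then each Reference digest against the live element."""
    sig = root.find(f"{{{DS}}}Signature")
    si = sig.find(f"{{{DS}}}SignedInfo")
    mac = hmac.new(key, _c14n(si), "sha256").digest()
    if not hmac.compare_digest(mac, base64.b64decode(sig.findtext(f"{{{DS}}}SignatureValue"))):
        return False
    for ref in si.findall(f"{{{DS}}}Reference"):
        target = root.find(f".//*[@Id='{ref.get('URI')[1:]}']")
        if target is None or _digest_b64(target) != ref.findtext(f"{{{DS}}}DigestValue"):
            return False
    return True

# Constructed sample: a routing header intermediaries may rewrite, and an order body the sender signs.
SAMPLE = ('<Envelope><Header><Routing Id="route">hop-1</Routing></Header>'
          '<Body><Order Id="order"><Item>widget</Item><Qty>2</Qty></Order></Body></Envelope>')
KEY = b"constructed-demo-key"

def demo(verify_key=KEY):
    """Returns (valid when fresh, valid after editing the unsigned header, valid after editing the signed body)."""
    root = ET.fromstring(SAMPLE)
    sign_parts(root, ["order"], KEY)
    fresh = verify(root, verify_key)
    root.find(".//Routing").text = "hop-2"  # intermediary changes the part nobody signed
    after_routing = verify(root, verify_key)
    root.find(".//Qty").text = "200"        # tampering with the signed part breaks its digest
    after_order = verify(root, verify_key)
    return fresh, after_routing, after_order
```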

Posted: 08/07/2013, 01:27
