WS-Security Protocol
Ramkumar Chandrasekharan
CS 265

Web Services (WS)
- A service available over the Internet
- Standard protocols: HTTP, SMTP, FTP
- Is based on an XML messaging system
  - SOAP (Simple Object Access Protocol), XML-RPC
- A WS should be self-describing
  - WSDL: Web Services Description Language
- Discoverable
  - UDDI: Universal Description Definition Interface

Consuming a Web Service
1) Client discovers the WS from the UDDI registry to which the WS has published itself
2) Client retrieves the WSDL file pointed to by UDDI
3) Client creates SOAP packets with the appropriate Web Service calls
4) Invokes the Web Service method over HTTP, SMTP etc.
5) Response is received from the WS as a SOAP packet as well

WS is not secure
- XML messages travel over the network. Anybody can easily sniff and read the text.
- Can be secured with SSL at the transport layer, but that does not guarantee end-to-end security. SSL also encrypts everything, which could be resource expensive.
- Many ways of securing WS at the message layer are possible; WS-Security is a standard way of securing WS.

WS-Security
- WS-* Specs
  - Standardizing various pieces of Web Services, e.g., Security, Policy, Messaging etc.
  - Various standards orgs (OASIS, W3C etc.) and corporations (IBM, MS, Verisign etc.) are involved
- WS-Security
  - SOAP header carries security info
  - XML Encryption standard is used for encryption
  - XML Signature standard is used for digital signature

SOAP Security Header

    <soap:Envelope
        xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
        xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/12/secext">
      <soap:Header>
        <wsse:Security soap:role="….">
          <!-- All the security-related mechanisms like security tokens,
               encryption and signatures go here -->
        </wsse:Security>
      </soap:Header>
    </soap:Envelope>

WS-Security Tokens
- Authentication mechanisms:
  - UsernameToken
    - Plaintext, Hashed (Base64 Encoding (SHA-1 (Nonce + Created + Password)))
  - BinarySecurityToken based on Kerberos or X.509 certificates

XML Encryption
- Provides end-to-end security
- Selective encryption
- Very simple to do; let's say there is an XML doc, e.g.,

XML Encryption
XML before encryption:

    <?xml version='1.0'?>
    <CreditCard>
      <Name>John </Name>
      <Number> 1234567</Number>
      <Code>123</Code>
      <Expiry>0106</Expiry>
    </CreditCard>

XML after encryption:

    <?xml version='1.0'?>
    <CreditCard>
      <Name>John </Name>
      <EncryptedData>
        <CipherData>
          <CipherValue>asdgsd45454</CipherValue>
        </CipherData>
      </EncryptedData>
    </CreditCard>

XML Signature
- Standard schema for digital signatures on XML docs
- Selective signing of XML docs, that is, portions of XML docs can be signed
- It's not as simple as XML encryption

XML Signature Schema

    <Signature>
      <SignedInfo>
        <CanonicalizationMethod />
        <SignatureMethod />
        <Reference URI=" ">        <!-- 0 or more -->
          <Transforms/>
          <DigestMethod/>
          <DigestValue/>
        </Reference>
      </SignedInfo>
      <SignatureValue />           <!-- Digest of SignedInfo -->
      <KeyInfo/>                   <!-- Optional -->
    </Signature>

WS-Security Demo
- Using WSE 2.0

Conclusion
- Web services are going to create a revolution in distributed computing, and standards like WS-Security help bring security to Web Services.
- With Web Services the vision of Vint Cerf, "father of the Internet", could be achieved.
He said “it won't be long before your bathroom scale surreptitiously transmits your weight to your doctor, who might command a stop to the rocky road ice cream your fridge automatically orders for you from
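
The hashed UsernameToken from the WS-Security Tokens slide, Base64(SHA-1(Nonce + Created + Password)), as an added Python example that is not part of the original slides: it computes the digest and shows the receiver-side checks (freshness of Created, nonce replay, constant-time digest comparison) that make the hash useful against a sniffed and resent token. The class name, the five-minute window, the in-memory nonce cache and all sample values are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(minutes=5)  # assumed freshness window, not from the slides

def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Base64(SHA-1(Nonce + Created + Password)); the nonce is the decoded bytes."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")

class UsernameTokenVerifier:
    """Hypothetical receiver-side check: freshness, nonce replay, then digest."""
    def __init__(self, passwords):
        # The receiver needs the password itself to recompute the digest.
        self.passwords = passwords
        self.seen = set()  # (username, nonce) pairs already accepted

    def verify(self, username, nonce_b64, created, digest_b64, now):
        try:
            nonce = base64.b64decode(nonce_b64, validate=True)
            ts = datetime.strptime(created, "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            return "malformed"
        if abs(now - ts.replace(tzinfo=timezone.utc)) > MAX_AGE:
            return "stale"
        if (username, nonce) in self.seen:
            return "replay"
        password = self.passwords.get(username)
        expected = password_digest(nonce, created, password or "")
        supplied = digest_b64.encode("utf-8")
        if password is None or not hmac.compare_digest(expected.encode(), supplied):
            return "bad-digest"
        self.seen.add((username, nonce))
        return "ok"

def demo():
    # Constructed sample values, not taken from the slides.
    now = datetime(2024, 1, 1, 12, 1, 0, tzinfo=timezone.utc)
    created = "2024-01-01T12:00:00Z"
    nonce = b"constructed-nonce-01"
    nonce_b64 = base64.b64encode(nonce).decode("ascii")
    digest = password_digest(nonce, created, "s3cret")
    v = UsernameTokenVerifier({"alice": "s3cret"})
    first = v.verify("alice", nonce_b64, created, digest, now)
    second = v.verify("alice", nonce_b64, created, digest, now)  # captured and resent
    return first, second
```

The digest hides the password from a passive listener but does not protect the rest of the message, which is what the XML Encryption and XML Signature slides address.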