Securing Web Services (slide outline)

• XML Web Services
• Existing XML Web Services
• XML Web Services & Cryptography
• What’s going on?
• The WS Cryptography Stack
• The Need For Web Services
• A Tourism Supply Chain
• Service Oriented Architecture
• Listing 1 SOAP Request
• Listing 2 SOAP Response
• 1st Generation Web Services
• 2nd Generation Web Services
• 3rd Generation Web Services
• WS Security
• XML Signature: An IETF/W3C Recommendation
• XML Digital Signatures
• XML Signature
• Referencing What is Signed
• XMLDsig General Form
• The <Reference> Element
• We may have many references
• Place Within a SignedInfo Element
• Compute Digest of SignedInfo
• Sign the digest and place value in a SignatureValue element…
• Enclose in a Signature Element
• We may include KeyInfo
• KeyInfo Element in XMLDsig
• What Can Mallory Do?
• Verification
• Using IBM’s XML Security Suite
• Signing in Three Steps (1), (2), (3)
• Sign a grade book
• We need keys…
• Run XSS4J’s SampleSign2
• Examine Signature.xml
• Let’s change the low grade!
• And run verify…
• Another Example: PO.XML
• PO After Signing
• WSS XMLDSig Listing 1
• Sign The SOAP Request
• After Signing (1), (2), (3)
• Validation Procedure
• XML Encryption
• General Form 1
• General Form 2
• EncryptedData is the core element
• General Example (1), (2), (3)
• Detailed Example (Listing 1)
• Encrypting the Entire File (Listing 2)
• Encrypting The Payment (Listing 3)
• Encrypting Only the CardId (Listing 4)
• Encrypting Non-XML Data (Listing 5)
• Sending a public key (Listing 6)
• Receiving a Secret Key Encrypted with a Public Key (Listing 7)
• Data Encrypted to Secret Key (Listing 8)
• Pointing to encrypted data (Listing 9)
• Point to a distant encrypted element (Listing 10)
• SOAP Response
• Tell The Client to Encrypt
• Tell the server to require encryption
• Encrypted Request
• Tell the client to send a username/password
• Username/Password Request
95-702 OCT, Master of Information System Management
Week 10: Securing Web Services
• XML Digital Signature
• XML Encryption
• Web Service Security

XML Web Services
• Hot topic
• Foundation of Service Oriented Architectures
• Interoperable
• Remote Method Invocation
• Messaging
• Supported by all the big players
Notes adapted from the required reading “Web Services Security”, Bilal Siddiqui.

Existing XML Web Services
• Google
• eBay
• Amazon
• XIgnite (financial computations)
• Hundreds of others; see www.xmethods.com
But remember, many are not public. An SOA would have many in-house web services.

XML Web Services & Cryptography
Bob and Alice want to exchange SOAP messages. Eve and Mallory need to be taken seriously.

What’s going on?
Web Services Security (WSS) specification from OASIS:
• Message confidentiality
• Message authentication
• End-to-end (not just point-to-point like SSL)

The WS Cryptography Stack (top layer first)
• XML Web Services Security
• SAML (Security Assertion Markup Language), XKMS (XML Key Management Specification), XACML (eXtensible Access Control Markup Language)
• XMLDSIG (W3C), XMLENC (W3C)
• .NET Crypto APIs, Java Security APIs

The Need For Web Services
• Application integration within the enterprise
• Application integration across enterprise boundaries: customers, partners, suppliers
Service Oriented Architecture is often built on a web service foundation.

A Tourism Supply Chain
Tourists use a Tour Operator, which in turn calls Car Rental and Hotel services. The Hotel exposes two operations: RoomRentInfoForAll() (anyone may call) and RoomRentInfoForPartnersOnly() (restricted callers).
• Without XML/WSS: message formats must be agreed to; only coarse-grained protection is provided by firewalls.
• With XML/WSS: SOAP is used for RPC or messaging; WSS provides fine-grained security decisions.

Service Oriented Architecture
The Hotel’s RoomRentInfoForAll() and RoomRentInfoForPartnersOnly() are exposed through a SOAP Server, using SOAP (XML RPC) over HTTP.

Listing 1 SOAP Request

    POST /Vendors HTTP/1.1
    Host: www.myHotel.com
    Content-Type: text/xml; charset=utf-8
    Content-Length: 350
    SOAPAction: ""

    <?xml version='1.0'?>
    <SOAP-ENV:Envelope xmlns:SOAP-ENV='http://schemas.xmlsoap.org/soap/envelope/'>
      <SOAP-ENV:Body>
        <s:GetSpecialDiscountedBookingForPartners xmlns:s='http://www.MyHotel.com/partnerservice/'>
          <!-- Parameters passed with the method call -->
        </s:GetSpecialDiscountedBookingForPartners>
      </SOAP-ENV:Body>
    </SOAP-ENV:Envelope>

Listing 2 SOAP Response

    HTTP/1.0 200 OK
    Content-Type: text/xml; charset=utf-8
    Content-Length: 1474

    <?xml version="1.0"?>
    <SOAP-ENV:Envelope xmlns:SOAP-ENV='http://schemas.xmlsoap.org/soap/envelope/'>
      <SOAP-ENV:Body>
        <m:GetSpecialDiscountedBookingForPartnersResponse xmlns:m="http://www.MyHotel.com/partnerservice/">
          <!-- Booking confirmation details -->
        </m:GetSpecialDiscountedBookingForPartnersResponse>
      </SOAP-ENV:Body>
    </SOAP-ENV:Envelope>

1st Generation Web Services
SOAP Client -> SOAP Server -> Hotel Class -> RDBMS

2nd Generation Web Services
SOAP Server -> Hotel
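The tourism-supply-chain slide says WSS lets the Hotel make a per-operation access decision rather than relying on a firewall. The following added example (not from the slides or Siddiqui’s text) shows the server side of that decision for a request shaped like Listing 1: it parses the SOAP 1.1 envelope namespace-aware, extracts the RPC operation, and checks it against a hypothetical policy table. The caller’s partner status is assumed to come from an earlier authentication step (for example a WSS username token) and is passed in as a flag.

```python
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
PARTNER_NS = "http://www.MyHotel.com/partnerservice/"

# Constructed request in the shape of Listing 1 (XML body only; HTTP headers omitted).
REQUEST = """<?xml version='1.0'?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV='http://schemas.xmlsoap.org/soap/envelope/'>
  <SOAP-ENV:Body>
    <s:GetSpecialDiscountedBookingForPartners xmlns:s='http://www.MyHotel.com/partnerservice/'>
      <!-- Parameters passed with the method call -->
    </s:GetSpecialDiscountedBookingForPartners>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>"""

# Hypothetical policy: operation name -> True if only partners may call it.
PARTNER_ONLY = {
    "RoomRentInfoForAll": False,
    "RoomRentInfoForPartnersOnly": True,
    "GetSpecialDiscountedBookingForPartners": True,
}


def parse_operation(soap_xml):
    """Return (namespace, local name) of the single RPC element in the SOAP Body."""
    root = ET.fromstring(soap_xml)
    if root.tag != f"{{{SOAP_ENV}}}Envelope":
        raise ValueError("not a SOAP 1.1 envelope")
    body = root.find(f"{{{SOAP_ENV}}}Body")
    if body is None:
        raise ValueError("missing SOAP Body")
    children = list(body)  # comments are dropped by the default parser
    if len(children) != 1:
        raise ValueError("expected exactly one RPC element in Body")
    ns, _, local = children[0].tag[1:].partition("}")  # tag is "{ns}local"
    return ns, local


def authorize(soap_xml, caller_is_partner):
    """Decide whether the caller may invoke the requested operation.

    Operations outside the partner-service namespace or absent from the
    policy table are denied (fail closed).
    """
    ns, op = parse_operation(soap_xml)
    if ns != PARTNER_NS or op not in PARTNER_ONLY:
        return False
    return caller_is_partner or not PARTNER_ONLY[op]
```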