Web Service Security

Zhang Bing, Sept. 2021

Information Security (involved concepts)
- Confidentiality (C of CIA-Triad)
- Integrity (I of CIA-Triad)
- Availability (A of CIA-Triad)
- Identification (Access Control)
- Authentication (Access Control)
- Authorization (Access Control)
- Non-repudiation
- Audit

Confidentiality
- ensuring that information is accessible only to those authorized to have access
- to prevent the disclosure of information to unauthorized individuals or systems
- examples: the credit card number, password

Integrity
- simply, data integrity is the assurance that data are consistent and correct
- that data cannot be modified without authorization
- in cryptography and information security, integrity refers to the validity of data
- examples: referential integrity in databases, man-in-the-middle, checksum, Message Authentication Code

Availability
- the information must be available when it is needed
- high availability systems aim to remain available at all times
- examples: denial-of-service attack

Identification/Identity
- an assertion of who someone is or what something is
- aims to map a known identifier (ID) to an unknown entity so as to make it known
- the ID must be unique
- IDs may be scoped
- examples: username

Authentication
- the act of establishing or confirming something (or someone) as authentic (genuine)
- to validate that both parties involved are who they claim they are
- three different types of information can be used for authentication: something you know, something you have, or something you are
- examples: password, server authentication in TLS, mutual authentication in TLS

Authorization
- to determine what informational resources a party is permitted to access and what actions it is allowed to perform
- to specify access rights to resources
- approaches: the non-discretionary approach, the discretionary approach, the mandatory access control approach (security classification)
- examples: Role-Based Database Management Systems, the simple access control lists used in many firewalls and routers

Non-repudiation
- ensuring that a party in a dispute cannot repudiate, or refute the validity of, a statement or contract
- implies that one party of a transaction cannot deny having received a transaction, nor can the other party deny having sent a transaction
- examples: digital signature

Audit
- manual or systematic measurable technical assessment of a system or application
- examples: review the access control list, analyze the logs

Web Service Security Specifications (S)
- the specifications covered: XML/Schema, XML Digital Signature, SOAP/WSDL/WS-Address, XML Encryption, Web Services Policy, WS-Trust, WS-Federation, WS-SecureConversation, WS-SecurityPolicy, Security Assertion Markup Language, Web Services Security

Web Service Security Specifications (S)
How to prevent the data from being changed by others?

XML Digital Signature (1)
- W3C: XML Signature Syntax and Processing (Second Edition), /TR/xmldsig-core/
- XML Signature can be used to sign the data and represent the result in XML
- XML Signatures can be applied to any digital content (data object), including XML
- a combination of Digital Signature and XML
- enveloped signature, enveloping signature, detached signature

XML Digital Signature (2)
- structure (main elements): ( ()? )+ ()? ()*

XML Digital Signature (3)
- example

XML Digital Signature (4)
- conclusion (Integrity)
- to ensure the data integrity between sender and receiver
- if the signature algorithm is asymmetric, the message sender can't repudiate his action
- if the signature algorithm is asymmetric, the subject of the message sender can be decided (may be used as Authentication)
- API and implementations: Java XML Digital Signature APIs (JSR 105); Apache Santuario (XML Security) project (Java and C++), used both in WSS4J, Axis2 and CXF

Web Service Security Specifications (S)
How to prevent the data from being seen by others?

XML Encryption (1)
- W3C: XML Encryption Syntax and Processing, /TR/xmlenc-core/
- XML Encryption can be used to encrypt the data and represent the result in XML
- the data may be arbitrary data (including an XML document), an XML element, or XML element content
- an EncryptedData element replaces the element or content in the encrypted version of the XML document
- an EncryptedKey element is used to transport encrypted keys from the originator to known receivers
- can also be used to encrypt external data

XML Encryption (2)
- structure: ? ? ? ? ? ? ? ? ? EncryptionProperties?

XML Encryption (3)
- example

XML Encryption (4)
- conclusion (Confidentiality)
- to ensure the data confidentiality between the sender and the receiver
- symmetric keys are always used to encrypt data; asymmetric keys are always used to encrypt the symmetric key
- APIs and implementations: Java XML Digital Encryption APIs (JSR 106); Apache Santuario (XML Security) project (Java and C++), used both in WSS4J, Axis2 and CXF

Web Service Security Specifications (S)
How to send security information? How to enable signature and encryption with SOAP messages?

Web Services Security (1)
- OASIS: /specs/#wssv1.1, including SOAP Message Security and several Token Profiles
- to secure web services based on XML Signature, XML Encryption and existing security technologies (Kerberos, X.509, SAML etc.)
- to send security tokens as part of the SOAP message
- to sign security tokens and message parts
- to encrypt security tokens and message parts
- to provide end-to-end message level security

Web Services Security (2)
- security token concepts
- a claim is a declaration made by an entity (name, identity, key, group, privilege, capability, etc.)
- a security token represents a collection of claims; it may be signed or unsigned
- security tokens:
  - Username Token: providing a username
  - Binary Security Tokens (X.509 certificates and Kerberos tickets etc.): need to be encoded
  - XML Tokens: XML-based security tokens, SAML etc.
  - EncryptedData Token: the encrypted form of a token
- an Id attribute under a specified namespace may be used for reference

Web Services Security (3)
- security token reference
- provides an extensible mechanism for referencing security tokens and other key-bearing elements
- security token reference mechanics:
  - Direct References: using a URI
  - Key Identifiers: using an opaque value
  - Key Names: using an asserted name
  - Embedded References: the token is embedded
- the references may be encrypted

Web Services Security (4)
- signatures and encryption can be used both for message parts and for security tokens
- security timestamps:
  - to avoid the replay problem
  - for the recipient to determine the freshness of the security semantics
  - the contents: creation time and/or expiration time
  - clock synchronization is out of scope

Web Services Security (5) to (9)
- example (continued over several slides)

Web Services Security (10)
- security header
- the header element is added to the front of the existing elements, for example to decide the order of the signature step and the encryption step
- a key-bearing element should be ordered to precede the key-using element
- more about username tokens (extensions):
  - two types of password: PasswordText and PasswordDigest
  - to avoid replay attacks: Nonce (a random value) and Created (timestamp)
  - Password_Digest = Base64(SHA-1(nonce + created + password))
  - key derivation: Salt and Iteration act on a shared secret key to generate a new key for the Message Authentication Code and Encryption

Web Services Security (11)
- example (username token)

Web Services Security (12)
- conclusion (Integrity, Confidentiality and Authentication)
- use encryption to ensure SOAP message confidentiality
- use signature to ensure SOAP message integrity
- use security tokens to provide authentication information, key information and other extended information
- use timestamps to avoid replay attacks
- implementations: Apache WSS4J, used both in Axis2 and CXF; it seems not to support all tokens defined by the specification group
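The PasswordDigest, Nonce and Created fields of the username token extension above, as a worked verifier (an added example written for this page, not code from the deck or from WSS4J): the server recomputes Base64(SHA-1(nonce + created + password)), checks Created against a freshness window (the five-minute MAX_AGE is an assumption, since clock synchronization is out of the specification's scope) and keeps a nonce cache so a captured token presented a second time is rejected. The password store, usernames and timestamps are constructed sample values.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(minutes=5)   # accepted Created window (assumption; clock sync is out of scope)
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Password_Digest = Base64(SHA-1(nonce + created + password)), with the nonce as raw bytes."""
    data = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")

def make_token(username: str, password: str, now: datetime) -> dict:
    """Client side: the wsse:UsernameToken fields; the Nonce travels Base64-encoded."""
    nonce, created = os.urandom(16), now.strftime(TIME_FMT)
    return {"Username": username, "Created": created,
            "Nonce": base64.b64encode(nonce).decode("ascii"),
            "PasswordDigest": password_digest(nonce, created, password)}

class UsernameTokenVerifier:
    """Server side: digest check, Created freshness window and a seen-nonce cache."""
    def __init__(self, passwords: dict):
        self.passwords = passwords   # username -> password; the digest needs the password itself
        self.seen_nonces = set()     # in production, drop entries older than MAX_AGE

    def verify(self, token: dict, now: datetime) -> bool:
        password = self.passwords.get(token["Username"])
        if password is None:
            return False
        created = datetime.strptime(token["Created"], TIME_FMT).replace(tzinfo=timezone.utc)
        if not (now - MAX_AGE <= created <= now + MAX_AGE):
            return False             # stale or future-dated: rejected before any digest work
        nonce = base64.b64decode(token["Nonce"])
        if nonce in self.seen_nonces:
            return False             # same nonce presented again inside the window: replay
        expected = password_digest(nonce, token["Created"], password)
        if not hmac.compare_digest(expected, token["PasswordDigest"]):
            return False
        self.seen_nonces.add(nonce)  # remember the nonce only once the token is accepted
        return True

def demo() -> dict:
    """Constructed scenario: a fresh token, a replay of it, a wrong password and a stale token."""
    now = datetime(2021, 9, 1, 12, 0, 0, tzinfo=timezone.utc)
    verifier = UsernameTokenVerifier({"alice": "correct horse"})
    token = make_token("alice", "correct horse", now)
    return {"fresh": verifier.verify(token, now),
            "replay": verifier.verify(token, now),
            "wrong_password": verifier.verify(make_token("alice", "guess", now), now),
            "stale": verifier.verify(make_token("alice", "correct horse", now - timedelta(hours=1)), now)}
```

Because the digest is computed over the password itself, the verifier must hold the password (or an equivalent) in a form from which the digest can be recomputed; a salted password hash alone cannot check a PasswordDigest token.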

Web Service Security Specifications (S)
How to obtain a Security Token and make the token trustable?

WS-Trust (1)
- OASIS: /specs/#wstrustv1.4
- based on Web Services Security discussed above
- Trust is the characteristic that one entity is willing to rely upon a second entity to execute a set of actions and/or to make a set of assertions about a set of subjects and/or scopes
- to issue, renew, cancel and validate security tokens
- to establish the presence of, and broker, trust relationships

WS-Trust (2)
- Security Token Service (STS): a web service that issues security tokens
- makes assertions based on evidence it trusts, to whoever trusts it
- request actions: /ws-sx/ws-trust/201912/Issue, /ws-sx/ws-trust/201912/R, /ws-sx/ws-trust/201912/Cancel, /ws-sx/ws-trust/201912/Validate
- request-response style

WS-Trust (3)
- Security Token Service (continued)

WS-Trust (4)
- example (request)

WS-Trust (5)
- example (response)

WS-Trust (6)
- Negotiation and Challenge
- prior to returning a security token from the STS, a set of exchanges between the parties may be required, not just a simple request-response
- several exchanges of challenge-answer may be needed

WS-Trust (7)
- conclusion (Trust)
- to ensure the security tokens are trusted
- implementations: CXF supports it (as a client accessing an STS); Microsoft's WSE, IBM and Sun's Metro support it

Web Service Security Specifications (S)
How to establish a secure session to allow conversation?

WS-SecureConversation (1)
- OASIS: /specs/#wssecconv1.4
- to establish a security context
- to amend a security context
- to compute and pass derived keys
- Security Context Token (an extension of the WSS tokens):
  - identifier: a globally unique value in time and space
  - key instance (without revealing the actual key)
  - the token is obtained from an STS; the STS needs to support the amend, renew and cancel actions

WS-SecureConversation (2)
- example (request token)

WS-SecureConversation (3)
- example (response token)

WS-SecureConversation (4)
- derived keys
- within the context, use one or more shared secret keys to sign and encrypt messages
- different algorithms can be used to generate derived keys, e.g., P_SHA1(secret, label + seed)
- example

WS-SecureConversation (5)
- conclusion (secure session)
- to provide a shared security context among the communicating parties to exchange multiple messages
- to improve performance if multiple messages need to be exchanged during one logical request
- implementations: CXF (based on WS-SecurityPolicy, in the "wsdl-first" case)
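The P_SHA1(secret, label + seed) derivation from the derived-keys slide, as an added example that is not part of the deck: p_sha1 is the TLS-style pseudo-random function, derived_key selects the Offset/Length window that a wsc:DerivedKeyToken names, and exchange shows both ends of a context recomputing per-message keys from the shared context secret without that secret itself being sent. The default label value "WS-SecureConversation" and the rule that a Generation G corresponds to Offset = G * Length are taken as assumptions here; the secret and nonces are constructed values.

```python
import hashlib
import hmac

DEFAULT_LABEL = b"WS-SecureConversation"   # default wsc:Label (assumption: the profile's default value)

def p_sha1(secret: bytes, seed: bytes, length: int) -> bytes:
    """TLS-style P_SHA1 (RFC 2246 section 5): A(0) = seed, A(i) = HMAC(secret, A(i-1)),
    output = HMAC(secret, A(1) + seed) || HMAC(secret, A(2) + seed) || ..., cut to length."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha1).digest()            # A(i)
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()  # next 20-byte block
    return out[:length]

def derived_key(secret: bytes, nonce: bytes, offset: int = 0, length: int = 16,
                label: bytes = DEFAULT_LABEL) -> bytes:
    """Key named by a wsc:DerivedKeyToken: P_SHA1(secret, label + nonce), bytes
    [offset, offset + length) of the output (assumption: Generation G means offset = G * length)."""
    return p_sha1(secret, label + nonce, offset + length)[offset:offset + length]

def exchange() -> dict:
    """Constructed session: both ends hold the context secret; only the DerivedKeyToken
    parameters (Nonce, Offset, Length) travel, and each message gets its own key."""
    context_secret = b"\x01" * 32                      # secret established with the STS (constructed)
    request_token = {"Nonce": b"\xaa" * 16, "Offset": 0, "Length": 16}    # constructed nonce
    response_token = {"Nonce": b"\xaa" * 16, "Offset": 16, "Length": 16}  # next window, same nonce
    tokens = (request_token, response_token)
    client_keys = [derived_key(context_secret, t["Nonce"], t["Offset"], t["Length"]) for t in tokens]
    server_keys = [derived_key(context_secret, t["Nonce"], t["Offset"], t["Length"]) for t in tokens]
    return {"match": client_keys == server_keys,        # receiver recomputes the sender's key
            "distinct": client_keys[0] != client_keys[1],
            "sizes": [len(k) for k in client_keys]}
```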

Web Service Security Specifications (S)
How to express service requirements and capabilities?

Web Services Policy (1)
- W3C: /2019/ws/policy/, including framework and attachment
- a machine-readable language for representing the capabilities and requirements of a web service, which are called policies
- four elements: Policy, All, ExactlyOne and PolicyReference
- two attributes: Optional and Ignorable

Web Services Policy (2)
- Policy basic concepts
- policy: a potentially empty collection of policy alternatives
- policy alternative: a potentially empty collection of policy assertions
- policy assertion: represents a requirement, a capability, or other property of a behavior
- policy expression: an XML Infoset representation of a policy, either in a normal form or in an equivalent compact form

Web Services Policy (3)
- Policy Data Model

Web Services Policy (4)
- example (policy expression)

Web Services Policy (5)
- policy attachment
- policy attachment: a mechanism for associating a policy with one or more policy scopes
- policy scope: a collection of policy subjects to which a policy may apply
- policy subject: an entity (e.g., an endpoint, message, resource, operation) with which a policy can be associated
- attach policies with existing technologies: WSDL and UDDI

Web Services Policy (6)
- Policy scopes in WSDL

Web Services Policy (7)
- conclusion (custom metadata)
- to solve how to express the service's requirements, capabilities and constraints to the service client
- implementations: Apache Neethi project, used both in Axis2 and CXF
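The relation between the compact and normal forms from the Policy (2) concepts (a policy is a collection of alternatives, an alternative a collection of assertions), as an added example that is not code from the deck or from Apache Neethi: normalize expands wsp:Policy and wsp:All (conjunction), wsp:ExactlyOne (disjunction) and wsp:Optional into the alternatives of the normal form, and intersect keeps the alternatives a provider and a requester share by assertion vocabulary. It is simplified to assertion local names (no assertion parameters, nested policies or wsp:PolicyReference); the sp:* assertion names in the sample policies are constructed.

```python
import itertools
import xml.etree.ElementTree as ET

WSP = "http://www.w3.org/ns/ws-policy"   # WS-Policy 1.5 namespace

def _split(el):
    """(namespace, local name) from ElementTree's {ns}local tag form."""
    return tuple(el.tag[1:].split("}", 1)) if el.tag.startswith("{") else ("", el.tag)

def _alternatives(el):
    """Alternatives of a compact-form expression as a list of frozensets of assertion names."""
    ns, name = _split(el)
    if ns == WSP and name in ("Policy", "All"):       # conjunction: cross product of the children
        alts = [frozenset()]
        for child in el:
            alts = [a | b for a, b in itertools.product(alts, _alternatives(child))]
        return alts
    if ns == WSP and name == "ExactlyOne":            # disjunction: union of the children
        return [a for child in el for a in _alternatives(child)]
    alts = [frozenset([name])]                        # any other element is a policy assertion
    if el.get(f"{{{WSP}}}Optional", "false") in ("true", "1"):
        alts.append(frozenset())                      # Optional: the assertion or nothing
    return alts

def normalize(policy_xml: str):
    """Normal form (ExactlyOne of All), as sorted unique tuples of assertion names."""
    return sorted({tuple(sorted(a)) for a in _alternatives(ET.fromstring(policy_xml))})

def intersect(provider_xml: str, requester_xml: str):
    """Policy intersection by vocabulary: the alternatives whose assertion types match on both sides."""
    return sorted(set(normalize(provider_xml)) & set(normalize(requester_xml)))

# Constructed sample policies; the sp:* assertion names are illustrative, not a real binding.
PROVIDER = """<wsp:Policy xmlns:wsp="http://www.w3.org/ns/ws-policy" xmlns:sp="urn:example:sp">
  <wsp:ExactlyOne>
    <wsp:All><sp:TransportBinding/><sp:UsernameToken wsp:Optional="true"/></wsp:All>
    <wsp:All><sp:AsymmetricBinding/></wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>"""
REQUESTER = """<wsp:Policy xmlns:wsp="http://www.w3.org/ns/ws-policy" xmlns:sp="urn:example:sp">
  <sp:TransportBinding/>
</wsp:Policy>"""
```

An empty wsp:ExactlyOne yields no alternatives at all (no admissible behaviour), while an empty wsp:Policy yields one empty alternative (no constraints); the two are not equivalent.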

Web Service Security Specifications (S)
How to express security requirements and capabilities?

WS-SecurityPolicy (1)
- OASIS: /specs/#wssecpolv1.3
- based on Web Services Policy
- defines a base set of assertions that describe how messages are to be secured
- to provide enough information for compatibility and interoperability between web service participants

WS-SecurityPolicy (2)
- assertions defined:
  - Protection Assertions: Integrity Assertions, Confidentiality Assertions, Required Elements Assertions
  - Token Assertions
  - Security Binding Assertions: TransportBinding Assertion, SymmetricBinding Assertion, AsymmetricBinding Assertion
  - Wss Assertion
  - WS-Trust Assertion
- the above assertions are attached to scopes in WSDL

WS-SecurityPolicy (3)
- example

WS-SecurityPolicy (4)
- conclusion (security related metadata)
- to supply all information necessary for building a secure message exchanging environment between the participants
- implementations: Axis2 and CXF

Web Service Security Specifications (S)
How to make trust across realms?

WS-Federation (1)
- OASIS: /specs/#wsfedv1.2, Web Services Federation Language
- to federate different realms
- integrating existing security infrastructures
- leveraging the WS-* specifications
- requirements and capabilities are described by policies

WS-Federation (2)
- concepts
- Federation: a collection of realms that have established a producer-consumer relationship whereby one realm can provide authorized access to a resource it manages based on an identity, and possibly associated attributes, that are asserted in another realm
- Identity Provider (IP): an entity that acts as an authentication service to end requestors and a data origin authentication service to service providers; it needs to be trusted both by the requestor and the service provider
- Attribute Service: a Web service that maintains information (attributes) about principals within a trust realm or federation

WS-Federation (3)
- concepts (continued)
- Authorization Service: a specialized type of Security Token Service (STS) that makes authorization decisions
- Digital Identity: a digital representation of a principal that is unique to that principal
- Realm or Domain: a representation of a single unit of security administration or trust
- Federation Metadata: a description of a single federation which is helpful for partners
- Pseudonym Service: a Web service that maintains alternate identity information about principals within a trust realm or federation

WS-Federation (4)
- an alternative illustration

WS-Federation (5)
- another alternative illustration

WS-Federation (6)
- conclusion (focus on authentication and authorization)
- to enable trust across different security realms in a federation
- implementations: this specification was initiated by Microsoft and IBM

Web Service Security Specifications (S)
What is the XML-based Security Language for security information?

Security Assertion Markup Language (1)
- OASIS: /specs/#samlv2.0, including SAMLCore, SAMLBind, SAMLProf,
