
Web Service Security

Introduction
Zhang Bing, Sept. 2009

Information Security (involved concepts)
- Confidentiality (C of the CIA triad)
- Integrity (I of the CIA triad)
- Availability (A of the CIA triad)
- Identification (access control)
- Authentication (access control)
- Authorization (access control)
- Non-repudiation
- Audit

Confidentiality
- ensuring that information is accessible only to those authorized to have access
- to prevent the disclosure of information to unauthorized individuals or systems
- examples: the credit card number, password

Integrity
- simply, data integrity is the assurance that data are consistent and correct, that data cannot be modified without authorization
- in cryptography and information security, integrity refers to the validity of data
- examples: referential integrity in databases, man-in-the-middle, checksum, Message Authentication Code

Availability
- the information must be available when it is needed
- high availability systems aim to remain available at all times
- examples: denial-of-service attack

Identification / Identity
- an assertion of who someone is or what something is
- aims to map a known identifier (ID) to an unknown entity so as to make it known
- the ID must be unique; IDs may be scoped
- examples: username

Authentication
- the act of establishing or confirming something (or someone) as authentic (genuine)
- to validate that both parties involved are who they claim they are
- three different types of information can be used for authentication: something you know, something you have, or something you are
- examples: password, server authentication in TLS, mutual authentication in TLS

Authorization
- to determine what informational resources they are permitted to access and what actions they will be allowed to perform
- to specify access rights to resources
- approaches: the non-discretionary approach, the discretionary approach, the mandatory access control approach (security classification)
- examples: role-based database management systems, the simple access control lists used in many firewalls and routers

Non-repudiation
- ensuring that a party in a dispute cannot repudiate, or refute the validity of, a statement or contract
- implies that one party of a transaction cannot deny having received a transaction, nor can the other party deny having sent a transaction
- examples: digital signature

Audit
- manual or systematic measurable technical assessment of a system or application
- examples: review the access control list, analyze the logs

Web Service Security Specifications
- HTTP(S)
- XML / Schema
- XML Digital Signature
- SOAP / WSDL / WS-Addressing
- XML Encryption
- Web Services Policy
- WS-Trust
- WS-Federation
- WS-SecureConversation
- WS-SecurityPolicy
- Security Assertion Markup Language
- Web Services Security

How to prevent the data being changed by others?

XML Digital Signature (1)
- W3C: XML Signature Syntax and Processing (Second Edition), /TR/xmldsig-core/
- XML Signature can be used to sign the data and represent the result in XML
- XML Signatures can be applied to any digital content (data object), including XML
- a combination of digital signature and XML
- enveloped signature, enveloping signature, detached signature

XML Digital Signature (2) structure (main elements)
<Signature ID?>
  <SignedInfo>
    <CanonicalizationMethod/>
    <SignatureMethod/>
    (<Reference URI?>
      (<Transforms>)?
      <DigestMethod>
      <DigestValue>
    </Reference>)+
  </SignedInfo>
  <SignatureValue>
  (<KeyInfo>)?
  (<Object ID?>)*
</Signature>

XML Digital Signature (3) example

XML Digital Signature (4) conclusion (Integrity)
- to ensure the data integrity between sender and receiver
- if the signature algorithm is asymmetric, the message sender can't repudiate his action
- if the signature algorithm is asymmetric, the subject of the message sender can be decided (may be used as authentication)
- APIs and implementations: Java XML Digital Signature APIs (JSR 105); Apache Santuario (XML Security) project (Java and C++), used both in WSS4J, Axis2 and CXF

How to prevent the data being seen by others?

XML Encryption (1)
- W3C: XML Encryption Syntax and Processing, /TR/xmlenc-core/
- XML Encryption can be used to encrypt the data and represent the result in XML
- the data may be arbitrary data (including an XML document), an XML element, or XML element content
- an EncryptedData element replaces the element or content in the encrypted version of the XML document
- an EncryptedKey element is used to transport encrypted keys from the originator to known receivers
- can also be used to encrypt external data

XML Encryption (2) structure
<EncryptedData Id? Type? MimeType? Encoding?>
  <EncryptionMethod/>?
  <ds:KeyInfo>
    <EncryptedKey>?
    <AgreementMethod>?
    <ds:KeyName>?
    <ds:RetrievalMethod>?
    <ds:*>?
  </ds:KeyInfo>?
  <CipherData>
    <CipherValue>?
    <CipherReference URI?>?
  </CipherData>
  <EncryptionProperties>?
</EncryptedData>

XML Encryption (3) example

XML Encryption (4) conclusion (Confidentiality)
- to ensure the data confidentiality between the sender and the receiver
- symmetric keys are always used to encrypt data, asymmetric keys are always used to encrypt the symmetric key
- APIs and implementations: Java XML Digital Encryption APIs (JSR 106); Apache Santuario (XML Security) project (Java and C++), used both in WSS4J, Axis2 and CXF

How to send security information? How to enable signature and encryption with SOAP messages?

Web Services Security (1)
- OASIS: /specs/#wssv1.1, including a SOAP Message Security and several Token Profiles
- to secure web services based on XML Signature, XML Encryption and existing security technologies (Kerberos, X.509, SAML etc.)
- to send security tokens as part of a SOAP message
- to sign security tokens and message parts
- to encrypt security tokens and message parts
- to provide end-to-end message level security

Web Services Security (2) security token
- concepts: a claim is a declaration made by an entity (name, identity, key, group, privilege, capability, etc.); a security token represents a collection of claims, it may be signed or unsigned
- security tokens:
  - UsernameToken: providing a username
  - BinarySecurityTokens (X.509 certificates and Kerberos tickets etc.), need to be encoded
  - XML Tokens: XML based security tokens, SAML etc.
  - EncryptedDataToken: the token's encrypted form
- an Id attribute under a specified namespace may be used for reference

Web Services Security (3) security token reference
- provides an extensible mechanism for referencing security tokens and other key bearing elements
- security token reference mechanics: Direct References (using a URI), Key Identifiers (using an opaque value), Key Names (using an asserted name), Embedded References (embedded)
- the references may be encrypted

Web Services Security (4)
- signatures and encryption can be used both for message parts and security tokens
- security timestamps: to avoid the replay problem; for the recipient to determine the freshness of the security semantics; the contents: creation time and/or expiration time; clock synchronization is out of scope

Web Services Security (5) example
Web Services Security (6) to (9) example (continued)

Web Services Security (10) security header
- the header element is added to the front of the existing elements, for example to decide the order of the signature step and the encryption step
- the key-bearing element should be ordered to precede the key-using element
- more about username tokens (extensions):
  - two types of password: PasswordText and PasswordDigest
  - to avoid replay attacks: Nonce (a random value) and Created (timestamp)
  - Password_Digest = Base64(SHA-1(nonce + created + password))
  - key derivation: Salt and Iteration act on a shared secret key to generate a new key for the Message Authentication Code and encryption

Web Services Security (11) example (username token)

Web Services Security (12) conclusion (Integrity, Confidentiality and Authentication)
- use encryption to ensure the SOAP message's confidentiality
- use signature to ensure the SOAP message's integrity
- use security tokens to provide authentication information, key information and other extended information
- use timestamps to avoid replay attacks
- implementations: Apache WSS4J, used both in Axis2 and CXF; it seems not to support all tokens defined by the specification group
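The UsernameToken digest and the two replay defences named above (Nonce and Created), worked through on both the sender and the receiver side. This is an added example, not code from the slides or from WSS4J; the user/password store, the five-minute freshness window and the nonce cache are assumptions of the example.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

FMT = "%Y-%m-%dT%H:%M:%SZ"  # xsd:dateTime form carried in wsu:Created

def compute_password_digest(nonce: bytes, created: str, password: str) -> str:
    # Password_Digest = Base64(SHA-1(nonce + created + password)); the nonce goes in
    # as raw bytes, i.e. the Base64-decoded content of the Nonce element.
    data = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")

def make_username_token(username, password, created=None, nonce=None):
    """Sender side: a fresh random nonce and the current time go into the digest."""
    nonce = nonce or os.urandom(16)
    created = created or datetime.now(timezone.utc).strftime(FMT)
    return {"Username": username, "Nonce": base64.b64encode(nonce).decode("ascii"),
            "Created": created,
            "PasswordDigest": compute_password_digest(nonce, created, password)}

class UsernameTokenVerifier:
    """Receiver side: digest check, a freshness window on Created, a nonce cache."""

    def __init__(self, passwords, max_age=timedelta(minutes=5), skew=timedelta(seconds=30)):
        self.passwords = passwords   # constructed user -> password store (assumption)
        self.max_age, self.skew = max_age, skew
        self.seen_nonces = set()     # prune entries older than max_age in production

    def verify(self, token) -> bool:
        password = self.passwords.get(token.get("Username"))
        if password is None:
            return False
        try:
            created = datetime.strptime(token["Created"], FMT).replace(tzinfo=timezone.utc)
            nonce = base64.b64decode(token["Nonce"], validate=True)
        except (KeyError, ValueError):
            return False
        now = datetime.now(timezone.utc)
        if created < now - self.max_age or created > now + self.skew:
            return False             # stale, or Created lies in the future
        if nonce in self.seen_nonces:
            return False             # nonce already accepted: a replayed token
        expected = compute_password_digest(nonce, token["Created"], password)
        if not hmac.compare_digest(expected, token.get("PasswordDigest", "")):
            return False
        self.seen_nonces.add(nonce)
        return True
```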

How to obtain a security token and make the token trustable?

WS-Trust (1)
- OASIS: /specs/#wstrustv1.4, based on the Web Services Security discussed above
- trust is the characteristic that one entity is willing to rely upon a second entity to execute a set of actions and/or to make a set of assertions about a set of subjects and/or scopes
- to issue, renew, cancel and validate security tokens
- to establish the presence of, and broker, trust relationships

WS-Trust (2) Security Token Service (STS)
- a web service that issues security tokens
- makes assertions based on evidence it trusts, to whoever trusts it
- request types:
  /ws-sx/ws-trust/201912/Issue
  /ws-sx/ws-trust/201912/Renew
  /ws-sx/ws-trust/201912/Cancel
  /ws-sx/ws-trust/201912/Validate
- request-response style

WS-Trust (3) Security Token Service (continued)
WS-Trust (4) example (request)
WS-Trust (5) example (response)

WS-Trust (6) Negotiation and Challenge
- prior to returning a security token from the STS, a set of exchanges between the parties is required, not just a simple request-response
- several exchanges of challenge-answer may be needed

WS-Trust (7) conclusion (Trust)
- to ensure the security tokens are trusted
- implementations: CXF supports it (as a client to access an STS); Microsoft's WSE, IBM and Sun's Metro support it

How to establish a secure session to allow conversation?

WS-SecureConversation (1)
- OASIS: /specs/#wssecconv1.4
- to establish a security context
- to amend a security context
- to compute and pass derived keys
- SecurityContextToken (extension of WSS tokens): identifier (a globally unique value in time and space); key instance (without revealing the actual key)
- the token is obtained from the STS; the STS needs to support the amend, renew and cancel actions

WS-SecureConversation (2) example (request token)
WS-SecureConversation (3) example (response token)

WS-SecureConversation (4) derived keys
- within the context, use one or more shared secret keys to sign and encrypt messages
- different algorithms can be used to generate derived keys, e.g., P_SHA1(secret, label + seed)
- example

WS-SecureConversation (5) conclusion (secure session)
- to provide a shared security context among the communicating parties to exchange multiple messages
- to promote performance if multiple messages need to be exchanged during one logical request
- implementations: CXF (based on WS-SecurityPolicy, in the "wsdl-first" case)
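The derived-key formula P_SHA1(secret, label + seed) carried through: both parties derive the same slice of the P_SHA1 key stream from the context secret and use it to MAC a message. This is an added example, not code from the slides or from CXF; the shared secret, nonce and message are constructed, and the Offset/Length slicing follows the DerivedKeyToken convention.

```python
import hashlib
import hmac

def p_sha1(secret: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.0 P_SHA1 (RFC 2246, section 5), which WS-SecureConversation reuses:
    A(0) = seed, A(i) = HMAC_SHA1(secret, A(i-1)),
    P_SHA1 = HMAC_SHA1(secret, A(1) + seed) + HMAC_SHA1(secret, A(2) + seed) + ..."""
    output, a = b"", seed
    while len(output) < length:
        a = hmac.new(secret, a, hashlib.sha1).digest()
        output += hmac.new(secret, a + seed, hashlib.sha1).digest()
    return output[:length]

def derive_key(secret: bytes, label: bytes, nonce: bytes, offset: int, length: int) -> bytes:
    """The slide's formula with seed = nonce: the key stream is P_SHA1(secret, label + nonce)
    and the DerivedKeyToken's Offset/Length select a slice of it."""
    stream = p_sha1(secret, label + nonce, offset + length)
    return stream[offset:offset + length]

# Constructed sample context: a 16-byte secret the STS handed to both parties and
# the nonce the sender placed in its DerivedKeyToken.  The label is the
# specification's default value (both parties' default labels concatenated).
SHARED_SECRET = bytes(range(16))
LABEL = b"WS-SecureConversationWS-SecureConversation"
NONCE = b"constructed-nonce-1"

def sign_with_derived_key(message: bytes, offset: int = 0, length: int = 16) -> bytes:
    """Sender: derive a 128-bit signing key at Offset/Length and MAC the message."""
    key = derive_key(SHARED_SECRET, LABEL, NONCE, offset, length)
    return hmac.new(key, message, hashlib.sha1).digest()

def verify_with_derived_key(message: bytes, mac: bytes, offset: int = 0, length: int = 16) -> bool:
    """Receiver: re-derive the key from the context secret plus the token's
    nonce/offset/length and compare the MAC in constant time."""
    key = derive_key(SHARED_SECRET, LABEL, NONCE, offset, length)
    return hmac.compare_digest(hmac.new(key, message, hashlib.sha1).digest(), mac)
```

A receiver that cannot reproduce the key (wrong nonce, wrong offset, wrong context) rejects the MAC, which is why the DerivedKeyToken must carry exactly the parameters the sender used.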

How to express a service's requirements and capabilities?

Web Services Policy (1)
- W3C: /2019/ws/policy/, including framework and attachment
- a machine-readable language for representing the capabilities and requirements of a web service, which are called "policies"
- four elements: Policy, All, ExactlyOne and PolicyReference
- two attributes: Optional and Ignorable

Web Services Policy (2) policy basic concepts
- policy: a potentially empty collection of policy alternatives
- policy alternative: a potentially empty collection of policy assertions
- policy assertion: represents a requirement, a capability, or other property of a behavior
- policy expression: an XML Infoset representation of a policy, either in a normal form or in an equivalent compact form

Web Services Policy (3) Policy Data Model
Web Services Policy (4) example (policy expression)

Web Services Policy (5) policy attachment
- policy attachment: a mechanism for associating policy with one or more policy scopes
- policy scope: a collection of policy subjects to which a policy may apply
- policy subject: an entity (e.g., an endpoint, message, resource, operation) with which a policy can be associated
- attach policies with existing technologies: WSDL and UDDI

Web Services Policy (6) policy scopes in WSDL

Web Services Policy (7) conclusion (custom metadata)
- to solve how to express the service's requirements, capabilities and constraints to the service client
- implementations: Apache Neethi project, used both in Axis2 and CXF
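The compact-to-normal-form relationship between the four elements and the Optional attribute, worked through as a small normalizer that expands a compact policy expression into its list of alternatives. This is an added example, not code from the slides or from Apache Neethi; the sample policy and its sp: assertion namespace are constructed, and assertions with nested policies are not descended into.

```python
import xml.etree.ElementTree as ET
from itertools import product

WSP = "{http://www.w3.org/ns/ws-policy}"   # Web Services Policy 1.5 namespace
SP = "{urn:example:sp}"                     # constructed namespace for the sample assertions

def normalize(elem):
    """Return the alternatives of a policy expression as lists of assertion QNames,
    applying the framework's normalization rules:
      Policy / All  -> cross product of the children's alternatives
      ExactlyOne    -> union of the children's alternatives
      assertion with wsp:Optional="true" -> ExactlyOne(All(assertion), All())"""
    if elem.tag in (WSP + "Policy", WSP + "All"):
        alts = [[]]
        for child in elem:
            alts = [a + b for a, b in product(alts, normalize(child))]
        return alts
    if elem.tag == WSP + "ExactlyOne":
        return [alt for child in elem for alt in normalize(child)]
    if elem.tag == WSP + "PolicyReference":
        raise ValueError("resolve wsp:PolicyReference before normalizing")
    if elem.get(WSP + "Optional") == "true":
        return [[elem.tag], []]           # present in one alternative, absent in the other
    return [[elem.tag]]

def alternatives(policy_xml: str):
    """Normalize a compact policy expression into a sorted list of alternatives."""
    return sorted(tuple(sorted(alt)) for alt in normalize(ET.fromstring(policy_xml.strip())))

# Constructed compact-form policy: a required transport binding, a choice of
# token, and an optional timestamp assertion (2 x 2 = 4 alternatives).
SAMPLE_POLICY = """
<wsp:Policy xmlns:wsp="http://www.w3.org/ns/ws-policy" xmlns:sp="urn:example:sp">
  <sp:TransportBinding/>
  <wsp:ExactlyOne>
    <sp:UsernameToken/>
    <sp:X509Token/>
  </wsp:ExactlyOne>
  <sp:IncludeTimestamp wsp:Optional="true"/>
</wsp:Policy>
"""

if __name__ == "__main__":
    for alt in alternatives(SAMPLE_POLICY):
        print(alt)
```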

How to express the security aspect's requirements and capabilities?

WS-SecurityPolicy (1)
- OASIS: /specs/#wssecpolv1.3, based on Web Services Policy
- defines a base set of assertions that describe how messages are to be secured
- to provide enough information on compatibility and interoperability for web service participants

WS-SecurityPolicy (2) assertions defined
- Protection Assertions: Integrity Assertions, Confidentiality Assertions, Required Elements Assertions
- Token Assertions
- Security Binding Assertions: Transport Binding Assertion, Symmetric Binding Assertion, Asymmetric Binding Assertion
- Wss Assertion
- WS-Trust Assertion
- the above assertions' attached scopes in WSDL

WS-SecurityPolicy (3) example

WS-SecurityPolicy (4) conclusion (security related metadata)
- to supply all the information necessary for building a secure message exchanging environment between the participants
- implementations: Axis2 and CXF

How to make trust across realms?

WS-Federation (1)
- OASIS: /specs/#wsfedv1.2, Web Services Federation Language
- to federate different realms
- integrating existing security infrastructures
- leveraging the WS-* specifications
- requirements and capabilities are described by policies

WS-Federation (2) concepts
- Federation: a collection of realms that have established a producer-consumer relationship whereby one realm can provide authorized access to a resource it manages based on an identity, and possibly associated attributes, that are asserted in another realm
- Identity Provider (IP): an entity that acts as an authentication service to end requestors and a data origin authentication service to service providers. It needs to be trusted both by the requestor and the service provider
- Attribute Service: a Web service that maintains information (attributes) about principals within a trust realm or federation

WS-Federation (3) concepts (continued)
- Authorization Service: a specialized type of Security Token Service (STS) that makes authorization decisions
- Digital Identity: a digital representation of a principal that is unique to that principal
- Realm or Domain: a representation of a single unit of security administration or trust
- Federation Metadata: a description of a single federation which is helpful for partners
- Pseudonym Service: a Web service that maintains alternate identity information about principals within a trust realm or federation

WS-Federation (4) an alternative illustration
WS-Federation (5) another alternative illustration

WS-Federation (6) conclusion (focus on authentication and authorization)
- to enable trust across different security realms in a federation
- implementations: this specification was initiated by Microsoft and IBM

What is the XML-based security language for security information?

Security Assertion Markup Language (1)
- OASIS: /sp
