WS-Security Protocol

Ramkumar Chandrasekharan
CS 265

Web Services (WS)

- A service available over the Internet
- Standard protocols: HTTP, SMTP, FTP
- Is based on an XML messaging system
  - SOAP (Simple Object Access Protocol), XML-RPC
- A WS should be self-describing
  - WSDL: Web Services Description Language
- Discoverable
  - UDDI: Universal Description Definition Interface

Consuming a Web Service

1) Client discovers the WS from the UDDI registry to which the WS has published itself
2) Client retrieves the WSDL file pointed to by UDDI
3) Client creates SOAP packets with the appropriate Web Service calls
4) Client invokes the Web Service method over HTTP, SMTP etc.
5) Response is received from the WS as a SOAP packet as well

WS is not secure

- XML messages travel over the network. Anybody can easily sniff and read the text.
- It can be secured with SSL at the transport layer, but that does not guarantee end-to-end security. SSL also encrypts everything, which could be resource-expensive.
- Many ways of securing WS at the message layer are possible; WS-Security is a standard way of securing WS.

WS-Security

- WS-* Specs
  - Standardizing various pieces of Web Services, e.g., Security, Policy, Messaging etc.
- Various standards orgs (OASIS, W3C etc.) and corporations (IBM, MS, Verisign etc.) are involved

WS-Security

- SOAP header carries security info
- XML Encryption standard is used for encryption
- XML Signature standard is used for digital signatures

SOAP Security Header

```xml
<soap:Envelope
    xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/12/secext">
  <soap:Header>
    <wsse:Security soap:role="….">
      <!-- All the security-related mechanisms like security tokens,
           encryption and signatures go here -->
    </wsse:Security>
  </soap:Header>
  <!-- soap:Body omitted -->
</soap:Envelope>
```

WS-Security Tokens

- Authentication mechanisms:
  - UsernameToken
    - Plaintext
    - Hashed (Base64 Encoding (SHA-1 (Nonce + Created + Password)))
  - BinarySecurityToken based on Kerberos or X.509 certificates

XML Encryption

- Provides end-to-end security
- Selective encryption
- Very simple to do; say, for example, there is an XML doc:

XML before encryption:

```xml
<?xml version='1.0'?>
<CreditCard>
  <Name>John</Name>
  <Number>1234567</Number>
  <Code>123</Code>
  <Expiry>0106</Expiry>
</CreditCard>
```

XML after encryption:

```xml
<?xml version='1.0'?>
<CreditCard>
  <Name>John</Name>
  <EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#">
    <CipherData>
      <CipherValue>asdgsd45454</CipherValue>
    </CipherData>
  </EncryptedData>
</CreditCard>
```

XML Signature

- Standard schema for digitally signing XML docs
- Selective signing of XML docs; that is, portions of XML docs can be signed
- It's not as simple as XML encryption

XML Signature Schema

```xml
<Signature>
  <SignedInfo>
    <CanonicalizationMethod />
    <SignatureMethod />
    <Reference URI=" ">          <!-- 0 or more -->
      <Transforms/>
      <DigestMethod/>
      <DigestValue/>
    </Reference>
  </SignedInfo>
  <SignatureValue />             <!-- Digest of SignedInfo -->
  <KeyInfo/>                     <!-- Optional -->
</Signature>
```
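
The two-level structure of the schema above (a digest of the selected element inside `SignedInfo`, then a signature over canonical `SignedInfo`) is what makes selective signing work. The sketch below is an added example, not code from the original slides, and it simplifies the standard: elements are left un-namespaced, an HMAC with a shared key stands in for a public-key signature, `Transforms` and `KeyInfo` are omitted, and the sample document, key and `Id` value are constructed.

```python
import base64, copy, hashlib, hmac
import xml.etree.ElementTree as ET

# Constructed sample document and shared key (not from the slides).
DOC = '<CreditCard><Name>John</Name><Number Id="num">1234567</Number></CreditCard>'
KEY = b"constructed-shared-secret"

def c14n(elem):
    """Canonical bytes of one element (C14N 2.0 from the standard library)."""
    elem = copy.copy(elem)
    elem.tail = None   # text following the element is not part of it
    return ET.canonicalize(ET.tostring(elem, encoding="unicode")).encode("utf-8")

def b64(data):
    return base64.b64encode(data).decode("ascii")

def by_id(root, ref_id):
    hits = [e for e in root.iter() if e.get("Id") == ref_id]
    return hits[0] if len(hits) == 1 else None   # missing or duplicate Id: refuse

def sign(doc_xml, ref_id, key):
    root = ET.fromstring(doc_xml)
    sig = ET.SubElement(root, "Signature")
    info = ET.SubElement(sig, "SignedInfo")
    ET.SubElement(info, "CanonicalizationMethod", Algorithm="http://www.w3.org/2010/xml-c14n2")
    ET.SubElement(info, "SignatureMethod", Algorithm="http://www.w3.org/2001/04/xmldsig-more#hmac-sha256")
    ref = ET.SubElement(info, "Reference", URI="#" + ref_id)
    ET.SubElement(ref, "DigestMethod", Algorithm="http://www.w3.org/2001/04/xmlenc#sha256")
    # Step 1: the digest of the selected element goes inside SignedInfo.
    ET.SubElement(ref, "DigestValue").text = b64(hashlib.sha256(c14n(by_id(root, ref_id))).digest())
    # Step 2: the signature covers canonical SignedInfo, not the document.
    mac = hmac.new(key, c14n(info), hashlib.sha256).digest()
    ET.SubElement(sig, "SignatureValue").text = b64(mac)
    return ET.tostring(root, encoding="unicode")

def verify(signed_xml, key):
    """Return the verified element, or None if either check fails."""
    root = ET.fromstring(signed_xml)
    info = root.find("Signature/SignedInfo")
    if info is None:
        return None
    mac = b64(hmac.new(key, c14n(info), hashlib.sha256).digest())
    if not hmac.compare_digest(mac, root.findtext("Signature/SignatureValue", "")):
        return None          # SignedInfo altered or wrong key
    ref = info.find("Reference")
    target = by_id(root, ref.get("URI")[1:])
    digest = b64(hashlib.sha256(c14n(target)).digest()) if target is not None else ""
    if not hmac.compare_digest(digest, ref.findtext("DigestValue", "")):
        return None          # referenced element altered
    return target
```

`verify()` hands back the element it checked so that the caller processes exactly what was signed; everything outside the referenced element, such as `Name` here, is not covered by the signature.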
WS-Security Demo
Using WSE 2.0

Conclusion

- Web services are going to create a revolution in distributed computing, and standards like WS-Security help bring security to Web Services.
- With Web Services, the vision of Vint Cerf, "father of the Internet", could be achieved. He said, "it won't be long before your bathroom scale surreptitiously transmits your weight to your doctor, who might command a stop to the rocky road ice cream your fridge automatically orders for you from www.groceries.com".

Q&A