XML Web Services Security
March 27, 2003
IIDS Group, Vrije Universiteit
Yuri Demchenko, NLnet Labs
March 27, 2003 . Vrije Universiteit, Amsterdam
XML Web Services Security
Slide2_2
Outlines
• Historical
• XML Security
• Web Services Security
• OGSA Security
• XML Web Services technology for IIDS - Discussion
Historical: How all this started (quoting Tim Berners-Lee)
• Initial idea to create resource description language
  ◆ Existing technologies: SGML + WAIS, Gopher + Library Catalogues
  ◆ Problems: hyperlinks reference and semantic meaning binding
• Past steps:
  ◆ WWW and HTML
  ◆ RDF and Metadata
  ◆ XML and XML Signature
• Next step: Semantic Web
• Ongoing development: Computer Grids -> Information Grids -> Semantic Grids
XML Basics: DTD, Schema, XML Protocol, etc.
DTD is document-oriented
• Like HTML
Schema is data-oriented
• XML Signature
• SAML
Basic XML Protocol(s)
• XML-RPC
• SOAP
XForms, XLink, XML Query, XPath, XPointer, XSL and XSLT, Legal XML
XML Security vs Traditional (Network) security
Traditional Security:
• Host-to-host or point-to-point security
• Client/server oriented
• Connection or connectionless oriented
• Generically single/common trust domain/association
XML Security:
• Document oriented approach
  ◆ Security tokens/assertions and policies can be associated with the document or its parts
• Intended to be cross-domain
• Potentially for virtual and dynamic trust domains (security associations)
XML Security - Components
• XML Signature
• XML Encryption
• Security Assertion
  ◆ SAML (Security Assertion Mark-up Language)
  ◆ XrML (XML Rights Mark-up Language)
  ◆ XACML (XML Access Control Mark-up Language)
• XKMS (XML Key Management Specification)
XML Signature: Features
Fundamental feature: the ability to sign only specific portions of the XML tree rather than the whole document.
• An XML document may have a long history in which different components are authored by different parties at different times
• Different parties may want to sign only those elements relevant to them
• Important when keeping the integrity of certain parts of an XML document is essential while leaving the possibility for other parts to be changed
• Allows carrying security tokens/assertions on the document/data rather than on the user/client
• Provides security features for XML based protocols
  ◆ Provides basic functionality for state assertions
XML Signature structure
<Signature ID?>
<SignedInfo>
<CanonicalizationMethod/>
<SignatureMethod/>
(<Reference URI? >
(<Transforms>)?
<DigestMethod>
<DigestValue>
</Reference>)+
</SignedInfo>
<SignatureValue>
(<KeyInfo>)?
(<Object ID?>)*
</Signature>
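The two slides above (the partial-signing feature and the Signature structure) can be demonstrated end to end. The following is an added example, not code from the presentation: it builds a detached Signature whose single Reference points at one element by id, computes DigestValue over the canonical form of that element, and signs the canonical SignedInfo. Assumptions, which are mine and not the slides': the signature is an HMAC-SHA256 rather than an RSA signature (the Python standard library has no RSA, and HMAC-SHA256 is a registered SignatureMethod in RFC 6931); canonicalization uses the standard library's Canonical XML 2.0 with inter-element whitespace stripped, not the C14N 1.0 of the original spec; the ds: namespace is omitted from the Signature markup to keep the serialization comparison simple; the sample document, key and the names sign_element, verify_signature and demo are constructed for this example.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Algorithm identifiers. The stdlib canonicalizer implements Canonical XML 2.0,
# so its URI is used here instead of the C14N 1.0 URI the original spec mandates.
C14N_ALG = "http://www.w3.org/2010/xml-c14n2"
SIG_ALG = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"   # RFC 6931
DIGEST_ALG = "http://www.w3.org/2001/04/xmlenc#sha256"

# Constructed sample document: two parts, authored by different parties.
SAMPLE_DOC = """<purchase>
  <order id="o1"><item>widget</item><qty>3</qty></order>
  <note id="n1">please deliver in the morning</note>
</purchase>"""
DEMO_KEY = b"constructed-demo-hmac-key"   # shared secret, for illustration only


def _c14n(xml_text):
    """Canonical form of an XML fragment (whitespace between elements dropped)."""
    return ET.canonicalize(xml_text, strip_text=True).encode()


def _element_by_id(doc_xml, elem_id):
    """Resolve a same-document Reference URI ('#id') to its element."""
    for el in ET.fromstring(doc_xml).iter():
        if el.get("id") == elem_id:
            el.tail = None      # tail text belongs to the parent, not to the signed part
            return el
    raise LookupError("no element with id=%r" % elem_id)


def _digest_of(doc_xml, elem_id):
    """DigestValue for one Reference: base64(SHA-256(C14N(element)))."""
    el = _element_by_id(doc_xml, elem_id)
    digest = hashlib.sha256(_c14n(ET.tostring(el, encoding="unicode"))).digest()
    return base64.b64encode(digest).decode()


def _signed_info(elem_id, digest_b64):
    """SignedInfo with exactly one Reference, following the slide's structure."""
    return ('<SignedInfo>'
            '<CanonicalizationMethod Algorithm="%s"/>'
            '<SignatureMethod Algorithm="%s"/>'
            '<Reference URI="#%s">'
            '<DigestMethod Algorithm="%s"/>'
            '<DigestValue>%s</DigestValue>'
            '</Reference>'
            '</SignedInfo>' % (C14N_ALG, SIG_ALG, elem_id, DIGEST_ALG, digest_b64))


def sign_element(doc_xml, elem_id, key):
    """Build a detached <Signature> that covers only the element with the given id."""
    signed_info = _signed_info(elem_id, _digest_of(doc_xml, elem_id))
    mac = hmac.new(key, _c14n(signed_info), hashlib.sha256).digest()
    return ('<Signature>%s<SignatureValue>%s</SignatureValue></Signature>'
            % (signed_info, base64.b64encode(mac).decode()))


def verify_signature(doc_xml, signature_xml, key):
    """Core validation: check every Reference digest, then the MAC over canonical SignedInfo."""
    sig = ET.fromstring(signature_xml)
    signed_info = sig.find("SignedInfo")
    if signed_info is None:
        return False
    for ref in signed_info.findall("Reference"):
        uri = ref.get("URI") or ""
        if not uri.startswith("#"):
            return False                # only same-document references are handled here
        try:
            actual = _digest_of(doc_xml, uri[1:])
        except LookupError:
            return False
        if not hmac.compare_digest(actual, ref.findtext("DigestValue") or ""):
            return False
    signed_info.tail = None
    canonical = _c14n(ET.tostring(signed_info, encoding="unicode"))
    expected = hmac.new(key, canonical, hashlib.sha256).digest()
    stored = base64.b64decode(sig.findtext("SignatureValue") or "")
    return hmac.compare_digest(expected, stored)


def demo():
    """Returns (untouched, unsigned part edited, signed part edited, wrong key)."""
    sig = sign_element(SAMPLE_DOC, "o1", DEMO_KEY)
    return (
        verify_signature(SAMPLE_DOC, sig, DEMO_KEY),
        verify_signature(SAMPLE_DOC.replace("morning", "evening"), sig, DEMO_KEY),
        verify_signature(SAMPLE_DOC.replace("<qty>3<", "<qty>30<"), sig, DEMO_KEY),
        verify_signature(SAMPLE_DOC, sig, b"some-other-key"),
    )


if __name__ == "__main__":
    print(demo())   # (True, True, False, False)
```

The second result is the point of the slide: the note element can be edited by another party and the order's signature still verifies, because only the referenced subtree feeds the digest. A verifier must always perform both steps in that order (reference validation, then signature validation); checking only the SignatureValue would prove that SignedInfo is intact but not that the referenced data still matches its DigestValue.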
XML Web Services
A Web Service is a software system identified by a URI, whose public interfaces and bindings are defined and described by XML. Other software systems may discover and interact with the Web Service in a manner prescribed by its definition, using XML based messages conveyed by Internet protocols.
• Service oriented architecture for application-to-application interaction
  ◆ Describing Web services – WSDL
  ◆ Exchanging messages – SOAP extensions
  ◆ Publishing and Discovering WS descriptions - UDDI
• Programming language-, programming model-, and system software-neutral
• Standard based: XML/SOAP foundation
• Industry initiatives (and development platforms)
  ◆ Sun SunONE/J2EE (SunONE Studio)
  ◆ Microsoft .NET (Visual Studio .NET)
  ◆ IBM Dynamic e-Business (AlphaWorks)
  ◆ XML Spy by Altova
XML WS - Service Oriented Architecture
• WSDL based Service Description
• SOAP based messaging over HTTP, SMTP, TCP, etc.
• UDDI based Publishing/Discovery
Web services features – three stacks
Web Service Description Language (WSDL)
• WSDL is an XML document format for describing a Web service as a set of endpoints operating on messages containing either document-oriented or procedure-oriented (RPC) messages.
• The operations and messages are described abstractly and then bound to a concrete network protocol and message format to define an endpoint.
WSDL Example – TimeService.wsdl
[WSDL listing for TimeService.wsdl not preserved in this copy]
Web Services Security Model
The WS-Security model provides end-to-end security (as opposed to point-to-point), allowing intermediaries.
• A Web service can require that an incoming message prove a set of claims (e.g., name, key, permission, capability, etc.).
  ◆ The set of required claims and related information is referred to as a Policy.
• A requester can send messages with proof of the required claims by associating security tokens with the messages.
  ◆ Messages both demand a specific action and prove that their sender has the claim to demand the action.
• When a requester does not have the required claims, the requester or someone on its behalf can try to obtain the necessary claims by contacting other Web services.
  ◆ Security token services broker trust between different trust domains by issuing security tokens.
Web Services Security Model
Security token types
• Username/password
• X.509 PKC
• SAML
• XrML
• XCBF
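The simplest of these token types, username/password, is also the one the next slide's first scenario (direct trust using username/password over SSL/TLS) relies on. The following is an added example, not code from the presentation: the requester attaches a UsernameToken to the SOAP Security header in the PasswordDigest form, and the service proves the claim by recomputing Base64(SHA-1(nonce + created + password)), rejecting stale timestamps and replayed nonces. Assumptions beyond the slides: the namespaces and the Type URI are those of the OASIS WSS 1.0 Username Token Profile (2004), which finalized the draft the slides describe; the user name, password, nonce, timestamp and the names build_request, UsernameTokenVerifier and demo are constructed for this example.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PASSWORD_DIGEST = ("http://docs.oasis-open.org/wss/2004/01/"
                   "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
NS = {"soap": SOAP_NS, "wsse": WSSE_NS, "wsu": WSU_NS}


def password_digest(nonce, created, password):
    """Password_Digest = Base64(SHA-1(nonce + created + password)), as in the profile."""
    h = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return base64.b64encode(h).decode()


def build_request(username, password, nonce, created, body_xml):
    """Requester side: SOAP envelope carrying a UsernameToken in the Security header."""
    return (
        '<soap:Envelope xmlns:soap="%s"><soap:Header>'
        '<wsse:Security xmlns:wsse="%s" xmlns:wsu="%s"><wsse:UsernameToken>'
        '<wsse:Username>%s</wsse:Username>'
        '<wsse:Password Type="%s">%s</wsse:Password>'
        '<wsse:Nonce>%s</wsse:Nonce><wsu:Created>%s</wsu:Created>'
        '</wsse:UsernameToken></wsse:Security></soap:Header>'
        '<soap:Body>%s</soap:Body></soap:Envelope>'
        % (SOAP_NS, WSSE_NS, WSU_NS, username, PASSWORD_DIGEST,
           password_digest(nonce, created, password),
           base64.b64encode(nonce).decode(), created, body_xml))


class UsernameTokenVerifier:
    """Service side: checks the 'knows the password' claim without the password on the wire."""

    def __init__(self, passwords, max_age=timedelta(minutes=5)):
        self.passwords = passwords      # username -> password; an assumed credential store
        self.max_age = max_age          # freshness window for wsu:Created
        self.seen_nonces = set()        # replay cache; bound its lifetime to max_age in practice

    def verify(self, envelope_xml, now):
        token = ET.fromstring(envelope_xml).find(
            "soap:Header/wsse:Security/wsse:UsernameToken", NS)
        if token is None:
            return False, "no UsernameToken"
        user = token.findtext("wsse:Username", namespaces=NS)
        pwd = token.find("wsse:Password", NS)
        nonce_b64 = token.findtext("wsse:Nonce", namespaces=NS)
        created = token.findtext("wsu:Created", namespaces=NS)
        if None in (user, pwd, nonce_b64, created):
            return False, "incomplete token"
        if pwd.get("Type") != PASSWORD_DIGEST:
            return False, "only PasswordDigest is accepted"
        created_at = datetime.fromisoformat(created.replace("Z", "+00:00"))
        if abs(now - created_at) > self.max_age:
            return False, "Created outside freshness window"
        if nonce_b64 in self.seen_nonces:
            return False, "nonce replayed"
        password = self.passwords.get(user)
        if password is None:
            return False, "unknown user"
        expected = password_digest(base64.b64decode(nonce_b64), created, password)
        if not hmac.compare_digest(expected, pwd.text or ""):
            return False, "digest mismatch"
        self.seen_nonces.add(nonce_b64)
        return True, "ok"


def demo():
    """Constructed exchange: fresh request, replay, stale replay, wrong password."""
    verifier = UsernameTokenVerifier({"alice": "correct horse"})
    nonce = b"constructed-nonce"           # use os.urandom(16) in real code
    created = "2003-03-27T10:00:00Z"
    now = datetime(2003, 3, 27, 10, 0, 30, tzinfo=timezone.utc)
    good = build_request("alice", "correct horse", nonce, created, "<getTime/>")
    bad = build_request("alice", "wrong password", nonce + b"2", created, "<getTime/>")
    return (verifier.verify(good, now),
            verifier.verify(good, now),
            verifier.verify(good, now + timedelta(hours=1)),
            verifier.verify(bad, now))


if __name__ == "__main__":
    for ok, reason in demo():
        print(ok, reason)
```

Two caveats the slide's pairing with SSL/TLS hints at: the digest form keeps the password off the wire, but the service must hold the password (or an equivalent) to recompute it, and neither the body nor the Username are protected by the token, so transport security is still needed for confidentiality. The freshness check runs before the nonce lookup so that the replay cache only has to remember nonces from the last few minutes.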
WS Security Scenarios
All are built on SOAP based security token exchange
• Direct Trust using username/password (using SSL/TLS)
• Direct Trust using security token
• Security token acquisition
• Issued security token
• Enforcing business policy
• Web clients
• Mobile clients (gateway services)
• Enabling Federations
  ◆ Using trust chaining, security token exchange, credentials exchange
  ◆ Supporting delegation
• Access control
• Auditing
Web Services Security Architecture
WS-Security: describes how to attach signature and encryption headers to SOAP messages. In addition, it describes how to attach security tokens, including binary security tokens such as X.509 certificates, SAML, Kerberos tickets and others, to messages.
Core Specification - Web Services Security: SOAP Message Security
Specification stack (diagram, bottom to top):
• SOAP Foundation
• WS-Security
• WS-Policy, WS-Trust, WS-Privacy
• WS-SecureConversation, WS-Federation, WS-Authorisation