Securing Web
Services with
WS-Security
Demystifying WS-Security,
WS-Policy, SAML, XML Signature
and XML Encryption
jothy Rosenberg
David L. Remy
SAMS
Table of Contents
Forewords xx Introduction i Who This Book Is For 1 About This Book 1
How This Book Is Organized 2
I. Basic Concepts ofWeb Services Security 5 Web Services Basics: XML, SOAP, andWSDL 6
XML and XML Schema 6 SOAP 7
WSDL 9 UDDI 9
Application Integration 9
B2Ii Business Process Integration 10 Portals 11
Service-Oriented Architectures 11 Definition ofWeb Services 12 Security Basics 12
Shared Key and Public Key Technologies 13 Security Concepts and Definitions 16 Web Services Security Basics 19
XML Signature 19 XML Encryption 20 SAML 20 WS-Security 21 Trust Issues 22 OtherWS-Security-Related Specs 22 Sununary 22
2 The Foundations ofWeb Services 25 The Gestalt ofWeb Services 25
Application Integration 25
The Evolution ofDistributed Computing 2$ The Inevitability ofWeb Services 32
XML: Meta-Language for Data-Oriented Interchange 37
Where XML Came From and Why It's Important 38
XML and Web Services 39 XML Namespaces 39 XML Schema 42 XMLTransformations 43
XML's Role in Web Services Security 46 SOAP: XML Messaging and Remote Application Access 49
Where SOAP Came From andWhy It's Important 50 SOAP Envelope 52 SOAP Header 53 SOAP Body 53 SOAP Processing 55 SOAP Attachments 55
SOAP and Web Services Security 55 WSDL; Schema for XML/SOAP Objects and
Interfaces 56
Where WSDL Came From. and Why It's Important 56
WSDL Elements 58 WSDL and SOAP 61
WSDL and Web Services Security 61
UDDI: Publishing and DiscoveringWebServices 62 ebXML and RosettaNet: Alternative Technologies for Web Services 65
The Web Services Security Specifications 65 Summary 67
ä The Foundations of Distributed Message-Level Security 69
Tbre Challenges ofInformation Security for Web Services 69
Security of Distributed Systems Is Hard 69 Security ofExchanged Information (Messages) Is Harder 70
Viii Contents
Shared Key Technologies 72 Shared Key Encryption 72 Kerberos 75
Limitations ofShared Key Technologies 76 Public Key Technologies 76
Public Key Encryption 76
Limitations ofPublic Key Encryption 79 Digital Signature Basics 80
A Digital Signature Expressed in XML 85 Public Key Infrastructure 86
SSLTransport Layer Security 97 Summary 102
4 Safeguarding the Identity and Integrity of XMI. Messages 105
Introduction To and Motivation for XML Signature 105
AW3C Standard 105
Critical Building Block forWS-Security 105 Close Associations with Web Services
Security 106
The Goal ofEnsuring Integrity (and Usually Identity) and Non-repudiation Persistently 106 XML Signature and XML Encryption:
Fundamental Web Services Security Technologies 106
XML Signature Fundamentals 107 XML Signature Structure 107
Basic Structure 108
Specifying the Items Being Signed 109 Types ofXML Signatures 109
The SignatureElement Schema 113
XML Signature Processing 116 XML Signature Generation 1.17 XML SignatureValidation 119 The XML Signature Elements 120
The Signedinfo Element 120
The CanonicaliaationMethodElement and
The SignatureMethod Element 125 The Reference Element 125
The Transform Element 127 The DigestMethod Element 132 The Digestvalue Element 133 The signatureValue Element 133 The object Element 133
The Keyin£o Element 137
Security Strategies for XML Signature 140 Using Transforms 140
Mxowing the Security Model 141 KnowingYour Keys 142
Signing Object Elements 142
Signing DTDs with Entity References 142 Summary 144
5 Ensuring Confidentiality ofXML Messages 147
Introduction to and Motivation for XML Encryption 147
Relating XML Encryption and XML Signature 147
Critical Building Block for WS-Security 148 The Goal Is to Ensure Confidentiality of Messages from End to End with Different Recipients 149
Think Shared Key CryptographyWhenYou Think of XML Encryption 149
XML Encryption Will Become Part of the Infrastructure Like XML Signature 149 XML Encryption Fundamentals 150
XML Encryption Structure 151
EncryptedData:The Core ofXML Encryption 151 EncryptedData Schema 152 EncryptedType 153 EncryptionMethod 154 CipherData 154 EncryptionProperties 155 Contents ix
x Contents Keyinfo 156 Encrypt:edKey 157 AgreementMethod 159 ReferenceList 160 CarriedKeyName 161 Super Encryption 162 XML Encryption Processing 1.63 Encryption Process 163 Decryption Process 164
Using XML Encryption and XML Signature Together 165
The Decryption Transform for XML Signature 168
XML Encryption and XML Signature Strategies 175
Summary 176
6 Portable Identity, Authentication, and Authorization 3,77
Introduction to and Motivation for SAML 178 The Problems SAML Addresses 179
Transporting Identity or "Portable Trust" 181 The Concept ofTrust Assertions 181
How SAML Works 181 SAML Assertions 184
SAML Producers and Consumers 188 SAML Protocol 189
Authorization Request 191 SAML Bindings 192 SAML Profiles 194
Using SAML with WS-Security 195 Tile WS-Security SAML Profile 196 Applying SAML: Project Liberty 197
The Identity Problem 197 Federated Identity 197 How Liberty Uscs SAML 198 The Microsoft Passport Alternative Approach 199
8 Communicating Security Policy 235 WS-Policy 235
WS-Policy and WSDL 236
WS-Policy and WS-SecurityPolicy 236 The WS-Policy Framework 237
WS-Policy Details 238 WS-PolicyAssertions 240 WS-PofcyAttachment 241
SpecifyingWS-Policy in WSDL 242
Contents 7 Building Security into SOAP 201
Introduction to and Motivation forWS-Security 201 Problems and Goals 201
The Origins ofWS-Security 205 WS-Security Is Foundational 206 Extending SOAP with Security 206 Security Tokens inWS-Security 208
UsernameToken 209
BinarySecuri.t:yTokens 21.2 XML Tokens 215
Referencing Security Tokens 220 Providing Confidentiality: XML Encryption in WS-Security 222
Shared Key XML Encryption 222 Wrapped Key XML Encryption 223 Encrypting Attachments 224
WS-Security Encryption Summary 227 Providing Integrity: XML Signature in
WS-Security 227
XML Signature forValidating a Security Token 227
XML Signature for Message Integrity 228 XML Signature in WS-Security
Considerations 228
WS-Security XML Signature Example 228 Signing a Security Token Reference 229 Message Time Stamps 230
x1i Contents WS-SecurityPolicy 245 SecurityToken 245 integrity 248 Confidentiality 250 Visibility 251 SecurityHeader 252 MessageAge 253 Summary 253
9 . Trust, Access Control, and Rights for Web Services 255
The WS-* Family of Security Specifications 255 WS-* Security Specifications forTrust Relationships 258
WS-* Security Specifications for Interoperabiiity 265
WS-* Security Specifications for Integration 269
XML Key Management Specification (XKMS) 272 Origins ofXKMS 272
Goals of XKMS 272 The XKMS Services 273
eXtensible Access Control Markup Language (XACML) Specification 279
The XACML Data Model 280 XACML Operation 281 XACML Policy Example 282 eXtensible Rights Markup Language (XrML) Management Specification 284
The XrML Data Model 285
XrML Use Case Example 285 Summary 290
10 Building a Secure Web Service Using BEA's WebLogic Workshop 293
Security Layer Walkthrough 294 Transport-Level Security 295 Message-Level Security 296 Role-Based Security 297
WebLogic Workshop Web Service Walkthrough 297 Transport Security 302
Message-Based Security 312 Summary 330
A Security, Cryptography, and Protocol Background Material 331
The SSL Protocol 331 Testing for Primality 333 RSA Cryptography 334
Choosing RSA Key Pairs 335 Padding 335
RSA Encryption 335 RSA Decryption 336
DSA Digital Signature Algorithms 336 DSA. Key Generation 336 DSA Algorithm Operation 337 Block Cipher Processing 337
Block Cipher Padding (PKCS#5) 337 Block Cipher Feedback 338
DES Encryption Algoritluii 338 AES Encryption Algorithm 339 Hashing Details and Requirements 339
Motivation for Using Hash Functions 340 Requirements for Digital Signature 340 SHA1 340
Collision Resistance 341 Security 341
Simplicity and Efficiency 341
Silvio Micali's FastValidation/Revocation. 341 Vilidity Check 342
Revocation 343
Canonicalization ofMessages for Digital Signature Manifests 343
CanonicalizationV1 Transform Steps 343 . Canonicalization Subtleties: E%clusive Canonicalization 344
AV Contents
Base-64 Encoding 345 PGP 346
Glossary 347 Index 367
