Securing Web Services with WS-Security

Book Description

Comprehensive coverage is given in this up-to-date and practical guide to Web services security, the first to cover the final release of the new standards SAML 1.1 and WS-Security. Rosenberg and Remy are security experts who co-founded GeoTrust, the #2 Web site certificate authority.

Table of Contents

  1. Copyright
  2. About the Authors
  3. Acknowledgments
  4. We Want to Hear from You!
  5. Forewords
    1. Securing Web Services to Deliver on Their Promise
    2. Building the Foundation for Agile Computing
  6. Introduction
    1. Who This Book Is For
    2. About This Book
    3. How This Book Is Organized
  7. 1. Basic Concepts of Web Services Security
    1. Web Services Basics: XML, SOAP, and WSDL
      1. XML and XML Schema
      2. SOAP
      3. WSDL
      4. UDDI
    2. Application Integration
      1. B2B Business Process Integration
      2. Portals
      3. Service-Oriented Architectures
      4. Definition of Web Services
    3. Security Basics
      1. Shared Key and Public Key Technologies
        1. Cryptography
        2. Keys
        3. Shared Key Cryptography
        4. Public Key Cryptography
      2. Security Concepts and Definitions
        1. Authentication
        2. Authorization
        3. Integrity
        4. Confidentiality
        5. Non-repudiation
    4. Web Services Security Basics
      1. XML Signature
      2. XML Encryption
      3. SAML
      4. WS-Security
      5. Trust Issues
      6. Other WS-Security–Related Specs
    5. Summary
  8. 2. The Foundations of Web Services
    1. The Gestalt of Web Services
      1. Application Integration
        1. Enterprise Application Integration
        2. B2C and B2B Application Integration
        3. Automating Business Processes
        4. Information Aggregation Portals
      2. The Evolution of Distributed Computing
        1. Middleware
        2. The Web: The Global Network for Information Exchange
      3. The Inevitability of Web Services
      4. Security Challenges
        1. Identities
        2. Messages
        3. Service-Oriented Architectures
    2. XML: Meta-Language for Data-Oriented Interchange
      1. Where XML Came From and Why It's Important
      2. XML and Web Services
      3. XML Namespaces
      4. XML Schema
      5. XML Transformations
        1. XPath
        2. XSLT
        3. XQuery
        4. XMLBeans
      6. XML's Role in Web Services Security
    3. SOAP: XML Messaging and Remote Application Access
      1. Where SOAP Came From and Why It's Important
      2. SOAP Envelope
      3. SOAP Header
      4. SOAP Body
      5. SOAP Processing
      6. SOAP Attachments
      7. SOAP and Web Services Security
    4. WSDL: Schema for XML/SOAP Objects and Interfaces
      1. Where WSDL Came From and Why It's Important
      2. WSDL Elements
      3. WSDL and SOAP
      4. WSDL and Web Services Security
    5. UDDI: Publishing and Discovering Web Services
    6. ebXML and RosettaNet: Alternative Technologies for Web Services
    7. The Web Services Security Specifications
    8. Summary
  9. 3. The Foundations of Distributed Message-Level Security
    1. The Challenges of Information Security for Web Services
      1. Security of Distributed Systems Is Hard
      2. Security of Exchanged Information (Messages) Is Harder
      3. Security of Web Services Is Hardest
    2. Shared Key Technologies
      1. Shared Key Encryption
      2. Kerberos
      3. Limitations of Shared Key Technologies
    3. Public Key Technologies
      1. Public Key Encryption
      2. Limitations of Public Key Encryption
      3. Digital Signature Basics
        1. Hashing the Message to Create a Message Digest
        2. Public Key Encryption of the Message Digest
        3. Digital Signature Signing Process
        4. Digital Signature Verification Process
        5. Integrity Without Non-Repudiation
      4. A Digital Signature Expressed in XML
      5. Public Key Infrastructure
        1. Digital Certificates Are Containers for Public Keys
        2. Certificate Authorities Issue (and Sign) Digital Certificates
        3. CAs Must Be Trusted or Vouched For by a Trusted CA
        4. Root CAs Are Trusted by Everyone
        5. Key Escrow for Recovering Lost Private Keys
        6. Certificate Revocation for Dealing with Public Keys Gone Bad
          1. CRL Certificate Revocation Checking
          2. OCSP Certificate Revocation Checking
        7. Trust Services
          1. Key Management Services
          2. Digital Signature Services
          3. Single Sign-On Services
          4. Access Control Services
          5. Security in a Box
          6. Billing and Metering Services
      6. SSL Transport Layer Security
        1. A Description of the SSL Protocol
    4. Summary
  10. 4. Safeguarding the Identity and Integrity of XML Messages
    1. Introduction To and Motivation for XML Signature
      1. A W3C Standard
      2. Critical Building Block for WS-Security
      3. Close Associations with Web Services Security
      4. The Goal of Ensuring Integrity (and Usually Identity) and Non-repudiation Persistently
      5. XML Signature and XML Encryption: Fundamental Web Services Security Technologies
    2. XML Signature Fundamentals
    3. XML Signature Structure
      1. Basic Structure
      2. Specifying the Items Being Signed
      3. Types of XML Signatures
        1. Enveloping Signatures
        2. Enveloped Signatures
        3. Detached Signatures
      4. The Signature Element Schema
    4. XML Signature Processing
      1. XML Signature Generation
        1. Reference Generation
        2. Signature Generation
      2. XML Signature Validation
        1. Reference Validation
        2. Signature Validation
    5. The XML Signature Elements
      1. The SignedInfo Element
      2. The CanonicalizationMethod Element and Canonicalization
        1. Canonicalization Actions from Canonical XML Version 1.0
        2. Canonicalization Subtleties: Exclusive Canonicalization
      3. The SignatureMethod Element
      4. The Reference Element
      5. The Transform Element
        1. Canonicalization Transform
        2. Base-64 Transform
        3. XPath Filtering Transform
        4. Enveloped Signature Transform
        5. XSLT Transform
        6. XPath Filter 2.0 Transform
      6. The DigestMethod Element
      7. The DigestValue Element
      8. The SignatureValue Element
      9. The Object Element
        1. The Manifest Element
        2. The SignatureProperties Element
      10. The KeyInfo Element
        1. KeyName
        2. KeyValue
        3. RetrievalMethod
        4. X509Data
        5. PGPData
        6. SPKIData
    6. Security Strategies for XML Signature
      1. Using Transforms
        1. Only What Is Signed Is Secure
        2. Only What Is Seen Should Be Signed
        3. “See” What Is Signed
      2. Knowing the Security Model
      3. Knowing Your Keys
      4. Signing Object Elements
      5. Signing DTDs with Entity References
    7. Summary
  11. 5. Ensuring Confidentiality of XML Messages
    1. Introduction to and Motivation for XML Encryption
      1. Relating XML Encryption and XML Signature
      2. Critical Building Block for WS-Security
      3. The Goal Is to Ensure Confidentiality of Messages from End to End with Different Recipients
      4. Think Shared Key Cryptography When You Think of XML Encryption
      5. XML Encryption Will Become Part of the Infrastructure Like XML Signature
    2. XML Encryption Fundamentals
    3. XML Encryption Structure
      1. EncryptedData: The Core of XML Encryption
      2. EncryptedData Schema
      3. EncryptedType
      4. EncryptionMethod
      5. CipherData
        1. CipherValue
        2. CipherReference
      6. EncryptionProperties
      7. KeyInfo
      8. EncryptedKey
      9. AgreementMethod
      10. ReferenceList
      11. CarriedKeyName
      12. Super Encryption
    4. XML Encryption Processing
      1. Encryption Process
        1. 1. Choose an Encryption Algorithm
        2. 2. Obtain an Encryption Key and Optionally Represent It
        3. 3. Serialize Message Data
        4. 4. Encrypt the Data
        5. 5. Specify the Data Type
        6. 6. Build the Corresponding EncryptedData Structure
      2. Decryption Process
        1. 1. Get Algorithm, Parameters, and KeyInfo
        2. 2. Locate the Key
        3. 3. Decrypt Data
        4. 4. Process XML Elements or XML Element Content
        5. 5. Process Non–XML Element (Type Not Specified)
    5. Using XML Encryption and XML Signature Together
      1. The Decryption Transform for XML Signature
      2. XML Encryption and XML Signature Strategies
    6. Summary
  12. 6. Portable Identity, Authentication, and Authorization
    1. Introduction to and Motivation for SAML
      1. The Problems SAML Addresses
      2. Transporting Identity or “Portable Trust”
      3. The Concept of Trust Assertions
    2. How SAML Works
      1. SAML Assertions
        1. Authentication Assertions
        2. Attribute Assertions
        3. Authorization Assertions
      2. SAML Producers and Consumers
      3. SAML Protocol
        1. Authentication Request
        2. Attribute Request
      4. Authorization Request
        1. SAML Protocol Response
      5. SAML Bindings
      6. SAML Profiles
    3. Using SAML with WS-Security
      1. The WS-Security SAML Profile
    4. Applying SAML: Project Liberty
      1. The Identity Problem
      2. Federated Identity
      3. How Liberty Uses SAML
        1. Account Linking
        2. Authentication Context
        3. Liberty's SAML Profiles
      4. The Microsoft Passport Alternative Approach
    5. Summary
  13. 7. Building Security into SOAP
    1. Introduction to and Motivation for WS-Security
      1. Problems and Goals
        1. HTTP Transport Security Versus Message Security
      2. The Origins of WS-Security
      3. WS-Security Is Foundational
    2. Extending SOAP with Security
    3. Security Tokens in WS-Security
      1. UsernameToken
        1. UsernameToken with Clear-Text Password
        2. UsernameToken with PasswordDigest
          1. Username PasswordDigest Algorithm
          2. UsernameToken PasswordDigest Summary
      2. BinarySecurityTokens
        1. X.509 V3 Certificate
        2. Kerberos Tokens
      3. XML Tokens
        1. SAML Tokens
        2. XrML Tokens
        3. XCBF Tokens
      4. Referencing Security Tokens
    4. Providing Confidentiality: XML Encryption in WS-Security
      1. Shared Key XML Encryption
      2. Wrapped Key XML Encryption
      3. Encrypting Attachments
      4. WS-Security Encryption Summary
    5. Providing Integrity: XML Signature in WS-Security
      1. XML Signature for Validating a Security Token
      2. XML Signature for Message Integrity
      3. XML Signature in WS-Security Considerations
      4. WS-Security XML Signature Example
      5. Signing a Security Token Reference
    6. Message Time Stamps
    7. Summary
  14. 8. Communicating Security Policy
    1. WS-Policy
      1. WS-Policy and WSDL
      2. WS-Policy and WS-SecurityPolicy
    2. The WS-Policy Framework
      1. WS-Policy Details
      2. WS-PolicyAssertions
        1. TextEncoding
        2. Language
        3. SpecVersion
        4. MessagePredicate
      3. WS-PolicyAttachment
        1. Arbitrary Resource Attachment
      4. Specifying WS-Policy in WSDL
    3. WS-SecurityPolicy
      1. SecurityToken
        1. Username Token Claims
        2. X509v3 Token Claims
      2. Integrity
      3. Confidentiality
      4. Visibility
      5. SecurityHeader
      6. MessageAge
    4. Summary
  15. 9. Trust, Access Control, and Rights for Web Services
    1. The WS-* Family of Security Specifications
      1. WS-* Security Specifications for Trust Relationships
        1. WS-Trust
          1. <RequestSecurityToken>
          2. <RequestSecurityTokenResponse>
        2. WS-Privacy
      2. WS-* Security Specifications for Interoperability
        1. WS-Policy
        2. WS-SecureConversation
          1. <SecurityContextToken>
          2. Establishing a Security Context
      3. WS-* Security Specifications for Integration
        1. WS-Federation
        2. WS-Authorization
    2. XML Key Management Specification (XKMS)
      1. Origins of XKMS
      2. Goals of XKMS
      3. The XKMS Services
        1. X-KISS
        2. X-KRSS
    3. eXtensible Access Control Markup Language (XACML) Specification
      1. The XACML Data Model
      2. XACML Operation
      3. XACML Policy Example
    4. eXtensible Rights Markup Language (XrML) Management Specification
      1. The XrML Data Model
      2. XrML Use Case Example
    5. Summary
  16. 10. Building a Secure Web Service Using BEA's WebLogic Workshop
    1. Security Layer Walkthrough
      1. Transport-Level Security
      2. Message-Level Security
      3. Role-Based Security
    2. WebLogic Workshop Web Service Walkthrough
      1. Transport Security
      2. Message-Based Security
    3. Summary
  17. A. Security, Cryptography, and Protocol Background Material
    1. The SSL Protocol
    2. Testing for Primality
    3. RSA Cryptography
      1. Choosing RSA Key Pairs
      2. Padding
      3. RSA Encryption
      4. RSA Decryption
    4. DSA Digital Signature Algorithms
      1. DSA Key Generation
      2. DSA Algorithm Operation
    5. Block Cipher Processing
      1. Block Cipher Padding (PKCS#5)
      2. Block Cipher Feedback
    6. DES Encryption Algorithm
    7. AES Encryption Algorithm
    8. Hashing Details and Requirements
      1. Motivation for Using Hash Functions
      2. Requirements for Digital Signature
    9. SHA1
      1. Collision Resistance
      2. Security
      3. Simplicity and Efficiency
    10. Silvio Micali's Fast Validation/Revocation
      1. Validity Check
      2. Revocation
    11. Canonicalization of Messages for Digital Signature Manifests
      1. Canonicalization V1 Transform Steps
      2. Canonicalization Subtleties: Exclusive Canonicalization
    12. Base-64 Encoding
    13. PGP
  18. Glossary