Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
(WS-Security, SAML)
Gustavo Alonso
Computer Science Department
Swiss Federal Institute of Technology (ETHZ)
alonso@inf.ethz.ch
http://www.iks.inf.ethz.ch/
Web Services Security Standards
Security Standards Overview
WS-Security
XML Messaging
XML Signature
SOAP
XML Encryption
XML
HTTPS
Transport
WS-Authorization
XACML
WS-SecurityPolicy
WS-SecureConversation XKMS
WS-Federation
SAML
WS-Trust
WS-Security
SOAP
Signature Validation
1. Canonicalize the <SignedInfo> element
2. Get the Key following the <KeyInfo> element
3. Compute the hash with the <SignatureMethod>
4. Compare it with the <SignatureValue>
<Signature> <Signature>
<XML> <Reference> <Reference>
Canonical Form
<XML> <XML>
Enveloped-Signature
<Signature>
Transform
<Reference>
<Transform>
Encrypted XML
Encrypted XML
Encrypted XML
Encrypted XML
SOAP
SOAP
HTTPS HTTPS
Secure Secure
Point to Point Point to Point
Transport Transport
©Gustavo Alonso, D-INFK. ETH Zurich 26
XML Encryption Example
<Employee> Original XML Document
<ID>222-654-456</ID>
<Name>Markus Bach</Name>
<Salary currency=“CHF”>100000</Salary>
</Employee>
Additional Metadata
<CipherData>
<CipherValue>BA234C96D1</CipherValue>
</CipherData>
Base 64 Encoded
<CipherReference>
reference to an URL of the encrypted data.
Can include a pipeline of Transform elements like XML
Signature, that specify how to filter the referenced data
before it is decrypted
<EncryptedData
<XML Document> id=“Salary”>
<EncryptedData>
<KeyInfo> <EncryptedData
id=“CreditCard”>
<KeyName>MyKey
<EncryptedKey>
<ReferenceList>
<DataReference
<EncryptedKey> URI=“#Salary”/>
<CarriedKeyName> <DataReference
MyKey URI=“#CreditCard”/>
Envelope
Header
wsse:Security
Signatures for Body
Security Tokens
and for Tokens
Body
Encrypted Body
X509
Token Web
Requester Service
Signature
Private Key Public Key
2. Send Message
Token Web
Requester
Service
Web
Service
(Airline)
Assertion
Authentication Query Single
Request Logout Name
Identifier
Mapping
SAML
Authority
Subject
Management
SAML
Authority
©Gustavo Alonso, D-INFK. ETH Zurich 60
Putting it all together
Service SAML
Client
Provider Authority
5. Forward (AA)
6. Verify (AA)
Optional
7. SOAP Response
Authorization Rule
1 6 – SAML Response
Policy Target
Access Resource
Point (PAP) Environment
©Gustavo Alonso, D-INFK. ETH Zurich 66