Why message-level security (e.g. WS-Security) is better than transport-level security (e.g. TLS/SSL):
- End-to-end security: message-level XML-Encryption protects sensitive data also in the intermediaries / external proxies. The point-to-point security TLS/SSL doesn't prevent the intermediaries to read the sensitive data.
- With WS-Encryption it's also possible to encrypt only a part of the messages for flexibility (e.g. in case the intermediary proxy need to peek the unencrypted part) or performance (it's cheaper to encrypt/decrypt only portions of the messages).
- The message-level security (e.g. WSS Authentication, XML-Encryption, XML-Signature) is independent to the protocols thus it offers more flexibility to send SOAP messages across different protocols (e.g. http, jms, ftp).
On the other hand, message-level security
has also
disadvantages:
- Performance (encrypt/decrypt, validate): processing time & increased message size
- Configuration & Maintenance (but can be easier using declarative policy)
- Can not peek the message values during development & debug
- More complex, more difficult to find developers who master
Transport level security (TLS/SSL)
Security protocol for internet communication with web protocol (e.g. web application, web services SOAP/REST)
Authentication
The basic authentication scheme is by passing the credentials (userid & password) in the http header. This can be improved using password digest: the credentials are hashed (so that the attacker can not read the password) & using nonce (to prevent reply attack)
SSL
Certificates can be used for authentication, encryption and signature (non repudiation)
How
by setting in the web server (e.g. Weblogic, Apache, Tomcat): basically enabling the https listening port and register the location of keystore/certificates.
Message standard for SOAP web services security e.g. WS-Security (WSS), WS-Policy.
How:
- Java: using handler/adapter to insert WSS header in the request and remove the WSS header in the received response. The handler also encrypt/decrypt the data. Futher info: read book by Kanneganti.
- Java using Rampart/Axis2 framework: set security context (e.g. keystore) in the request, define security policy in the wsdl. Futher info: read book by Tong.
- OSB: using OWSM by defining policy. Futher info: read OSB development cookbook by Schmutz et.al.
Messages examples:
WSS Authentication using user password token
<soapenv:Header>
<wsse:Security xmlns:wsse=".../oasis-200401-wsswssecurity-secext-1.0.xsd">
<wsse:UsernameToken>
<wsse:Username>myname</wsse:Username>
<wsse:Password>mypasswd</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
</soapenv:Header>
WSS Authentication using password digest
<wsse:UsernameToken>
<wsse:Username>myname</wsse:Username>
<wsse:Password Type=" http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">thepasswoorddigest</wsse:Password>
<wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" >thenonce</wsse:Nonce>
<wsu:Created>2011-01-11T11:11:11.111Z</wsu:Created>
</wsse:UsernameToken>
WSS Encryption and Signature
The encrypted data is stored in <xenc:CipherData> inside <xenc:EncryptedData> in the body. The <ds:KeyInfo> inside <xenc:EncryptedData> in the body refers to the key information <xenc:EncryptedKey> in the header. So in this example the key is also sent in the message (in the <xenc:CipherData> inside <xenc:EncryptedKey> in the header) but there is also a scheme where you can reuse the key so you don't have to resent it everytime.
In this example we show also the use of signature, the signature is in the <ds:Signature> and the client key signature information is in the <wsse:BinarySecurityToken> both in the message header.
<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<soap:Header>
<wsse:Security xmlns:wsse="..." soap:mustUnderstand="1">
<xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
Id="EncKeyId-9B0F450EB80863260412615456546075">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<wsse:SecurityTokenReference
xmlns:wsse="...">
<ds:X509Data>
<ds:X509IssuerSerial>
<ds:X509IssuerName>CN=CA...<ds:X509IssuerName>
<ds:X509SerialNumber>4</ds:X509SerialNumber>
</ds:X509IssuerSerial>
</ds:X509Data>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>Pgdgg...cpL4gIc=</xenc:CipherValue>
</xenc:CipherData>
<xenc:ReferenceList>
<xenc:DataReference URI="#EncDataId-2" />
</xenc:ReferenceList>
</xenc:EncryptedKey>
<wsse:BinarySecurityToken .
ValueType="...oasis-200401-wss-x509-token-profile-1.0#X509v3"
wsu:Id="CertId-9B0F450EB80863260412615456546075">M34634347D4=
</wsse:BinarySecurityToken>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
Id="Signature-1">
...
</ds:Signature>
</wsse:Security>
</soap:Header>
<soap:Body xmlns:wsu="..." wsu:Id="Id-16874657">
<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
Id="EncDataId-2" Type="http://www.w3.org/2001/04/xmlenc#Content">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<wsse:SecurityTokenReference xmlns:wsse="...">
<wsse:Reference xmlns:wsse="..."
URI="#EncKeyId-9B0F450EB80863260412615456546075" />
</wsse:SecurityTokenReference>
</ds:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>tdfgdfgdg...yk5H</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
</soap:Body>
</soap:Envelope>
See also:
Web Service Security: Threats & Countermeasures
Please share your comment.
References:
• SOA Security by Kanneganti
Oracle Service Bus 11g Development Cookbook by Schmutz & Biemond et.al.
Developing Web Services with Apache CXF and Axis2 by Tong