WS-Security Additional Material

Security Element: enclosing information
- UsernameToken block
- BinarySecurityToken block

UsernameToken block
- Defines how username-and-password information is enclosed in a SOAP message
- The password must be protected against eavesdroppers (encryption, or sending only a digest of it) and against replay (timestamp and nonce)

BinarySecurityToken block
- Encloses binary data, e.g. an X.509 certificate or a Kerberos ticket
- Has an identifier (wsu:Id), a token type (ValueType, e.g. ...#X509v3) and an encoding (EncodingType, e.g. ...#Base64Binary)
- XML Signature: ds:KeyInfo may point to the certificate used for signing through a Reference to the token's Id; XML Encryption works the same way
- So we can sign or encrypt data with a certificate carried in the header

ID References
- A new global attribute, wsu:Id:
    <anyElement wsu:Id="..">..</anyElement>
- Note that the SOAP processor needs to support wsu:Id, which is defined in the WS-Security utility namespace (wsu, wssecurity-utility-1.0.xsd)
- Recipients do not need to understand the full schema of the message in order to process the security elements
- Two wsu:Id attributes within an XML document MUST NOT have the same value
- It is recommended that wsu:Id is used instead of a more general transformation, especially XPath

Signatures
- Does not use the Enveloped Signature Transform
- Does not use the Enveloping Signature
- So the signature does not envelope the signed data, and it is not appended as a child of the document root: SOAP headers are mutable (intermediaries may add or remove them), so a signature over the whole document would not survive
- Instead the signature is appended to the security block
- The elements to be signed are included explicitly, by reference
- Allows for extensions, multiple signatures, etc.

Signing Messages
- Multiple signature entries MAY be added into a single SOAP Envelope within one <wsse:Security> header block
- <ds:Reference> elements contained in the signature should refer to a resource within the enclosing SOAP envelope
- <wsse:SecurityTokenReference> MUST be prepended to the existing content
- How to locate a key in a security token?
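The UsernameToken slide above says the password must be protected against eavesdropping and replay; the following is an added example (not part of the lecture material) showing both sides of the mechanism the WSS UsernameToken Profile 1.0 defines for that: the sender puts PasswordDigest = Base64(SHA-1(nonce || created || password)) on the wire instead of the password, and the receiver recomputes the digest, enforces a freshness window on wsu:Created and rejects any nonce it has already accepted. The user store, the token's wsu:Id value, the five-minute window and the sample nonce and timestamp are constructed for the example; the namespace and type URIs are the standard ones.

```python
import base64
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Standard WSS 1.0 / UsernameToken Profile 1.0 identifiers
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PASSWORD_DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
BASE64_BINARY = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
NS = {"wsse": WSSE, "wsu": WSU}
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_time(s):
    return datetime.strptime(s, TIME_FMT).replace(tzinfo=timezone.utc)


def password_digest(nonce, created, password):
    """PasswordDigest = Base64(SHA-1(nonce || created || password)); nonce is the raw (decoded) bytes."""
    h = hashlib.sha1(nonce + created.encode("utf-8") + password.encode("utf-8"))
    return base64.b64encode(h.digest()).decode("ascii")


def build_username_token(username, password, nonce=None, created=None):
    """Sender side: a UsernameToken that never carries the clear-text password."""
    nonce = nonce if nonce is not None else secrets.token_bytes(16)
    created = created or datetime.now(timezone.utc).strftime(TIME_FMT)
    return (
        f'<wsse:UsernameToken xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" wsu:Id="UsernameToken-1">'
        f"<wsse:Username>{username}</wsse:Username>"
        f'<wsse:Password Type="{PASSWORD_DIGEST}">{password_digest(nonce, created, password)}</wsse:Password>'
        f'<wsse:Nonce EncodingType="{BASE64_BINARY}">{base64.b64encode(nonce).decode("ascii")}</wsse:Nonce>'
        f"<wsu:Created>{created}</wsu:Created>"
        "</wsse:UsernameToken>"
    )


class UsernameTokenVerifier:
    """Receiver side: recompute the digest, enforce freshness, and accept each nonce only once."""

    def __init__(self, passwords, max_skew_seconds=300):
        self.passwords = passwords                       # constructed user store: username -> password
        self.max_skew = timedelta(seconds=max_skew_seconds)
        self.seen_nonces = {}                            # replay cache: nonce bytes -> created time

    def verify(self, token_xml, now_iso):
        now = parse_time(now_iso)
        # Entries older than the window would be rejected by the timestamp check anyway,
        # so dropping them keeps the cache bounded without weakening replay protection.
        self.seen_nonces = {n: t for n, t in self.seen_nonces.items() if now - t <= self.max_skew}

        root = ET.fromstring(token_xml)
        username = root.findtext("wsse:Username", namespaces=NS)
        pw = root.find("wsse:Password", NS)
        nonce_el = root.find("wsse:Nonce", NS)
        created = root.findtext("wsu:Created", namespaces=NS)
        if pw is None or pw.get("Type") != PASSWORD_DIGEST:
            return False, "only PasswordDigest is accepted"
        if nonce_el is None or created is None:
            return False, "nonce and created are required for replay protection"
        created_dt = parse_time(created)
        if abs(now - created_dt) > self.max_skew:
            return False, "created timestamp outside the freshness window"
        nonce = base64.b64decode(nonce_el.text)
        if nonce in self.seen_nonces:
            return False, "nonce already seen: replay"
        password = self.passwords.get(username)
        if password is None:
            return False, "unknown user"
        expected = password_digest(nonce, created, password)
        if not hmac.compare_digest(expected, (pw.text or "").strip()):
            return False, "digest mismatch"
        self.seen_nonces[nonce] = created_dt
        return True, "ok"
```

The digest is bound to the nonce and the timestamp, so an eavesdropper who captures the token cannot alter wsu:Created to keep it fresh (the digest no longer matches) and cannot resend it unchanged (the nonce is already in the cache). The receiver still has to hold the clear-text password to recompute the digest, which is why this mechanism is normally combined with transport or message encryption.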
SecurityTokenReference
- Extensible mechanism that provides an open content model for referencing security tokens
- The specification considers only its use in a header block
- A new reference option for XML Signature

STR Dereference Transform
- Applied to a SecurityTokenReference
- Means that the output is the token referenced by the element, not the element itself
- So you can conveniently locate and sign security tokens anywhere in the header

XML Encryption Example
[Figure: asymmetric key pair. The sender encrypts with the recipient's public key; the recipient decrypts with the matching private key.]

XML Encryption (structure of EncryptedData; "?" marks an optional part)
    <EncryptedData Id? Type? MimeType? Encoding?>
      <EncryptionMethod/>?
      <ds:KeyInfo>
        <EncryptedKey>?
        <AgreementMethod>?
        <ds:KeyName>?
        <ds:RetrievalMethod>?
        <ds:*>?
      </ds:KeyInfo>?
      <CipherData>
        <CipherValue>?
        <CipherReference URI?>?
      </CipherData>
      <EncryptionProperties>?
    </EncryptedData>

Example
SOAP Envelope
  SOAP Header
    WS-Security block
    - Security token (a certificate)
    - Encryption key (passing the symmetric key)
    - Signature
  SOAP Body
    Encrypted content

Overall message structure (the numbers refer to the detailed slides that follow)
    <?xml version="1.0" encoding="utf-8"?>
    <soap:Envelope>
      <soap:Header>
        <wsse:Security>                                            <!-- security block -->
          <wsse:BinarySecurityToken>...</wsse:BinarySecurityToken> <!-- 1 -->
          <xenc:EncryptedKey>...</xenc:EncryptedKey>               <!-- 2 -->
          <ds:Signature>                                           <!-- 3 -->
            <ds:SignedInfo>...</ds:SignedInfo>
            <ds:SignatureValue>...</ds:SignatureValue>
            <ds:KeyInfo>...</ds:KeyInfo>
          </ds:Signature>
        </wsse:Security>
      </soap:Header>
      <soap:Body wsu:Id="body">
        <xenc:EncryptedData>...</xenc:EncryptedData>               <!-- 4 -->
      </soap:Body>
    </soap:Envelope>

1. Binary security token
    <wsse:Security>
      <wsu:Timestamp wsu:Id="T0">
        <wsu:Created>2001-09-13T08:42:00Z</wsu:Created>
      </wsu:Timestamp>
      <wsse:BinarySecurityToken ValueType="...#X509v3" wsu:Id="X509Token"
                                EncodingType="...#Base64Binary">
        ABCDEF....
      </wsse:BinarySecurityToken>
      <xenc:EncryptedKey>...</xenc:EncryptedKey>
      <ds:Signature>...</ds:Signature>
    </wsse:Security>

2. Passing encryption key
    <xenc:EncryptedKey>
      <xenc:EncryptionMethod Algorithm="...#rsa-1_5"/>
      <ds:KeyInfo>
        <wsse:KeyIdentifier EncodingType="...#Base64Binary" ValueType="...#X509v3">
          ABCDEF....
        </wsse:KeyIdentifier>
      </ds:KeyInfo>
      <xenc:CipherData>
        <xenc:CipherValue>...</xenc:CipherValue>
      </xenc:CipherData>
      <xenc:ReferenceList>
        <xenc:DataReference URI="#enc1"/>
      </xenc:ReferenceList>
    </xenc:EncryptedKey>
  Callouts on the slide:
  - EncryptedKey: this one carries the key for the symmetric crypto that protects the body
  - KeyIdentifier: we are using another certificate (the recipient's, not the signing certificate of slide 1) for the asymmetric crypto; its public key wraps the symmetric key
  - CipherValue: the encrypted symmetric key
  - ReferenceList/DataReference: reference to the cipher data (the EncryptedData with wsu:Id "enc1") that this symmetric key decrypts
  - Caveat: rsa-1_5 (PKCS#1 v1.5 padding) is the algorithm of the original specification examples; XML Encryption 1.1 recommends rsa-oaep for key transport

3. Actual signature
    <ds:Signature>
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://...-exc-c14n#"/>   <!-- exclusive canonicalization -->
        <ds:SignatureMethod Algorithm="http://...#rsa-sha1"/>
        <ds:Reference URI="#T0">...</ds:Reference>      <!-- references and digests to the signed data -->
        <ds:Reference URI="#body">...</ds:Reference>
        ....
      </ds:SignedInfo>
      <ds:SignatureValue>.....</ds:SignatureValue>
      <ds:KeyInfo>
        <wsse:SecurityTokenReference>
          <wsse:Reference URI="#X509Token"/>            <!-- reference to the certificate -->
        </wsse:SecurityTokenReference>
      </ds:KeyInfo>
    </ds:Signature>

3. SignedInfo in more detail
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://...-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://...#rsa-sha1"/>
      <ds:Reference URI="#T0">
        <ds:Transforms>
          <ds:Transform Algorithm="http://...exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://...#sha1"/>
        <ds:DigestValue>...</ds:DigestValue>
      </ds:Reference>
      <ds:Reference URI="#body">
        <ds:Transforms>
          <ds:Transform Algorithm="http://...exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://...#sha1"/>
        <ds:DigestValue>...</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
  Caveat: rsa-sha1 and sha1 are the algorithms of the original specification examples; SHA-1 is no longer acceptable for signatures, so current deployments use rsa-sha256 and sha256.

4. Actual message body
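Every security element in the message above locates its target by wsu:Id: the two ds:Reference elements (#T0, #body), the xenc:DataReference (#enc1) and the wsse:Reference to the certificate (#X509Token). The following is an added example (not part of the lecture material) of the reference-resolution step a receiver performs before it hands anything to the signature or decryption routine: it indexes every wsu:Id, rejects duplicates (which the specification forbids), checks that every reference points inside the envelope, and then reports whether the elements the signature actually covers are the soap:Body and the Timestamp the receiver is about to process. The envelope is constructed to mirror the slides, with placeholder cipher and digest values; the namespace URIs are the standard ones.

```python
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
XENC = "http://www.w3.org/2001/04/xmlenc#"
NS = {"soap": SOAP, "wsse": WSSE, "wsu": WSU, "ds": DS, "xenc": XENC}
WSU_ID = "{%s}Id" % WSU

# Constructed message mirroring the slides (placeholders instead of real tokens, digests and cipher text)
SAMPLE = f"""<soap:Envelope xmlns:soap="{SOAP}" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}"
               xmlns:ds="{DS}" xmlns:xenc="{XENC}">
  <soap:Header>
    <wsse:Security>
      <wsu:Timestamp wsu:Id="T0"><wsu:Created>2001-09-13T08:42:00Z</wsu:Created></wsu:Timestamp>
      <wsse:BinarySecurityToken wsu:Id="X509Token" ValueType="...#X509v3"
                                EncodingType="...#Base64Binary">ABCDEF....</wsse:BinarySecurityToken>
      <xenc:EncryptedKey>
        <xenc:EncryptionMethod Algorithm="{XENC}rsa-1_5"/>
        <xenc:CipherData><xenc:CipherValue>...</xenc:CipherValue></xenc:CipherData>
        <xenc:ReferenceList><xenc:DataReference URI="#enc1"/></xenc:ReferenceList>
      </xenc:EncryptedKey>
      <ds:Signature>
        <ds:SignedInfo>
          <ds:Reference URI="#T0"><ds:DigestValue>...</ds:DigestValue></ds:Reference>
          <ds:Reference URI="#body"><ds:DigestValue>...</ds:DigestValue></ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>...</ds:SignatureValue>
        <ds:KeyInfo>
          <wsse:SecurityTokenReference><wsse:Reference URI="#X509Token"/></wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
  </soap:Header>
  <soap:Body wsu:Id="body">
    <xenc:EncryptedData wsu:Id="enc1" Type="{XENC}Element">
      <xenc:CipherData><xenc:CipherValue>...</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </soap:Body>
</soap:Envelope>"""

REFERENCE_KINDS = (
    ("signed", "{%s}Reference" % DS),           # ds:Reference: parts covered by the signature
    ("encrypted", "{%s}DataReference" % XENC),  # xenc:DataReference: parts the wrapped key decrypts
    ("token", "{%s}Reference" % WSSE),          # wsse:Reference inside a SecurityTokenReference
)


def index_ids(root, errors):
    """Map wsu:Id -> element. Two wsu:Id attributes MUST NOT share a value: keep the first, report the rest."""
    ids = {}
    for el in root.iter():
        value = el.get(WSU_ID)
        if value is None:
            continue
        if value in ids:
            errors.append(f"duplicate wsu:Id {value!r}")
            continue
        ids[value] = el
    return ids


def check_message(xml_text):
    """Resolve every ID reference in the envelope and report what the signature actually covers."""
    root = ET.fromstring(xml_text)
    errors = []
    ids = index_ids(root, errors)
    result = {"errors": errors, "signed": [], "encrypted": [], "token": []}
    targets = {"signed": [], "encrypted": [], "token": []}
    for kind, tag in REFERENCE_KINDS:
        for ref in root.iter(tag):
            uri = ref.get("URI") or ""
            if not uri.startswith("#"):
                errors.append(f"{kind} reference {uri!r} does not point inside the envelope")
                continue
            target = ids.get(uri[1:])
            if target is None:
                errors.append(f"{kind} reference {uri!r} has no matching wsu:Id")
                continue
            result[kind].append(uri[1:])
            targets[kind].append(target)
    # The receiver decides which elements must be signed and checks identity of the resolved
    # element, not just that some element carrying the expected Id exists somewhere.
    body = root.find("soap:Body", NS)
    timestamp = root.find("soap:Header/wsse:Security/wsu:Timestamp", NS)
    result["body_signed"] = any(el is body for el in targets["signed"])
    result["timestamp_signed"] = any(el is timestamp for el in targets["signed"])
    return result
```

Digest recomputation and signature verification are left to an XML Signature library; the value of doing resolution first is that a message whose ds:Reference elements all resolve but do not cover the Body (or cover an element other than the real soap:Body child of the Envelope) is rejected before any cryptography runs.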
    <soap:Body wsu:Id="body">
      <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" wsu:Id="enc1">
        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
        <xenc:CipherData>
          <xenc:CipherValue>...</xenc:CipherValue>
        </xenc:CipherData>
      </xenc:EncryptedData>
    </soap:Body>
  </soap:Envelope>
  Notes:
  - The security header is processed top-down: the EncryptedKey comes before the Signature, so the receiver first unwraps the symmetric key and decrypts the body, and only then verifies the signature over the decrypted body (the sender signed first and encrypted afterwards)
  - tripledes-cbc is the algorithm of the original specification example; current deployments use an AES algorithm

SAML Examples

Attribute assertion
- An issuing authority asserts that subject S is associated with attributes A, B, ... with values "a", "b", ...
- Typically the attributes would be fetched from an LDAP repository
- Example: "john.doe" in "example.com" is associated with the attribute "Department" with value "Human Resources"

Example attribute assertion
    <saml:Assertion ...>
      <saml:Conditions .../>
      <saml:AttributeStatement>
        <saml:Subject>
          <saml:NameIdentifier SecurityDomain="example.com" Name="johndoe"/>
        </saml:Subject>
        <saml:Attribute AttributeName="PaidStatus" AttributeNamespace="http://example.com">
          <saml:AttributeValue>PaidUp</saml:AttributeValue>
        </saml:Attribute>
      </saml:AttributeStatement>
    </saml:Assertion>

Authorization decision assertion
- An issuing authority decides whether to grant the request by subject S for access type A to resource R, given evidence E
- The subject could be a human or a program
- The resource could be a web page or a web service, for example
- A relying party acts on the Decision only after checking the assertion's Conditions (validity window), that the subject, resource and action are the ones being requested, and that the assertion really comes from the trusted issuer (signature)

Example authorization decision assertion
    <saml:Assertion ...>
      <saml:Conditions .../>
      <saml:AuthorizationDecisionStatement Decision="Permit" Resource="http://example.com/res123">
        <saml:Subject>
          <saml:NameIdentifier SecurityDomain="example.com" Name="johndoe"/>
        </saml:Subject>
        <saml:Action>Read</saml:Action>   <!-- access type A; at least one Action is required (illustrative value) -->
      </saml:AuthorizationDecisionStatement>
    </saml:Assertion>
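The two assertion types above are only useful to a relying party that checks them before trusting them. The following is an added example (not part of the lecture material) of that relying-party logic: it enforces the Conditions validity window (NotBefore / NotOnOrAfter), extracts the attributes of a subject, and returns the asserted Decision only when the subject, the resource and the requested action match the statement exactly, answering "Indeterminate" otherwise. The two assertions are constructed to follow the slides (including the slide's draft NameIdentifier form with SecurityDomain and Name attributes); the AssertionID, Issuer, timestamps and the "Read" action are assumed values. Signature verification of the assertion is assumed to have been done beforehand and is not shown.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"saml": SAML}
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed assertions following the slides; values are illustrative.
ATTRIBUTE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" MajorVersion="1" MinorVersion="0"
    AssertionID="a-1" Issuer="example.com" IssueInstant="2001-09-13T08:42:00Z">
  <saml:Conditions NotBefore="2001-09-13T08:42:00Z" NotOnOrAfter="2001-09-13T09:42:00Z"/>
  <saml:AttributeStatement>
    <saml:Subject><saml:NameIdentifier SecurityDomain="example.com" Name="johndoe"/></saml:Subject>
    <saml:Attribute AttributeName="PaidStatus" AttributeNamespace="http://example.com">
      <saml:AttributeValue>PaidUp</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

AUTHZ_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" MajorVersion="1" MinorVersion="0"
    AssertionID="a-2" Issuer="example.com" IssueInstant="2001-09-13T08:42:00Z">
  <saml:Conditions NotBefore="2001-09-13T08:42:00Z" NotOnOrAfter="2001-09-13T09:42:00Z"/>
  <saml:AuthorizationDecisionStatement Decision="Permit" Resource="http://example.com/res123">
    <saml:Subject><saml:NameIdentifier SecurityDomain="example.com" Name="johndoe"/></saml:Subject>
    <saml:Action>Read</saml:Action>
  </saml:AuthorizationDecisionStatement>
</saml:Assertion>"""


def parse_time(s):
    return datetime.strptime(s, TIME_FMT).replace(tzinfo=timezone.utc)


def conditions_valid(assertion, now_iso):
    """Enforce the validity window; an assertion outside it must not be relied on."""
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        return True                      # no Conditions element: no time restriction asserted
    now = parse_time(now_iso)
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now < parse_time(not_before):
        return False
    if not_on_or_after and now >= parse_time(not_on_or_after):
        return False
    return True


def subject_of(statement):
    """(SecurityDomain, Name) of the statement's subject, in the slide's NameIdentifier form."""
    ni = statement.find("saml:Subject/saml:NameIdentifier", NS)
    if ni is None:
        return (None, None)
    return (ni.get("SecurityDomain"), ni.get("Name"))


def attributes(assertion_xml, now_iso):
    """{subject: {AttributeName: [values]}} for every attribute statement of a currently valid assertion."""
    assertion = ET.fromstring(assertion_xml)
    if not conditions_valid(assertion, now_iso):
        return {}
    out = {}
    for st in assertion.findall("saml:AttributeStatement", NS):
        attrs = out.setdefault(subject_of(st), {})
        for attr in st.findall("saml:Attribute", NS):
            attrs[attr.get("AttributeName")] = [
                v.text.strip() for v in attr.findall("saml:AttributeValue", NS)
            ]
    return out


def authorization_decision(assertion_xml, subject, resource, action, now_iso):
    """Return the asserted Decision only when subject, resource and action match exactly."""
    assertion = ET.fromstring(assertion_xml)
    if not conditions_valid(assertion, now_iso):
        return "Indeterminate"
    for st in assertion.findall("saml:AuthorizationDecisionStatement", NS):
        if subject_of(st) != subject or st.get("Resource") != resource:
            continue
        actions = [a.text.strip() for a in st.findall("saml:Action", NS)]
        if action in actions:
            return st.get("Decision")
    return "Indeterminate"
```

The resource is compared for exact string equality on purpose: a Permit for http://example.com/res123 says nothing about http://example.com/res123/other, and a relying party that applies prefix matching would be granting more than the issuing authority decided.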