WS-SecureConversation
Xiuduan Fang
32 pages, Apr 01, 2015
Transcript
Page 1

WS-SecureConversation

Xiuduan Fang

Page 2

Agenda

• Introduction
• Security Context Token
• Establishing Security Context
• Deriving Keys
• SecureConversation in Action
• Conclusion
• References

Page 3

Introduction to WS-SecureConversation

• Why introduce WS-SecureConversation?
• Consider the functions of WS-Security:
  – message integrity
  – message confidentiality
  – single message authentication

Page 4

Introduction to WS-SecureConversation

• What if senders and receivers need to exchange multiple messages?

Page 5

Introduction to WS-SecureConversation

• A feasible solution
  – Encrypt all messages with a security token issued by a token issuing service.
• Drawback: the size of each message can become a performance bottleneck.

Page 6

Introduction to WS-SecureConversation

• A better solution
  – WS-SecureConversation
    • Similar to SSL
    • Introduces a security context
• A SecurityContextToken is applied. Once it is created, the messages are smaller and can be processed faster by both ends.

Page 7

Introduction to WS-SecureConversation

• Goals
  – Define how security contexts are established
  – Specify how derived keys are computed and passed
• Non-goals
  – Define how trust is established or determined; that is done by WS-Trust


Page 9

Security Context Token

• The <SecurityContextToken> element describes a security context.

Page 10

Syntax of Security Context Token

<wsse:SecurityContextToken wsu:Id="...">
  <wsu:Identifier>...</wsu:Identifier>
  <wsu:Created>...</wsu:Created>
  <wsu:Expires>...</wsu:Expires>
  <wsse:Keys>
    <xenc:EncryptedKey Id="...">...
    </xenc:EncryptedKey>
    <wsse:SecurityTokenReference>...
    </wsse:SecurityTokenReference>
    ...
  </wsse:Keys>
</wsse:SecurityContextToken>

Page 11

Security Context Token Example

<wsse:SecurityContextToken wsu:Id="SecurityToken-f3dfe69f-4bd6-41f9-b198-bb6247d14780">
  <wsu:Identifier>uuid:f1971e12-f402-433d-bf7d-29c78a0a81eb</wsu:Identifier>
  <wsu:Created>2003-07-08T02:52:55Z</wsu:Created>
  <wsu:Expires>2003-07-08T06:52:55Z</wsu:Expires>
</wsse:SecurityContextToken>


Page 13

Establishing Security Context

• A security context needs to be created and shared by the communicating parties before it is used.
• How?
  1. Created by a security token service (STS)
  2. Created by one of the communicating parties and propagated with a message
  3. Created through negotiation

Page 14

Way 1: Created by STS

Page 15

<RequestSecurityToken> Example

<S:Body wsu:Id="req">
  <RequestSecurityToken>
    <TokenType>wsse:SecurityContextToken</TokenType>
    <RequestType>wsse:ReqIssue</RequestType>
  </RequestSecurityToken>
</S:Body>

Page 16

<RequestSecurityTokenResponse> Example

<S:Body>
  <RequestSecurityTokenResponse>
    <RequestedSecurityToken>
      <wsse:SecurityContextToken>
        <wsu:Identifier>uuid:...</wsu:Identifier>
      </wsse:SecurityContextToken>
    </RequestedSecurityToken>
    <RequestedProofToken>
      <xenc:EncryptedKey Id="newProof">
        ...
      </xenc:EncryptedKey>
    </RequestedProofToken>
  </RequestSecurityTokenResponse>
</S:Body>

Page 17

Way 2: Created by One of the Communicating Parties

• Process
  – The initiator creates a security context token and sends it to the other parties in a message
  – The recipient can then choose whether or not to accept the security context token
• Application
  – This model works when the sender is trusted to always create a new security context token.

Page 18

Way 3: Created through Negotiation

• Process
  – The initiating party sends a <RequestSecurityToken> request to the other party
  – A <RequestSecurityTokenResponse> is returned
  – Repeat the above two steps until a final response containing a <SecurityTokenReference> and a <ProofTokenReference> is received
• Application
  – There is a need to negotiate among the participants on the contents of the security context token, such as the shared secret.


Page 20

Deriving Keys

• Once the context and secret have been established (authenticated), the Derived Keys mechanism can be used to compute derived keys for each key usage in the secure context.
• Example
  – Four keys may be derived so that the two parties can sign and encrypt using separate keys.

Page 21

Deriving Keys

• Algorithms
  – Using a common secret, parties may define different key derivations to use
  – Default: the P_SHA-1 function (referred to as wsse:PSHA1)

P_SHA1 (secret, label + seed)

Page 22

Deriving Keys

• The <DerivedKeyToken> element is used to indicate that the key for a specific security token is generated with the P_SHA-1 function.
• Example

<DerivedKeyToken>
  <SecurityTokenReference>
    <Reference URI=".../ctx1"/>
  </SecurityTokenReference>
  <Generation>2</Generation>
</DerivedKeyToken>

Page 23

Subsequent Derivation Example

<DerivedKeyToken>
  <Properties>
    <Name>.../derivedKeySource</Name>
    <Label>NewLabel</Label>
    <Nonce>FHFE...</Nonce>
  </Properties>
  <Generation>3</Generation>
</DerivedKeyToken>

<DerivedKeyToken wsu:Id="newKey">
  <SecurityTokenReference>
    <Reference URI=".../derivedKeySource"/>
  </SecurityTokenReference>
  <Generation>0</Generation>
</DerivedKeyToken>
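The key derivation on pages 21 to 23, as an added Python example that is not part of this deck or of any WS-SecureConversation implementation: it implements P_SHA1 (the RFC 2246 P_hash expansion built on HMAC-SHA1), maps a <Generation> to a block of that output, derives the four per-usage keys from page 20, and chains the two-step derivation from page 23. The label text, the 16-byte key length, the rule that generation n is the n-th consecutive output block, and the secret and nonce values are all constructed assumptions, not taken from the slides.

```python
import hashlib
import hmac

def p_sha1(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA1 expansion as in RFC 2246 section 5: concatenated HMAC-SHA1
    blocks HMAC(secret, A(i) + seed), with A(0) = seed and
    A(i) = HMAC(secret, A(i-1)), truncated to `length` bytes."""
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha1).digest()
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()
    return out[:length]

# Assumptions not stated on the slides: the default label text and a
# 16-byte derived key length.
LABEL = b"WS-SecureConversation"
KEY_LEN = 16

def derive_key(secret: bytes, label: bytes, nonce: bytes,
               generation: int, length: int = KEY_LEN) -> bytes:
    """Key for a given <Generation>: P_SHA1(secret, label + nonce), taking
    the generation-th consecutive block of `length` bytes (assumed 0-based)."""
    stream = p_sha1(secret, label + nonce, (generation + 1) * length)
    return stream[generation * length:(generation + 1) * length]

def four_party_keys(secret: bytes, nonce: bytes) -> dict:
    """The page-20 example: four separate keys (sign and encrypt for each of
    the two parties) from one context secret, one generation per usage."""
    usages = ["initiator-sign", "initiator-encrypt",
              "recipient-sign", "recipient-encrypt"]
    return {u: derive_key(secret, LABEL, nonce, gen) for gen, u in enumerate(usages)}

def subsequent_derivation(secret: bytes, nonce: bytes) -> bytes:
    """The page-23 chain: generation 3 under label NewLabel becomes the
    derivedKeySource; from it, generation 0 is derived under the default label."""
    source = derive_key(secret, b"NewLabel", nonce, generation=3)
    return derive_key(source, LABEL, nonce, generation=0)

# Constructed sample values (not from the deck); in a real exchange the
# secret is the proof token from the RSTR and the nonce comes from <Nonce>.
CONTEXT_SECRET = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
NONCE = b"constructed-nonce-FHFE"

if __name__ == "__main__":
    for usage, key in four_party_keys(CONTEXT_SECRET, NONCE).items():
        print(f"{usage:18} {key.hex()}")
    print("subsequent:", subsequent_derivation(CONTEXT_SECRET, NONCE).hex())
```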


Page 25

SecureConversation in Action

• Web Services Enhancements (WSE) 2.0 for .NET 2.0 improves the implementation of secure conversations in the Web services architecture.
• Demonstration

Page 26

Predefined Security Tokens in WSE 2.0


Page 28

Conclusion of WS-SecureConversation

• The WS-SecureConversation specification defines extensions that allow security context establishment and sharing, and session key derivation.


Page 30

Primary References

• http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnglobspec/html/ws-secureconversation.asp
  – Official specification describing WS-SecureConversation
• http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnwse/html/wssecdrill.asp
  – A good reference that explains how to use Web Services Enhancements 2.0 to implement security, trust, and secure conversations in the Web services architecture.

Page 31

Secondary References

• http://www.microsoft.com/downloads/details.aspx?FamilyId=21FB9B9A-C5F6-4C95-87B7-FC7AB49B3EDD&displaylang=en
  – The WSE 2.0 technology preview provides early access to new advanced Web services capabilities.
• http://msdn.microsoft.com/webservices/building/wse/default.aspx
  – The latest advanced Web services capabilities, keeping pace with the evolving Web services protocol specifications.

Page 32

Questions?