WEB SERVICES CRYPTOGRAPHIC PATTERNS By Keiko Hashizume A Thesis Submitted to the Faculty of The College of Engineering and Computer Science in Partial Fulfillment of the Requirements for the Degree of Master of Science Florida Atlantic University Boca Raton, Florida August 2009 ACKNOWLEDGEMENTS I would like to thank my advisor, Prof. Eduardo Fernandez, for his guidance during my research and study at Florida Atlantic University. I also want to express my gratitude to the members of the Secure Systems Research group for the constructive comments and suggestions they provided in developing the patterns. My studies were supported by the US Department of Defense (Secure Telecommunications Network) and by Pronto Progress, I thank both institutions. iii ABSTRACT Author: Keiko Hashizume Title: Web Services Cryptographic Patterns Institution: Florida Atlantic University Thesis Advisor: Dr. Eduardo B. Fernandez Degree: Master of Science Year: 2009 Data security has been identified as one of the most important concerns where sensitive messages are exchanged over the network. In web service architecture multiple distributed applications communicate with each other over the network by sending XML messages. How can we protect these sensitive messages? Some web services standards have emerged to tackle this problem. The XML Encryption standard defines the process of encrypting and decrypting all of an XML message, part of an XML message, or even an external resource. Like XML Encryption, the XML Signature standard specifies how to digitally sign an entire XML message, part of an XML message, or an external object. WS-Security defines how to embed security tokens, XML encryption, and XML signature into XML documents. It does not define new security mechanisms but leverages existing security technologies such as encryption and digital signature. iv WEB SERVICES CRYPTOGRAPHIC PATTERNS List of Table………………………………………………………………………………ix List of Figures……………………………………………………………………………..x Introduction…………………………………………………………………………..........1 Background…………………………………………………………………………..........4 SOA...…..…………………………………………………....................................4 Web Services and Standards……………………….……………………...............5 The Current Status of Web Services Standards…...…………………………....................7 Web Services Standards Classification…………………...……………………….7 XML Specifications……………………………………………………….7 Messaging Specifications………………………………………………….9 Description and Discovery Specifications……………………………….11 Security Specifications…………………………………………...............13 Reliable Messaging Specifications………………………………………17 Business Process Specifications…………………………………………18 Transaction Specifications……………………………………………….18 Management Specifications……………………………………………...19 Web Services Security Standards Interdependencies…………………................20 Encryption Patterns………...…………………………………………………………….23 Symmetric Encryption………………………………….......................................24 v Intent……………………………………………………………..............24 Example………………………………………………………………….24 Context………………………….………………………………………..25 Problem………………………………….……………………………….25 Solution………………………………………….……………………….25 Implementation………………………………………….……………….30 Known Uses…………………………………………………….………..31 Consequences………………….…………………………………………32 Example Resolved…………………………………………………….…33 Related Patterns………………………………………………………….33 Asymmetric Encryption………………..………………………...........................33 Intent……………………………………………………………………..33 Example………………………………………………………………….34 Context………………………….………………………………………..34 Problem………………………………….……………………………….34 Solution………………………………………….……………………….35 Implementation………………………………………….……………….40 Known Uses…………………………………………………….………..41 Consequences…………………….………………………………………41 Example Resolved…………………………………………………….…43 Related Patterns………………………………………………………….43 XML Encryption……………………………………………………....................44 Intent……………………………………………………………………..44 vi Example………………………………………………………………….44 Context…………………………………………………………………...44 Problem…………………………………………………………………..44 Solution…………………………………………………………………..45 Implementation…………………………………………………………..52 Known Uses……………………………………………………………...54 Consequences…………………………………………………………….54 Related Patterns………………………………………………………….55 Summary…………………………………...…………………….........................56 Signature Patterns….………………...…………………………………………………..57 Digital Signature with Hashing ……………………………………………….....58 Intent……………………………………………………………………..58 Example………………………………………………………………….59 Context………………………………………………………….………..59 Problem……………………………………….………………………….60 Solution……………………………………………….………………….60 Implementation……………………………………………….………….67 Known Uses………………………………….…………………………..69 Consequences………………………………………….…………………69 Example Resolved……………………………………………….……....71 Related Patterns………………………………………………………….71 XML Signature…………………………………………………..........................72 Intent……………………………………………………………………..72 vii Example………………………………………………………………….72 Context…………………………………………………………………...73 Problem…………………………………………………………………..73 Solution…………………………………………………………………..74 Implementation…………………………………………………………..83 Known Uses……………………………………………………………...84 Consequences…………………………………………………………….85 Example Resolved……………………………………………………….87 Related Patterns………………………………………………………….87 Summary…………………………………………………………........................88 WS-Security Pattern……………………………………….……………………….…….89 Intent……………………………………………………………………………..90 Context…………………………………………………………………………...90 Problem…………………………………………………………………………..90 Solution…………………………………………………………………………..91 Implementation…………………………………………………………………..96 Known Uses……………………………………………………………………...97 Consequences…………………………………………………………………….97 Related Patterns………………………………………………………………….98 Summary…………………………………………………………........................98 Conclusion and Future Work…………………………………………………………….99 Reference…………...…………………………………………………………………..100 viii TABLES Table 1. List of XML Specifications………...…………………………………………...8 Table 2.. List of Messaging Specifications………...……………………………………...9 Table 3. .List of Description and Discovery Specifications……………………...……...11 Table 4. .List of Security Specifications…………………...…………………………….13 Table 5. .List of Reliable Messaging Specifications……..…………...………………….17 Table 6. .List of Business Process Specifications……………..…...…………………….18 Table 7. .List of Transaction Specifications……..………………………...…………….18 Table 8. .List of Management Specifications……..………..…………...……………….19 ix FIGURES Figure 1. Pattern Diagram for Web Services Security Standards………………...……..22 Figure 2. Class Diagram for Symmetric Encryption Pattern…………………...……….27 Figure 3. Sequence Diagram for encrypting a message………………………..……….29 Figure 4. Sequence Diagram for decrypting an encrypted message…………..………..30 Figure 5. Class Diagram for Symmetric Encryption Pattern…………………...……….37 Figure 6. Sequence Diagram for encrypting a message………………………..……….39 Figure 7. Sequence Diagram for decrypting an encrypted message……………..……..40 Figure 8. Class Diagram for XML Encryption Pattern…………………………..……..49 Figure 9. Sequence Diagram for encrypting XML elements……………………..….....50 Figure 10. Sequence Diagram for decrypting XML elements..…………………..….....51 Figure 11. Class Diagram for Digital Signature Pattern..…………………………..…..64 Figure 12. Sequence Diagram for signing a message…..………………………..……..66 Figure 13. Sequence Diagram for verifying a signature………………………..………67 Figure 14. Class Diagram for XML Signature Pattern..…………………………..……80 Figure 15. Sequence Diagram for signing different XML elements…..………..……...81 Figure 16. Sequence Diagram for verifying an XML Signature………………..……...83 Figure 17. Class diagram for WS-Security Pattern……………………………..………93 Figure 18. Sequence Diagram for encrypting a message………………………..……...95 Figure 19. Sequence Diagram for signing a XML element…………..…...…………….96 x 1. INTRODUCTION Web services are components that are located in the Internet and can be incorporated into applications or as a standalone services. Web services are an alternative way for businesses to communicate with other businesses and also with clients. Web services communicate using XML messages that may contain sensitive data. How can we protect this data? Traditional protocols such as SSL and IPSec can be used to transport web services, but using these transport protocols lead to some limitations. SSL protects the data while they are in transit. After the data is delivered, the security is lost. Additionally, in secure transport layers, the entire message is protected. We cannot protect only the sensitive data; we cannot allow either different access to different parts of a document. In response of this deficiency, some standards have emerged to fill this gap. XML Encryption and XML Signature are two of the basic standards in securing web services, and these standards are used by other emerging standards such as WS- Security. The XML Encryption standard defines the process of encrypting and decrypting all of an XML message, part of an XML message, or even an external resource. Encryption provides message confidentiality by protecting messages from being read by people other than the intended recipients. Like XML Encryption, the XML Signature standard specifies how to digitally sign an entire XML message, part of an XML 1 message, or an external object. This security mechanism, digital signature, provides message integrity (the message has not been changed since it was created) and message authentication (the message was originated from the sender). WS-Security defines how to embed XML encryption and XML signature into XML documents. It also defines how to embed security