Translation: Zhang Yong, Zhou Jing
Summary:
How to use WSE (Microsoft Web Services Enhancements), which supports the WS-Security specification, to send encrypted SOAP messages over standard HTTP; how SOAP message encryption works; and how it is defined in WS-Security and XML Encryption.
Table of contents:
Introduction to WSE
WSE security features
Encrypting SOAP messages
WSE support for encryption
Configuring WSE
Symmetric encryption of SOAP messages
Using X.509 certificates to encrypt SOAP messages
Selecting which parts of a message to encrypt
Limitations and interoperability details
Conclusion
Introduction to WSE
To make web services work better in the enterprise, a new generation of web service specifications has been proposed. They aim to improve areas such as security, reliable messaging, attachments and routing. To support these proposals, Microsoft released WSE 1.0 SP1, a set of classes that implement the new protocols, including filters hosted in ASP.NET that intercept incoming SOAP messages, read their headers, and generate the SOAP headers required on outgoing messages. WSE supports the following specifications:
WS-Security and the Web Services Security Addendum
WS-Attachments
WS-Routing
WS-Referral
WSE security features
When WSE runs, a series of filters generate and read WS-Security-compatible SOAP headers. When a SOAP message arrives at a web server that supports WSE, it passes through a series of input filters that read the WS-* compatible headers and, where necessary, create the corresponding program objects. Similarly, outgoing messages pass through a series of output filters that serialize the headers defined by the WSE objects. All of the web service security features supported by WSE 1.0 SP1 are implemented by the security input and output filters, the SecurityInputFilter and SecurityOutputFilter objects. They include: digital signatures, encryption, signing and encrypting with username tokens, signing and encrypting with X.509 certificates, and signing and encrypting with custom binary security tokens.
Encrypting SOAP messages
Transferring data in a uniform format makes valuable data readable by a malicious user who intercepts it. Using SOAP and XML not only exposes the data to potential threats: the inner workings of your web service can also be discovered by observing the XML syntax of the SOAP message itself. With an appropriate encryption algorithm, both the data and the service interface can be fully protected. Encryption simply applies a reversible algorithm to clear text using a particular key, so that the data cannot be read without being decrypted. Today the most common form of encryption on the Internet is transport-level encryption, such as IPsec and SSL, which encrypts at the transport layer. It offers a certain level of security, but transport-layer encryption affects performance, especially when only part of a SOAP message needs to be encrypted. Transport-layer encryption also does not allow a message to be routed securely through a web service acting as an intermediary, because the intermediary must decrypt the message and re-encrypt it before forwarding it to the final recipient.
How does XML Encryption work?
The XML Encryption specification allows some or all of a SOAP message to be encrypted. When XML Encryption is used, the encrypted part of the XML document is replaced by its ciphertext inside an EncryptedData element. WS-Security builds on XML Encryption: when WS-Security is used to encrypt a SOAP message, each EncryptedData element is referenced from the Security header element. If several nodes in the SOAP body are encrypted, each one is referenced independently by a DataReference element inside a ReferenceList.
Within an EncryptedData element, key information can be supplied in a KeyInfo element and the encryption algorithm is specified in an EncryptionMethod element; the KeyInfo element is defined by the XML Signature specification.
An encrypted SOAP message
The following SOAP message has a Payment element that contains sensitive customer information.
Of course, in this example you could also sign the message with a digital signature to prevent a malicious party from tampering with the data, or use a timestamp or other unique identifier to detect whether the message has been attacked.
Symmetric and asymmetric encryption
Encryption algorithms fall into two classes, symmetric and asymmetric. In a symmetric algorithm, a single key is shared between the two parties: the sender uses its copy of the secret key to encrypt the data, and the receiver uses the same key to decrypt it. Most familiar encryption, such as shared passwords and shared secret identifiers, is an example of symmetric encryption.
In such a system, a central server distributes the shared key to the users who need to interact securely. The disadvantage of symmetric encryption is managing and distributing the keys and keeping them secret, especially on a public network such as the Internet.
To overcome the difficulty of managing keys on a public network, a pair of keys is used instead of a single key. In an asymmetric algorithm, each party has a private key and a public key.
The public key is derived from the private key by a one-way operation, so whichever of the two is used to encrypt data, the other can decrypt it, and the private key cannot be deduced from the public key; only the private key can decrypt data encrypted with the public key. When sending an asymmetrically encrypted message, the sender encrypts it with the recipient's public key, which ensures that only the recipient can decrypt it with their private key. If it were done the other way round, anyone holding the public key could decrypt the message. Asymmetric encryption is the foundation of PKI, and PKI is the basis of the X.509 security standard. A typical asymmetric algorithm is based on large-number arithmetic such as modular exponentiation, and it needs far more CPU time to encrypt and decrypt than a symmetric algorithm. For this reason it is often used only to transmit a symmetric "session" key that encrypts the rest of the exchange and is valid only for the duration of that exchange.
Because the public key can be obtained easily, public-key encryption simplifies the distribution and management of keys. Unfortunately, the cost of this convenience is that asymmetric algorithms are slower by several orders of magnitude. Because of this, asymmetric encryption is used only for relatively small data, such as a secret key, an identity, or a digital signature.
WSE support for encryption
WSE supports encrypting all or part of a SOAP message. Symmetric encryption uses a shared key; asymmetric encryption is supported using X.509 certificates. When WSE encrypts a SOAP message, the entire Body element is encrypted unless a part of it is explicitly specified. Two examples follow: one that encrypts the whole body, and one that encrypts a section of it.
The WSE runtime implements all WS-Security processing in the SecurityInputFilter and SecurityOutputFilter classes. The former looks for the Security element in an incoming SOAP message; if it exists, it creates objects representing any security tokens and encryption keys, decrypts the encrypted elements, and verifies any digital signatures. For an incoming message, the security elements can be accessed through the Security property of the SoapContext object generated for the message. Conversely, SecurityOutputFilter performs encryption and signing on outgoing messages, using whatever security tokens or encryption keys have been specified. Security measures such as adding tokens, encrypting, or signing a message use the message's SoapContext.Security and SoapContext.ExtendedSecurity properties; the Security property is used when the security header is intended for the final destination, and ExtendedSecurity only when a security header for some other recipient has to be created.
Configuring WSE
Even after WSE has been installed on the ASP.NET web server, additional configuration is needed if ASP.NET applications require security support. When you create an ASP.NET web service in Visual Studio .NET, a reference to the Microsoft.Web.Services.dll assembly must be added to the project. You also need to register a new SOAP extension under the soapExtensionTypes element, by adding a new add element to the web.config file.
When programming with WSE you need to add references to the Microsoft.Web.Services and System.Security namespaces in both the client and the server projects if both the client request and the server response are encrypted. On the client side you should use the Add Web Reference tool to generate a web service proxy for the WSE-based web service.
Symmetric encryption of SOAP messages
Next, let's look at how to use WSE to encrypt a SOAP message. The following example is based on a WSE-enabled web service that returns a SOAP response containing sensitive data. The client sends a simple request to the service, which returns an XML document encrypted with the Triple DES symmetric algorithm (using a shared key and an initialization vector, IV). When the client receives the encrypted response, the SecurityInputFilter calls a decryption key provider that gives the client access to the same shared key and decrypts the message. You must write this decryption key provider yourself and provide a way of synchronizing the shared key. These examples assume that both sides already know the key; all we have to do is supply the key's name as a hint, so that the other side knows which key was used for encryption.
Be careful about the management, synchronization, and confidentiality of the key. One solution is to use a distributed key mechanism such as Kerberos, but as of WSE version 1.0, WSE no longer supports Kerberos.
Encrypting outgoing messages
Here I briefly describe how to create a web service that returns an encrypted XML document. The first step is to add the necessary namespaces with using directives, as follows:
```csharp
using System.Web.Services;
using Microsoft.Web.Services;
using Microsoft.Web.Services.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;
using System.Xml;
```
The GetXmlDocument method uses the .NET Framework implementation of the Triple DES algorithm, with a 128-bit key and a 64-bit initialization vector (IV), to generate a symmetric key. This key is also given a name and is added to the SoapContext of the response message; the SecurityOutputFilter then uses it to encrypt a simple XML document, which is finally returned to the client. For more information on cryptography in the .NET Framework, see the Cryptography Overview in the .NET Framework Developer's Guide.
```csharp
// Returns data encrypted with the Triple DES symmetric algorithm
[WebMethod(Description = "Returns a sensitive XML document encrypted with a symmetric algorithm", EnableSession = false)]
public XmlDocument GetXmlDocument()
{
    // Create a simple XML document to return
    XmlDocument myDoc = new XmlDocument();
    myDoc.InnerXml = "
    // (the remainder of the method was not preserved on this page)
```
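The complete pattern the method above follows, as an added example rather than the article's own code: the Triple DES key and IV from the article are wrapped in a named WSE encryption key and an EncryptedData element is added to the response context so the SecurityOutputFilter encrypts the whole Body. The class names SymmetricEncryptionKey, EncryptedData, HttpSoapContext.ResponseContext and the KeyInfo property on the key are assumed to match the WSE 1.0 SP1 API; the XML payload is constructed sample data.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;
using System.Web.Services;
using System.Xml;
using Microsoft.Web.Services;
using Microsoft.Web.Services.Security;

public class SensitiveService : WebService
{
    // Illustrative only: a real service loads the shared key from protected
    // storage rather than embedding it in source.
    private static readonly byte[] KeyBytes = { 48, 218, 89, 25, 222, 209, 227, 51,
                                                50, 168, 146, 188, 250, 166, 5, 206 }; // 128-bit 3DES key
    private static readonly byte[] IvBytes  = { 16, 143, 111, 77, 233, 137, 12, 72 };  // 64-bit IV

    [WebMethod(Description = "Returns an XML document encrypted with Triple DES", EnableSession = false)]
    public XmlDocument GetXmlDocument()
    {
        // Build the plaintext response (constructed sample data).
        XmlDocument myDoc = new XmlDocument();
        myDoc.LoadXml("<Payment><CardNumber>0000-0000-0000-0000</CardNumber>" +
                      "<Amount>10.00</Amount></Payment>");

        // Re-create the shared Triple DES key and IV that the client also knows.
        SymmetricAlgorithm tripleDes = new TripleDESCryptoServiceProvider();
        tripleDes.Key = KeyBytes;
        tripleDes.IV = IvBytes;

        // Wrap it as a WSE encryption key and give it a name (assumed API); the name
        // travels in KeyInfo so the client's IDecryptionKeyProvider can pick the right key.
        SymmetricEncryptionKey key = new SymmetricEncryptionKey(tripleDes);
        key.KeyInfo.AddClause(new KeyInfoName("PaymentSharedKey"));

        // With no element reference, EncryptedData encrypts the entire Body;
        // SecurityOutputFilter performs the encryption as the response leaves.
        SoapContext ctx = HttpSoapContext.ResponseContext;
        ctx.Security.Elements.Add(new EncryptedData(key));
        return myDoc;
    }
}
```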
Given the method above, the WSE pipeline produces a response message with the corresponding security header, ciphertext, and key information:
Note that the ReferenceList element in the security header contains a reference to the EncryptedData element, which contains the name of the key, the encryption algorithm used, and the data in ciphertext form.
Decrypting received messages
Whether on the client or on the server, WSE always decrypts in the SecurityInputFilter. Because symmetric decryption requires the shared key, SecurityInputFilter must be given a method it can call to obtain that symmetric key; the key and algorithm information contained in EncryptedData helps this method find the correct shared key and encryption algorithm. The method must be implemented in a class that implements Microsoft.Web.Services.Security.IDecryptionKeyProvider. In my example, the DecryptionKeyProvider.GetDecryptionKey method returns the symmetric key as follows:
```csharp
public DecryptionKey GetDecryptionKey(string encAlgorithmUri, KeyInfo keyInfo)
{
    // Re-create the same 16 bytes that represent the 128-bit key
    byte[] keyBytes = { 48, 218, 89, 25, 222, 209, 227, 51, 50, 168, 146, 188, 250, 166, 5, 206 };
    // Re-create the 8 bytes that represent the 64-bit initialization vector
    byte[] ivBytes = { 16, 143, 111, 77, 233, 137, 12, 72 };
    SymmetricAlgorithm mySymAlg = new TripleDESCryptoServiceProvider();
    mySymAlg.Key = keyBytes;
    mySymAlg.IV = ivBytes;
    // Re-create the symmetric decryption key
    DecryptionKey myKey = new SymmetricDecryptionKey(mySymAlg);
    return myKey;
}
```
Even though my method does not use them, WSE passes the KeyInfo element and the URI of the encryption algorithm to this method so that it can decide which shared key and which algorithm to use when generating the symmetric key.
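A decryption key provider that actually uses those two parameters, as an added example that is not from the article: it selects the shared key by the KeyName the sender put in KeyInfo and rejects any algorithm other than the Triple DES CBC identifier from XML Encryption. The IDecryptionKeyProvider and SymmetricDecryptionKey types and the method signature are taken from the article; the key table, its name and the helper FindKeyName are constructed for this example.

```csharp
using System;
using System.Collections;
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;
using Microsoft.Web.Services.Security;

// Resolves the shared key named in the message's KeyInfo instead of returning
// one fixed key, and refuses algorithms it does not expect.
public class NamedDecryptionKeyProvider : IDecryptionKeyProvider
{
    // Triple DES CBC algorithm identifier from the XML Encryption specification.
    public const string TripleDesCbcUri = "http://www.w3.org/2001/04/xmlenc#tripledes-cbc";

    // Constructed key table keyed by name; real code loads keys from protected storage.
    private static readonly Hashtable Keys = new Hashtable();

    static NamedDecryptionKeyProvider()
    {
        Keys["PaymentSharedKey"] = new byte[] { 48, 218, 89, 25, 222, 209, 227, 51,
                                                50, 168, 146, 188, 250, 166, 5, 206 };
    }

    // Returns the key name carried in KeyInfo, or null if there is no KeyName clause.
    public static string FindKeyName(KeyInfo keyInfo)
    {
        foreach (KeyInfoClause clause in keyInfo)
        {
            KeyInfoName named = clause as KeyInfoName;
            if (named != null) return named.Value;
        }
        return null;
    }

    public DecryptionKey GetDecryptionKey(string encAlgorithmUri, KeyInfo keyInfo)
    {
        // Only honour the algorithm the service is known to use.
        if (encAlgorithmUri != TripleDesCbcUri)
            throw new CryptographicException("Unexpected encryption algorithm: " + encAlgorithmUri);

        string name = FindKeyName(keyInfo);
        byte[] keyBytes = name == null ? null : (byte[])Keys[name];
        if (keyBytes == null)
            throw new CryptographicException("No shared key registered for name: " + name);

        SymmetricAlgorithm tripleDes = new TripleDESCryptoServiceProvider();
        tripleDes.Key = keyBytes;
        tripleDes.IV = new byte[] { 16, 143, 111, 77, 233, 137, 12, 72 }; // 64-bit IV from the article
        return new SymmetricDecryptionKey(tripleDes);
    }
}
```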
To allow SecurityInputFilter to reach the GetDecryptionKey method, the following configuration must be added to the application's configuration file (that is, app.config):
The type attribute must not contain any spaces or line breaks; they appear above only for readability. This setting can also be made with the WSE Settings tool. Once the DecryptionKeyProvider class has been added to the client and WSE security support has been configured, WSE automatically decrypts the encrypted data, so a program built on standard web services can be written without worrying about it.
Using X.509 certificates to encrypt SOAP messages
As mentioned earlier, asymmetric operations carry a certain overhead. When a large amount of data is transmitted, encrypting it with an asymmetric algorithm is impractical from a performance standpoint. WSE therefore implements a pseudo-asymmetric encryption: rather than encrypting the message itself asymmetrically, WSE uses the asymmetric algorithm and the public part of an X.509 certificate to encrypt a symmetric key, and that symmetric key is what actually encrypts the message. When the message is received, the SecurityInputFilter obtains the private key associated with the X.509 certificate, decrypts the symmetric key, and then decrypts the message with it. For this example to work, an X.509 certificate that supports encryption, issued by a trusted certificate authority, must be present in the Personal certificate store of the current user account on the client machine, and the private key for this certificate must also be available to the Local Machine account on the server that executes the web service. In addition, a certificate in the CA's certificate chain must be present in a trusted store on the client, so that WSE knows the X.509 certificate can be trusted.
Encrypting outgoing messages
I have modified the earlier GetXmlDocument method so that it uses the X.509 asymmetric encryption implemented by WSE. To encrypt the response message, the FindCertificateBySubjectString method is used to retrieve the public part of the client certificate from the Personal store of the Local Machine account. This certificate is then used to create a new X.509 security token, which is added to the security token collection of the response message's SoapContext. In addition to the namespaces referenced in the symmetric encryption example, you should add a using directive for the Microsoft.Web.Services.Security.X509 namespace. The GetXmlDocument method is as follows:
```csharp
// Create a simple XML document to return
XmlDocument myDoc = new XmlDocument();
myDoc.InnerXml = "
// (the remainder of the method was not preserved on this page)
```
Decrypting received messages
When a message encrypted with an X.509 certificate is received, the SoapInputFilter automatically attempts to decrypt it with the private key from the user's key store. Of course, WSE needs additional configuration to know where to find this certificate. This information is specified in the security element of the application configuration file, which in this example is app.config on the client. For X.509 encryption you only need to add an x509 child element, with content like the following.
In my example I set the storeLocation attribute of the x509 element to CurrentUser, assuming the certificate is in the current user's certificate store, and because I used a certificate from a trusted CA I also set verifyTrust to true. These attributes can also be set with the WSE Settings tool. With this information WSE can obtain the private key for the certificate referenced in the message, decrypt the symmetric session key, and finally decrypt the message body.
Selecting which parts of a message to encrypt
Although the entire message body is encrypted by default, WSE can also encrypt specific elements in the SOAP message; the only restriction is that elements of the Security header cannot be encrypted. Nested elements can be encrypted as well.
In this example I modified the X.509 version of the GetXmlDocument method to use an X.509-based security token to encrypt both a nested element and its EncryptedResponse parent. The returned XML document is as follows:
```xml
xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/07/utility"
```
To do this, I add the XML to a new XML document and then add an Id attribute using the Microsoft XML Document Object Model (DOM) supported by the .NET Framework. This requires adding the System.Xml assembly to the project references and the following using directives:
```csharp
using System.Xml;
using System.Xml.Serialization;
```
When I add the Id attributes to the nested element, I start by traversing from its parent, EncryptedResponse, as follows:
```csharp
string[] myId = { "Id:" + Guid.NewGuid(), "Id:" + Guid.NewGuid() };
// Create the XML document to return
XmlDocument myDoc = new XmlDocument();
myDoc.LoadXml("
// (the remainder was not preserved on this page)
```
Assuming I have already obtained the X.509 token with the logic from the earlier X.509 example, I add these references to EncryptedData elements as follows:
```csharp
// Loop over the Id values and add each one to a new EncryptedData element
for (int i = 0; i
// (the remainder was not preserved on this page)
```
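The X.509 outgoing-encryption method and the element-selection procedure above, carried through end to end as one added example that is not the article's code: wsu:Id attributes are stamped on the nested element and its EncryptedResponse parent, the client certificate's public part is fetched from the Local Machine Personal store, and one EncryptedData per Id is added to the response. X509CertificateStore, X509SecurityToken, FindCertificateBySubjectString, HttpSoapContext.ResponseContext and the EncryptedData(token, "#id") constructor are assumed to match the WSE 1.0 SP1 API; the subject string and XML payload are constructed placeholders.

```csharp
using System;
using System.Web.Services;
using System.Xml;
using Microsoft.Web.Services;
using Microsoft.Web.Services.Security;
using Microsoft.Web.Services.Security.X509;

public class PartialEncryptionService : WebService
{
    // WS-Security utility namespace used for wsu:Id in WSE 1.0 messages (from the article).
    private const string WsuNs = "http://schemas.xmlsoap.org/ws/2002/07/utility";

    // Stamps a unique wsu:Id on an element and returns the value assigned.
    public static string AddWsuId(XmlElement element)
    {
        string id = "Id-" + Guid.NewGuid().ToString();
        XmlAttribute attr = element.OwnerDocument.CreateAttribute("wsu", "Id", WsuNs);
        attr.Value = id;
        element.SetAttributeNode(attr);
        return id;
    }

    [WebMethod(Description = "Returns a document with selected elements encrypted", EnableSession = false)]
    public XmlDocument GetXmlDocument()
    {
        // Constructed sample response: only the nested element and its parent get encrypted.
        XmlDocument myDoc = new XmlDocument();
        myDoc.LoadXml("<EncryptedResponse><Payment><CardNumber>0000-0000-0000-0000</CardNumber>" +
                      "</Payment></EncryptedResponse>");
        XmlElement parent = myDoc.DocumentElement;
        XmlElement nested = (XmlElement)parent.SelectSingleNode("Payment");
        // Inner element first, so its ciphertext is then covered by the parent's encryption.
        string[] ids = { AddWsuId(nested), AddWsuId(parent) };

        // Public part of the client certificate from the Local Machine Personal store
        // (assumed WSE 1.0 store API); the subject string is a placeholder.
        X509CertificateStore store = X509CertificateStore.LocalMachineStore(X509CertificateStore.MyStore);
        store.OpenRead();
        X509CertificateCollection certs = store.FindCertificateBySubjectString("CN=ClientCertPlaceholder");
        store.Close();
        if (certs.Count == 0)
            throw new InvalidOperationException("Client certificate not found in the store");

        X509SecurityToken token = new X509SecurityToken(certs[0]);
        SoapContext ctx = HttpSoapContext.ResponseContext;
        ctx.Security.Tokens.Add(token);
        // One EncryptedData per element, each referencing the element by its wsu:Id.
        foreach (string id in ids)
            ctx.Security.Elements.Add(new EncryptedData(token, "#" + id));
        return myDoc;
    }
}
```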