21-05-2012, 11:32 AM
Attacking XML Security
Attacking XML Security.pdf (Size: 1.72 MB / Downloads: 87)
Introduction
–Who am I?
–Why care about XML Security?
•Part 1: Executive briefing challenging the emerging CW on message oriented security
–Break for questions
•Part 2: The gory technical details
–How do XML Digital Signatures work?
–How to build a cross-platform worm in XML.
–Can we use this technology safely?
Why care about XML Security?
•Web Services have gone mainstream:
–SOA & B2B integration
–Web Single Sign On
•And everybodyhas XML applications.
•It’s lurking more places than you might think:
–Mobile code manifests
–Printing
–DRM & software licensing
–P3P
–Digital identity systems
Web Services in the Real World
•Service Oriented Architectures are now mainstream.
•But many of the grand dreams of transformation have not materialized.
–The Universal Business Registry has been discontinued.
•Improvements in interoperability and development efficiency are welcome.
•But basic business structure is the same.
Threat Model Realities
•Businesses place a lot of trust in their partners.
•B2B IT risk management is rolled up with other fraud, errors and omissions and managed with contracts, audit and lawyers.
•Still need to build robust applications, but authenticatedattacks at the business logic layer (SQL injection, etc) are not the biggest concern
Exclude the Anonymous Attacker
•The biggest threat for Web Service endpoints exposed to the public Internet is the anonymous attacker.
•The security technology you want should authenticate your genuine users and exclude everyone else as thoroughly and efficiently as possible.
•The Internet has no Accountability.
Security as a business enabler
•Exposing these powerful security constructs in an interoperable form with a portable data format has the potential to be revolutionary.
•But its place is for new classes of system and problems not yet solved in the mainstream.
•Distributed authentication and identity systems are the major standouts here so far:
–SAML, Liberty, WS-Federation
–CardSpace
My prediction for WS-Security
•Lots of potential for disruptive, market-changing ideas and businesses to be built on this technology for those who understand the opportunities.
•Ideas from ahead-of-their-time crytpo and digital cash companies may find new fertility on an open, standardized and interoperable substrate deployed by default on every app-server in the world.
•Lots of good security research will be needed in support of this. It is needed already, as we’ll soon see.
Goals of XMLDSIG in WS-Security
•Sign arbitrary digital content.
•Sign the semantic intent of an XML document, (the “InfoSet”) not an octet stream. (binary XML encoding compatibility)
•Cryptographic algorithm and key format agility.
•Indirectedand flexible referencing of the signed content.
•Optionally supply keying info as part of the signature, with flexible referencing thereof.
•Allow exclusion of portions of content from the signature.