Implementation of a Web Services Security Architecture Based on Trusted SOAP
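Abstract
With the continued development of Web services, the information security risks they bring are unavoidable. Security has therefore become a critical core issue for Web services: the network must provide an end-to-end security solution, covering encryption mechanisms, signature mechanisms, security management, access control, firewalls, antivirus protection and so on. As the basis of the Web services communication protocol, SOAP plays an extremely important role in the engineering of Web service security.
This thesis studies the content and architecture of the Web services security specification WS-Security. The Web Services Security Language is a security specification built on the standard SOAP specification that can be used to achieve integrity and confidentiality when building secure Web services. WS-Security defines a SOAP header element for carrying security-related data. If XML Signature is used, this header can contain the information defined by XML Signature, including the message's signature method, the key used and the resulting signature value. Likewise, if an element of the message is encrypted, the WS-Security header can also contain encryption information (for example, the encryption information defined by XML Encryption). WS-Security does not specify the format of signatures or encryption; it specifies how to embed security information defined by other specifications in a SOAP message. WS-Security is primarily a specification for an XML-based container of security metadata. In this header, a message can store information about the caller, the message's signature method and its encryption method. WS-Security keeps all security information in the SOAP part of the message, thereby providing an end-to-end solution for Web service security.
In implementing the WS-Security architecture, this thesis introduces the SOAP standard specification and the corresponding security mechanisms, and discusses the current state of Web service security and the problems in existing security solutions. It covers the three aspects that WS-Security involves, namely authentication, signing and encryption, and shows how to use WS-Security together with the companion tool WSE to embed security mechanisms in SOAP messages. Building on the WS-Security specification, it proposes and analyses the basic principles of the architecture design of a new trusted SOAP security model and sets out its advantages, and it describes in detail the key technologies of the security specification, the XML Signature and XML Encryption mechanisms. Finally, following the ideas of WS-Security, the thesis uses existing security technologies to design and implement a WS-Security architecture based on the trusted SOAP security model, describes the function and implementation mechanism of each part in detail, and analyses the XML Signature and XML Encryption mechanisms in detail.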
As Web services develop, they inevitably bring hidden security risks to information, so security is becoming more and more important to Web services. An end-to-end security solution is required; it includes encryption, digital signatures, security management, firewalls and so on. SOAP, the basis of the Web services transport protocol, plays an important role in the implementation of Web services security.
This paper introduces the specification that proposes a standard set of SOAP extensions that can be used when building secure Web services to implement integrity and confidentiality. We refer to this set of extensions as the "Web Services Security Language" or "WS-Security". WS-Security uses a SOAP header to carry security information. If XML Signature is used, this header should contain the information defined by XML Signature, which includes the signature method, the key used and the signature value. If some elements use XML Encryption, the header should contain the information defined by XML Encryption. WS-Security does not restrict the format of XML Encryption or XML Signature, but specifies how to embed information defined by other standards. WS-Security is mostly a standard for a container of XML security elements. In the SOAP header, a message can store information about the caller, the signature method and the encryption method. WS-Security saves all security information in the SOAP header of the message, so it can provide an end-to-end security solution for Web services.
In this thesis we discuss the SOAP standard and its security mechanisms, and the status and limitations of current solutions for Web services security. The paper shows how to use WS-Security and the companion tool WSE to embed security mechanisms into SOAP messages, and covers the identity validation, signature and encryption aspects of WS-Security. On the basis of the standard, the paper puts forward and analyses the principles of the Trust SOAP security system architecture, and expounds the key technologies of WS-Security: Security Token, XML Encryption and XML Signature. Inspired by the design thinking of WS-Security, the paper tries to utilize available security technologies to design and realize a WS-Security system architecture based on Trust SOAP, and explains the implementation of each part's function, especially XML Signature and XML Encryption.