Webservice安全的整合应用

上海交通大学硕士学位论文Webservice安全的整合应用姓名：宓吉琦申请学位级别：硕士专业：软件工程指导教师：尤晋元20060501SCORM2004e-LearningiWebserviceWebServiceInternetInternetWebServiceWebService//WebWebService(SOAP)WebServicePKI/PMIWebServiceWebServicePKI/PMIWebServiceWebService//Webservice,,WS-Security,PKISCORM2004e-LearningiiINTERGRATIONOFWEBSERVICESECURITYABSTRACTModerncorporateenterprisesrelyheavilyonITinfrastructuretofacilitatebusinessprocesses,reducetheprocesslifecycle,andmanageresources.Organizationswithlargevolumedeploycustomizedapplicationstomanagetheirinternalsales,purchase,payroll,finance,andHRdepartments.Suchapplicationsrunningwithintheenterpriseneedtobeintegratedwitheachotherforconsolidateddecisionmaking,accuratesysteminformation,andbetterperformanceandmonitoring.WebservicesissettobeoneofthebiggestsecuritychallengesforITprofessionalsin2002,ascorporationsattempttolinktheirinternalapplicationswiththosebelongingtoexternalpartnersandsuppliersusingXMLandSOAP.MicrosoftandIBMarecurrentlypushingdifferentmodelsoftrustandsecurity.Theessaywilltroduceawaytoensurethesecurityofwebservice,inthiscasethehighsecurityrequirementapplicationscanbesetupbaseonwebserviceandothernewtechninoledge.KEYWORDS:Webservice,Security,WS-Security,PKI12006612220066122006612Webservice11WebWebWebWebWeb1.11authentication.IDCertificateAuthorityVerisignX.509mutualauthenticationWebServicesWebServices2InternetX.509WebServicesSOAPBodySOAPIDTokenWebService3confidentialityWebService1.2WebWebWebWebWebSSLXMLXMLWebservice2WebXML-XML-XMLWebWebWebSSLXML1)XML2)XMLW3CXML(XMLKeyManagementServicesXKMS)1)2)Kerberos1)Web2)OASIS(AuthorizationandAuthenticationAssertionsSAML)3)OASIS(eXtensibleAccessControlMarkupLanguageXACML)SAMLWebservice3XMLOrganizationfortheAdvancementofStructuredInformationStandardsOASISWebWebServicesSecurityWS-SecurityWebServicesSecurityTechnicalCommitteeWS-SecurityTCOASIS2002723WS-SecurityWebWebSOAPMessageHeaderIBMVeriSignWS-SecurityWebWS-SecuritySOAPWS-SecurityWS-SecurityWS-SecurityX.509KerberosWS-SecurityPKIKerberosSSLWS-SecurityWS-SecurityWeb1.3WebSOAPNECOracleSonicSunITWeb(WebServicesReliability)WS-ReliabilityWebWS-ReliabilityWebWebWS-ReliabilitySOAPSOAP2001SOAPB2BSOAPSOAPSOAPSOAPW3CXMLXMLDigitalSignature,XMLencryption,andXMLKeyManagementServicesSOAPWebservice4SOAPSOAPSOAPSOAPSOAP1SOAP:SignatureSOAPSecurityExtensions:DigitalSignatureXMLXMLDigitalSignaturesyntax[XML-Signature]SOAPSOAPSOAP-SEC:Signature2SecurityToken-X.509KerberosSIMSOAPSOAP1.1XMLSignature:--------timestampsnonces,SOAPSOAPSOAPSOAP3)UDDIUDDIAPIUDDIUDDI--businessEntitytModelUDDI(OperatorSite)Webservice5UDDIWebservice622.1Web2.1.1SOAPSOAPWS-SecurityWS-SecurityWeb2.1.2CredentialsWS-SecurityCredentialsLicenselicense()CredentialsX.509KerberosticketsTestamenttestament()(X.509)(Kerberosticket)()2.1.3“2”“4”“”“”“”“”SHA1“”1995**64202**1602**250)MH(M)“M”MH(M)H'(M)MH(M)H(S+M)SH'(S+M)HMAC“”(HashedMesssageAuthenticationCode)Webservice7HMACSSSKerberosKerberos“”SHMACKerberosSMH'(S+M)KerberosRSAaz026+4hello8512121544444129161619+2226261291616192222222222343138384185121215helloRSARSAH(M){H(M)}private-keyMH'(M)H(M)H(M)H'(M)M“”2.1.4Webservice8testamentXMLSignatureWS-SecurityWS-Security1L[x]x2L[X-Y]xy3T[X]x4K[X]x5{m}(E=x)xm6{m}(S=x,E=y)xym7{m}(S=x,E=y/z){m}(S=x,E=y){y}(E=z)WS-SecurityAM1BM2A-B{M1}(S=T[A],E=K[B]),L[A]A-B{M2}(S=T[B],E=K[A]),L[B]AM1BABBM2ABWS-SecurityWS-SecurityABABAlice(L[B]).L[A]AliceBobAliceK[B]BobAliceWS-SecurityMWS-SecurityHeaderT[A]L[A]Webservice9AliceWS-SecurityM(RSA)AliceK[X]M(DES)K[B]K[X]XMLEncryptionAliceBobBobBobXMLEncryption(Tag)XMLBobT[B]BobT[B]K[X]K[X]BobBobAlice()BobAliceWS-SecurityAliceBobAliceBobWS-Security()AliceL[B-A]T[A]BobAliceL[B]K[B-A]L[B]L[B-A]ABBABobL[B-A]AliceBobT[B-A]K[B-A]BobT[B-A]AliceT[B-A]BobBobT[B]L[A-B]AliceAliceAlice-Bob:{M1}(S=T[A],E=K[X]/K[B]),L[A],L[B-A],Webservice10{T[B-A]}(S=T[A],E=K[B])Bob-Alice:{M2}(S=T[B],E=K[B]-[A])L[B],L[B-A],L[A-B],{T[A-B]}(S=T[B],E=K[B-A])Alice-Bob:{M3}(S=T[A],E=K[A-B]),L[A],L[A-B]Bob-Alice:{M4}(S=T[B],E=K[B-A]),L[B],L[B-A]AliceBobAliceK[X]T[B-A]M1AliceBobBobL[A-B]AliceL[B-A]AliceBob2.2WS-SecurityWebIBMMicrosoftVerisignWebWebKerberosWebWebSOAPWSDLXML(XMLDigitalSignature)XML(XMLEncryption)SSLWebIBMMicrosoftVerisignWS-SecuritySSLTransportLayerSecurity(TLS)IPSecWebWebWeb(Multi-Hop)WebWebservice11SOAPWS-SecurityWebWS-PolicyWS-TrustWS-PrivacyWebWS-SecureConversationWS-FederationWS-AuthorizationWebWS-SecuritySOAPX.509KerberosXMLXMLSOAPWS-PolicyWS-TrustWebWS-SecurityWS-PrivacyWebWS-PolicyWS-SecurityWS-TrustWS-PolicyWS-SecurityWS-TrustWebservice12WS-SecureConversationWS-FederationWS-SecurityWS-PolicyWS-TrustWS-SecureConversationKerberosPKIWS-AuthorizationWebWebSSLWebWS-SecurityPublicKeyInfrastructure(PKI)Kerberos(KeyDistributionCenter)WebUDDIWebUDDIUDDIWeb2.2.1SOAP1)2)“”“”Webservice13X.509“”BobBobXMLXMLSOAPBob2.2.2SecuritySOAPSOAPSecuritySOAPSecuritySecurityS:actorSecurityS:actorSecurityWebservice14S:actorSecurityWS-RoutingSecuritySecuritySecurityX.5092.2.3“RoutingTransf