Web Services Security


Mark O’Neill
with Phillip Hallam-Baker
Seán Mac Cann
Mike Shema
Ed Simon
Paul A. Watters
and Andrew White

McGraw-Hill/Osborne
2600 Tenth Street
Berkeley, California 94710
U.S.A.

To arrange bulk purchase discounts for sales promotions, premiums, or fund-raisers, please contact McGraw-Hill/Osborne at the above address. For information on translations or book distributors outside the U.S.A., please see the International Contact Information page immediately following the index of this book.

Web Services Security

Copyright 2003 by The McGraw-Hill Companies. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

1234567890 DOC DOC 019876543

ISBN 0-07-222471-1

Publisher: Brandon A. Nordin

Vice President & Associate Publisher: Scott Rogers

Editorial Director: Tracy Dunkelberger

Project Editors: Elizabeth Seymour, LeeAnn Pickrell

Acquisitions Coordinator: Martin Przybyla

Technical Editor: Ed Simon

Copy Editor: Dennis Weaver

Proofreader: Mike McGee

Indexer: Robert J. Richardson

Computer Designers: George T. Charbak, Melinda Lytle

Illustrators: Melinda Lytle, Michael Mueller, Lyssa Wald

Series Design: Peter Hancik, Lyssa Wald

Cover Series Design: Jeff Weeks

This book was composed with Corel VENTURA™ Publisher.

Information has been obtained by McGraw-Hill/Osborne from sources believed to be reliable. However, because of the possibility of human or mechanical error by our sources, McGraw-Hill/Osborne, or others, McGraw-Hill/Osborne does not guarantee the accuracy, adequacy, or completeness of any information and is not responsible for any errors or omissions or the results obtained from the use of such information.

To Kristen and Ben.
—Mark O’Neill

For Karen.
—Phillip Hallam-Baker

To Orla, Seánóg, and Neil.
—Seán Mac Cann

To my family, for all your support throughout the years.
—Ed Simon

My chapters are dedicated to my new daughter Nellie.
—Paul Watters

I’d like to dedicate my contribution to this book to my parents, who gave me my past, and to Anne, Robbie and Becky, who are creating my present.
—Andrew White

About the Authors

Mark O’Neill

As Chief Technical Officer at Vordel, Mark O’Neill oversees the development of Vordel’s technical strategy and product development in the areas of XML and security. Mr. O’Neill is also an advisor to the XML.org industry newsletter. He regularly presents at industry conferences on the security issues affecting Web Services and writes in publications including Web Services Journal, XML Journal, EAI Journal, ComputerWeekly, and the Identrus eTrend Quarterly.

Prior to Vordel, Mr. O’Neill designed and implemented EDI-over-Internet solutions for Ireland’s largest EDI Value-Added Network. He then formed a software development company, developing security solutions for clients including Sony Europe, Intel, Royal & SunAlliance, AXA Group, the Irish Government, and Critical Path. Mr. O’Neill holds a double major in Mathematics and Psychology from Trinity College Dublin and studied neural network modelling at Oxford University.

Phillip Hallam-Baker

Dr. Phillip Hallam-Baker BSc, DPhil, FBCS, C.Eng is a leading contributor to numerous XML and Web Services security standards including XKMS (Editor), SAML (co-Editor), WS-Security (co-Editor), XML Signature, and XML Encryption. In addition to speaking at numerous conferences, he was the co-chair of the recent ACM Workshop on XML Security.

Before joining VeriSign, Dr. Hallam-Baker held research posts at the MIT Laboratory for Computer Science and Artificial Intelligence Laboratory, CERN, and DESY where he contributed to the design of HTTP and the World Wide Web. Dr. Hallam-Baker holds degrees from Oxford University and Southampton University and is a Fellow of the British Computer Society.

Seán Mac Cann

Seán Mac Cann is a commercial lawyer from Co. Tyrone, Ireland. He has worked in private practice as a commercial litigator with the London City law firm, DJ Freeman, and as a commercial lawyer with the Dublin commercial firm Gerrard, Scallan & O’Brien. He has worked in the public sector for the Irish telecommunications regulator, ComReg, as its Internet lawyer. He has also worked in industry for a wide variety of public and private companies, such as Shell (energy) and Burberry Limited (fashion). He helped to set up Vordel Limited. Currently, he works mostly with technology start-ups. He maintains a free tech-legal weblog at http://www.maccann.com.

Mike Shema

Mike Shema is a security consultant and trainer for Foundstone. He has performed dozens of security reviews for clients in the financial, telecommunications, software, and e-commerce industries. His familiarity with computer technology ranges from firewalls, to Windows platforms, to several Unix platforms. In addition to network security, Mr. Shema has worked on Web application security assessments and computer forensics investigations. He used his experience with computer security to co-author two titles from McGraw Hill/Osborne: The Anti-Hacker Toolkit and Hacking Exposed: Web Applications.

Mr. Shema has also worked at a product development company where he configured and deployed high-capacity Apache Web and Oracle database servers used in e-commerce applications. Previous to that, he worked at Booz, Allen & Hamilton where he conducted information assurance reviews for government and military clients. Mr. Shema holds a B.S. in Electrical Engineering and a B.S. in French from Penn State University.

Ed Simon (Contributing Author and Technical Editor)

Ed Simon has been an ardent advocate and implementer of XML since 1997 and is co-author of both the XML Signature and XML Encryption specifications. Today, he provides consulting and training services in the area of XML, Web Services, and security through his company XMLsec (www.xmlsec.com).

Prior to starting XMLsec, Mr. Simon served as Entrust’s XML Security Architect, explored new online information technologies at IBM, and developed biomedical research software at the University of Calgary’s Faculty of Medicine. Mr. Simon holds a Master of Engineering degree from the University of Alberta.

Paul A. Watters

Paul A. Watters received his Ph.D. in computer science from Macquarie University. He also has degrees from the University of Cambridge, the University of Tasmania, and the University of Newcastle. He has worked in both commercial and R&D organizations, designing systems and software on the Solaris platform. His commercial interests are focused on Java, Web Services, and e-commerce systems in the enterprise. His research areas include virtual enterprises, secure distributed storage, and complex systems. He has previously written Solaris 9: The Complete Reference and Solaris 9 Administration: A Beginner’s Guide, both published by McGraw Hill/Osborne.

Andrew White

Andrew White is Chief Security Architect at Vordel. He has been working in software development for twenty years, and in that time has been involved in a broad range of application areas, including financial services, CRM, and intruder/fire detection systems. For the past ten years, he’s been working in the information security field. Specific security related projects he’s been involved with in previous employments include HushMail, the award winning secure Web-based e-mail solution, and a number of high-value financial systems for European financial institutions.

Married with two children, Mr. White’s hobbies include walking Wicklow hills and tending to the growing inventory of his personal antique computer museum, the latter causing much discord with his wife.

ACKNOWLEDGMENTS

Thanks to Tracy and her team at McGraw-Hill/Osborne for chasing chapters while I was in between Barcelona, Boston, Dublin, and California. Thanks to Ed at XMLSec, Inc., for his expert technical review and comments. Thanks to the other authors for their excellent contributions. Thanks to everyone at Vordel for the privilege of tapping into their knowledge and hard work.

—Mark O’Neill

I would like to thank the W3C XML Key Management Working Group for its work on the XKMS protocol and the VeriSign Web Services Engineering team, in particular Scott Lurndal for providing the original code on which the examples in the text were based.

—Phillip Hallam-Baker

Thanks to Tracy Dunkelberger at McGraw Hill/Osborne for organizing everything; to Elizabeth Seymour and Dennis Weaver at McGraw Hill/Osborne for their comments; to Ed Simon at XMLSec, Inc., for his technical comments; to Colin Larkin at Ericsson and in particular to Mark O’Neill, Andrew White, Tony Palmer, Karl Nesbitt, and the technical team at Vordel Limited for answering questions since 1999.

—Seán Mac Cann

Thanks to Paul Madsen of Entrust for his technical review of the Liberty Alliance Project chapter. It was a pleasure working with Mark (the lead author) and Tracy and her team at McGraw-Hill/Osborne.

—Ed Simon

To everyone at my agency, Studio B, thanks for your past and continued support. To Neil Salkind, my agent, thanks for your wisdom and pragmatic advice. To Bill Moffitt, at Sun Microsystems, thanks for your continued support of my publishing efforts. Finally, thanks to my family, especially my wife Maya, for always being there, through good times and tough times.

—Paul A. Watters
