Web Services Security: UsernameToken Profile 1.0

1 2 3 4 Web Services Security: UsernameToken Profile 1.0 OASIS Standard 200401, March 2004 5 6 7 (Japanese Translation): XML (XML Consortium Security SIG) (Editors): YAMANE, Toshio NISHIMURA, Toshihiro 8 (Contributors): AKIMOTO, Satoshi MATSUNAGA, Yutaka OKAMURA, Kazuhide NAKAYAMA, Kojiro 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 (disclaimer notice): This translated document is provided by XML Consortium as an informational service to the global community. This is an unofficial, non-normative translation of the official document, Web Services Security: Username Token Profile 1.0, located at http://docs.oasisopen.org/wss/2004/01/ oasis-200401-wss-username-token-profile-1.0.pdf, copyright OASIS 2002-2004. This translation is published with acknowledgement of and in agreement with terms specified in the OASIS Translation Policy. Neither OASIS nor XML Consortium assume responsibility for any errors contained herein. XML http://docs.oasis-open.org/wss/2004/01/ oasis-200401-wssusername-token-profile-1.0.pdf Web Services Security UsernameToken Profile 1.0, copyright OASIS 2002-2004 OASIS Translation Policy OASIS XML THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OR CONDITIONS OF TITLE, NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL XML CONSORTIUM, BE LIABLE FOR ANY CONSEQUENTIAL, INCIDENTAL, DIRECT, INDIRECT, SPECIAL, PUNITIVE, OR OTHER DAMAGES WHATSOEVER (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF BUSINESS PROFITS, BUSINESS INTERRUPTION, LOSS OF BUSINESS INFORMATION, OR OTHER PECUNIARY LOSS) ARISING OUT OF THIS DOCUMENT. Copyright OASIS Open 2002-2006. All Rights Reserved. Page 1 of 19

36 37 38 39 40 41 42 43 44 45 46 47 Web Services Security UsernameToken Profile 1.0 OASIS Standard 200401, March 2004 Document identifier: {WSS: SOAP Message Security }-{UsernameToken Profile }-{1.0} (Word) (PDF) Location: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0 Errata Location: http://www.oasis-open.org/committees/wss Editor: Anthony Nadalin IBM Phil Griffin Individual Chris Kaler Microsoft Phillip Hallam-Baker VeriSign Ronald Monzillo Sun Contributors: Gene Thurston AmberPoint Frank Siebenlist Argonne National Lab Merlin Hughes Baltimore Technologies Irving Reid Baltimore Technologies Peter Dapkus BEA Hal Lockhart BEA Symon Chang CommerceOne Srinivas Davanum Computer Associates Thomas DeMartini ContentGuard Guillermo Lao ContentGuard TJ Pannu ContentGuard Shawn Sharp Cyclone Commerce Ganesh Vaideeswaran Documentum Sam Wei Documentum John Hughes Entegrity Tim Moses Entrust Toshihiro Nishimura Fujitsu Tom Rutt Fujitsu Yutaka Kudo Hitachi Jason Rouault HP Paula Austel IBM Bob Blakley IBM Joel Farrell IBM Copyright OASIS Open 2002-2006. All Rights Reserved. Page 3 of 19

Satoshi Hada IBM Maryann Hondo IBM Michael McIntosh IBM Hiroshi Maruyama IBM David Melgar IBM Anthony Nadalin IBM Nataraj Nagaratnam IBM Wayne Vicknair IBM Kelvin Lawrence IBM (co-chair) Don Flinn Individual Bob Morgan Individual Bob Atkinson Microsoft Keith Ballinger Microsoft Allen Brown Microsoft Paul Cotton Microsoft Giovanni Della-Libera Microsoft Vijay Gajjala Microsoft Johannes Klein Microsoft Scott Konersmann Microsoft Chris Kurt Microsoft Brian LaMacchia Microsoft Paul Leach Microsoft John Manferdelli Microsoft John Shewchuk Microsoft Dan Simon Microsoft Hervey Wilson Microsoft Chris Kaler Microsoft (co-chair) Prateek Mishra Netegrity Frederick Hirsch Nokia Senthil Sengodan Nokia Lloyd Burch Novell Ed Reed Novell Charles Knouse Oblix Steve Anderson OpenNetwork (Sec) Vipin Samar Oracle Jerry Schwarz Oracle Eric Gravengaard Reactivity Stuart King Reed Elsevier Andrew Nash RSA Security Rob Philpott RSA Security Peter Rostin RSA Security Martijn de Boer SAP Blake Dournaee Sarvega Pete Wenzel SeeBeyond Jonathan Tourzan Sony Yassir Elley Sun Microsystems Jeff Hodges Sun Microsystems Ronald Monzillo Sun Microsystems Jan Alexander Systinet Michael Nguyen The IDA of Singapore Don Adams TIBCO John Weiland US Navy Phillip Hallam-Baker VeriSign Mark Hays Verisign Hemma Prafullchandra VeriSign Copyright OASIS Open 2002-2006. All Rights Reserved. Page 4 of 19

48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 Abstract: WSS: SOAP Message Security specification [WSS]. Status: OASIS Web Services Security (WSS) wss@lists.oasis-open.org wss-comment@lists.oasis-open.org "subscribe" wss-commentrequest@lists.oasis-open.org email http://www.oasisopen.org/committees/wss/ipr.php OASIS Web Services Security Technical Committee (WSS TC) Intellectual Property Rights OASIS IPR http://www.oasis-open.org/who/intellectualproperty.shtml Copyright OASIS Open 2002-2006. All Rights Reserved. Page 5 of 19

63 Table of Contents 64 65 66 67 68 69 70 71 72 73 74 75 76 1... 7 2... 8 2.1... 8 2.2... 8 2.3... 9 3... 10 3.1... 10 3.2... 13 3.3... 14 4... 15 5...16 Appendix A.... 17 Appendix B. Notices... 18 77 Copyright OASIS Open 2002-2006. All Rights Reserved. Page 6 of 19

85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 2 2.1 MUST, MUST NOT, REQUIRED, SHALL, SHALL NOT, SHOULD, SHOULD NOT, RECOMMENDED, MAY OPTIONAL [RFC2119] XML Infoset ( [some property]) XML [XML-Schema] WSS: SOAP Message Security [children] [attributes] XPath [XPath] ( /x:myheader/x:someproperty/@value1) {any} (<xs:any/>) @{any} (<xs:anyattribute/>) Internet Security Glossary [SECGLO] Web Services Security 2.2 ( "some-uri" ) URI RFC 2396 [URI] URI SOAP [SOAP11, SOAP12] SOAP SOAP 1.1 URI SOAP ( URI - ) Prefix S11 S12 wsse wsu Namespace http://schemas.xmlsoap.org/soap/envelope/ http://www.w3.org/2003/05/soap-envelope http://docs.oasis-open.org/wss/2004/01/oasis-200401-wsswssecurity-secext-1.0.xsd http://docs.oasis-open.org/wss/2004/01/oasis-200401-wsswssecurity-utility-1.0.xsd 112 113 wsse wsu URL Copyright OASIS Open 2002-2006. All Rights Reserved. Page 8 of 19

114 115 2.3 ( ) Term SHA SOAP URI UCS UTF8 XML Definition Secure Hash Algorithm Simple Object Access Protocol Uniform Resource Identifier Universal Character Set UCS Transformation Format, 8-bit form Extensible Markup Language Copyright OASIS Open 2002-2006. All Rights Reserved. Page 9 of 19

116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 3 3.1 <wsse:usernametoken> WSS: SOAP Message Security <wsse:usernametoken> <wsse:password> wsse:passwordtext wsse:passworddigest S/KEY ( ) wsse:passwordtext wsse:passworddigest " " " " (password) wsse:passwordtext wsse:passworddigest UTF8 ( ) SHA-1 Base64 [XML-Schema] wsse:passwordtext wsse:passworddigest <wsse:nonce> <wsu:created> 2 <wsse:usernametoken> nonce nonce nonce nonce nonce " " <wsse:nonce> <wsu:created> (MUST) Password_Digest = Base64 ( SHA-1 ( nonce + created + password ) ) nonce (created) ( ) SHA-1 Base64 ( ) web 3 (RECOMMENDED): 1. web nonce (RECOMMENDED) 2. web " " " " Copyright OASIS Open 2002-2006. All Rights Reserved. Page 10 of 19

157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 (RECOMMENDED) 5 3. nonce ( ) nonce (RECOMMENDED) nonce UTF8 wsse:passworddigest ( ) SHA-1 -- nonce/created nonce nonce+created created ( ) ( ) ( ) / nonce ( 2 ) XML <wsse:usernametoken wsu:id="example-1"> <wsse:username>... </wsse:username> <wsse:password Type="...">... </wsse:password> <wsse:nonce EncodingType="...">... </wsse:nonce> <wsu:created>... </wsu:created> </wsse:usernametoken> /wsse:usernametoken/wsse:password ( ) ( HTTP/S) (RECOMMENDED) /wsse:usernametoken/wsse:password/@type Copyright OASIS Open 2002-2006. All Rights Reserved. Page 11 of 19

201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 URI (URI URI ) URI #PasswordText (default) #PasswordDigest /wsse:usernametoken/wsse:password/@{any} S/KEY nonce SHA1 ( nonce / ) /wsse:usernametoken/wsse:nonce nonce <wsse:nonce> web nonce (MUST) /wsse:usernametoken/wsse:nonce/@encodingtype URI nonce ( <wsse:binarysecuritytoken> ) Base64 /wsse:usernametoken/wsu:created <wsu:created> <wsu:timestamp> <wsse:usernametoken> (MUST) WSS: SOAP Message Security <wsse:keyidentifier> <ds:keyname> <S11:Envelope xmlns:s11="..." xmlns:wsse="..."> <S11:Header>... <wsse:security> <wsse:usernametoken> <wsse:username>zoe</wsse:username> <wsse:password>ilovedogs</wsse:password> </wsse:usernametoken> Copyright OASIS Open 2002-2006. All Rights Reserved. Page 12 of 19

234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 </wsse:security>... </S11:Header>... </S11:Envelope> nonce <S11:Envelope xmlns:s11="..." xmlns:wsse="..." xmlns:wsu= "..."> <S11:Header>... <wsse:security> <wsse:usernametoken> <wsse:username>nnk</wsse:username> <wsse:password Type="...#PasswordDigest"> weyi3nxd8ljmnvksckfv8t3rghh3rw== </wsse:password> <wsse:nonce>wscqanjceac4mqobe07saq==</wsse:nonce> <wsu:created>2003-07-16t01:24:32z</wsu:created> </wsse:usernametoken> </wsse:security>... </S11:Header>... </S11:Envelope> 3.2 UsernameToken <wsse:securitytokenreference> ValueType <wsse:usernametoken> (MUST) (URI URI ) URI #UsernameToken UsernameToken UsernameToken <ds:keyinfo> UsernameToken KeyIdentifier KeyIdentifier UsernameToken (MUST NOT) UsernameToken KeyName KeyName UsernameToken (MUST NOT) wsu:id Copyright OASIS Open 2002-2006. All Rights Reserved. Page 13 of 19

284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 4 nonce <UsernameToken> ( ) 2 : 1 nonce nonce nonce : ( ) WSS: SOAP Message Security 13 Copyright OASIS Open 2002-2006. All Rights Reserved. Page 15 of 19

311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 5 [SECGLO] Informational RFC 2828, "Internet Security Glossary," May 2000. [RFC2119] S. Bradner, "Key words for use in RFCs to Indicate Requirement Levels," RFC 2119, Harvard University, March 1997 [WSS] OASIS standard, "WSS: SOAP Message Security," TBD. [SOAP11] W3C Note, "SOAP: Simple Object Access Protocol 1.1," 08 May 2000. [SOAP12] W3C Working Draft, SOAP Version 1.2 Part 1: Messaging Framework, 26 June 2002. [URI] T. Berners-Lee, R. Fielding, L. Masinter, "Uniform Resource Identifiers (URI): Generic Syntax," RFC 2396, MIT/LCS, U.C. Irvine, Xerox Corporation, August 1998. [XML-Schema] W3C Recommendation, "XML Schema Part 1: Structures,"2 May 2001. W3C Recommendation, "XML Schema Part 2: Datatypes," 2 May 2001. [XPath] W3C Recommendation, "XML Path Language", 16 November 1999 [WS-Security] OASIS, Web Services Security: SOAP Message Security 19 January 2004, http://www.docs.oasis-open.org/wss/2004/01/oasis-200401-wsssoap-message-security-1.0 [XML-C14N] W3C Recommendation, "Canonical XML Version 1.0," 15 March 2001 [EXC-C14N] W3C Recommendation, "Exclusive XML Canonicalization Version 1.0," 8 July 2002. [XML-Encrypt] W3C Working Draft, "XML Encryption Syntax and Processing," 04 March 2002 W3C Recommendation, Decryption Transform for XML Signature, 10 December 2002. [XML-ns] W3C Recommendation, "Namespaces in XML," 14 January 1999. [XML Signature] W3C Recommendation, "XML Signature Syntax and Processing," 12 February 2002. [XPointer] "XML Pointer Language (XPointer) Version 1.0, Candidate Recommendation", DeRose, Maler, Daniel, 11 September 2001. Copyright OASIS Open 2002-2006. All Rights Reserved. Page 16 of 19

343 Appendix A. Rev Date By Whom What Wd-1.0 2002-12-16 Phil Griffin Initial version cloned from the WSS core specification Wd-1.1 2003-01-26 Anthony Nadalin Bring in line with WSS-Core Update Wd-1.2 2003-02-23 Anthony Nadalin Editorial Updates Wd-1.3 2003-06-30 Anthony Nadalin Editorial Updates Wd-1.4 2003-08-11 Anthony Nadalin Editorial Updates Cd-1.5 2003-12-09 Anthony Nadalin, Chris Kaler Cd-1.5 2003-12-15 Anthony Nadalin, Chris Kaler Editorial Updates based on Issue List #30 Editorial Updates based on Editorial feedback Cd-1.6 2003-12-22 Anthony Nadalin Editorial Updates based on Editorial feedback Cd-1.7 & 1.8 2003-12-29 Anthony Nadalin, Chris Kaler Editorial Updates based on Editorial feedback Cd-1.8 2004-01-19 Anthony Nadalin, Chris Kaler Editorial corrections for name space and document name Cd-1.9 2004-02-17 Anthony Nadalin Editorial corrections per Karl Best Copyright OASIS Open 2002-2006. All Rights Reserved. Page 17 of 19

344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 Appendix B. Notices OASIS takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights. Information on OASIS's procedures with respect to rights in OASIS specifications can be found at the OASIS website. Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementors or users of this specification, can be obtained from the OASIS Executive Director. OASIS invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights which may cover technology that may be required to implement this specification. Please address the information to the OASIS Executive Director. Copyright The Organization for the Advancement of Structured Information Standards [OASIS] 2002-2004. All Rights Reserved. This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself does not be modified in any way, such as by removing the copyright notice or references to OASIS, except as needed for the purpose of developing OASIS specifications, in which case the procedures for copyrights defined in the OASIS Intellectual Property Rights document must be followed, or as required to translate it into languages other than English. The limited permissions granted above are perpetual and will not be revoked by OASIS or its successors or assigns. This document and the information contained herein is provided on an AS IS basis and OASIS DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. OASIS OASIS OASIS OASIS OASIS Executive Director OASIS OASIS Executive Director Copyright OASIS Open 2002-2004. All Rights Reserved. Copyright OASIS Open 2002-2006. All Rights Reserved. Page 18 of 19