Lessons on Developing Enterprise Web Services by ewghwehws


Chapter 12
Web Services Security

• To explain how traditional security methods can protect Web services transmissions
• To discuss Web services security standards, including Security Assertion Markup Language (SAML) and XML Signature
• To introduce XML Key Management Specification (XKMS) and XML Encryption
• To explore emerging Web services standards, including WS-Security
• To discuss how Web services affect network security
• Web services
  - Move transactions beyond firewalls
  - Enable outside entities to invoke applications
    * Outsiders gain access to sensitive information
    => new security challenges
• Effective Web services security
  - Allows clients to access appropriate services while keeping sensitive information confidential
  - Users must provide some form of authentication
  - Requires end-to-end security for transactions

• Interoperability is fundamental to Web services
  - Transmissions occur across multiple platforms and must be secured at all times.
• New security standards have been developed to address Web services-specific security issues
  - Security Assertion Markup Language (SAML)
  - XML Key Management Specification (XKMS)
  - XML Signature
  - XML Encryption

Basic Security for Transmissions over HTTP

• HTTP enables Web servers to authenticate users before allowing access to resources.
• A Web server might check a user's credentials against a database before granting or denying access.
• The HTTP authentication schemes rely on shared secrets (passwords) and message digests, technologies discussed in the previous chapter.

Basic Security for Transmissions over HTTP (Cont.)

• The methods outlined in the HTTP specification are weak.
  - HTTP provides no process for encrypting the body of a message.
  - HTTP authentication should be combined with other security technologies
    * SSL
    * Kerberos

Basic Security for Transmissions over HTTP (Cont.)

• Challenge-response authentication
  - The method used in HTTP (Basic authentication)
  - The user must provide specific authentication information to verify their identity.
    * An unauthenticated user attempts to view a protected resource.
      The server returns a 401 Unauthorized response carrying a WWW-Authenticate challenge.
  - The user must provide the server with a username and a password to access the resource.
    * The user's credentials are unacceptable.
      The server denies access. In practice it re-issues the 401 challenge for bad credentials; a 403 Forbidden response means the server refuses to authorize the request regardless of the credentials presented.
  - When used alone
    * Challenge-response (Basic) authentication is a relatively weak security mechanism.
      Passwords and credentials are transmitted in plain text (Base64 encoding is not encryption).

Basic Security for Transmissions over HTTP (Cont.)

• Digest authentication
  - Introduced as an extension to HTTP 1.0 (RFC 2069) and revised for HTTP 1.1 (RFC 2617)
  - A protocol in which the user's credentials are submitted to the server as a checksum (message digest)
  - A message digest is a fixed-size value derived from the message
    * Checksum over the user name, realm, password, the request URI, the HTTP method and a server-supplied unique value (nonce)
  - Protects the username and password from eavesdropping attackers
    * Credentials are not transmitted in plain text: an MD5 digest is sent instead
  - Weaknesses
    * Message content is not encrypted
    * Both server and client must support digest authentication
    * A captured digest exchange can be attacked offline by guessing the password, and MD5 is no longer considered a strong hash

Basic Security for Transmissions over HTTP (Cont.)

• A server can restrict access on the basis of an IP address.
  - Vulnerable to IP spoofing
• Password authentication
  - Users often generate passwords from personal information, which makes them guessable.
  - Simple password authentication does not encrypt message content.

Web Services and SSL

• SSL is considered the next step beyond basic security for Web services
• The SSL protocol secures the channel through which data flows between a client and a server and enables authentication of both parties (the server by its certificate, optionally the client by a client certificate).
• Problems
  - Requires managing user credentials and certificates
  - SSL encryption calculations use considerable processor power.
    * SSL accelerators are hardware devices or software programs that offload the SSL encryption calculations.

Web Services and SSL (Cont.)

• SSL protects data in transit, but does not by itself provide end-to-end security for a Web services message.
  - Secures communications by sending HTTP requests and responses over an SSL connection (HTTPS)
  - Takes place over port 443
  - Provides point-to-point security between a client and a server (or consumer and vendor). Each SSL connection ends at the next hop, so an intermediary such as a proxy, gateway or broker sees, and can alter, the plaintext message. Message-level security (XML Signature, XML Encryption) is what carries protection through intermediaries.

XML Signature and XML Encryption

• XML Signature
  - The W3C's XML Signature specification defines an XML-based standard for representing digital signatures.
  - XML Signature was developed by the joint XML Signature Working Group of the W3C and the IETF.
  - Provides authentication and message integrity (and, with a public-key signature, non-repudiation)
  - Can sign any type of data, not just XML documents
  - Computes the hash value over the canonical form of an XML document, so that differences that do not change the document's meaning (whitespace inside tags, attribute order, quote style) do not invalidate a signature

XML Signature and XML Encryption (Cont.)

• Because online transactions are complex, a document might carry signatures from multiple parties.
  - A customer uses a signature to authenticate their identity, then submits the information to the seller.
  - The seller checks the integrity of the customer's signature and signs the document before submitting it to the credit-card company.
  - The credit-card company receives signatures that verify the authenticity of the customer and the seller.
  - Fig. 12.1 – XML that marks up an online bookstore

XML Signature and XML Encryption (Cont.)

• Three types of signature
  - Enveloping signature
    * Contains the signed data as part of the signature
  - Enveloped signature
    * Resides within the data it signs
  - Detached signature
    * Stored separately from the signed data, but contains a reference to the signed data
    * Fig. 12.2 – Detached XML Signature referencing an element in an external XML document
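A detached signature of the Fig. 12.2 kind, built and verified with the Python standard library, as an added example that is neither the slides' code nor the W3C's. It shows the two-stage structure the spec requires: a digest of the canonical form of the referenced element goes into <ds:Reference>, and the signature is then computed over the canonical <ds:SignedInfo>. Two assumptions are made for the example: the SignatureMethod is HMAC-SHA256 (a keyed MAC, so signer and verifier share KEY rather than an X.509 key pair; the spec also defines RSA and DSA methods), and whitespace-only text is stripped before canonicalisation so that pretty-printing does not change the digest. The order document and the key are constructed.

```python
"""Detached XML Signature over one element, standard library only.
Added example (not from the slides).  Assumed simplifications: HMAC-SHA256
as the SignatureMethod and whitespace-only text stripped before C14N."""
import base64
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("ds", DS)
C14N = "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"
HMAC_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"

KEY = b"constructed-shared-secret"   # constructed; a real deployment provisions this securely

# Constructed order document, standing in for the external document of Fig. 12.2
ORDER = """<order xmlns="urn:example:bookstore">
  <item Id="line1"><isbn>0-13-046134-2</isbn><qty>2</qty></item>
  <shipTo>1 Example Street</shipTo>
</order>"""


def _ds(tag):
    return f"{{{DS}}}{tag}"


def c14n(elem):
    """Canonical XML (C14N 1.0) of one subtree; the element's tail text is not part of it."""
    elem = copy.copy(elem)
    elem.tail = None
    return ET.canonicalize(ET.tostring(elem, encoding="unicode"), strip_text=True).encode()


def find_by_id(root, id_value):
    for e in root.iter():
        if e.get("Id") == id_value:
            return e
    raise KeyError(f"no element with Id={id_value!r}")


def sign_detached(doc_xml, element_id, key):
    """Return a <ds:Signature> string referencing #element_id in doc_xml.
    Only the referenced element is covered: its canonical digest goes into
    SignedInfo, and the MAC is computed over canonical SignedInfo."""
    target = find_by_id(ET.fromstring(doc_xml), element_id)
    digest = hashlib.sha256(c14n(target)).digest()
    signed_info = ET.Element(_ds("SignedInfo"))
    ET.SubElement(signed_info, _ds("CanonicalizationMethod"), Algorithm=C14N)
    ET.SubElement(signed_info, _ds("SignatureMethod"), Algorithm=HMAC_SHA256)
    ref = ET.SubElement(signed_info, _ds("Reference"), URI="#" + element_id)
    ET.SubElement(ref, _ds("DigestMethod"), Algorithm=SHA256)
    ET.SubElement(ref, _ds("DigestValue")).text = base64.b64encode(digest).decode()
    signature = ET.Element(_ds("Signature"))
    signature.append(signed_info)
    mac = hmac.new(key, c14n(signed_info), "sha256").digest()
    ET.SubElement(signature, _ds("SignatureValue")).text = base64.b64encode(mac).decode()
    return ET.tostring(signature, encoding="unicode")


def verify_detached(doc_xml, signature_xml, key):
    """True only if SignatureValue matches SignedInfo AND every Reference digest
    matches the current content of the element it points to."""
    signature = ET.fromstring(signature_xml)
    signed_info = signature.find(_ds("SignedInfo"))
    if signed_info.find(_ds("SignatureMethod")).get("Algorithm") != HMAC_SHA256:
        return False                  # never let the message choose an unexpected algorithm
    claimed_mac = base64.b64decode(signature.findtext(_ds("SignatureValue")))
    if not hmac.compare_digest(claimed_mac, hmac.new(key, c14n(signed_info), "sha256").digest()):
        return False                  # SignedInfo was altered, or wrong key
    root = ET.fromstring(doc_xml)
    for ref in signed_info.findall(_ds("Reference")):
        try:
            target = find_by_id(root, ref.get("URI", "").lstrip("#"))
        except KeyError:
            return False
        claimed_digest = base64.b64decode(ref.findtext(_ds("DigestValue")))
        if not hmac.compare_digest(claimed_digest, hashlib.sha256(c14n(target)).digest()):
            return False              # referenced element was altered after signing
    return True


if __name__ == "__main__":
    sig = sign_detached(ORDER, "line1", KEY)
    print(sig)
    print(verify_detached(ORDER, sig, KEY))
```

The last check a practitioner should take away from this: a detached signature covers exactly what its References point to. Changing the shipTo element in the order above does not invalidate the signature of line1, so a verifier must confirm that the element it is about to act on is the one the Reference covered, not merely that "the signature verifies".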

XML Signature and XML Encryption (Cont.)

• XML Encryption
  - The W3C's XML Encryption specification defines how to encrypt data, represent the result in XML and decrypt it again
  - Protects any form of data, including a whole XML element, only an element's contents, or an arbitrary document
  - Fig. 12.3 – XML document with the personal element encrypted
  - Fig. 12.4 – XML document with the CreditCard element encrypted
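The Fig. 12.4 transformation as runnable code, added here and not taken from the slides: the CreditCard element is replaced in place by an <xenc:EncryptedData Type="...#Element"> carrying an EncryptionMethod and a Base64 CipherValue, and decryption restores the original element. One substitution is made to keep the example dependency-free: the cipher is a stand-in built from HMAC-SHA256 in counter mode with an encrypt-then-MAC tag, and its Algorithm URI (urn:example:...) is a constructed placeholder. Real XML Encryption names its own algorithms (AES in CBC mode in version 1.0; AES-GCM was added in 1.1 because unauthenticated CBC ciphertext is malleable), and a production implementation uses one of those. The order document and keys are constructed.

```python
"""Element-level XML Encryption: replace <CreditCard> with <xenc:EncryptedData>
and restore it.  Added example (not from the slides).  The cipher is a
stand-in (HMAC-SHA256 counter mode + encrypt-then-MAC) used only to stay in
the standard library; STANDIN_ALG is a constructed placeholder URI."""
import base64
import copy
import hmac
import os
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"
ET.register_namespace("xenc", XENC)
ELEMENT_TYPE = XENC + "Element"             # Type value for "the whole element was encrypted"
STANDIN_ALG = "urn:example:hmac-sha256-ctr-etm"   # constructed, not a registered identifier

ORDER = """<order>
  <customer>Jane Doe</customer>
  <CreditCard><number>4111111111111111</number><expiry>12/29</expiry></CreditCard>
  <total>59.98</total>
</order>"""


def _x(tag):
    return f"{{{XENC}}}{tag}"


def _keystream(key, nonce, n):
    out = b""
    for ctr in range(-(-n // 32)):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), "sha256").digest()
    return out[:n]


def seal(enc_key, mac_key, plaintext):
    """nonce || ciphertext || tag.  A fresh nonce per message travels with the
    ciphertext, the same way XML Encryption prepends the IV for CBC."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, "sha256").digest()
    return nonce + ct + tag


def unseal(enc_key, mac_key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, "sha256").digest()):
        raise ValueError("ciphertext was modified")   # reject before decrypting anything
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def _replace(root, old, new):
    parent = {c: p for p in root.iter() for c in p}[old]
    idx = list(parent).index(old)
    parent.remove(old)
    parent.insert(idx, new)
    new.tail = old.tail


def encrypt_element(doc_xml, tag, enc_key, mac_key):
    """Encrypt the first <tag> element and swap it for an EncryptedData element."""
    root = ET.fromstring(doc_xml)
    target = root.find(f".//{tag}")
    if target is None:
        raise ValueError(f"no <{tag}> element")
    plain = copy.copy(target)
    plain.tail = None                        # encrypt the element itself, not surrounding text
    enc = ET.Element(_x("EncryptedData"), Type=ELEMENT_TYPE)
    ET.SubElement(enc, _x("EncryptionMethod"), Algorithm=STANDIN_ALG)
    cipher_data = ET.SubElement(enc, _x("CipherData"))
    blob = seal(enc_key, mac_key, ET.tostring(plain))
    ET.SubElement(cipher_data, _x("CipherValue")).text = base64.b64encode(blob).decode()
    _replace(root, target, enc)
    return ET.tostring(root, encoding="unicode")


def decrypt_element(doc_xml, enc_key, mac_key):
    """Find the EncryptedData element, check its algorithm, decrypt and put the element back."""
    root = ET.fromstring(doc_xml)
    enc = root.find(f".//{_x('EncryptedData')}")
    if enc is None:
        raise ValueError("no EncryptedData element")
    if enc.find(_x("EncryptionMethod")).get("Algorithm") != STANDIN_ALG:
        raise ValueError("unsupported algorithm")   # the message must not pick the cipher freely
    blob = base64.b64decode(enc.findtext(f"{_x('CipherData')}/{_x('CipherValue')}"))
    _replace(root, enc, ET.fromstring(unseal(enc_key, mac_key, blob)))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    k_enc, k_mac = os.urandom(32), os.urandom(32)
    sealed = encrypt_element(ORDER, "CreditCard", k_enc, k_mac)
    print(sealed)
    print(decrypt_element(sealed, k_enc, k_mac))
```

The two checks in decrypt_element are the ones worth carrying over to a real XML Encryption implementation: pin the expected Algorithm rather than dispatching on whatever the document declares, and verify integrity before the ciphertext is decrypted or parsed.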

XML Key Management Specification (XKMS)

• XKMS
  - Specification for registering and distributing encryption keys for Public Key Infrastructure (PKI)
  - Developed by Microsoft, VeriSign and webMethods, but now a W3C initiative
  - Simplifies the steps necessary to implement PKI (particularly key management)
    * Provides an easy and user-friendly method for secure transactions
    * Easy implementation
  - Designed for use with XML Signature and XML Encryption
    * XML Signature and XML Encryption do not address trust management (the handling and validation of public and private keys)
    * XKMS provides the necessary trust management.

XML Key Management Specification (XKMS) (Cont.)

• XKMS consists of two specifications:
  - XML Key Information Service Specification (X-KISS)
    * A set of protocols that process key information
      found in XML-encrypted data, digital signatures and other uses of public-key cryptography
    * Locates public keys and binds user information to the keys
  - XML Key Registration Service Specification (X-KRSS)
    * A set of certificate-management protocols that address the life cycle of a digital certificate, from registration through reissue and revocation to recovery
      During registration, the user registering the key pair submits the public key to a trusted registration server through a digitally signed request, which also proves possession of the matching private key.
    * Fig. 12.5 – X-KRSS registration request for a key pair

Security Assertion Markup Language (SAML)

• SAML
  - An emerging standard for transferring authentication, authorization and permissions information over the Internet
  - The OASIS Security Services Technical Committee (SSTC) is developing SAML.
    * As a standard XML specification for B2B and B2C transactions
  - A form of Permissions Management Infrastructure (PMI), a system that uses a set of policies to handle access control and authorization.
  - Combines Securant Technologies' AuthXML and Netegrity's Security Services Markup Language (S2ML)
Security Assertion Markup Language (SAML) (Cont.)

• SAML provides a method for single sign-on authentication and authorization
  - Fig. 12.6 – Single sign-on example using SAML
• SAML can be used for B2B communication
  - Fig. 12.7 – Authentication assertion sample
  - Fig. 12.8 – Attribute assertion sample
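What the relying party (the service provider in the Fig. 12.6 single sign-on flow) must check before it trusts an assertion like those in Figs. 12.7 and 12.8, as an added example that is not part of the slides. The assertion below is constructed and uses the SAML 2.0 assertion namespace (the slides predate 2.0; the checks are the same in spirit for 1.x). The example deliberately leaves out XML Signature verification: in production the issuer's signature over the assertion is verified first, and these checks then decide whether an already-authentic assertion is acceptable for this service and this moment. The 30-second clock-skew allowance and the in-memory replay cache are this example's own choices.

```python
"""Service-provider side acceptance checks for a SAML 2.0 assertion.
Added example (not from the slides); the assertion is constructed.
Signature verification is assumed to have happened before this runs."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://bookstore.example.com</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2024-01-01T11:59:50Z"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="role"><saml:AttributeValue>customer</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _s(tag):
    return f"{{{SAML}}}{tag}"


def ts(value):
    """Parse the UTC timestamps SAML uses (YYYY-MM-DDTHH:MM:SSZ)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


class AssertionRejected(Exception):
    pass


def accept_assertion(xml, trusted_issuer, my_audience, now, seen_ids,
                     skew=timedelta(seconds=30)):
    """Return {"subject": ..., "attributes": {...}} or raise AssertionRejected.
    seen_ids is a set of assertion IDs already consumed (replay cache)."""
    a = ET.fromstring(xml)
    if a.tag != _s("Assertion") or a.get("Version") != "2.0":
        raise AssertionRejected("not a SAML 2.0 assertion")
    if a.findtext(_s("Issuer")) != trusted_issuer:
        raise AssertionRejected("untrusted issuer")
    conditions = a.find(_s("Conditions"))
    if conditions is None:
        raise AssertionRejected("no Conditions element")
    # validity window, with a small allowance for clock drift between IdP and SP
    if now + skew < ts(conditions.get("NotBefore")):
        raise AssertionRejected("assertion not yet valid")
    if now - skew >= ts(conditions.get("NotOnOrAfter")):
        raise AssertionRejected("assertion expired")
    audiences = [e.text for e in conditions.iter(_s("Audience"))]
    if my_audience not in audiences:
        raise AssertionRejected("assertion was issued for a different audience")
    if a.find(_s("AuthnStatement")) is None:
        raise AssertionRejected("no authentication statement")
    assertion_id = a.get("ID")
    if not assertion_id or assertion_id in seen_ids:
        raise AssertionRejected("assertion replayed or unidentified")
    seen_ids.add(assertion_id)
    subject = a.findtext(f"{_s('Subject')}/{_s('NameID')}")
    attributes = {att.get("Name"): [v.text for v in att.findall(_s("AttributeValue"))]
                  for att in a.iter(_s("Attribute"))}
    return {"subject": subject, "attributes": attributes}


if __name__ == "__main__":
    print(accept_assertion(ASSERTION, "https://idp.example.com",
                           "https://bookstore.example.com", ts("2024-01-01T12:01:00Z"), set()))
```

The audience check is the one most often skipped and most costly to skip: without it, an assertion the identity provider issued for one service can be presented to another, which is exactly the cross-site misuse single sign-on must prevent.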
Extensible Access Control Markup Language (XACML)

• XACML
  - Being developed by OASIS
  - Allows organizations to communicate their policies for accessing online information
• XACML defines:
  - which clients can access information
  - what information is available to clients
  - when clients can access the information, and
  - how clients can gain access to information
Extensible Access Control Markup Language (XACML) (Cont.)

• XACML security policies can regulate information access using factors such as
  - the client's identity
  - the client's method of authentication
  - the port through which the client is communicating
• XACML can express Digital Rights Management (DRM) rules for content delivered over the Internet.
• XACML policies provide the basis for authoritative decision-making at a Policy Decision Point (PDP); a Policy Enforcement Point (PEP) applies the PDP's decision to the request.
• Fig. 12.10 – XACML policy that allows customers to view their purchase history
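The Fig. 12.10 scenario evaluated by a miniature Policy Decision Point, as an added example that is not part of the slides: a Policy with a Target and two Rules (each with its own Target, an optional Condition and an Effect), combined with a deny-overrides algorithm, plus the Policy Enforcement Point rule that only an explicit Permit opens the door. The policy is expressed as Python data rather than XACML XML, the attribute names (subject id, role, authn-method, resource type and owner, action id) are this example's own, the deny-overrides ordering is a simplification of the standard algorithm, and all requests are constructed.

```python
"""A miniature XACML-style Policy Decision Point.
Added example (not from the slides); policy and requests are constructed,
attribute names are this example's own, and the combining algorithm is a
simplified deny-overrides."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Attrs = Dict[str, Dict[str, str]]     # {"subject": {...}, "resource": {...}, "action": {...}}


@dataclass
class Rule:
    rule_id: str
    effect: str                       # "Permit" or "Deny"
    target: Attrs = field(default_factory=dict)
    condition: Optional[Callable[[Attrs], bool]] = None


@dataclass
class Policy:
    policy_id: str
    target: Attrs
    rules: List[Rule]


def target_matches(target: Attrs, request: Attrs) -> bool:
    """A target applies when every attribute it names is present with that value."""
    return all(request.get(category, {}).get(name) == value
               for category, attrs in target.items() for name, value in attrs.items())


def evaluate_rule(rule: Rule, request: Attrs) -> str:
    if not target_matches(rule.target, request):
        return "NotApplicable"
    if rule.condition is not None:
        try:
            if not rule.condition(request):
                return "NotApplicable"
        except KeyError:              # the condition needs an attribute the request lacks
            return "Indeterminate"
    return rule.effect


def evaluate_policy(policy: Policy, request: Attrs) -> str:
    """Deny-overrides (simplified): any Deny wins, then Indeterminate, then Permit."""
    if not target_matches(policy.target, request):
        return "NotApplicable"
    results = [evaluate_rule(r, request) for r in policy.rules]
    for decision in ("Deny", "Indeterminate", "Permit"):
        if decision in results:
            return decision
    return "NotApplicable"


def pep_allows(policy: Policy, request: Attrs) -> bool:
    """Policy Enforcement Point: only an explicit Permit grants access;
    NotApplicable and Indeterminate fail closed."""
    return evaluate_policy(policy, request) == "Permit"


# Fig. 12.10 scenario: customers may view their own purchase history.
PURCHASE_HISTORY_POLICY = Policy(
    policy_id="purchase-history",
    target={"resource": {"type": "purchase-history"}, "action": {"id": "view"}},
    rules=[
        # client's method of authentication as a factor: anonymous sessions are refused outright
        Rule("deny-anonymous", "Deny", target={"subject": {"authn-method": "anonymous"}}),
        # client's identity as a factor: a customer may view only the history they own
        Rule("own-history", "Permit", target={"subject": {"role": "customer"}},
             condition=lambda r: r["subject"]["id"] == r["resource"]["owner"]),
    ],
)


def request(subject_id, role, authn, owner, action="view", rtype="purchase-history") -> Attrs:
    """Build a request context; owner=None models a resource whose owner attribute is missing."""
    resource = {"type": rtype}
    if owner is not None:
        resource["owner"] = owner
    return {"subject": {"id": subject_id, "role": role, "authn-method": authn},
            "resource": resource, "action": {"id": action}}


if __name__ == "__main__":
    for req in (request("alice", "customer", "password", "alice"),
                request("alice", "customer", "password", "bob"),
                request("alice", "customer", "anonymous", "alice")):
        print(evaluate_policy(PURCHASE_HISTORY_POLICY, req), pep_allows(PURCHASE_HISTORY_POLICY, req))
```

The Indeterminate case is the one to keep in mind when wiring a real PDP to a PEP: a request missing the attribute a condition needs is not a Permit and not a Deny, and an enforcement point that treats "not Deny" as "allowed" turns every missing attribute into an authorization bypass.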

Technology              Fundamentals addressed (purpose)
---------------------   ---------------------------------------------------------
Basic HTTP              Authentication
Digest Authentication   Authentication, Authorization, Privacy
SSL (HTTPS)             Authentication, Privacy, Integrity
XML Signature           Authentication, Integrity
XML Encryption          Integrity, Privacy
XKMS                    Authentication, Privacy, Integrity
SAML                    Authentication, Authorization, Non-Repudiation, Integrity
XACML                   Authorization
[ Web services security solutions ]

Authentication and Authorization for Web Services

• Basic authentication and authorization are not sufficient to secure Web services.
• The latest Web services products use a combination of security mechanisms, including Kerberos and single sign-on
• Some examples of authentication and authorization systems
  - Microsoft Passport
  - Sun's Liberty Alliance
  - AOL Time Warner's Screen Name Service
• Other standards: XKMS, SAML, XACML
Web Services and Network Security

• The biggest concern regarding Web services security is the immaturity of the underlying standards.
• As with any new technology, certain vulnerabilities are not discovered until attacks occur in a real-world setting.
• A combination of traditional and Web services-specific security methods can be used to protect networks while Web services security standards mature.
