Next Frontiers of Web Services Security


2002 UNC Charlotte Symposium on
Information Security and Privacy

Ray Lai
Sun Services, Sun Microsystems
Oct 22, 2002 Version 1.1
Speaker’s Background

 •   Ray has about 14 years of working experience,
     about 8 years in financial services and 6 years in the
     transportation / logistics area. He specializes in
     financial / securities solutions and Web Services
     solutions. He has been with Sun since mid-January 2001, and has
     been engaged in strategic Financial Services accounts
     including HSBC, Visa, American Express and Daiwa
     Securities. He has also co-authored a Use Case Modeling
     course, and is currently writing the first official
     Web Services book for Sun.
In a Nutshell

  • Business Challenges
  • Some Myths
  • Frontiers of Web Services Security
  • Best Practices
  • Conclusion – the Next Frontier
Web Services Phenomenon

 • Harvard Business Review (Oct 2001) describes
   Web Services as the next IT strategy
    §   A solution approach to address “data silos” or
        restrictive ERP-based enterprise architecture
    §   A cost-effective approach to addressing integration
        with external processes and institutions
    §   A risk mitigation against technology obsolescence
    §   Easier adoption of outsourced or managed services
        using standardized, plug-and-play Web Services
Web Services Basics

  • Simple Object Access Protocol (SOAP) is an XML-
    based specification for network communication
    between services
  • It is used for sending and receiving documents
    between end-points (RPC or document style)
  • It can be sent over different data transports, e.g.
    HTTP, HTTPS, JMS
  • Two Web Services variants – WSDL-UDDI-SOAP and
    ebXML
Web Services Interaction

  Figure: Service Provider, Service Registry and Service Requester
    • The Service Provider codes the Service Implementation and authors
      the config files / WSDL (Service Description and Configuration)
    1. Register / Publish Service – the Service Description goes to the
       Service Registry
    2. Find Services – the Service Requester searches the registry
    3. Return Service Descriptions – the registry answers the search
    4. Fetch Service Descriptions – the requester retrieves the WSDL
    5. Bind Services / Invoke Services – the requester calls the service
       through a Service Proxy; the call travels over the Internet in a
       Message Envelope
SOAP Messaging - Example

 SOAP Envelope exchanged between Service Requester and Service Provider
 (slide labels: SOAP Envelope, Header, Body):

 <?xml version='1.0' ?>
 <env:Envelope xmlns:env="http://www.w3.org/2002/06/soap-envelope">
  <env:Header>
   <m:reservation xmlns:m="http://travelcompany.example.org/reservation"
            env:role="http://www.w3.org/2002/06/soap-envelope/role/next"
            env:mustUnderstand="true">
    <m:reference>uuid:093a2da1-q345-739r-ba5d-pqff98fe8j7d</m:reference>
    <m:dateAndTime>2002-10-22T13:00:00.000-05:00</m:dateAndTime>
   </m:reservation>
   <n:passenger xmlns:n="http://mycompany.example.com/employees"
            env:role="http://www.w3.org/2002/06/soap-envelope/role/next"
            env:mustUnderstand="true">
    <n:name>Ray Lai</n:name>
   </n:passenger>
  </env:Header>
  <env:Body>
   <p:itinerary>
    <p:departure>...</p:departure>
    <p:return>...</p:return>
   </p:itinerary>
   <q:lodging>...</q:lodging>
  </env:Body>
 </env:Envelope>
Web Services - Benefits

  • Interoperability – cross-vendor, cross-platform
  • Simplicity – XML messages are simple to read &
    process
  • Lower cost of integration – light-weight loosely
    coupled integration
  • Re-usability – by exposing business functionality
    from legacy systems / existing apps
  • Availability – anywhere, any time
  • Scalability
Business Challenges
Security Requirements

 •   Authentication – how do I know your identity is true?
 •   Entitlement – are you allowed to invoke this transaction?
 •   Traceability – records of all transactions / activities for
     the audit trail
 •   Data privacy & confidentiality – nobody else reads the data
     you sent me
 •   Availability – no Denial of Service attack, etc.
 •   Data integrity – is the data you sent the same as what I
     received?
 •   Non-repudiation – legal proof to a third party
SOAP – What’s the Big Deal?

 Acquire a WSDL document and sniff a copy of a SOAP message from the
 internal network:

 <message name="transferFundRequest">
   <part name="account1" type="xsd:string"/>
   <part name="account2" type="xsd:string"/>
 </message>
 <message name="transferFundResponse">
   <part name="Result" type="xsd:float"/>
 </message>

 SOAP messages sent in clear text over HTTP

 Figure: Man-in-the-middle Attack – Web Service Client → Web Service
 Proxy (X.509v3) → Web Service RPC Router → Web Service (Application 1)
 → Web Service (Application 2); the Original SOAP Message is replaced
 in transit by a Modified SOAP Message

 Modify the SOAP message and post it to the service end-point URL:

 <transferFundRequest>
   <account1 name="Mr Good Guy" operation="debit"
          amount="230,000" currency="USD" number="320-2330-234" />
   <account2 name="Mr Bad Guy" operation="credit"
          amount="230,000" currency="USD" number="822-1220-212" />
 </transferFundRequest>
SOAP Security Concerns

 • Firewall – SOAP messaging over HTTP/S can send
   messages right through firewalls
 • Reliability – HTTP POST/GET is not reliable
 • Business transaction – support of non-
   repudiation? End-to-end security?
 • Network security – HTTPS protects client-server,
   not end-to-end; man-in-the-middle attack?
 • Identity management – what about
   authentication, entitlement, etc
Business Scenario

  Figure: a Service Requester invokes multiple business apps & services
    across Domain 1 and Domain 2 (Service Providers); each domain is
    tiered as Client Tier – Presentation Tier (Web Server) – Business
    Tier (Apps Server) – Integration Tier (Messaging Hub) – Resource
    Tier (Mainframe, Database), with its own Login, ACL and Policy at
    each tier
    • Multiple logins
    • Silos infrastructure
    • Some infrastructure does not support end-to-end transactional
      security
Some Myths of Web Services Security
Myth 1

 • Web Services security depends on PKI
   implementation
   §   Not true
 • Clarification
   §   If there is no PKI deployment, use XML Key
       Management (XKMS)
Myth 2

 • SOAP security is the Web Services security
   §   Not true
 • Clarification
   §   SOAP-SEC (now WS-Security) defines the data
       security for SOAP messaging using XML
       Encryption and XML Digital Signature
   §   Other security aspects: platform security, data
       transport security, application security
Myth 3

 • Secure SOAP messaging = HTTPS + digital
   signature
   §   Partially true
 • Clarification
   §   HTTPS only protects client-to-server
   §   There are other security risks, e.g. DoS, man-in-
       the-middle
Frontiers of Web Services Security
Major Initiatives

  • Web Services Security (WS-Security) roadmap
  • Security Assertion Markup Language (SAML)
  • Liberty
  • Assumptions
    §   Building blocks – XML Encryption, XML Digital
        Signature
    §   WS-Security includes XML Key Management
        Specification
WS-Security - Overview

  •   IBM, Microsoft and VeriSign published the WS-Security spec, which
      describes how to exchange signed & encrypted messages in a
      Web Services environment. WS-Security supersedes Microsoft’s
      earlier WS-Security, IBM’s SOAP-SEC, etc.
  •   Design objective – support of data integrity and
      confidentiality for SOAP messages using different kinds of
      security tokens
  •   Benefits
      §   Encompass multiple security tokens (e.g. X.509v3 certificates,
          Kerberos ticket)
      §   Resolve similar & competing SOAP messaging specifications /
          proposals
WS-Security - Concept

  Figure: Security Model
WS-Security - Example
Request message #1
------------------------------------------------
(slide labels: SOAP Envelope – SOAP Header – Security – Security Token –
Signature; SOAP Body – Encrypted Request)

<?xml version="1.0" encoding="UTF-8"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
<s:Header>
  <wsse:Security s:mustUnderstand="1"
     xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/04/secext/">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
   <ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <ds:Reference URI="#xpointer(/s:Envelope/s:Body)">
     <ds:Transforms>
       <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
     </ds:Transforms>
     <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
     <ds:DigestValue>2nEFD9/gnWcRrjRk0vHJtqfXqqU=</ds:DigestValue>
    </ds:Reference>
   </ds:SignedInfo>
   <ds:SignatureValue>qKOD2oJUzjmk19vKc+pZ4jEVBeseYB1zZPwENI032XzEQEgSZCbqeVUsD0uDCPu9R2fIPBQs&#13;
+uw7++lSQNOjHvWVD1nUTPIOp38fNU6XMWfpqF+ww2tBdwkUDiM8noYtB8CnNx9Tv5ejlzd5&#13;
dxh3NJYblZ21WDLUC2MTzF7STMU=</ds:SignatureValue>
   <ds:KeyInfo>
    <ds:KeyName>Public key of certificate</ds:KeyName>
    <ds:KeyValue>
     <ds:RSAKeyValue>
      <ds:Modulus>tgpcm093Tjvxi/jVulUMvC5gov+8iamjVxkrwELUQqkFV+lwZcYrJwaXZvHlJLUw6vFCOl9m&#13;
vhbIGW3t1RKo8sygCqtqe/DBR+XMGYTy6SkP24TDDI43mBgkdVauHCTgV4JYNLcIlTlPIQEm&#13;
U+f8ftYPLVGFGiHGuYG/SfCnEUE=</ds:Modulus>
      <ds:Exponent>AQAB</ds:Exponent>
     </ds:RSAKeyValue>
    </ds:KeyValue>
    <ds:X509Data>
     <ds:X509Certificate>MIIDmTCCA0OgAwIBAgIQN7Dt8b73agsj5f5CW8v+jDANBgkqhkiG9w0BAQQFADCBmTERMA8G&#13;
A1UEChMIVmVyaVNpZ24xLjAsBgNVBAsTJVZlcmlTaWduIENsYXNzIDIgT25TaXRlIEluZGl2&#13;
UR9EDaR70A==</ds:X509Certificate>
    </ds:X509Data>
   </ds:KeyInfo>
  </ds:Signature>
  </wsse:Security>
</s:Header>
<s:Body>
  <request>
    <currency>hkd</currency>
  </request>
</s:Body>
</s:Envelope>
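The same idea in runnable form, as an added example rather than code from the slides: it places a detached signature over the SOAP Body in the WS-Security layout shown above, then verifies a received envelope, so the clear-text modification illustrated on the "SOAP – What’s the Big Deal?" slide is detected. Because the Python standard library has no RSA, HMAC-SHA256 over a shared key stands in for the slide's rsa-sha1, and Python's C14N 2.0 stands in for exclusive canonicalization; the sample envelope, the key and the function names are constructed for this demo.

```python
# Added example (not code from the slides): detached signature over a SOAP
# Body in the WS-Security layout.  Stand-ins: HMAC-SHA256 with a shared key
# replaces rsa-sha1, Python's C14N 2.0 replaces exclusive C14N 1.0.
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = "http://schemas.xmlsoap.org/ws/2002/04/secext/"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
for _prefix, _uri in (("s", SOAP_NS), ("wsse", WSSE_NS), ("ds", DS_NS)):
    ET.register_namespace(_prefix, _uri)

# Constructed sample; the body mirrors the slide's <request><currency>hkd</currency></request>
SAMPLE_ENVELOPE = f"""<s:Envelope xmlns:s="{SOAP_NS}">
<s:Header/>
<s:Body>
  <request>
    <currency>hkd</currency>
  </request>
</s:Body>
</s:Envelope>"""


def canonical(elem):
    """Canonical bytes of one element (C14N 2.0 as a stand-in for exc-c14n)."""
    return ET.canonicalize(ET.tostring(elem, encoding="unicode")).encode()


def body_digest(env):
    """Base64 SHA-1 of the canonical Body, what <ds:DigestValue> carries."""
    body = env.find(f"{{{SOAP_NS}}}Body")
    return base64.b64encode(hashlib.sha1(canonical(body)).digest()).decode()


def sign_envelope(envelope_xml, key):
    """Return the envelope with a <wsse:Security>/<ds:Signature> header added."""
    env = ET.fromstring(envelope_xml)
    header = env.find(f"{{{SOAP_NS}}}Header")
    if header is None:
        header = ET.Element(f"{{{SOAP_NS}}}Header")
        env.insert(0, header)
    security = ET.SubElement(header, f"{{{WSSE_NS}}}Security",
                             {f"{{{SOAP_NS}}}mustUnderstand": "1"})
    signature = ET.SubElement(security, f"{{{DS_NS}}}Signature")
    signed_info = ET.SubElement(signature, f"{{{DS_NS}}}SignedInfo")
    ET.SubElement(signed_info, f"{{{DS_NS}}}SignatureMethod",
                  Algorithm="urn:example:hmac-sha256")  # stand-in identifier
    ref = ET.SubElement(signed_info, f"{{{DS_NS}}}Reference",
                        URI="#xpointer(/s:Envelope/s:Body)")
    ET.SubElement(ref, f"{{{DS_NS}}}DigestMethod",
                  Algorithm="http://www.w3.org/2000/09/xmldsig#sha1")
    ET.SubElement(ref, f"{{{DS_NS}}}DigestValue").text = body_digest(env)
    # The MAC covers SignedInfo, which in turn pins the Body digest.
    mac = hmac.new(key, canonical(signed_info), hashlib.sha256).digest()
    ET.SubElement(signature, f"{{{DS_NS}}}SignatureValue").text = (
        base64.b64encode(mac).decode())
    return ET.tostring(env, encoding="unicode")


def verify_envelope(envelope_xml, key):
    """True only if SignedInfo is authentic and the Body still matches its digest."""
    env = ET.fromstring(envelope_xml)
    signature = env.find(
        f"{{{SOAP_NS}}}Header/{{{WSSE_NS}}}Security/{{{DS_NS}}}Signature")
    if signature is None:
        return False  # unsigned: the clear-text case from the earlier slide
    signed_info = signature.find(f"{{{DS_NS}}}SignedInfo")
    sig_value = signature.findtext(f"{{{DS_NS}}}SignatureValue") or ""
    expected = hmac.new(key, canonical(signed_info), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, base64.b64decode(sig_value)):
        return False  # SignedInfo altered or wrong key: do not trust its digest
    claimed = signed_info.findtext(
        f"{{{DS_NS}}}Reference/{{{DS_NS}}}DigestValue") or ""
    return hmac.compare_digest(claimed.encode(), body_digest(env).encode())


if __name__ == "__main__":
    key = b"constructed-shared-key"
    signed = sign_envelope(SAMPLE_ENVELOPE, key)
    print("intact:", verify_envelope(signed, key))
    tampered = signed.replace("<currency>hkd</currency>", "<currency>usd</currency>")
    print("tampered:", verify_envelope(tampered, key))
```

The signature is checked before the digest on purpose: the digest inside an unauthenticated SignedInfo is attacker-controlled, so verifying it first would let a forged Reference steer the check. Note also what this does not cover: the Header outside the Security block, so a mustUnderstand header inserted in transit would still need its own Reference.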
WS-Security Roadmap - 1

  Figure: the WS-Security roadmap stack, top to bottom
    Top layer:     WS-SecureConversation   WS-Federation   WS-Authorization
    Middle layer:  WS-Policy               WS-Trust        WS-Privacy
    Base:          WS-Security
    Foundation:    SOAP Foundation
WS-Security Roadmap - 2

 •   WS-Security – adding elements to SOAP messages for data integrity,
     confidentiality, and associating sender’s identity with the message
 •   WS-Policy – security, privacy & trust policies
 •   WS-Trust – trust relationships between businesses
 •   WS-Privacy – associating privacy policies & preferences with Web
     Services
 •   WS-SecureConversation – how a collection of messages is exchanged
     securely as part of a complex business transaction
 •   WS-Federation – integrating different identity management
     mechanisms
 •   WS-Authorization – how to represent application authorization
     requests and decisions
SAML - Overview

 • Security Assertion Markup Language (SAML) v1.0,
   currently managed by OASIS, defines XML
   vocabulary, protocol, transport bindings & usage
   profile for exchanging assertions about
    §   Authentication
    §   Attributes
    §   Authorization decision
 • Design objective – single sign-on
 • Benefits
    §   Easily extensible & flexible for access management
    §   Open Standards, currently managed by OASIS
SAML - Concept

  Figure: SAML domain model
    • Credentials Collector → Authentication Authority (governed by a
      Policy) → Authentication Assertion
    • Attribute Authority (governed by a Policy) → Attribute Assertion
    • Policy Decision Point (governed by a Policy) → Authorization
      Decision Assertion
    • A System Entity sends an Application Request to the Policy
      Enforcement Point, which consumes the SAML assertions
SAML – Message Structure

  (slide labels: SOAP Envelope – SOAP Header – SOAP Body – SAML Message –
  SAML Assertion: “This user has access to SUN Server”)

  <samlp:Request MajorVersion="1" MinorVersion="0"
                 RequestID="1fgtTGzMXSqpN++/LcFpBmZWrQg=">
    <samlp:RespondWith>AuthenticationStatement</samlp:RespondWith>
    <samlp:AuthenticationQuery>
      <saml:Subject>
        <saml:NameIdentifier Name="test"/>
        <saml:SubjectConfirmation>
          <saml:ConfirmationMethod>
            http://www.oasis-open.org/committies/security/docs/draft-sstc-core-25/password
          </saml:ConfirmationMethod>
          <saml:SubjectConfirmationData>
            cGFzc3dvcmQ=
          </saml:SubjectConfirmationData>
        </saml:SubjectConfirmation>
      </saml:Subject>
    </samlp:AuthenticationQuery>
  </samlp:Request>
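An added example, not from the slides, that parses the AuthenticationQuery above and lists what a relying party should notice before acting on it. The slide's fragment omits namespace declarations, so the constructed sample adds the SAML 1.0 protocol and assertion namespace URIs; the function names and the review rules are assumptions for this demo.

```python
# Added example (not code from the slides): parse a SAML 1.0
# AuthenticationQuery and raise defender-side findings.
import base64
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"

# Constructed from the slide's fragment; namespace declarations added.
SAMPLE_REQUEST = f"""<samlp:Request xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    MajorVersion="1" MinorVersion="0"
    RequestID="1fgtTGzMXSqpN++/LcFpBmZWrQg=">
  <samlp:RespondWith>AuthenticationStatement</samlp:RespondWith>
  <samlp:AuthenticationQuery>
    <saml:Subject>
      <saml:NameIdentifier Name="test"/>
      <saml:SubjectConfirmation>
        <saml:ConfirmationMethod>
          http://www.oasis-open.org/committies/security/docs/draft-sstc-core-25/password
        </saml:ConfirmationMethod>
        <saml:SubjectConfirmationData>cGFzc3dvcmQ=</saml:SubjectConfirmationData>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </samlp:AuthenticationQuery>
</samlp:Request>"""


def parse_authentication_query(xml_text):
    """Pull out the fields a relying party acts on from a samlp:Request."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}Request":
        raise ValueError("not a samlp:Request")
    subject = root.find(f"{{{SAMLP}}}AuthenticationQuery/{{{SAML}}}Subject")
    if subject is None:
        raise ValueError("AuthenticationQuery without a Subject")
    name_id = subject.find(f"{{{SAML}}}NameIdentifier")
    confirmation = subject.find(f"{{{SAML}}}SubjectConfirmation")
    method = data = None
    if confirmation is not None:
        method = (confirmation.findtext(f"{{{SAML}}}ConfirmationMethod") or "").strip()
        raw = (confirmation.findtext(f"{{{SAML}}}SubjectConfirmationData") or "").strip()
        data = base64.b64decode(raw) if raw else None  # base64 only decodes
    return {
        "version": (root.get("MajorVersion"), root.get("MinorVersion")),
        "request_id": root.get("RequestID"),
        "respond_with": (root.findtext(f"{{{SAMLP}}}RespondWith") or "").strip(),
        "subject_name": name_id.get("Name") if name_id is not None else None,
        "confirmation_method": method,
        "confirmation_data": data,
    }


def review_query(query):
    """Findings a defender would raise before trusting such a request."""
    findings = []
    if query["version"] != ("1", "0"):
        findings.append("unexpected SAML version")
    if not query["request_id"]:
        findings.append("missing RequestID, so the response cannot be correlated")
    if query["respond_with"] != "AuthenticationStatement":
        findings.append("RespondWith does not request an AuthenticationStatement")
    method = query["confirmation_method"] or ""
    if method.endswith("/password"):
        findings.append("confirmation data is a password: base64 is encoding, "
                        "not encryption, so HTTPS or XML-ENC must cover this message")
    return findings


if __name__ == "__main__":
    parsed = parse_authentication_query(SAMPLE_REQUEST)
    print(parsed["subject_name"], parsed["confirmation_data"])
    for finding in review_query(parsed):
        print("-", finding)
```

Running it shows the point the slide's "cGFzc3dvcmQ=" makes implicitly: the confirmation data decodes to the plain word "password", which is why the deck pairs SAML with transport or message security rather than treating the assertion format itself as protection.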
Liberty - Overview

  • Liberty Alliance is an industry initiative for
    federated identity management
     §   User profile is self-managed, rather than by a central
         authority
     §   Liberty extends SAML schema for single sign-on
  • Design objective – to solve authentication
    problems for users logging on to Web Services
  • Benefits
     §   Platform neutral, vendor interoperability
     §   Common standard for single sign-on with
         authentication and open authorization
Liberty - Federated Identity
Liberty Concept - 1

  Figure: Identity Provider, Service Provider and User Agent (User),
    linked by Web Services and Web Re-direction
    1. User Agent sends HTTP request to Service Provider for Single
       Sign-on
    2. Service Provider responds by re-directing to Identity Provider
    3. User Agent sends request to Identity Provider
    4. Identity Provider responds by re-directing to Service Provider
    5. User Agent sends authentication request to Service Provider with
       URI
Liberty Concept - 2

  Figure: sequence between User Agent, Service Provider and Identity Provider
    User Agent → Service Provider:        HTTP Authentication request
    Service Provider:                     Obtain Identity Provider ID
    Service Provider → User Agent:        Response to Authentication request
    User Agent → Identity Provider:       Re-direct Authentication request to
                                          Identity Provider
    Identity Provider:                    Process Authentication request
    Identity Provider → User Agent:       Authentication request response /
                                          artifact
    User Agent → Service Provider:        Request with Authentication
                                          response / artifact
    Service Provider → Identity Provider: HTTP request with artifact
    Identity Provider → Service Provider: HTTP response with Authentication
                                          assertion
    Service Provider:                     Process Authentication assertion
    Service Provider → User Agent:        HTTP response with Authentication
                                          assertion
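The exchange on "Liberty Concept - 1" and "- 2", as an added in-memory simulation that is not code from the slides or from the Liberty Alliance: the user agent carries only an artifact, and the Service Provider resolves it over the back channel before trusting the assertion. The class and function names, the assertion fields, the 300-second lifetime and the single-use rule are assumptions for this demo; real Liberty messages are XML over HTTP redirects.

```python
# Added example (not code from the slides): simulation of the Liberty
# browser/artifact single sign-on with the checks the Service Provider
# performs when it "processes the Authentication assertion".
import secrets

ASSERTION_LIFETIME = 300  # seconds; assumed value, not from the slides


class IdentityProvider:
    """Authenticates the user and hands the user agent a one-time artifact."""

    def __init__(self, issuer):
        self.issuer = issuer
        self._pending = {}  # artifact -> assertion, consumed on first resolve

    def process_authn_request(self, sp_id, user, now):
        # "Process Authentication request": the user is taken as already
        # authenticated at the IdP; mint an assertion scoped to this SP.
        assertion = {"issuer": self.issuer, "subject": user, "audience": sp_id,
                     "issued": now, "expires": now + ASSERTION_LIFETIME}
        artifact = secrets.token_urlsafe(20)  # unguessable reference, not the assertion
        self._pending[artifact] = assertion
        return artifact  # "Authentication request response / artifact"

    def resolve_artifact(self, artifact, requesting_sp):
        # Back channel: "HTTP request with artifact" -> assertion.
        assertion = self._pending.pop(artifact, None)  # pop makes it single-use
        if assertion is None or assertion["audience"] != requesting_sp:
            return None  # unknown, replayed, or minted for another SP
        return assertion


class ServiceProvider:
    """Relies on the IdP; never accepts an assertion straight from the browser."""

    def __init__(self, sp_id, idp):
        self.sp_id = sp_id
        self.idp = idp

    def handle_sso_request(self):
        # Steps 1-2: answer the HTTP request with a redirect to the IdP.
        return {"redirect_to": self.idp.issuer, "sp_id": self.sp_id}

    def consume_artifact(self, artifact, now):
        # "Request with artifact" from the user agent: resolve it over the
        # back channel, then "Process Authentication assertion".
        assertion = self.idp.resolve_artifact(artifact, self.sp_id)
        if assertion is None:
            return None
        if not (assertion["issued"] <= now < assertion["expires"]):
            return None  # stale assertion
        return assertion["subject"]  # session established for this subject


def single_sign_on(user, sp, idp, now):
    """Drive the user agent through steps 1-5; return the logged-in subject."""
    redirect = sp.handle_sso_request()                                   # 1-2
    artifact = idp.process_authn_request(redirect["sp_id"], user, now)   # 3-4
    return sp.consume_artifact(artifact, now)                            # 5


if __name__ == "__main__":
    idp = IdentityProvider("https://idp.example")
    sp = ServiceProvider("https://sp.example", idp)
    print("logged in as:", single_sign_on("ray", sp, idp, now=1000))
```

Three properties carry the security of the flow and each has a line above: the artifact is a random reference rather than the assertion, so the browser leg exposes nothing reusable; resolution pops the artifact, so a replayed request gets nothing; and the audience check stops an artifact minted for one Service Provider from logging the user into another.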
Liberty Concept - 3

  Figure: sequence between User Agent, Identity Provider and Common Domain
    Identity Provider → User Agent:  Re-direct User Agent to cookie-writing
                                     service
    User Agent → Common Domain:      Access cookie-writing service URL
    Common Domain:                   Process request to write cookies
    Common Domain → User Agent:      Re-direct to Identity Provider Return URL
    User Agent → Identity Provider:  Access Identity Provider Return URL
Web Services Security Best Practices
Some Best Practices

  • Define and customize your security
    framework
  • De-couple message security from data
    transport security
  • Adopt Open Standards to implement Single
    Sign-on
Defining Security Framework

  • Trust Domains
     §   Key management – XKMS, host hardening
     §   Authentication – SSO with SAML, Identity Server
     §   Transactional security – XML-ENC, XML-DSIG, XACML,
         WS-Security, platform hardening
  • Threat Profiling
     §   Web Services objects – UDDI, WSDL, etc
     §   Hacker attacks – profiling of transaction loading,
         platform hardening, virus protection, IDS
Web Services Security Stack

  Figure: the Web Services security stack, by layer (top to bottom)
    Service Negotiation    Liberty, WS-Federation, WS-SecureConversation,
                           WS-Authorization, WS-Policy, WS-Trust,
                           WS-Privacy, SAML, XACML, XKMS
    Service Discovery      UDDI, ebXML (ebRIM / ebRS), WSDL
    Transaction Routing    XML-ENC, XML-DSIG, WS-Security, XKMS
    Transport              HTTPS, HTTPR, IPSec
    Internet               TCP/IP
Security Framework - 1

  Figure: Threat Profiling of the service interactions
    • The Service Provider (Identity) publishes or un-publishes its WSDL
      to the Service Broker (Identity), which hosts the Service Registry
      (ebXML Registry, UDDI Registry)
    • Service Requesters – a Supplier and a Buyer, each with an Identity –
      query / discover / find services in the registry and bind to the
      Service Provider
    • At every link the same questions arise: Trust? Policy?
Security Framework - 2

  Figure: Threat Profiling of the security layers
    Each participant – Consumer, Service Provider 1, Service Provider 2 and
    Service Registry – is modelled as a stack of
      Identity                   e.g. Liberty, SAML, etc
      Messaging Security         e.g. WS-Security, XML-ENC, XML-DSIG, etc
      Data Transport Security    e.g. HTTPS
      Platform Security
    Each Service Provider and the Service Registry carries a Policy (e.g.
    XACML / WS-Policy / etc); between the Consumer and every provider the
    question is Trust?, addressed by Cross-domain Single Sign-on
Secure Messaging Pattern

  Figure: Consumer and Service Provider, each layered as
      Application Message
      Messaging Security
      SOAP Client / SOAP Server
      Data Transport Security
    The SOAP Envelope carries XML-DSIG in the SOAP Header and the
    Application Message in the SOAP Body
SSO Pattern - 1

  Figure: a Service Requester invokes SSO and business services across
    Domain 1 and Domain 2 (Service Providers), each tiered as Client Tier –
    Presentation Tier (Web Server) – Business Tier (Apps Server) –
    Integration Tier (Messaging Hub) – Resource Tier (Mainframe, Database)
    • A Common Domain (Identity Provider) hosts the Identity Server, which
      issues a Liberty/SAML Authentication Assertion, a SAML Attribute
      Assertion and a SAML Authorization Assertion (XACML) to the User
      Agents at each tier
    • An XKMS Trust Authority provides key management
SSO Pattern - 2

  Figure: as SSO Pattern - 1, with policy enforcement added
    • Same tiers, domains, Common Domain (Identity Provider) with Identity
      Server issuing Liberty/SAML Authentication, SAML Attribute and SAML
      Authorization (XACML) Assertions, and XKMS Trust Authority
    • An Apps Request passes through a Policy Enforcement Point (PEP) to a
      Policy Decision Point (PDP), which applies the Policy held at the
      Business and Integration tiers
Conclusion – the Next Frontier
The Next Frontier

  • OASIS Web Services Security Technical
    Committee
  • Liberty version 2.0
  • Wireless Web Services security
  • JSR 183 Web Services message security API
Sun’s Contribution

  • Identity management
    §   Liberty
  • Web Services security standards
    §   W3C various security standards – XML-DSIG etc
    §   OASIS Web Services Security TC, SAML TC
Some Recent Experience

 • Identity management & Single Sign-on
   §   Major US financial institutions
 • Web Services best practices
   §   Major credit card / financial institutions
 • Reliable message services
   §   E.g. Trans-Canada Pipeline (TCPL)
 • Workflow and business transactions
   §   E.g. SABRE
Sun’s Web Services Offerings

  • Executive / Technical overview (half-day)
  • Java Web Services workshop (4-days)
  • Web Services strategy / best practices
  • Web Services architecture / design roadmap
  • Web Services implementation
  • Web Services best practices assessment
  • Web Services tuning assessment
  • Network identity workshop
Contact Information

  Local Sales Rep /      Skip Vail
  Sun Services Contact   skip.vail@sun.com
  Director               Edward Schwarz
  Solution Dev Center    edward.schwarz@sun.com
  Practice Manager       Glen Reece, PhD
  Solution Dev Center    glen.reece@sun.com
  Senior Architect       Ray Lai
  Solution Dev Center    ray.lai@sun.com
  Senior Architect       Stuart Sim
  Solution Dev Center    stuart.sim@sun.com