Agenda
– What is a Web Service?
– Examples and advantages of Web Services
– Common security threats on Web Services
– Web Service security model: Confidentiality, Data Integrity, Authentication
What are Web Services?
A Web Service is a URL-addressable software resource that performs functions (or a function).
Web Services communicate using a standard protocol known as SOAP (Simple Object Access Protocol).
A Web Service is located by its listing in a Universal Description, Discovery and Integration (UDDI) directory.
A Component now Becomes a Service Running Outside the Consumer Boundaries
Figure: services (backed by DB, ERP and CRM systems) register with a registry (1); consumers discover and/or bind to them (2) and invoke them over SOAP/XML (3), subject to policies.
Where are Web Services being used?
– Dollar Rent A Car: created an interface to expose its existing mainframe-based reservation system for access by existing and potential business partners.
– Bank of America: the e-commerce Web service for processing online credit card payments.
– Kansas Department of Human Resources: developed a Web Services based system to streamline unemployment claims processing. By using Web Services they were able to leverage and integrate "shrink-wrapped" software with custom screens to develop and deploy a solution very quickly.
Some Web Service Threats
– Message Alteration: the message content is changed in some way.
– Message Snooping: an unauthorized entity "sees" the message (perhaps processing it).
– Impersonation: an entity pretends to be another entity, sending or receiving unauthorized messages.
– Message Replay: can involve both partial and complete message replay.
– Man-in-the-Middle: the MITM impersonates both the sender and the recipient.
– Denial of Service: death by a thousand cuts.
Security Challenges for Web Services
SOAP allows for other messaging patterns:
– Multiple relaying brokers.
– Multiple recipients.
Each hop represents a different network connection.
– May want to authenticate peers at each step.
– Nodes may partially process messages.
Figure: a message creator sends through a chain of nodes to several message recipients.
WS Security at Different Layers
Network Level: IPSec
– Secure sessions with host authentication, data integrity, data confidentiality
Transport Layer: SSL/TLS
– Authentication, data integrity, data confidentiality
– Point-to-point secure sessions
Above Transport Layer: SOAP/XML Security
– SOAP allows intermediaries and routing above transport
– End-to-end versus point-to-point
Manage Web Service Security
Confidentiality
– Used to keep message transmissions private.
– Typically, just encryption/decryption as we normally think of it.
Confidentiality
Transmission level mechanisms
– SSL, IPSec
Message level: SOAP Security
– Different sections may be encrypted by different keys.
– Sections of XML may have layered protections.
– Example: when transmitting credit card info, different processors may have the right to see your name, your purchase, the cost, your card number, etc.
SOAP Security and Headers
SOAP headers are the extensibility point for SOAP messages.
This is where we put the security metadata:
– Security tokens, message digests, signing algorithms, etc.
SOAP security builds on XML Encryption and XML Digital Signatures.
Sample SOAP message
    <?xml version="1.0" encoding="utf-8"?>
    <S11:Envelope xmlns:S11="..." xmlns:wsse="..." xmlns:wsu="..." xmlns:ds="...">
      <S11:Header>
        <wsse:Security xmlns:wsse="...">
          <ds:Signature>
            <ds:SignedInfo>
              <ds:CanonicalizationMethod Algorithm=""/>
              <ds:SignatureMethod Algorithm=""/>
            </ds:SignedInfo>
            <ds:SignatureValue>DJbchm5gK...</ds:SignatureValue>
            <ds:KeyInfo>
              <wsse:SecurityTokenReference>
                <wsse:Reference URI="#MyID"/>
              </wsse:SecurityTokenReference>
            </ds:KeyInfo>
          </ds:Signature>
        </wsse:Security>
      </S11:Header>
      <S11:Body wsu:Id="MsgBody">...</S11:Body>
    </S11:Envelope>
XML Encryption
Encrypted XML is still XML
– The encrypted value (in base64 encoding) of the original document is placed in another XML document.
Encryption is granular
– You can encrypt portions of a document.
– Example: child and grandchild elements become more sensitive, so apply encryptions to them in succession.
XML encryption is mechanism-independent
– Specify the mechanism with a URL. The URL contains the detailed specification of the mechanism. Example: "Encryption Algorithm used".
A Simple XML Encryption Example
Before:
    <?xml version='1.0'?>
    <PaymentInfo>
      <Name>John Smith</Name>
      <CreditCard Limit='5,000' Currency='USD'>
        <Number>…</Number>
        <Issuer>…</Issuer>
        <Expiration>…</Expiration>
      </CreditCard>
    </PaymentInfo>
After:
    <?xml version='1.0'?>
    <PaymentInfo>
      <Name>John Smith</Name>
      <EncryptedData Type='http://www.w3.org/2001/04/xmlenc#Element' xmlns='http://www.w3.org/2001/04/xmlenc#'>
        <EncryptionMethod Algorithm='[http://www.DES URI]'/>
        <CipherData>
          <CipherValue>A23B45C56</CipherValue>
        </CipherData>
      </EncryptedData>
    </PaymentInfo>
Manage Web Service Security
– Confidentiality
– Data Integrity: message level, XML encryption and signatures
XML Signature
The XML Signature specification represents a general way of signing XML content. Cryptographic "signing" involves the following steps:
– A one-way hash of the message is created.
– The hash is signed with a private key.
– The signed hash and the message are transmitted.
The recipient verifies the signature by hashing the received message and comparing this to the decrypted signature.
– Use the sender's public key to decrypt.
– The two hashes should be bitwise identical.
XML Signature tags provide both the signature and the tags necessary to verify it.
– Enveloped/enveloping signatures that wrap child elements are not allowed by WS-Security.
– Detached signatures apply to some other part of the document outside the tree, or even a remote document.
XML Signature (Cont.)
Figure: sender side, the XML content is hashed into a message digest, the digest is signed with the private key, and both the XML content and the signed XML are sent; recipient side, the received XML content is hashed into a message digest, the signed XML is decrypted with the sender's public key, and the two digests are compared.
XML Signature Example
    <Signature Id="MyFirstSignature" xmlns="http://www.w3.org/2000/09/xmldsig#">
      <SignedInfo>
        <CanonicalizationMethod Algorithm="…"/>
        <SignatureMethod Algorithm="…"/>
        <Reference URI="…">
          <Transforms>
            <Transform Algorithm="…"/>
          </Transforms>
          <DigestMethod Algorithm="…"/>
          <DigestValue>j6lwx3rvEPO0vKtMup4NbeVu8nk=</DigestValue>
        </Reference>
      </SignedInfo>
      <SignatureValue>MC0CFFrVLtRlk=...</SignatureValue>
      <KeyInfo>
        <KeyValue>
          <DSAKeyValue></DSAKeyValue>
        </KeyValue>
      </KeyInfo>
    </Signature>
Manage Web Service Security
– Confidentiality: message level and transport level
– Integrity: message level, XML encryption and digital signatures
– Authentication: SAML (Security Assertion Markup Language) for communicating security tokens
Security Tokens Terminology
– Claim: a declaration made by an entity.
  • Identity, group membership, privilege, etc.
– Security Token: a collection of claims.
Tokens may be signed or unsigned.
More on Web Service Security
More security considerations:
– Availability
– Authorization
– Federation
– Etc.
Far from standardized and mature.