Making VLAB Secure Javier I. Roman

Page 1: Making VLAB Secure

Making VLAB Secure

Javier I. Roman

Page 2: Making VLAB Secure

What is VLAB?

An interdisciplinary consortium dedicated to the development and promotion of the theory of planetary materials.

Interpreted seismic data in the context of likely geophysical processes.

Be used as input for more sophisticated and reliable modeling of planets.

Page 3: Making VLAB Secure

The Three Main Goals In Security!

Authentication: verifying the identity of a user

Confidentiality: protecting the privacy of the message contents

Integrity: ensures that a message has not been altered since its departure from the original sender

Page 4: Making VLAB Secure

Common ways to Solve Web Services Security

Sent over HTTPS/SSL: the secure channel gives confidentiality during transport.

Doing your own signatures/encryption using XML signatures & encryption standards

Service ‘authentication’ using public key certificates

Client ‘authentication’ using user/password sent over secure channel

SOAP formatted messages

Page 5: Making VLAB Secure

Is HTTPS/SSL enough Security?

Transport Security: a Point to Point Security
  Server authentication by client using public key certificate
  Encrypted whole messages to block eavesdroppers

Limitations that come from Transport Security
  Does not support intermediaries, so the router sees the entire clear text message
    User > SSL > Router > SSL > Server
  Does not support signing a message to verify that the message was not changed in transit

Page 6: Making VLAB Secure

OASIS Web Services Security

End to End Security
  Data can be hidden from intermediaries

Transport Independent
  Run over HTTP, TCP, UDP, email or whatever

Framework for building security protocols
  Integrity, Confidentiality and Authentication

Support for different types of Security algorithms
  Encryption, Digest, Signature, Canonicalization, Transforms

Page 7: Making VLAB Secure

How to achieve Authentication

Using UsernameToken with password Digest
  Digest = SHA1 ( nonce + created + password )
  SHA1 is the Secure Hash Algorithm
  Nonce is a unique sequence of random characters

Page 8: Making VLAB Secure

UsernameToken Digest

<S:Envelope xmlns:S="http://www.w3.org/2001/12/soap-envelope"
            xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/xx/secext"
            xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/07/utility">
  <S:Header>
    ...
    <wsse:UsernameToken>
      <wsse:Username>Javier</wsse:Username>
      <wsse:Password Type="wsse:PasswordDigest">OEdR...</wsse:Password>
      <wsse:Nonce>FKJh...</wsse:Nonce>
      <wsu:Created>2007-07-14T09:00:00Z</wsu:Created>
    </wsse:UsernameToken>
    ...
  </S:Header>
  ...
</S:Envelope>
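
Added example (not part of the original slides): a Python sketch of how a client builds the Nonce, Created and PasswordDigest values shown above, and how a server checks them. The Base64 encoding of the nonce and digest follows the OASIS UsernameToken Profile; the five-minute freshness window, the in-memory nonce cache and the function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(minutes=5)  # assumed freshness window for wsu:Created
_seen_nonces = set()            # assumed replay cache; a real service needs a shared, expiring store
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def _digest(nonce, created, password):
    # Digest = SHA1(nonce + created + password), Base64-encoded for the XML element
    raw = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return base64.b64encode(raw)


def make_token(password, now=None):
    """Client side: produce the values for wsse:Nonce, wsu:Created and wsse:Password."""
    nonce = os.urandom(16)
    created = (now or datetime.now(timezone.utc)).strftime(TS_FORMAT)
    return {
        "nonce": base64.b64encode(nonce).decode(),
        "created": created,
        "digest": _digest(nonce, created, password).decode(),
    }


def verify_token(token, password, now=None):
    """Server side: recompute the digest, then enforce freshness and nonce uniqueness."""
    now = now or datetime.now(timezone.utc)
    try:
        nonce = base64.b64decode(token["nonce"], validate=True)
        created = datetime.strptime(token["created"], TS_FORMAT).replace(tzinfo=timezone.utc)
        claimed = token["digest"].encode()
    except (KeyError, ValueError, AttributeError):
        return "malformed"
    # Constant-time comparison avoids leaking how many digest bytes matched
    if not hmac.compare_digest(_digest(nonce, token["created"], password), claimed):
        return "bad-digest"
    if abs(now - created) > MAX_AGE:
        return "stale"      # an old captured token is rejected
    if nonce in _seen_nonces:
        return "replayed"   # the same nonce inside the window is rejected
    _seen_nonces.add(nonce)
    return "ok"
```

The server can only recompute the digest if it holds the password itself, and the digest alone does not protect the rest of the message; that is what the encryption and signature slides that follow address.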

Page 9: Making VLAB Secure

Adding Encryption too

Setting the Encrypt parameter
  The encryption algorithm selected is AES
  A special-purpose quantum computer in the year 2015 will take 108 million years to break a key of 128 bits

You can select the parts you want to encrypt in the message

Page 10: Making VLAB Secure

Encrypting Body and UsernameToken


Page 11: Making VLAB Secure

Adding Integrity

Using UsernameTokenSignature
  Can determine whether a message was altered in transit
  Verify that the message was sent by the possessor of a particular security token

Generate a key using the username and password to sign an element of a message or the Body

Page 12: Making VLAB Secure

Putting everything together