Web Service Security

Emily Ren

Richard Mei

Agenda

What is Web Service? Examples and Advantages of Web Service Common Security Threads on Web Service Web Service Security Model Confidentiality Data Integrity Authentication

What are Web Services? A Web Service is a URL-addressable software

resource that performs functions (or a function).

Web Services communicate using standard protocol known as SOAP (Simple Object Access Protocol).

A Web Service is located by its listing in a Universal Discovery, Description and Integration (UDDI) directory.

A Component now Becomes a Service Running Outside the Consumer Boundaries

DB

CCI CCI CCI

ERP CRM

Service Service Service

Registry

11register

ConsumerConsumer

SOAP SOAP SOAP

XML XML XML

33 invoke22

Discover and/or Bind

Policies

Where are Web Services being used?

Dollar Rent A Car : Created an interface to expose its existing mainframe-based reservation system for access by existing and

potential business partners.

Bank of America::The Ecommerce Web service for processing online credit card payment;

Kansas Department of Human Resources: Developed a Web Services based system to streamline unemployment claims processing. By using Web Services they were able to leverage and integrate ‘shrink wrapped’ software with custom screens to develop and deploy a solution very quickly.

Some Web Service ThreatsThreat Description

Message Alteration: The message content is changed in some way.

Message Snooping: An unauthorized entity “sees” the message (perhaps processing it).

Impersonation: an entity pretends to be another entity, sending or receiving unauthorized messages.

Message Replay: Can involve both partial and complete message replay.

Man-in-the-Middle: The MITM impersonates both the sender and the recipient.

Denial of Service Death by a thousand cuts

Security Challenges for Web Services SOAP allows for other

messaging patterns:– Multiple relaying brokers.– Multiple recipients.

Each hop represents a different network connection.– May want to authenticate

peers at each step.– Nodes may partially process

messages.

MessageCreator

MessageRecipient

MessageRecipient

MessageRecipient

Node

Node

Node

Web Service Security Stack

WS Security at Different Layers Network Level: IPSec

– Secure sessions with host authentication, data integrity, data confidentiality

Transport Layer: SSL/TLS

Authentication, data integrity, data confidentiality– Point-to-Point secure sessions

Above Transport Layer: SOAP/XML Security

SOAP allows intermediaries and routing above transport– End-to-end versus point-to-point

Web Service Security Goals

Confidentiality Data Integrity Authentication And More …

Manage Web Service Security

Confidentiality

Used to keep message transmissions private.

– Typically, just encryption/description as we normally think of it.

Confidentiality

Transmission Level Mechanisms– SSL, IPSec

Message level: SOAP Security– Different sections may be encrypted by different keys.

– Sections of XML may have layered protections

Example: when transmitting credit card info, different processors may have the right to see your name, your purchase, the cost, your card number, etc.

SOAP Security and Headers

SOAP headers are the extensibility point for SOAP messages.

This is where we put the security metadata– Security tokens, message digests, signing

algorithms, etc.

SOAP security builds on XML-Encryption and XML-Digital Signatures

Sample SOAP message <?xml version="1.0" encoding="utf-8"?> <S11:Envelope xmlns:S11="..." xmlns:wsse="..." xmlns:wsu="..." xmlns:ds="..."> <S11:Header> <wsse:Security xmlns:wsse="..."> <ds:Signature> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm= ""/> <ds:SignatureMethod Algorithm=""/> </ds:SignedInfo> <ds:SignatureValue>DJbchm5gK...</ds:SignatureValue> <ds:KeyInfo> <wsse:SecurityTokenReference> <wsse:Reference URI="#MyID"/> </wsse:SecurityTokenReference> </ds:KeyInfo> </ds:Signature> </wsse:Security> </S11:Header> <S11:Body wsu:Id="MsgBody“>…</S11:Body> </S11:Envelope>

XML Encryption Encrypted XML is still XML

– The encrypted value (in base64 encoding) of the original document is placed in another XML document.

Encryption is granular– You can encrypt portions of a document– Example: child and grandchild elements become more sensitive,

so apply encryptions to them in succession.

XML encryption is mechanism-independent. – Specify the mechanism with a URL. The URL contains the

detailed specification of the mechanism. Example: “Encryption Algorithm used”

A Simple XML Encryption Example Before<?xml version='1.0'?><PaymentInfo> <Name>John Smith</Name> <CreditCard Limit='5,000'

Currency='USD'> <Number>…</Number>

<Issuer>…</Issuer> <Expiration>…</Expiration>

</CreditCard> </PaymentInfo>

After<?xml version='1.0'?> <PaymentInfo><Name>John Smith</Name><EncryptedData Type='http://www.w3.org/2001/04/xmlenc#Element' xmlns='http://www.w3.org/2001/04/xmlenc#'> <EncryptionMethod Algorithm=“[http://www.DES URI]”> <CipherData> <CipherValue>A23B45C56

</CipherValue> </CipherData> </EncryptedData> </PaymentInfo>

Manage Web Service Security

Confidentiality Data Integrity – Message level, XML

encryption and signatures

XML Signature The XML Signature specification represents a general way of signing

XML content. Cryptographic “signing” involves the following steps:

– A one-way hash of the message is created.– The hash is signed with a private key.– The signed hash and the message are transmitted.

The recipient verifies the signature by hashing the received message and comparing this to the decrypted signature.– Use the sender’s public key to decrypt.– The two hashes should be bitwise identical.

XML Signature tags provide both the signature and the tags necessary to verify it.– Envoloped/enveloping signatures that wrap child elements are not allowed

by WS-Security.– Detached signatures apply to some other part of the document outside the

tree, or even a remote document.

XML Signature (Cont.)

HashMessage

DigestXML

ContentSign with

Private KeySigned XML

XML Content

Signed XML

Send Send

XML Content

Hash

Message Digest

Signed XML

Decrypt with Sender’s Public

Key

Message Digest

Compare

XML Signature Example<Signature Id="MyFirstSignature" xmlns=http://www.w3.org/2000/09/xmldsig#> <SignedInfo>

<CanonicalizationMethod Algorithm=“…"/> <SignatureMethod Algorithm=“…"/> <Reference URI=“…">

<Transforms> <Transform Algorithm=“…"/>

</Transforms> <DigestMethod Algorithm=“…"/>

<DigestValue>j6lwx3rvEPO0vKtMup4NbeVu8nk=</DigestValue></Reference>

</SignedInfo> <SignatureValue>MC0CFFrVLtRlk=...</SignatureValue> <KeyInfo> <KeyValue>

<DSAKeyValue> </DSAKeyValue> </KeyValue>

</KeyInfo> </Signature>

Manage Web Service Security

Confidentiality – Message level and Transport level

Integrity – Message level, XML encryption and digital signatures

Authentication - SAML - Security Assertion Markup Language for communicating security tokens

Security Tokens Terminology

– Claim: a declaration made by an entity.• Identity, group membership, privilege, etc.

– Security Token: is a collection of claims

Tokens may be signed or unsigned.

More on Web Service Security

More security considerations:– Availability– Authorization– Federation– Etc.

Far from standardized and mature

Questions?

???

References [1] Security in a Web Services World: A Proposed

Architecture and Roadmap, A joint security whitepaper from IBM Corporation and Microsoft

Corporation. April 7, 2002, [2] Secure Web Services, Geoffrey Fox, Marlon

Pierce, Community Grids Lab, Indiana University [3] Intro to Web Services, David M. Rubin,

Softstar [4] Manage Web Service Security, Charles Burke,

The OWASP foundation