Web Services Security Multimedia Information Engineering Lab. Yoon-Sik Yoo

Page 1

Web Services Security

Multimedia Information Engineering Lab. Yoon-Sik Yoo

Page 2

Contents

  • Introduction
  • Basic Security for Transmission over HTTP
  • Web Services and Secure Sockets Layer (SSL)
  • XML Signature and XML Encryption
  • XML Key Management Specification (XKMS)
  • Security Assertion Markup Language (SAML)
  • Extensible Access Control Markup Language (XACML)
  • Authentication and Authorization for Web Services
  • Web Services and Network Security

Page 3

Introduction

Web services require end-to-end security for transactions that span multiple computers.

Interoperability is fundamental to Web services security, because transmissions often occur across multiple platforms and must be secured at all times.

Page 4

Basic Security for Transmission over HTTP

The security methods outlined in the HTTP specification are weak (HTTP provides no mechanism for encrypting the body of a message).

For stronger security, HTTP security should be used with other security technologies, such as SSL and Kerberos.

Page 5

Web Services and Secure Sockets Layer (SSL)

SSL is considered the next step beyond basic security for Web services.

SSL employs user credentials and certificates, which are sometimes too large, and it disables the ability to record who initiated each step of a transaction.

[Figure: protocol stack showing SSL sitting between the Transport Layer and the Application Layer, above the Internet Layer]

Page 6

XML Signature and XML Encryption

XML-based applications raise significant security concerns, in part because XML documents are encoded in plain text rather than in a binary form.

Digital signatures solve this problem by verifying document integrity.

Page 7

XML Signature and XML Encryption

[Figure: a plain-text document]

Page 8

XML Signature and XML Encryption

XML Signature: W3C Recommendation, February 2002

[Figure: a signed XML document, shown as <?xml?> … <Personal> … … </Personal> …]

Page 9

XML Signature and XML Encryption

XML Encryption: W3C Recommendation, December 2002

Page 10

XML Key Management Specification (XKMS)

XKMS is a specification for registering and distributing encryption keys for Public Key Infrastructure (PKI) in Web services.

XKMS was developed by Microsoft, VeriSign and webMethods, but is now a W3C initiative.

XKMS was designed for use with XML Signature and XML Encryption.

Page 11

XML Key Management Specification (XKMS)

XKMS comprises two specifications:

  • XML Key Information Service Specification (X-KISS): the set of protocols that process key information (located in an XML signature's KeyInfo element).
  • XML Key Registration Service Specification (X-KRSS): the set of certificate-management protocols that addresses the life of a digital certificate, from registration to revocation and recovery.

Page 12

XML Key Management Specification (XKMS)

XML Key Information Service Specification (X-KISS)

[Figure: X-KISS key location. A Signature Processing Application holds a signature whose KeyInfo carries only a key name:

<Signature> … <KeyInfo> <KeyName> QR9432YZ5 </KeyName> </KeyInfo> </Signature>

It sends <KeyName> QR9432YZ5 </KeyName> to a Key Location Service, which looks up QR9432YZ5 in a Key Database, retrieves the X.509 Cert and returns it as:

<X509Data> <X509Certificate> MIICXTCCA.. </X509Certificate> </X509Data>]
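The key location exchange in the figure, as an added Python example that is not part of the slides: the signature-processing application pulls the KeyName out of KeyInfo, and a toy Locate service resolves it against a constructed key database (the key name is the one from the figure; the certificate value is a labelled placeholder, and the namespace-only XML handling is an assumption of this example).

```python
import xml.etree.ElementTree as ET
from typing import Optional

DS = "http://www.w3.org/2000/09/xmldsig#"   # XML Signature namespace
ET.register_namespace("ds", DS)

# Constructed key database (assumption): key name -> base64 certificate text.
# The value is a placeholder standing in for the "MIICXTCCA.." of the figure.
KEY_DATABASE = {"QR9432YZ5": "MIICXTCCA..CONSTRUCTED-PLACEHOLDER"}

# Constructed signature whose KeyInfo names the key instead of embedding it.
SIGNED_DOC = f"""<Signature xmlns="{DS}">
  <SignedInfo/>
  <SignatureValue>c2lnbmF0dXJl</SignatureValue>
  <KeyInfo><KeyName>QR9432YZ5</KeyName></KeyInfo>
</Signature>"""

def extract_key_name(signature_xml: str) -> Optional[str]:
    """Signature-processing application: read KeyInfo/KeyName (None if absent)."""
    root = ET.fromstring(signature_xml)
    node = root.find(f"{{{DS}}}KeyInfo/{{{DS}}}KeyName")
    if node is None or not node.text:
        return None
    return node.text.strip()

def locate(key_name: str) -> Optional[str]:
    """Key Location Service: answer a known name with <ds:X509Data>, else None.
    An unknown name gets no answer at all, never a fallback key."""
    cert = KEY_DATABASE.get(key_name)
    if cert is None:
        return None
    x509data = ET.Element(f"{{{DS}}}X509Data")
    ET.SubElement(x509data, f"{{{DS}}}X509Certificate").text = cert
    return ET.tostring(x509data, encoding="unicode")

def resolve_certificate(signature_xml: str) -> Optional[str]:
    """Whole exchange: key name out of the signature, certificate back from the service."""
    key_name = extract_key_name(signature_xml)
    if key_name is None:
        return None
    response = locate(key_name)
    if response is None:
        return None
    cert = ET.fromstring(response).find(f"{{{DS}}}X509Certificate")
    return cert.text if cert is not None else None
```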

Page 13

XML Key Management Specification (XKMS)

XML Key Registration Service Specification (X-KRSS)

[Figure: X-KRSS key registration. A Client performs key Pair Generation, then sends the X-KRSS Service a registration request carrying (HMAC [Name, PublicKey], Proof Of Possession); the service records the key in a Certificate Repository and answers with "Registration Result : Success".]

Page 14

Security Assertion Markup Language (SAML)

SAML is a standard for transferring authentication, authorization and permissions information over the Internet.

SAML is a form of Permissions Management Infrastructure (PMI).

The SAML protocol was developed by combining two competing XML security standards:

  • Securant Technologies' AuthXML
  • Netegrity's Security Services Markup Language (S2ML)

Page 15

Security Assertion Markup Language (SAML)

SAML also provides a method for single sign-on authentication and authorization.

SAML-based applications can provide single sign-on across disparate sites and platforms.

Page 16

Security Assertion Markup Language (SAML)

Single sign-on example using SAML

[Figure: single sign-on between BobsAppliances.com and JoeFlooring.com, numbered steps 1 to 6. The user logs in at BobsAppliances.com (Login, PIP); the site presents the login information, performs authentication and creates a SAML assertion and token. JoeFlooring.com, which has previously established trust with BobsAppliances.com, passes the token through its PEP (enforcement point) and PDP before granting access to the protected resource.]
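The relying site's side of the figure (JoeFlooring.com checking an assertion created by BobsAppliances.com), as an added Python example that is not part of the slides: a SAML 2.0 style assertion is constructed inline and validated for trusted issuer, validity window, audience and replay. The entity URLs, the assertion ID and the timestamps are assumptions, and the XML Signature over the assertion is assumed to have been verified already by an XML-DSig library, which this example does not include.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
TRUSTED_ISSUERS = {"https://BobsAppliances.com/idp"}   # previously established trust
MY_AUDIENCE = "https://JoeFlooring.com/sp"              # this relying site

# Constructed assertion for user "bob", issued by BobsAppliances.com (assumed URLs).
ASSERTION = f"""<Assertion xmlns="{SAML}" ID="_a1" IssueInstant="2024-01-01T12:00:00Z">
  <Issuer>https://BobsAppliances.com/idp</Issuer>
  <Subject><NameID>bob</NameID></Subject>
  <Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <AudienceRestriction><Audience>https://JoeFlooring.com/sp</Audience></AudienceRestriction>
  </Conditions>
  <AuthnStatement AuthnInstant="2024-01-01T11:59:50Z"/>
</Assertion>"""

def parse_saml_time(value: str) -> datetime:
    """SAML timestamps are UTC; the constructed sample uses whole seconds only."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_assertion(xml_text: str, now: datetime, seen_ids: set):
    """Relying-site checks; returns (accepted, subject_or_reason).
    Assumes the XML Signature over the assertion was already verified by an
    XML-DSig library; without that step none of these checks can be trusted."""
    root = ET.fromstring(xml_text)
    tag = lambda name: f"{{{SAML}}}{name}"
    issuer = root.findtext(tag("Issuer"), "").strip()
    if issuer not in TRUSTED_ISSUERS:            # only trusted partners may vouch
        return False, "untrusted issuer"
    cond = root.find(tag("Conditions"))
    if cond is None:
        return False, "missing Conditions"
    not_before, not_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not not_before or not not_after:
        return False, "missing validity window"
    if not (parse_saml_time(not_before) <= now < parse_saml_time(not_after)):
        return False, "outside validity window"
    audiences = [a.text.strip() for a in cond.iter(tag("Audience")) if a.text]
    if MY_AUDIENCE not in audiences:             # assertion meant for another site
        return False, "wrong audience"
    if root.get("ID") in seen_ids:               # one-time use: reject replays
        return False, "replayed assertion"
    seen_ids.add(root.get("ID"))
    subject = root.findtext(f"{tag('Subject')}/{tag('NameID')}", "").strip()
    return (True, subject) if subject else (False, "missing subject")
```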

Page 17

Extensible Access Control Markup Language (XACML)

Developed by OASIS, XACML is a markup language that allows organizations to communicate their policies for accessing online information.

XACML defines which clients can access information, what information is available to clients, when clients can access the information and how clients can gain access to information.
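The four questions on this slide (which clients, what information, when, how) as an added Python example that is not part of the slides: a miniature XACML-style policy decision point with rules made of a Target, an optional Condition and an Effect, combined with deny-overrides. The rule shape and attribute names are simplified assumptions, not the XACML XML schema.

```python
from datetime import time

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"

# Constructed policy (assumption: simplified rule shape, not the XACML schema).
# Target = attribute equalities that must all hold; Condition = extra predicate.
POLICY = [
    {"id": "deny-contractors-salary", "effect": DENY,       # which clients / what information
     "target": {"subject-role": "contractor", "resource": "/hr/salary"}},
    {"id": "staff-read-office-hours", "effect": PERMIT,     # how (action) / when (time)
     "target": {"subject-role": "staff", "action": "read"},
     "condition": lambda req: time(9, 0) <= req["time"] < time(18, 0)},
    {"id": "admins-anything", "effect": PERMIT,
     "target": {"subject-role": "admin"}},
]

def make_request(role, resource, action, hour, minute=0):
    """Access request as the PEP would hand it to the PDP."""
    return {"subject-role": role, "resource": resource,
            "action": action, "time": time(hour, minute)}

def rule_applies(rule, request):
    """A rule applies when every Target attribute matches and its Condition holds."""
    for attr, expected in rule["target"].items():
        if request.get(attr) != expected:
            return False
    return rule.get("condition", lambda _: True)(request)

def decide(policy, request):
    """Deny-overrides combining: any applicable Deny wins, otherwise Permit if any
    rule permits, otherwise NotApplicable. The PEP must treat anything other
    than Permit as a refusal (fail closed)."""
    decision = NOT_APPLICABLE
    for rule in policy:
        if not rule_applies(rule, request):
            continue
        if rule["effect"] == DENY:
            return DENY
        decision = PERMIT
    return decision
```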

Page 18

Authentication and Authorization for Web Services

Basic authentication and authorization techniques are not sufficient to secure Web services transactions.

The latest Web services products use a combination of security mechanisms, including Kerberos and single sign-on.

Authentication and authorization systems designed for use with Web services:

  • Microsoft's Passport
  • Sun's Liberty Alliance
  • AOL Time Warner's Screen Name Services

Page 19

Web Services and Network Security

Networks typically authenticate users before allowing access to protected resources.

However, Web services often are designed to use single sign-on, which allows access to applications on the basis of another source’s authentication credentials.

Firewalls between Web services and internal resources prevent Web service users from accessing protected information.

Page 20

Web Services and Network Security

Web services security is an ongoing process, not a one-time solution.

Thus, administrators using Web services need to stay apprised of all security developments and update their systems regularly.