Web Services Security
Multimedia Information Engineering Lab. Yoon-Sik Yoo
Contents
Introduction
Basic Security for Transmission over HTTP
Web Services and Secure Sockets Layer (SSL)
XML Signature and XML Encryption
XML Key Management Specification (XKMS)
Security Assertion Markup Language (SAML)
Extensible Access Control Markup Language (XACML)
Authentication and Authorization for Web Services
Web Services and Network Security
Introduction
Web services require end-to-end security for transactions that span multiple computers.
Interoperability is fundamental to Web services security, because transmissions often occur across multiple platforms and must be secured at all times.
Basic Security for Transmission over HTTP
The security methods outlined in the HTTP specification are weak: HTTP basic and digest authentication protect only the credentials, and HTTP itself provides no mechanism for encrypting the body of a message.
For stronger security, HTTP-level security should be combined with other security technologies, such as SSL and Kerberos.
Web Services and Secure Sockets Layer (SSL)
SSL is considered the next step beyond basic security for Web services.
SSL relies on user credentials and certificates, which are sometimes too large to be practical, and because it protects only a single connection it cannot record who initiated each step of a transaction that spans several computers.
[Figure: protocol stack. SSL sits between the Transport Layer and the Application Layer, above the Internet Layer.]
XML Signature and XML Encryption
XML-based applications raise significant security concerns, in part because XML documents are encoded in plain text rather than in a binary form, so any intermediary can read or alter them.
Digital signatures address the integrity problem: XML Signature lets a receiver verify that a document (or a selected part of it) has not been modified and who signed it, while XML Encryption addresses confidentiality by encrypting selected elements.
XML Signature and XML Encryption
XML Signature: W3C Recommendation, February 2002
[Figure: a plain-text document, <?xml?> … <Personal> … </Personal> …, to which an XML Signature is applied.]
XML Signature and XML Encryption
XML Encryption: W3C Recommendation, December 2002
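The following is an added example, not code from the slides, showing the shape of an XML Signature and the two checks a verifier must perform. It uses only the Python standard library: Canonical XML 2.0 via xml.etree.ElementTree.canonicalize (Python 3.8 or later), SHA-256 Reference digests, and, as a stand-in for an RSA or ECDSA key pair, the HMAC-SHA256 SignatureMethod. The <Personal> payload, the shared key and the verifier behaviour are constructed for the example; the key name QR9432YZ5 is the one used in the slide's KeyInfo.

```python
"""Detached XML-Signature-style signature over an XML element, plus a verifier."""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"ds": DS_NS}
ET.register_namespace("ds", DS_NS)

# Standard algorithm identifiers (XML Signature, Canonical XML 2.0, RFC 6931).
C14N_ALG = "http://www.w3.org/2010/10/xml-c14n2"
SIG_ALG = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"
DIGEST_ALG = "http://www.w3.org/2001/04/xmlenc#sha256"

# Constructed sample payload (the <Personal> document sketched on the slide).
PERSONAL_XML = ('<Personal id="p1"><Name>Alice Example</Name>'
                '<Account>1234-5678</Account></Personal>')
# The same document re-serialised with different whitespace; it must still verify.
PERSONAL_XML_REFLOWED = ('<Personal id="p1">\n  <Name>Alice Example</Name>\n'
                         '  <Account>1234-5678</Account>\n</Personal>')
# Constructed shared key (assumption); real deployments reference an asymmetric
# key through KeyInfo and use an RSA/ECDSA SignatureMethod.
SHARED_KEY = b"demo-hmac-key-not-for-production"


def c14n(xml_text):
    """Canonical XML 2.0 bytes; strip_text drops ignorable whitespace so that
    reformatting the document does not change its digest."""
    return ET.canonicalize(xml_text, strip_text=True).encode("utf-8")


def b64(data):
    return base64.b64encode(data).decode("ascii")


def build_signature(payload_xml, key, key_name="QR9432YZ5"):
    """Build <ds:Signature>: the Reference digest covers the payload, and the
    SignatureValue covers the canonicalised SignedInfo (never the payload directly)."""
    digest = b64(hashlib.sha256(c14n(payload_xml)).digest())
    signed_info = (
        f'<ds:SignedInfo xmlns:ds="{DS_NS}">'
        f'<ds:CanonicalizationMethod Algorithm="{C14N_ALG}"/>'
        f'<ds:SignatureMethod Algorithm="{SIG_ALG}"/>'
        '<ds:Reference URI="#p1">'
        f'<ds:DigestMethod Algorithm="{DIGEST_ALG}"/>'
        f'<ds:DigestValue>{digest}</ds:DigestValue>'
        '</ds:Reference>'
        '</ds:SignedInfo>'
    )
    sig_value = b64(hmac.new(key, c14n(signed_info), hashlib.sha256).digest())
    return (
        f'<ds:Signature xmlns:ds="{DS_NS}">{signed_info}'
        f'<ds:SignatureValue>{sig_value}</ds:SignatureValue>'
        f'<ds:KeyInfo><ds:KeyName>{key_name}</ds:KeyName></ds:KeyInfo>'
        '</ds:Signature>'
    )


def verify_signature(payload_xml, signature_xml, key):
    """Two checks, both mandatory: the SignatureValue must authenticate SignedInfo
    under the key, and the Reference digest inside SignedInfo must match the
    payload the application actually consumes. Doing only the first check would
    let an attacker keep a valid signature and swap the referenced content."""
    sig = ET.fromstring(signature_xml)
    signed_info = sig.find("ds:SignedInfo", NS)
    sig_value = sig.findtext("ds:SignatureValue", namespaces=NS)
    claimed_digest = sig.findtext("ds:SignedInfo/ds:Reference/ds:DigestValue",
                                  namespaces=NS)
    if signed_info is None or not sig_value or not claimed_digest:
        return False
    # Re-canonicalise SignedInfo exactly as the signer did before computing the MAC.
    signed_info_c14n = c14n(ET.tostring(signed_info, encoding="unicode"))
    expected_mac = hmac.new(key, signed_info_c14n, hashlib.sha256).digest()
    if not hmac.compare_digest(base64.b64decode(sig_value), expected_mac):
        return False
    actual_digest = hashlib.sha256(c14n(payload_xml)).digest()
    return hmac.compare_digest(base64.b64decode(claimed_digest), actual_digest)


def demo():
    """Constructed cases: genuine, reformatted, tampered and wrong-key payloads."""
    sig = build_signature(PERSONAL_XML, SHARED_KEY)
    tampered = PERSONAL_XML.replace("1234-5678", "9999-0000")
    return {
        "genuine": verify_signature(PERSONAL_XML, sig, SHARED_KEY),
        "reflowed": verify_signature(PERSONAL_XML_REFLOWED, sig, SHARED_KEY),
        "tampered": verify_signature(tampered, sig, SHARED_KEY),
        "wrong_key": verify_signature(PERSONAL_XML, sig, b"some-other-key"),
    }


if __name__ == "__main__":
    print(demo())
```

The canonicalisation step is what makes a plain-text format signable at all: the reflowed copy verifies because whitespace that carries no meaning is removed before hashing, while the single changed account number fails the Reference digest check even though the SignatureValue is still valid.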
XML Key Management Specification (XKMS)
XKMS is a specification for registering and distributing encryption keys for a Public Key Infrastructure (PKI) in Web services.
XKMS was developed by Microsoft, VeriSign and webMethods, and is now a W3C initiative.
XKMS was designed for use with XML Signature and XML Encryption.
XML Key Management Specification (XKMS)
XKMS is comprised of two specifications:
XML Key Information Service Specification (X-KISS): the set of protocols that process key information (located in an XML signature's KeyInfo element).
XML Key Registration Service Specification (X-KRSS): the set of certificate-management protocols that addresses the life of a digital certificate, from registration to revocation and recovery.
XML Key Management Specification (XKMS)
XML Key Information Service Specification (X-KISS)
[Figure: key location with X-KISS. A signature-processing application receives a signature whose KeyInfo carries only a key name, sends that name to a key location service, which looks it up in a key database and returns the matching X.509 certificate.]
Signature received by the application:
<Signature> … <KeyInfo> <KeyName>QR9432YZ5</KeyName> </KeyInfo> </Signature>
Query sent to the key location service:
<KeyName>QR9432YZ5</KeyName>
Response from the key location service:
<X509Data> <X509Certificate>MIICXTCCA..</X509Certificate> </X509Data>
XML Key Management Specification (XKMS)
XML Key Registration Service Specification (X-KRSS)
[Figure: key registration with X-KRSS. The client generates a key pair and sends a registration request to the X-KRSS service containing (HMAC[Name, PublicKey], Proof Of Possession); the service records the binding in a certificate repository and replies with Registration Result: Success.]
Security Assertion Markup Language (SAML)
SAML is a standard for transferring authentication, authorization and permissions information over the Internet.
SAML is a form of Permissions Management Infrastructure (PMI).
The SAML protocol was developed by combining two earlier XML security standards: Securant Technologies' AuthXML and Netegrity's Security Services Markup Language (S2ML).
Security Assertion Markup Language (SAML)
SAML also provides a method for single sign-on authentication and authorization.
SAML-based applications can provide single sign-on across disparate sites and platforms.
Security Assertion Markup Language (SAML)
Single sign-on example using SAML
[Figure: single sign-on between BobsAppliances.com and JoeFlooring.com, steps 1 to 6. The user logs in at BobsAppliances.com, whose Policy Information Point (PIP) presents the login page and authenticates the login information; a SAML assertion and token are created; the user then reaches a protected resource at JoeFlooring.com, where a Policy Enforcement Point (PEP) consults a Policy Decision Point (PDP) and accepts the assertion on the basis of trust previously established between the two sites.]
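An added example (not from the slides) of the checks the receiving site, JoeFlooring.com in the figure, has to run on an assertion before honouring it: the issuer must be one it previously established trust with, the validity window must contain the current time, and the audience must name this site, otherwise an assertion issued for some other relying party could be replayed here. The issuer and audience URIs, the clock skew and the assertion builder are assumptions for the example; the XML Signature check that has to precede these steps is left out.

```python
"""Relying-party validation of a SAML 2.0 assertion: issuer, validity window, audience."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed identifiers: the identity provider trusted in advance (the
# BobsAppliances.com side) and this service provider's own audience URI.
IDP_ISSUER = "https://idp.bobsappliances.example"
TRUSTED_ISSUERS = {IDP_ISSUER}
MY_AUDIENCE = "https://sp.joeflooring.example"
CLOCK_SKEW = timedelta(seconds=60)  # tolerance for clock drift between the sites


def make_assertion(issuer, subject, audience, not_before, not_on_or_after):
    """Build a minimal assertion the way an identity provider would (test data only)."""
    return (
        f'<saml:Assertion xmlns:saml="{SAML_NS}" Version="2.0" ID="_a1">'
        f'<saml:Issuer>{issuer}</saml:Issuer>'
        f'<saml:Subject><saml:NameID>{subject}</saml:NameID></saml:Subject>'
        f'<saml:Conditions NotBefore="{not_before.strftime(TS_FMT)}"'
        f' NotOnOrAfter="{not_on_or_after.strftime(TS_FMT)}">'
        f'<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>'
        '</saml:AudienceRestriction></saml:Conditions>'
        '</saml:Assertion>'
    )


def parse_ts(value):
    return datetime.strptime(value, TS_FMT).replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, now, trusted_issuers=TRUSTED_ISSUERS,
                       audience=MY_AUDIENCE):
    """Return (accepted, reason, subject). Every failed check is a hard reject."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        return False, "not a SAML assertion", None
    issuer = (root.findtext("saml:Issuer", namespaces=NS) or "").strip()
    if issuer not in trusted_issuers:
        return False, "issuer not trusted", None
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return False, "missing Conditions", None
    try:
        not_before = parse_ts(cond.get("NotBefore", ""))
        not_on_or_after = parse_ts(cond.get("NotOnOrAfter", ""))
    except ValueError:
        return False, "missing or malformed validity window", None
    if now + CLOCK_SKEW < not_before:
        return False, "assertion not yet valid", None
    if now - CLOCK_SKEW >= not_on_or_after:   # NotOnOrAfter is exclusive
        return False, "assertion expired", None
    audiences = {a.text.strip()
                 for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)
                 if a.text}
    if audience not in audiences:
        return False, "audience mismatch: issued for another site", None
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not subject:
        return False, "missing subject", None
    return True, "ok", subject


def demo():
    """Constructed assertions evaluated against a fixed clock."""
    now = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
    user = "bob@bobsappliances.example"
    window = (now - timedelta(minutes=1), now + timedelta(minutes=5))
    cases = {
        "fresh": make_assertion(IDP_ISSUER, user, MY_AUDIENCE, *window),
        "stale": make_assertion(IDP_ISSUER, user, MY_AUDIENCE,
                                now - timedelta(hours=2), now - timedelta(hours=1)),
        "other_site": make_assertion(IDP_ISSUER, user, "https://sp.other.example", *window),
        "rogue_idp": make_assertion("https://idp.attacker.example", user, MY_AUDIENCE, *window),
    }
    return {name: validate_assertion(xml, now) for name, xml in cases.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The audience check is the one most often skipped in home-grown SAML code, and it is what stops a token minted for BobsAppliances.com's other partners from opening JoeFlooring.com.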
Extensible Access Control Markup Language (XACML)
Developed by OASIS, XACML is a markup language that allows organizations to express and communicate their policies for accessing online information.
XACML defines which clients can access information, what information is available to clients, when clients can access the information, and how clients can gain access to it.
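As an added example (not from the slides, and not the OASIS reference implementation), here is a small policy decision point that evaluates the four questions above: the subject role (who), the resource (what), the action (how) and a time-of-day attribute (when). The policy document is a simplified stand-in for real XACML, but the evaluation follows XACML's deny-overrides rule combining, and the sample policy and requests are constructed.

```python
"""Minimal XACML-style policy decision point with deny-overrides rule combining."""
import xml.etree.ElementTree as ET

# Constructed policy (simplified XACML-like syntax, an assumption of this example):
# each Rule has a Target of attribute matches and an Effect.
POLICY_XML = """<Policy PolicyId="catalog-access" RuleCombiningAlgId="deny-overrides">
  <Rule RuleId="partners-may-read" Effect="Permit">
    <Target>
      <Match Attribute="subject:role" Value="partner"/>
      <Match Attribute="resource:id" Value="/catalog"/>
      <Match Attribute="action:id" Value="read"/>
    </Target>
  </Rule>
  <Rule RuleId="staff-may-write" Effect="Permit">
    <Target>
      <Match Attribute="subject:role" Value="staff"/>
      <Match Attribute="resource:id" Value="/catalog"/>
      <Match Attribute="action:id" Value="write"/>
    </Target>
  </Rule>
  <Rule RuleId="no-writes-off-hours" Effect="Deny">
    <Target>
      <Match Attribute="action:id" Value="write"/>
      <Match Attribute="environment:time-of-day" Value="off-hours"/>
    </Target>
  </Rule>
</Policy>
"""


def load_policy(xml_text):
    """Parse into (combining_algorithm, [(rule_id, effect, {attribute: value})])."""
    root = ET.fromstring(xml_text)
    rules = []
    for rule in root.findall("Rule"):
        if rule.get("Effect") not in ("Permit", "Deny"):
            raise ValueError(f"rule {rule.get('RuleId')} has no valid Effect")
        target = {m.get("Attribute"): m.get("Value") for m in rule.findall("Target/Match")}
        rules.append((rule.get("RuleId"), rule.get("Effect"), target))
    return root.get("RuleCombiningAlgId"), rules


def rule_matches(target, request):
    """A rule applies only if every Match in its Target equals the request attribute;
    an attribute missing from the request never matches."""
    return all(request.get(attr) == value for attr, value in target.items())


def evaluate(policy_xml, request):
    """Return 'Permit', 'Deny' or 'NotApplicable'. Under deny-overrides one applicable
    Deny beats any number of Permits; with no applicable rule the result is
    NotApplicable, which the enforcement point must treat as a denial."""
    algorithm, rules = load_policy(policy_xml)
    if algorithm != "deny-overrides":
        raise ValueError(f"unsupported combining algorithm {algorithm}")
    decision = "NotApplicable"
    for _rule_id, effect, target in rules:
        if not rule_matches(target, request):
            continue
        if effect == "Deny":
            return "Deny"
        decision = "Permit"
    return decision


def demo():
    """Constructed requests as a PEP would submit them; in practice the subject
    attributes come from the SAML assertion and the time from the environment."""
    def req(role, action, time_of_day="business-hours"):
        return {"subject:role": role, "resource:id": "/catalog",
                "action:id": action, "environment:time-of-day": time_of_day}
    return {
        "partner_read": evaluate(POLICY_XML, req("partner", "read")),
        "staff_write_day": evaluate(POLICY_XML, req("staff", "write")),
        "staff_write_night": evaluate(POLICY_XML, req("staff", "write", "off-hours")),
        "partner_write": evaluate(POLICY_XML, req("partner", "write")),
    }


if __name__ == "__main__":
    print(demo())
```

The staff write at night is the instructive case: a Permit rule applies, yet the Deny rule wins because of the combining algorithm, and the partner write shows why a PEP has to default to denying anything that comes back NotApplicable.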
Authentication and Authorization for Web Services
Basic authentication and authorization techniques are not sufficient to secure Web services transactions.
The latest Web services products use a combination of security mechanisms, including Kerberos and single sign-on.
Authentication and authorization systems designed for use with Web services:
Microsoft's Passport
Sun's Liberty Alliance
AOL Time Warner's Screen Name Service
Web Services and Network Security
Networks typically authenticate users before allowing access to protected resources.
However, Web services often are designed to use single sign-on, which allows access to applications on the basis of another source’s authentication credentials.
Firewalls placed between Web services and internal resources prevent Web service users from reaching protected information directly.
Web Services and Network Security
Web services security is an ongoing process, not a one-time solution.
Thus, administrators using Web services need to stay apprised of all security developments and update their systems regularly.