www.rubix.nl
SOA Security an Introduction
Ingrid Cox
03-05-2023
Agenda
Why SOA Security?
Fundamental Security Terminology and Concepts
Fundamental Security Mechanisms
Security Industry Standards and Technologies
Common SOA Security Threat Definitions
Service Security Patterns
SOA School / Certified SOA Security Specialist
Why SOA Security?
Services and service compositions can be subject to distinct security threats due to tendencies such as:
• Reliance on open networks
• Openly published technical contracts
• Reuse by and exposure to widely distributed service consumers
• Involvement of service intermediaries and service agents
• Exchange of data as plain text XML messages
Fundamental Security Terminology and Concepts
• Trust
• Claims
• Tokens
• Integrity
• Confidentiality
• Authorization
• Authentication
• Identification
• Non-repudiation
• Policies
• Message Layer Security
• Transport Layer Security
CIA Triad (Information Security)
[Diagram: the three properties surrounding Services]
• Confidentiality
• Integrity
• Availability
Confidentiality
“Information is not made available or disclosed to unauthorized individuals, entities, or processes”
[Diagram: Sender and Recipient, with the question “Can this document be disclosed to unauthorized parties?”]
Integrity
“Maintaining and assuring the accuracy and completeness of data over its entire life-cycle. This means that data cannot be modified in an unauthorized or undetected manner.”
[Diagram: Sender and Recipient, with the question “Has this message been changed since you sent it?”]
Availability
“For any information system to serve its purpose, the information must be available when it is needed.”
• The computing systems used to store and process the information
• The security controls used to protect it
• The communication channels used to access it
• But also preventing common security threats
Non-repudiation
In digital security, the cryptologic meaning and application of non-repudiation shifts to mean:
• A service that provides proof of the integrity and origin of data
• An authentication that can be asserted to be genuine with high assurance
[Diagram: Sender and Recipient, with the question “Is this document actually sent by you?”]
Transport Layer Security vs Message Layer Security
[Diagram: a message travels Sender → Intermediary → Intermediary → Recipient.
TLS: each hop between sender, intermediaries and recipient is secure, but the message is not secure while it is held by an intermediary.
MLS: the message itself is secured, so it stays secure end to end, including at the intermediaries.]
Fundamental Security Mechanisms
• Hashing
• Encryption
• Decryption
• Digital Signature
• Identity & Access Management
• Public Key Infrastructure
• Digital Certificates
• Single Sign-On
• Symmetric Encryption
• Asymmetric Encryption
• Secret Key Cryptography
• Public Key Cryptography
Hashing
[Diagram: Input (plain text) → Cryptographic Hash Function → Digest]
Used to verify the integrity of the message
Hashing functions
input: rubix
  MD5:     32cab8d5115f0c7814994a65257e2014
  SHA-256: D093570cb166eeb9d17a4c8358a2f6ceeccb5679af1c08ccd72b104133b665d1
input: Rubix
  MD5:     D89525d0a4550368ba8085a36a6ddb78
  SHA-256: 97b6ef22acaf52f4dab67ffa5ab7b481d9cb09b1228351bc7ecbf6b308c511dc
input: Rubix ID
  MD5:     708739c108aab7f15c2e1b8edb72b626
  SHA-256: B5a1c516688ccb7125aa65f800abd5af29b1004de8ebe903f39083793771d733
input: Rubix ID event
  MD5:     3fe0453a093464a5abafe7e0f6bdadd3
  SHA-256: C6f301b80a4f9a93bfd91af56bb26de8f9d8f27f326ea4eb09b65950c16867c1
input: Rubix ID event, a very interesting event organized by Rubix ....
  MD5:     5bd80cd151f14dac32476238fe5f5f47
  SHA-256: E376e493a9d3a7ccf3004b1ddfd0bed641369fb9393c0231a4146a4f2c4dd8e6
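The table above shows the two properties a digest gives you: fixed-length output whatever the input size, and a completely different value for a one-character change. The following added example (not from the slides) reproduces that with Python's hashlib and then shows the recipient-side integrity check, plus the step a bare digest cannot cover: a keyed digest (HMAC) with a constructed shared key, which ties the message to the key holders but still gives no non-repudiation.

```python
import hashlib
import hmac

# Constructed sample inputs, the same strings as in the table above.
MESSAGES = ["rubix", "Rubix", "Rubix ID", "Rubix ID event"]


def digests(message: str) -> dict:
    """MD5 and SHA-256 hex digests of the UTF-8 encoding of a message."""
    data = message.encode("utf-8")
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def integrity_ok(message: str, expected_sha256: str) -> bool:
    """Recipient-side integrity check: recompute and compare in constant time."""
    actual = hashlib.sha256(message.encode("utf-8")).hexdigest()
    return hmac.compare_digest(actual, expected_sha256)


def make_tag(message: str, key: bytes) -> str:
    """Keyed digest (HMAC-SHA256) that only holders of `key` can produce."""
    return hmac.new(key, message.encode("utf-8"), hashlib.sha256).hexdigest()


def authenticity_ok(message: str, key: bytes, expected_tag: str) -> bool:
    """A bare digest only catches accidental change: whoever can alter the
    message can recompute the digest.  An HMAC also ties the message to the
    key holders (both sides hold the key, so it still gives no non-repudiation)."""
    return hmac.compare_digest(make_tag(message, key), expected_tag)


if __name__ == "__main__":
    for m in MESSAGES:
        d = digests(m)
        print(f"{m!r:18} md5={d['md5']} sha256={d['sha256']}")
    sent = "Rubix ID event"
    digest = digests(sent)["sha256"]
    print("unchanged:", integrity_ok(sent, digest))        # True
    print("tampered :", integrity_ok(sent + "!", digest))  # False
    tag = make_tag(sent, b"constructed-shared-key")
    print("wrong key:", authenticity_ok(sent, b"other-key", tag))  # False
```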
Encryption / Decryption
[Diagram: Plain Text + Key → Encryption Algorithm → Cipher Text; Cipher Text + Key → Decryption Algorithm → Plain Text]
Can be used for confidentiality
Symmetric Encryption
• Same key for encryption and decryption
• Key needs to be known by both parties
• Very efficient (100 times faster than asymmetric)
• Challenges:
  • Reliance on a single key (secret key)
  • Not for non-repudiation
• Examples: DES, RC4, RC5, AES
Asymmetric Encryption
• Private key decrypts cipher text encrypted with the public key
• Public key decrypts cipher text encrypted with the private key
• Public key is public, no security needed
• Private key should stay private
  • Losing it compromises the identity of the owner
• PKI can be used for administration of keys and owners

Asymmetric Encryption: Confidentiality
[Diagram slide]
Asymmetric Encryption: Digital Signature
• A message digest encrypted by a private key
• It proves that the message:
  • Is sent by the intended sender
  • Is not altered
• Can be used for:
  • Authentication
  • Integrity
  • Non-repudiation
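The two asymmetric slides make three claims: each key undoes what the other does, encrypting with the public key gives confidentiality, and a digest encrypted with the private key is a signature that proves origin and integrity. The added example below (not from the slides) walks through all three with a toy RSA key pair built from two tiny constructed primes, so the arithmetic is visible; it is for illustration only and has no real security.

```python
import hashlib

# Toy RSA with tiny hard-coded primes so every step is visible; these numbers
# are constructed for illustration and offer no real security.
P, Q = 61, 53                 # two primes (real keys use ~1024-bit primes)
N = P * Q                     # modulus, shared by both keys
PHI = (P - 1) * (Q - 1)
E = 17                        # public exponent, coprime with PHI
D = pow(E, -1, PHI)           # private exponent: (E * D) % PHI == 1

PUBLIC_KEY = (E, N)           # published, needs no protection
PRIVATE_KEY = (D, N)          # losing it compromises the owner's identity


def encrypt(plain: int, key: tuple) -> int:
    """Modular exponentiation with either key; what one key locks, the other opens."""
    exp, mod = key
    if not 0 <= plain < mod:
        raise ValueError("message must be a non-negative integer smaller than N")
    return pow(plain, exp, mod)


def decrypt(cipher: int, key: tuple) -> int:
    exp, mod = key
    return pow(cipher, exp, mod)


def _digest(message: bytes, mod: int) -> int:
    # SHA-256 digest reduced modulo N so it fits the toy modulus.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % mod


def sign(message: bytes, private_key: tuple) -> int:
    """Digital signature as on the slide: the message digest encrypted with the private key."""
    return pow(_digest(message, private_key[1]), private_key[0], private_key[1])


def verify(message: bytes, signature: int, public_key: tuple) -> bool:
    """Recover the digest with the public key and compare it with a fresh digest:
    this proves origin (only the private key could produce it) and integrity
    (any change to the message changes the digest)."""
    exp, mod = public_key
    return pow(signature, exp, mod) == _digest(message, mod)


if __name__ == "__main__":
    # Confidentiality: encrypt with the recipient's public key; only the private key decrypts.
    c = encrypt(65, PUBLIC_KEY)
    print("cipher text", c, "-> plain text", decrypt(c, PRIVATE_KEY))   # 65
    # Non-repudiation: a signature made with PRIVATE_KEY checks out with PUBLIC_KEY.
    sig = sign(b"Rubix ID event", PRIVATE_KEY)
    print(verify(b"Rubix ID event", sig, PUBLIC_KEY))      # True
    print(verify(b"Rubix ID event!", sig, PUBLIC_KEY))     # False
```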
Security Industry Standards and Technologies
• XML encryption
• XML signature
• Security assertion markup language (SAML)
• Decrypt transform for XML signature
• Canonical XML
• Web service security (WS-Security)
XML Encryption
• Most commonly used to apply encryption for confidentiality to XML data
• It specifies how to encrypt elements within an XML document
• Plaintext is replaced with cipher text -> the document stays well formed
• All or part of the XML document can be encrypted
XML Signature
• The specific XML syntax used to represent a digital signature over any arbitrary digital content
• Is generated from a hash over the canonical form of a signature manifest
Canonical XML
• Two XML documents can be semantically identical but syntactically different, e.g. in white space or the ordering of attributes
• XML canonicalization is the process of standardizing the syntax of XML documents to be signed, so that when a digital signature is verified, it produces the same message digest for assessing message integrity
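Why the signature digest is taken over the canonical form rather than the raw bytes: the added example below (not from the slides) constructs two Order documents that differ only in attribute order, spacing inside tags and self-closing syntax, and compares digests before and after Canonical XML (C14N 2.0) using Python's standard library.

```python
import hashlib
from xml.etree import ElementTree as ET

# Two constructed fragments that are semantically identical but differ in
# attribute order, whitespace inside tags and self-closing syntax.
DOC_A = ('<Order xmlns="urn:example:orders" id="42" currency="EUR">'
         '<Item sku="X1" qty="2"/>'
         '</Order>')
DOC_B = ('<Order   currency="EUR"   xmlns="urn:example:orders" id="42">'
         '<Item qty="2" sku="X1"></Item>'
         '</Order>')


def raw_digest(xml_text: str) -> str:
    """Digest over the bytes as received: any formatting change breaks it."""
    return hashlib.sha256(xml_text.encode("utf-8")).hexdigest()


def canonical_digest(xml_text: str) -> str:
    """Digest over the Canonical XML (C14N 2.0) form, which both the signer
    and the verifier compute before comparing digests."""
    canonical = ET.canonicalize(xml_text)   # sorts attributes, normalises tags
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def signature_would_verify(signed_text: str, received_text: str) -> bool:
    """True when the received document canonicalises to the same digest the signer saw."""
    return canonical_digest(signed_text) == canonical_digest(received_text)


if __name__ == "__main__":
    print(ET.canonicalize(DOC_A))
    print("raw digests equal      :", raw_digest(DOC_A) == raw_digest(DOC_B))   # False
    print("canonical digests equal:", signature_would_verify(DOC_A, DOC_B))      # True
    # A semantic change (different quantity) is still detected after canonicalisation.
    print(signature_would_verify(DOC_A, DOC_B.replace('qty="2"', 'qty="3"')))    # False
```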
Decrypt transform for XML signature
• A message can be encrypted and signed in any order
• For the recipient to correctly verify and decrypt the message, it needs to know in which order the message was signed and encrypted
• Transform elements: a transform is an ordered list of actions applied to a document before signing and verification
Web service security (WS-Security)
• Foundational security architecture for web services
• Message layer security
• Encryption, Signature + more (not addressed today)

Common Security Threat Definitions
• Buffer Overrun
• Information Leakage
• XML External Entity Attack
• SQL Injection
• XPath Injection
• Exception Generation
• XML Bomb Attack
• XML Schema Poisoning Attack
• Document Structure Attack
• XML Parser Attack
• Malicious Intermediary
Information Leakage Attacks (Data oriented)
• Specially crafted request messages cause the service to include more information in its response than intended
• The objective:
  • Get access to confidential information
  • Get information that could be used to access underlying service implementation resources
• Consequences of this attack can ripple beyond a service architecture
Information Leakage: Exception Generation
• Send erroneous request messages to make the service logic trigger an exception
  • That may return error or fault data that includes sensitive information
  • This could include connection strings, server names, SQL queries, XPath commands, stack traces, and data schemas
SQL Injection
XML Parser Attack (Access oriented)
• Goal: to cause the XML parser to either consume an inordinate amount of resources and crash, or to execute the attacker’s own code
• Will affect any service composition that depends on this service as well
• If a single hosting platform is used, all services running on that host could become non-responsive if the runtime is unable to recover from this attack
XML Parser Attack: Document Structure Attack
• A request message with an XML document structure that causes problems for the parser
• Could be achieved by extremely deep nesting of elements, or just an extremely large document
Malicious Intermediary
• A given message can pass through several intermediaries before it reaches its ultimate receiver
• An (active) intermediary can transmit an altered message: the confidentiality and integrity of the message cannot be guaranteed
• A (passive) intermediary can log the message when it is not authorized to do so: the confidentiality of the message cannot be guaranteed
• Might need MLS to prevent this from happening
Service Security Patterns
• Exception Shielding
• Trusted Subsystem
• Service Perimeter Guard
• Message Screening
Exception Shielding
• Unsafe exception-related data is “sanitized”
• Sanitized exception messages do not contain sensitive data
• Note that unhandled exceptions can be wrapped by another exception, so check nesting!
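The nesting warning is the part that usually goes wrong in practice. The added example below (not from the slides) shows an unshielded fault that leaks a constructed connection string through a wrapped exception, beside a shielding wrapper that walks the whole exception chain into the internal log and returns only a generic fault with a reference id; `load_event` and `connect` are hypothetical service functions.

```python
import logging
import uuid

log = logging.getLogger("service")
logging.basicConfig(level=logging.ERROR)

# Constructed connection string standing in for the kind of secret that leaks
# through an unshielded fault message.
DB_URL = "postgresql://svc_user:S3cr3t@db.internal:5432/events"


def connect(url: str):
    # Hypothetical driver failure whose message echoes the full connection string.
    raise ConnectionError(f"could not connect to {url}")


def load_event(event_id: int) -> dict:
    try:
        connect(DB_URL)
    except ConnectionError as exc:
        # Wrapped by another exception: the secret now lives in exc.__cause__.
        raise RuntimeError("event lookup failed") from exc
    return {"id": event_id}


def shielded(handler, *args) -> dict:
    """Run a service operation; on failure log the whole exception chain
    internally and return a sanitized fault carrying only a reference id."""
    try:
        return handler(*args)
    except Exception as exc:
        ref = uuid.uuid4().hex[:12]
        chain, cur = [], exc
        while cur is not None:                # follow nesting: cause or context
            chain.append(f"{type(cur).__name__}: {cur}")
            cur = cur.__cause__ or cur.__context__
        log.error("fault %s: %s", ref, " <- ".join(chain))
        return {"fault": "internal error", "reference": ref}


def unshielded(handler, *args) -> dict:
    """The 'before' picture: the nested exception text goes to the consumer."""
    try:
        return handler(*args)
    except Exception as exc:
        return {"fault": f"{exc} ({exc.__cause__})"}


if __name__ == "__main__":
    print(unshielded(load_event, 42))   # leaks svc_user:S3cr3t@db.internal
    print(shielded(load_event, 42))     # {'fault': 'internal error', 'reference': '...'}
```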
Message Screening
• Invalid request messages can cause the service or other downstream systems to behave in an undesirable manner
  • Accidentally inserted by a service consumer
  • Intentionally added by an attacker
• Assume that all input data is harmful, until proven otherwise
• Specialized threat screening routines are added to the internal service logic
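A screening routine of this kind, covering the Document Structure Attack slide above as well: the added example below (not from the slides) rejects a request before the service logic parses it when it is oversized, nested too deeply, or carries a DOCTYPE (the carrier for entity declarations), using Python's standard expat parser; the limits and the sample requests are constructed.

```python
from xml.parsers import expat


class ScreeningError(Exception):
    """Raised when a request message fails a threat-screening check."""


def screen_xml(payload: bytes, max_bytes: int = 64_000, max_depth: int = 32) -> bool:
    """Reject a request before the service logic sees it: size, nesting depth
    and any DOCTYPE (entity declarations).  Returns True if the message passes."""
    if len(payload) > max_bytes:
        raise ScreeningError(f"message of {len(payload)} bytes exceeds {max_bytes}")

    depth = 0

    def start(name, attrs):
        nonlocal depth
        depth += 1
        if depth > max_depth:
            raise ScreeningError(f"nesting deeper than {max_depth} at <{name}>")

    def end(name):
        nonlocal depth
        depth -= 1

    def doctype(*_):
        raise ScreeningError("DOCTYPE / entity declarations are not accepted")

    parser = expat.ParserCreate()
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.StartDoctypeDeclHandler = doctype
    try:
        parser.Parse(payload, True)          # exceptions from handlers propagate
    except expat.ExpatError as exc:
        raise ScreeningError(f"malformed XML: {exc}") from exc
    return True


def is_acceptable(payload: bytes) -> bool:
    try:
        return screen_xml(payload)
    except ScreeningError:
        return False


# Constructed sample requests: one benign, two that the screening layer must stop.
BENIGN = b'<getEvent xmlns="urn:example:events"><id>42</id></getEvent>'
DEEP = b"<a>" * 500 + b"x" + b"</a>" * 500              # document structure attack
WITH_DTD = b'<!DOCTYPE r [<!ENTITY e "x">]><r>&e;</r>'   # entity declaration

if __name__ == "__main__":
    for label, doc in [("benign", BENIGN), ("deep", DEEP), ("dtd", WITH_DTD)]:
        print(f"{label:7} accepted={is_acceptable(doc)}")
```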
Trusted Subsystem
• When underlying service resources (e.g. databases) can be accessed directly by service consumers, the security of the resource can be compromised by malicious attackers
• The service is the sole means by which underlying resources can be accessed by service consumer programs
• The service uses its own credentials to access the resource
Service Perimeter Guard
• External service consumers require access to services in a private network
• Exposing those services directly to the outside world is too risky
• Intermediate services at the perimeter of the private network (DMZ) act as the sole contact point for external service consumers
• The location and contract of the internal service remain hidden
Access-Oriented Threats: General Mitigation
One of the best practical techniques for avoiding access-oriented threats is to apply the Service Perimeter Guard pattern in order to position a perimeter service as a buffer between potential attackers and internally protected services. These services can further act as policy enforcement points to establish a strong first layer of defense.
[Diagram: Service Consumer → Service Perimeter Guard → protected services (Service A, Service B). The perimeter guard acts as Policy Enforcement Point and performs schema validation and attack mitigation. Caption: Use Perimeter Services]
SOA School / Certified SOA Security Specialist
Module 1: Fundamental SOA & Service-Oriented Computing
Module 2: SOA Technology Concepts
Module 3: SOA Design & Architecture
Module 18: Fundamental SOA Security
Module 19: Advanced SOA Security
Module 20: SOA Security Lab
Questions?