slides

  1. 1. Securing service oriented architectures with WS-Security Matias Cuenca-Acuna Aug, 2007
  2. 2. Talk Outline
      • Motivation
      • Introducing the technology
      • WS-Security in action
      • Performance Considerations
      • Doing SOA with FLOSS
      • Summary – Q&A
      Copyright © 2007, Intel Corporation. All rights reserved. *Other brands and names are the property of their respective owners
  3. 3. The evolution of Internet services
      [Diagram labels: customer, supplier, partner; Internet; pages, mash-ups, SaaS, …; firewall; SOA; enterprise services]
  4. 4. The evolution of Internet services
      [Diagram labels: customer + other services, supplier, partner; pages, mash-ups, SaaS, …; firewall; Open API; SOA; enterprise services]
  5. 5. Why look at SOA? Why security?
      • SOA is a huge success…
        – 71% of the companies have already invested in SOA, 85% is predicted for 2008 (Source: IDC 2006)
        – Microsoft just launched their SOA stack called Windows Communication Foundation (March 2007)
        – Sun released Java 6, the first version to include a SOA stack (Dec 2006)
      • B2B integration is becoming a reality
        – $7000B will be spent on B2B transactions in 2007 (i.e. 45% of the total) (Source: IDC)
      • SOA simplifies B2B but also exposes a bigger attack front
        – Shared APIs allow partners and attackers to access the core business apps.
        – Automated attacks are easier than ever
          • Web Services Description Language (WSDL)
          • Universal description, discovery, and integration (UDDI)
          • Off-the-shelf software stacks are everywhere
        – 75% of hacks occur at the Application/Service level (Source: Gartner)
      • WS-Security is to SOA what SSL is to HTTP (albeit at different rates)…
        – WS-Security is the only standard way to secure SOA
          • backed by the big guys (IBM, MS, Verisign) at OASIS (2006)
          • WS-Security adoption doubled in 2005
      WS-Security is needed to support SOA growth…
  6. 6. Introducing the technology
  7. 7. What is SOA?
      • A service-oriented architecture is essentially a collection of services
        – These services communicate with each other, and the communication can involve either simple data passing or direct application execution;
        – it could also involve two or more services coordinating some activity.
      • What is a Service?
        – A service is a function that is well-defined, self-contained, and does not depend on the context or state of others.
      • What is a Web Service?
        – Typically a web service is XML/SOAP based and most often described by WSDL and Schemas. In most SOA implementations a directory system known as UDDI is used for Web Service discovery and central publication.
  8. 8. The SOA reference architecture
      [Diagram labels: increase business agility; reducing integration expense; increase asset reuse]
      SOA enables new business processes and composite applications from existing services
  9. 9. The OSI model meets the SOA Stack
      [Diagram labels: Perspective DATA, Data Representation Layer (XML); Perspective NETWORK]
      • More layers are being constantly added
        – Security
        – Reliable messaging
        – Manageability
  10. 10. Simple Object Access Protocol (SOAP)
      • SOAP is a protocol for exchanging XML-based messages over computer networks
        – Normally using HTTP
      • SOAP forms the foundation layer of the Web Services (WS) stack
      • Inside a SOAP message
        – Envelope, Header & Body
  11. 11. WS-Security Anatomy
      Secured SOAP Message (the diagram labels the two parts SOAP Header and SOAP Body):
          <soap:Envelope>
            <soap:Header>
              <wsse:Security>
                <Signature> </Signature>
              </wsse:Security>
            </soap:Header>
            <soap:Body>
              <A> </A>
              <B> </B>
            </soap:Body>
          </soap:Envelope>
      Security Feature: Function
      • WS-Security: Attaches signature, encryption, security tokens to SOAP messages.
      • SAML Token: Authenticates initiator of SOAP request. Enables role based authorization. Time-limited. Interoperable.
      • X.509 Certificate: Encryption and signature verification.
      • XML Signature, DSIG: Multiple signed areas of header and body. Integrity protection via PKI based cryptography. Prevents tampering.
      • XML Encryption: Multiple encrypted areas of body. Prevents disclosure.
  12. 12. A signed SOAP message
      [Figure callouts: WS-Security headers; signature block; signed references; signature value; signature key]
      The content is selectively signed (not the message)
  13. 13. WS-Security in action
  14. 14. Anatomy of the SOA Security challenge
      The need for content based security
      [Diagram labels: Internet, Intranet and/or Extranet; Perimeter & DMZ; Web (HTTP) Distribution Layer; Application (XML) Web Services Layer; DB Layer (Oracle); VPN Termination, Firewall, (XML Traffic), IPS, SSL Termination, Network Threats, SOAP, TCP/IP]
      Unsecured APIs enable attackers to go deep into the company
      Perimeter defense is not enough, WS-Security can help with data integrity and authentication
  15. 15. Anatomy of the SOA Security challenge
      The need for end to end security
      Today’s technologies like SSL do not provide end to end protection
      Message sent by John Doe:
          <XML>
            <WS ProdInfo destination info>
            <WS ShipInfo destination info>
            <WS PayInfo destination info>
            <ProdInfo>
              <ProdID>OnlyTheParanoidSurvive</ProdID>
              <Quantity>1</Quantity>
              <Price>34.90</Price>
            </ProdInfo>
            <ShipInfo>
              <Address>2111 NE 25th Avenue</Address>
              <City>Hillsboro</City>
              <State>OR</State>
              <ZIPCode>97124</ZIPCode>
              <Country>USA</Country>
            </ShipInfo>
            <PayInfo>
              <Type>MasterCard</Type>
              <Number>5094289200882312</Number>
              <ExpDate>032007</ExpDate>
            </PayInfo>
          </XML>
      Part seen by the payment destination:
          <XML>
            <PayInfo>
              <Type>MasterCard</Type>
              <Number>5094289200882312</Number>
              <ExpDate>032007</ExpDate>
            </PayInfo>
          </XML>
      Part seen by the shipping destination:
          <XML>
            <ShipInfo>
              <Address>2111 NE 25th Avenue</Address>
              <City>Hillsboro</City>
              <State>OR</State>
              <ZIPCode>97124</ZIPCode>
              <Country>USA</Country>
            </ShipInfo>
          </XML>
      WS-Security enables content owners to control who has access to it
      Content based security is the only solution for securing enterprise integration
  16. 16. Anatomy of the SOA Security challenge
      The need for multiple signatures
      • Each council member signs the resolution, no matter if they voted yes or no
      • The Mayor verifies the signatures, decides to approve or veto the resolution, and finally signs it
      • Finally, the City clerk verifies the signatures of the resolution, and publishes it on the City’s charter
      [Diagram labels: NYC’s townhouse, city council, council member signatures, bill voting, signature verification, Mayor signature, resolution, City clerk signature, City’s charter]
      Content based security allows distributed transactions to be executed across vendors’ solutions
  17. 17. Anatomy of the SOA Security challenge
      The need for multiple levels of clearance
      • Headquarters sends information to field officer. Information is both encrypted and signed
      • Field officer verifies signature and decrypts the top secret information
      • The rest of the information is forwarded to field troops. Message could include all the orders, or just the specifics to each rank
      • Field troops decrypt their orders
      [Diagram labels: Headquarters, Field officers, Troops; Top level clearance, Secret clearance, Confidential clearance; Mission Goal, Logistic information, Mission execution details]
  18. 18. So what is new in all of this?
      • The solutions for all these problems are well known
        – All this can be done with standard cryptography
      • But….
        – Security is tricky: one mistake and it’s over
        – Custom solutions rarely help systems integration
      • WS-Security is
        – An OPEN STANDARD
          • It is the work of lots of smart individuals
        – It is implemented by several vendors (IBM, MS, Oracle, BEA, etc.)
          • It is easy to provide security across systems
        – There are open source implementations
          • More on this later…
  19. 19. Performance Considerations (i.e. there is no free lunch)
  20. 20. How expensive is all this? SSL vs. WS-Security in Grid Computing
      • The experiment (by Shirasuna et al., 2004)
        – Goal: compare SSL & WS-Security for message integrity
          • 8 clients saturate a server with small messages (5 bytes payload)
        – Environment
          • XSUL using Apache XML Security library (XSUL is faster than GT3.2)
          • Tomcat 4.1.30, Sun J2SE 1.4.2_04, Linux 2.4.21
          • Dual Xeon 2.8GHz with 2GB of RAM
      [Bar chart, RTT (ms), logarithmic axis from 1 to 1000: No security 5.5; SSL 90; WS-Security 500]
      SSL adds a 10X slowdown, WS-Security adds 100X! (most of this cost is XML processing)
  21. 21. What is the culprit?
      • Let’s do some back of the envelope calculations

                                                   WS-Security   HTTPS (enc. only)
          RSA (No. operations)                     6             6
          DES (% of content processed)             150%          300%
          XML overhead (% of content processed)    150%          0
          No. SSL Negotiations                     0             6

        – SSL requires more crypto than WS-Security!!
      • About the XML overhead (Liu et al., 2005)
        – It takes 10 ms to sign or encrypt 100KB
        – Using WS-Security takes 100-200ms to do the same
        – Environment
          • Sun’s J2SE 1.4.2 with Bouncy Castle (JCE) & Apache’s WSS4J
          • Linux 2.4.10
          • Pentium 4 CPU 2.79 GHz with 768MB of RAM
  22. 22. What determines WS-Security performance?
      • Traditionally size is the main latency determinant
      • This question helps us to encompass every existing workload
        – Remember the best case assumption
      It is not your father’s Word Document! Shape affects performance
  23. 23. Doing SOA with FLOSS
  24. 24. Step One: Open Standards
      [Diagram labels: WS-Trust, WS-SecureConversation, WS-Security, SAML 2.0, XML Encryption, XML DSig, SOAP 1.2, WS-ReliableMessaging, XPATH 2.0, WS-SecurityPolicy, XML Schema, XML, WSDL, UDDI]
      Open standards help Open Source compete on a level playing field
  25. 25. Step Two: Open Software Stacks
      [Diagram labels: App; Tomcat / JBoss; Axis Stack; WS-Security; Rampart/WSS4J; Apache XML Security; Standalone App; gSOAP; Sun JVM / Harmony; IBM JVM; gcc; Linux; AIX]
      Over $10k in software
      Communication, Persistence, Management, Security, Transactions, Clustering/Scalability comes for FREE!!
  26. 26. Summary of the talk
      • SOA has changed the way we think about software
      • Business integration is now possible
      • We need to address security in order to keep the momentum
        – Eventually we will have large & agile B2B systems
      • WS-Security is an open standard which is ready for the challenge
      • There are plenty of open software stacks to build SOA
      Q&A
  28. 28. Why is c14n so demanding? Rules for canonicalization
      1. The document is encoded in UTF-8
      2. Line breaks are normalized to #xA on input, before parsing
      3. Attribute values are normalized, as if by a validating processor
         • This means that special characters inside an attribute value are replaced by their corresponding character reference
      4. Character and parsed entity references are replaced
         • This means that character references such as #xD are replaced by their real value.
      5. CDATA sections are replaced with their character content
      6. The XML declaration and document type declaration (DTD) are removed
      7. Empty elements are converted to start-end tag pairs
         • An empty element is one that does not contain any text or sub-elements, and is generally denoted by <element/>
      8. Whitespace outside of the document element and within start and end tags is normalized
      9. All whitespace in character content is retained (excluding characters removed during line feed normalization)
      10. Attribute value delimiters are set to quotation marks (double quotes)
      11. Special characters in attribute values and character content are replaced by character references
      12. Superfluous namespace declarations are removed from each element
          • If a node contains a namespace that is already present in an ancestor element, then the namespace node will be removed.
      13. Default attributes are added to each element
          • This means that default attributes will be added to the c14n output (the ones that are defined in the DTD, if it is present)
      14. Lexicographic order is imposed on the namespace declarations and attributes of each element
  29. 29. Canonicalization example
      • Demonstrates:
        – Retention of namespace prefixes from original document
        – Empty element conversion to start-end tag pair
        – Normalization of whitespace in start and end tags
        – Relative order of namespace and attribute axes
        – Lexicographic ordering of namespace and attribute axes
        – Elimination of superfluous namespace declarations
        – Addition of default attribute
      [Figure panels: Original XML; Canonicalized XML]
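Added example, not taken from the slides or from any WS-Security stack: the per-part reference digests behind slide 12's "the content is selectively signed (not the message)", run on a constructed order message like the one on slide 15. It covers only the digest step: the signature value over the reference list with the signer's key is left out, and SHA-256 with Python's C14N 2.0 are assumptions standing in for the algorithms a real signature would name; the function names are made up for the illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
WSU_ID = "{%s}Id" % WSU

# Constructed message modelled on the ShipInfo/PayInfo slide (sample values).
ENVELOPE = f"""<soap:Envelope xmlns:soap="{SOAP}" xmlns:wsu="{WSU}">
  <soap:Body>
    <ShipInfo wsu:Id="ship"><City>Hillsboro</City></ShipInfo>
    <PayInfo wsu:Id="pay"><Type>MasterCard</Type><ExpDate>032007</ExpDate></PayInfo>
  </soap:Body>
</soap:Envelope>"""


def parts_by_id(root):
    """Map wsu:Id -> element for every element that carries one."""
    return {e.get(WSU_ID): e for e in root.iter() if e.get(WSU_ID)}


def digest(elem):
    """Base64 SHA-256 of one subtree's canonical form (its DigestValue)."""
    c14n = ET.canonicalize(ET.tostring(elem, encoding="unicode"), rewrite_prefixes=True)
    return base64.b64encode(hashlib.sha256(c14n.encode("utf-8")).digest()).decode()


def check_references(root, refs):
    """Recompute each reference digest; list Body parts no reference covers."""
    parts = parts_by_id(root)
    ok = {uri: uri[1:] in parts and digest(parts[uri[1:]]) == want
          for uri, want in refs.items()}
    body = root.find("{%s}Body" % SOAP)
    uncovered = [c.tag for c in body if "#%s" % c.get(WSU_ID) not in refs]
    return ok, uncovered


def demo():
    root = ET.fromstring(ENVELOPE)
    refs = {"#pay": digest(parts_by_id(root)["pay"])}  # sender signs PayInfo only
    root.find(".//City").text = "Portland"             # edit to the unsigned part
    after_ship_edit = check_references(root, refs)
    root.find(".//ExpDate").text = "032009"            # edit to the signed part
    return after_ship_edit, check_references(root, refs)


if __name__ == "__main__":
    print(demo())
```

The edit to ShipInfo leaves every reference valid, which is why a receiver should also check that the parts it acts on are among the signed references.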
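Added example, not part of the original slides: why the canonicalization step of slides 28 and 29 has to run before a digest is taken. It uses the C14N 2.0 implementation in Python's standard library as a stand-in for the canonicalization algorithm a WS-Security stack would apply; the `urn:example:pay` namespace, the sample documents and the function names are constructed for the illustration.

```python
import base64
import hashlib
from xml.etree.ElementTree import canonicalize  # Python 3.8+, C14N 2.0

# Constructed sample: two serializations of the same logical element. They
# differ in XML declaration, quote style, attribute order, whitespace inside
# tags, CDATA usage and empty-element syntax (rules 5, 6, 7, 8, 10 and 14).
DOC_A = (
    '<?xml version="1.0"?>'
    "<pay:PayInfo xmlns:pay='urn:example:pay' currency='USD' Id=\"p1\">"
    "<pay:Type><![CDATA[MasterCard]]></pay:Type><pay:Note/>"
    "</pay:PayInfo>"
)
DOC_B = (
    '<pay:PayInfo   Id="p1"  currency="USD" xmlns:pay="urn:example:pay" >'
    "<pay:Type>MasterCard</pay:Type><pay:Note></pay:Note >"
    "</pay:PayInfo>"
)
# Same markup as DOC_B with one character of content changed.
DOC_C = DOC_B.replace("MasterCard", "MasterCarD")


def b64_sha256(text):
    """Base64 SHA-256 of the UTF-8 bytes, the shape of an XML DSig DigestValue."""
    return base64.b64encode(hashlib.sha256(text.encode("utf-8")).digest()).decode()


def canonical_form(xml_text):
    """Canonical serialization that sender and receiver can both reproduce."""
    return canonicalize(xml_text)


def compare(doc_x, doc_y):
    """Return (raw digests equal, canonical digests equal) for two documents."""
    raw = b64_sha256(doc_x) == b64_sha256(doc_y)
    canonical = b64_sha256(canonical_form(doc_x)) == b64_sha256(canonical_form(doc_y))
    return raw, canonical


if __name__ == "__main__":
    print(canonical_form(DOC_A))
    print("A vs B (raw, canonical):", compare(DOC_A, DOC_B))  # (False, True)
    print("B vs C (raw, canonical):", compare(DOC_B, DOC_C))  # (False, False)
```

Every message part that is signed or verified goes through this parse-and-reserialize pass, which is the XML processing cost the performance slides point to.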
