2008 ISACA Spring Conference Web Services Security Landscape - Presentation Transcript
The Web Services Security Landscape. Mikhael Felker, CISSP, CISA, The Aerospace Corporation. May 13th, ISACA Spring Conference
Agenda
Introduction to Web Services
Organizations, Standards, Timelines
Web Services Security Concepts
Web Services Security Languages
Cryptographic Representation
SOAP Message Security
Authentication & Access Control
Summary
Web Services
Web services provide a means for applications on different platforms written in different programming languages to communicate.
= Interoperability
- W3C
Web Services Standards Organizations (Source: Thomas Erl, Service-Oriented Architecture)
W3C: established 1994; membership 400+; SOA goal: create standards to improve information sharing; products/standards: XML, XML Schema, XQuery, XML Signature, XML Encryption, XPath, WSDL, SOAP, and others
OASIS: established 1993 as SGML Open, renamed OASIS in 1998; membership 600+; SOA goal: promote online trade and commerce via specialized Web services standards; products/standards: UDDI, ebXML, SAML, XACML, WS-Security, and others
WS-I: established 2002; membership 200+; SOA goal: foster standardized interoperability using web services standards; products/standards: Basic Profile, Basic Security Profile
Core Standards (1st Generation)
Extensible Markup Language (XML)
Defines a schema of expressing structured information.
SOAP
Defines how messages will be encapsulated before being transferred between hosts.
Web Services Description Language (WSDL)
Defines an XML-based specification used to describe web services. A WSDL document provides concrete information on what functionality is offered and how to request that functionality.
Universal Description, Discovery and Integration (UDDI)
A directory of Web Services that can be queried. Web Services are published to UDDI using the WSDL specification.
Image source: Wikipedia Commons
Forest of Web Services Security Specifications
Standards/Specifications
XML Signature
XML Encryption
XML Key Management (XKMS)
WS-Security
Over 10 different specifications for securing web services, among them:
Security Assertion Markup Language (SAML)
Extensible Access Control Markup Language (XACML)
Extensible Rights Markup Language (XrML)
Open Digital Rights Language (ODRL)
WS-SecurityPolicy
WS-Trust
WS-SecureConversation
WS-Federation
Slide legend: Today's Focus (Fundamentals) / Brief Discussion / Out of Scope
Web Services Security Stack Courtesy of NIST. See Special Publication 800-95
What security services does each standard/specification provide?
How well adopted is the “standard”?
Does it compete with, or complement, another standard?
Are there tools to check for interoperability?
Is the standard open or proprietary?
Common Security Goals
Confidentiality
Integrity
Authentication
Authorization
Sender non-repudiation
How do these fit in the framework of web services?
Traditional Client/Server Security (diagram: User - HTTP over SSL/TLS - Web Site). Simple use of the SSL protocol for point-to-point communication: encrypted, authenticated, ensures integrity.
Web Services Withdraw Example (diagram: Service Requestor - Service Intermediary - Service Providers; services shown: Withdraw Service, Check Balance Service, Check Pre-authorization Hold Service, Check Deposit Holds Service; SOAP messages 1 to 4 each carry a Header and a Body, with headers added at each hop).
Comparison of Transport and Message Security (diagram)
Transport Layer Security (SSL/TLS): Service Requestor - HTTP/SSL/TLS - Service Intermediary - HTTP/SSL/TLS - Service Provider. Data is protected with two separate TLS/SSL sessions, so the intermediary could compromise confidentiality, integrity, and authenticity of the data.
Message Security using XML Encryption and XML Signature: Service Requestor - HTTP - Service Intermediary - HTTP - Service Provider. Data is signed and encrypted in the XML document itself, which ensures confidentiality and integrity while passing through the intermediary.
Same concepts, different technologies: protection based on layers
Security property: network layer security / message-based security
Confidentiality: IPSec, SSL/TLS / XML Encryption
Integrity: IPSec, SSL/TLS / XML Signature
Authentication: IPSec, SSL/TLS / SAML, XrML
Authorization: none listed / XACML, XrML
Sender non-repudiation: none listed / XML Signature
OSI layer and protocol/standard: Application - XML security; Transport - SSL/TLS; Network - IPSec
XML Encryption
XML Encryption provides an XML syntax for encrypting data
W3C Recommendation (2002)
Security services:
Confidentiality
Integrity
(diagram: Encryption / Decryption)
XML Signature
XML Signature provides an XML syntax for digital signatures
W3C Recommendation (2002)
Security services:
Data integrity
Sender non-repudiation
Signature Types
Enveloped
Enveloping
Detached
(diagram: Signature Generation / Signature Verification)
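The message-security case from the transport-versus-message comparison and the XML Signature generation/verification slides above, as an added example that is not part of the original deck: a SOAP Body is signed by reference from a ds:Signature placed in the SOAP Header, the message passes an intermediary that adds its own header, and the provider verifies the Body on arrival. Assumptions: the SOAP Envelope, XML Signature and the `urn:example:bank` namespace are the only ones involved; the standard library's C14N 2.0 stands in for the Inclusive C14N the spec usually references; and the SignatureMethod is HMAC-SHA256 (a real xmldsig-more identifier, but a keyed MAC shared by requestor and provider), which gives integrity and origin authentication between those two parties but not the sender non-repudiation the slide lists, since that requires an asymmetric SignatureMethod such as RSA, which the standard library does not provide.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
DSIG = "http://www.w3.org/2000/09/xmldsig#"
BANK = "urn:example:bank"   # constructed namespace for the sample Withdraw service
for prefix, uri in (("soap", SOAP), ("ds", DSIG), ("bank", BANK)):
    ET.register_namespace(prefix, uri)

# Constructed sample request. The Body carries an Id so the Reference can
# point at it (URI="#body") rather than at the whole document.
REQUEST = f"""<soap:Envelope xmlns:soap="{SOAP}">
  <soap:Header/>
  <soap:Body Id="body">
    <bank:Withdraw xmlns:bank="{BANK}"><bank:Account>12345</bank:Account><bank:Amount>100</bank:Amount></bank:Withdraw>
  </soap:Body>
</soap:Envelope>"""

KEY = b"shared-secret-between-requestor-and-provider"   # constructed demo key


def c14n(elem):
    """Canonical form of one subtree (C14N 2.0 from the standard library,
    used in place of the Inclusive C14N XML Signature normally references)."""
    return ET.canonicalize(ET.tostring(elem, encoding="unicode"), strip_text=True)


def sha256_b64(text):
    return base64.b64encode(hashlib.sha256(text.encode()).digest()).decode()


def sign_body(envelope, key):
    """Requestor side: add a ds:Signature to the Header whose one Reference covers the Body."""
    header = envelope.find(f"{{{SOAP}}}Header")
    body = envelope.find(f"{{{SOAP}}}Body")
    sig = ET.SubElement(header, f"{{{DSIG}}}Signature")
    si = ET.SubElement(sig, f"{{{DSIG}}}SignedInfo")
    ET.SubElement(si, f"{{{DSIG}}}CanonicalizationMethod", Algorithm="http://www.w3.org/2010/xml-c14n2")
    ET.SubElement(si, f"{{{DSIG}}}SignatureMethod", Algorithm="http://www.w3.org/2001/04/xmldsig-more#hmac-sha256")
    ref = ET.SubElement(si, f"{{{DSIG}}}Reference", URI="#" + body.get("Id"))
    ET.SubElement(ref, f"{{{DSIG}}}DigestMethod", Algorithm="http://www.w3.org/2001/04/xmlenc#sha256")
    ET.SubElement(ref, f"{{{DSIG}}}DigestValue").text = sha256_b64(c14n(body))
    # The MAC is computed over SignedInfo, which in turn carries the Body digest.
    mac = hmac.new(key, c14n(si).encode(), hashlib.sha256).digest()
    ET.SubElement(sig, f"{{{DSIG}}}SignatureValue").text = base64.b64encode(mac).decode()
    return ET.tostring(envelope, encoding="unicode")


def verify_body(wire_xml, key):
    """Provider side. True only if the Reference targets the Body itself, the
    Body digest matches, and SignatureValue matches SignedInfo under the key."""
    envelope = ET.fromstring(wire_xml)
    body = envelope.find(f"{{{SOAP}}}Body")
    sig = envelope.find(f"{{{SOAP}}}Header/{{{DSIG}}}Signature")
    si = sig.find(f"{{{DSIG}}}SignedInfo") if sig is not None else None
    ref = si.find(f"{{{DSIG}}}Reference") if si is not None else None
    if body is None or ref is None:
        return False
    # Resolve the URI against the Body rather than searching the document for
    # any element with that Id: a lookup by Id alone lets a moved or duplicated
    # Id change which element the check actually covers.
    if ref.get("URI") != "#" + (body.get("Id") or ""):
        return False
    digest_ok = hmac.compare_digest(sha256_b64(c14n(body)), ref.findtext(f"{{{DSIG}}}DigestValue") or "")
    expected = hmac.new(key, c14n(si).encode(), hashlib.sha256).digest()
    actual = base64.b64decode(sig.findtext(f"{{{DSIG}}}SignatureValue") or "")
    return digest_ok and hmac.compare_digest(expected, actual)


def demo():
    """(verified as sent, verified after an intermediary adds a header, verified after the Body is altered)."""
    signed = sign_body(ET.fromstring(REQUEST), KEY)
    as_sent = verify_body(signed, KEY)

    # The intermediary from the slide: it may add its own header and forward.
    # A signature that covers only the Body must survive that.
    hop = ET.fromstring(signed)
    ET.SubElement(hop.find(f"{{{SOAP}}}Header"), "RoutedVia").text = "intermediary-1"
    after_intermediary = verify_body(ET.tostring(hop, encoding="unicode"), KEY)

    # A hop that changes the Body (the amount) must be detected by the provider.
    altered = ET.fromstring(signed)
    altered.find(f".//{{{BANK}}}Amount").text = "100000"
    after_alteration = verify_body(ET.tostring(altered, encoding="unicode"), KEY)
    return as_sent, after_intermediary, after_alteration


if __name__ == "__main__":
    print(demo())
```

The check on the Reference URI is deliberate: resolving `#body` against the Body element, instead of searching the whole envelope for any element whose Id happens to be `body`, keeps the verified element and the element the provider then acts on the same thing, which is the property the intermediary scenario depends on.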
XML Key Management Specification (XKMS)
XKMS provides for PKI using two protocols
XML Key Registration Service Specification (X-KRSS)
Services: Register, reissue, revoke, recover
XML Key Information Service Specification (X-KISS)
Services: Locate, validate
Competing Non-XML
Web key servers (e.g., http://pgp.mit.edu/ )
(diagram: XKMS Service holding public and private keys; Service A registers the public key of A, Service B locates the public key of A)
Security Assertion Markup Language (SAML)
OASIS standard for exchanging authentication and authorization data
(diagram: Company A authenticates to Supplier B and Supplier C; the SAML assertion travels in the SOAP header: <envelope> <header> <saml>..</saml> </header> <body>…</body> </envelope>)
SAML Use Case (SSO) Source: Wikimedia Commons
XML based Access Control Languages
XACML
XrML
ODRL
ODRL vs. XrML vs. XACML
Extensible Access Control Markup Language (XACML)
XACML defines an access control policy
OASIS Standard, currently in version 2.0
Specification describes how rules can be created, and elements necessary to make authorization requests
XACML policies include deny rules, unlike DRM languages (e.g., XrML) which only specify what is allowed
XACML is integrated in over sixty products/services
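An added example, not code from the deck, showing the point made above about deny rules: a small policy decision point evaluates Permit and Deny rules under the XACML deny-overrides combining algorithm, and the same policy is then read the way a grant-only rights language would see it. The combining-algorithm URNs, the Effect values and the Permit/Deny/NotApplicable decisions are XACML's own; the compact `<Match attribute= value=>` form is an assumed flattening of XACML 2.0's Target/SubjectMatch/ResourceMatch/ActionMatch syntax, and the policy and requests are constructed for the example.

```python
import xml.etree.ElementTree as ET

# XACML 1.0/2.0 rule-combining algorithm identifiers.
DENY_OVERRIDES = "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides"
PERMIT_OVERRIDES = "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides"

# Constructed policy. Policy, Rule, Effect and RuleCombiningAlgId follow XACML;
# <Match attribute= value=> is an assumed flattening of XACML's Target syntax.
POLICY = f"""
<Policy PolicyId="ledger-access" RuleCombiningAlgId="{DENY_OVERRIDES}">
  <Rule RuleId="employees-read-ledger" Effect="Permit">
    <Match attribute="role" value="employee"/>
    <Match attribute="resource" value="ledger"/>
    <Match attribute="action" value="read"/>
  </Rule>
  <Rule RuleId="contractors-never-see-ledger" Effect="Deny">
    <Match attribute="employment" value="contractor"/>
    <Match attribute="resource" value="ledger"/>
  </Rule>
</Policy>
"""


def rule_matches(rule, request):
    """A rule applies when every Match in it equals the corresponding request attribute."""
    return all(request.get(m.get("attribute")) == m.get("value")
               for m in rule.findall("Match"))


def evaluate(policy_xml, request):
    """Policy Decision Point: combine the effects of all applicable rules.
    Returns the XACML decision Permit, Deny or NotApplicable."""
    policy = ET.fromstring(policy_xml)
    effects = [r.get("Effect") for r in policy.findall("Rule") if rule_matches(r, request)]
    if not effects:
        return "NotApplicable"
    alg = policy.get("RuleCombiningAlgId")
    if alg == DENY_OVERRIDES:
        return "Deny" if "Deny" in effects else "Permit"
    if alg == PERMIT_OVERRIDES:
        return "Permit" if "Permit" in effects else "Deny"
    raise ValueError(f"unsupported combining algorithm {alg}")


def evaluate_permit_only(policy_xml, request):
    """The same policy as a grant-only rights language sees it: there is no way
    to state a Deny, so only Permit rules can influence the decision."""
    policy = ET.fromstring(policy_xml)
    permits = [r for r in policy.findall("Rule")
               if r.get("Effect") == "Permit" and rule_matches(r, request)]
    return "Permit" if permits else "NotApplicable"


# Constructed requests: subject attributes plus the resource and action.
EMPLOYEE_READ = {"role": "employee", "employment": "staff", "resource": "ledger", "action": "read"}
CONTRACTOR_READ = {"role": "employee", "employment": "contractor", "resource": "ledger", "action": "read"}
EMPLOYEE_WRITE = {"role": "employee", "employment": "staff", "resource": "ledger", "action": "write"}


def demo():
    """(XACML decision, grant-only decision) for each constructed request."""
    return {name: (evaluate(POLICY, req), evaluate_permit_only(POLICY, req))
            for name, req in (("employee_read", EMPLOYEE_READ),
                              ("contractor_read", CONTRACTOR_READ),
                              ("employee_write", EMPLOYEE_WRITE))}


if __name__ == "__main__":
    for name, (xacml, permit_only) in demo().items():
        print(f"{name:16} XACML={xacml:14} grant-only={permit_only}")
```

The contractor request is the one that separates the two models: it satisfies the employee Permit rule, so a grant-only evaluation returns Permit, while deny-overrides lets the contractor Deny rule win. Expressing "every employee except contractors" without a Deny would require rewriting the Permit rule's conditions instead, which is the practical cost the slide is pointing at.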
Extensible Rights Markup Language (XrML)
Owned by ContentGuard, current version 2.0
Primary usage (DRM):
Distribution of digital works or services
XrML Adoption: Microsoft(RMS), Rights Expression Language (REL) for MPEG-21, Sony, OverDrive, Content Works
Builds upon: XML Encryption/Signature
IPR Issues with ContentGuard
Open Digital Rights Language (ODRL)
Created by the ODRL Initiative
ODRL version 1.1
ODRL designed for selling and using digital goods
Language defines set of rights (e.g., print, execute, display)
Can be more specific (e.g., print e-book 3 times)
It’s possible to achieve some level of interoperability between ODRL and XrML (on simple policies)
Enterprise Privacy Authorization Language (EPAL)
Developed by IBM
Current version 1.2
Used for policy expressions
Subset of XACML
No or rare adoption
Summary of Security Markup Languages (fields: Standard; Description; Provides; Version; Adoption; Organizing Body)
XML Encryption (XML ENC); specifies encryption of XML files, elements, or attributes; confidentiality, integrity; version N/A; Widely Adopted; W3C
XML Signature (XML SIG); specifies digital signatures of XML files, elements, or attributes; authentication, non-repudiation, integrity; version N/A; Widely Adopted; W3C
XKMS; composed of two primary specifications, one to register public keys and the other to support key retrieval/usage/processing; key publication and revocation; version 2.0; Minimally Adopted; W3C/IETF
SAML; presents authentication and authorization information; authentication, authorization; version 2.0; Adopted; OASIS
Summary of Security Markup Languages (2) (fields: Standard; Description; Provides; Version; Adoption; Organizing Body)
XACML; formally expresses what resources can be accessed under a set of conditions; authorization, access control; version 2.0; Highly Adopted; OASIS
XrML; grants rights to resources based on conditions; authentication, authorization, access control; version 2.0; Minimal; ContentGuard
ODRL; access to digital goods based on certain conditions; access control, authorization; version 1.1; Minimal; ODRL Initiative
EPAL; allows applications and services to allow or deny actions for particular purposes; authorization, access control; version 1.2; Rare; IBM (submitted to W3C)
A small sampling of Industry adoption
Google adopts SAML for SSO
Netflix using XrML for content protection (DRM)
Windows has Rights Management Services (RMS) built in for Windows Server 2008 (AD RMS)
DISA creates NCES
(using SAML, XACML, and others)
The Aerospace Corporation does not endorse, and is not affiliated with, Google, Netflix, Microsoft and DISA.
Summary
Security hasn’t changed, but we need to think more in terms of web services and XML
Don’t jump on “new standards” until it is adopted and really becomes one (e.g., how many people lost money on HD-DVD player—including myself)
Network security hasn’t evaporated completely, we still need to protect infrastructure/servers, etc
Questions?
References
Web Services Security (Mark O’Neill, et al.)
Securing Web Services with WS-Security (Rosenberg & Remy)
World Wide Web Consortium (W3C)
www.w3c.org
NIST Guide to Secure Web Services Special Publication 800-95
References (2)
XML Key Management Specification http://www.ibm.com/developerworks/xml/library/x-seclay3/