Web Services and Web Services Security


Published on

  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Web Services and Web Services Security

  1. 1. Web Services and Web Services Security Presented August 7, 2004 at AMCIS2004 New York, New York by Dr. Robert J. Boncella Washburn University
  2. 2. Overview of Presentation <ul><li>Concept of a Web Service (WS) </li></ul><ul><li>Required Technology for Web Services </li></ul><ul><li>Security Requirements for Web Services </li></ul><ul><li>Require Technology for Web Services Security </li></ul><ul><li>WS-Security </li></ul><ul><li>Web Services Threats and attacks </li></ul>
  3. 3. Concept of a Web Service <ul><li>Web Service </li></ul><ul><ul><li>self-contained modular application </li></ul></ul><ul><ul><li>that provides a computation upon request </li></ul></ul><ul><li>Request via a Computer Network </li></ul><ul><ul><li>Internet, Intranet, or Extranet </li></ul></ul><ul><li>Computer Network Used To </li></ul><ul><ul><li>Describe </li></ul></ul><ul><ul><li>Publish </li></ul></ul><ul><ul><li>Locate </li></ul></ul><ul><ul><li>Invoke (provide service) </li></ul></ul>
  4. 4. Example of a Web Service <ul><li>Function </li></ul><ul><ul><li>Provide verification of a customer’s shipping address (e.g. Is zip code correct?) </li></ul></ul><ul><ul><li>Current price of a particular stock </li></ul></ul>
  5. 5. Implications of Web Services Computing Paradigm <ul><li>Interoperability </li></ul><ul><ul><li>implied standardization </li></ul></ul><ul><li>Substitutability of services </li></ul><ul><li>Services become commodities </li></ul><ul><li>Information Systems developed with least cost </li></ul><ul><ul><li>competition to provide service </li></ul></ul><ul><ul><li>service providers responsible to provide QOS </li></ul></ul><ul><li>Firm not required to provide service </li></ul><ul><ul><li>not unusual </li></ul></ul><ul><ul><li>e.g. ship package via DHL, FedEx, UPS, or USPS </li></ul></ul>
  6. 6. Acceptance of Web Services <ul><li>Firm must trust service provider </li></ul><ul><li>Assurance of Web Services Security required </li></ul><ul><ul><li>Overview of Web Services architecture required for understanding of Web Service Security </li></ul></ul>
  7. 7. Web Services Architecture Service Oriented Architecture (SOA)
  8. 8. Implementation of SOA <ul><li>Required Components </li></ul><ul><ul><li>Any Communication Protocol </li></ul></ul><ul><ul><ul><li>TCP, HTTP, SMTP, Message Queuing (e.g.MSMQ) </li></ul></ul></ul><ul><ul><li>SOAP 1.1 ( Simple Object Access Protocol ) </li></ul></ul><ul><ul><li>WSDL 1.1 ( Web Services Description Language ) </li></ul></ul><ul><ul><li>UDDI ver. 2.04 API ( Universal Description, Discovery, and Integration ) </li></ul></ul><ul><ul><li>XML 1.0 </li></ul></ul><ul><ul><li>XML Schema Part 1: Structures </li></ul></ul><ul><ul><li>XML Schema Part 2: Datatypes </li></ul></ul>
  9. 9. Component Details <ul><li>SOAP 1.1 </li></ul><ul><ul><li>Simple Object Access Protocol is a message protocol that enables requests and responses to be sent in XML format from client to a server. </li></ul></ul><ul><ul><li>SOAP defines an envelope that contains a header and a body . The SOAP body contains the payload . See http://www.w3.org/TR/soap/ for more details. </li></ul></ul><ul><li>WSDL 1.1 </li></ul><ul><ul><li>Web Services Description Language is a specification that details how to describe a web service. A WSDL document for a service is an XML document that contains information a programmer needs in order to contract for that service. See http://www.w3.org/TR/wsdl for more details. </li></ul></ul>
  10. 10. Component Details <ul><li>UDDI ver. 2.04 API </li></ul><ul><ul><li>Universal Description, Discovery, and Integration is a specification of the registry that lists web services that are of interest to a service requestor entity. It uses taxonomies that categorize web services in a way meaningful to clients. See http://www.uddi.org/ for more details. </li></ul></ul>
  11. 11. Component Details <ul><li>XML 1.0 </li></ul><ul><ul><li>XML is a tag-oriented language whose tags can be user defined and are used to describe the data contained in the document. See http://www.w3.org/XML/ for more details. </li></ul></ul><ul><li>XML Schema Part 1: Structures </li></ul><ul><ul><li>XML Schema: Structures can be used to define, describe and catalogue XML vocabularies for classes of XML documents. See http://www.w3.org/TR/xmlschema-1/ for more details. </li></ul></ul><ul><li>XML Schema Part 2: Datatypes </li></ul><ul><ul><li>XML Schema: Datatypes can be used to define datatypes in XML vocabularies and documents. See http://www.w3.org/TR/xmlschema-2/ for more details. </li></ul></ul>
  12. 12. An Example 1) IT department B creates service X -An SOA Publish() 2) IT department A is creating information system Y and needs service X - An SOA Find() 3) IT department A uses the URL posted in the public registry to download a copy of the WSDL specification for service X 4) An SOA Bind()
  13. 13. Web Services Security
  14. 14. Information Security Requirements <ul><ul><li>Confidentiality </li></ul></ul><ul><ul><ul><li>assures user privacy and prevents the theft of information both in transit and stored. </li></ul></ul></ul><ul><ul><li>Integrity </li></ul></ul><ul><ul><ul><li>assures that information either in transit or in storage was not modified, </li></ul></ul></ul><ul><ul><li>Nonrepudiation </li></ul></ul><ul><ul><ul><li>assures that the sender of a message cannot legitimately claim they did not send the message. </li></ul></ul></ul><ul><ul><li>Authentication </li></ul></ul><ul><ul><ul><li>assures that the sender and receiver are who the claim to be. </li></ul></ul></ul><ul><ul><li>Authorization </li></ul></ul><ul><ul><ul><li>assures that an authentication entity can access only those information resources they are required to have either to request or provide a service. </li></ul></ul></ul><ul><ul><li>Availability </li></ul></ul><ul><ul><ul><li>assures that uninterrupted service is provided to authenticated and authorized users. </li></ul></ul></ul>
  15. 15. Information Security <ul><li>Information security requirements assured by </li></ul><ul><ul><li>SSL (Secure Sockets Layer) </li></ul></ul><ul><ul><li>PKI (Public Key Infrastructure) </li></ul></ul><ul><ul><li>Firewalls </li></ul></ul><ul><li>Restricted to conventional web traffic using </li></ul><ul><ul><li>HTTPS, FTPS, et. al. </li></ul></ul><ul><li>SSL inadequate for Web Services Security </li></ul><ul><li>Firewalls inadequate for Web Services Security </li></ul>
  16. 16. SSL & Web Services Security <ul><li>Example shows need for persistent security </li></ul><ul><li>Persistent Security </li></ul><ul><ul><li>requires the security of the SOAP request/response message be assured over more than one client/server connection </li></ul></ul><ul><li>SSL does not </li></ul><ul><ul><li>Provide end-to-end security </li></ul></ul><ul><ul><li>Assure Integrity </li></ul></ul><ul><ul><li>Generally, only uses one-way authentication </li></ul></ul><ul><ul><li>No end-to-end audit trail </li></ul></ul>
  17. 17. Firewalls & Web Services Security <ul><li>SOAP bypasses firewalls </li></ul><ul><li>Firewalls function at </li></ul><ul><ul><li>Layer 3 - packet filtering on IP and/or port </li></ul></ul><ul><ul><li>Layer 4 - circuit-level uses TCP handshaking to determine a session’s legitimacy </li></ul></ul><ul><ul><li>Application layer - filters on basis of application being requested e.g. HTTP/SSL POP/SMTP maybe allowed others refused </li></ul></ul><ul><ul><ul><li>SOAP messages often bound to HTTP or SMTP </li></ul></ul></ul>
  18. 18. Firewalls & Web Services Security <ul><li>A SOAP level firewall should </li></ul><ul><ul><li>determine if the incoming SOAP request is intended for a available Web Service </li></ul></ul><ul><ul><li>determine if the SOAP request is valid </li></ul></ul><ul><ul><ul><li>does the SOAP message contain valid data </li></ul></ul></ul><ul><ul><ul><ul><li>type and size </li></ul></ul></ul></ul><ul><ul><li>Content Filtering Firewall </li></ul></ul>
  19. 19. Web Services Security Requirements <ul><li>Same as Information Security Requirements </li></ul><ul><li>Assured by means other than SSL and firewalls </li></ul><ul><li>Requirement of persistent security </li></ul><ul><ul><li>SOAP messages require inclusion of security data </li></ul></ul>
  20. 20. Web Services Security Technology <ul><li>Confidentiality for Web Services </li></ul><ul><ul><li>XML Encryption is used to assure confidentiality in the case of a security context that ranges beyond a simple HTTP/SSL connection </li></ul></ul><ul><ul><li>See http://www.w3.org/Encryption/2001/ for detailed information . </li></ul></ul><ul><li>Integrity for Web Services </li></ul><ul><ul><li>An XML signature is the XML equivalent of a digital signature </li></ul></ul><ul><ul><li>Used digitally sign selected portions of an XML document </li></ul></ul><ul><ul><li>Used to sign data and thereby assure its integrity </li></ul></ul><ul><ul><li>See http://www.w3.org/Signature/ for detailed information </li></ul></ul>
  21. 21. Web Services Security Technology <ul><li>Authentication and Authorization Web Services </li></ul><ul><ul><li>Single Sign On (SSO) process </li></ul></ul><ul><ul><li>If user is authenticated by initial web service provider user is automatically authenticated on all subsequent web service providers. </li></ul></ul><ul><ul><li>Two approaches to SSO </li></ul></ul><ul><ul><ul><li>1) Include authentication information for each web service in the initial SOAP message </li></ul></ul></ul><ul><ul><ul><li>2) Maintain a user's authentication list in a central repository </li></ul></ul></ul>
  22. 22. Web Services Security Technology <ul><li>Two approaches to SSO </li></ul><ul><ul><li>1) Include authentication information for each web service in the initial SOAP message </li></ul></ul><ul><ul><ul><li>Security Assertions Markup Language (SAML) and XML Access Control Markup Language (XACML) work together to implement the first approach </li></ul></ul></ul><ul><ul><ul><li>For detailed information about SAML see </li></ul></ul></ul><ul><ul><ul><ul><li>http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security </li></ul></ul></ul></ul><ul><ul><ul><li>and for XACML see </li></ul></ul></ul><ul><ul><ul><ul><li>http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml. </li></ul></ul></ul></ul><ul><ul><li>2) Maintain a user's authentication list in a central repository </li></ul></ul><ul><ul><ul><li>Microsoft's Passport scheme and Sun's Liberty Alliance Project use the centralized repository approach to user authentication </li></ul></ul></ul>
  23. 23. Web Services Security Technology <ul><li>Nonrepudiation - PKI for Web Services </li></ul><ul><ul><li>XML Key Management specification (XKMS) provides PKI services (registering, locating, and validating keys) through XML . </li></ul></ul><ul><ul><li>See http://www.w3.org/TR/xkms/ for detailed information </li></ul></ul>
  24. 24. WS-Security <ul><li>Specification to extend SOAP </li></ul><ul><li>Web Services Security Language </li></ul><ul><ul><li>WS-Security </li></ul></ul><ul><li>WS-Security Provides </li></ul><ul><ul><li>Multiple Security Tokens </li></ul></ul><ul><ul><ul><li>for authentication & authorization </li></ul></ul></ul><ul><ul><li>Multiple Trust Domains </li></ul></ul><ul><ul><li>Multiple Signature Formats </li></ul></ul><ul><ul><li>Multiple Encryption Technologies </li></ul></ul><ul><ul><li>End to end message-level security </li></ul></ul>
  25. 25. Web Services Security Specifications IBM/Microsoft Architecture (Proposed April, 2002)
  26. 26. Web Services Security Specifications <ul><li>WS-Security Specification </li></ul><ul><ul><li>describes how to attach signature and encryption headers to SOAP messages </li></ul></ul><ul><ul><li>describes how to attach security tokens to messages </li></ul></ul><ul><ul><ul><li>X.509 Certificates </li></ul></ul></ul><ul><ul><ul><li>Kerberos Tickets. </li></ul></ul></ul>
  27. 27. Web Services Security Specifications <ul><li>WS-Policy </li></ul><ul><ul><li>will describe the capabilities and constraints of the security policies on intermediaries and endpoints </li></ul></ul><ul><ul><li>specifies the required security tokens, supported encryption algorithms, privacy rules </li></ul></ul><ul><ul><li>this information will be in the WSDL document for a service </li></ul></ul><ul><li>WS-Trust </li></ul><ul><ul><li>will describe a framework for trust models that enables Web services to securely interoperate </li></ul></ul><ul><li>WS-Privacy </li></ul><ul><ul><li>will describe a model for how Web services and requesters state privacy preferences and organizational privacy practice statements. </li></ul></ul>
  28. 28. Web Services Security Specifications <ul><li>WS-SecureConversation: </li></ul><ul><ul><li>will describe how to manage and authenticate message exchanges between parties including security context exchange and establishing and deriving session keys. </li></ul></ul><ul><li>WS-Federation: </li></ul><ul><ul><li>will describe how to manage and broker the trust relationships in a heterogeneous federated environment including support for federated identities. </li></ul></ul><ul><li>WS-Authorization: </li></ul><ul><ul><li>will describe how to manage authorization data and authorization policies </li></ul></ul>
  29. 29. Status of IBM/Microsoft Architecture <ul><li>Web Services Security: </li></ul><ul><ul><li>Kerberos Binding - </li></ul></ul><ul><ul><ul><li>published as a public specification on 19 December 2003 . </li></ul></ul></ul><ul><ul><li>SOAP Message Security </li></ul></ul><ul><ul><ul><li>published as an OASIS Standard in March of 2004. </li></ul></ul></ul><ul><ul><li>UsernameToken Profile 1.0 </li></ul></ul><ul><ul><ul><li>published as an OASIS Standard in March of 2004. </li></ul></ul></ul><ul><ul><li>X.509 Certificate Token Profile </li></ul></ul><ul><ul><ul><li>published as an OASIS Standard in March of 2004 . </li></ul></ul></ul><ul><ul><li>OASIS - </li></ul></ul><ul><ul><ul><li>Organization for the Advancement of Structured Information </li></ul></ul></ul>
  30. 30. Status of IBM/Microsoft Architecture <ul><li>WS-Trust </li></ul><ul><ul><li>published as a public specification on 24 May 2004. </li></ul></ul><ul><li>WS-SecureConversation </li></ul><ul><ul><li>was published as a public specification on 24 May 2004. </li></ul></ul><ul><li>WS-SecurityPolicy </li></ul><ul><ul><li>was published as a public specification on 18 December 2002. </li></ul></ul><ul><li>WS-Federation </li></ul><ul><ul><li>published as public specifications on 8 July 2003 </li></ul></ul>
  31. 31. Web Services Security Threats <ul><li>Attacks on the application or the computing system that provides the Web Service </li></ul><ul><ul><li>threat to availability </li></ul></ul><ul><li>A SOAP message containing malicious data that would cause the web service application to execute in an unintended mode </li></ul><ul><li>The SOAP message could contain a request for a service that is not advertised on that site is provided </li></ul><ul><li>SOAP messages easily pass through firewalls </li></ul><ul><ul><li>Needed: firewalls that filter the content of SOAP messages requesting passage through the firewall </li></ul></ul>
  32. 32. Summary The purpose of this tutorial was to provide a foundation for an understanding of the need for and techniques of web services security. An overview of the architecture of WS-Security an its status was presented as well. An overview of web services - its architecture and its components was included as well.
  33. 33. Slides: http://www.washburn.edu/cas/cis/boncella E-mail: [email_address]
  34. 34. Bibliography Albrecht, C. (2004) How Clean Is the Future of SOAP?, Communication of the ACM , 47,2,Feb. 2004. Atkinson, B., Della-Libera, G., Hada, S., Hondo, M., Hallam-Baker, P., Klein, J., LaMacchia, B., Leach, P., Manferdelli, J., Maruyama, H., Nadalin, A., Nagaratnam, N., Prafullchandra, H., Shewchuk, J., Simon, D. (2002) &quot; Web Services Security (WS-Security)&quot;, http://www-106.ibm.com/developerworks/webservices/library/ws-secure/ (current Feb. 22, 2004) Biron, P.V. and Malhotra, A. (2001) &quot;XML Schema Part 2: Datatypes&quot; http://www.w3.org/TR/xmlschema-2/ (current Feb. 22, 2004) Boncella, R. (2000) &quot;Web Security for E-Commerce&quot;, Communications of the AIS , 4, 11, Nov. 2000. Boncella, R. (2003) SSL in The Internet Encyclopedia , Hossein Bidgoli (Editor), New York, New York, J. Wiley, 2003. Christensen, E., Curbera, F., Meredith, G., Weerawarana, S. (2001) &quot; Web Services Description Language (WSDL) 1.1&quot;, http://www.w3.org/TR/wsdl (current Feb. 22, 2004) Fielding, R., Gettys, J., Mogul, J.,. Frystyk, H., Masinter,. L.,. Leach, P., and Berners-Lee, T. (1999) &quot;Hypertext Transfer Protocol HTTP/1.1&quot;, http://www.ietf.org/rfc/rfc2616.txt (current Feb. 22, 2004). Eastlake, D., and Reagle , J (2001) &quot; XML Signature&quot;, http://www.w3.org/Signature/ (current Feb. 22, 2004)
  35. 35. Bibliography Ford, W., Hallam-Baker, P., Fox, B., Dillaway, B., LaMacchia, B., Epstein, J., Lapp, J., (2001) &quot; XML Key Management Specification (XKMS)&quot;, http://www.w3.org/TR/xkms/ (current Feb. 22, 2004) Gudgin, M., Hadley, M., Mendelsohn, N., Moreau, J., Nielsen H. F. (2003) &quot;SOAP Version 1.2 Part 1: Messaging Framework&quot;, http://www.w3.org/TR/soap/ (current Feb. 22, 2004) Kristol, D, and Montulli, L. (2000), &quot; HTTP State Management Mechanism&quot;, http://www.ietf.org/rfc/rfc2965.txt (current Feb. 22, 2004) OASIS (2001) (Organization for the Advancement of Structured Information Standards), &quot; Universal Description, Discovery and Integration&quot;, http://www.uddi.org/ (current Feb. 22, 2004) OASIS (2003), (Organization for the Advancement of Structured Information Standards), &quot; eXtensible Access Control Markup Language&quot;, http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml .(current Feb. 22, 2004) OASIS (2004), (Organization for the Advancement of Structured Information Standards), &quot; Security Assertion Markup Language (SAML)&quot;, http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security (current Feb. 22, 2004) Reagle , J. (2001) &quot; XML Encryption&quot;, http://www.w3.org/Encryption/2001/ (current Feb. 22, 2004) Thompson, H.S.,Beech, D., Maloney, M., Mendelsohn N. (2001) &quot; XML Schema Part 1: Structures&quot;, http://www.w3.org/TR/xmlschema-1/ (current Feb. 22, 2004) W3C (1996) ' Extensible Markup Language (XML)&quot;, http://www.w3.org/XML/ (current Feb. 22, 2004)