Title: Web%20Services%20and%20Web%20Services%20Security%20Presented%20August%207,%202004%20at%20AMCIS2004%20New%20York,%20New%20York%20by%20Dr.%20Robert%20J.%20Boncella%20Washburn%20University
1Web Servicesand Web Services SecurityPresented
August 7, 2004 atAMCIS2004New York, New
YorkbyDr. Robert J. BoncellaWashburn University
2Overview of Presentation
- Concept of a Web Service (WS)
- Required Technology for Web Services
- Security Requirements for Web Services
- Require Technology for Web Services Security
- WS-Security
- Web Services Threats and attacks
3Concept of a Web Service
- Web Service
- self-contained modular application
- that provides a computation upon request
- Request via a Computer Network
- Internet, Intranet, or Extranet
- Computer Network Used To
- Describe
- Publish
- Locate
- Invoke (provide service)
4Example of a Web Service
- Function
- Provide verification of a customers shipping
address (e.g. Is zip code correct?) - Current price of a particular stock
5Implications of Web Services Computing Paradigm
- Interoperability
- implied standardization
- Substitutability of services
- Services become commodities
- Information Systems developed with least cost
- competition to provide service
- service providers responsible to provide QOS
- Firm not required to provide service
- not unusual
- e.g. ship package via DHL, FedEx, UPS, or USPS
6Acceptance of Web Services
- Firm must trust service provider
- Assurance of Web Services Security required
- Overview of Web Services architecture required
for understanding of Web Service Security
7Web Services Architecture
Service Oriented Architecture (SOA)
8Implementation of SOA
- Required Components
- Any Communication Protocol
- TCP, HTTP, SMTP, Message Queuing (e.g.MSMQ)
- SOAP 1.1 (Simple Object Access Protocol )
- WSDL 1.1 (Web Services Description Language )
- UDDI ver. 2.04 API (Universal Description,
Discovery, and Integration ) - XML 1.0
- XML Schema Part 1 Structures
- XML Schema Part 2 Datatypes
9Component Details
- SOAP 1.1
- Simple Object Access Protocol is a message
protocol that enables requests and responses to
be sent in XML format from client to a server. - SOAP defines an envelope that contains a header
and a body. The SOAP body contains the payload.
See http//www.w3.org/TR/soap/ for more details. - WSDL 1.1
- Web Services Description Language is a
specification that details how to describe a web
service. A WSDL document for a service is an XML
document that contains information a programmer
needs in order to contract for that service. See
http//www.w3.org/TR/wsdl for more details.
10Component Details
- UDDI ver. 2.04 API
- Universal Description, Discovery, and Integration
is a specification of the registry that lists web
services that are of interest to a service
requestor entity. It uses taxonomies that
categorize web services in a way meaningful to
clients. See http//www.uddi.org/ for more
details.
11Component Details
- XML 1.0
- XML is a tag-oriented language whose tags can be
user defined and are used to describe the data
contained in the document. See
http//www.w3.org/XML/ for more details. - XML Schema Part 1 Structures
- XML Schema Structures can be used to define,
describe and catalogue XML vocabularies for
classes of XML documents. See http//www.w3.org/T
R/xmlschema-1/ for more details. - XML Schema Part 2 Datatypes
- XML Schema Datatypes can be used to define
datatypes in XML vocabularies and documents.
See http//www.w3.org/TR/xmlschema-2/ for more
details.
12An Example
4) An SOA Bind()
2) IT department A is creating information system
Y and needs service X - An SOA Find()
1) IT department B creates service X -An SOA
Publish()
3) IT department A uses the URL posted in the
public registry to download a copy of the WSDL
specification for service X
13Web Services Security
14Information Security Requirements
- Confidentiality
- assures user privacy and prevents the theft of
information both in transit and stored. - Integrity
- assures that information either in transit or in
storage was not modified, - Nonrepudiation
- assures that the sender of a message cannot
legitimately claim they did not send the message.
- Authentication
- assures that the sender and receiver are who the
claim to be. - Authorization
- assures that an authentication entity can access
only those information resources they are
required to have either to request or provide a
service. - Availability
- assures that uninterrupted service is provided to
authenticated and authorized users.
15Information Security
- Information security requirements assured by
- SSL (Secure Sockets Layer)
- PKI (Public Key Infrastructure)
- Firewalls
- Restricted to conventional web traffic using
- HTTPS, FTPS, et. al.
- SSL inadequate for Web Services Security
- Firewalls inadequate for Web Services Security
16SSL Web Services Security
- Example shows need for persistent security
- Persistent Security
- requires the security of the SOAP
request/response message be assured over more
than one client/server connection - SSL does not
- Provide end-to-end security
- Assure Integrity
- Generally, only uses one-way authentication
- No end-to-end audit trail
17Firewalls Web Services Security
- SOAP bypasses firewalls
- Firewalls function at
- Layer 3 - packet filtering on IP and/or port
- Layer 4 - circuit-level uses TCP handshaking to
determine a sessions legitimacy - Application layer - filters on basis of
application being requested e.g. HTTP/SSL
POP/SMTP maybe allowed others refused - SOAP messages often bound to HTTP or SMTP
18Firewalls Web Services Security
- A SOAP level firewall should
- determine if the incoming SOAP request is
intended for a available Web Service - determine if the SOAP request is valid
- does the SOAP message contain valid data
- type and size
- Content Filtering Firewall
19Web Services Security Requirements
- Same as Information Security Requirements
- Assured by means other than SSL and firewalls
- Requirement of persistent security
- SOAP messages require inclusion of security data
20Web Services Security Technology
- Confidentiality for Web Services
- XML Encryption is used to assure confidentiality
in the case of a security context that ranges
beyond a simple HTTP/SSL connection - See http//www.w3.org/Encryption/2001/ for
detailed information. - Integrity for Web Services
- An XML signature is the XML equivalent of a
digital signature - Used digitally sign selected portions of an XML
document - Used to sign data and thereby assure its
integrity - See http//www.w3.org/Signature/ for detailed
information
21Web Services Security Technology
- Authentication and Authorization Web Services
- Single Sign On (SSO) process
- If user is authenticated by initial web service
provider user is automatically authenticated on
all subsequent web service providers. - Two approaches to SSO
- 1) Include authentication information for each
web service in the initial SOAP message - 2) Maintain a user's authentication list in a
central repository
22Web Services Security Technology
- Two approaches to SSO
- 1) Include authentication information for each
web service in the initial SOAP message - Security Assertions Markup Language (SAML) and
XML Access Control Markup Language (XACML) work
together to implement the first approach - For detailed information about SAML see
- http//www.oasis-open.org/committees/tc_home.php?w
g_abbrevsecurity - and for XACML see
- http//www.oasis-open.org/committees/tc_home.php?w
g_abbrevxacml. - 2) Maintain a user's authentication list in a
central repository - Microsoft's Passport scheme and Sun's Liberty
Alliance Project use the centralized repository
approach to user authentication
23Web Services Security Technology
- Nonrepudiation - PKI for Web Services
- XML Key Management specification (XKMS) provides
PKI services (registering, locating, and
validating keys) through XML. - See http//www.w3.org/TR/xkms/ for detailed
information
24WS-Security
- Specification to extend SOAP
- Web Services Security Language
- WS-Security
- WS-Security Provides
- Multiple Security Tokens
- for authentication authorization
- Multiple Trust Domains
- Multiple Signature Formats
- Multiple Encryption Technologies
- End to end message-level security
25Web Services Security SpecificationsIBM/Microsoft
Architecture(Proposed April, 2002)
26Web Services Security Specifications
- WS-Security Specification
- describes how to attach signature and encryption
headers to SOAP messages - describes how to attach security tokens to
messages - X.509 Certificates
- Kerberos Tickets.
27Web Services Security Specifications
- WS-Policy
- will describe the capabilities and constraints of
the security policies on intermediaries and
endpoints - specifies the required security tokens, supported
encryption algorithms, privacy rules - this information will be in the WSDL document for
a service - WS-Trust
- will describe a framework for trust models that
enables Web services to securely interoperate - WS-Privacy
- will describe a model for how Web services and
requesters state privacy preferences and
organizational privacy practice statements.
28Web Services Security Specifications
- WS-SecureConversation
- will describe how to manage and authenticate
message exchanges between parties including
security context exchange and establishing and
deriving session keys. - WS-Federation
- will describe how to manage and broker the trust
relationships in a heterogeneous federated
environment including support for federated
identities. - WS-Authorization
- will describe how to manage authorization data
and authorization policies
29Status of IBM/Microsoft Architecture
- Web Services Security
- Kerberos Binding -
- published as a public specification on 19
December 2003. - SOAP Message Security
- published as an OASIS Standard in March of 2004.
- UsernameToken Profile 1.0
- published as an OASIS Standard in March of 2004.
- X.509 Certificate Token Profile
- published as an OASIS Standard in March of 2004.
- OASIS -
- Organization for the Advancement of Structured
Information
30Status of IBM/Microsoft Architecture
- WS-Trust
- published as a public specification on 24 May
2004. - WS-SecureConversation
- was published as a public specification on 24 May
2004. - WS-SecurityPolicy
- was published as a public specification on 18
December 2002. - WS-Federation
- published as public specifications on 8 July 2003
31Web Services Security Threats
- Attacks on the application or the computing
system that provides the Web Service - threat to availability
- A SOAP message containing malicious data that
would cause the web service application to
execute in an unintended mode - The SOAP message could contain a request for a
service that is not advertised on that site is
provided - SOAP messages easily pass through firewalls
- Needed firewalls that filter the content of SOAP
messages requesting passage through the firewall
32Summary
The purpose of this tutorial was to provide a
foundation for an understanding of the need for
and techniques of web services security. An
overview of the architecture of WS-Security an
its status was presented as well. An overview of
web services - its architecture and its
components was included as well.
33- Slides
- http//www.washburn.edu/cas/cis/boncella
- E-mail
- bob.boncella_at_washburn.edu
34Bibliography
Albrecht, C. (2004) How Clean Is the Future of
SOAP?, Communication of the ACM, 47,2,Feb.
2004. Atkinson, B., Della-Libera, G., Hada, S.,
Hondo, M., Hallam-Baker, P., Klein, J.,
LaMacchia, B., Leach, P., Manferdelli, J.,
Maruyama, H., Nadalin, A., Nagaratnam, N.,
Prafullchandra, H., Shewchuk, J., Simon, D.
(2002) "Web Services Security (WS-Security)",
http//www-106.ibm.com/developerworks/webservices/
library/ws-secure/ (current Feb. 22,
2004) Biron, P.V. and Malhotra, A. (2001) "XML
Schema Part 2 Datatypes" http//www.w3.org/TR/xml
schema-2/ (current Feb. 22, 2004) Boncella, R.
(2000) "Web Security for E-Commerce",
Communications of the AIS, 4, 11, Nov.
2000. Boncella, R. (2003) SSL in The Internet
Encyclopedia, Hossein Bidgoli (Editor), New York,
New York, J. Wiley, 2003. Christensen, E.,
Curbera, F., Meredith, G., Weerawarana, S. (2001)
" Web Services Description Language (WSDL) 1.1",
http//www.w3.org/TR/wsdl (current Feb. 22,
2004) Fielding, R., Gettys, J., Mogul, J.,.
Frystyk, H., Masinter,. L.,. Leach, P., and
Berners-Lee, T. (1999) "Hypertext Transfer
Protocol HTTP/1.1", http//www.ietf.org/rfc/rfc261
6.txt (current Feb. 22, 2004). Eastlake, D., and
Reagle, J (2001) " XML Signature",
http//www.w3.org/Signature/ (current Feb. 22,
2004)
35Bibliography
Ford, W., Hallam-Baker, P., Fox, B., Dillaway,
B., LaMacchia, B., Epstein, J., Lapp, J., (2001)
" XML Key Management Specification (XKMS)",
http//www.w3.org/TR/xkms/ (current Feb. 22,
2004) Gudgin, M., Hadley, M., Mendelsohn, N.,
Moreau, J., Nielsen H. F. (2003) "SOAP Version
1.2 Part 1 Messaging Framework",
http//www.w3.org/TR/soap/ (current Feb. 22,
2004) Kristol, D, and Montulli, L. (2000), "
HTTP State Management Mechanism",
http//www.ietf.org/rfc/rfc2965.txt (current
Feb. 22, 2004) OASIS (2001) (Organization for
the Advancement of Structured Information
Standards), " Universal Description, Discovery
and Integration", http//www.uddi.org/ (current
Feb. 22, 2004) OASIS (2003), (Organization for
the Advancement of Structured Information
Standards), " eXtensible Access Control Markup
Language", http//www.oasis-open.org/committees/tc
_home.php?wg_abbrevxacml.(current Feb. 22,
2004) OASIS (2004), (Organization for the
Advancement of Structured Information Standards),
"Security Assertion Markup Language (SAML)",
http//www.oasis-open.org/committees/tc_home.php?w
g_abbrevsecurity (current Feb. 22,
2004) Reagle, J. (2001) " XML Encryption",
http//www.w3.org/Encryption/2001/ (current Feb.
22, 2004) Thompson, H.S.,Beech, D., Maloney, M.,
Mendelsohn N. (2001) " XML Schema Part 1
Structures", http//www.w3.org/TR/xmlschema-1/
(current Feb. 22, 2004) W3C (1996) ' Extensible
Markup Language (XML)", http//www.w3.org/XML/
(current Feb. 22, 2004)