Web Services and Web Services Security, presented August 7, 2004 at AMCIS2004, New York, New York, by Dr. Robert J. Boncella, Washburn University - PowerPoint PPT Presentation


Transcript and Presenter's Notes

1
Web Services and Web Services Security
Presented August 7, 2004 at AMCIS2004, New York, New York
by Dr. Robert J. Boncella, Washburn University
2
Overview of Presentation
  • Concept of a Web Service (WS)
  • Required Technology for Web Services
  • Security Requirements for Web Services
  • Required Technology for Web Services Security
  • WS-Security
  • Web Services Threats and attacks

3
Concept of a Web Service
  • Web Service
      • self-contained modular application
      • that provides a computation upon request
  • Request via a Computer Network
      • Internet, Intranet, or Extranet
  • Computer Network Used To
      • Describe
      • Publish
      • Locate
      • Invoke (provide service)

4
Example of a Web Service
  • Function
      • Provide verification of a customer's shipping address (e.g. is the zip
        code correct?)
      • Provide the current price of a particular stock

5
Implications of Web Services Computing Paradigm
  • Interoperability
      • implied standardization
  • Substitutability of services
      • Services become commodities
      • Information Systems developed at least cost
      • competition to provide service
      • service providers responsible for providing QoS
  • Firm not required to provide service
      • not unusual
      • e.g. ship package via DHL, FedEx, UPS, or USPS

6
Acceptance of Web Services
  • Firm must trust service provider
  • Assurance of Web Services Security required
  • Overview of Web Services architecture required
    for understanding of Web Service Security

7
Web Services Architecture
Service Oriented Architecture (SOA)
8
Implementation of SOA
  • Required Components
      • Any Communication Protocol
          • TCP, HTTP, SMTP, Message Queuing (e.g. MSMQ)
      • SOAP 1.1 (Simple Object Access Protocol)
      • WSDL 1.1 (Web Services Description Language)
      • UDDI ver. 2.04 API (Universal Description, Discovery, and Integration)
      • XML 1.0
      • XML Schema Part 1: Structures
      • XML Schema Part 2: Datatypes

9
Component Details
  • SOAP 1.1
      • Simple Object Access Protocol is a message protocol that enables requests
        and responses to be sent in XML format between a client and a server.
      • SOAP defines an envelope that contains a header and a body. The SOAP body
        contains the payload; the header carries metadata about the message (with
        WS-Security, the security tokens and signatures described later). See
        http://www.w3.org/TR/soap/ for more details.
  • WSDL 1.1
      • Web Services Description Language is a specification that details how to
        describe a web service. A WSDL document for a service is an XML document
        that contains the information a programmer needs in order to contract for
        that service. See http://www.w3.org/TR/wsdl for more details.

10
Component Details
  • UDDI ver. 2.04 API
      • Universal Description, Discovery, and Integration is a specification of the
        registry that lists web services that are of interest to a service
        requestor entity. It uses taxonomies that categorize web services in a
        way meaningful to clients. See http://www.uddi.org/ for more details.

11
Component Details
  • XML 1.0
      • XML is a tag-oriented language whose tags can be user defined and are
        used to describe the data contained in the document. See
        http://www.w3.org/XML/ for more details.
  • XML Schema Part 1: Structures
      • XML Schema Structures can be used to define, describe and catalogue XML
        vocabularies for classes of XML documents. See
        http://www.w3.org/TR/xmlschema-1/ for more details.
  • XML Schema Part 2: Datatypes
      • XML Schema Datatypes can be used to define datatypes in XML vocabularies
        and documents. See http://www.w3.org/TR/xmlschema-2/ for more details.

12
An Example
1) IT department B creates service X - an SOA Publish()
2) IT department A is creating information system Y and needs service X - an
   SOA Find()
3) IT department A uses the URL posted in the public registry to download a copy
   of the WSDL specification for service X
4) IT department A invokes service X as described by its WSDL - an SOA Bind()
13
Web Services Security
14
Information Security Requirements
  • Confidentiality
      • assures user privacy and prevents disclosure of information both in
        transit and in storage.
  • Integrity
      • assures that information either in transit or in storage was not modified.
  • Nonrepudiation
      • assures that the sender of a message cannot legitimately claim they did
        not send the message.
  • Authentication
      • assures that the sender and receiver are who they claim to be.
  • Authorization
      • assures that an authenticated entity can access only those information
        resources it needs in order to request or provide a service.
  • Availability
      • assures that uninterrupted service is provided to authenticated and
        authorized users.

15
Information Security
  • Information security requirements conventionally assured by
      • SSL (Secure Sockets Layer)
      • PKI (Public Key Infrastructure)
      • Firewalls
  • Restricted to conventional web traffic using
      • HTTPS, FTPS, et al.
  • SSL inadequate for Web Services Security
  • Firewalls inadequate for Web Services Security

16
SSL and Web Services Security
  • The SOA example shows the need for persistent security
  • Persistent Security
      • requires that the security of the SOAP request/response message be
        assured over more than one client/server connection, i.e. across
        intermediaries
  • SSL does not
      • provide end-to-end security: it protects one connection at a time, and
        the message is in the clear at every intermediary
      • assure integrity beyond a single connection: an intermediary can alter
        the message before forwarding it over a new SSL connection
      • generally use more than one-way authentication: the server is
        authenticated, the client usually is not
      • leave an end-to-end audit trail

17
Firewalls and Web Services Security
  • SOAP passes through conventional firewalls unexamined
  • Firewalls function at
      • Network layer - packet filtering on IP address and/or port
      • Transport layer - a circuit-level gateway uses the TCP handshake to
        determine a session's legitimacy
      • Application layer - filters on the basis of the application protocol
        being requested, e.g. HTTP/SSL and POP/SMTP may be allowed, others
        refused
  • SOAP messages are usually bound to HTTP or SMTP, which the firewall already
    allows, so the SOAP payload itself is never inspected

18
Firewalls and Web Services Security
  • A SOAP-level firewall should
      • determine if the incoming SOAP request is intended for an available
        (advertised) Web Service
      • determine if the SOAP request is valid
          • does the SOAP message contain valid data
          • of the expected type and size
  • i.e. a Content Filtering Firewall
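
The checks listed on this slide, as an added example that is not part of the original presentation: a small Python gateway filter that refuses to forward a request unless the envelope is well-formed SOAP 1.1, the Body names an advertised operation, and each argument matches the type pattern and size limit that the service's WSDL and schema would specify. The service namespace http://example.com/shipping, the operation table, and the sample messages are constructed for this example; the size, nesting-depth and DOCTYPE limits are the kind of pre-parse checks a content-filtering firewall applies before attacker-controlled XML reaches the service.

```python
import re
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 envelope namespace
SVC_NS = "http://example.com/shipping"                  # hypothetical service namespace

# Stand-in for what the gateway would derive from the service's WSDL and schema:
# the advertised operations and, per child element, a permitted pattern (type)
# and a maximum length (size). Constructed for this example.
ADVERTISED = {
    "VerifyAddress": {
        "zip": (r"\d{5}(-\d{4})?", 10),
        "street": (r"[A-Za-z0-9 .,'-]+", 100),
    },
    "GetStockPrice": {"symbol": (r"[A-Z]{1,8}", 8)},
}

MAX_MESSAGE_BYTES = 8 * 1024  # refuse oversized envelopes before parsing
MAX_DEPTH = 8                 # refuse deeply nested XML


class SoapReject(Exception):
    """Raised with the reason the gateway refuses to forward a message."""


def _split_tag(tag: str):
    """'{ns}local' -> ('ns', 'local'); unqualified tags get an empty namespace."""
    if tag.startswith("{"):
        ns, _, local = tag[1:].partition("}")
        return ns, local
    return "", tag


def _check_depth(elem, depth=1):
    if depth > MAX_DEPTH:
        raise SoapReject("nesting too deep")
    for child in elem:
        _check_depth(child, depth + 1)


def inspect_soap_request(raw: bytes) -> str:
    """Return the operation name if the request may be forwarded, else raise SoapReject."""
    if len(raw) > MAX_MESSAGE_BYTES:
        raise SoapReject("message too large")
    if b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:
        raise SoapReject("DTD and entity declarations not allowed")  # crude pre-parse check
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        raise SoapReject(f"not well-formed XML: {exc}")
    if root.tag != f"{{{SOAP_ENV}}}Envelope":
        raise SoapReject("not a SOAP 1.1 envelope")
    _check_depth(root)

    body = root.find(f"{{{SOAP_ENV}}}Body")
    if body is None or len(body) != 1:
        raise SoapReject("Body must contain exactly one operation element")
    op_ns, op_name = _split_tag(body[0].tag)
    if op_ns != SVC_NS or op_name not in ADVERTISED:
        raise SoapReject(f"operation not advertised: {op_name}")

    schema = ADVERTISED[op_name]
    for child in body[0]:
        _, name = _split_tag(child.tag)
        if name not in schema:
            raise SoapReject(f"unexpected element {name} in {op_name}")
        if len(child):
            raise SoapReject(f"{name} must be simple content")
        pattern, max_len = schema[name]
        text = (child.text or "").strip()
        if len(text) > max_len:
            raise SoapReject(f"{name} exceeds {max_len} characters")
        if not re.fullmatch(pattern, text):
            raise SoapReject(f"{name} has invalid content")
    return op_name


def verdict(raw: bytes) -> str:
    """Convenience wrapper returning 'ACCEPT <op>' or 'REJECT <reason>'."""
    try:
        return "ACCEPT " + inspect_soap_request(raw)
    except SoapReject as exc:
        return "REJECT " + str(exc)


# Constructed sample messages (not from the original slides).
GOOD_REQUEST = b"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <VerifyAddress xmlns="http://example.com/shipping">
      <zip>66621</zip>
      <street>1 Main St</street>
    </VerifyAddress>
  </soap:Body>
</soap:Envelope>"""
UNADVERTISED_REQUEST = GOOD_REQUEST.replace(b"VerifyAddress", b"AdminReset")
BAD_ZIP_REQUEST = GOOD_REQUEST.replace(b"<zip>66621</zip>", b"<zip>6662A; rm -rf /</zip>")

if __name__ == "__main__":
    for msg in (GOOD_REQUEST, UNADVERTISED_REQUEST, BAD_ZIP_REQUEST):
        print(verdict(msg))
```

Running the block prints one verdict per sample: the first request is accepted, the second is rejected because AdminReset is not an advertised operation, and the third is rejected on the zip element. The operation table is the point of the design: a gateway that only knows "HTTP to port 80 is allowed" cannot make any of these decisions, whereas one that knows the WSDL can reject the unadvertised request before the service ever sees it.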

19
Web Services Security Requirements
  • Same as Information Security Requirements
  • Assured by means other than SSL and firewalls
  • Requirement of persistent security
      • SOAP messages require inclusion of security data

20
Web Services Security Technology
  • Confidentiality for Web Services
      • XML Encryption is used to assure confidentiality in the case of a
        security context that ranges beyond a simple HTTP/SSL connection:
        selected elements of the SOAP message are encrypted so that
        intermediaries cannot read them
      • See http://www.w3.org/Encryption/2001/ for detailed information
  • Integrity for Web Services
      • XML Signature is the XML syntax for digital signatures
      • Used to digitally sign selected portions of an XML document
      • Used to sign data and thereby assure its integrity
      • See http://www.w3.org/Signature/ for detailed information

21
Web Services Security Technology
  • Authentication and Authorization for Web Services
      • Single Sign On (SSO) process
          • If the user is authenticated by the initial web service provider,
            the user is automatically authenticated on all subsequent web
            service providers.
      • Two approaches to SSO
          • 1) Include authentication information for each web service in the
            initial SOAP message
          • 2) Maintain a user's authentication list in a central repository

22
Web Services Security Technology
  • Two approaches to SSO
      • 1) Include authentication information for each web service in the
        initial SOAP message
          • Security Assertion Markup Language (SAML) and eXtensible Access
            Control Markup Language (XACML) work together to implement the
            first approach: SAML carries the authentication and attribute
            assertions, XACML expresses the access-control policy evaluated
            against them
          • For detailed information about SAML see
            http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security
          • and for XACML see
            http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml
      • 2) Maintain a user's authentication list in a central repository
          • Microsoft's Passport scheme and the Liberty Alliance Project (led
            by Sun) use the centralized repository approach to user
            authentication

23
Web Services Security Technology
  • Nonrepudiation - PKI for Web Services
      • XML Key Management Specification (XKMS) provides PKI services
        (registering, locating, and validating keys) through XML.
      • See http://www.w3.org/TR/xkms/ for detailed information

24
WS-Security
  • Specification to extend SOAP
  • Web Services Security Language
  • WS-Security Provides
      • Multiple Security Tokens
          • for authentication and authorization
      • Multiple Trust Domains
      • Multiple Signature Formats
      • Multiple Encryption Technologies
      • End-to-end message-level security
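
Slides 16, 20 and 24 make one point together: SSL protects a single hop, while a signature carried inside the SOAP message survives intermediaries and is checked by the final recipient. The following Python example is added here and is not part of the original presentation. It signs the SOAP Body, places the ds:Signature inside a wsse:Security header as WS-Security prescribes, and then shows an intermediary adding an unsigned routing header (the signature still verifies) and an intermediary altering the Body (the signature fails). The wsse, wsu and XML-DSig namespaces are the real ones; the service namespace, the routing header, the sample message and the key are constructed. HMAC-SHA256 with a shared key stands in for the X.509/RSA signature a real deployment would use, and Python's C14N 2.0 canonicalizer (xml.etree.ElementTree.canonicalize, Python 3.8+) stands in for the canonicalization algorithm a WS-Security stack would negotiate.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
SHIP = "http://example.com/shipping"  # hypothetical service namespace (constructed)
for prefix, uri in (("soap", SOAP), ("wsse", WSSE), ("wsu", WSU), ("ds", DS), ("ship", SHIP)):
    ET.register_namespace(prefix, uri)

# Algorithm identifiers placed in SignedInfo. HMAC-SHA256 with a shared key stands in
# for the RSA/X.509 signature a real deployment would use; the message layout is the same.
C14N_ALG = "http://www.w3.org/2010/10/xml-c14n2"
SIG_ALG = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"
DIGEST_ALG = "http://www.w3.org/2001/04/xmlenc#sha256"


def _c14n(elem) -> bytes:
    """Canonical bytes of a subtree, so re-serialization by a hop does not break the digest."""
    xml = ET.tostring(elem, encoding="unicode")
    return ET.canonicalize(xml_data=xml, strip_text=True, rewrite_prefixes=True).encode()


def _b64_sha256(data: bytes) -> str:
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


def sign_body(envelope: bytes, key: bytes) -> bytes:
    """Add a wsse:Security header carrying a ds:Signature over the SOAP Body."""
    root = ET.fromstring(envelope)
    body = root.find(f"{{{SOAP}}}Body")
    body.set(f"{{{WSU}}}Id", "Body")  # the Reference URI below points at this Id
    header = root.find(f"{{{SOAP}}}Header")
    if header is None:
        header = ET.Element(f"{{{SOAP}}}Header")
        root.insert(0, header)
    security = ET.SubElement(header, f"{{{WSSE}}}Security")
    sig = ET.SubElement(security, f"{{{DS}}}Signature")
    signed_info = ET.SubElement(sig, f"{{{DS}}}SignedInfo")
    ET.SubElement(signed_info, f"{{{DS}}}CanonicalizationMethod", Algorithm=C14N_ALG)
    ET.SubElement(signed_info, f"{{{DS}}}SignatureMethod", Algorithm=SIG_ALG)
    ref = ET.SubElement(signed_info, f"{{{DS}}}Reference", URI="#Body")
    ET.SubElement(ref, f"{{{DS}}}DigestMethod", Algorithm=DIGEST_ALG)
    ET.SubElement(ref, f"{{{DS}}}DigestValue").text = _b64_sha256(_c14n(body))
    mac = hmac.new(key, _c14n(signed_info), hashlib.sha256).digest()
    ET.SubElement(sig, f"{{{DS}}}SignatureValue").text = base64.b64encode(mac).decode()
    return ET.tostring(root)


def verify_body(envelope: bytes, key: bytes) -> bool:
    """True only if an intact signature covers the Body element the service will process."""
    root = ET.fromstring(envelope)
    sig = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security/{{{DS}}}Signature")
    signed_info = sig.find(f"{{{DS}}}SignedInfo") if sig is not None else None
    ref = signed_info.find(f"{{{DS}}}Reference") if signed_info is not None else None
    if ref is None:
        return False
    target_id = ref.get("URI", "")[1:]
    target = next((e for e in root.iter() if e.get(f"{{{WSU}}}Id") == target_id), None)
    if target is None or target.tag != f"{{{SOAP}}}Body":
        return False  # what is signed must be what runs, not some other element
    if not hmac.compare_digest(_b64_sha256(_c14n(target)), ref.findtext(f"{{{DS}}}DigestValue") or ""):
        return False
    expected = hmac.new(key, _c14n(signed_info), hashlib.sha256).digest()
    actual = base64.b64decode(sig.findtext(f"{{{DS}}}SignatureValue") or "")
    return hmac.compare_digest(expected, actual)


def intermediary_add_header(envelope: bytes, hop: str) -> bytes:
    """A routing hop appends an unsigned header; the Body signature must survive this."""
    root = ET.fromstring(envelope)
    ET.SubElement(root.find(f"{{{SOAP}}}Header"), "{http://example.com/routing}Via").text = hop
    return ET.tostring(root)


def intermediary_tamper_body(envelope: bytes, new_zip: str) -> bytes:
    """A compromised hop edits the payload; per-hop SSL would not detect this."""
    root = ET.fromstring(envelope)
    root.find(f".//{{{SHIP}}}zip").text = new_zip
    return ET.tostring(root)


# Constructed sample request and shared key (not taken from the slides).
REQUEST = b"""<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <VerifyAddress xmlns="http://example.com/shipping"><zip>66621</zip></VerifyAddress>
  </soap:Body>
</soap:Envelope>"""
KEY = b"shared-secret-for-the-example"


def demo() -> dict:
    signed = sign_body(REQUEST, KEY)
    return {
        "untouched": verify_body(signed, KEY),
        "after_routing_header": verify_body(intermediary_add_header(signed, "gateway-1"), KEY),
        "after_tamper": verify_body(intermediary_tamper_body(signed, "99999"), KEY),
        "wrong_key": verify_body(signed, b"not-the-key"),
    }


if __name__ == "__main__":
    print(demo())
```

Running the block prints the four verification results. Two design points carry over to real WS-Security deployments: the signature is computed over a canonical form, because every hop may re-serialize the XML (different prefixes, whitespace, attribute order) without changing its meaning; and verify_body insists that the element the Reference points at is the Body itself, so that the part of the message the service acts on is the part the signature covers.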

25
Web Services Security Specifications
IBM/Microsoft Architecture (Proposed April, 2002)
26
Web Services Security Specifications
  • WS-Security Specification
      • describes how to attach signature and encryption headers to SOAP messages
      • describes how to attach security tokens to messages, e.g.
          • X.509 Certificates
          • Kerberos Tickets

27
Web Services Security Specifications
  • WS-Policy
      • will describe the capabilities and constraints of the security policies
        on intermediaries and endpoints
      • specifies the required security tokens, supported encryption algorithms,
        privacy rules
      • this information will be in the WSDL document for a service
  • WS-Trust
      • will describe a framework for trust models that enables Web services to
        securely interoperate
  • WS-Privacy
      • will describe a model for how Web services and requesters state privacy
        preferences and organizational privacy practice statements

28
Web Services Security Specifications
  • WS-SecureConversation
      • will describe how to manage and authenticate message exchanges between
        parties, including security context exchange and establishing and
        deriving session keys
  • WS-Federation
      • will describe how to manage and broker the trust relationships in a
        heterogeneous federated environment, including support for federated
        identities
  • WS-Authorization
      • will describe how to manage authorization data and authorization policies

29
Status of IBM/Microsoft Architecture
  • Web Services Security
      • Kerberos Binding
          • published as a public specification on 19 December 2003
      • SOAP Message Security
          • published as an OASIS Standard in March of 2004
      • UsernameToken Profile 1.0
          • published as an OASIS Standard in March of 2004
      • X.509 Certificate Token Profile
          • published as an OASIS Standard in March of 2004
  • OASIS
      • Organization for the Advancement of Structured Information Standards

30
Status of IBM/Microsoft Architecture
  • WS-Trust
      • published as a public specification on 24 May 2004
  • WS-SecureConversation
      • published as a public specification on 24 May 2004
  • WS-SecurityPolicy
      • published as a public specification on 18 December 2002
  • WS-Federation
      • published as a public specification on 8 July 2003

31
Web Services Security Threats
  • Attacks on the application or the computing system that provides the Web
    Service
      • threat to availability (e.g. messages whose size or structure exhausts
        the service)
      • a SOAP message containing malicious data that would cause the web
        service application to execute in an unintended way
      • a SOAP message could request an operation that the site provides but
        does not advertise
  • SOAP messages easily pass through conventional firewalls
      • firewalls are needed that filter the content of SOAP messages requesting
        passage through the firewall

32
Summary
The purpose of this tutorial was to provide a foundation for an understanding
of the need for, and techniques of, web services security. An overview of the
architecture of WS-Security and its status was presented as well, together with
an overview of web services, their architecture and their components.
33
  • Slides
      • http://www.washburn.edu/cas/cis/boncella
  • E-mail
      • bob.boncella@washburn.edu

34
Bibliography
Albrecht, C. (2004) "How Clean Is the Future of SOAP?", Communications of the ACM, 47, 2, Feb. 2004.
Atkinson, B., Della-Libera, G., Hada, S., Hondo, M., Hallam-Baker, P., Klein, J., LaMacchia, B., Leach, P., Manferdelli, J., Maruyama, H., Nadalin, A., Nagaratnam, N., Prafullchandra, H., Shewchuk, J., Simon, D. (2002) "Web Services Security (WS-Security)", http://www-106.ibm.com/developerworks/webservices/library/ws-secure/ (current Feb. 22, 2004)
Biron, P.V. and Malhotra, A. (2001) "XML Schema Part 2: Datatypes", http://www.w3.org/TR/xmlschema-2/ (current Feb. 22, 2004)
Boncella, R. (2000) "Web Security for E-Commerce", Communications of the AIS, 4, 11, Nov. 2000.
Boncella, R. (2003) "SSL", in The Internet Encyclopedia, Hossein Bidgoli (Editor), New York, New York, J. Wiley, 2003.
Christensen, E., Curbera, F., Meredith, G., Weerawarana, S. (2001) "Web Services Description Language (WSDL) 1.1", http://www.w3.org/TR/wsdl (current Feb. 22, 2004)
Fielding, R., Gettys, J., Mogul, J., Frystyk, H., Masinter, L., Leach, P., and Berners-Lee, T. (1999) "Hypertext Transfer Protocol -- HTTP/1.1", http://www.ietf.org/rfc/rfc2616.txt (current Feb. 22, 2004)
Eastlake, D., and Reagle, J. (2001) "XML Signature", http://www.w3.org/Signature/ (current Feb. 22, 2004)
35
Bibliography
Ford, W., Hallam-Baker, P., Fox, B., Dillaway, B., LaMacchia, B., Epstein, J., Lapp, J. (2001) "XML Key Management Specification (XKMS)", http://www.w3.org/TR/xkms/ (current Feb. 22, 2004)
Gudgin, M., Hadley, M., Mendelsohn, N., Moreau, J., Nielsen, H. F. (2003) "SOAP Version 1.2 Part 1: Messaging Framework", http://www.w3.org/TR/soap/ (current Feb. 22, 2004)
Kristol, D., and Montulli, L. (2000) "HTTP State Management Mechanism", http://www.ietf.org/rfc/rfc2965.txt (current Feb. 22, 2004)
OASIS (Organization for the Advancement of Structured Information Standards) (2001) "Universal Description, Discovery and Integration", http://www.uddi.org/ (current Feb. 22, 2004)
OASIS (Organization for the Advancement of Structured Information Standards) (2003) "eXtensible Access Control Markup Language", http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml (current Feb. 22, 2004)
OASIS (Organization for the Advancement of Structured Information Standards) (2004) "Security Assertion Markup Language (SAML)", http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security (current Feb. 22, 2004)
Reagle, J. (2001) "XML Encryption", http://www.w3.org/Encryption/2001/ (current Feb. 22, 2004)
Thompson, H.S., Beech, D., Maloney, M., Mendelsohn, N. (2001) "XML Schema Part 1: Structures", http://www.w3.org/TR/xmlschema-1/ (current Feb. 22, 2004)
W3C (1996) "Extensible Markup Language (XML)", http://www.w3.org/XML/ (current Feb. 22, 2004)