Gap Assessment of the Top Web Service Specifications Managing the Security of Web Services - PowerPoint PPT Presentation

1 / 49
About This Presentation
Title:

Gap Assessment of the Top Web Service Specifications Managing the Security of Web Services

Description:

Does not define any technology or approaches for Authentication. ... at the same time, in order for higher security, Not a stand-alone application: ... – PowerPoint PPT presentation

Number of Views:251
Avg rating:3.0/5.0
Slides: 50
Provided by: Cris360
Category:

less

Transcript and Presenter's Notes

Title: Gap Assessment of the Top Web Service Specifications Managing the Security of Web Services


1
Gap Assessment of the Top Web Service
SpecificationsManaging the Security of Web
Services
  • Cristina Fhied
  • SE690 Final Presentation
  • Advisor Xiaoping Jia, Luigi Guadagno

2
Outline
  • 1. Project Goal
  • 2. Overview of Web Services introduction
  • 3. Security Enterprise Requirements
  • 4. Security Specifications
  • Comparison Overview (how do they map req.)
  • Drawbacks and Benefits of each
  • Model
  • 5. Current Enterprise State Survey
  • 6. Conclusion and Recommendations
  • 7. Potential Future Work

3
Project Goal
  • Research available web service specifications.
  • Conduct an enterprise state survey exploring
    problems and experiences facing network
    professionals.
  • Research the Enterprise communication and
    architecture requirements for a secure Web
    Services.
  • Prepare gap assessment tables mapping the
    communication and network enterprise req. against
    the researched available security specifications.
  • Prepare a model showing the interpolation of
    Ws-Security specification with the interaction
    of the researched available web service
    specifications.

4
What are Web Services?
  • Software pieces that interact with
  • each other using internet standards
  • to create an application in response
  • to requests that conform to agreed-upon
    formats. Infravio, 2003

5
What Are the Characteristics
  • A web service is accessible over the internet.
  • Provides an interface that can be called from one
    application to another.
  • Interface can be called from any type of
    application client or service.
  • Acts as a liaison between the web and the
    application logic that implements the service.

6
How Does a Web Service Communicate?
  • Uses XML on top of HTTP
  • XML is a widely accepted format for exchanging
    data and its semantics
  • The Web service STACK consists of
  • XML (eXtensible Markup Language)
  • SOAP (Simple Object Access Protocol)
  • WSDL (Web Services Definition Language)
  • UDDI (Universal Discovery Description Language)

7
Web Services Stack
Returns the WSDL reference used to bind to web
service
UDDI
Specifies how to connect to a web service
WSDL
Better describes the data being sent
SOAP
XML
Acts as the envelope for XML messages
HTTP (SMTP, FTP, other)
Transport layer
8
What About Current Web Security?
  • To date much of web security is built around
    encryption through secure socket layers (SSL)
    using simple object access protocol (SOAP).
  • Not enough to protect supply-chain operations and
    other business to business transactions because
    SOAP is based on XML.
  • One way transmission, easy to steal and resend
    messages.

9
Enterprise Requirements
  • Network
  • Communication

10
Communication based Enterprise Security
Requirements
  • Authentication
  • Authorization
  • Data protection
  • Non-repudiation

11
Defining Requirements
  • Authentication involves accepting credentials
    from the entity and validating them against an
    authority.
  • Authorization determines whether the service
    has granted access to the web service to the
    requestor.
  • Data protection ensures that the web services
    request and response have not tampered with en
    route. Requires both integrity and privacy.
  • Nonrepudiation guarantees that the message
    sender is the same as the creator of the message.

12
Network based Enterprise Security Requirements
  • Confidentiality
  • Integrity
  • Accessibility

13
Defining Requirements Cont.
  • Confidentiality contains information required
    for protection against unauthorized use or
    disclosure.
  • Accessibility must be able on a timely basis to
    meet mission requirements or to avoid substantial
    losses.
  • Integrity contained information must be
    protected from unauthorized, unanticipated or
    unintentional modifications.

14
Available Industry Specification
  • Definitions and Features
  • Comparison Mapping Overview
  • Drawbacks and Benefits
  • Model

15
PKI
  • Public Key Infrastructure is an open
    specification.
  • Published by VeriSign in 2002.
  • Integrates digital certificates and certificate
    authorities into enterprise-wide network security
    architecture.

16
PKI Cont.
  • Provides protection by
  • Authenticating identity
  • Verifying Integrity
  • Ensuring Privacy
  • Authorizing Access
  • Authorizing Transactions
  • Supporting Nonrepudiation

17
PKI Cont.
  • Strengths
  • Integrates Authentication and digital signatures.
  • Allows confidential validation on the identity of
    each party in an internet transaction.
  • Ensures that the message or documents the digital
    certificate signs has not been changed in transit
    online.
  • Protects information from interception during
    Internet transmission.
  • Validates a user identity making it possible to
    later update a digitally signed transaction
    (single sign-on).

18
PKI Cont.
  • Weaknesses
  • Complications associated with the usage of
    proprietary PKI software toolkits.
  • Complex deployment associated with server side
    components.
  • Constraint of complexity in integrating
    authentication and digital signatures in web
    service applications.

19
SAML
  • Security Assertions Markup Language is an
    XML-based framework for Web Services.
  • Security Specification from OASIS, released in
    February 2002.
  • First industry standard for enabling secure
    e-commerce transactions through XML.

20
SAML Cont.
  • Gives guidelines on assertions to request and
    response messages to provide
  • Authentication.
  • Authorization.
  • Interoperability
  • Also shows how single sign-on can be achieved
    when several web-services are interacting
    achieved by adding XML assertions.

21
SAML Cont.
  • Strengths
  • Supports real-time Authentication and
    Authorization.
  • Can interoperate with any kind of system.
  • Makes it possible to have message integrity and
    non-repudiation of the sender.
  • Establishes assertions and protocol schemas for
    the structure of the document that transport
    security.
  • Links back to the actual authentication and makes
    its assertions based on the requests of that
    event.

22
SAML Cont.
  • Weaknesses
  • Security of SAML conversation is not a
    stand-alone application depends on a trust
    model, typically PKI.
  • Does not address privacy policies.
  • Does not define any technology or approaches for
    Authentication.
  • Only makes assertions about credentials does not
    authenticate or authorize users.

23
XKMS
  • XML Key Management Specification is an open
    specification.
  • Published by the W3C as a technical note.
  • Provides a standard XML-based messaging protocol
    to outsource the processing of key management to
    dedicated services.

24
XKMS Cont.
  • XML version of PKI handling.
  • Integrates
  • Authentication.
  • Authorization.
  • Malicious Attack Support.
  • Uses SOAP over an HTTP based network.
  • Makes it easy for applications to interface with
    key-related services.

25
XKMS Cont.
  • Strengths
  • Integrates Authentication and Authorization.
  • Does status checking in a matter of hours.
  • Rapidly implements trust features incorporating
    cryptographic support for XML digital signatures.
  • Moves the complexity associated with PKI
    integration to server side components.
  • Specification toolkit is completely platform,
    vendor, and transport protocol independent.
  • Developer friendly, syntax used eliminates the
    necessary plug-ins PKI requires.

26
XKMS Cont.
  • Weaknesses
  • Has no implemented prototype depicting its
    available techniques.
  • Needs to have three standards to be used at the
    same time, in order for higher security, Not a
    stand-alone application
  • X-KISS (XML Key Information Serv. Spec.).
  • X-KRSS (XML Key Requirement Serv. Spec.).
  • Protocol Binding Specification.

27
WS-Security Cont.
  • Published in April 2002 by IBM, Microsoft, and
    VeriSign.
  • Helps enterprises build secure web services, and
    applications based on them that are broadly
    interoperable.
  • Proposes a set of SOAP extensions, used when
    building secure web services to implement
  • Integrity.
  • Confidentiality.

28
WS-Security Cont.
  • Does not limit itself to a specific model or
    mechanism, can be used as a guideline.
  • Has support for several models and security
    mechanisms.
  • Supports
  • Multiple Security Tokens.
  • Cryptography Technologies.
  • Requester Security.
  • Transport Security.

29
Ws-Security Cont.
  • Microsoft, VeriSign and IBM are announcing the
    publication of 5 new specifications.
  • When used with Ws-Security they provide a
    framework that is extensible and flexible in a
    infrastructure.
  • WS-Trust provides Interoperability
  • WS-Secure Conversation Cent. Management
  • WS-Secure Policyprotects against Malicious
    Attack
  • WS-Policy provides Authentication
  • WS-Authorization provides Authorization

30
WS-Security Cont.
  • Strengths
  • Implements integrity and confidentiality.
  • Building block or better yet a blueprint to be
    used in conjunction with other web service
    specifications.
  • Integrates, unifies and supports many popular
    security models and technologies.
  • Defines how signatures can be used.
  • Provides for a generic mechanism to associate
    security tokens with messages does not require
    any type of security tokens.

31
WS-Security Cont.
  • Weaknesses
  • Does not discuss how proof-of-possession must be
    implemented.
  • Does not discuss how subject confirmations must
    be implemented.
  • Their needs to be effort applied to ensure that
    security protocols that are implemented are not
    exposed to a wide range of attacks.
  • Not approved as a standard as of yet, there are
    not commercial web-services that use this
    specification as of yet.

32
Gap Assessment Table
  • Summary Comparison mapping of Communication
    Enterprise Security Requirements.

X
33
Gap Assessment Table
  • Summary Comparison mapping of Network Enterprise
    Security Requirements.

34
Model

SAML
PKI
Authentication
WS-S ecur i ty
WS-Policy Assertion
XKMS
SAML
XKMS
Authorization
WS-Authorization
PKI
WS-Security
Data Protection/ Confidentiality
PKI
WS-Security
Data Integrity
PKI
WS-Security
Scalability
WS-Security
WS-Trust
Interoperability
SAML
Centralized Management
WS-Secure Conversation
SAML
PKI
XKMS
WS-Security Policy
XKMS
Malicious Attack
35
Survey Results
  • Current Enterprise State

36
About the Survey
  • Explores areas of interest and experiences for
    those responsible in ensuring network/web service
    securities
  • Survey was voluntary and consisted of eight
    questions
  • Final survey was sent to 25 individuals
  • 20 individuals submitted a completed survey

37
Key Research Questions
  • Rank web-based communication security
    requirements based on security framework
    importance
  • Rank networking issue requirements based on
    security framework importance
  • Rank security methods in terms of effectiveness
    in acquiring information security at an
    organization

38
Survey Findings
  • Experience any of these Security Breaches

39
Survey Findings
  • Indicate level of concern in the following issues

40
Survey Findings
  • Method effectiveness in terms of acquiring
    information security in an organization

41
Survey Findings
  • Priority of the following items Importance to an
    organization

42
Survey Findings
  • Prioritize the Networking Issue Requirements
    based on security framework importance.

43
Survey Findings
  • Prioritize the web-based Communication Security
    Requirements based on security framework
    importance

44
Conclusion and Recommendation
45
Managing Web Security
  • Difficult to determine a single best strategy.
  • When dealing with applications with strong
    authentication and authorization, Ws-Security and
    SAML specifications should be considered.
  • When dealing with concerns of malicious attack
    and data protection, XKMS and SAML should be
    considered.
  • XKMS when joined with WS-Security has a stronger
    use for digitally signing and SAML assertions.

46
Managing Web Security Cont.
  • SAML when combined with Ws-Security should use
    techniques such as XML signatures and
    encryptions.
  • SAML assertions should be carried as security
    tokens defined in Ws-Security.
  • SAML traffic should be secured by XKMS-based PKI.

47
Managing Web Security Cont.
  • Most effective method in acquiring information
    security in an organization is by conducting
    vulnerability assessments and explaining the
    differences between security and legal
    requirements.
  • To reduce obstacles in achieving web service
    security is to greatly reduce the technical
    challenges and complexity of using security
    specification toolkit products.

48
Potential Future Work
  • Research and analyze whether an implementation of
    Ws-Security, PKI, SAML and XKMS on Web Services
    is enough to provide a system with the needed
    securities.

49
Conclusion
  • For more information please visit project web
    site
  • http//shrike.depaul.edu/cfhied/se690/abstract.ht
    ml
  • Thank you!!!
Write a Comment
User Comments (0)
About PowerShow.com