Gap Assessment of the Top Web Service Specifications Managing the Security of Web Services

1
Gap Assessment of the Top Web Service
SpecificationsManaging the Security of Web
Services

• Cristina Fhied
• SE690 Final Presentation
• Advisor Xiaoping Jia, Luigi Guadagno

2
Outline

• 1. Project Goal
• 2. Overview of Web Services introduction
• 3. Security Enterprise Requirements
• 4. Security Specifications
• Comparison Overview (how do they map req.)
• Drawbacks and Benefits of each
• Model
• 5. Current Enterprise State Survey
• 6. Conclusion and Recommendations
• 7. Potential Future Work

3
Project Goal

• Research available web service specifications.
• Conduct an enterprise state survey exploring
  problems and experiences facing network
  professionals.
• Research the Enterprise communication and
  architecture requirements for a secure Web
  Services.
• Prepare gap assessment tables mapping the
  communication and network enterprise req. against
  the researched available security specifications.
• Prepare a model showing the interpolation of
  Ws-Security specification with the interaction
  of the researched available web service
  specifications.

4
What are Web Services?

• Software pieces that interact with
• each other using internet standards
• to create an application in response
• to requests that conform to agreed-upon
  formats. Infravio, 2003

5
What Are the Characteristics

• A web service is accessible over the internet.
• Provides an interface that can be called from one
  application to another.
• Interface can be called from any type of
  application client or service.
• Acts as a liaison between the web and the
  application logic that implements the service.

6
How Does a Web Service Communicate?

• Uses XML on top of HTTP
• XML is a widely accepted format for exchanging
  data and its semantics
• The Web service STACK consists of
• XML (eXtensible Markup Language)
• SOAP (Simple Object Access Protocol)
• WSDL (Web Services Definition Language)
• UDDI (Universal Discovery Description Language)

7
Web Services Stack
Returns the WSDL reference used to bind to web
service
UDDI
Specifies how to connect to a web service
WSDL
Better describes the data being sent
SOAP
XML
Acts as the envelope for XML messages
HTTP (SMTP, FTP, other)
Transport layer
8
What About Current Web Security?

• To date much of web security is built around
  encryption through secure socket layers (SSL)
  using simple object access protocol (SOAP).
• Not enough to protect supply-chain operations and
  other business to business transactions because
  SOAP is based on XML.
• One way transmission, easy to steal and resend
  messages.

9
Enterprise Requirements

• Network
• Communication

10
Communication based Enterprise Security
Requirements

• Authentication
• Authorization
• Data protection
• Non-repudiation

11
Defining Requirements

• Authentication involves accepting credentials
  from the entity and validating them against an
  authority.
• Authorization determines whether the service
  has granted access to the web service to the
  requestor.
• Data protection ensures that the web services
  request and response have not tampered with en
  route. Requires both integrity and privacy.
• Nonrepudiation guarantees that the message
  sender is the same as the creator of the message.

12
Network based Enterprise Security Requirements

• Confidentiality
• Integrity
• Accessibility

13
Defining Requirements Cont.

• Confidentiality contains information required
  for protection against unauthorized use or
  disclosure.
• Accessibility must be able on a timely basis to
  meet mission requirements or to avoid substantial
  losses.
• Integrity contained information must be
  protected from unauthorized, unanticipated or
  unintentional modifications.

14
Available Industry Specification

• Definitions and Features
• Comparison Mapping Overview
• Drawbacks and Benefits
• Model

15
PKI

• Public Key Infrastructure is an open
  specification.
• Published by VeriSign in 2002.
• Integrates digital certificates and certificate
  authorities into enterprise-wide network security
  architecture.

16
PKI Cont.

• Provides protection by
• Authenticating identity
• Verifying Integrity
• Ensuring Privacy
• Authorizing Access
• Authorizing Transactions
• Supporting Nonrepudiation

17
PKI Cont.

• Strengths
• Integrates Authentication and digital signatures.
• Allows confidential validation on the identity of
  each party in an internet transaction.
• Ensures that the message or documents the digital
  certificate signs has not been changed in transit
  online.
• Protects information from interception during
  Internet transmission.
• Validates a user identity making it possible to
  later update a digitally signed transaction
  (single sign-on).

18
PKI Cont.

• Weaknesses
• Complications associated with the usage of
  proprietary PKI software toolkits.
• Complex deployment associated with server side
  components.
• Constraint of complexity in integrating
  authentication and digital signatures in web
  service applications.

19
SAML

• Security Assertions Markup Language is an
  XML-based framework for Web Services.
• Security Specification from OASIS, released in
  February 2002.
• First industry standard for enabling secure
  e-commerce transactions through XML.

20
SAML Cont.

• Gives guidelines on assertions to request and
  response messages to provide
• Authentication.
• Authorization.
• Interoperability
• Also shows how single sign-on can be achieved
  when several web-services are interacting
  achieved by adding XML assertions.

21
SAML Cont.

• Strengths
• Supports real-time Authentication and
  Authorization.
• Can interoperate with any kind of system.
• Makes it possible to have message integrity and
  non-repudiation of the sender.
• Establishes assertions and protocol schemas for
  the structure of the document that transport
  security.
• Links back to the actual authentication and makes
  its assertions based on the requests of that
  event.

22
SAML Cont.

• Weaknesses
• Security of SAML conversation is not a
  stand-alone application depends on a trust
  model, typically PKI.
• Does not address privacy policies.
• Does not define any technology or approaches for
  Authentication.
• Only makes assertions about credentials does not
  authenticate or authorize users.

23
XKMS

• XML Key Management Specification is an open
  specification.
• Published by the W3C as a technical note.
• Provides a standard XML-based messaging protocol
  to outsource the processing of key management to
  dedicated services.

24
XKMS Cont.

• XML version of PKI handling.
• Integrates
• Authentication.
• Authorization.
• Malicious Attack Support.
• Uses SOAP over an HTTP based network.
• Makes it easy for applications to interface with
  key-related services.

25
XKMS Cont.

• Strengths
• Integrates Authentication and Authorization.
• Does status checking in a matter of hours.
• Rapidly implements trust features incorporating
  cryptographic support for XML digital signatures.
• Moves the complexity associated with PKI
  integration to server side components.
• Specification toolkit is completely platform,
  vendor, and transport protocol independent.
• Developer friendly, syntax used eliminates the
  necessary plug-ins PKI requires.

26
XKMS Cont.

• Weaknesses
• Has no implemented prototype depicting its
  available techniques.
• Needs to have three standards to be used at the
  same time, in order for higher security, Not a
  stand-alone application
• X-KISS (XML Key Information Serv. Spec.).
• X-KRSS (XML Key Requirement Serv. Spec.).
• Protocol Binding Specification.

27
WS-Security Cont.

• Published in April 2002 by IBM, Microsoft, and
  VeriSign.
• Helps enterprises build secure web services, and
  applications based on them that are broadly
  interoperable.
• Proposes a set of SOAP extensions, used when
  building secure web services to implement
• Integrity.
• Confidentiality.

28
WS-Security Cont.

• Does not limit itself to a specific model or
  mechanism, can be used as a guideline.
• Has support for several models and security
  mechanisms.
• Supports
• Multiple Security Tokens.
• Cryptography Technologies.
• Requester Security.
• Transport Security.

29
Ws-Security Cont.

• Microsoft, VeriSign and IBM are announcing the
  publication of 5 new specifications.
• When used with Ws-Security they provide a
  framework that is extensible and flexible in a
  infrastructure.
• WS-Trust provides Interoperability
• WS-Secure Conversation Cent. Management
• WS-Secure Policyprotects against Malicious
  Attack
• WS-Policy provides Authentication
• WS-Authorization provides Authorization

30
WS-Security Cont.

• Strengths
• Implements integrity and confidentiality.
• Building block or better yet a blueprint to be
  used in conjunction with other web service
  specifications.
• Integrates, unifies and supports many popular
  security models and technologies.
• Defines how signatures can be used.
• Provides for a generic mechanism to associate
  security tokens with messages does not require
  any type of security tokens.

31
WS-Security Cont.

• Weaknesses
• Does not discuss how proof-of-possession must be
  implemented.
• Does not discuss how subject confirmations must
  be implemented.
• Their needs to be effort applied to ensure that
  security protocols that are implemented are not
  exposed to a wide range of attacks.
• Not approved as a standard as of yet, there are
  not commercial web-services that use this
  specification as of yet.

32
Gap Assessment Table

• Summary Comparison mapping of Communication
  Enterprise Security Requirements.

X
33
Gap Assessment Table

• Summary Comparison mapping of Network Enterprise
  Security Requirements.

34
Model

SAML
PKI
Authentication
WS-S ecur i ty
WS-Policy Assertion
XKMS
SAML
XKMS
Authorization
WS-Authorization
PKI
WS-Security
Data Protection/ Confidentiality
PKI
WS-Security
Data Integrity
PKI
WS-Security
Scalability
WS-Security
WS-Trust
Interoperability
SAML
Centralized Management
WS-Secure Conversation
SAML
PKI
XKMS
WS-Security Policy
XKMS
Malicious Attack
35
Survey Results

• Current Enterprise State

36
About the Survey

• Explores areas of interest and experiences for
  those responsible in ensuring network/web service
  securities
• Survey was voluntary and consisted of eight
  questions
• Final survey was sent to 25 individuals
• 20 individuals submitted a completed survey

37
Key Research Questions

• Rank web-based communication security
  requirements based on security framework
  importance
• Rank networking issue requirements based on
  security framework importance
• Rank security methods in terms of effectiveness
  in acquiring information security at an
  organization

38
Survey Findings

• Experience any of these Security Breaches

39
Survey Findings

• Indicate level of concern in the following issues

40
Survey Findings

• Method effectiveness in terms of acquiring
  information security in an organization

41
Survey Findings

• Priority of the following items Importance to an
  organization

42
Survey Findings

• Prioritize the Networking Issue Requirements
  based on security framework importance.

43
Survey Findings

• Prioritize the web-based Communication Security
  Requirements based on security framework
  importance

44
Conclusion and Recommendation
45
Managing Web Security

• Difficult to determine a single best strategy.
• When dealing with applications with strong
  authentication and authorization, Ws-Security and
  SAML specifications should be considered.
• When dealing with concerns of malicious attack
  and data protection, XKMS and SAML should be
  considered.
• XKMS when joined with WS-Security has a stronger
  use for digitally signing and SAML assertions.

46
Managing Web Security Cont.

• SAML when combined with Ws-Security should use
  techniques such as XML signatures and
  encryptions.
• SAML assertions should be carried as security
  tokens defined in Ws-Security.
• SAML traffic should be secured by XKMS-based PKI.

47
Managing Web Security Cont.

• Most effective method in acquiring information
  security in an organization is by conducting
  vulnerability assessments and explaining the
  differences between security and legal
  requirements.
• To reduce obstacles in achieving web service
  security is to greatly reduce the technical
  challenges and complexity of using security
  specification toolkit products.

48
Potential Future Work

• Research and analyze whether an implementation of
  Ws-Security, PKI, SAML and XKMS on Web Services
  is enough to provide a system with the needed
  securities.

49
Conclusion

• For more information please visit project web
  site
• http//shrike.depaul.edu/cfhied/se690/abstract.ht
  ml
• Thank you!!!