Making VLAB Secure

1
Making VLAB Secure

• Javier I. Roman

2
What is VLAB?

• An interdisciplinary consortium dedicated to the
  development and promotion of the theory of
  planetary materials.
• Interpreted seismic data in the context of likely
  geophysical processes.
• Be used as input for more sophisticated and
  reliable modeling of planets.

3
The Three Main Goals In Security!

• Authentication
• verifying the identity of a user
• Confidentiality
• protecting the privacy of the message contents
• Integrity
• ensures that a message has not been altered
  since its departure from the original sender

4
Common ways to Solve Web Services Security

• Sent over HTTPS/SSL secure channel gives
  confidentiality during transport.
• Doing your own signatures/encryption using XML
  signatures encryption standards
• Service authentication using public key
  certificates
• Client authentication using user/password sent
  over secure channel
• SOAP formatted messages

5
Is HTTPS/SSL enough Security?

• Transport Security a Point to Point Security
• Server authentication by client using public key
  certificate
• Encrypted whole messages to block eavesdroppers
• Limitations that come from Transport Security
• Does not support intermediaries so router sees
  entire clear text message
• User gt SSL gt Router gt SSL gt Server
• Does not support signing a message to verified
  that the message was not change on transit

6
OASIS Web Services Security

• End to End Security
• Data can be hidden from intermediaries
• Transport Independent
• Run over HTTP, TCP, UDP, email or whatever
• Framework for building security protocols
• Integrity, Confidentiality and Authentication
• Support for different types of Security
  algorithms
• Encryption, Digest, Signature, Canonicalization,
  Transforms

7
How to achieve Authentication

• Using UsernameToken with password Digest
• Digest SHA1 ( nonce created password )
• SHA1 is Secure hash algorithm
• Nonce is a unique sequence of random character

8
UsernameToken Digest

• ltSEnvelope xmlnsS"http//www.w3.org/2001/12/soa
  p-envelope" xmlnswsse"http//schema
  s.xmlsoap.org/ws/2002/xx/secext"gt
• xmlnswsu"http//schemas.xmlsoap.org/ws/2002/07/
  utility"gt
• ltSHeadergt
• ...
• ltwsseUsernameToken
• ltwsseUsernamegtJavierlt/wsseUsernamegt
• ltwssePassword Type"wssePasswordDigestgtOEdR...lt
  /wssePasswordgt
• ltwsseNoncegtFKJh...lt/wsseNoncegt
• ltwsuCreatedgt2007-07-14T090000Z lt/wsuCreatedgt
  lt/wsseUsernameTokengt ...
• lt/SHeadergt
• ...
• lt/SEnvelopegt

9
Adding Encryption too

• Setting the Encrypt parameter
• The encryption algorithm select AES
• A Special-purpose quantum computer in the year
  2015 will take 108 million years to break a key
  of 128 bits
• You can select the parts you want to encrypt
• in the message

10
Encrypting Body and UsernameToken
11
Adding Integrity

• Using UsernameTokenSignature can determine
  whether a message was altered in transit
• Verify that message was sent by possessor of
  particular security token
• Generate a key using the username and password to
  Signature a element of a message or the Body

12
Putting everything together