Without Security, Web Services are Dead on Arrival - PowerPoint PPT Presentation

1 / 26

About This Presentation

Title:

Without Security, Web Services are Dead on Arrival

Description:

The mainframe running Cobol from dusty decks. Connecting to external ... Must be a static. mechanism. Application. XKMS. XKMS. XKMS. 26. WS-KeyAgreement ' ... – PowerPoint PPT presentation

Number of Views:37

Avg rating:3.0/5.0

Slides: 27

Provided by: djcr

Category:

more less

Transcript and Presenter's Notes

Title: Without Security, Web Services are Dead on Arrival

1
Without Security, Web Services are Dead on Arrival
Phillip Hallam-Baker Principal Scientist
2
Walking the WalkVeriSign and Web Services

Provider of Web Services
XKMS Service live over 1 year
VeriSign Trust Gateway
Visit trade show booth for details
User of Web Services
Integrate multiple IT infrastructures
VeriSign
Signio
Network Solutions
Illuminet
HO Systems

3
Web Services is about

Efficiently interfacing to legacy applications
Legacy meaning it works
The mainframe running Cobol from dusty decks
Connecting to external computing resources
Supply chain infrastructure
Automatically place receive orders
Outsourced computing infrastructure
Accounting Facilities
Payroll
Inventory
Etc.

4
Example Common Interface to Legacy Systems
5
Software Industry Strategy

Key Strategy High volume
Amortize development costs over more users
Reduce unit cost to purchaser
Sell more copies, make more profits.
Problem
Purchase cost is no longer main principal
software cost
Total Cost of Ownership is considered
Price of software approaches cost of production
As a result of the Internet this is approximately
zero
Solution Amortize Deployment, Maintenance costs

6
Objective

Web Services like email
Anyone can talk to everyone

Not like Power Cord
Different Mains Adapter for Every Device
600 service fee to repair broken connector

7
And Security?

Dont want our Power Cords Web Services to
catch Fire

8
Why Security Is Needed

Without Trust and Security
Web Services are Dead on Arrival

9
Web Services Security Groups
10
The Problem
Operating System
11
What Parts of Web Services Security Should Be
Infrastructure?

Replicate security context provided by O/S
Protected Memory
Prevents modification of process state
Prevents interception of function calls
Prevent disclosure
Access Control
Authentication
Authorization
Auditing

12
Is SSL Enough?

For some applications
Yes
As Infrastructure
No
SSL Only supports data in transit, not in storage
SSL does not support multi-party transactions
SSL is all or nothing
Messages are opaque to firewalls
SSL does not support non-Repudiation

13
Routing

SOAP supports message routing
E.g. to channel through a SOAP Firewall/Trust
Gateway

Internet
Enterprise B
Enterprise A
X
TG
14
WS-Security

SOAP Message Level Security
Confidentiality
Integrity
Authentication
Builds on XML Standards
XML Signature Encryption

15
WS-SecureConversation
16
WS-Policy, WS-PolicyAttachments WS-SecurityPolicy
Which version ?
I speak standard YAWS(Yet Another Web Service)
Which options?

What Encryption
Do you support?
Do you require?

Etc. etc etc.
17
Part III Web Services Infrastructure Security
Applications

Key Management
XKMS
Key Agreement TBA
Distributed Access Control
SAML
XACML
XrML
Ancillary
Provisioning SPML
Biometrics XCBF
Privacy Profile P3P

18
XML Key Management Specification (XKMS)

Management of Public Keys
Because all you need to know to communicate
securely with anyone is their public key
Registration
Alice registers her email signature public key
Alice might later request reissue, revocation,
recovery
Information
Bob looks up the key for alice_at_somecorp.com
Bob checks to see if it is valid
Core Objective
Shield the client from the complexity of PKI

19
Traditional PKI
Directory
Alice
Bob
ASN1
PKIX
20
XKMS PKI Interface
Alice
Bob
ASN1
PKIX
21
Example Federal BridgeCertificate Location
Validation
Federal Bridge CA Infrastructure
FBCA Code
XKMS xkms.a1.eop.gov
Alice alice_at_a1.eop.gov
Bob bob_at_navy.mil
22
Distributed Access Control