Web Services

and
Web Services Security
Presented
August 7, 2004
at
AMCIS2004
New York, New York
by
Dr. Robert J. Boncella
Washburn University
1
 Overview of Presentation

• Concept of a Web Service (WS)

• Required Technology for Web Services
• Security Requirements for Web Services
• Require Technology for Web Services
Security
• WS-Security
• Web Services Threats and attacks
2
 Concept of a Web Service
• Web Service
– self-contained modular application
– that provides a computation upon request
• Request via a Computer Network
– Internet, Intranet, or Extranet
• Computer Network Used To
– Describe
– Publish
– Locate
– Invoke (provide service) 3
 Example of a Web Service
• Function
– Provide verification of a customer’s shipping
address (e.g. Is zip code correct?)
– Current price of a particular stock

4
 Implications of Web Services
Computing Paradigm
• Interoperability
– implied standardization
• Substitutability of services
• Services become commodities
• Information Systems developed with least cost
– competition to provide service
– service providers responsible to provide QOS
• Firm not required to provide service
– not unusual
– e.g. ship package via DHL, FedEx, UPS, or USPS
5
 Acceptance of Web Services

• Firm must trust service provider

• Assurance of Web Services Security required
– Overview of Web Services architecture required
for understanding of Web Service Security

6
Web Services Architecture

Service Oriented Architecture

(SOA)
7
 Implementation of SOA
• Required Components
– Any Communication Protocol
• TCP, HTTP, SMTP, Message Queuing (e.g.MSMQ)
– SOAP 1.1 (Simple Object Access Protocol )
– WSDL 1.1 (Web Services Description Language )
– UDDI ver. 2.04 API (Universal Description, Discovery, and
Integration )
– XML 1.0
– XML Schema Part 1: Structures
– XML Schema Part 2: Datatypes

8
 Component Details
• SOAP 1.1
– Simple Object Access Protocol is a message protocol that enables
requests and responses to be sent in XML format from client to a
server.
– SOAP defines an envelope that contains a header and a body. The
SOAP body contains the payload. See http://www.w3.org/TR/soap/
for more details.
• WSDL 1.1
– Web Services Description Language is a specification that details how
to describe a web service. A WSDL document for a service is an
XML document that contains information a programmer needs in
order to contract for that service. See http://www.w3.org/TR/wsdl for
more details.

9
 Component Details

• UDDI ver. 2.04 API

– Universal Description, Discovery, and Integration is a specification of
the registry that lists web services that are of interest to a service
requestor entity. It uses taxonomies that categorize web services in a
way meaningful to clients. See http://www.uddi.org/ for more details.

10
 Component Details
• XML 1.0
– XML is a tag-oriented language whose tags can be user defined
and are used to describe the data contained in the document. See
http://www.w3.org/XML/ for more details.
• XML Schema Part 1: Structures
– XML Schema: Structures can be used to define, describe and
catalogue XML vocabularies for classes of XML documents. See
http://www.w3.org/TR/xmlschema-1/ for more details.
• XML Schema Part 2: Datatypes
– XML Schema: Datatypes can be used to define datatypes in XML
vocabularies and documents. See
http://www.w3.org/TR/xmlschema-2/ for more details.

11
 An Example

4) An SOA Bind()

2) IT department A is creating 1) IT department B

information system Y and needs creates service X -
service X - An SOA Find() An SOA Publish()

3) IT department A uses the URL posted in

the public registry to download a copy of
the WSDL specification for service X 12
Web Services Security

13
 Information Security Requirements
– Confidentiality
• assures user privacy and prevents the theft of information both in transit and stored.
– Integrity
• assures that information either in transit or in storage was not modified,
– Nonrepudiation
• assures that the sender of a message cannot legitimately claim they did not send the
message.
– Authentication
• assures that the sender and receiver are who the claim to be.
– Authorization
• assures that an authentication entity can access only those information resources they
are required to have either to request or provide a service.
– Availability
• assures that uninterrupted service is provided to authenticated and authorized users.

14
 Information Security
• Information security requirements assured by
– SSL (Secure Sockets Layer)
– PKI (Public Key Infrastructure)
– Firewalls
• Restricted to conventional web traffic using
– HTTPS, FTPS, et. al.
• SSL inadequate for Web Services Security
• Firewalls inadequate for Web Services Security

15
 SSL & Web Services Security

• Example shows need for persistent security

• Persistent Security
– requires the security of the SOAP request/response message be
assured over more than one client/server connection
• SSL does not
– Provide end-to-end security
– Assure Integrity
– Generally, only uses one-way authentication
– No end-to-end audit trail 16
 Firewalls & Web Services Security

• SOAP bypasses firewalls

• Firewalls function at
– Layer 3 - packet filtering on IP and/or port
– Layer 4 - circuit-level uses TCP handshaking to
determine a session’s legitimacy
– Application layer - filters on basis of application
being requested e.g. HTTP/SSL POP/SMTP maybe
allowed others refused
• SOAP messages often bound to HTTP or SMTP

17
 Firewalls & Web Services Security
• A SOAP level firewall should
– determine if the incoming SOAP request is
intended for a available Web Service
– determine if the SOAP request is valid
• does the SOAP message contain valid data
– type and size
– Content Filtering Firewall

18
Web Services Security Requirements
• Same as Information Security Requirements
• Assured by means other than SSL and
firewalls
• Requirement of persistent security
– SOAP messages require inclusion of security
data

19
 Web Services Security Technology
• Confidentiality for Web Services
– XML Encryption is used to assure confidentiality in the case of a
security context that ranges beyond a simple HTTP/SSL
connection
– See http://www.w3.org/Encryption/2001/ for detailed information.
• Integrity for Web Services
– An XML signature is the XML equivalent of a digital signature
– Used digitally sign selected portions of an XML document
– Used to sign data and thereby assure its integrity
– See http://www.w3.org/Signature/ for detailed information

20
 Web Services Security Technology
• Authentication and Authorization Web Services
– Single Sign On (SSO) process
– If user is authenticated by initial web service provider user is
automatically authenticated on all subsequent web service
providers.
– Two approaches to SSO
• 1) Include authentication information for each web service in the initial
SOAP message
• 2) Maintain a user's authentication list in a central repository

21
 Web Services Security Technology
• Two approaches to SSO
– 1) Include authentication information for each web service in the
initial SOAP message
• Security Assertions Markup Language (SAML) and XML Access Control
Markup Language (XACML) work together to implement the first
approach
• For detailed information about SAML see
– http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security
• and for XACML see
– http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml.
– 2) Maintain a user's authentication list in a central repository
• Microsoft's Passport scheme and Sun's Liberty Alliance Project use the
centralized repository approach to user authentication

22
 Web Services Security Technology

• Nonrepudiation - PKI for Web Services

– XML Key Management specification (XKMS) provides PKI
services (registering, locating, and validating keys) through
XML.
– See http://www.w3.org/TR/xkms/ for detailed information

23
 WS-Security
• Specification to extend SOAP
• Web Services Security Language
– WS-Security
• WS-Security Provides
– Multiple Security Tokens
• for authentication & authorization
– Multiple Trust Domains
– Multiple Signature Formats
– Multiple Encryption Technologies
– End to end message-level security
24
Web Services Security Specifications
IBM/Microsoft Architecture
(Proposed April, 2002)

25
 Web Services Security Specifications
• WS-Security Specification
– describes how to attach signature and encryption
headers to SOAP messages
– describes how to attach security tokens to messages
• X.509 Certificates
• Kerberos Tickets.

26
 Web Services Security Specifications
• WS-Policy
– will describe the capabilities and constraints of the security
policies on intermediaries and endpoints
– specifies the required security tokens, supported encryption
algorithms, privacy rules
– this information will be in the WSDL document for a service
• WS-Trust
– will describe a framework for trust models that enables Web
services to securely interoperate
• WS-Privacy
– will describe a model for how Web services and requesters state
privacy preferences and organizational privacy practice
27
statements.
 Web Services Security Specifications
• WS-SecureConversation:
– will describe how to manage and authenticate message
exchanges between parties including security context
exchange and establishing and deriving session keys.
• WS-Federation:
– will describe how to manage and broker the trust
relationships in a heterogeneous federated environment
including support for federated identities.
• WS-Authorization:
– will describe how to manage authorization data and
authorization policies

28
 Status of IBM/Microsoft Architecture
• Web Services Security:
– Kerberos Binding -
• published as a public specification on 19 December 2003.
– SOAP Message Security
• published as an OASIS Standard in March of 2004.
– UsernameToken Profile 1.0
• published as an OASIS Standard in March of 2004.
– X.509 Certificate Token Profile
• published as an OASIS Standard in March of 2004.
– OASIS -
• Organization for the Advancement of Structured Information
29
 Status of IBM/Microsoft Architecture

• WS-Trust
– published as a public specification on 24 May 2004.
• WS-SecureConversation
– was published as a public specification on 24 May 2004.
• WS-SecurityPolicy
– was published as a public specification on 18 December
2002.
• WS-Federation
– published as public specifications on 8 July 2003

30
 Web Services Security Threats
• Attacks on the application or the computing system that
provides the Web Service
– threat to availability
• A SOAP message containing malicious data that would
cause the web service application to execute in an
unintended mode
• The SOAP message could contain a request for a service
that is not advertised on that site is provided
• SOAP messages easily pass through firewalls
– Needed: firewalls that filter the content of SOAP messages
requesting passage through the firewall
31
 Summary
The purpose of this tutorial was to provide a foundation for an
understanding of the need for and techniques of web services
security.

An overview of the architecture of WS-Security an its status

was presented as well.

An overview of web services - its architecture and its

components was included as well.

32
Slides:

http://www.washburn.edu/cas/cis/boncella

E-mail:

bob.boncella@washburn.edu

33
 Bibliography
Albrecht, C. (2004) How Clean Is the Future of SOAP?, Communication of the ACM, 47,2,Feb. 2004.
Atkinson, B., Della-Libera, G., Hada, S., Hondo, M., Hallam-Baker, P., Klein, J., LaMacchia, B.,
Leach, P., Manferdelli, J., Maruyama, H., Nadalin, A., Nagaratnam, N., Prafullchandra, H., Shewchuk,
J., Simon, D. (2002) "Web Services Security (WS-Security)", http://www-
106.ibm.com/developerworks/webservices/library/ws-secure/ (current Feb. 22, 2004)
Biron, P.V. and Malhotra, A. (2001) "XML Schema Part 2: Datatypes"
http://www.w3.org/TR/xmlschema-2/ (current Feb. 22, 2004)
Boncella, R. (2000) "Web Security for E-Commerce", Communications of the AIS, 4, 11, Nov. 2000.
Boncella, R. (2003) SSL in The Internet Encyclopedia, Hossein Bidgoli (Editor), New York, New York,
J. Wiley, 2003.
Christensen, E., Curbera, F., Meredith, G., Weerawarana, S. (2001) " Web Services Description
Language (WSDL) 1.1", http://www.w3.org/TR/wsdl (current Feb. 22, 2004)
Fielding, R., Gettys, J., Mogul, J.,. Frystyk, H., Masinter,. L.,. Leach, P., and Berners-Lee, T. (1999)
"Hypertext Transfer Protocol HTTP/1.1", http://www.ietf.org/rfc/rfc2616.txt (current Feb. 22, 2004).
Eastlake, D., and Reagle, J (2001) " XML Signature", http://www.w3.org/Signature/ (current Feb. 22,
2004)

34
 Bibliography
Ford, W., Hallam-Baker, P., Fox, B., Dillaway, B., LaMacchia, B., Epstein, J., Lapp, J., (2001) " XML Key
Management Specification (XKMS)", http://www.w3.org/TR/xkms/ (current Feb. 22, 2004)
Gudgin, M., Hadley, M., Mendelsohn, N., Moreau, J., Nielsen H. F. (2003) "SOAP Version 1.2 Part 1:
Messaging Framework", http://www.w3.org/TR/soap/ (current Feb. 22, 2004)
Kristol, D, and Montulli, L. (2000), " HTTP State Management Mechanism",
http://www.ietf.org/rfc/rfc2965.txt (current Feb. 22, 2004)
OASIS (2001) (Organization for the Advancement of Structured Information Standards), " Universal
Description, Discovery and Integration", http://www.uddi.org/ (current Feb. 22, 2004)
OASIS (2003), (Organization for the Advancement of Structured Information Standards), " eXtensible
Access Control Markup Language", http://www.oasis-
open.org/committees/tc_home.php?wg_abbrev=xacml.(current Feb. 22, 2004)
OASIS (2004), (Organization for the Advancement of Structured Information Standards), "Security
Assertion Markup Language (SAML)", http://www.oasis-
open.org/committees/tc_home.php?wg_abbrev=security (current Feb. 22, 2004)
Reagle, J. (2001) " XML Encryption", http://www.w3.org/Encryption/2001/ (current Feb. 22, 2004)
Thompson, H.S.,Beech, D., Maloney, M., Mendelsohn N. (2001) " XML Schema Part 1: Structures",
http://www.w3.org/TR/xmlschema-1/ (current Feb. 22, 2004)
W3C (1996) ' Extensible Markup Language (XML)", http://www.w3.org/XML/ (current Feb. 22, 2004)

35