Академический Документы
Профессиональный Документы
Культура Документы
and
Web Services Security
Presented
August 7, 2004
at
AMCIS2004
New York, New York
by
Dr. Robert J. Boncella
Washburn University
1
Overview of Presentation
4
Implications of Web Services
Computing Paradigm
• Interoperability
– implied standardization
• Substitutability of services
• Services become commodities
• Information Systems developed with least cost
– competition to provide service
– service providers responsible to provide QOS
• Firm not required to provide service
– not unusual
– e.g. ship package via DHL, FedEx, UPS, or USPS
5
Acceptance of Web Services
6
Web Services Architecture
8
Component Details
• SOAP 1.1
– Simple Object Access Protocol is a message protocol that enables
requests and responses to be sent in XML format from client to a
server.
– SOAP defines an envelope that contains a header and a body. The
SOAP body contains the payload. See http://www.w3.org/TR/soap/
for more details.
• WSDL 1.1
– Web Services Description Language is a specification that details how
to describe a web service. A WSDL document for a service is an
XML document that contains information a programmer needs in
order to contract for that service. See http://www.w3.org/TR/wsdl for
more details.
9
Component Details
10
Component Details
• XML 1.0
– XML is a tag-oriented language whose tags can be user defined
and are used to describe the data contained in the document. See
http://www.w3.org/XML/ for more details.
• XML Schema Part 1: Structures
– XML Schema: Structures can be used to define, describe and
catalogue XML vocabularies for classes of XML documents. See
http://www.w3.org/TR/xmlschema-1/ for more details.
• XML Schema Part 2: Datatypes
– XML Schema: Datatypes can be used to define datatypes in XML
vocabularies and documents. See
http://www.w3.org/TR/xmlschema-2/ for more details.
11
An Example
4) An SOA Bind()
13
Information Security Requirements
– Confidentiality
• assures user privacy and prevents the theft of information both in transit and stored.
– Integrity
• assures that information either in transit or in storage was not modified,
– Nonrepudiation
• assures that the sender of a message cannot legitimately claim they did not send the
message.
– Authentication
• assures that the sender and receiver are who the claim to be.
– Authorization
• assures that an authentication entity can access only those information resources they
are required to have either to request or provide a service.
– Availability
• assures that uninterrupted service is provided to authenticated and authorized users.
14
Information Security
• Information security requirements assured by
– SSL (Secure Sockets Layer)
– PKI (Public Key Infrastructure)
– Firewalls
• Restricted to conventional web traffic using
– HTTPS, FTPS, et. al.
• SSL inadequate for Web Services Security
• Firewalls inadequate for Web Services Security
15
SSL & Web Services Security
17
Firewalls & Web Services Security
• A SOAP level firewall should
– determine if the incoming SOAP request is
intended for a available Web Service
– determine if the SOAP request is valid
• does the SOAP message contain valid data
– type and size
– Content Filtering Firewall
18
Web Services Security Requirements
• Same as Information Security Requirements
• Assured by means other than SSL and
firewalls
• Requirement of persistent security
– SOAP messages require inclusion of security
data
19
Web Services Security Technology
• Confidentiality for Web Services
– XML Encryption is used to assure confidentiality in the case of a
security context that ranges beyond a simple HTTP/SSL
connection
– See http://www.w3.org/Encryption/2001/ for detailed information.
• Integrity for Web Services
– An XML signature is the XML equivalent of a digital signature
– Used digitally sign selected portions of an XML document
– Used to sign data and thereby assure its integrity
– See http://www.w3.org/Signature/ for detailed information
20
Web Services Security Technology
• Authentication and Authorization Web Services
– Single Sign On (SSO) process
– If user is authenticated by initial web service provider user is
automatically authenticated on all subsequent web service
providers.
– Two approaches to SSO
• 1) Include authentication information for each web service in the initial
SOAP message
• 2) Maintain a user's authentication list in a central repository
21
Web Services Security Technology
• Two approaches to SSO
– 1) Include authentication information for each web service in the
initial SOAP message
• Security Assertions Markup Language (SAML) and XML Access Control
Markup Language (XACML) work together to implement the first
approach
• For detailed information about SAML see
– http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security
• and for XACML see
– http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml.
– 2) Maintain a user's authentication list in a central repository
• Microsoft's Passport scheme and Sun's Liberty Alliance Project use the
centralized repository approach to user authentication
22
Web Services Security Technology
23
WS-Security
• Specification to extend SOAP
• Web Services Security Language
– WS-Security
• WS-Security Provides
– Multiple Security Tokens
• for authentication & authorization
– Multiple Trust Domains
– Multiple Signature Formats
– Multiple Encryption Technologies
– End to end message-level security
24
Web Services Security Specifications
IBM/Microsoft Architecture
(Proposed April, 2002)
25
Web Services Security Specifications
• WS-Security Specification
– describes how to attach signature and encryption
headers to SOAP messages
– describes how to attach security tokens to messages
• X.509 Certificates
• Kerberos Tickets.
26
Web Services Security Specifications
• WS-Policy
– will describe the capabilities and constraints of the security
policies on intermediaries and endpoints
– specifies the required security tokens, supported encryption
algorithms, privacy rules
– this information will be in the WSDL document for a service
• WS-Trust
– will describe a framework for trust models that enables Web
services to securely interoperate
• WS-Privacy
– will describe a model for how Web services and requesters state
privacy preferences and organizational privacy practice
27
statements.
Web Services Security Specifications
• WS-SecureConversation:
– will describe how to manage and authenticate message
exchanges between parties including security context
exchange and establishing and deriving session keys.
• WS-Federation:
– will describe how to manage and broker the trust
relationships in a heterogeneous federated environment
including support for federated identities.
• WS-Authorization:
– will describe how to manage authorization data and
authorization policies
28
Status of IBM/Microsoft Architecture
• Web Services Security:
– Kerberos Binding -
• published as a public specification on 19 December 2003.
– SOAP Message Security
• published as an OASIS Standard in March of 2004.
– UsernameToken Profile 1.0
• published as an OASIS Standard in March of 2004.
– X.509 Certificate Token Profile
• published as an OASIS Standard in March of 2004.
– OASIS -
• Organization for the Advancement of Structured Information
29
Status of IBM/Microsoft Architecture
• WS-Trust
– published as a public specification on 24 May 2004.
• WS-SecureConversation
– was published as a public specification on 24 May 2004.
• WS-SecurityPolicy
– was published as a public specification on 18 December
2002.
• WS-Federation
– published as public specifications on 8 July 2003
30
Web Services Security Threats
• Attacks on the application or the computing system that
provides the Web Service
– threat to availability
• A SOAP message containing malicious data that would
cause the web service application to execute in an
unintended mode
• The SOAP message could contain a request for a service
that is not advertised on that site is provided
• SOAP messages easily pass through firewalls
– Needed: firewalls that filter the content of SOAP messages
requesting passage through the firewall
31
Summary
The purpose of this tutorial was to provide a foundation for an
understanding of the need for and techniques of web services
security.
32
Slides:
http://www.washburn.edu/cas/cis/boncella
E-mail:
bob.boncella@washburn.edu
33
Bibliography
Albrecht, C. (2004) How Clean Is the Future of SOAP?, Communication of the ACM, 47,2,Feb. 2004.
Atkinson, B., Della-Libera, G., Hada, S., Hondo, M., Hallam-Baker, P., Klein, J., LaMacchia, B.,
Leach, P., Manferdelli, J., Maruyama, H., Nadalin, A., Nagaratnam, N., Prafullchandra, H., Shewchuk,
J., Simon, D. (2002) "Web Services Security (WS-Security)", http://www-
106.ibm.com/developerworks/webservices/library/ws-secure/ (current Feb. 22, 2004)
Biron, P.V. and Malhotra, A. (2001) "XML Schema Part 2: Datatypes"
http://www.w3.org/TR/xmlschema-2/ (current Feb. 22, 2004)
Boncella, R. (2000) "Web Security for E-Commerce", Communications of the AIS, 4, 11, Nov. 2000.
Boncella, R. (2003) SSL in The Internet Encyclopedia, Hossein Bidgoli (Editor), New York, New York,
J. Wiley, 2003.
Christensen, E., Curbera, F., Meredith, G., Weerawarana, S. (2001) " Web Services Description
Language (WSDL) 1.1", http://www.w3.org/TR/wsdl (current Feb. 22, 2004)
Fielding, R., Gettys, J., Mogul, J.,. Frystyk, H., Masinter,. L.,. Leach, P., and Berners-Lee, T. (1999)
"Hypertext Transfer Protocol HTTP/1.1", http://www.ietf.org/rfc/rfc2616.txt (current Feb. 22, 2004).
Eastlake, D., and Reagle, J (2001) " XML Signature", http://www.w3.org/Signature/ (current Feb. 22,
2004)
34
Bibliography
Ford, W., Hallam-Baker, P., Fox, B., Dillaway, B., LaMacchia, B., Epstein, J., Lapp, J., (2001) " XML Key
Management Specification (XKMS)", http://www.w3.org/TR/xkms/ (current Feb. 22, 2004)
Gudgin, M., Hadley, M., Mendelsohn, N., Moreau, J., Nielsen H. F. (2003) "SOAP Version 1.2 Part 1:
Messaging Framework", http://www.w3.org/TR/soap/ (current Feb. 22, 2004)
Kristol, D, and Montulli, L. (2000), " HTTP State Management Mechanism",
http://www.ietf.org/rfc/rfc2965.txt (current Feb. 22, 2004)
OASIS (2001) (Organization for the Advancement of Structured Information Standards), " Universal
Description, Discovery and Integration", http://www.uddi.org/ (current Feb. 22, 2004)
OASIS (2003), (Organization for the Advancement of Structured Information Standards), " eXtensible
Access Control Markup Language", http://www.oasis-
open.org/committees/tc_home.php?wg_abbrev=xacml.(current Feb. 22, 2004)
OASIS (2004), (Organization for the Advancement of Structured Information Standards), "Security
Assertion Markup Language (SAML)", http://www.oasis-
open.org/committees/tc_home.php?wg_abbrev=security (current Feb. 22, 2004)
Reagle, J. (2001) " XML Encryption", http://www.w3.org/Encryption/2001/ (current Feb. 22, 2004)
Thompson, H.S.,Beech, D., Maloney, M., Mendelsohn N. (2001) " XML Schema Part 1: Structures",
http://www.w3.org/TR/xmlschema-1/ (current Feb. 22, 2004)
W3C (1996) ' Extensible Markup Language (XML)", http://www.w3.org/XML/ (current Feb. 22, 2004)
35