Web services security I Uyen Dang & Michel Foé
35 Slides1.19 MB
Web services security I Uyen Dang & Michel Foé
Agenda Context – Architectural considerations of security issues in WS – Security threats in Web services Basic concepts (prerequisites) XML independent tools or technologies – SSL – Kerberos – Authentication on HTTP XML specific tools or technologies – – – – – XML signature XML Encryption XKMS SAML XACML Summary and Q&A
Context (SOA)
Architectural considerations of WS security Where security issues occur in SOA? – Network-level – Application-level
Security threats for Web services Unauthorized access Unauthorized alteration of messages Man in the middle Denial of service
Countermeasures (1) Network-level security: – Firewalls – Intrusion detections systems and vulnerability assessment – Securing network communications symmetric /asymmetric encryption Digital certificates and signatures
Countermeasures (2) Application-level security: – Six requirements Authentication Authorization Message integrity Confidentiality Operational defense Non repudiation
Basic concepts (1) Authentication — Verify the identity of an entity Authorization — Specify access rights to a resource
Basic concepts (2) Integrity — Guarantee that a message did not change in transit/time Confidentiality — Ensure that data is available only to those who are authorized to access
Basic concepts (3) Symmetric encryption /decryption – Secure communication between two parties – Both parties share the same key
Basic concepts (4) Asymmetric encryption /decryption – Secure communication between two parties – Requires public/private keys pair for each party
Basic Concepts(5) Digital signature and certificate — Proof the authenticity and integrity of a document/message — Ensure accountability and non-repudiation (certificates)
SSL (Secure Sockets Layer ) What is SSL? – – – – Web protocol secure communication over TCP/IP connections, provides server and client authentication, data encryption, message integrity.
Kerberos What is Kerberos? – – – – 3rd party Authentication protocol Use ticket and a session key Centralized key management Allows single-sign-on
Authentication on HTTP Login/password authentication Support two methods: Basic authentication – Base64 algorithm to encrypt the string login:password – Highly vulnerable Digest – Apply a hash function to the password
http basic authentication example
XML signature Ensure : –data integrity, –message authentication, –and non-repudiation. 3 types of signatures: – Enveloping – Enveloped – Detached signatures or
XML signature (schema) SignedInfo Signature Key information
XML signature (SignedInfo)
XML Signature (key information)
XML Signature (How does it work?) Generate references – Transformation (eventually) – Compute the digest Generate the signature – – – – Build SignedInfo element Apply CanonicalizationMethod Compute the digest Compute the signature on hash with SignatureMethod Just SignedInfo is signed not referenced resources
XML Signature (Example) enveloping enveloped
XML Encryption Encrypts part/whole XML document Ensure confidentiality Use symmetric encryption
XML Encryption (schema) Encryption method Cipher text
XML Encryption (How does it work?) Encryption – – – – Choose the cryptographic algorithm (3DES , AES, etc.) Get or generate the key Serialize data to encrypt Encrypt Decryption – – – – Identify algorithm and key used Get the key Decrypt Integrate data in the final document
XML Encryption (Example)
XKMS (XML Key Management Spec) Alternative to a complex PKI Ease integration of – Authentication, – signature and certificates, – and encryption for XML- based trust services; Support three major services: – Register – Locate – validate
XKMS (example) 4
SAML Security assertion Markup Language – OASIS standard – framework for creating, requesting, and exchanging security assertions between business partners Ease Single Sign-On
SAML components
SAML assertion
SAML example
XACML eXtensible Access Control Markup Language – extension to SAML – define how to use access information and security policies – offer a vocabulary and syntax for managing authorization decisions Two basics components – Access control policy language – Request /response language
Typical use of XACML and SAML
Summary and Q&A Technology XML signature Main purposes data integrity, authentication, non repudation of services XML encryption promote the trusted use of web applications by encrypting XML entities XKMS simplify the integration of PKI and management of digital certificates with XML applications SAML Standards or exchanging authorization and authentication assertions between services to facilitate Single Sign On XACML Language for managing authorization decisions
