SE 690 - Survey 1 Gap Assessment of the Top Web Service Specifications Managing the Security of Web Services Cristina Fhied SE690 Final Presentation Advisor: Xiaoping Jia, Luigi Guadagno

Post on 20-Dec-2015

Page 1: SE 690 - Survey1 Gap Assessment of the Top Web Service Specifications Managing the Security of Web Services Cristina Fhied SE690 Final Presentation Advisor:

SE 690 - Survey 1

Gap Assessment of the Top Web Service Specifications Managing the Security of Web Services

Cristina Fhied
SE690 Final Presentation
Advisor: Xiaoping Jia, Luigi Guadagno

Page 2

Outline
1. Project Goal
2. Overview of Web Services (introduction)
3. Security Enterprise Requirements
4. Security Specifications
   Comparison Overview (how they map to the requirements)
   Drawbacks and Benefits of each Model
5. Current Enterprise State Survey
6. Conclusion and Recommendations
7. Potential Future Work

Page 3

Project Goal
Research available web service specifications.
Conduct an enterprise state survey exploring the problems and experiences facing network professionals.
Research the enterprise communication and architecture requirements for secure Web Services.
Prepare gap assessment tables mapping the communication and network enterprise requirements against the researched security specifications.
Prepare a model showing how the WS-Security specification interacts with the other researched web service specifications.

Page 4

What are Web Services?
“Software pieces that interact with each other using internet standards to create an application in response to requests that conform to agreed-upon formats.” [Infravio, 2003]

Page 5

What Are the Characteristics…
A web service is accessible over the internet.
Provides an interface that can be called from one application to another.
The interface can be called from any type of application client or service.
Acts as a liaison between the web and the application logic that implements the service.

Page 6

How Does a Web Service Communicate?
Uses XML on top of HTTP.
XML is a widely accepted format for exchanging data and its semantics.
The Web service STACK consists of:
XML (eXtensible Markup Language)
SOAP (Simple Object Access Protocol)
WSDL (Web Services Definition Language)
UDDI (Universal Discovery Description Language)

Page 7

Web Services Stack (figure, top layer first)

Layer                      Role
UDDI                       Returns the WSDL reference used to bind to a web service
WSDL                       Specifies how to connect to a web service
SOAP                       Acts as the envelope for XML messages
XML                        Better describes the data being sent
HTTP (SMTP, FTP, other)    Transport layer

Page 8

What About Current Web Security?
To date much of web security is built around encryption through secure socket layers (SSL) using the simple object access protocol (SOAP).
This is not enough to protect supply-chain operations and other business-to-business transactions, because SOAP is based on XML.
Transmission is one-way, so messages are easy to steal and resend (replay).

Page 9

Enterprise Requirements
Network
Communication

Page 10

Communication-based Enterprise Security Requirements…
Authentication
Authorization
Data protection
Non-repudiation

Page 11

Defining Requirements
Authentication – involves accepting credentials from the entity and validating them against an authority.
Authorization – determines whether the service has granted the requestor access to the web service.
Data protection – ensures that the web service request and response have not been tampered with en route. Requires both integrity and privacy.
Non-repudiation – guarantees that the message sender is the same as the creator of the message.

Page 12

Network-based Enterprise Security Requirements…
Confidentiality
Integrity
Accessibility

Page 13

Defining Requirements Cont.
Confidentiality – the contained information requires protection against unauthorized use or disclosure.
Accessibility – the information must be available on a timely basis to meet mission requirements or to avoid substantial losses.
Integrity – the contained information must be protected from unauthorized, unanticipated or unintentional modifications.

Page 14

Available Industry Specifications
Definitions and Features
Comparison Mapping Overview
Drawbacks and Benefits
Model

Page 15

PKI
Public Key Infrastructure is an open specification.
Published by VeriSign in 2002.
Integrates digital certificates and certificate authorities into an enterprise-wide network security architecture.

Page 16

PKI Cont.
Provides protection by:
Authenticating identity
Verifying integrity
Ensuring privacy
Authorizing access
Authorizing transactions
Supporting non-repudiation

Page 17

PKI Cont.
Strengths:
Integrates authentication and digital signatures.
Allows confidential validation of the identity of each party in an internet transaction.
Ensures that the message or document the digital certificate signs has not been changed in transit online.
Protects information from interception during Internet transmission.
Validates a user identity, making it possible to later update a digitally signed transaction (single sign-on).

Page 18

PKI Cont.
Weaknesses:
Complications associated with the usage of proprietary PKI software toolkits.
Complex deployment associated with server-side components.
Complexity of integrating authentication and digital signatures into web service applications.

Page 19

SAML
Security Assertion Markup Language is an XML-based security framework for Web Services.
Security specification from OASIS, released in February 2002.
First industry standard for enabling secure e-commerce transactions through XML.

Page 20

SAML Cont.
Gives guidelines on assertions in request and response messages to provide:
Authentication.
Authorization.
Interoperability.
Also shows how single sign-on can be achieved when several web services interact; this is achieved by adding XML assertions.

Page 21

SAML Cont.
Strengths:
Supports real-time authentication and authorization.
Can interoperate with any kind of system.
Makes message integrity and non-repudiation of the sender possible.
Establishes assertion and protocol schemas for the structure of the documents that transport security.
Links back to the actual authentication event and makes its assertions based on the requests of that event.

Page 22

SAML Cont.
Weaknesses:
The security of a SAML conversation is not stand-alone; it depends on a trust model, typically PKI.
Does not address privacy policies.
Does not define any technology or approach for authentication.
Only makes assertions about credentials; does not itself authenticate or authorize users.

Page 23

XKMS
XML Key Management Specification is an open specification.
Published by the W3C as a technical note.
Provides a standard XML-based messaging protocol to outsource the processing of key management to dedicated services.

Page 24

XKMS Cont.
XML version of PKI handling. Integrates:
Authentication.
Authorization.
Malicious attack support.
Uses SOAP over an HTTP-based network.
Makes it easy for applications to interface with key-related services.

Page 25

XKMS Cont.
Strengths:
Integrates authentication and authorization.
Does status checking in a matter of hours.
Rapidly implements trust features, incorporating cryptographic support for XML digital signatures.
Moves the complexity associated with PKI integration to server-side components.
The specification toolkit is completely platform, vendor, and transport protocol independent.
Developer friendly; the syntax used eliminates the plug-ins PKI requires.

Page 26

XKMS Cont.
Weaknesses:
Has no implemented prototype depicting its available techniques.
Needs three standards to be used at the same time for higher security; not a stand-alone application:
X-KISS (XML Key Information Service Specification).
X-KRSS (XML Key Requirement Service Specification).
Protocol Binding Specification.

Page 27

WS-Security
Published in April 2002 by IBM, Microsoft, and VeriSign.
Helps enterprises build secure web services, and applications based on them, that are broadly interoperable.
Proposes a set of SOAP extensions, used when building secure web services, to implement:
Integrity.
Confidentiality.

Page 28

WS-Security Cont.
Does not limit itself to a specific model or mechanism; can be used as a guideline.
Has support for several models and security mechanisms.
Supports:
Multiple security tokens.
Cryptography technologies.
Requester security.
Transport security.

Page 29

WS-Security Cont.
Microsoft, VeriSign and IBM are announcing the publication of 5 new specifications. When used with WS-Security they provide a framework that is extensible and flexible in an infrastructure:
WS-Trust: provides interoperability
WS-Secure Conversation: centralized management
WS-Security Policy: protects against malicious attack
WS-Policy: provides authentication
WS-Authorization: provides authorization

Page 30

WS-Security Cont.
Strengths:
Implements integrity and confidentiality.
A building block, or better a blueprint, to be used in conjunction with other web service specifications.
Integrates, unifies and supports many popular security models and technologies.
Defines how signatures can be used.
Provides a generic mechanism to associate security tokens with messages; does not require any particular type of security token.

Page 31

WS-Security Cont.
Weaknesses:
Does not discuss how proof-of-possession must be implemented.
Does not discuss how subject confirmations must be implemented.
Effort needs to be applied to ensure that the security protocols implemented are not exposed to a wide range of attacks.
Not yet approved as a standard; no commercial web services use this specification as of yet.

Page 32

Gap Assessment Table Summary
Comparison mapping of Communication Enterprise Security Requirements.

Requirement                        WS-Security  SAML  XKMS  PKI
Interoperability Support           X            X
Scalability Support                             X
Centralized Management Support                  X
Malicious Attack Support                              X     X

Page 33

Gap Assessment Table Summary
Comparison mapping of Network Enterprise Security Requirements.

Requirement                            WS-Security  SAML  XKMS  PKI
Authentication Support                 X            X     X     X
Authorization Support                               X     X
Data Protection/Confidentiality Support X                       X
Data Integrity Support                 X                        X

Page 34

Model (figure: WS-Security at the centre, with the requirements it and the other specifications address)

Requirements shown: Authentication, Authorization, Data Protection/Confidentiality, Data Integrity, Interoperability, Scalability, Centralized Management, Malicious Attack.

Specifications shown: WS-Security, SAML, XKMS, PKI, and the WS-Security family: WS-Policy Assertion, WS-Secure Conversation, WS-Security Policy, WS-Trust, WS-Authorization.

Page 35

Survey Results
Current Enterprise State

Page 36

About the Survey
Explores areas of interest and experiences of those responsible for ensuring network/web service security.
The survey was voluntary and consisted of eight questions.
The final survey was sent to 25 individuals; 20 individuals submitted a completed survey.

Page 37

Key Research Questions
Rank web-based communication security requirements based on security framework importance.
Rank networking issue requirements based on security framework importance.
Rank security methods in terms of effectiveness in acquiring information security at an organization.

Page 38

Survey Findings
Experienced any of these security breaches:

Security Breach                            Yes   No
Viruses or Worms                           95%   5%
Attacks related to Protocol Weaknesses     43%   57%
Attacks related to insecure passwords      19%   81%
Attacks on bugs in Web Servers             52%   48%

Page 39

Survey Findings
Indicated level of concern in the following issues:

Level of Concern   Issue
1 (Highest)        Malicious Code Infection
2                  System Unavailability
3                  Loss of Confidentiality/Privacy
4 (Lowest)         Physical Security

Page 40

Survey Findings
Method effectiveness in terms of acquiring information security in an organization:

Effectiveness   Method
1 (Most)        Conduct vulnerability assessment
2               Scare them with hacker stories
3               Argue that security should be funded out of indiv.
4 (Least)       Explain the relationship between security and complying with legal industry requirements

Page 41

Survey Findings
Priority of the following items by importance to an organization:

Priority    Item
1 (Most)    Security and availability for Web site and e-commerce operations
2           Strengthening the network perimeter to prevent external intrusions
3           Securing remote access for traveling employees/remote offices
4           Centralized management of control data
5 (Least)   Preventing employees or outsiders from abusing access rights

Page 42

Survey Findings
Prioritize the networking issue requirements based on security framework importance:

Priority       Requirement
1 (Greatest)   Interoperability
2              Scalability
3              Malicious Attack
4 (Least)      Centralized Management

Page 43

Survey Findings
Prioritize the web-based communication security requirements based on security framework importance:

Priority       Requirement
1 (Greatest)   Data Protection/Confidentiality
2              Data Integrity
3              Authorization
4 (Least)      Authentication

Page 44

Conclusion and Recommendation

Page 45

Managing Web Security
It is difficult to determine a single best strategy.
When dealing with applications requiring strong authentication and authorization, the WS-Security and SAML specifications should be considered.
When dealing with concerns of malicious attack and data protection, XKMS and SAML should be considered.
XKMS joined with WS-Security is stronger for digital signing and for SAML assertions.

Page 46

Managing Web Security Cont.
SAML, when combined with WS-Security, should use techniques such as XML signatures and encryption.
SAML assertions should be carried as security tokens as defined in WS-Security.
SAML traffic should be secured by XKMS-based PKI.
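The layout recommended on this slide, as an added example that is not part of the presentation: a SOAP envelope whose wsse:Security header carries a SAML assertion as its security token, and the checks a receiving service applies before trusting the body. It assumes only Python's standard library; the HMAC over the canonicalized Body is a deliberately simplified stand-in for the XML signature a real WS-Security stack would produce, and the key, issuer name, clock, element name BodyHMAC and order payload are constructed values.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Namespaces of SOAP 1.1, WS-Security 1.0 (wsse) and SAML 2.0 assertions.
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
for prefix, uri in (("soap", SOAP), ("wsse", WSSE), ("saml", SAML)):
    ET.register_namespace(prefix, uri)

# Constructed values: a shared key standing in for the signing credential,
# a fixed clock, and a sample order body.
SHARED_KEY = b"constructed-demo-key"
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
PAYLOAD = "<Order><Item>widget</Item><Qty>3</Qty></Order>"


def canonical_body(env):
    """Canonical (C14N 2.0) bytes of the soap:Body, the part the tag covers."""
    body = env.find(f"{{{SOAP}}}Body")
    return ET.canonicalize(ET.tostring(body, encoding="unicode")).encode()


def body_tag(env):
    """Simplified integrity tag: HMAC-SHA256 over the canonical Body.
    A real WS-Security stack would emit a ds:Signature here instead."""
    return hmac.new(SHARED_KEY, canonical_body(env), hashlib.sha256).hexdigest()


def build_envelope(subject, issuer, not_before, not_on_or_after, payload_xml):
    """Sender side: SAML assertion carried as the token inside wsse:Security."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    sec = ET.SubElement(ET.SubElement(env, f"{{{SOAP}}}Header"), f"{{{WSSE}}}Security")
    a = ET.SubElement(sec, f"{{{SAML}}}Assertion", ID="constructed-id-1", Version="2.0")
    ET.SubElement(a, f"{{{SAML}}}Issuer").text = issuer
    ET.SubElement(ET.SubElement(a, f"{{{SAML}}}Subject"), f"{{{SAML}}}NameID").text = subject
    ET.SubElement(a, f"{{{SAML}}}Conditions", NotBefore=not_before.isoformat(),
                  NotOnOrAfter=not_on_or_after.isoformat())
    ET.SubElement(env, f"{{{SOAP}}}Body").append(ET.fromstring(payload_xml))
    ET.SubElement(sec, "BodyHMAC").text = body_tag(env)  # hypothetical element name
    return ET.tostring(env, encoding="unicode")


def verify_envelope(xml_text, trusted_issuers, now):
    """Receiver side: token present, issuer trusted, window valid, body intact."""
    env = ET.fromstring(xml_text)
    sec = env.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security")
    if sec is None:
        return "no wsse:Security header"
    a = sec.find(f"{{{SAML}}}Assertion")
    if a is None:
        return "no SAML token"
    if a.findtext(f"{{{SAML}}}Issuer") not in trusted_issuers:
        return "untrusted issuer"
    cond = a.find(f"{{{SAML}}}Conditions")
    nb = datetime.fromisoformat(cond.get("NotBefore"))
    na = datetime.fromisoformat(cond.get("NotOnOrAfter"))
    if not (nb <= now < na):
        return "assertion outside validity window"
    if not hmac.compare_digest(body_tag(env), sec.findtext("BodyHMAC") or ""):
        return "body integrity check failed"
    return "ok"


def demo():
    """Three cases a receiver must tell apart: valid, tampered body, expired token."""
    trusted = {"idp.example"}
    good = build_envelope("alice", "idp.example", NOW - timedelta(minutes=5),
                          NOW + timedelta(minutes=5), PAYLOAD)
    tampered = good.replace("<Qty>3</Qty>", "<Qty>300</Qty>")
    expired = build_envelope("alice", "idp.example", NOW - timedelta(hours=2),
                             NOW - timedelta(hours=1), PAYLOAD)
    return (verify_envelope(good, trusted, NOW),
            verify_envelope(tampered, trusted, NOW),
            verify_envelope(expired, trusted, NOW))
```

The validity-window check is what limits the resend problem raised on page 8; a stolen message can only be replayed while its assertion is still live, and tampering with the body is caught by the integrity tag.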

Page 47

Managing Web Security Cont.
The most effective method of acquiring information security in an organization is conducting vulnerability assessments and explaining the differences between security and legal requirements.
Obstacles to achieving web service security can be reduced by greatly reducing the technical challenges and complexity of using security specification toolkit products.

Page 48

Potential Future Work
Research and analyze whether an implementation of WS-Security, PKI, SAML and XKMS on Web Services is enough to provide a system with the needed security.

Page 49

Conclusion
For more information please visit the project web site: http://shrike.depaul.edu/~cfhied/se690/abstract.html
Thank you!!!