1
Web Services Security – Challenges & Trends
Magan Pal Singh
Technical Architect, Sopra Group
[email protected] - www.sopragroup.com
+91 120 4056100
2
Agenda
Web Services Introduction
Web Services Security Elements
Web Services Security Dimensions
Web Services Security Standards
Threats Facing Web Services
Threats Mitigation
3
Web Services Introduction
Increasingly becoming the SOA implementation of choice
Distributed stand-alone services
Platform independence
Heterogeneous environments and technologies
Spread across geographies
Publicly published interfaces – Service Contract
Universally discoverable – UDDI
[Diagram: Rate Service and Loan Service publishing to, and being discovered through, a UDDI registry; numbered interaction steps]
4
Web Services Introduction
Web services Messaging – SOAP
[Diagram: numbered SOAP message exchange between End User, Web Portal, Loan Service, Rate Service and Credit Service]
5
Web Services Introduction
Web Services Coordination
Orchestration – Within the Organization (BPEL)
Choreography – Between Organizations
[Diagram: Loan Service orchestrating Credit Service and Rate Service; Credit Service calling an external Credit Bureau Service; Rate Service aggregating Internal Rate Service1, Internal Rate Service2, Internal Rate Service3 and an external Federal Rate Service]
6
Web Services Security Elements
Applications must be secure and reliable to truly meet SOA goals
Web Services rely on HTTP and the common web-based architecture
Key security elements are:
Identification and Authentication – Verification of the identity of the requestor service
Authorization – Ascertaining the authority of the requestor service to access the resources
Integrity – Ensuring that unauthorized alterations do not happen to the data, whether in transit, in processing or in storage
Non-repudiation – The provider is able to ascertain the identity of the requestor and obtains proof of delivery from the requestor
Confidentiality – Preserving authorized restrictions on access to and disclosure of sensitive information, e.g. personal or proprietary information
Privacy – Restricting access to resources in accordance with organization policy or Federal laws
7
Web Services Security Dimensions
Security dimensions encompass the security elements
Each dimension affects a different layer of a web service
Five Security Dimensions:
Secure Messaging – SOAP messages traversing networks are not viewed or modified by attackers
Protecting Resources – Ensure that each individual web service is adequately protected through appropriate identification, authentication and access control mechanisms
Negotiation of Contracts – Web services should be capable of negotiating business contracts as well as QoP (quality of protection) and QoS (quality of service)
Trust Relationships – Entities involved in a business transaction must trust each other
Security Properties – Ensure effective enforcement of service policy and security policy, and availability of services
8
Web Services Security Standards
Dimension   | Requirement                 | Specifications
Messaging   | Confidentiality & Integrity | WS-Security; SSL/TLS
Messaging   | Authentication              | WS-Security Tokens; SSL/TLS X.509 Certificates
Resource    | Authorization               | XACML; XrML; RBAC, ABAC
Resource    | Privacy                     | EPAL; XACML
Resource    | Accountability              | None
Negotiation | Registries                  | UDDI; ebXML
Negotiation | Semantic Discovery          | SWSA; OWL-S
Negotiation | Business Contract           | ebXML
9
Web Services Security Standards
Dimension           | Requirement     | Specifications
Trust               | Establishment   | WS-Trust; XKMS; X.509
Trust               | Trust Proxying  | SAML; WS-Trust
Trust               | Federation      | WS-Federation; Liberty IDFF; Shibboleth
Security Properties | Policy          | WS-Policy
Security Properties | Security Policy | WS-SecurityPolicy
Security Properties | Reliability     | WS-ReliableMessaging; WS-Reliability
10
Threats Facing Web Services
Message Alteration – Unauthorized insertion, deletion or modification of information in a message in transit, to deceive the receiver
Loss of Confidentiality – Unauthorized disclosure of message information to an unintended recipient
Falsified Messages – Fictitious messages intended to make the receiver believe they were sent by a valid sender
Man in the Middle – Unauthorized interception of a message and forwarding of it to a third party
Principal Spoofing – A malicious message constructed with credentials that appear to be from a different, authorized principal
Forged Claims – A message created with false credentials that appear valid to the receiver
Replay of Messages – The attacker resends a previously sent message
Replay of Message Parts – The attacker includes part of previously sent message(s) in a new message
Denial of Service – The attacker causes the system to expend its resources disproportionately so that valid requests cannot be honored
11
Threats Mitigation
W3C XML Encryption – Used to encrypt part or all of a SOAP message and so provide confidentiality
W3C XML Signature – Used to digitally sign the SOAP message, providing message integrity and sender authentication
WS-Security Tokens – Used to include the sender's credentials so the receiver can authenticate the sender; token types include:
  User Name/Password
  OASIS SAML Assertion
  IETF X.509 certificate
  ISO Rights Expression Language
W3C WS-Addressing IDs – Allow the message sender to supply a unique identifier for each message
IETF SSL/TLS – Secures the HTTP protocol used to exchange SOAP messages
SSL/TLS with client authentication – Both sender and receiver authenticate each other before the HTTP connection is secured
IETF HTTP authentication – Allows a user name and password, or a password digest, to be sent as part of the HTTP header
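As an added illustration, not part of the original slides, the following Python shows how a receiver would combine three of the mitigations above against the replay and forged-claim threats listed earlier: a WS-Security UsernameToken password digest (Base64(SHA-1(nonce + created + password)), as the UsernameToken profile defines it), a freshness window on wsu:Created, and a cache of WS-Addressing MessageIDs already seen. The user "alice", her password, the replay cache and the envelope builder are all constructed for the example.

```python
import base64, hashlib, hmac, os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta
# Namespaces from the WS-Security 1.0 UsernameToken profile and WS-Addressing
NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/",
      "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
      "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
      "wsa": "http://www.w3.org/2005/08/addressing"}
PASSWORDS = {"alice": "s3cret"}  # constructed credential store (hypothetical user)
SEEN_IDS = set()                 # constructed replay cache; use a shared store in production
def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def password_digest(nonce_b64, created, password):
    # PasswordDigest = Base64(SHA-1(nonce + created + password)), as the profile defines it
    raw = base64.b64decode(nonce_b64) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()

def build_envelope(user, password, msg_id, created):
    # Constructed sample SOAP request carrying a UsernameToken and a wsa:MessageID
    nonce = base64.b64encode(os.urandom(16)).decode()
    return f"""<soap:Envelope xmlns:soap="{NS['soap']}" xmlns:wsse="{NS['wsse']}"
  xmlns:wsu="{NS['wsu']}" xmlns:wsa="{NS['wsa']}">
  <soap:Header><wsa:MessageID>{msg_id}</wsa:MessageID>
    <wsse:Security><wsse:UsernameToken><wsse:Username>{user}</wsse:Username>
      <wsse:Password>{password_digest(nonce, created, password)}</wsse:Password>
      <wsse:Nonce>{nonce}</wsse:Nonce><wsu:Created>{created}</wsu:Created>
    </wsse:UsernameToken></wsse:Security></soap:Header>
  <soap:Body><GetRate/></soap:Body></soap:Envelope>"""

def check_request(xml_text, now, max_skew=timedelta(minutes=5)):
    # Receiver-side checks: token present, fresh timestamp, valid digest, unique MessageID
    hdr = ET.fromstring(xml_text).find("soap:Header", NS)
    tok = hdr.find("wsse:Security/wsse:UsernameToken", NS) if hdr is not None else None
    if tok is None:
        return "reject: missing security token"
    msg_id = hdr.findtext("wsa:MessageID", namespaces=NS)
    user, nonce, created, digest = (tok.findtext(p, namespaces=NS) for p in
        ("wsse:Username", "wsse:Nonce", "wsu:Created", "wsse:Password"))
    if not all((msg_id, user, nonce, created, digest)):
        return "reject: missing field"
    if abs(now - parse_ts(created)) > max_skew:      # bounds the replay window
        return "reject: stale timestamp"
    expected = password_digest(nonce, created, PASSWORDS.get(user, ""))
    if user not in PASSWORDS or not hmac.compare_digest(digest, expected):
        return "reject: bad credentials"
    if msg_id in SEEN_IDS:                            # WS-Addressing ID already seen
        return "reject: replayed message"
    SEEN_IDS.add(msg_id)
    return "accept"
```

The digest check proves knowledge of the password without sending it in clear, but on its own it does not protect the message body; XML Signature or TLS is still needed for integrity and confidentiality.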
12
Threats Mitigation
Threats Addressed By Current Web Services Standards
Threat columns (left to right): Message Alteration, Loss of Confidentiality, Falsified Message, Man in the Middle, Principal Spoofing, Forged Claims, Replay of Message Part, Replay of Message, Denial of Service
Standard (row) followed by its marks; X* marks carried a footnote on the original slide
XML Encryption X X X X X
XML Signature X X X X X X
WS-Security Tokens X X X
WS-Addressing X
SSL/ TLS X X X* X X* X* X
SSL/ TLS with Client Certificates X X X X X X X
HTTP Authentication X X X
13
Conclusions
A variety of specifications and standards is available, mostly developed by individual organizations or groups of organizations
Specifications contradict each other
Certain areas of concern, such as Contract Negotiation and Trust Management, are still not adequately addressed
Web Services standards organizations such as OASIS and W3C are working to standardize the specifications
Coordinated effort and research is needed to define commonly acceptable specifications and to provide their implementations
14
Q & A
15
Thank You