Web Services Security - PowerPoint PPT Presentation

Slides: 46
Provided by: huang9

1
Web Services Security
  • Lin Yan
  • Department of ECE
  • University of Manitoba
  • Manitoba, Canada

2
Web Services Security
  • Introduction
  • Technologies for Web Services Security
  • Credit Card Web Service Architecture
  • Building a Credit Card Web Service using SOAP,
    WSDL and UDDI
  • Credit Card Web Service Implementation
  • Comparison and Conclusions

3
Introduction
  • The Internet
  • Conceived in the 1960s
  • ARPANET went online in the 1970s
  • TCP/IP was created in the 1980s
  • Changed the way businesses operate
  • Web Services
  • Definition
  • Purpose
  • Architecture

4
Introduction
Web Services Architecture
5
Introduction
  • Associated Web Services Standards
  • Extensible Markup Language - XML
  • A syntax for defining markup languages
  • To structure the document in a standard way and
    make it machine-readable
  • Operating system independent
  • Simple Object Access Protocol - SOAP
  • XML based protocol for the exchange of
    information in a decentralized, distributed
    environment
  • Consists of three parts: an envelope, encoding
    rules, and a convention for representing RPCs
    and responses

6
Introduction
  • Associated Web Services Standards
  • Web Services Description Language - WSDL
  • Creates a standard way for specifying the details
    of a Web service
  • Clients can use a Web service even if they have
    no prior knowledge of the service
  • Universal Description, Discovery, Integration -
    UDDI
  • Directory service where businesses and
    organizations can register, deregister and look
    up Web services
  • Platform-independent framework for describing
    services, discovering businesses, and integrating
    business services

7
Introduction
  • Motivations and Objectives
  • Address security issues that arise when users
    access Web services over the Internet
  • Confidentiality
  • Integrity
  • Non-repudiation
  • Accountability

8
Technologies for Web Services Security
  • Public Key Infrastructure
  • Security through cryptography
  • Encryption key pair
  • Signing key pair
  • Certificates
  • Contain the basic information detailing a
    person's identity and his/her public key
  • Certification Authority
  • A trusted entity that issues the certificates

9
Technologies for Web Services Security
  • Public Key Infrastructure
  • Enabling trust through a Certification Authority
  • Certificate retrieval from a certificate
    repository
  • Certificate revocation
  • Key backup and recovery
  • Automatic update of key pairs and certificates
  • Non-repudiation

10
Technologies for Web Services Security
  • XML Signature
  • A specification for encrypting data and tags
    within an XML document
  • A digital signature expressed in XML
  • Allows for signing part of an XML document
  • Example

11
Technologies for Web Services Security
<Signature Id="MyFirstSignature" xmlns="http://www.w3.org/2000/09/xmldsig#">
  <SignedInfo>
    <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
    <Reference URI="http://www.w3.org/TR/2000/REC-xhtml1-20000126/">
      <Transforms>
        <Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
      </Transforms>
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <DigestValue>j6lwx3rvEPO0vKtMup4NbeVu8nk=</DigestValue>
    </Reference>
  </SignedInfo>
  <SignatureValue>MC0CFFrVLtRlk...</SignatureValue>
  <KeyInfo>
    <KeyValue>
      <DSAKeyValue>
        ...
      </DSAKeyValue>
    </KeyValue>
  </KeyInfo>
</Signature>
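
An added Python example, not part of the original slides, that reads the SignedInfo of the sample above and reports what the signature covers and which algorithm choices need review. The `audit_signature` name, the SHA-256 table entry and the review policy are assumptions of this example; the embedded sample restores the Base64 padding on the digest and leaves out the elided SignatureValue and KeyInfo.

```python
import base64
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"ds": DS}
# Digest size in bytes for the DigestMethod URIs this sketch recognises.
DIGEST_LEN = {DS + "sha1": 20, "http://www.w3.org/2001/04/xmlenc#sha256": 32}
# SHA-1 based identifiers, no longer acceptable for new signatures.
WEAK = {DS + "sha1", DS + "dsa-sha1", DS + "rsa-sha1"}

# The slide's sample; SignatureValue and KeyInfo are elided there and omitted here.
SAMPLE = """<Signature Id="MyFirstSignature" xmlns="http://www.w3.org/2000/09/xmldsig#">
 <SignedInfo>
  <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
  <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
  <Reference URI="http://www.w3.org/TR/2000/REC-xhtml1-20000126/">
   <Transforms>
    <Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
   </Transforms>
   <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
   <DigestValue>j6lwx3rvEPO0vKtMup4NbeVu8nk=</DigestValue>
  </Reference>
 </SignedInfo>
</Signature>"""


def audit_signature(xml_text):
    """Report what a ds:Signature covers and which algorithm choices need review."""
    root = ET.fromstring(xml_text)
    info = root.find("ds:SignedInfo", NS)
    if root.tag != "{%s}Signature" % DS or info is None:
        raise ValueError("not a ds:Signature with SignedInfo")
    sig_alg = info.find("ds:SignatureMethod", NS).get("Algorithm")
    report = {"signature_method": sig_alg, "references": [], "findings": []}
    if sig_alg in WEAK:
        report["findings"].append("weak SignatureMethod: " + sig_alg)
    for ref in info.findall("ds:Reference", NS):
        alg = ref.find("ds:DigestMethod", NS).get("Algorithm")
        value = ref.findtext("ds:DigestValue", "", NS).strip()
        size = len(base64.b64decode(value, validate=True))
        # Only the data named by each Reference URI is covered by the signature.
        report["references"].append((ref.get("URI"), alg, size))
        if alg in WEAK:
            report["findings"].append("weak DigestMethod: " + alg)
        if DIGEST_LEN.get(alg) != size:
            report["findings"].append("digest length mismatch for " + str(ref.get("URI")))
    return report


if __name__ == "__main__":
    print(audit_signature(SAMPLE))
```

This inspects structure and algorithm identifiers only; it does not verify the signature value.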
12
Technologies for Web Services Security
  • XML Encryption
  • A specification for encrypting and decrypting
    digital content
  • Encrypted content can be represented in XML
  • Portions of a document can be selectively
    encrypted
  • Example

13
Technologies for Web Services Security
  • Encrypting the CreditCard Element
    <?xml version='1.0'?>
    <PaymentInfo xmlns='http://UM.edu/details'>
      <Name>Alice</Name>
      <EncryptedData Type='http://www.w3.org/2001/04/xmlenc#Element'
                     xmlns='http://www.w3.org/2001/04/xmlenc#'>
        <CipherData>
          <CipherValue>A23B45C56</CipherValue>
        </CipherData>
      </EncryptedData>
    </PaymentInfo>

14
Technologies for Web Services Security
  • XML Key Management Specification - XKMS
  • Outlines protocols for the distribution and
    registration of public keys
  • Supports XML Encryption and XML Signature
  • Contains two parts
  • XML Key Information Service Specification (X-KISS)
  • XML Key Registration Service Specification (X-KRSS)

15
Technologies for Web Services Security
  • XML Key Information Service Specification
  • Locates public key
  • Clients send a locate request to the XKMS
    service.
  • The locate service resolves the <ds:KeyInfo>
    element to get the public key and its binding
    information
  • XKMS sends it back to client
  • Validates public key
  • The validate service validates the returned key
    according to the policy of the validate service

16
Technologies for Web Services Security
  • XML Key Registration Service Specification
  • Register
  • Enables the client to register a public key pair
    with an XKMS service.
  • Reissue
  • Allows the previously registered key binding to
    be issued again
  • Revoke
  • Recover

17
Technologies for Web Services Security
  • WS-Security
  • A mechanism for signing and encrypting parts of a
    SOAP message
  • A standard set of SOAP extensions to be used to
    build secure Web services
  • Provides three major mechanisms
  • Message integrity
  • Message confidentiality
  • Ability to pass around security tokens as part of
    a message
  • IBM/Microsoft Web Services Security Road Map

18
Credit Card Web Service Architecture
  • The Client/Server Model
  • Describes the relationship between two computer
    programs
  • One program, the client, makes a service request
    to another program, the server
  • The server fulfills the request
  • 3-tier Architecture
  • User interface
  • Business logic
  • Databases and programming related to managing it

19
Credit Card Web Service Architecture
  • 3-tier Architecture in a Credit Card Web Service
  • The presentation layer
  • Contains the presentation objects responsible for
    presenting information to end-users
  • In our application, Input.jsp, Method.jsp and
    Result.jsp are presentation objects to allow the
    user to input a credit card number and perform
    the get limit action and display the result
  • The business layer
  • Contains the business objects, each of which is
    responsible for a specific business process
  • In our application, CreditCardService.java was
    defined as a business object which is responsible
    for validating a credit card

20
Credit Card Web Service Architecture
  • 3-tier Architecture in Credit Card Web Service
  • The data layer
  • Contains the data objects (DO) and the methods
    used to handle the different data components
  • In our application, a card DO contains the
    information of a credit card. It can contain
    attributes such as card number, card type,
    expiration date, etc.
  • A database manager controls an application's pool
    of database connections

21
Credit Card Web Service Architecture
  • Use Case Analysis
  • Explore the UML modeling technique to describe
    the credit card system development
  • In our credit card checking scenario, there are
    four actors
  • The client
  • Browser
  • Controller
  • Database server

22
Credit Card Web Service Architecture
  • Entrust PKI
  • Entrust PKI Architecture
  • Authority
  • Authority Master Control
  • Registration Authority
  • Authority Database
  • Directory

23
Credit Card Web Service Architecture
  • Entrust PKI
  • Entrust PKI User Roles
  • Master user
  • Security officer
  • Administrator
  • Directory Administrator
  • Auditor
  • End user

24
Credit Card Web Service Architecture
  • Public-Key Cryptographic Standard #7
  • PKCS #7 is the Cryptographic Message Syntax
    standard which describes a general syntax for
    data that may have cryptography applied to it
  • Supports many different content types
  • PKCS #7 was used in the Credit Card Web Services
    application to encrypt and digitally sign the
    sensitive information

25
Building Credit Card Web Service using SOAP, WSDL
and UDDI
  • Credit Card Web Service Overview
  • Provides credit card validation and limit check
    business functions
  • Also a Web Services consumer. It consumes other
    Web Services such as update card service, cancel
    card service
  • Credit card validation service example

26
Building Credit Card Web Service using SOAP, WSDL
and UDDI
  • SOAP Message Structure
  • SOAP request for the getLimit service
  • The request takes a string parameter, an
    encrypted credit card number
    <soap:Body>
      <m:getLimitRequest xmlns:m="http://tempuri.org/um.edu.CreditCardService">
        <cardNo xsi:type="xsd:string">ATKEKDL</cardNo>
      </m:getLimitRequest>
    </soap:Body>

27
Building Credit Card Web Service using SOAP, WSDL
and UDDI
  • SOAP Message Structure
  • SOAP response for the getLimit service
  • The response returns a float, the limit amount of
    the card
    <soap:Body>
      <m:getLimitResponse xmlns:m="http://tempuri.org/um.edu.CreditCardService">
        <Limit>3000.00</Limit>
      </m:getLimitResponse>
    </soap:Body>
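
An added Python example, not part of the original slides, showing strict receiver-side parsing of the getLimit request and response from the two slides above. The surrounding SOAP 1.1 envelope, the function names and the 4096-character bound on cardNo are assumptions of this example; the slides show only the body fragments.

```python
import xml.etree.ElementTree as ET
from decimal import Decimal, InvalidOperation

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"    # SOAP 1.1 envelope namespace
SVC = "http://tempuri.org/um.edu.CreditCardService"   # service namespace from the slides
NS = {"soap": SOAP, "m": SVC}


def wrap(body):
    # Constructed envelope: the slides show only the soap:Body fragment.
    return ('<soap:Envelope xmlns:soap="%s" xmlns:xsd="http://www.w3.org/2001/XMLSchema" '
            'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:m="%s">'
            '<soap:Body>%s</soap:Body></soap:Envelope>' % (SOAP, SVC, body))


REQUEST = wrap('<m:getLimitRequest><cardNo xsi:type="xsd:string">ATKEKDL</cardNo>'
               '</m:getLimitRequest>')
RESPONSE = wrap('<m:getLimitResponse><Limit>3000.00</Limit></m:getLimitResponse>')


def operation(xml_text, name):
    """Return the single body element called `name` in the service namespace."""
    # SOAP 1.1 messages must not carry a DTD; refusing one also avoids entity expansion.
    if "<!DOCTYPE" in xml_text:
        raise ValueError("DTD not allowed in a SOAP message")
    root = ET.fromstring(xml_text)
    body = root.find("soap:Body", NS)
    ops = [] if body is None else list(body)
    if root.tag != "{%s}Envelope" % SOAP or len(ops) != 1 or ops[0].tag != "{%s}%s" % (SVC, name):
        raise ValueError("expected one %s element in the service namespace" % name)
    return ops[0]


def read_card_no(xml_text, max_len=4096):
    value = (operation(xml_text, "getLimitRequest").findtext("cardNo") or "").strip()
    if not value or len(value) > max_len:
        raise ValueError("cardNo missing or too long")
    return value  # still ciphertext: decrypt and verify it before any database lookup


def read_limit(xml_text):
    text = (operation(xml_text, "getLimitResponse").findtext("Limit") or "").strip()
    try:
        limit = Decimal(text)  # Decimal keeps 3000.00 exact; the slide types it as float
    except InvalidOperation:
        raise ValueError("Limit is not a number")
    if not limit.is_finite() or limit < 0:
        raise ValueError("Limit out of range")
    return limit
```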

28
Building Credit Card Web Service using SOAP, WSDL
and UDDI
  • SOAP Message Encoding
  • Provides a standard data encoding scheme
  • Makes use of types defined in XML schema and
    creates the mapping for language-specific type
    definition to ensure interoperability
  • xsd:string indicates a mapping from Java type
    String to XML Schema type string

29
Building Credit Card Web Service using SOAP, WSDL
and UDDI
  • WSDL
  • A WSDL document provides the necessary details
    for a service requestor to contact and consume a
    service
  • Consists of a set of definitions
  • Definition
  • Types
  • Message
  • PortType
  • Binding
  • Port
  • Service

30
Building Credit Card Web Service using SOAP, WSDL
and UDDI
  • UDDI
  • UDDI Business Registry
  • An implementation of the UDDI specification
  • Public UDDI Business Registry
  • Operator site
  • Node operators
  • Private UDDI Business Registry

31
Building Credit Card Web Service using SOAP, WSDL
and UDDI
  • UDDI
  • Using UDDI to Register and Find a Service
  • Register Credit Card Web Service through IBM UDDI
    Business Registry
  • Obtain a user account
  • Register the business information and get a
    unique business ID
  • Register the Credit Card Web Service to get a
    unique service ID and specify the access point
  • Find a registered business

32
Credit Card Web Service Implementation
  • Implementation Language
  • Java 1.5
  • Portability
  • Extensibility
  • Cost effectiveness
  • Performance
  • Implementation Tools
  • Entrust Authority Security Toolkit for Java
  • IBM Websphere Studio

33
Credit Card Web Service Implementation
  • Entrust Authority Security Toolkit for Java
  • Overview
  • Gives the ability to add trusted security to our
    application
  • Gives our application access to the underlying
    security structure of a PKI
  • Architecture
  • Low-level API resides on top of JCE (Java
    Cryptography Extension)
  • High-level API provides classes that implement
    frequently used cryptographic tasks

34
Credit Card Web Service Implementation
  • Entrust Authority Security Toolkit for Java
  • Credentials
  • Used to describe a set of data that contains a
    user's critical cryptographic information
  • In an Entrust PKI, an Entrust Profile is used to
    contain a user's public and private credentials
  • Identifying a User
  • The process of logging in involves reading and
    verifying a user's credentials
  • In our case, we use an Entrust Profile yanlin.epf
    to perform the login task

35
Credit Card Web Service Implementation
  • IBM Websphere Studio
  • State-of-the-art Java IDE
  • Provides development tools to enable the
    creation, development and deployment of Web
    service
  • Logic flow of Credit Card Web Service in WSAD
  • Create a Credit Card Web Service
  • Generate Deployment Descriptor to deploy this Web
    Service on the server
  • Generated CreditCardServiceProxy to accept the
    client requests
  • Used SOAP to encode invocation parameters and
    results over HTTP

36
Credit Card Web Service Implementation
  • PKCS #7 Implementation with Entrust Toolkit
  • Encode
  • Instantiate, and log in, a user
  • Create PKCS7EncodeStream object
  • Specify the digest and encryption algorithms
  • Specify the input data and write the encrypted
    and signed data to the output stream
  • Decode
  • Instantiate, and log in, a user
  • Create PKCS7DecodeStream object
  • Read the decrypted and signed data

37
Credit Card Web Service Implementation
  • Database Design and Implementation
  • IBM DB2 Universal Database was chosen as the DBMS
    system
  • Established a database with a name CCARD which
    stores the information of credit cards and card
    holders
  • Two tables were defined, linked by the card
    number attribute
  • JDBC is used to access the database through the
    business layer

38
Comparison with other Web Services Security
Solutions
  • Benefits/Limitations of existing technologies
  • Security Assertions Markup Language (SAML)
  • Extensible Access Control Markup Language (XACML)
  • Put web services security technologies together
  • Benefits/Limitations of the proposed solutions

39
Comparison with other Web Services Security
Solutions
  • SAML
  • Includes four main components
  • Assertions, which are declarations of fact about
    a subject
  • Request/response protocol to exchange assertions
  • Bindings to transport SAML assertion messages
  • Profiles, which define constraints and/or
    extensions of the core protocols and assertions
  • Enables cross-domain trust
  • Single sign-on
  • Distributed transaction
  • An authorization service

40
Comparison with other Web Services Security
Solutions
  • XACML
  • Describes both an access control policy language
    and a request/response language
  • Consistent with and builds on SAML
  • Reduces the cost of developing an
    application-specific access control language
  • Helps applications interoperate more easily
  • Extensible
  • Too complicated, needs too much configuration
    while setting up hierarchical resources
  • Response message is more verbose

41
Comparison with other Web Services Security
Solutions
  • Putting It Together
  • How Web services security standards work together
  • The standards are new emerging technologies, not
    yet mature
  • Adding the security information into the SOAP
    header increases the overhead, may affect the
    efficiency
  • XML encryption and XML signatures are complex
  • Identity collisions may occur when encrypted
    contents generated in one context are dropped in
    another context

42
Comparison with other Web Services Security
Solutions
  • Benefits of the proposed solutions
  • Uses PKI, a mature technology, as our basic
    underlying security infrastructure
  • PKI is the fundamental component of Web services
    security architecture
  • PKI lets companies build their own security
    system
  • Act as their own Certificate Authority (CA)
  • Confidentiality
  • Authentication
  • Non-repudiation
  • Integrity
  • Automatic key management

43
Comparison with other Web Services Security
Solutions
  • Limitations of the proposed solutions
  • Discovery and validation of the certification
    paths is complex
  • Cost
  • Build and manage circles of trust

44
Conclusions
  • Designed and developed a Credit Card Web Service
    using SOAP, WSDL and UDDI
  • Presented a viable approach for securing the
    Credit Card Web service through the use of PKI
    and the PKCS #7 standard
  • Increased the security of transferring XML
    messages over the Internet
  • Drew a comparison between this approach and the
    new emerging Web services security standards

45
Thanks ...