An Analysis of SOAP Security - PowerPoint PPT Presentation
1
An Analysis of SOAP Security
  • Vinod Pandarinathan
  • Vijay Asokan
  • Parthiv Nayak

2
Agenda
  • Introduction
  • Skeleton SOAP Message
  • SOAP Message Format and Transmission
  • Why Message Layer Security?
  • CIA in MLS
  • Current Problems and Trends
  • Conclusion
  • ???

3
Introduction
  • SOAP 1.1
  • Simple Object Access Protocol
  • SOAP 1.2
  • A wrapper protocol
  • Written in XML
  • Independent of Platform, OS, Programming Language
  • Independent of the wrapped data
  • Independent of the transport protocol
  • A uni-directional message exchange paradigm
  • Simple and Extensible
  • N4S
  - http://www.w3schools.com/SOAP/soap_intro.asp

4
Skeleton SOAP Message
  <?xml version="1.0"?>
  <soap:Envelope
      xmlns:soap="http://www.w3.org/2001/12/soap-envelope"
      soap:encodingStyle="http://www.w3.org/2001/12/soap-encoding">
    <soap:Header>
      ...
      ...
    </soap:Header>
    <soap:Body>
      ...
      ...
      <soap:Fault>
        ...
        ...
      </soap:Fault>
    </soap:Body>
  </soap:Envelope>

5
Message Transmission
  • Typical Binding
  - Serl.cs.colorado.edu/downloads/serl-talks/2002.02.04-SOAP.ppt

6
Uni-directional Exchange
  [Figure: Initial Sender -> Intermediary -> Intermediary -> Intermediary -> Ultimate Receiver]
  - Serl.cs.colorado.edu/downloads/serl-talks/2002.02.04-SOAP.ppt

7
Bi-directional Exchange Series
  [Figure: Initial Sender <-> Intermediary <-> Ultimate Receiver]
  - Serl.cs.colorado.edu/downloads/serl-talks/2002.02.04-SOAP.ppt

8
Remote Procedure Call
  • To invoke a SOAP RPC, the following information
    is needed:
  • The address of the target SOAP node.
  • The procedure or method name.
  • The identities and values of any arguments to be
    passed to the procedure or method together with
    any output parameters and return value.
  • A clear separation of the arguments used to
    identify the Web resource which is the actual
    target for the RPC, as contrasted with those that
    convey data or control information used for
    processing the call by the target resource.
  • The message exchange pattern which will be
    employed to convey the RPC, together with an
    identification of the so-called "Web Method" (on
    which more later) to be used.
  • Optionally, data which may be carried as a part
    of SOAP header blocks.

  - Serl.cs.colorado.edu/downloads/serl-talks/2002.02.04-SOAP.ppt

9
Example Request Code
  <?xml version='1.0' ?>
  <env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope">
    <env:Header>
      <t:transaction xmlns:t="http://thirdparty.example.org/transaction"
          env:encodingStyle="http://example.com/encoding"
          env:mustUnderstand="true">5</t:transaction>
    </env:Header>
    <env:Body>
      <m:chargeReservation env:encodingStyle="http://www.w3.org/2003/05/soap-encoding"
          xmlns:m="http://www.southwest.com/">
        <m:reservation xmlns:m="http://www.southwest.com/reservation">
          <m:code>AB123CD</m:code>
        </m:reservation>
        <o:creditCard xmlns:o="http://www.visa.com/financial">
          <n:name xmlns:n="http://www.visa.com/employees">
            Parthiv Nayak
          </n:name>
          <o:number>1234567890123456</o:number>
          <o:ccv>123</o:ccv>
          <o:expiration>12/12</o:expiration>
        </o:creditCard>
      </m:chargeReservation>
    </env:Body>
  </env:Envelope>

10
Example Response Code
  <?xml version='1.0' ?>
  <env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope">
    <env:Header>
      <t:transaction xmlns:t="http://thirdparty.example.org/transaction"
          env:encodingStyle="http://example.com/encoding"
          env:mustUnderstand="true">5</t:transaction>
    </env:Header>
    <env:Body>
      <m:chargeReservationResponse env:encodingStyle="http://www.w3.org/2003/05/soap-encoding"
          xmlns:m="http://www.southwest.com/">
        <m:code>AB123CD</m:code>
        <m:viewAt>http://www.southwest.com/reservations?code=AB123CD</m:viewAt>
      </m:chargeReservationResponse>
    </env:Body>
  </env:Envelope>
  - http://www.w3.org/TR/soap12-part0/#L1185

11
Message Layer Security
  • Why do we need another layer of security?
  • End to end security
  • Transport layer independence
  • Common Infrastructure
  • Security for stored messages

12
Confidentiality with MLS
  <SOAP-SEC:Encryption xmlns:SOAP-SEC="http://schemas.xmlsoap.org/soap/security/">
    <xenc:DecryptionInfo Id="decInfo1" xmlns:xenc="http://www.w3.org/2000/10/xmlenc">
      <xenc:Method Algorithm="http://www.w3.org/2000/10/xmlenc#des-cbc-pkcs5padding"/>
      <xenc:ReferenceList>
        <xenc:Reference URI="#encData1"/>
      </xenc:ReferenceList>
    </xenc:DecryptionInfo>
  </SOAP-SEC:Encryption>
  <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2000/10/xmlenc"
      Id="encData1" DecryptionInfoURI="#decInfo1" IV="x40tN1mAZSY=">
    0rqGM/nMhGNHY0U6ZhbkuPDEpYaqD/nwqtt0iw361RLeVGvJgn37GeNkdaVYJizNWsqR//TDeOG=
  </xenc:EncryptedData>

13
Authentication - Digitally signed messages
  <SOAP-ENV:Header>
    <SOAP-SEC:Signature xmlns:SOAP-SEC="http://schemas.xmlsoap.org/soap/security/"
        SOAP-ENV:actor="urn:validator"
        SOAP-ENV:mustUnderstand="1">
      <ds:Signature Id="MyFirstSignature" xmlns:ds="http://www.w3.org/2000/02/xmldsig#">
        <ds:SignedInfo>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
          <ds:Reference URI="#Body">
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>MC0CFFrVLtRlk...</ds:SignatureValue>
      </ds:Signature>
    </SOAP-SEC:Signature>
  </SOAP-ENV:Header>
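
The slide shows the header block but not what the urn:validator node does with it. The following is an added example (not from the presentation or the W3C note) of a receiver that enforces mustUnderstand and checks an HMAC-SHA1 over the Body, so that a change made by any intermediary between sender and receiver is detected. Assumptions: a constructed shared secret KEY, and, as a labelled simplification, the MAC is computed over the re-serialized Body element rather than over a canonicalized XML-DSig SignedInfo.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

ENV = "http://schemas.xmlsoap.org/soap/envelope/"
SEC = "http://schemas.xmlsoap.org/soap/security/"
DS = "http://www.w3.org/2000/02/xmldsig#"
HMAC_SHA1 = "http://www.w3.org/2000/09/xmldsig#hmac-sha1"
for prefix, uri in (("SOAP-ENV", ENV), ("SOAP-SEC", SEC), ("ds", DS)):
    ET.register_namespace(prefix, uri)

KEY = b"constructed-demo-secret"        # constructed shared secret (sender <-> urn:validator)
UNDERSTOOD = {f"{{{SEC}}}Signature"}    # header blocks this receiving node implements

def body_mac(root, key):
    # Simplification: HMAC over the re-serialized Body, without XML canonicalization.
    body = root.find(f"{{{ENV}}}Body")
    return base64.b64encode(hmac.new(key, ET.tostring(body), hashlib.sha1).digest()).decode()

def sign(envelope_xml, key):
    """Sender: add the SOAP-SEC:Signature header block from the slide, MAC over the Body."""
    root = ET.fromstring(envelope_xml)
    sec = ET.SubElement(root.find(f"{{{ENV}}}Header"), f"{{{SEC}}}Signature",
                        {f"{{{ENV}}}actor": "urn:validator", f"{{{ENV}}}mustUnderstand": "1"})
    sig = ET.SubElement(sec, f"{{{DS}}}Signature", {"Id": "MyFirstSignature"})
    info = ET.SubElement(sig, f"{{{DS}}}SignedInfo")
    ET.SubElement(info, f"{{{DS}}}SignatureMethod", {"Algorithm": HMAC_SHA1})
    ET.SubElement(info, f"{{{DS}}}Reference", {"URI": "#Body"})
    ET.SubElement(sig, f"{{{DS}}}SignatureValue").text = body_mac(root, key)
    return ET.tostring(root)

def verify(envelope_xml, key):
    """Receiver (urn:validator): return 'ok' or the SOAP 1.1 faultcode it would raise."""
    root = ET.fromstring(envelope_xml)
    header = root.find(f"{{{ENV}}}Header")
    for block in ([] if header is None else header):
        if block.get(f"{{{ENV}}}mustUnderstand") == "1" and block.tag not in UNDERSTOOD:
            return "SOAP-ENV:MustUnderstand"   # a mustUnderstand block we do not implement
    sig = root.find(f"{{{ENV}}}Header/{{{SEC}}}Signature/{{{DS}}}Signature")
    method = None if sig is None else sig.find(f"{{{DS}}}SignedInfo/{{{DS}}}SignatureMethod")
    if method is None or method.get("Algorithm") != HMAC_SHA1:
        return "SOAP-ENV:Client"               # unsigned, or an algorithm we do not accept
    if not hmac.compare_digest(sig.findtext(f"{{{DS}}}SignatureValue", ""), body_mac(root, key)):
        return "SOAP-ENV:Client"               # Body altered in transit, or wrong key
    return "ok"

# Constructed unsigned request, modelled on the chargeReservation example.
UNSIGNED = (f'<SOAP-ENV:Envelope xmlns:SOAP-ENV="{ENV}"><SOAP-ENV:Header/><SOAP-ENV:Body>'
            '<m:chargeReservation xmlns:m="http://www.southwest.com/"><m:code>AB123CD</m:code>'
            '</m:chargeReservation></SOAP-ENV:Body></SOAP-ENV:Envelope>')
```

verify(sign(UNSIGNED, KEY), KEY) returns "ok"; changing the reservation code in the signed bytes, or presenting the message with a mustUnderstand header block the validator does not implement, yields the corresponding faultcode instead.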

14
Authorization - MLS
  <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
    <SOAP-ENV:Header>
      <SOAP-SEC:Authorization xmlns:SOAP-SEC="http://schemas.xmlsoap.org/soap/security/"
          SOAP-ENV:actor="a URI of an actor"
          SOAP-ENV:mustUnderstand="1">
        <AttributeCert>
        </AttributeCert>
      </SOAP-SEC:Authorization>
    </SOAP-ENV:Header>
    <SOAP-ENV:Body>
    </SOAP-ENV:Body>
  </SOAP-ENV:Envelope>

15
Current Problem
  • SOAP uses HTTP, and can transfer binary files
  • HTTP traffic is not blocked by Firewalls
  • Network Security is breached.
  • "SOAP goes through firewalls like a knife through
    butter."
  - http://www.prescod.net/rest/security.html
  • Possible Solution
  • Parsing XML data.
  • CPU intensive, and lower performance.
  • Also hard to find patterns because of XML's
    dynamic nature.

16
Current Trend
  • Axis2 - Apache Software Foundation
  • Provides web service engines designed for SOAP
    and XML with emphasis on security, and
    modularization.

  - http://ws.apache.org/axis2/1_2/userguide.html#handlessoap

17
Cont.
  • SOAP Security Extensions - W3C
  • Provides SOAP Security Extensions. Currently we
    have the SOAP Security Extensions: Digital
    Signature
  • WS-Security (Web Services Security) - OASIS
  • Provides the mechanism for security tokens
    within SOAP messages, and also details the use of
    Kerberos and X.509 certificates with SOAP.

18
Cont.
  • Current Goal of OASIS
    (http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0.pdf)
  • Multiple security token formats
  • Multiple trust domains
  • Multiple signature formats
  • Multiple encryption technologies
  • End-to-end message content security and not just
    transport-level security
  • The OASIS consortium comes up with the security
    guidelines and, after approval and implementation
    phases, ratifies them as a standard.

19
Conclusion
  • SOAP is new.
  • More standardization required.
  • Needs modularization in security.
  • Going in the right direction.

20
  • We hope NOT!!! :-)