Web Services Security - PowerPoint PPT Presentation

1 / 48
About This Presentation
Title:

Web Services Security

Description:

Web Services Security dr. Joris Claessens European Microsoft Innovation Center Outline Introduction: Web Services ? Secure, reliable, and ... – PowerPoint PPT presentation

Number of Views:298
Avg rating:3.0/5.0
Slides: 49
Provided by: JorisCl3
Learn more at: https://people.cs.vt.edu
Category:

less

Transcript and Presenter's Notes

Title: Web Services Security


1
Web Services Security
  • dr. Joris Claessens
  • European Microsoft Innovation Center
  • ltjorisc_at_microsoft.comgt

2
Outline
  • Introduction Web Services ?
  • Secure, reliable, and transacted web services for
    business processing
  • Web Services Security specifications
  • Web Services Enhancements (WSE)
  • Relationship to trust management in VOs

3
Web Service high-level definition
  • Web Services bring the paradigm of
    service-oriented architecture in practice.
  • They offer an interoperable framework for
    stateless, message-based and loosely-coupled
    interaction between software components.
  • These components can be spread across different
    companies and organizations, can be implemented
    on different platforms, and can reside in
    different computing infrastructures.

4
Web Service technical definition
Requester
Web Service
  • A Web Service exposes useful functionality on the
    Internet via XML messages exchanged through a
    standard protocol, SOAP.
  • The interfaces of a Web Service are described in
    detail in an XML document using WSDL.
  • A Web Service is registered at a UDDI server, and
    is as such discoverable.

5
XML fundamentals
  • eXtensible Markup Language
  • XML 1.1, W3C Recommendation, February 2004
  • meta-language subset of SGML
  • elements and attributes
  • XML Namespaces
  • collections of names, identified by URI
    references, which are used in XML documents as
    element types and attribute names.
  • XML Schema
  • provide a means for defining the structure,
    content and semantics of XML documents
  • cfr. Document Type Definition (DTD)
  • eXtensible Stylesheet Language (XSL)
  • family of recommendations for defining XML
    document transformation and presentation
    (including XSLT and XPath)

6
Web Services Description Language
  • A WSDL document defines web services as
    collections of concrete network endpoints,
    (re)using abstract definitions of operations and
    messages.
  • The following elements define a web service (WSDL
    1.1)
  • ltmessagegts are abstract, typed definitions of the
    data being communicated
  • lttypesgt encloses data type definitions that are
    relevant for the exchanged messages (preferably
    using XSD)
  • ltportTypegt is a named set of abstract
    ltoperationgts and the abstract ltinputgt, ltoutputgt,
    and ltfaultgt messages involved
  • different transmission primitives one-way,
    request-response, solicit-response, and
    notification.
  • ltbindinggt defines concrete message format and
    protocol details for operations and messages
    defined by a particular ltportTypegt
  • e.g., use SOAP (ltsoapheadergt, ltsoapbodygt,
    ltsoapoperationgt).
  • ltservicegt groups a set of related ltportgts
    together
  • ltportgt defines an individual endpoint by
    specifying a single address for a binding e.g.,
    a ltsoapaddressgt a URL (SOAP over HTTP) or email
    address (SOAP over SMTP)
  • Latest WSDL 2.0, November 2003, W3C Working
    Draft
  • ltportTypegt ? ltinterfacegt
  • ltportgt ? ltendpointgt

7
SOAP
  • Latest SOAP 1.2, June 2003, W3C Recommendation
  • Simple Object Access Protocol (deprecated)
  • SOAP extensible XML messaging framework
  • SOAP messages flow from initial SOAP sender to
    ultimate SOAP receiver
  • message path, possibly through multiple SOAP
    intermediaries
  • different message exchange patterns are
    supported
  • a SOAP node can act in one or more SOAP roles
  • messages can be exchanged over a variety of
    underlying protocols
  • A SOAP message is an ltEnvelopegt containing one or
    more ltHeadergts and a ltBodygt
  • Body and Headers can have specific attributes
  • encodingStyle (body),
  • mustUnderstand (header).
  • role (indicates recipient of header if not final
    destination, but intermediary),
  • relay (header, if not processed)
  • Body can be any XML message, particularly a SOAP
    ltFaultgt
  • SOAP binding defines how to carry a SOAP
    message within or on top of another (underlying)
    protocol e.g., within an HTTP body, or over a
    TCP stream

8
Universal Description, Discovery and Integration
  • Latest UDDI Version 3.0.1, OASIS TC Spec., Oct.
    2003
  • Describes the Web services, data structures and
    behaviours of all instances of a UDDI registry
  • A UDDI Registry is formed by one or more UDDI
    Nodes supporting one or more Node API Sets, and
    contains the following information
  • businessEntity (descriptive info of business)
  • businessService (descriptive info of Web service)
  • bindingTemplate (tech. description of Web
    service)
  • tModel (technical fingerprint of the Web
    service)
  • Extensive SOAP-based Node API Sets
  • Inquiry, Publication, Security, Custody Transfer,
    Subscription, Replication

9
Web Services Stack
Business Processing BPEL4WS
Secure
Reliable WS-ReliableMessaging
Transacted WS-Coordination WS-AtomicTransaction WS
-BusinessActivity
Metadata WSDL UDDI WS-Policy WS-PolicyAssertions W
S-PolicyAttachment WS-Discovery
Messaging SOAP, WS-Addressing, MTOM
(Attachments), WS-Eventing
XML
Transports e.g., http
10
Web Services Security specifications
11
Web Services Security ?
  • Why not use underlying security mechanisms at
    transport layer (SSL/TLS) and/or network layer
    (IPsec) ?
  • only security between intermediaries, no
    end-to-end
  • binding specific security (what if web service is
    exposed via email?)
  • channel security, but no message security
  • no digital signatures
  • not XML-aware no XML-based security
  • no security framework (tokens, keys, preferences,
    policies, )
  • no advanced security services (e.g., timestamps)

Web Services Security SOAP message security !
12
WS Security Roadmap (April 2002)
13
Security in a Web Services WorldProposed
Architecture and Roadmap
WS-Trust describes a framework for trust models
that enables Web services to securely interoperate
Policy
Security Token Service
WS-Policy describes the capabilities and
constraints of the security (and other business)
policies on intermediaries and endpoints (e.g.
required security tokens, supported encryption
algorithms, privacy rules)
Policy
Policy
Requester
Web Service
WS-Security how to attach signature and
encryption headers to SOAP messages how to attach
security tokens, including binary security tokens
such as X.509 certificates and Kerberos tickets,
to messages
WS-SecureConversation describes how to manage and
authenticate message exchanges between parties
including security context exchange and
establishing and deriving session keys
14
Security in a Web Services WorldProposed
Architecture and Roadmap
WS-Authorization will describe how to manage
authorization data and authorization policies
WS-Privacy will describe a model for how Web
services and requesters state privacy preferences
and organizational privacy practice statements
Policy
Policy
Security Token Service
Security Token Service
WS-Policy describes the capabilities and
constraints of the security (and other business)
policies on intermediaries and endpoints (e.g.
required security tokens, supported encryption
algorithms, privacy rules)
WS-Federation describes how to manage and broker
the trust relationships in a heterogeneous
federated environment including support for
federated identities
WS-Trust describes a framework for trust models
that enables Web services to securely interoperate
Policy
Policy
Requester
Web Service
WS-Security how to attach signature and
encryption headers to SOAP messages how to attach
security tokens, including binary security tokens
such as X.509 certificates and Kerberos tickets,
to messages
WS-SecureConversation describes how to manage and
authenticate message exchanges between parties
including security context exchange and
establishing and deriving session keys
15
Current WSS landscape in detail
WS-SecureConversation (12/2002)
WS-Federation (07/2003)
WS-Authorization
WS-ActiveProfile
WS-PassiveProfile
WS-Policy (05/2003)
WS-Trust(12/2002)
WS-Privacy
OASIS WSS Username
OASIS WSS X.509
WS-SecurityPolicy
WS Kerberos (12/2003)
OASIS SAML
WS-PolicyAttachment
OASIS XrML
OASIS WSS SOAP Message Security (03/2004)
W3C XML Signature (02/2002)
W3C XML Encryption (12/2002)
W3C SOAP 1.2 (06/2003)
16
Intermezzo XML security
  • XML Signature
  • W3C Recommendation, February 2002
  • provides data integrity and data origin
    authentication of (parts of) XML messages
  • supports both digital signatures and MACs
  • XML Encryption
  • W3C Recommendation, December 2002
  • provides data confidentiality of (parts of) XML
    messages
  • supports symmetric algorithms for data
    encryption, and asymmetric algorithms for
    (symmetric) key transport/establishment

17
WS-Security OASIS, Web Services Security SOAP
Message Security 1.0, March 2004
  • Enhancements to SOAP messaging to provide
    end-to-end, and single message integrity, message
    authentication and message confidentiality
  • Leverages XML Signature (multiple) XML
    Encryption
  • Mechanism for associating security tokens with
    message content
  • Specifies how to encode binary security tokens,
    XML-based tokens, and how to include opaque
    encrypted keys
  • Can support any kind of security token

18
SOAP message security
ltSEnvelopegt
ltSHeadergt
ltwsseSecuritygt
ltwsuTimestampgt
ltxencReferenceListgt ltxencEncryptedKeygt
ltwsseUsernameTokengt
ltwsseSecurityTokenReferencegt
XML-based token ltwsse-Referencegt
ltwsse-KeyIdentifiergt ltwsse-Embeddedgt
or
ltwsseBinarySecurityTokengt
ltdsSignaturegt
ltSBodygt
ltxencEncryptedDatagt
19
WS-Policy IBM/Microsoft, Web Services Policy
Framework 1.1, May 2003
  • Provides a general purpose model and
    corresponding syntax to describe and communicate
    the policies of a Web Service
  • Policy expressions ltwspPolicygt
  • ltwspExactlyOnegt, ltwspAllgt, ltwspOneOrMoregt
  • WS-PolicyAssertions defines general
    messaging-related assertions for use with
    WS-Policy

20
WS-PolicyAttachment IBM/Microsoft, Web Services
Policy Attachment 1.1, May 2003
  • Defines a general-purpose mechanism for
    associating policy expressions with subjects.
  • provides for two approaches to making the
    associations
  • policy assertions may be defined as part of the
    definition of the subject
  • policy assertions may be defined independently
    and associated through an external binding to the
    subject.
  • Specifically
  • How to reference policies from WSDL definitions
  • How to associate policies with specific instances
    of WSDL services
  • How to associate policies with UDDI entities

21
WS-SecurityPolicy IBM/Microsoft, Web Services
Security Policy Language 1.0, December 2002
  • Specificies security policy assertions for
    WS-Policy
  • what kind of ltSecurityTokengt is required, from
    whom, and which claims should it provide
  • wsseX509v3
  • wsseKerberosv5TGT
  • wsseKerberosv5ST
  • wsseUsernameToken
  • wsseSAMLAssertion
  • wsseXrMLLicense
  • ltIntegritygt protection which message parts and
    how
  • ltConfidentialitygt protection which message parts
    and how
  • required ltVisibilitygt of message parts for
    intermediaries
  • specific behaviours of ltSecurityHeadergt
  • what is the maximum allowed ltMessageAgegt

22
WS-Trust IBM/Microsoft, Web Services Trust
Language 1.0, December 2002
  • Security Token Issuance, Validation, and Exchange
  • ltRequestSecurityTokengt
  • wsseReqIssue, wsseReqValidate, wsseReqExchange
  • ltRequestSecurityTokenResponsegt
  • ltRequestedSecurityTokengt
  • ltRequestedProofTokengt
  • Requirements and Extensions
  • scope requirements ltwspAppliesTogt, ltClaimsgt
  • key and encryption requirements
  • delegation, forwarding, and proxy requirements
  • ltOnBehalfOfgt, ltDelegateTogt
  • ltForwardable/gt, ltDelegatable/gt, ltProxiable/gt
    (e.g., Kerberos)
  • lifetime and renewal requirements
  • policies ltwspPolicygt, ltwspPolicyReferencegt
  • challenges
  • ltSignChallengegt and ltSignChallengeResponsegt
  • ltBinaryNegotiationgt

23
WS-SecureConversation IBM/Microsoft, Web
Services Secure Conversation Language 1.0, Dec.
2002
  • Defines extensions to allow
  • security context establishment and sharing
  • session key derivation
  • ltwsseSecurityContextTokengt
  • ltwsuIdentifiergt
  • ltwsuCreatedgt
  • ltwsuExpiresgt
  • ltwsseKeysgt
  • ltxencEncryptedKeygt
  • ltwsseSecurityTokenReferencegt
  • ltDerivedKeyTokengt
  • Security context token is created
  • by a security token service
  • by one of communicating parties propagated with
    a message
  • through negotiation

24
WS-Federation IBM/Microsoft, Web Services
Federation Language 1.0, July 2003
  • Models and framework for federation of identity,
    attribute, authentication, and authorization
    information
  • Key driving requirements
  • enable appropriate sharing of identity,
    authentication, and authorization data
  • brokering of trust and security token exchange
  • local identities are not required at target
    services
  • optional hiding of identity information and other
    attributes
  • Builds on the foundations specified in
    WS-Security, WS-Policy, and WS-Trust
  • Extends the WS-Trust model to allow attributes
    and pseudonyms to be integrated into the token
    issuance mechanism to provide federated identity
    mapping mechanisms

25
WS-Federation Models (1)Trust and Security Token
Issuance
26
WS-Federation Delegation
27
WS-Federation Models (2) and (3)Identity
Providers Attributes and Pseudonyms
28
WS-Federation (contd)
  • Federation of meta-data
  • Web service may want to indicate where requestors
    can obtain security tokens in order to satisfy
    the services claims requirements
  • mechanisms defined in WS-PolicyAssertions are
    therefore extended with a ltwsseRelatedServicegt
    assertion
  • wsseServiceIP, wsseServiceSTS, wsseServiceAS,
    wsseServicePS
  • Sign-out termination of SSO
  • ltwsseSignOutgt in ltSBodygt federating sign-out
    messages
  • clean up any cached state and security tokens
    that may exist within the federation
  • implication of sign-out on currently active
    transactions is undefined and is
    resource-specific
  • Attribute Service
  • possibility to expose attribute stores as UDDI
    endpoints
  • Pseudonym Service
  • ltwsseGetPseudonymgt and ltwsseGetPseudonymResponse
    gt
  • ltwsseSetPseudonymgt and ltwsseSetPseudonymResponse
    /gt
  • ltwsseDeletePseudonymgt and ltwsseDeletePseudonymRe
    sponse/gt
  • RequestPseudonym in RequestSecurityToken

29
WS-Federation (summary)
30
WS-Federation Requestor Profiles
  • Detail how different requestors apply the model
  • Active Requestor Profile
  • defines how the federation model is applied to
    active requestors such as SOAP applications
  • uses standard specifications
  • describes requirements on security tokens, etc
  • Passive Requestor Profile
  • defines how the WS-Federation model is applied to
    passive requestors such as Web browsers that
    support the HTTP protocol
  • specifies HTTP protocol syntax
  • describes requirements on cookies, etc

31
WSS Token Profiles (1) OASIS, WSS UsernameToken
Profile 1.0, March 2004 OASIS, WSS X.509
Certificate Token Profile, March 2004
  • Username/Password
  • ltwsseUsernameTokengt
  • ltwsseUsernamegt
  • ltwssePasswordgt (text or digest)
  • ltwsseNoncegt
  • ltwsuCreatedgt
  • X.509 certificate
  • ltwsseX509v3gt
  • ltwsseX509PKIPathv1gt
  • ltwssePKCS7gt

32
WSS Token Profiles (2) IBM/Microsoft, Web
Services Security Kerberos Binding, December 2003
  • WS Security Kerberos Binding
  • must use ltwsseBinarySecurityTokengt
  • GSS-API for Kerberos interoperability
  • use challenge/response in WS-Trust
  • use ltBinaryNegotiationgt in WS-SecureConversation
    (wskSPNEGO)
  • ltwsseSecurityContextTokengt may include
    ltwskCorrelationgt
  • Alternative general Kerberos interoperability
  • use Kerberosv5TGT and Kerberosv5ST

33
Web Services Securityin practice
34
Web Services Enhancements (WSE)
  • Web Services Enhancements 2.0 for Microsoft .NET
    (WSE) Technology Preview
  • implementation of WS- specifications on .NET
  • can be downloaded freely from msdn.microsoft.com
  • WSE 2.0 supports
  • securing XML Web services
  • routing SOAP messages
  • sending attachments with SOAP messages
  • WSE 2.0 supports
  • WS-Security
  • WS-(Security)Policy
  • WS-Trust
  • UsernameToken, X.509 certificates, Kerberos
    tokens
  • WS-SecureConversation
  • WS-Addressing

35
Example an AddUp web service
  • AddUp web service adds up 2 integers
  • only if request is digitally signed, and
    certificate contains appropriate claims.
  • Uses WS-Security and WS-SecurityPolicy
  • AddUpWSDL.xml, AddUpRequest.xml,
    AddUpResponse.xml
  • AddUpSecurityPolicy.xml, AddUpRequestSigned.xml

36
Some code snippets
WebService( Namespace"http//joris.claessens.ws
/2003/12/", Description"A simple AddUp web
service.") public class AddUp
System.Web.Services.WebService WebMethod(Descr
iption"This method adds up two
integers.") public int AddThemUp(int Num1, int
Num2)
Server
using Microsoft.Web.Services.Security AddWSClie
nt.AddUp.AddUpWse ws new AddWSClient.AddUp.Add
UpWse() SoapContext requestContext
ws.RequestSoapContext requestContext.Security.Tok
ens.Add(signatureToken) Signature sig new
Signature(signatureToken) requestContext.Security
.Elements.Add(sig) int Num3
ws.AddThemUp(Num1,Num2)
Client
Client reference
System.Web.Services.WebServiceBindingAttribute(Na
me"AddUpSoap", Namespace"http//joris.claessens.
ws/2003/12/") public class AddUp
Microsoft.Web.Services.WebServicesClientProtocol
37
Relationship to trust management in VOs
  • disclaimer preliminary thinking

38
Web Services Security and TrustCoM
  • How trust is established or determined, is out of
    scope of the current WSS specifications.
  • Question how can the WSS specifications support
    and complement, tools for
  • trust management
  • contract management
  • (autonomic) security policy management

39
Trust/policy domain A
Trust/policy domain B
WS-SecureConversation
data
WS-Security
requester
service request
secured service request
secured service request
data and/or resources
service request
service
security token identifier, claim
security token identifier, claim
WS-Federation
WS-Trust
authorisation policy enforcement
authorisation policy enforcement
WS-(Security)Policy
organisational security policy
organisational security policy
current Web Services Security specifications
addressed by WSS out of WSS scope
40
Notes on WSS specifications
  • Trust and contract management happen entirely
    out-of-band.
  • Secure exchange of root public keys must happen
    out-of-band (except if partners have single
    common trusted CA).
  • Security policy exchange is often out-of-band
    too.
  • Even if a services security policy is
    discoverable, security policy management remains
    fairly static.

41
Trust/policy domain A
Trust/policy domain B
data
requester
service request
secured service request
secured service request
data and/or resources
service request
service
security token identifier, claim
security token identifier, claim
context time, locality,
authorisation policy enforcement
authorisation policy enforcement
business process
organisational security policy
specific VO security policy
organisational security policy
specific VO security policy
contract
42
Contract management
  • A specific web service is part of a particular
    business process in a particular context.
  • For this, a contract is negotiated (establishing
    the Virtual Organisation).
  • The security policies of the respective
    organisations give input (mutually agreed
    security policies based on contract).
  • WSS specifications may support secure contract
    negotiation, if there is a generic contract
    negotiation web service.

43
Security policy management and enforcement
  • Dynamic policy updates reflecting the contract.
  • Should there be mechanisms to be able to push new
    policies instead of others polling these?Or do
    policy updates only originate from contract
    negotiations?
  • Policy enforcement should take into account the
    business process and the context related to a
    specific web service request.
  • Enforcement must be done in consistent way across
    different layers (business process, web service,
    network).
  • WSS specs only deal with security on the level of
    web services, and assume that SOAP nodes are
    accessible on the network layer this assumption
    cannot be made in dynamic context.

44
Trust/policy domain A
Trust/policy domain B
data
requester
service request
secured service request
secured service request
data and/or resources
service request
service
security token identifier, claim
security token identifier, claim
WS-Trust
context time, locality,
authorisation policy enforcement
authorisation policy enforcement
business process
organisational security policy
specific VO security policy
organisational security policy
specific VO security policy
contract
trust reputation
trust reputation
trust reputation brokerage
WS-Federation attributes
UDDI
45
Trust management
  • Trust is about the expectation in the behaviour,
    and/or belief in statements, of another party.
  • WSS example trust in correct mapping by CA
    between identity and public key
  • Statements need to be securely communicated ?
    also need to establish trust in cryptographic
    keys with which authenticity of tokens and
    assertions can be verified.
  • WSS example root public key of CA must be
    obtained out-of-band
  • WSS allows to securely communicate trust
    statements (assuming verification keys are
    trusted!)
  • use UDDI to publish trust and reputation
    statements
  • use WS-Trust to request, issue, and validate
    trust and reputation statements/assertions
  • trust/reputation as attribute service
    (WS-Federation)

46
Trust management (contd)
  • Trust is a black or white issue in WSS either
    you trust or you dont trust.
  • What if trust is quantified?
  • has definitely an impact during contract
    negotiation
  • has indirectly an impact on VO specific security
    policies (more restrictive policy with partners
    who are less trusted)
  • should however not become a parameter within
    security policies (policy should remain fixed
    after contract has been negotiated, and within
    the scope of the policy, partners are fully
    trusted)
  • should certainly not become a parameter in
    authorisation and policy enforcement (e.g.,
    quantified authorisation statements, or partially
    trusted keys do not seem to make sense)
  • Note that (autonomic) security decisions should
    not become unpredictable !

47
Questions ?
  • jorisc_at_microsoft.com

48
References
  • IBM/Microsoft, Security in a Web Services World
    A Proposed Architecture and Roadmap, April 2002.
  • http//msdn.microsoft.com/webservices/?pull/libra
    ry/en-us/dnwssecur/html/securitywhitepaper.asp
  • IBM/Microsoft, Secure, Reliable, Transacted Web
    Services Architecture and Composition, Sept.
    2003.
  • http//msdn.microsoft.com/webservices/?pull/libra
    ry/en-us/dnwebsrv/html/wsoverview.asp
  • IBM/Microsoft, Federation of Identities in a Web
    Services World, July 2003.
  • http//msdn.microsoft.com/webservices/?pull/libra
    ry/en-us/dnglobspec/html/ws-federation-strategy.as
    p
  • Web Services specifications.
  • http//msdn.microsoft.com/webservices/understandin
    g/specs/
Write a Comment
User Comments (0)
About PowerShow.com