“Web Services” and its security (c) Khaled Alghathbar
Overview
• Web Services
  • Definition
  • What they said
  • Web Services components
  • How it is working
  • Success factors
• W.S. Security
  • Authentication
  • Access Control
  • Secrecy
  • Integrity
  • DOS in Web Services
Definition
“Loosely coupled, reusable software components that semantically encapsulate discrete functionality and are distributed and programmatically accessible over standard Internet protocols.” [1]
• Lightweight
• Platform and language independent
[1] Sleeper, Brent, and Bill Robins. "Defining Web Services." Stencil Group, June 2001. Accessed 01 Oct. 2001.
What they said
• Bill Gates counts Web Services among the key technology milestones of the past 20 years.
• Alfred Chuang (COO and founder of BEA Systems): “The universal umbrella of Web Services will fuel the next wave.”
(Figure: timeline from PC to Internet to Web Services)
Web Services components
• HTTP protocol
• XML
• SOAP (Simple Object Access Protocol)
• WSDL (Web Services Description Language)
• UDDI (Universal Description, Discovery, and Integration)
• Others:
  • ebXML (Electronic Business XML)
  • WSFL (Web Services Flow Language)
How it is working
(Figure: Web Services interaction diagram)
Changing the inner system, or even switching to another company, does not require much modification.
Working Examples
• Rent a car at Hertz
• Temperature and weather conditions
• Sales rank and price for online bookstores
• Credit card validator
• Locate healthcare providers in the USA
• News headlines on six topics
• Stock quote with currency conversion
• Airfare/flight information
• Access to FedEx tracking information
• German <-> English translation
(From Xmethods.com)
Supporters
IBM and more…
Success factors
• Platform independent:
  • Programming language and DBMS independent.
• Lightweight execution, unlike DCOM and IIOP.
• Easy to adopt.
• Maintenance is light and economical.
• Reduced integration cost and complexity.
• Uses HTTP as the transport layer.
• Uses XML as the data representation.
• Easy to access over the Internet, unlike traditional distributed object models.
SOAP vs. DCOM & IIOP
• The DCOM and IIOP protocols are not appropriate for the Internet.
• Both protocols require a large amount of dedicated runtime support.
• Many firewalls do not permit access by non-HTTP protocols.
• SOAP requires less organization and fewer resources to achieve security because it uses HTTP.
DCOM = Distributed Component Object Model
IIOP = Internet Inter-ORB Protocol
Web Services vs. CORBA
• One, Web Services are loosely coupled.
• Two, Web Services are built on top of ubiquitous infrastructure such as HTTP and XML.
• Three, Web Services are meant to be simple: “the problem with CORBA was a little too big” [2]
[2] Dyck, Timothy. "Web Services Wave." eWEEK, 10 Sept. 2001.
Web Services Security
• Authentication
• Access Control
• Secrecy
• Integrity
• DOS in Web Services
Authentication
• While a web site is usually accessed by users directly, a Web Service is often accessed by a program running on behalf of users. For example, one Web Service may call other Web Services to gather the specific information the requester needs.
Authentication
• Several techniques support authentication:
  • Basic authentication
  • Basic authentication over SSL
  • Kerberos
  • Client certificate
  • XKMS
XKMS
XKMS (XML Key Management Specification)
“Developers can allow applications to delegate all or part of the processing of XML digital signatures and encrypted elements to VeriSign, shielding the application from the complexity of the underlying PKI.” (VeriSign)
XKMS was created by Microsoft, VeriSign and webMethods.
XKMS
XKMS benefits:
• No need to delay PKI deployment pending client support.
• “Future proof” against new PKI developments.
• Allows mobile devices to access a full-featured PKI.
XKMS
XKMS subsections:
• The XML Key Information Service Specification (X-KISS): key information processing.
• The XML Key Registration Service Specification (X-KRSS): key registration, key revocation, key recovery.
Access Control
(Figure: access control diagram)
Secrecy
• SSL is a slow mechanism.
• Web Services developers need to protect only the very sensitive parts of a message, to reduce encryption overhead; SSL cannot offer this selective protection at this time.
Solution: XML Encryption
XML Encryption Example
(Figure: example of an encrypted XML document)
XML Encryption
XML Encryption uses:
• AES or triple DES for block encryption
• RSA-OAEP (with AES) or RSA v1.5 (with 3DES) for key transport
Integrity
XML Signature
• It allows processing of a signature in an XML document.
• It provides a mechanism for verifying the signature.
XML Signature
A fundamental feature of XML Signature is the ability to sign only specific portions of the XML tree rather than the complete document.
XML Signature
The integrity of a signed XML document is checked by comparing the digest of the document with the decrypted digest that forms the signature.
Is there a problem?
XML Signature
Unfortunately, different XML applications, while processing the information content uniformly, may treat the physical representation of the XML document differently.
• e.g. an extra space between an element name and the closing tag delimiter ‘>’
What is the solution?
XML Signature
Canonical XML: the canonical form of an XML document is a normalized physical representation that establishes a standard baseline for signature processing.
XML Signature
• To compute the digest, the Secure Hash Standard (SHA1) is used.
• To sign, HMAC-SHA1 is used for MACs and DSA with SHA1 (DSS) for digital signatures.
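The representation problem from the preceding slides and the HMAC-SHA1 signing listed here, as an added worked example that is not part of the original deck: it uses the canonicalizer in Python's standard library (C14N 2.0, which differs in detail from the Canonical XML the slides refer to but normalizes the same kinds of differences), and the two documents, the tampered copy and the key are constructed for the demonstration.

```python
import hashlib
import hmac
from xml.etree.ElementTree import canonicalize

# Constructed sample: one logical document in two physical representations.
# DOC_B differs only in attribute quoting and order, an extra space before
# '>' and an explicit end tag; none of this changes the information content.
DOC_A = '<order id="42"><item sku="A1" qty="2"/></order>'
DOC_B = "<order id='42' ><item qty='2' sku='A1' ></item></order>"
# Constructed tampered copy: the quantity was changed.
TAMPERED = '<order id="42"><item sku="A1" qty="200"/></order>'

KEY = b"constructed-demo-key"  # shared HMAC secret (constructed)


def raw_digest(xml_text: str) -> str:
    """SHA1 over the bytes as transmitted: sensitive to formatting."""
    return hashlib.sha1(xml_text.encode("utf-8")).hexdigest()


def canonical_form(xml_text: str) -> bytes:
    """Normalized physical representation used as the signing baseline."""
    return canonicalize(xml_text).encode("utf-8")


def canonical_digest(xml_text: str) -> str:
    """SHA1 over the canonical form: equal for equivalent documents."""
    return hashlib.sha1(canonical_form(xml_text)).hexdigest()


def sign(xml_text: str, key: bytes) -> str:
    """HMAC-SHA1 over the canonical form (XML Signature's MAC option)."""
    return hmac.new(key, canonical_form(xml_text), hashlib.sha1).hexdigest()


def verify(xml_text: str, key: bytes, mac: str) -> bool:
    """Recompute the MAC from the received document; constant-time compare."""
    return hmac.compare_digest(sign(xml_text, key), mac)


if __name__ == "__main__":
    mac = sign(DOC_A, KEY)
    print("raw digests equal:      ", raw_digest(DOC_A) == raw_digest(DOC_B))              # False
    print("canonical digests equal:", canonical_digest(DOC_A) == canonical_digest(DOC_B))  # True
    print("DOC_B verifies:         ", verify(DOC_B, KEY, mac))                             # True
    print("tampered copy verifies: ", verify(TAMPERED, KEY, mac))                          # False
```

Without canonicalization the receiver's re-serialized document would fail verification even though nothing meaningful changed; with it, only a real modification such as the tampered quantity breaks the MAC.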
DOS in Web Services
Web Services face the same threats as web sites do. However, most Web Services information is more valuable than that of a web site.
DOS in Web Services
(Figure: DOS attacker)
Resources
• Miller, Michael J. "View From the Top." PC Magazine, 4 Sept. 2001: 164+.
• Jepsen, T. "SOAP cleans up interoperability problems on the Web." IT Professional 3 (2001): 52-55.
• Chester, T. M. "Cross-platform integration with XML and SOAP." IT Professional 3 (2001): 26-34.
• Dyck, Timothy. "Web Services Wave." eWEEK, 10 Sept. 2001: 59+.
• SOAP Service List. Accessed 01 Oct. 2001. <http://xmethods.com/>
• Sleeper, Brent, and Bill Robins. "Defining Web Services." Stencil Group, June 2001. Accessed 01 Oct. 2001. <http://www.stencilgroup.com/ideas_scope_200106wsdefined.html>
• Oettinger, Ryan, and Steven Sachs. "The U.S. Web Services Revolution Will Not Reach Full Scale For Another 18 to 24 Months, Reports Jupiter Media Metrix." Jupiter Media Metrix, 30 Aug. 2001. Accessed 01 Oct. 2001. <http://www.jmm.com/xp/jmm/press/2001/pr_083001.xml>
• Robins, Bill. "How Web Services Will Beat the 'New New Thing' Rap." Stencil Group, June 2001. Accessed 01 Oct. 2001. <http://www.stencilgroup.com/ideas_scope_200106newnew.html>
• "Simple Object Access Protocol (SOAP)." Microsoft, 07 Jan. 2001. Accessed 01 Oct. 2001. <http://www.microsoft.com/WINDOWS2000/hpc/soap.asp>
• Gavrylyuk, Kirill. "Building Secure Web Services with Microsoft SOAP Toolkit 2.0." Microsoft, July 2001. Accessed 01 Oct. 2001. <http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsoap/html/soapsecurity.asp>
• Sundsted, Todd. "Building Security Into Web Services." Sun Microsystems, 17 Aug. 2001. Accessed 01 Oct. 2001. <http://dcb.sun.com/practices/devnotebook/webserv_security.jsp>
• "XML Web Services Security." Microsoft, 12 Nov. 2000. N.d. <http://msdn.microsoft.com/vstudio/nextgen/Technology/security.asp>
• "Web Services Trust and XML Security Standards." Entrust, 9 Apr. 2001. Accessed 01 Oct. 2001. <http://www.entrust.com/resources/pdf/TWS_apr9.pdf>
• Reagle, Joseph. "XML Encryption Requirements." The World Wide Web Consortium (W3C), 20 Apr. 2001. Accessed 01 Oct. 2001. <http://www.w3.org/TR/xml-encryption-req>
• Eastlake, Donald, Joseph Reagle, and David Solo. "XML-Signature Syntax and Processing." The World Wide Web Consortium (W3C), 20 Aug. 2001. Accessed 01 Oct. 2001. <http://www.w3.org/TR/xmldsig-core/>