1 / 44

Secure Web Services

Secure Web Services. Arvind Easwaran (arvinde@seas) CIS/TCOM 551 Spring 2004 Slide Set 7. Outline. Web Services (WS): An overview XML Basics SOAP Basics WSEmail : The real one Security in WS. Web Services (WS) Overview. Today’s Web.

shawn
Download Presentation

Secure Web Services

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Secure Web Services Arvind Easwaran (arvinde@seas) CIS/TCOM 551 Spring 2004 Slide Set 7

  2. Outline • Web Services (WS): An overview • XML Basics • SOAP Basics • WSEmail : The real one • Security in WS

  3. Web Services (WS) Overview

  4. Today’s Web • Designed for applications involving human interactions • Intended purpose • Information sharing: a distributed content library • Enabled B2C e-commerce • Non-automated B2B interactions • How did it happen? • Built on very few standards: http + html • Shallow interaction model: very few assumptions • Result was ubiquity

  5. What’s next? • There is a lot more we can do ! • Open, automated B2B e-commerce • Business process integration on the Web • Resource sharing, distributed computing • Existing Web technology is ad hoc for this • Application-to-application interactions with HTML forms • Goal Enabling systematic application-to-application interaction on the Web

  6. Web Services “Web services” is an effort to build a distributed computing platform for the Web Web service applications are encapsulated, loosely coupled Web “components” that can bind dynamically to each other The Penn – Amazon example

  7. Typical Web Service Components

  8. Web Service A programmable application component accessible via standard Web protocols Open Internet Protocols UDDI Universal Description, Discovery, and Integration • Provide a Directory of Services on the Internet WSDL Web Services Description Language • Web Services are defined in terms of the formats and ordering of messages SOAP • Web Services consumers send and receive SOAP messages XML & HTTP • Built using open Internet protocols Web Services Architecture

  9. Web Services Framework • Framework can be described in terms of • What goes “on the wire” Formats and protocols : XML and SOAP using HTTP • What describes what goes on the wire Description languages : WSDL • What allows us to find these descriptions Discovery of services : UDDI

  10. XML

  11. What is XML? • Extensible Markup Language • Meta language that • Allows to create and format own document markups • a method for putting structured data into a text file - easy to read - unambiguous - extensible - platform-independent

  12. Sample XML Example <?xml version=“1.0” encoding=“…”?> <msg:message from=“id” to=“id” xmlns:msg=“URI” xmlns:po=“URI”> <msg:text> Hi please bill to the following address </msg:text> <msg:item> <po:po id=“123”> <po:billto> <po:company> Skateboard </po:company> <po:street> One Warehouse Park </po:street> <po:city> Boston </po:city> </po:billto> </po:po> </msg:item> </msg:message>

  13. XML Declaration <?xml version=“1.0” encoding=“…”?> • <?xml ?> the XML declaration • Not required, but typically used • Attributes include: • Version • Encoding – the character encoding

  14. XML Element <msg:message from=“id” to=“id” xmlns:msg=“URI” xmlns:po=“URI”> <msg:text> Hi please bill the following </msg:text> <msg:item> <po:po id=“123”> … </po:po> </msg:item> </msg:message> • <tag> text/element </tag> an element • Each element tag can be divided into 2 parts  Namespace, Tag name

  15. XML Attribute <msg:message from=“id” to=“id” xmlns:msg=“URI” xmlns:po=“URI”> … <po:po id=“123”> … </po:po> </msg:message> • XML Attribute • Describes additional information about an element • <tag key=”value”> text</tag> • Reserved attribute  xml:lang

  16. XML Namespaces <msg:message from=“id” to=“id” xmlns:msg=“URI” xmlns:po=“URI”> … </msg:message> • Namespaces • Not mandatory, but useful in giving uniqueness to an element • Declared using the xmlns:name= “value”

  17. SOAP

  18. SOAP • An XML envelope for XML messaging • Headers + body • SOAP is “transport independent” • A convention for doing RPC

  19. Soap Message Processing

  20. SOAP Message Example <?xml … ?> <SOAP-ENV:Envelope xmlns:SOAP-ENV=“URI” > <SOAP-ENV:Header> <t:Transaction xmlns:t=“URI” SOAP-ENV:mustUnderstand=“1” > 12345 </t:Transaction> <p:Priority xmlns:p=“URI”> Very High </p:Priority> </SOAP-ENV:Header> <SOAP-ENV:Body> “XML Document” </SOAP-ENV:Body> </SOAP-ENV:Envelope>

  21. WSEmail Carl Gunter Kevin Lux Michael May

  22. WSEmail • Traditional Internet Email • Based on a collection of protocols • SMTP, POP, IMAP • Evolved over a vast installed base • Shortcomings • Flexibility • Security and • Integration

  23. WSEmail : The Solution • Aims to exploit advantages of web service protocols • Uses web service security features to support integrity, authentication, and access control for both end-to-end and hop-by-hop message transmissions • A collection of services that can be added to the base system

  24. The Solution (Contd) • A way to integrate different messaging systems • Prototype system is built using Microsoft .Net • On-demand attachments • Integrated instant messaging

  25. Architecture

  26. Architecture (Contd) • Sender Client SC makes a call on its Sender Server SS • All calls are SOAP calls over TCP • The server SS then makes a call on the Receiver Server RS • The Receiver Client RC periodically makes calls to RC • Security based on standards for web service security possibly supported by encrypted tunnels

  27. Architecture (Contd) • Hop-by-hop confidentiality, so communications between the nodes can be protected by TLS • Clients like SC and RC are typically authenticated by a password • Servers authenticate themselves using certificates • Such certificates are used in TLS and used to sign messages using XMLDSIG

  28. Variations – Security Token

  29. Security Token (Contd) • SC contacts SS to obtain a security token recognized by RS • SC sends a message authenticated with this credential to RS • Instant messages are posted directly to the client • RS and RC apply access control for this function based on the security token from SC • Token is recognized because of a form of federated identity between SS and RS

  30. Security

  31. Why Web Services Security is a Challenge Practice: In this environment we need 4 wheel drive Theory: This thing has 4 wheel drive But we only take it to the Mall

  32. Message Level Security

  33. Example : SC to SS <wsse:Security SOAP-ENV:mustUnderstand="1“ SOAP-ENV:actor=“…” xmlns:wsse=“…"> <wsse:UsernameToken xmlns:wsu=“…“ wsu:Id="SecurityToken…"> <wsse:Username>SC</wsse:Username> <wsse:Nonce>…</wsse:Nonce> <wsu:Created>Date</wsu:Created> </wsse:UsernameToken>

  34. <Signature> <SignedInfo> <CanonicalizationMethod Algorithm=“…" /> <SignatureMethod Algorithm=“hmac- sha1" /> <Reference URI="#Id…"> <Transforms> <Transform Algorithm="xml-exc-c14n#" /> </Transforms> <DigestMethod Algorithm="xmldsig#sha1" /> <DigestValue>…</DigestValue> </Reference> </SignedInfo>

  35. <SignatureValue>…</SignatureValue> <KeyInfo> <wsse:SecurityTokenReference> <wsse:Reference URI=“…" /> </wsse:SecurityTokenReference> </KeyInfo> </Signature> </wsse:Security>

  36. Canonicalization • Logically equivalent physically different XML snippets • <p a=“1” b=“2”> </p> • <p a=“1” b=“2” />

  37. XML Element Specific Security <po xmlns=“URI” id=“123”> <enc:EncryptedData Type=“URI”> <enc:EncryptionMethod Algorithm=“…”/> <ds:KeyInfo> <ds:KeyName> Shared Key </ds:KeyName> </ds:KeyInfo> <enc:CipherData>…</enc:CipherData> </enc:EncryptedData> … </po>

  38. XML Key Management Specification (XKMS) • Management of Public Keys • Registration • Alice registers her email signature public key • Information • Bob looks up the key for Alice • Bob checks to see if it is valid • Core Objective • Shield the client from the complexity of PKI

  39. Platform Level Security

  40. Security Terminology • Authentication • Positively identifying the clients • User ID password pairs, X509 certificate etc • Authorization • Defining what authenticated clients are allowed to see and do • ACLs • Non Repudiation • Digital Signatures • Secure Communication • Ensuring that messages remain private and unaltered as they cross networks • SSL point-to-point

  41. Is SSL Alone Enough? • For some applications  Yes • As Infrastructure  No • SSL does not support multi-party transactions • Intermediate Node • SSL does not support non-Repudiation • Does not leave any audit trail

  42. Demo

  43. Conclusions • Without Security and Trust • Web Services are Dead On Arrival • Considerable progress has already been made • Industry wide consensus on value of standards • Basic Infrastructure is in place or in development • There is considerable consensus on the roadmap • Web Services is certainly moving towards a secure architecture

More Related