1 / 64

Web Services Security – A Survey

Web Services Security – A Survey. Abu Uddin Shamual Rahaman. Web Services. Open standard (XML, SOAP, etc.) based Web applications that interact with other web applications for the purpose of exchanging data.

wyoming-gallegos
Download Presentation

Web Services Security – A Survey

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Web Services Security – A Survey Abu Uddin Shamual Rahaman

  2. Web Services • Open standard (XML, SOAP, etc.) based Web applications that interact with other web applications for the purpose of exchanging data. • Initially used for the exchange of data on large private enterprise networks, web services are evolving to include transactions over the public Internet. • Even though it’s framework in not 100% complete, people have been widely using it. • Heterogeneous, loosely coupled architecture.

  3. Hello Web Services

  4. Hello Web Services

  5. Hello Web Services

  6. Web Services Security • Importance of security in Web Services. • Security Issues in Web Services. • Our Survey.

  7. Selected Papers • Threats and security of Web services - a theoretical short study-Rao, Radha Krishna • Web service security - vulnerabilities and threats within the context of WS-security-Holgersson, J.; Soderstrom, E.; • Web Service Composition: A Security Perspective-Carminati, B.; Ferrari, E.; Hung, P.C.K.; • Algorithm Exchange of a Security Control System for Web Services Applications-Nasution, B.B.; Kendall, E.A.; Khan, A.I.;

  8. Paper 1: Threats and security of Web services - a theoretical short study • Various threats and remedies for web services. • This paper mainly focuses mainly on three different attacks: Dictionary Attack, Replay Attack, and Buffer Overflow. • Vital points in Web services security: • Authentication • Authorization • Confidentiality • Integrity • Non-repudiation All of these can be satisfied by using encryption except Authorization, where it can use SOAP messages.

  9. Dictionary Attack • Reverse Turing Test. • was developed to protect system from automated program that launches dictionary attack. • combine the traditional password authentication with a challenge that is very easy to answer for a human but not possible for an automated program. • widely used by many web sites, such as Hotmail, Yahoo.

  10. Dictionary Attack • Advantages of Reverse Turing Test: • does not affect the usability. • offers a much better protection. • no special hardware or software is needed to implement. • Disadvantages of Reverse Turing Test: • requires certain capabilities on the user side. • can frighten the user who are unwilling to solve the riddles . • can affect the scalability of the system. • not optimal for large scale system.

  11. Dictionary Attacks • Java Cryptography: • Dictionary attacks take twice the time to break a simple protection algorithm than doubly protected password. • now used in various critical applications. • Java Cryptography Architecture(JCA) • Java Cryptography Advantages: • Portability • permits controlled execution of less trusted code (vs. Activex) • fine grained permission control • Java Cryptography Disadvantages: • complex dependencies on other system, OS, browser, network(DNS), PKI • flexible policies accepted by user may permit hidden breaching interactions.

  12. Dictionary Attacks • Secure Socket Layer (SSL): • most popular transport layer security protocol for internet. • offers the basic security services of encryption, source authentication and integrity protection for data exchanged over underlying unprotected networks. • Many product and OS has support for SSL. Also many web services permits the SSL communication. • SSL has all available security functions that’s needed to make a project secure (authentication, asymmetric/symmetric encryption, MAC and certificates). • But the problem with SSL is that programmers have to know a lot of details about the OS, and system calls.

  13. Replay Attack • When an attacker simply listens and sniffs the packets and then later he resends the same packet, it’s called replay attack. • The intruder might extract information and alter or inject his own information in the message stream. • easier to detect with Web Services.

  14. Buffer Overflow • Buffer Overflow is one of the major threats on data integrity. • Some of the solutions to the buffer overflow problem are: • Applying patch to the affected code that will check the length of the data before saving it to the buffer. • Apply backup code to replace the overflowed one to gain back authorities of the system. • Use programming languages that has automatic bound checking .

  15. Paper 2:Web Service Security – Vulnerability And Threats within the context of WS-Security • The security issues in Web Services • Threats involved • Incompatibility of traditional Security techniques • WS-Security Basics • WS-Security vs. Web Services Threats

  16. Security Issues • Security of the information must be provided while the information is in transit and while it is in storage of the server • Similar criterion as of traditional security must be satisfied

  17. Security Issues • Confidentiality • Integrity • Non-repudiation • Authentication • Authorization • Availability

  18. The threats • Maintaining Security while Routing • Unauthorized access • Parameter manipulation/malicious input • Eavesdropping and Message Replay • Denial of Service (DoS) • Bypassing of Firewalls • Immaturity of the platform

  19. Short comings of Traditional Security mechanism • Traditional Security techniques works on the Lower level of the OSI stack of message transfer • Doesn’t provide security against Application level communication

  20. OSI Stack

  21. WS-Security • Is a new security standard • Published in April 2004 • Still incomplete but promising

  22. WS-Security Basics • Adds security to the SOAP message • Passes the security information in the Header of the SOAP Message • 3 Basic Elements • Security tokens • XML Encryption • XML Signature

  23. WS-Security, Tokens • Tokens are the security artifact included in a SOAP message • Provide authentication and authorization • Can use simple user id and password based authentication • Also capable of advanced certificate based authentication like X.509

  24. XML Encryption • A specification developed by W3C • Prevents unauthorized access to the XML document • Require a decryption key to read the Document • Different part of the document may require different key to decrypt

  25. XML Encryption • Therefore XML Encrypted Document can have multiple recipients • Each recipient will use their own decryption key without violating the privacy of others

  26. XML Signature • Also developed by W3C • Serves the same purpose that of a traditional signature • Authenticates the credentials of the token • This provides message integrity • Just like XML Encryption different part of the document may have different signature associated with it

  27. WS-Security VS Threats Remember the threats….. • Maintaining Security while Routing • Unauthorized access • Parameter manipulation/malicious input • Eavesdropping and Message Replay • Denial of Service (DoS) • Bypassing of Firewalls • Immaturity of the platform • All of them satisfied except • Denial of Service • Bypassing of firewalls • Immaturity of the platform

  28. Ws-Security: The Road Map

  29. Paper 3: Web Service Composition: A security Perspective • The papers describes a security conscious Web Service composition framework that supports different security requirement criterion imposed by different WS provider and requestor

  30. Web Service Composition

  31. Composition With Security Restrictions • Different WS may have different security requirement e.g. some WS may require the X.509 based authentication as a security measurement for authentication and authorization • Some service requestor may want his service to be processed by a WS that use P3P based privacy policy

  32. Secure WS Broker ArchitectureImage ref [3]

  33. Secure WS Broker Architecture • Four main components • Modeler • Web Services Locator • Security Match Maker • WSBPEL Generator

  34. SWS Broker: Modeler • Given the service request try to build a work flow • For example given a task A The modeler tries to divide the task in a sequence of tasks say {A1, A2, A3, A4} which must be carried in sequence • The A1, A2 etc are the activities

  35. SWS Broker: SWs Locator • The locator is actually a simple old fashioned Web Service locator that finds the Web Services that capable of servicing the request • The locator finds all the sets of Web Services that are capable of servicing A1, A2 etc.

  36. SWS Broker: Match Maker • This is the model that employs the security constrains imposed by all the involved Web Service Providers and Requestors • The algorithm is explained with an example in the next slide

  37. Match Maker: Algorithm/Methodology • Lets say the service locator provides the following WSs for each of the activities in previous example

  38. Match Maker: Algorithm/Methodology • We can build a following tree structure for the Wss. (Figure ref [3])

  39. SWS Broker: WSBPEL • Web Service Business Process Execution Language • Beyond the scope of this Paper

  40. Defining Security Requirement • All the previously mentioned techniques sounds easy • But how to search and compare security requirement and Constraints • WSDL, SOAP none provides such mechanism

  41. Modeling Security Information • Two Classes • Capability Description • Constraint Description • Compatibility • General • Final

  42. Capabilities Description • Uses SAML description of following type (Figure ref [3])

  43. Compatibility Constraint Description • Compatibility Constraints can be put into the WSDL using the extensibility element of WSDL

  44. Other Constraint Description • The other two constraint criterion general constraint and final constraint goes into the SOAP definition

  45. Future Work • The author working on implementing additional constraints like quality of service constraints • They are trying to produce a better version of the Match Maker Algorithm

  46. Paper 4: Algorithm Exchange of a Security Control System for Web Services Applications • Problem with WS-Security standard. • This papers takes system approach rather than analytical approach. • Two parts of the paper: • TTSN(Trusted Tansient Simple Network) Architecture. • Algorithm Exchange.

  47. Trusted Transient Simple Network • 3rd parties in web services. • it is necessary for each party to provide itself with a sophisticated security system which can be very independently of any other middle parties. • The most frequent strategies to solve the security problem have mainly focused on already known risks. But such strategy will fail when an unknown risk occurs.

  48. TTSN • TTSN General Architecture: • The traffic package leaving from A through one path will be sent back to B through the other path. • Also, B will also append the reversed traffic package to B with the response. • In this way, A will know enough information regarding the state of the transaction and some behavior of its counterpart. • Can be activated/deactivated dynamically

  49. TTSN • TTSN Security control system: • Plant of the control system. • If the plant is not stable, A must maintain the process in a continuous stable state.

  50. TTSN • The reasoning mechanism. • Interdependency of all security properties: • Each property will be occupied by an intelligent agent.

More Related