Web Services Security – Challenges & Trends • Magan Pal Singh • Technical Architect, Sopra Group • mpsingh@in.sopragroup.com - www.sopragroup.com • +91 120 4056100
Agenda • Web Services Introduction • Web Services Security Elements • Web Services Security Dimensions • Web Services Security Standards • Threats Facing Web Services • Threats Mitigation
Web Services Introduction • Increasingly becoming SOA implementation of choice • Distributed stand-alone services • Platform independence • Heterogeneous environments and technologies • Spread across geographies • Publicly published interfaces – Service Contract • Discoverable universally – UDDI
[Diagram: Rate Service, UDDI, Loan Service; numbered steps 1 to 3]
Web Services Introduction • Web services Messaging – SOAP
[Diagram: End User, Web Portal, Loan Service, Rate Service, Credit Service; numbered steps 1 to 6]
Web Services Introduction • Web Services Coordination • Orchestration – Within the Organization (BPEL) • Choreography – Between Organizations
[Diagram: Loan Service, Credit Service, Credit Bureau Service, Federal Rate Service, Rate Service, Internal Rate Service1, Internal Rate Service2, Internal Rate Service3]
Web Services Security Elements
Applications must be secure and reliable to truly meet SOA goals
• Web Services rely on HTTP and common web-based architecture
• Key security elements are:
  • Identification and Authentication: Verification of the identity of the requestor service
  • Authorization: Ascertaining the authority of the requestor service to access the resources
  • Integrity: Ensuring that unauthorized alterations do not happen to the data while in transit, processing or storage
  • Non-repudiation: The provider is able to ascertain the identity of the requestor and gets proof of delivery from the requestor
  • Confidentiality: Preserving authorized access to and disclosure of sensitive information, e.g. personal or proprietary information
  • Privacy: Restricting access to resources in accordance with organization policy or Federal laws
Web Services Security Dimensions
• Security dimensions encompass the security elements
• Each dimension affects a different layer of the web service
• Five Security Dimensions
  • Secure Messaging: SOAP messages traversing networks are not viewed or modified by attackers
  • Protecting Resources: Ensure that each individual web service is adequately protected through appropriate identification, authentication and access control mechanisms
  • Negotiation of Contracts: Web services should be capable of negotiating business contracts as well as QoP and QoS
  • Trust Relationships: Entities involved in a business transaction must trust each other
  • Security Properties: Ensure effective enforcement of service policy, security policy and availability of services
Threats Facing Web Services
• Message Alteration: Unauthorized insertion, deletion or modification of information in a message in transit to deceive the receiver
• Loss of Confidentiality: Unauthorized disclosure of message information to an unintended recipient
• Falsified Messages: Fictitious messages intended to make the receiver believe they were sent by a valid sender
• Man in the Middle: Unauthorized interception and forwarding of a message to a third party
• Principal Spoofing: Malicious message constructed with credentials that appear to be from a different, authorized principal
• Forged Claims: Message created with false credentials that appear valid to the receiver
• Replay of Messages: Attacker resends a previously sent message
• Replay of Message Parts: Attacker includes part of previously sent message(s) in a new message
• Denial of Service: Attacker causes the system to expend its resources disproportionately so that valid requests cannot be honored
Threats Mitigation
• W3C XML Encryption: Used to encrypt part or all of a SOAP message and provide confidentiality
• W3C XML Signature: Used to digitally sign the SOAP message and provide message integrity and sender authentication
• WS Security Tokens: Used to include the sender's credentials to help the receiver authenticate the sender
  • User Name/Password
  • OASIS SAML Assertion
  • IETF X.509 certificate
  • ISO Rights Expression Language
• W3C WS-Addressing IDs: Allows the message sender to supply a unique identifier for each message
• IETF SSL/TLS: Secures the HTTP protocol that is used to exchange SOAP messages
  • SSL/TLS with client authentication
  • Both sender and receiver should authenticate each other before securing the HTTP protocol
• IETF HTTP authentication: Allows a user name and password or password digest to be sent as part of the HTTP header
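The WS-Addressing message ID listed above is what lets a receiver detect the "Replay of Messages" threat. The following receiver-side check is an added example in Python, not part of the original slides. It goes beyond the slide by also requiring a WS-Security wsu:Timestamp so the ID cache can be bounded. The ReplayGuard class, the 5-minute window and the sample envelope are assumptions, and XML Signature verification over these headers is assumed to have already succeeded.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {  # SOAP 1.1, WS-Addressing 1.0 and WS-Security 1.0 namespaces
    "s": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsa": "http://www.w3.org/2005/08/addressing",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
}

def sample_envelope(msg_id, created):
    """Constructed sample request; the GetRate body element is hypothetical."""
    decl = " ".join(f'xmlns:{p}="{u}"' for p, u in NS.items())
    return (f"<s:Envelope {decl}><s:Header><wsa:MessageID>{msg_id}</wsa:MessageID>"
            f"<wsse:Security><wsu:Timestamp><wsu:Created>{created}</wsu:Created>"
            "</wsu:Timestamp></wsse:Security></s:Header>"
            "<s:Body><GetRate/></s:Body></s:Envelope>")

class ReplayGuard:
    def __init__(self, window=timedelta(minutes=5)):  # window is an assumed policy value
        self.window = window
        self.seen = {}  # MessageID -> Created time, kept only while still fresh

    def check(self, envelope_xml, now):
        if "<!DOCTYPE" in envelope_xml:  # SOAP forbids DTDs; also blocks entity expansion
            return "reject: DTD not allowed"
        try:
            root = ET.fromstring(envelope_xml)
        except ET.ParseError:
            return "reject: malformed XML"
        msg_id = root.findtext("s:Header/wsa:MessageID", "", NS).strip()
        created = root.findtext(
            "s:Header/wsse:Security/wsu:Timestamp/wsu:Created", "", NS).strip()
        if not msg_id or not created:
            return "reject: missing MessageID or Timestamp"
        try:
            ts = datetime.fromisoformat(created.replace("Z", "+00:00"))
        except ValueError:
            return "reject: bad timestamp"
        if ts.tzinfo is None or abs(now - ts) > self.window:
            return "reject: stale or future-dated"
        # Drop IDs too old to pass the freshness check, which bounds memory use.
        self.seen = {k: v for k, v in self.seen.items() if now - v <= self.window}
        if msg_id in self.seen:
            return "reject: replayed MessageID"
        self.seen[msg_id] = ts
        return "accept"
```

The check only holds if the MessageID and Timestamp headers are covered by the sender's XML Signature; otherwise an attacker can replay the body under a fresh ID.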
Threats Mitigation Threats Addressed By Current Web Services Standards
Conclusions • A variety of specifications and standards are available – mostly developed by individual organizations or groups of organizations • Specifications contradict each other • Certain areas of concern, such as Contract Negotiation and Trust Management, are still not adequately addressed • Web Services standards organizations like OASIS and W3C are working to standardize the specifications • Coordinated effort and research are needed to define commonly acceptable specifications and to provide their implementations