SE 690 - Survey 1
Gap Assessment of the Top Web Service Specifications
Managing the Security of Web Services
Cristina Fhied
SE690 Final Presentation
Advisor: Xiaoping Jia, Luigi Guadagno
SE 690 - Survey 2
Outline
1. Project Goal
2. Overview of Web Services introduction
3. Security Enterprise Requirements
4. Security Specifications
   - Comparison Overview (how each specification maps to the requirements)
   - Drawbacks and Benefits of each Model
5. Current Enterprise State Survey
6. Conclusion and Recommendations
7. Potential Future Work
SE 690 - Survey 3
Project Goal
- Research the available web service security specifications.
- Conduct an enterprise state survey exploring the problems and experiences facing network professionals.
- Research the enterprise communication and architecture requirements for secure Web Services.
- Prepare gap assessment tables mapping the communication and network enterprise requirements against the researched security specifications.
- Prepare a model showing how the WS-Security specification interacts with the other researched web service security specifications.
SE 690 - Survey 4
What are Web Services?
"Software pieces that interact with each other using internet standards to create an application in response to requests that conform to agreed-upon formats." [Infravio, 2003]
SE 690 - Survey 5
What Are the Characteristics…
A web service is accessible over the internet.
Provides an interface that can be called from one application to another.
Interface can be called from any type of application client or service.
Acts as a liaison between the web and the application logic that implements the service.
SE 690 - Survey 6
How Does a Web Service Communicate?
Uses XML on top of HTTP. XML is a widely accepted format for exchanging data and its semantics.
The Web service stack consists of:
- XML (eXtensible Markup Language)
- SOAP (Simple Object Access Protocol)
- WSDL (Web Services Description Language)
- UDDI (Universal Description, Discovery and Integration)
SE 690 - Survey 7
Web Services Stack (top layer first)
- UDDI: returns the WSDL reference used to bind to the web service
- WSDL: specifies how to connect to the web service
- SOAP: acts as the envelope for XML messages
- XML: describes the data being sent
- HTTP (SMTP, FTP, other): transport layer
SE 690 - Survey 8
What About Current Web Security?
To date much web security is built around transport encryption with Secure Sockets Layer (SSL), with SOAP messages simply carried over the SSL connection.
This is not enough for supply-chain operations and other business-to-business transactions: SSL protects only the single hop between two endpoints, while a SOAP message is XML that may be routed through intermediaries and stored, so it needs protection at the message level.
Transport security is also one-way in effect: once a message leaves the SSL tunnel it is plain XML, a captured message can be resent, and a receiver with no freshness check (timestamp, nonce) accepts the replay.
SE 690 - Survey 9
Enterprise Requirements
Network and Communication
SE 690 - Survey 10
Communication based Enterprise Security Requirements
- Authentication
- Authorization
- Data protection
- Non-repudiation
SE 690 - Survey 11
Defining Requirements
- Authentication – accepting credentials from an entity and validating them against an authority.
- Authorization – determining whether the requestor has been granted access to the web service.
- Data protection – ensuring that the web service request and response have not been tampered with or read en route. Requires both integrity and privacy.
- Non-repudiation – guaranteeing that the sender of a message is its creator and cannot later deny having sent it, typically by a digital signature over the message.
SE 690 - Survey 12
Network based Enterprise Security Requirements
- Confidentiality
- Integrity
- Accessibility
SE 690 - Survey 13
Defining Requirements Cont.
- Confidentiality – the information must be protected against unauthorized use or disclosure.
- Accessibility (availability) – information and services must be available on a timely basis to meet mission requirements or to avoid substantial losses.
- Integrity – the information must be protected from unauthorized, unanticipated or unintentional modification.
SE 690 - Survey 14
Available Industry Specifications
- Definitions and Features
- Comparison Mapping Overview
- Drawbacks and Benefits
- Model
SE 690 - Survey 15
PKI
Public Key Infrastructure is a set of open standards (X.509 certificates and the IETF PKIX profile) rather than a single specification; the description here follows a 2002 VeriSign publication.
Integrates digital certificates and certificate authorities into an enterprise-wide network security architecture.
SE 690 - Survey 16
PKI Cont. Provides protection by:
- Authenticating identity
- Verifying integrity
- Ensuring privacy
- Authorizing access
- Authorizing transactions
- Supporting non-repudiation
SE 690 - Survey 17
PKI Cont. Strengths:
- Integrates authentication and digital signatures.
- Allows each party in an internet transaction to validate the identity of the other.
- Ensures that a message or document covered by a certificate-backed digital signature has not been changed in transit.
- Protects information from interception during Internet transmission (encryption to the recipient's public key).
- Validates a user's identity once, so that later digitally signed transactions can reuse that authentication (single sign-on).
SE 690 - Survey 18
PKI Cont. Weaknesses:
- Complications associated with proprietary PKI software toolkits.
- Complex deployment of the server-side components.
- The complexity of integrating authentication and digital signatures into web service applications.
SE 690 - Survey 19
SAML
Security Assertion Markup Language is an XML-based framework for exchanging authentication and authorization information between Web Services.
Security specification from OASIS, released in February 2002.
First industry standard for enabling secure e-commerce transactions through XML.
SE 690 - Survey 20
SAML Cont.
Defines assertions and the request/response protocol used to exchange them, providing:
- Authentication
- Authorization
- Interoperability
Also shows how single sign-on can be achieved when several web services interact: the XML assertions are passed from one service to the next instead of re-authenticating.
SE 690 - Survey 21
SAML Cont. Strengths:
- Supports real-time authentication and authorization decisions.
- Can interoperate with any kind of system that can process XML.
- Makes message integrity and non-repudiation of the sender possible when the assertions are signed (XML Signature).
- Defines assertion and protocol schemas for the structure of the documents that transport the security information.
- Links back to the actual authentication event and makes its assertions based on that event.
SE 690 - Survey 22
SAML Cont. Weaknesses:
- The security of a SAML conversation is not stand-alone; it depends on a trust model, typically PKI.
- Does not address privacy policies.
- Does not define any technology or approach for performing authentication itself.
- Only makes assertions about credentials; it does not itself authenticate or authorize users.
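The checks a relying web service must make before it trusts a SAML assertion, as an added example that is not from the presentation: a SAML 1.x authentication assertion carried inside a WS-Security header (the combination the presentation recommends on slide 46) is parsed, and its version, issuer, validity window, audience restriction and subject confirmation method are checked. The envelope, issuer, audience, clock values and the signature placeholder are constructed for this example; the enveloped XML Signature must additionally be verified with an XML-DSig implementation, which the standard library does not provide, so only its presence is checked here.

```python
"""Added example (not from the original presentation): validating a SAML 1.x
assertion carried as a security token inside a WS-Security header. The
envelope, issuer, audience, clock values and signature placeholder are
constructed for this example."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"soap": SOAP, "wsse": WSSE, "saml": SAML, "ds": DS}
# Subject confirmation methods from the WSS SAML Token Profile.
HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:1.0:cm:holder-of-key"
SENDER_VOUCHES = "urn:oasis:names:tc:SAML:1.0:cm:sender-vouches"

# Constructed SOAP message: an authentication assertion inside wsse:Security.
# The ds:Signature content is a placeholder, not a real signature.
SAMPLE_ENVELOPE = """<soap:Envelope xmlns:soap="{soap}">
 <soap:Header>
  <wsse:Security xmlns:wsse="{wsse}">
   <saml:Assertion xmlns:saml="{saml}" MajorVersion="1" MinorVersion="1"
       AssertionID="_a75adf55" Issuer="https://idp.example.test"
       IssueInstant="2003-03-01T11:59:30Z">
    <saml:Conditions NotBefore="2003-03-01T11:59:00Z" NotOnOrAfter="2003-03-01T12:04:00Z">
     <saml:AudienceRestrictionCondition>
      <saml:Audience>https://orders.example.test/ws</saml:Audience>
     </saml:AudienceRestrictionCondition>
    </saml:Conditions>
    <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
        AuthenticationInstant="2003-03-01T11:59:30Z">
     <saml:Subject>
      <saml:NameIdentifier>alice</saml:NameIdentifier>
      <saml:SubjectConfirmation>
       <saml:ConfirmationMethod>{cm}</saml:ConfirmationMethod>
      </saml:SubjectConfirmation>
     </saml:Subject>
    </saml:AuthenticationStatement>
    <ds:Signature xmlns:ds="{ds}"><ds:SignedInfo/><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
   </saml:Assertion>
  </wsse:Security>
 </soap:Header>
 <soap:Body><PlaceOrder>order 1</PlaceOrder></soap:Body>
</soap:Envelope>""".format(soap=SOAP, wsse=WSSE, saml=SAML, ds=DS, cm=HOLDER_OF_KEY)


def parse_time(value):
    """SAML 1.x timestamps are UTC in ISO 8601 form with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(envelope_xml, now, audience, trusted_issuers, accepted_methods=(HOLDER_OF_KEY,)):
    """Return (subject_name, None) if the assertion may be relied on, else (None, reason)."""
    root = ET.fromstring(envelope_xml)
    assertion = root.find("soap:Header/wsse:Security/saml:Assertion", NS)
    if assertion is None:
        return None, "no SAML assertion in wsse:Security"
    if assertion.get("MajorVersion") != "1":
        return None, "unsupported SAML version"
    if assertion.get("Issuer") not in trusted_issuers:
        return None, "untrusted issuer"
    if assertion.find("ds:Signature", NS) is None:   # real code: verify the XML-DSig here
        return None, "unsigned assertion"
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        return None, "no Conditions"
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now < parse_time(not_before):
        return None, "assertion not yet valid"
    if not_on_or_after and now >= parse_time(not_on_or_after):
        return None, "assertion expired"
    audiences = [a.text for a in cond.findall("saml:AudienceRestrictionCondition/saml:Audience", NS)]
    if audiences and audience not in audiences:   # issued for another service: refuse it
        return None, "audience mismatch"
    stmt = assertion.find("saml:AuthenticationStatement", NS)
    if stmt is None:
        return None, "no AuthenticationStatement"
    method = stmt.findtext("saml:Subject/saml:SubjectConfirmation/saml:ConfirmationMethod", namespaces=NS)
    if method not in accepted_methods:   # sender-vouches needs a trusted, signing intermediary
        return None, "unacceptable subject confirmation method: %s" % method
    return stmt.findtext("saml:Subject/saml:NameIdentifier", namespaces=NS), None


if __name__ == "__main__":
    clock = parse_time("2003-03-01T12:00:00Z")
    print(validate_assertion(SAMPLE_ENVELOPE, clock, "https://orders.example.test/ws", {"https://idp.example.test"}))
    print(validate_assertion(SAMPLE_ENVELOPE, clock, "https://other.example.test/ws", {"https://idp.example.test"}))
```

The audience and subject-confirmation checks are the ones most often skipped in practice: an assertion issued for one service is replayed at another, or a sender-vouches assertion is accepted from a caller who never proved anything. Both map to the weakness above that SAML only asserts; the relying service still decides what to trust.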
SE 690 - Survey 23
XKMS
XML Key Management Specification is an open specification.
Published by the W3C as a Note (XKMS 2.0 later became a W3C Recommendation).
Provides a standard XML-based messaging protocol for outsourcing key management (locating, validating and registering keys) to dedicated services.
SE 690 - Survey 24
XKMS Cont.
An XML front end to PKI handling. Integrates:
- Authentication
- Authorization
- Malicious attack support
Uses SOAP over an HTTP-based network.
Makes it easy for applications to interface with key-related services without embedding PKI logic.
SE 690 - Survey 25
XKMS Cont. Strengths:
- Integrates authentication and authorization.
- Performs key and certificate status checking in a matter of hours.
- Rapidly implements trust features, incorporating cryptographic support for XML digital signatures.
- Moves the complexity of PKI integration to server-side components.
- The specification toolkit is completely platform, vendor, and transport-protocol independent.
- Developer friendly: the XML syntax eliminates the client-side plug-ins that PKI requires.
SE 690 - Survey 26
XKMS Cont. Weaknesses:
- Has no implemented prototype demonstrating its techniques.
- Not a stand-alone application: for stronger security three parts must be used together:
  - X-KISS (XML Key Information Service Specification)
  - X-KRSS (XML Key Registration Service Specification)
  - Protocol Binding Specification
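What "outsourcing key management to a dedicated service" looks like on the wire, as an added example that is not from the presentation: an X-KISS Validate exchange in which the client sends a ValidateRequest naming the key it wants to use, the service answers with a KeyBinding whose Status says Valid, Invalid or Indeterminate and why, and the client only trusts the key on Valid. Element, attribute and URI names follow XKMS 2.0; the service URL, the responder and its key registry are constructed stand-ins, and the signature over the result that a real XKMS responder returns is not implemented.

```python
"""Added example (not from the original presentation): an X-KISS Validate
exchange. Names follow XKMS 2.0; the service, its registry and the
identifiers are constructed stand-ins for this example."""
import uuid
import xml.etree.ElementTree as ET

XKMS = "http://www.w3.org/2002/03/xkms#"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"xkms": XKMS, "ds": DS}
ET.register_namespace("xkms", XKMS)
ET.register_namespace("ds", DS)
X509_NAME = "urn:ietf:rfc:2459"  # UseKeyWith Application URI for an X.509 subject name

# Constructed registry standing in for the service's PKI back end:
# (application, identifier) -> (StatusValue, reason names)
REGISTRY = {
    (X509_NAME, "CN=orders.example.test"): ("Valid", ["IssuerTrust", "RevocationStatus", "ValidityInterval", "Signature"]),
    (X509_NAME, "CN=old-gateway.example.test"): ("Invalid", ["RevocationStatus"]),
}


def new_id():
    return "I" + uuid.uuid4().hex  # xsd:ID values may not start with a digit


def build_validate_request(service_url, application, identifier):
    """Client side: ask whether the key bound to `identifier` may be used for signing."""
    req = ET.Element(f"{{{XKMS}}}ValidateRequest", Id=new_id(), Service=service_url)
    ET.SubElement(req, f"{{{XKMS}}}RespondWith").text = XKMS + "KeyName"
    binding = ET.SubElement(req, f"{{{XKMS}}}QueryKeyBinding")
    ET.SubElement(binding, f"{{{XKMS}}}KeyUsage").text = XKMS + "Signature"
    ET.SubElement(binding, f"{{{XKMS}}}UseKeyWith", Application=application, Identifier=identifier)
    return ET.tostring(req, encoding="unicode")


def xkms_service(request_xml):
    """Constructed stand-in for an XKMS responder; answers a ValidateRequest from REGISTRY."""
    req = ET.fromstring(request_xml)
    use = req.find("xkms:QueryKeyBinding/xkms:UseKeyWith", NS)
    result = ET.Element(f"{{{XKMS}}}ValidateResult", Id=new_id(), Service=req.get("Service"),
                        RequestId=req.get("Id"), ResultMajor=XKMS + "Success")
    entry = None if use is None else REGISTRY.get((use.get("Application"), use.get("Identifier")))
    if entry is None:
        # Success with ResultMinor NoMatch: the service knows no binding for this key.
        result.set("ResultMinor", XKMS + "NoMatch")
        return ET.tostring(result, encoding="unicode")
    status_value, reasons = entry
    binding = ET.SubElement(result, f"{{{XKMS}}}KeyBinding", Id=new_id())
    key_info = ET.SubElement(binding, f"{{{DS}}}KeyInfo")
    ET.SubElement(key_info, f"{{{DS}}}KeyName").text = use.get("Identifier")
    ET.SubElement(binding, f"{{{XKMS}}}UseKeyWith",
                  Application=use.get("Application"), Identifier=use.get("Identifier"))
    status = ET.SubElement(binding, f"{{{XKMS}}}Status", StatusValue=XKMS + status_value)
    reason_tag = {"Valid": "ValidReason", "Invalid": "InvalidReason"}.get(status_value, "IndeterminateReason")
    for reason in reasons:
        ET.SubElement(status, f"{{{XKMS}}}{reason_tag}").text = XKMS + reason
    return ET.tostring(result, encoding="unicode")


def local_name(uri):
    return uri.replace(XKMS, "") if uri else ""


def validate_key(service_url, application, identifier, transport=xkms_service):
    """Client side: returns (status, reasons). Only 'Valid' means the key may be trusted."""
    result = ET.fromstring(transport(build_validate_request(service_url, application, identifier)))
    if result.get("ResultMajor") != XKMS + "Success":
        return "Indeterminate", [local_name(result.get("ResultMinor"))]
    binding = result.find("xkms:KeyBinding", NS)
    if binding is None:
        return "NoMatch", [local_name(result.get("ResultMinor"))]
    status = binding.find("xkms:Status", NS)
    return local_name(status.get("StatusValue")), [local_name(r.text) for r in status]


if __name__ == "__main__":
    for name in ("CN=orders.example.test", "CN=old-gateway.example.test", "CN=nobody.example.test"):
        print(name, validate_key("https://xkms.example.test/", X509_NAME, name))
```

The point for the application developer is that the four things a PKI client normally has to do itself (chain building to a trusted issuer, revocation checking, validity-period checking, signature checking) come back as the four ValidReason values, and anything other than a Valid status, including NoMatch, must be treated as "do not use this key".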
SE 690 - Survey 27
WS-Security
Published in April 2002 by IBM, Microsoft, and VeriSign.
Helps enterprises build secure web services, and applications based on them, that are broadly interoperable.
Proposes a set of SOAP extensions, used when building secure web services, to implement:
- Integrity (XML Signature)
- Confidentiality (XML Encryption)
SE 690 - Survey 28
WS-Security Cont.
Does not limit itself to a specific model or mechanism; can be used as a guideline.
Has support for several models and security mechanisms. Supports:
- Multiple security tokens
- Cryptography technologies
- Requester security
- Transport security
SE 690 - Survey 29
WS-Security Cont.
Microsoft, VeriSign and IBM announced the publication of five further specifications. Used with WS-Security they provide an extensible and flexible framework within an infrastructure. Mapped to this project's requirements:
- WS-Trust: interoperability
- WS-SecureConversation: centralized management
- WS-SecurityPolicy: protection against malicious attack
- WS-Policy: authentication
- WS-Authorization: authorization
SE 690 - Survey 30
WS-Security Cont. Strengths:
- Implements integrity and confidentiality.
- A building block, or better a blueprint, to be used in conjunction with other web service specifications.
- Integrates, unifies and supports many popular security models and technologies.
- Defines how signatures are applied to SOAP messages.
- Provides a generic mechanism for associating security tokens with messages; does not mandate any particular type of security token.
SE 690 - Survey 31
WS-Security Cont. Weaknesses:
- Does not specify how proof-of-possession must be implemented.
- Does not specify how subject confirmation must be implemented.
- Effort is still needed to ensure that the protocols built on it are not exposed to a wide range of attacks; replay, for example, is only prevented if the receiver checks the timestamps and nonces the specification provides hooks for.
- Not yet approved as a standard; at the time of this survey there were no commercial web services using the specification.
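The replay weakness of SSL-only protection (slide 8) and the WS-Security token mechanism above, as an added example that is not from the presentation: the sender builds a SOAP envelope whose wsse:Security header carries a UsernameToken with a PasswordDigest, nonce and Created time, and the receiver rejects tokens that are stale, replayed or carry a wrong digest. The digest rule is the one from the WSS UsernameToken Profile, PasswordDigest = Base64(SHA-1(nonce + created + password)) with the nonce as raw bytes; the namespaces are the OASIS WSS 1.0 ones (the 2002 draft used different URIs); the user, password, clock values, nonce cache and SOAP body are constructed for this example.

```python
"""Added example (not from the original presentation): a WS-Security
UsernameToken with PasswordDigest and the receiver-side freshness and
replay checks. User, password, clock values and SOAP body are constructed."""
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
NS = {"soap": SOAP, "wsse": WSSE, "wsu": WSU}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_created(value):
    return datetime.strptime(value, TIME_FMT).replace(tzinfo=timezone.utc)


def password_digest(nonce_b64, created, password):
    """PasswordDigest = Base64(SHA-1(nonce || created || password)), nonce as decoded bytes."""
    raw = base64.b64decode(nonce_b64) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()


def build_message(user, password, created, body_text, nonce=None):
    """Sender side: SOAP envelope whose wsse:Security header carries a digest UsernameToken."""
    nonce_b64 = base64.b64encode(nonce or os.urandom(16)).decode()
    created_s = created.strftime(TIME_FMT)
    env = ET.Element(f"{{{SOAP}}}Envelope")
    security = ET.SubElement(ET.SubElement(env, f"{{{SOAP}}}Header"), f"{{{WSSE}}}Security")
    token = ET.SubElement(security, f"{{{WSSE}}}UsernameToken")
    ET.SubElement(token, f"{{{WSSE}}}Username").text = user
    pw = ET.SubElement(token, f"{{{WSSE}}}Password", Type=DIGEST_TYPE)
    pw.text = password_digest(nonce_b64, created_s, password)   # password itself never goes on the wire
    ET.SubElement(token, f"{{{WSSE}}}Nonce").text = nonce_b64
    ET.SubElement(token, f"{{{WSU}}}Created").text = created_s
    ET.SubElement(ET.SubElement(env, f"{{{SOAP}}}Body"), "PlaceOrder").text = body_text
    return ET.tostring(env, encoding="unicode")


def verify_message(xml_text, passwords, now, seen_nonces, window=timedelta(minutes=5)):
    """Receiver side: returns (accepted, reason). seen_nonces is the replay cache, updated on accept."""
    root = ET.fromstring(xml_text)
    token = root.find("soap:Header/wsse:Security/wsse:UsernameToken", NS)
    if token is None:
        return False, "no UsernameToken"
    user = token.findtext("wsse:Username", namespaces=NS)
    digest = token.findtext("wsse:Password", namespaces=NS)
    nonce_b64 = token.findtext("wsse:Nonce", namespaces=NS)
    created = token.findtext("wsu:Created", namespaces=NS)
    if not all((user, digest, nonce_b64, created)):
        return False, "incomplete token"
    if abs(now - parse_created(created)) > window:   # stale or clock-skewed: reject
        return False, "Created outside freshness window"
    if nonce_b64 in seen_nonces:                       # same message seen before: replay
        return False, "replayed nonce"
    expected = password_digest(nonce_b64, created, passwords.get(user, ""))
    if user not in passwords or not hmac.compare_digest(expected, digest):
        return False, "bad digest"
    seen_nonces.add(nonce_b64)   # cache entries older than `window` can be dropped
    return True, "ok"


if __name__ == "__main__":
    clock = parse_created("2003-03-01T12:00:00Z")
    msg = build_message("alice", "s3cret", clock, "order 1")
    cache = set()
    print(verify_message(msg, {"alice": "s3cret"}, clock, cache))   # accepted
    print(verify_message(msg, {"alice": "s3cret"}, clock, cache))   # replay rejected
```

Two things the receiver has to get right that the base specification leaves to it: the freshness window bounds how long the nonce cache must be kept, and the nonce cache is what turns the captured-and-resent message of slide 8 into a rejected one. Neither check exists when the only protection is SSL on the transport.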
SE 690 - Survey 32
Gap Assessment Table Summary
Comparison mapping of Network Enterprise Security Requirements (the networking-issue requirements of slide 42) against WS-Security, SAML, XKMS and PKI.

Requirement                       Specifications marked as supporting it
Interoperability Support          2 of 4
Scalability Support               1 of 4
Centralized Management Support    1 of 4
Malicious Attack Support          2 of 4
SE 690 - Survey 33
Gap Assessment Table Summary
Comparison mapping of Communication Enterprise Security Requirements (the web-based communication requirements of slides 10 and 43) against WS-Security, SAML, XKMS and PKI.

Requirement                               Specifications marked as supporting it
Authentication Support                    4 of 4
Authorization Support                     2 of 4
Data Protection/Confidentiality Support   2 of 4
Data Integrity Support                    2 of 4
SE 690 - Survey 34
Model
Figure: WS-Security at the centre, surrounded by its companion specifications (WS-Policy assertions, WS-SecureConversation, WS-SecurityPolicy, WS-Trust, WS-Authorization), with SAML, XKMS and PKI mapped onto the eight requirements: Authentication, Authorization, Data Protection/Confidentiality, Data Integrity, Interoperability, Scalability, Centralized Management, Malicious Attack.
SE 690 - Survey 35
Survey Results
Current Enterprise State
SE 690 - Survey 36
About the Survey
- Explores the areas of interest and experiences of those responsible for ensuring network and web service security.
- The survey was voluntary and consisted of eight questions.
- The final survey was sent to 25 individuals; 20 submitted a completed survey.
SE 690 - Survey 37
Key Research Questions
- Rank web-based communication security requirements based on security framework importance.
- Rank networking issue requirements based on security framework importance.
- Rank security methods in terms of effectiveness in acquiring information security at an organization.
SE 690 - Survey 38
Survey Findings
Experienced any of these security breaches:

Security Breach                          Yes    No
Viruses or Worms                         95%    5%
Attacks related to Protocol Weaknesses   43%    57%
Attacks related to insecure passwords    19%    81%
Attacks on bugs in Web Servers           52%    48%
SE 690 - Survey 39
Survey Findings
Level of concern in the following issues:
1 (Highest) Malicious Code Infection
2 System Unavailability
3 Loss of Confidentiality/Privacy
4 (Lowest) Physical Security
SE 690 - Survey 40
Survey Findings
Method effectiveness in terms of acquiring information security in an organization:
1 (Most) Conduct vulnerability assessment
2 Scare them with hacker stories
3 Argue that security should be funded out of indiv.
4 (Least) Explain the relationship between security and complying with legal industry requirements
SE 690 - Survey 41
Survey Findings
Priority of the following items by importance to an organization:
1 (Most) Security and availability for Web site and e-commerce operations
2 Strengthening the network perimeter to prevent external intrusions
3 Securing remote access for traveling employees/remote offices
4 Centralized management of control data
5 (Least) Preventing employees or outsiders from abusing access rights
SE 690 - Survey 42
Survey Findings
Prioritize the Networking Issue Requirements based on security framework importance:
1 (Greatest) Interoperability
2 Scalability
3 Malicious Attack
4 (Least) Centralized Management
SE 690 - Survey 43
Survey Findings
Prioritize the web-based Communication Security Requirements based on security framework importance:
1 (Greatest) Data Protection/Confidentiality
2 Data Integrity
3 Authorization
4 (Least) Authentication
SE 690 - Survey 44
Conclusion and Recommendation
SE 690 - Survey 45
Managing Web Security
- It is difficult to determine a single best strategy.
- For applications that need strong authentication and authorization, the WS-Security and SAML specifications should be considered.
- For concerns about malicious attack and data protection, XKMS and SAML should be considered.
- XKMS joined with WS-Security strengthens digital signing, including the signing of SAML assertions, because the signing keys can be located and validated through the XKMS service.
SE 690 - Survey 46
Managing Web Security Cont.
- SAML combined with WS-Security should use techniques such as XML Signature and XML Encryption to protect the assertions and the messages that carry them.
- SAML assertions should be carried as security tokens as defined in WS-Security.
- SAML traffic should be secured by an XKMS-based PKI, with the signing and encryption keys registered and validated through XKMS.
SE 690 - Survey 47
Managing Web Security Cont.
- The most effective method of acquiring information security in an organization is conducting vulnerability assessments and explaining the relationship between security and legal requirements.
- The main obstacle to achieving web service security is the technical challenge and complexity of using the security specification toolkit products; reducing that complexity is the priority.
SE 690 - Survey 48
Potential Future Work
Research and analyze whether an implementation of WS-Security, PKI, SAML and XKMS on Web Services is enough to give a system the security it needs.
SE 690 - Survey 49
Conclusion
For more information please visit the project web site: http://shrike.depaul.edu/~cfhied/se690/abstract.html
Thank you!!!