Upload
david-bambang-tri-wijaya
View
223
Download
0
Embed Size (px)
Citation preview
8/11/2019 WS 08 Security
1/47
!
#$%&'()*+ ,-!- ./0(12 #2''( 3 4'15/6 7$8/92:
Web Services
Web Service Security
8/11/2019 WS 08 Security
2/47
,
Where Are We?
# Title
1 Distributed Information Systems
2 Middleware
3 Web Technologies
4 Web Services
5 Basic Web Service Technologies
6 Web Service Composition
7 Web 2.0 Services
8 Web Service Security
8/11/2019 WS 08 Security
3/47
;
Outline
Motivation
Technical solution
Basic techniques
Channel and data security
SOAP services security
Web 2.0 services security
Summary
Resources
8/11/2019 WS 08 Security
4/47
Is Security Different?
8/11/2019 WS 08 Security
7/47
?
How Much Security?
There is no 100% security
Which does not mean that we shouldnt bother about it...
The security engineer needs to evaluate the security
requirementsof the case, the value of the informationto be protected, the costs and drawbacks of security
measures... and select adequate security measures
What can be adequate for my personal mailbox is probably not
adequate for some military secrets...
8/11/2019 WS 08 Security
8/47
@
Basic Security Aspects
Confidentiality
Protect information from unauthorised disclosure
Integrity
Ensure that information has not been changed by an
unauthorised party
Authentication
Ensure that the communicating partys identity is what it is
claimed to be (who are you?)
Authorisation
Prevent unauthorised usage of resources (what can you do?)
Non-repudiation
Ensure that parties cannot deny their previous actions
Availability Ensure that information/service is available when needed
8/11/2019 WS 08 Security
9/47
A
Technical Solution
Basic Techniques
8/11/2019 WS 08 Security
10/47
!-
Encryption
Encryption is used to protect information fromdisclosure (it guarantees confidentiality) Information is transformed so that unauthorised parties cannot
understand it
It is achieved using encryption algorithms
E.g. AES(Advanced Encryption Standard), DES(DataEncryption Standard obsolete but still widespread)
The algorithm uses a parameter called key
Often the same key is used to encrypt and decrypt, andtherefore it must be secret (symmetric cryptography)
Public key cryptography can be used to establish a shared secret
key between communicating parties (public key cryptography iscomputationally expensive)
The key must be difficult to guess, so it must be long (many bits)
8/11/2019 WS 08 Security
11/47
8/11/2019 WS 08 Security
12/47
8/11/2019 WS 08 Security
13/47
!;
Digital Signatures
+,-"./0$!
-!"!$.'("
document
+,-"./0$!
1!$,2#.'("
senders
private key
document
+ signature
document
+ signature
senders
public key
ok
invalid
ABC ABC
ABC
8/11/2019 WS 08 Security
14/47
!
Certificates
8/11/2019 WS 08 Security
17/47
!?
Technical Solution
Channel and XML Data Security
8/11/2019 WS 08 Security
18/47
!@
Near the Wire: TLS/SSL
The TLSprotocol (Transport Layer Security IETF RFC
5246), together with its predecessor SSL(Secure Socket
Layer originally developed by Netscape), is the mostcommon security solution to protect Web communication
It is still common to say SSL even if what is used today ismostly TLS
TLS/SSL stays between TCP and the application-layer
protocol(usually HTTP), providing:
data flow confidentiality through encryption
data flow integrity through message authentication codes
endpoint authentication through public keys and certificates
HTTPSmeans HTTP over TLS/SSL
8/11/2019 WS 08 Security
19/47
!A
Near the Wire: TLS/SSL
TLS/SSL is well established and quite lightweight, butwhat it provides is basically a secure TCP connection
This has important consequences:
TLS/SSL protects the wire, not the message
Once the data reach the endpoint of the connection, no security
guarantee applies anymore It is not possible to selectively protect only part of the message
TLS/SSL only protects point-to-point (at TCP level)communications
Endpoints of the wire (at TCP level), not of the message
If there are higher-level intermediaries, they can read and modify all
data Endpoint authentication is between pairs of TCP endpoints, which
can differ from message-level endpoints (because of intermediaries)
8/11/2019 WS 08 Security
20/47
,-
Near the Wire: TLS/SSL
.&&3,#.'("
4556
5789887
.&&3,#.'("
4556
5789887
.&&3,#.'("
4556
5789887
sender intermediary ultimate receiver
ABC
ABC
ABC
ABC
ABC
ABC
8/11/2019 WS 08 Security
21/47
8/11/2019 WS 08 Security
22/47
,,
XML Data Security
With XML Signature, the signature and the signed data
can be in the same document (envelopedor
envelopingsignature) or in separate documents(detachedsignature)
B()621 1/+/
C4()6/+D'2E
CF2G2'26:2E
C4()6/+D'2E
CF2G2'26:2E
B()621 1/+/
C4()6/+D'2E
CF2G2'26:2E
B()621 1/+/
enveloped
signatureenveloping
signature
detached
signature
8/11/2019 WS 08 Security
23/47
,;
XML Data Security
XML Signature example (detached signature)!"#$%&'()* ,-./012#)3'"#$%&'()*/ 456%3.7''89::;;;- H6$>)#'75./7''89::;;;- H6$>)#'75./7''89::;;;
!Z*1,%D>C
!Z*1R&6(*C
!Q"HZ*1R&6(*C
![C
8/11/2019 WS 08 Security
24/47
,%CJ?:JJ!:P48#)&'#>%C
!:E)*-#'E&)-C
!:[&15*%',%D>C
![&15*%',%D>C
!\&5*C]>7% "5#'7!:\&5*C
!P%F)18'*-Q&'&C
8/11/2019 WS 08 Security
25/47
,=
Technical Solution
SOAP Services Security
8/11/2019 WS 08 Security
26/47
8/11/2019 WS 08 Security
27/47
,?
Identity: SAML
SAML(Security Assertion Markup Language OASISstandard) allows generating and exchanging securityassertions about subjects between trusting parties
Authentication statements
State that the subject has been successfully authenticated at the
specified time and using the specified method Used for single sign-on
Attribute statements
State that the subject is associated with the specified attributes(expressed as name-value pairs)
Used for ABAC
Authorisation decision statements
State that the subject has (or has not) been granted access to thespecified resource
Intentionally limited XACML provides much more
8/11/2019 WS 08 Security
28/47
,@
Identity: SAML
Example structure of a SAML assertion
!H33*)'#>%C
!,33(*)C
8/11/2019 WS 08 Security
29/47
,A
Identity: SAML
Example: SAML Web single sign-on profile
:3,!"/ 8!$1,#!8;
8/11/2019 WS 08 Security
30/47
;-
SOAP Message Security: WS-Security
WS-Security(OASIS Standard) specifies how to secure
a SOAP message
It leverages on other security standards as building blocks
WS-Security allows the inclusion in a SOAP message of:
Digital signatures Guarantee message integrity and origin
XML Signature is used
Encrypted parts (body blocks or header blocks)
Guarantee message confidentiality
XML Encryption is used
Security tokens
Assert claims, e.g. about identity or attributes of the client
8/11/2019 WS 08 Security
31/47
;!
SOAP Message Security: WS-Security
A security tokencontains a set of claims about some
properties of an entity which are relevant for security
purposes
E.g. identity or other attributes
WS-Security supports different types of security tokens
E.g. username and password, X.509 certificates, SAMLassertions
Signed tokens are tokens endorsed by a third partyacting as an authority
E.g. X.509 certificates and SAML assertions
8/11/2019 WS 08 Security
32/47
;,
SOAP Message Security: WS-Security
WS-Security defines the header,
which contains signatures and security tokens
A single SOAP message can contain multiple headers, addressed to different entities
B$/%HI602J$%2
B$/%HK2/12'
B$/%HL$1&
MBB2H42:D'(+&.()(+/J B()6/+D'242:D'(+& +$N26
I6:'&%+21 *2/12'
I6:'&%+21 O$1&
8/11/2019 WS 08 Security
33/47
;;
SOAP Message Security: Other Standards
WS-Trust
Defines the concept of a Security Token Service (STS), and
provides methods for issuing, renewing, and validating security
tokens
OASIS Standard
WS-SecureConversation
Allows to establish a security context that can be reused
across multiple SOAP messages (for performance reasons),
rather than securing single messages (the security context is a
security token)
OASIS Standard
8/11/2019 WS 08 Security
34/47
;
Authorisation: XACML
Figure from XACML specification
XACML data flow
PAP: Policy Administration Point
PDP: Policy Decision PointPEP: Policy Enforcement Point
PIP: Policy Information Point
8/11/2019 WS 08 Security
37/47
;?
Technical Solution
Web 2.0 Services Security
8/11/2019 WS 08 Security
38/47
;@
REST Services and Security
REST lacks a well-articulated security model
Moreover, the idea of being quick and easy does not help
Basic techniques such as TLS/SSL can of course be
applied, but they only address part of the problem
Simple, ad-hoc solutions are often used
Some grassroot efforts towards standards exist, to
address some specific problems:
OpenID, to have a unified identity
OAuth, to delegate access rights (e.g. in mashups)
8/11/2019 WS 08 Security
39/47
;A
Identity: OpenID
OpenIDallows users to use a unified identity on the
Web, rather than a separate identity for each service
The user id (the OpenID) is a URI
The user identity is managed by an OpenID provider, which can
authenticate the user using some credential
Service providers such as Google, Yahoo, Flickr, Wordpress.com
are OpenID providers
Standalone OpenID providers also exist
The user provides only his OpenID to other services,which rely on the OpenID provider for authentication
The flow is very similar to SAML Web single sign-on profile SAML has however a broader scope, and is designed to be
extensible and used in different contexts
8/11/2019 WS 08 Security
40/47
8/11/2019 WS 08 Security
41/47
Authorisation & Delegation: OAuth
OAuth identifies three roles:
resource owner (user)
client(consumer)
server(service provider)
The main steps are:
The client redirects the user
to the server
The server asks the user if hewants to grant the client access
to his data
If the user agrees, the clientobtains a token that it can use
to access the serverPicture
Yaho
o!
8/11/2019 WS 08 Security
42/47
8/11/2019 WS 08 Security
43/47
8/11/2019 WS 08 Security
44/47
8/11/2019 WS 08 Security
45/47
8/11/2019 WS 08 Security
46/47
References
Reference reading
E. Bertino, L. Martino, F. Paci, A. Squicciarini. Security for Web Services and Service-Oriented
Architectures. Springer, 2010. 4thchapter
Wiki and Web references Information security http://en.wikipedia.org/wiki/Information_security
TLS/SSL http://en.wikipedia.org/wiki/Transport_Layer_Security
XML Signature http://en.wikipedia.org/wiki/XML_Signature
http://www.w3.org/TR/xmldsig-core/
XML Encryption http://en.wikipedia.org/wiki/XML_Encryption
http://www.w3.org/TR/xmlenc-core/
SAML http://en.wikipedia.org/wiki/Security_Assertion_Markup_Language
http://www.oasis-open.org/committees/security
WS-Security http://en.wikipedia.org/wiki/WS-Security
http://www.oasis-open.org/committees/wss
XACML http://en.wikipedia.org/wiki/XACML
http://www.oasis-open.org/committees/xacml/
OpenID http://en.wikipedia.org/wiki/OpenID
http://openid.net/
OAuth http://en.wikipedia.org/wiki/OAuth
http://oauth.net/
8/11/2019 WS 08 Security
47/47