WS 08 Security

8/11/2019 WS 08 Security

1/47

!

#$%&'()*+ ,-!- ./0(12 #2''( 3 4'15/6 7$8/92:

Web Services

Web Service Security


2/47

,

Where Are We?

# Title

1 Distributed Information Systems

2 Middleware

3 Web Technologies

4 Web Services

5 Basic Web Service Technologies

6 Web Service Composition

7 Web 2.0 Services

8 Web Service Security


3/47

;

Outline

Motivation

Technical solution

Basic techniques

Channel and data security

SOAP services security

Web 2.0 services security

Summary

Resources


4/47

Is Security Different?


7/47

?

How Much Security?

There is no 100% security

Which does not mean that we shouldnt bother about it...

The security engineer needs to evaluate the security

requirementsof the case, the value of the informationto be protected, the costs and drawbacks of security

measures... and select adequate security measures

What can be adequate for my personal mailbox is probably not

adequate for some military secrets...


8/47

@

Basic Security Aspects

Confidentiality

Protect information from unauthorised disclosure

Integrity

Ensure that information has not been changed by an

unauthorised party

Authentication

Ensure that the communicating partys identity is what it is

claimed to be (who are you?)

Authorisation

Prevent unauthorised usage of resources (what can you do?)

Non-repudiation

Ensure that parties cannot deny their previous actions

Availability Ensure that information/service is available when needed


9/47

A

Technical Solution

Basic Techniques


10/47

!-

Encryption

Encryption is used to protect information fromdisclosure (it guarantees confidentiality) Information is transformed so that unauthorised parties cannot

understand it

It is achieved using encryption algorithms

E.g. AES(Advanced Encryption Standard), DES(DataEncryption Standard obsolete but still widespread)

The algorithm uses a parameter called key

Often the same key is used to encrypt and decrypt, andtherefore it must be secret (symmetric cryptography)

Public key cryptography can be used to establish a shared secret

key between communicating parties (public key cryptography iscomputationally expensive)

The key must be difficult to guess, so it must be long (many bits)


11/47


12/47


13/47

!;

Digital Signatures

+,-"./0$!

-!"!$.'("

document

+,-"./0$!

1!$,2#.'("

senders

private key

document

+ signature

document

+ signature

senders

public key

ok

invalid

ABC ABC

ABC


14/47

!

Certificates


17/47

!?

Technical Solution

Channel and XML Data Security


18/47

!@

Near the Wire: TLS/SSL

The TLSprotocol (Transport Layer Security IETF RFC

5246), together with its predecessor SSL(Secure Socket

Layer originally developed by Netscape), is the mostcommon security solution to protect Web communication

It is still common to say SSL even if what is used today ismostly TLS

TLS/SSL stays between TCP and the application-layer

protocol(usually HTTP), providing:

data flow confidentiality through encryption

data flow integrity through message authentication codes

endpoint authentication through public keys and certificates

HTTPSmeans HTTP over TLS/SSL


19/47

!A


TLS/SSL is well established and quite lightweight, butwhat it provides is basically a secure TCP connection

This has important consequences:

TLS/SSL protects the wire, not the message

Once the data reach the endpoint of the connection, no security

guarantee applies anymore It is not possible to selectively protect only part of the message

TLS/SSL only protects point-to-point (at TCP level)communications

Endpoints of the wire (at TCP level), not of the message

If there are higher-level intermediaries, they can read and modify all

data Endpoint authentication is between pairs of TCP endpoints, which

can differ from message-level endpoints (because of intermediaries)


20/47

,-


.&&3,#.'("

4556

5789887

.&&3,#.'("

4556

5789887

.&&3,#.'("

4556

5789887

sender intermediary ultimate receiver

ABC

ABC

ABC

ABC

ABC

ABC


21/47


22/47

,,

XML Data Security

With XML Signature, the signature and the signed data

can be in the same document (envelopedor

envelopingsignature) or in separate documents(detachedsignature)

B()621 1/+/

C4()6/+D'2E

CF2G2'26:2E

C4()6/+D'2E

CF2G2'26:2E

B()621 1/+/

C4()6/+D'2E

CF2G2'26:2E

B()621 1/+/

enveloped

signatureenveloping

signature

detached

signature


23/47

,;

XML Data Security

XML Signature example (detached signature)!"#$%&'()* ,-./012#)3'"#$%&'()*/ 456%3.7''89::;;;- H6$>)#'75./7''89::;;;- H6$>)#'75./7''89::;;;

!Z*1,%D>C

!Z*1R&6(*C

!Q"HZ*1R&6(*C

![C


24/47

,%CJ?:JJ!:P48#)&'#>%C

!:E)*-#'E&)-C

!:[&15*%',%D>C

![&15*%',%D>C

!\&5*C]>7% "5#'7!:\&5*C

!P%F)18'*-Q&'&C


25/47

,=

Technical Solution

SOAP Services Security


26/47


27/47

,?

Identity: SAML

SAML(Security Assertion Markup Language OASISstandard) allows generating and exchanging securityassertions about subjects between trusting parties

Authentication statements

State that the subject has been successfully authenticated at the

specified time and using the specified method Used for single sign-on

Attribute statements

State that the subject is associated with the specified attributes(expressed as name-value pairs)

Used for ABAC

Authorisation decision statements

State that the subject has (or has not) been granted access to thespecified resource

Intentionally limited XACML provides much more


28/47

,@

Identity: SAML

Example structure of a SAML assertion

!H33*)'#>%C

!,33(*)C


29/47

,A

Identity: SAML

Example: SAML Web single sign-on profile

:3,!"/ 8!$1,#!8;


30/47

;-

SOAP Message Security: WS-Security

WS-Security(OASIS Standard) specifies how to secure

a SOAP message

It leverages on other security standards as building blocks

WS-Security allows the inclusion in a SOAP message of:

Digital signatures Guarantee message integrity and origin

XML Signature is used

Encrypted parts (body blocks or header blocks)

Guarantee message confidentiality

XML Encryption is used

Security tokens

Assert claims, e.g. about identity or attributes of the client


31/47

;!


A security tokencontains a set of claims about some

properties of an entity which are relevant for security

purposes

E.g. identity or other attributes

WS-Security supports different types of security tokens

E.g. username and password, X.509 certificates, SAMLassertions

Signed tokens are tokens endorsed by a third partyacting as an authority

E.g. X.509 certificates and SAML assertions


32/47

;,


WS-Security defines the header,

which contains signatures and security tokens

A single SOAP message can contain multiple headers, addressed to different entities

B$/%HI602J$%2

B$/%HK2/12'

B$/%HL$1&

MBB2H42:D'(+&.()(+/J B()6/+D'242:D'(+& +$N26

I6:'&%+21 *2/12'

I6:'&%+21 O$1&


33/47

;;

SOAP Message Security: Other Standards

WS-Trust

Defines the concept of a Security Token Service (STS), and

provides methods for issuing, renewing, and validating security

tokens

OASIS Standard

WS-SecureConversation

Allows to establish a security context that can be reused

across multiple SOAP messages (for performance reasons),

rather than securing single messages (the security context is a

security token)

OASIS Standard


34/47

;

Authorisation: XACML

Figure from XACML specification

XACML data flow

PAP: Policy Administration Point

PDP: Policy Decision PointPEP: Policy Enforcement Point

PIP: Policy Information Point


37/47

;?

Technical Solution

Web 2.0 Services Security


38/47

;@

REST Services and Security

REST lacks a well-articulated security model

Moreover, the idea of being quick and easy does not help

Basic techniques such as TLS/SSL can of course be

applied, but they only address part of the problem

Simple, ad-hoc solutions are often used

Some grassroot efforts towards standards exist, to

address some specific problems:

OpenID, to have a unified identity

OAuth, to delegate access rights (e.g. in mashups)


39/47

;A

Identity: OpenID

OpenIDallows users to use a unified identity on the

Web, rather than a separate identity for each service

The user id (the OpenID) is a URI

The user identity is managed by an OpenID provider, which can

authenticate the user using some credential

Service providers such as Google, Yahoo, Flickr, Wordpress.com

are OpenID providers

Standalone OpenID providers also exist

The user provides only his OpenID to other services,which rely on the OpenID provider for authentication

The flow is very similar to SAML Web single sign-on profile SAML has however a broader scope, and is designed to be

extensible and used in different contexts


40/47


41/47

Authorisation & Delegation: OAuth

OAuth identifies three roles:

resource owner (user)

client(consumer)

server(service provider)

The main steps are:

The client redirects the user

to the server

The server asks the user if hewants to grant the client access

to his data

If the user agrees, the clientobtains a token that it can use

to access the serverPicture

Yaho

o!


42/47


43/47


44/47


45/47


46/47

References

Reference reading

E. Bertino, L. Martino, F. Paci, A. Squicciarini. Security for Web Services and Service-Oriented

Architectures. Springer, 2010. 4thchapter

Wiki and Web references Information security http://en.wikipedia.org/wiki/Information_security

TLS/SSL http://en.wikipedia.org/wiki/Transport_Layer_Security

XML Signature http://en.wikipedia.org/wiki/XML_Signature

http://www.w3.org/TR/xmldsig-core/

XML Encryption http://en.wikipedia.org/wiki/XML_Encryption

http://www.w3.org/TR/xmlenc-core/

SAML http://en.wikipedia.org/wiki/Security_Assertion_Markup_Language

http://www.oasis-open.org/committees/security

WS-Security http://en.wikipedia.org/wiki/WS-Security

http://www.oasis-open.org/committees/wss

XACML http://en.wikipedia.org/wiki/XACML

http://www.oasis-open.org/committees/xacml/

OpenID http://en.wikipedia.org/wiki/OpenID

http://openid.net/

OAuth http://en.wikipedia.org/wiki/OAuth

http://oauth.net/


47/47

Documents

WS 08 Security