1 / 45

Web Services Security

Web Services Security. Lin Yan Department of ECE University of Manitoba Manitoba, Canada. Web Services Security. Introduction Technologies for Web Services Security Credit Card Web Service Architecture Building a Credit Card Web Service using SOAP, WSDL and UDDI

kimn
Download Presentation

Web Services Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Web Services Security Lin Yan Department of ECE University of Manitoba Manitoba, Canada

  2. Web Services Security • Introduction • Technologies for Web Services Security • Credit Card Web Service Architecture • Building a Credit Card Web Service using SOAP, WSDL and UDDI • Credit Card Web Service Implementation • Comparison and Conclusions

  3. Introduction • The Internet • Conceived in the 1960s • ARPANET went online in the 1970s • TCP/IP was created in 1980s • Changed the way business operate • Web Services • Definition • Purpose • Architecture

  4. Service Provider Publish Bind Service Broker Service Requester Find Introduction Web Services Architecture

  5. Introduction • Associated Web Services Standards • Extensible Markup Language - XML • A Syntax to define markup language • To structure the document in a standard way and make it machine-readable • Operating system independent • Simple Object Access Protocol - SOAP • XML based protocol for the exchange of information in a decentralized, distributed environment • Consists of three parts: envelope, encoding rules and convention for representing RPCs and responses

  6. Introduction • Associated Web Services Standards • Web Services Description Language - WSDL • Creates a standard way for specifying the details of a Web service • Clients can use Web service even they have no prior knowledge of the service • Universal Description, Discovery, Integration - UDDI • Directory service where businesses and organizations can register, deregister and look up Web services • Platform-independent framework for describing services, discovering businesses, and integrating business services

  7. Introduction • Motivations and Objectives • Provide security issues while users access Web services over the Internet • Confidentiality • Integrity • Non-repudiation • Accountability

  8. Technologies for Web Services Security • Public Key Infrastructure • Security through cryptography • Encryption key pair • Signing key pair • Certificates • Contain the basic information detailing a person’s identity and his/her public key • Certification Authority • A trusted entity that issues the certificates

  9. Technologies for Web Services Security • Public Key Infrastructure • Public Key Infrastructure • Enabling trust through a Certification Authority • Certificate retrieval from a certificate repository • Certificate revocation • Key backup and recovery • Automatic update of key pairs and certificates • Non-repudiation

  10. Technologies for Web Services Security • XML Signature • A specification for encrypting data and tags within an XML document • A digital signature expressed in XML • Allows for signing part of an XML document • Example

  11. Technologies for Web Services Security <Signature Id="MyFirstSignature" xmlns="http://www.w3.org/2000/09/xmldsig#"> <SignedInfo> <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/> <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/> <Reference URI="http://www.w3.org/TR/2000/REC-xhtml1-20000126/"> <Transforms> <Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/> </Transforms> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> <DigestValue>j6lwx3rvEPO0vKtMup4NbeVu8nk=</DigestValue> </DigestMethod> </Reference> </SignedInfo> <SignatureValue>MC0CFFrVLtRlk=...</SignatureValue> <KeyInfo> <KeyValue> <DSAKeyValue> ……. </DSAKeyValue> </KeyValue> </KeyInfo> </Signature>

  12. Technologies for Web Services Security • XML Encryption • A specification for encrypting and decrypting digital content • Encrypted content can be represented in XML • The portions of a document can be selectively encrypted • Example

  13. Technologies for Web Services Security • Encrypting the CreditCard Element <?xml version='1.0'?> <PaymentInfo xmlns='http://UM.edu/details'> <Name>Alice</Name> <EncryptedData Type='http://www.w3.org/2001/04/xmlenc#Element' xmlns='http://www.w3.org/2001/04/xmlenc#'> <CipherData> <CipherValue>A23B45C56…</CipherValue> </CipherData> </EncryptedData> </PaymentInfo>

  14. Technologies for Web Services Security • XML Key Management Specification - XKMS • Outlines protocols for the distribution and registration of public keys • Supports XML Encryption and XML Signature • Contains two parts: • XML Key Information Service Specification X-KISS • XML Key Registration Service Specification X-KRSS

  15. Technologies for Web Services Security • XML Key Information Service Specification • Locates public key • Clients send a locate request to the XKMS service. • The locate service resolves the <ds:KeyInfo> element to get the public key and its binding information • XKMS sends it back to client • Validates public key • The validate service validates the returned key according to the policy of the validate service

  16. Technologies for Web Services Security • XML Key Registration Service Specification • Register • Enables the client to register a public key pair with an XKMS service. • Reissue • Allows the previously registered key binding to be issued again • Revoke • Recover

  17. Technologies for Web Services Security • WS-Security • A mechanism for signing and encrypting parts of a SOAP message • A standard set of SOAP extensions to be used to build secure Web services • Provides three major mechanism • Message integrity • Message confidentiality • Ability to pass around security tokens as part of a message • IBM/Microsoft Web Services Security Road Map

  18. Credit Card Web Service Architecture • The Client/Server Model • Describes the relationship between two computer programs • One program, the client, makes a service request to another program, the server • The server fulfills the request • 3-tier Architecture • User interface • Business logic • Databases and programming related to managing it

  19. Credit Card Web Service Architecture • 3-tier Architecture in a Credit Card Web Service • The presentation layer • Contains the presentation objects responsible for presenting information to end-users • In our application, Input.jsp, Method.jsp and Result.jsp are presentation objects to allow the user to input a credit card number and perform the get limit action and display the result • The business layer • Contains the business objects, each of which is responsible for a specific business process • In our application, CreditCardService.java was defined as a business object which is responsible for validating a credit card

  20. Credit Card Web Service Architecture • 3-tier Architecture in Credit Card Web Service • The data layer • Contains the data objects (DO) and the methods used to handle the different data components • In our application, a card DO contains the information of a credit card. It can contain attributes such as card number, card type, expiration date, etc. • A database manager controls an application’s pool of database connections

  21. Credit Card Web Service Architecture • Use Case Analysis • Explore the UML modeling technique to describe the credit card system development • In our credit card checking scenario, there are four actors: • The client • Browser • Controller • Database server

  22. Credit Card Web Service Architecture • Entrust PKI • Entrust PKI Architecture • Authority • Authority Master Control • Registration Authority • Authority Database • Directory

  23. Credit Card Web Service Architecture • Entrust PKI • Entrust PKI User Roles • Master user • Security officer • Administrator • Directory Administrator • Auditor • End user

  24. Credit Card Web Service Architecture • Public-Key Cryptographic Standard #7 • PKCS #7 is the Cryptographic Message Syntax standard which describes a general syntax for data that may have cryptography applied to it • Supports many different content types • PKCS #7 was used in the Credit Card Web Services application to encrypt and digitally sign the sensitive information

  25. Building Credit Card Web Service using SOAP, WSDL and UDDI • Credit Card Web Service Overview • Provides credit card validation and limit check business functions • Also a Web Services consumer. It consumes other Web Services such as update card service, cancel card service • Credit card validation service example

  26. Building Credit Card Web Service using SOAP, WSDL and UDDI • SOAP Message Structure • SOAP request for the getLimit service • The request takes a string parameter, an encrypted credit card number <soap:Body> <m:getLimitRequest xmlns: m=”http://tempuri.org/um.edu.CreditCardService”> <cardNo xsi:type=’xsd:string’ >ATKEKDL…</cardNo> </m:getLimitRequest> </soap:Body>

  27. Building Credit Card Web Service using SOAP, WSDL and UDDI • SOAP Message Structure • SOAP response for the getLimit service • The response returns a float, the limit amount of the card <soap:Body> <m:getLimitResponse xmlns: m=”http://tempuri.org/um.edu.CreditCardService”> <Limit>3000.00</Limit> </m:getLimitResponse> </soap:Body>

  28. Building Credit Card Web Service using SOAP, WSDL and UDDI • SOAP Message Encoding • Provides a standard data encoding scheme • Makes use of types defined in XML schema and creates the mapping for language-specific type definition to ensure interoperability • “xsd:string” indicates a mapping from Java type String t XML Schema type string

  29. Building Credit Card Web Service using SOAP, WSDL and UDDI • WSDL • A WSDL document provides the necessary details for a service requestor to contact and consume a service • Consists of a set of definitions • Definition • Types • Message • PortType • Binding • Port • Service

  30. Building Credit Card Web Service using SOAP, WSDL and UDDI • UDDI • UDDI Business Registry • An implementation of the UDDI specification • Public UDDI Business Registry • Operator site • Node operators • Private UDDI Business Registry

  31. Building Credit Card Web Service using SOAP, WSDL and UDDI • UDDI • Using UDDI to Register and Find a Service • Register Credit Card Web Service through IBM UDDI Business Registry • Obtain a user account • Register the business information and get a unique business ID • Register the Credit Card Web Service to get a unique service ID and specify the access point • Find a registered business

  32. Credit Card Web Service Implementation • Implementation Language • Java 1.5 • Portability • Extensibility • Cost effectiveness • Performance • Implementation Tools • Entrust Authority Security Toolkit for Java • IBM Websphere Studio

  33. Credit Card Web Service Implementation • Entrust Authority Security Toolkit for Java • Overview • Gives the ability to add trusted security to our application • Gives our application access to the underlying security structure of a PKI • Architecture • Low-level API resides on top of JCE (Java Cryptography Extension • High-level API provides classes that implement frequently used cryptographic tasks

  34. Credit Card Web Service Implementation • Entrust Authority Security Toolkit for Java • Credentials • Used to describe a set of data that contains a user’s critical cryptographic information • In an Entrust PKI, an Entrust Profile is used to contain a user’s public and private credentials • Identifying a User • The process of logging in involves reading and verifying a user’s credentials • In our case, we use an Entrust Profile yanlin.epf to perform the log in task

  35. Credit Card Web Service Implementation • IBM Websphere Studio • State-of-art Java IDE • Provides development tools to enable the creation, development and deployment of Web service • Logic flow of Credit Card Web Service in WSAD • Create a Credit Card Web Service • Generate Deployment Descriptor to deploy this Web Service on the server • Generated CreditCardServiceProxy to accept the client requests • Used SOAP to encode invocation parameters and results over HTTP

  36. Credit Card Web Service Implementation • PKCS #7 Implementation with Entrust Toolkit • Encode • Instantiate, and log in, a user • Create PKCS7EncodeStream object • Specify the digest and encryption algorithms • Specify the input data and write the encrypted and signed data to the output stream • Decode • Instantiate, and log in, a user • Create PKCS7DecodeStream object • Read the decrypted and signed data

  37. Credit Card Web Service Implementation • Database Design and Implementation • IBM DB2 Universal Database was chosen as the DBMS system • Established a database with a name CCARD which stores the information of credit cards and card holders • Two tables were defined, linked by the card number attribute • JDBC is used to access the database through the business layer

  38. Comparison with other Web Services Security Solutions • Benefits/Limitations of existing technologies • Security Assertions Markup Language – SAML • Extensible Access Control Markup Language – XACML • Put web services security technologies together • Benefits/Limitations of the proposed solutions

  39. Comparison with other Web Services Security Solutions • SAML • Includes four main components • Assertions, which are declarations of fact about a subject • Request/response protocol to exchange assertions • Bindings to transport SAML assertion messages • Profiles defines constraints and/or extensions of the core protocols and assertions • Enables cross-domain trust • Single sign-on • Distributed transaction • An authorization service

  40. Comparison with other Web Services Security Solutions • XACML • Describes both an access control policy language and a request/response language • Consistent with and builds on SAML • Reduces the cost of developing an application-specific access control language • Helps applications interoperate more easily • Extensible • Too complicated, needs too much configuration while setting up hierarchical resources • Response message is more verbose

  41. Comparison with other Web Services Security Solutions • Putting It Together • How Web services security standards work together • The standards are new emerging technologies, not yet mature • Adding the security information into the SOAP header increases the overhead, may affect the efficiency • XML encryption and XML signatures are complex • Identity collisions may occur when encrypted contents generated in one context are dropped in another context

  42. Comparison with other Web Services Security Solutions • Benefits of the proposed solutions • Mature technology PKI as our basic underlying security infrastructure • PKI is the fundamental component of Web services security architecture • PKI can let the companies to build their own security system • Act as their own Certificate Authority (CA) • Confidentiality • Authentication • Non-repudiation • Integrity • Automatic key management

  43. Comparison with other Web Services Security Solutions • Limitations of the proposed solutions • Discovery and validation of the certification paths is complex • Cost • Build and manage circles of trust

  44. Conclusions • Designed and developed a Credit Card Web Service using SOAP, WSDL and UDDI • Presented a viable approach for securing the Credit Card Web service through the use of PKI and PKCS #7 standard • Increased the security of transferring XML messages over the Internet • Drew a comparison between this approach and the new emerging Web services security standards

  45. Thanks …...

More Related