web services security lin yan department of ece university of manitoba manitoba, canada
TRANSCRIPT
2
Web Services Security
Introduction Technologies for Web Services Security Credit Card Web Service Architecture Building a Credit Card Web Service using
SOAP, WSDL and UDDI Credit Card Web Service Implementation Comparison and Conclusions
3
Introduction
The Internet Conceived in the 1960s ARPANET went online in the 1970s TCP/IP was created in 1980s Changed the way business operate
Web Services Definition Purpose Architecture
4
Introduction
ServiceBroker
ServiceRequester
ServiceProvider
Publish
Find
Bind
Web Services Architecture
5
Introduction
Associated Web Services Standards Extensible Markup Language - XML
A Syntax to define markup language To structure the document in a standard way and make it
machine-readable Operating system independent
Simple Object Access Protocol - SOAP XML based protocol for the exchange of information in a
decentralized, distributed environment Consists of three parts: envelope, encoding rules and
convention for representing RPCs and responses
6
Introduction
Associated Web Services Standards Web Services Description Language - WSDL
Creates a standard way for specifying the details of a Web service
Clients can use Web service even they have no prior knowledge of the service
Universal Description, Discovery, Integration - UDDI Directory service where businesses and organizations can
register, deregister and look up Web services Platform-independent framework for describing services,
discovering businesses, and integrating business services
7
Introduction
Motivations and Objectives Provide security issues while users access Web
services over the Internet Confidentiality Integrity Non-repudiation Accountability
8
Technologies for Web Services Security
Public Key Infrastructure Security through cryptography
Encryption key pair Signing key pair
Certificates Contain the basic information detailing a person’s identity
and his/her public key Certification Authority
A trusted entity that issues the certificates
9
Technologies for Web Services Security
Public Key Infrastructure Public Key Infrastructure
Enabling trust through a Certification Authority Certificate retrieval from a certificate repository Certificate revocation Key backup and recovery Automatic update of key pairs and certificates Non-repudiation
10
Technologies for Web Services Security
XML Signature A specification for encrypting data and tags within
an XML document A digital signature expressed in XML Allows for signing part of an XML document Example
11
Technologies for Web Services Security<Signature Id="MyFirstSignature" xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
<Reference URI="http://www.w3.org/TR/2000/REC-xhtml1-20000126/">
<Transforms>
<Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>j6lwx3rvEPO0vKtMup4NbeVu8nk=</DigestValue> </DigestMethod>
</Reference>
</SignedInfo>
<SignatureValue>MC0CFFrVLtRlk=...</SignatureValue>
<KeyInfo>
<KeyValue>
<DSAKeyValue>
…….
</DSAKeyValue>
</KeyValue>
</KeyInfo>
</Signature>
12
Technologies for Web Services Security
XML Encryption A specification for encrypting and decrypting digital
content Encrypted content can be represented in XML The portions of a document can be selectively
encrypted Example
13
Technologies for Web Services Security
Encrypting the CreditCard Element<?xml version='1.0'?>
<PaymentInfo xmlns='http://UM.edu/details'>
<Name>Alice</Name>
<EncryptedData Type='http://www.w3.org/2001/04/xmlenc#Element'
xmlns='http://www.w3.org/2001/04/xmlenc#'>
<CipherData>
<CipherValue>A23B45C56…</CipherValue>
</CipherData>
</EncryptedData>
</PaymentInfo>
14
Technologies for Web Services Security
XML Key Management Specification - XKMS Outlines protocols for the distribution and registration of
public keys Supports XML Encryption and XML Signature Contains two parts:
XML Key Information Service Specification X-KISS XML Key Registration Service Specification X-KRSS
15
Technologies for Web Services Security
XML Key Information Service Specification Locates public key
Clients send a locate request to the XKMS service. The locate service resolves the <ds:KeyInfo> element to
get the public key and its binding information XKMS sends it back to client
Validates public key The validate service validates the returned key according
to the policy of the validate service
16
Technologies for Web Services Security
XML Key Registration Service Specification Register
Enables the client to register a public key pair with an XKMS service.
Reissue Allows the previously registered key binding to be issued
again Revoke Recover
17
Technologies for Web Services Security
WS-Security A mechanism for signing and encrypting parts of a
SOAP message A standard set of SOAP extensions to be used to build
secure Web services Provides three major mechanism
Message integrity Message confidentiality Ability to pass around security tokens as part of a
message IBM/Microsoft Web Services Security Road Map
18
Credit Card Web Service Architecture
The Client/Server Model Describes the relationship between two computer
programs One program, the client, makes a service request to
another program, the server The server fulfills the request
3-tier Architecture User interface Business logic Databases and programming related to managing it
19
Credit Card Web Service Architecture
3-tier Architecture in a Credit Card Web Service The presentation layer
Contains the presentation objects responsible for presenting information to end-users
In our application, Input.jsp, Method.jsp and Result.jsp are presentation objects to allow the user to input a credit card number and perform the get limit action and display the result
The business layer Contains the business objects, each of which is
responsible for a specific business process In our application, CreditCardService.java was defined as
a business object which is responsible for validating a credit card
20
Credit Card Web Service Architecture
3-tier Architecture in Credit Card Web Service The data layer
Contains the data objects (DO) and the methods used to handle the different data components
In our application, a card DO contains the information of a credit card. It can contain attributes such as card number, card type, expiration date, etc.
A database manager controls an application’s pool of database connections
21
Credit Card Web Service Architecture
Use Case Analysis Explore the UML modeling technique to describe the
credit card system development In our credit card checking scenario, there are four
actors: The client Browser Controller Database server
22
Credit Card Web Service Architecture
Entrust PKI Entrust PKI Architecture
Authority Authority Master Control Registration Authority Authority Database Directory
23
Credit Card Web Service Architecture
Entrust PKI Entrust PKI User Roles
Master user Security officer Administrator Directory Administrator Auditor End user
24
Credit Card Web Service Architecture
Public-Key Cryptographic Standard #7 PKCS #7 is the Cryptographic Message Syntax
standard which describes a general syntax for data that may have cryptography applied to it
Supports many different content types PKCS #7 was used in the Credit Card Web Services
application to encrypt and digitally sign the sensitive information
25
Building Credit Card Web Service using SOAP, WSDL and UDDI
Credit Card Web Service Overview Provides credit card validation and limit check
business functions Also a Web Services consumer. It consumes other
Web Services such as update card service, cancel card service
Credit card validation service example
26
Building Credit Card Web Service using SOAP, WSDL and UDDI SOAP Message Structure
SOAP request for the getLimit service The request takes a string parameter, an
encrypted credit card number<soap:Body>
<m:getLimitRequest xmlns:
m=”http://tempuri.org/um.edu.CreditCardService”>
<cardNo xsi:type=’xsd:string’ >ATKEKDL…</cardNo>
</m:getLimitRequest>
</soap:Body>
27
Building Credit Card Web Service using SOAP, WSDL and UDDI
SOAP Message Structure SOAP response for the getLimit service The response returns a float, the limit amount of
the card<soap:Body>
<m:getLimitResponse xmlns:
m=”http://tempuri.org/um.edu.CreditCardService”>
<Limit>3000.00</Limit>
</m:getLimitResponse>
</soap:Body>
28
Building Credit Card Web Service using SOAP, WSDL and UDDI
SOAP Message Encoding Provides a standard data encoding scheme Makes use of types defined in XML schema and
creates the mapping for language-specific type definition to ensure interoperability
“xsd:string” indicates a mapping from Java type String t XML Schema type string
29
Building Credit Card Web Service using SOAP, WSDL and UDDI
WSDL A WSDL document provides the necessary details for a
service requestor to contact and consume a service Consists of a set of definitions
Definition Types Message PortType Binding Port Service
30
Building Credit Card Web Service using SOAP, WSDL and UDDI
UDDI UDDI Business Registry
An implementation of the UDDI specification Public UDDI Business Registry
Operator site Node operators
Private UDDI Business Registry
31
Building Credit Card Web Service using SOAP, WSDL and UDDI
UDDI Using UDDI to Register and Find a Service
Register Credit Card Web Service through IBM UDDI Business Registry Obtain a user account Register the business information and get a unique
business ID Register the Credit Card Web Service to get a unique
service ID and specify the access point Find a registered business
32
Credit Card Web Service Implementation
Implementation Language Java 1.5
Portability Extensibility Cost effectiveness Performance
Implementation Tools Entrust Authority Security Toolkit for Java IBM Websphere Studio
33
Credit Card Web Service Implementation
Entrust Authority Security Toolkit for Java Overview
Gives the ability to add trusted security to our application Gives our application access to the underlying security
structure of a PKI Architecture
Low-level API resides on top of JCE (Java Cryptography Extension
High-level API provides classes that implement frequently used cryptographic tasks
34
Credit Card Web Service Implementation
Entrust Authority Security Toolkit for Java Credentials
Used to describe a set of data that contains a user’s critical cryptographic information
In an Entrust PKI, an Entrust Profile is used to contain a user’s public and private credentials
Identifying a User The process of logging in involves reading and verifying a
user’s credentials In our case, we use an Entrust Profile yanlin.epf to
perform the log in task
35
Credit Card Web Service Implementation
IBM Websphere Studio State-of-art Java IDE Provides development tools to enable the creation,
development and deployment of Web service Logic flow of Credit Card Web Service in WSAD
Create a Credit Card Web Service Generate Deployment Descriptor to deploy this Web
Service on the server Generated CreditCardServiceProxy to accept the
client requests Used SOAP to encode invocation parameters and
results over HTTP
36
Credit Card Web Service Implementation
PKCS #7 Implementation with Entrust Toolkit Encode
Instantiate, and log in, a user Create PKCS7EncodeStream object Specify the digest and encryption algorithms Specify the input data and write the encrypted and
signed data to the output stream Decode
Instantiate, and log in, a user Create PKCS7DecodeStream object Read the decrypted and signed data
37
Credit Card Web Service Implementation
Database Design and Implementation IBM DB2 Universal Database was chosen as the
DBMS system Established a database with a name CCARD which
stores the information of credit cards and card holders
Two tables were defined, linked by the card number attribute
JDBC is used to access the database through the business layer
38
Comparison with other Web Services Security Solutions
Benefits/Limitations of existing technologies Security Assertions Markup Language – SAML Extensible Access Control Markup Language –
XACML Put web services security technologies together
Benefits/Limitations of the proposed solutions
39
Comparison with other Web Services Security Solutions
SAML Includes four main components
Assertions, which are declarations of fact about a subject Request/response protocol to exchange assertions Bindings to transport SAML assertion messages Profiles defines constraints and/or extensions of the core
protocols and assertions Enables cross-domain trust
Single sign-on Distributed transaction An authorization service
40
Comparison with other Web Services Security Solutions
XACML Describes both an access control policy language and a
request/response language Consistent with and builds on SAML Reduces the cost of developing an application-specific
access control language Helps applications interoperate more easily Extensible Too complicated, needs too much configuration while
setting up hierarchical resources Response message is more verbose
41
Comparison with other Web Services Security Solutions
Putting It Together How Web services security standards work together The standards are new emerging technologies, not yet
mature Adding the security information into the SOAP header
increases the overhead, may affect the efficiency XML encryption and XML signatures are complex Identity collisions may occur when encrypted contents
generated in one context are dropped in another context
42
Comparison with other Web Services Security Solutions Benefits of the proposed solutions
Mature technology PKI as our basic underlying security infrastructure
PKI is the fundamental component of Web services security architecture
PKI can let the companies to build their own security system Act as their own Certificate Authority (CA) Confidentiality Authentication Non-repudiation Integrity Automatic key management
43
Comparison with other Web Services Security Solutions Limitations of the proposed solutions
Discovery and validation of the certification paths is complex
Cost Build and manage circles of trust
44
Conclusions
Designed and developed a Credit Card Web Service using SOAP, WSDL and UDDI
Presented a viable approach for securing the Credit Card Web service through the use of PKI and PKCS #7 standard
Increased the security of transferring XML messages over the Internet
Drew a comparison between this approach and the new emerging Web services security standards