web services security lin yan department of ece university of manitoba manitoba, canada

Web Services Security

Lin Yan

Department of ECE

University of Manitoba

Manitoba, Canada

2

Web Services Security

Introduction Technologies for Web Services Security Credit Card Web Service Architecture Building a Credit Card Web Service using

SOAP, WSDL and UDDI Credit Card Web Service Implementation Comparison and Conclusions

3

Introduction

The Internet Conceived in the 1960s ARPANET went online in the 1970s TCP/IP was created in 1980s Changed the way business operate

Web Services Definition Purpose Architecture

4

Introduction

ServiceBroker

ServiceRequester

ServiceProvider

Publish

Find

Bind

Web Services Architecture

5

Introduction

Associated Web Services Standards Extensible Markup Language - XML

A Syntax to define markup language To structure the document in a standard way and make it

machine-readable Operating system independent

Simple Object Access Protocol - SOAP XML based protocol for the exchange of information in a

decentralized, distributed environment Consists of three parts: envelope, encoding rules and

convention for representing RPCs and responses

6

Introduction

Associated Web Services Standards Web Services Description Language - WSDL

Creates a standard way for specifying the details of a Web service

Clients can use Web service even they have no prior knowledge of the service

Universal Description, Discovery, Integration - UDDI Directory service where businesses and organizations can

register, deregister and look up Web services Platform-independent framework for describing services,

discovering businesses, and integrating business services

7

Introduction

Motivations and Objectives Provide security issues while users access Web

services over the Internet Confidentiality Integrity Non-repudiation Accountability

8

Technologies for Web Services Security

Public Key Infrastructure Security through cryptography

Encryption key pair Signing key pair

Certificates Contain the basic information detailing a person’s identity

and his/her public key Certification Authority

A trusted entity that issues the certificates

9


Public Key Infrastructure Public Key Infrastructure

Enabling trust through a Certification Authority Certificate retrieval from a certificate repository Certificate revocation Key backup and recovery Automatic update of key pairs and certificates Non-repudiation

10


XML Signature A specification for encrypting data and tags within

an XML document A digital signature expressed in XML Allows for signing part of an XML document Example

11

Technologies for Web Services Security<Signature Id="MyFirstSignature" xmlns="http://www.w3.org/2000/09/xmldsig#">

<SignedInfo>

<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>

<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>

<Reference URI="http://www.w3.org/TR/2000/REC-xhtml1-20000126/">

<Transforms>

<Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>

</Transforms>

<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>

<DigestValue>j6lwx3rvEPO0vKtMup4NbeVu8nk=</DigestValue> </DigestMethod>

</Reference>

</SignedInfo>

<SignatureValue>MC0CFFrVLtRlk=...</SignatureValue>

<KeyInfo>

<KeyValue>

<DSAKeyValue>

…….

</DSAKeyValue>

</KeyValue>

</KeyInfo>

</Signature>

12


XML Encryption A specification for encrypting and decrypting digital

content Encrypted content can be represented in XML The portions of a document can be selectively

encrypted Example

13


Encrypting the CreditCard Element<?xml version='1.0'?>

<PaymentInfo xmlns='http://UM.edu/details'>

<Name>Alice</Name>

<EncryptedData Type='http://www.w3.org/2001/04/xmlenc#Element'

xmlns='http://www.w3.org/2001/04/xmlenc#'>

<CipherData>

<CipherValue>A23B45C56…</CipherValue>

</CipherData>

</EncryptedData>

</PaymentInfo>

14


XML Key Management Specification - XKMS Outlines protocols for the distribution and registration of

public keys Supports XML Encryption and XML Signature Contains two parts:

XML Key Information Service Specification X-KISS XML Key Registration Service Specification X-KRSS

15


XML Key Information Service Specification Locates public key

Clients send a locate request to the XKMS service. The locate service resolves the <ds:KeyInfo> element to

get the public key and its binding information XKMS sends it back to client

Validates public key The validate service validates the returned key according

to the policy of the validate service

16


XML Key Registration Service Specification Register

Enables the client to register a public key pair with an XKMS service.

Reissue Allows the previously registered key binding to be issued

again Revoke Recover

17


WS-Security A mechanism for signing and encrypting parts of a

SOAP message A standard set of SOAP extensions to be used to build

secure Web services Provides three major mechanism

Message integrity Message confidentiality Ability to pass around security tokens as part of a

message IBM/Microsoft Web Services Security Road Map

18

Credit Card Web Service Architecture

The Client/Server Model Describes the relationship between two computer

programs One program, the client, makes a service request to

another program, the server The server fulfills the request

3-tier Architecture User interface Business logic Databases and programming related to managing it

19


3-tier Architecture in a Credit Card Web Service The presentation layer

Contains the presentation objects responsible for presenting information to end-users

In our application, Input.jsp, Method.jsp and Result.jsp are presentation objects to allow the user to input a credit card number and perform the get limit action and display the result

The business layer Contains the business objects, each of which is

responsible for a specific business process In our application, CreditCardService.java was defined as

a business object which is responsible for validating a credit card

20


3-tier Architecture in Credit Card Web Service The data layer

Contains the data objects (DO) and the methods used to handle the different data components

In our application, a card DO contains the information of a credit card. It can contain attributes such as card number, card type, expiration date, etc.

A database manager controls an application’s pool of database connections

21


Use Case Analysis Explore the UML modeling technique to describe the

credit card system development In our credit card checking scenario, there are four

actors: The client Browser Controller Database server

22


Entrust PKI Entrust PKI Architecture

Authority Authority Master Control Registration Authority Authority Database Directory

23


Entrust PKI Entrust PKI User Roles

Master user Security officer Administrator Directory Administrator Auditor End user

24


Public-Key Cryptographic Standard #7 PKCS #7 is the Cryptographic Message Syntax

standard which describes a general syntax for data that may have cryptography applied to it

Supports many different content types PKCS #7 was used in the Credit Card Web Services

application to encrypt and digitally sign the sensitive information

25

Building Credit Card Web Service using SOAP, WSDL and UDDI

Credit Card Web Service Overview Provides credit card validation and limit check

business functions Also a Web Services consumer. It consumes other

Web Services such as update card service, cancel card service

Credit card validation service example

26

Building Credit Card Web Service using SOAP, WSDL and UDDI SOAP Message Structure

SOAP request for the getLimit service The request takes a string parameter, an

encrypted credit card number<soap:Body>

<m:getLimitRequest xmlns:

m=”http://tempuri.org/um.edu.CreditCardService”>

<cardNo xsi:type=’xsd:string’ >ATKEKDL…</cardNo>

</m:getLimitRequest>

</soap:Body>

27


SOAP Message Structure SOAP response for the getLimit service The response returns a float, the limit amount of

the card<soap:Body>

<m:getLimitResponse xmlns:

m=”http://tempuri.org/um.edu.CreditCardService”>

<Limit>3000.00</Limit>

</m:getLimitResponse>

</soap:Body>

28


SOAP Message Encoding Provides a standard data encoding scheme Makes use of types defined in XML schema and

creates the mapping for language-specific type definition to ensure interoperability

“xsd:string” indicates a mapping from Java type String t XML Schema type string

29


WSDL A WSDL document provides the necessary details for a

service requestor to contact and consume a service Consists of a set of definitions

Definition Types Message PortType Binding Port Service

30


UDDI UDDI Business Registry

An implementation of the UDDI specification Public UDDI Business Registry

Operator site Node operators

Private UDDI Business Registry

31


UDDI Using UDDI to Register and Find a Service

Register Credit Card Web Service through IBM UDDI Business Registry Obtain a user account Register the business information and get a unique

business ID Register the Credit Card Web Service to get a unique

service ID and specify the access point Find a registered business

32

Credit Card Web Service Implementation

Implementation Language Java 1.5

Portability Extensibility Cost effectiveness Performance

Implementation Tools Entrust Authority Security Toolkit for Java IBM Websphere Studio

33


Entrust Authority Security Toolkit for Java Overview

Gives the ability to add trusted security to our application Gives our application access to the underlying security

structure of a PKI Architecture

Low-level API resides on top of JCE (Java Cryptography Extension

High-level API provides classes that implement frequently used cryptographic tasks

34


Entrust Authority Security Toolkit for Java Credentials

Used to describe a set of data that contains a user’s critical cryptographic information

In an Entrust PKI, an Entrust Profile is used to contain a user’s public and private credentials

Identifying a User The process of logging in involves reading and verifying a

user’s credentials In our case, we use an Entrust Profile yanlin.epf to

perform the log in task

35


IBM Websphere Studio State-of-art Java IDE Provides development tools to enable the creation,

development and deployment of Web service Logic flow of Credit Card Web Service in WSAD

Create a Credit Card Web Service Generate Deployment Descriptor to deploy this Web

Service on the server Generated CreditCardServiceProxy to accept the

client requests Used SOAP to encode invocation parameters and

results over HTTP

36


PKCS #7 Implementation with Entrust Toolkit Encode

Instantiate, and log in, a user Create PKCS7EncodeStream object Specify the digest and encryption algorithms Specify the input data and write the encrypted and

signed data to the output stream Decode

Instantiate, and log in, a user Create PKCS7DecodeStream object Read the decrypted and signed data

37


Database Design and Implementation IBM DB2 Universal Database was chosen as the

DBMS system Established a database with a name CCARD which

stores the information of credit cards and card holders

Two tables were defined, linked by the card number attribute

JDBC is used to access the database through the business layer

38

Comparison with other Web Services Security Solutions

Benefits/Limitations of existing technologies Security Assertions Markup Language – SAML Extensible Access Control Markup Language –

XACML Put web services security technologies together

Benefits/Limitations of the proposed solutions

39


SAML Includes four main components

Assertions, which are declarations of fact about a subject Request/response protocol to exchange assertions Bindings to transport SAML assertion messages Profiles defines constraints and/or extensions of the core

protocols and assertions Enables cross-domain trust

Single sign-on Distributed transaction An authorization service

40


XACML Describes both an access control policy language and a

request/response language Consistent with and builds on SAML Reduces the cost of developing an application-specific

access control language Helps applications interoperate more easily Extensible Too complicated, needs too much configuration while

setting up hierarchical resources Response message is more verbose

41


Putting It Together How Web services security standards work together The standards are new emerging technologies, not yet

mature Adding the security information into the SOAP header

increases the overhead, may affect the efficiency XML encryption and XML signatures are complex Identity collisions may occur when encrypted contents

generated in one context are dropped in another context

42

Comparison with other Web Services Security Solutions Benefits of the proposed solutions

Mature technology PKI as our basic underlying security infrastructure

PKI is the fundamental component of Web services security architecture

PKI can let the companies to build their own security system Act as their own Certificate Authority (CA) Confidentiality Authentication Non-repudiation Integrity Automatic key management

43

Comparison with other Web Services Security Solutions Limitations of the proposed solutions

Discovery and validation of the certification paths is complex

Cost Build and manage circles of trust

44

Conclusions

Designed and developed a Credit Card Web Service using SOAP, WSDL and UDDI

Presented a viable approach for securing the Credit Card Web service through the use of PKI and PKCS #7 standard

Increased the security of transferring XML messages over the Internet

Drew a comparison between this approach and the new emerging Web services security standards

45

Thanks …...

web services security lin yan department of ece university of manitoba manitoba, canada

Documents