Presentation on theme: "An Analysis of SOAP Security Vinod Pandarinathan Vijay Asokan Parthiv Nayak."— Presentation transcript:
An Analysis of SOAP Security Vinod Pandarinathan Vijay Asokan Parthiv Nayak
Agenda Introduction Skeleton SOAP Message SOAP Message Format and Transmission Why Message Layer Security? CIA in MLS Current Problems and Trends Conclusion ???
Introduction SOAP 1.1 Simple Object Access Protocol SOAP 1.2 A “wrapper” protocol Written in XML Independent of Platform, OS, Programming Language Independent of the wrapped data Independent of the transport protocol A uni-directional message exchange paradigm Simple and Extensible N4S - http://www.w3schools.com/SOAP/soap_intro.asp http://www.w3schools.com/SOAP/soap_intro.asp
Skeleton SOAP Message <soap:Envelope xmlns:soap=http://www.w3.org/2001/12/soap-envelope soap:encodingStyle="http://www.w3.org/2001/12/soap-encoding">......... - http://www.w3schools.com/SOAP/soap_intro.asphttp://www.w3schools.com/SOAP/soap_intro.asp SOAP Envelope SOAP Header SOAP Body Header Block... Body Block...
Message Transmission Typical Binding - Serl.cs.colorado.edu/downloads/serl-talks/2002.02.04-SOAP.ppt Sender Receiver HTTP Request HTTP Body XML Syntax SOAP Envelope SOAP Body SOAP Body Block Textual Integer 0x0b66
Remote Procedure Call To invoke a SOAP RPC, the following information is needed: The address of the target SOAP node. The procedure or method name. The identities and values of any arguments to be passed to the procedure or method together with any output parameters and return value. A clear separation of the arguments used to identify the Web resource which is the actual target for the RPC, as contrasted with those that convey data or control information used for processing the call by the target resource. The message exchange pattern which will be employed to convey the RPC, together with an identification of the so-called "Web Method" (on which more later) to be used. Optionally, data which may be carried as a part of SOAP header blocks. - Serl.cs.colorado.edu/downloads/serl-talks/2002.02.04-SOAP.ppt
Authorization - MLS <SOAP-SEC:Authorization xmlns:SOAP- SEC=http://schemas.xmlsoap.org/soap/security/http://schemas.xmlsoap.org/soap/security/ SOAP-ENV:actor="a URI of an actor“ SOAP-ENV:mustUnderstand="1"> ……
Current Problem SOAP uses HTTP,and can transfer binart files HTTP traffic is not blocked by Firewalls Network Security is breached. "SOAP goes through firewalls like a knife through butter." -http://www.prescod.net/rest/security.htmlhttp://www.prescod.net/rest/security.html Possible Solution: Parsing XML data. CPU intensive, and lower performance. Also hard to find patterns because of XML’s dynamic nature.
Current Trend Axis 2 – Apache Software Foundation Provides web service engines designed for SOAP and XML with emphasis on security, and modularization. http://ws.apache.org/axis2/1_2/userguide.html#handlessoap
Cont… SOAP Security Extensions - W3C Provides SOAP Security Extensions. Currently we have the “SOAP Security Extensions: Digital Signatures” WS-Security (Web Service Security) - OASIS Provides the mechanism for Security tokens within SOAP messages, and also detail the use of Kerberos, X.509 certificate with SOAP.
Cont… Current Goal of OASIS ( http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0.pdf ): http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0.pdf Multiple security token formats Multiple trust domains Multiple signature formats Multiple encryption technologies End-to-end message content security and not just transport-level security The OASIS consortium would come up with the security guidelines, and after an approval/ implementation phases would ratify it as a standard.
Conclusion SOAP is new. More standardization required. Needs modularization is security. Going in the right direction.