Presentation is loading. Please wait.

Presentation is loading. Please wait.

Web services security I

Published byMeryl Oliver Modified over 8 years ago

Similar presentations

Presentation on theme: "Web services security I"— Presentation transcript:

1 Web services security I
Uyen Dang & Michel Foé

2 Agenda Context Basic concepts (prerequisites)
Architectural considerations of security issues in WS Security threats in Web services Basic concepts (prerequisites) XML independent tools or technologies SSL Kerberos Authentication on HTTP XML specific tools or technologies XML signature XML Encryption XKMS SAML XACML Summary and Q&A

3 Context (SOA) SOA facilitate service integration within and accross organization boundaries services are combined with each other in unanticipated ways  anonymous No more islands of security The drawback of SOA is that security systems should be integrated too Need of tracability in transaction Authencity Access control, identity, authentication Business impact

4 Architectural considerations of WS security
Where security issues occur in SOA? Network-level Application-level

5 Security threats for Web services
Unauthorized access Unauthorized alteration of messages Man in the middle Denial of service

6 Countermeasures (1) Network-level security: Firewalls
Intrusion detections systems and vulnerability assessment Securing network communications symmetric /asymmetric encryption Digital certificates and signatures

7 Countermeasures (2) Application-level security: Six requirements
Authentication Authorization Message integrity Confidentiality Operational defense Non repudiation

8 Basic concepts (1) Authentication Authorization
Verify the identity of an entity Authorization Specify access rights to a resource

9 Basic concepts (2) Integrity Confidentiality
Guarantee that a message did not change in transit/time Confidentiality Ensure that data is available only to those who are authorized to access

10 Basic concepts (3) Symmetric encryption /decryption
Secure communication between two parties Both parties share the same key

11 Basic concepts (4) Asymmetric encryption /decryption
Secure communication between two parties Requires public/private keys pair for each party

12 Basic Concepts(5) Digital signature and certificate
Proof the authenticity and integrity of a document/message Ensure accountability and non-repudiation (certificates)

13 SSL (Secure Sockets Layer )
What is SSL? Web protocol secure communication over TCP/IP connections, provides server and client authentication, data encryption, message integrity.

14 Kerberos What is Kerberos? 3rd party Authentication protocol
Use ticket and a session key Centralized key management Allows single-sign-on Ticket: pieces of information (session key + expire date) used for authentication or authorization added to a SOAP header Session key: secret key randomly generated by kerberos

15 Authentication on HTTP
Login/password authentication Support two methods: Basic authentication Base64 algorithm to encrypt the string login:password Highly vulnerable Digest Apply a hash function to the password

16 http basic authentication example

17 XML signature Ensure : 3 types of signatures: data integrity,
message authentication, and non-repudiation. 3 types of signatures: Enveloping Enveloped Detached signatures or Provides proof of identity and authenticity which the sender cannot deny

18 XML signature (schema)
SignedInfo Signature Key information

19 XML signature (SignedInfo)

20 XML Signature (key information)

21 XML Signature (How does it work?)
Generate references Transformation (eventually) Compute the digest Generate the signature Build SignedInfo element Apply CanonicalizationMethod Compute the signature on hash with SignatureMethod Just SignedInfo is signed not referenced resources

22 XML Signature (Example)
enveloping enveloped

23 XML Encryption Encrypts part/whole XML document Ensure confidentiality
Use symmetric encryption

24 XML Encryption (schema)
Encryption method Cipher text

25 XML Encryption (How does it work?)
Choose the cryptographic algorithm (3DES , AES, etc..) Get or generate the key Serialize data to encrypt Encrypt Decryption Identify algorithm and key used Get the key Decrypt Integrate data in the final document

26 XML Encryption (Example)

27 Are XML encryption and signature tied to WS - *?
XML Encryption can be applied to any Web resource (including non-XML content).

28 XKMS (XML Key Management Spec)
Alternative to a complex PKI Ease integration of Authentication, signature and certificates, and encryption for XML- based trust services; Support three major services: Register Locate validate Register service: for registering key pairs Locate service: retrieving public registered key Validate service: locate and verify that a public key registered with the XKMS server is not revoked and is still valid in time

29 XKMS (example) 4

30 SAML Security assertion Markup Language OASIS standard framework for
creating, requesting, and exchanging security assertions between business partners  Ease Single Sign-On Why SAML?

31 SAML components

32 SAML assertion SAML Assertions provide a means to distribute security-related information that may be used for a number of purposes

33 SAML example The subject (e.g. user) that the authentication pertains to is “j.doe”. The format of the subject has been defined. In this case its an address, a number of predefined formats have been provided in the SAML specification, including custom formats and X.509 subject names. Joe was originally authenticated using a protected password mechanism at “ T12:00:00Z"

34 XACML eXtensible Access Control Markup Language Two basics components
extension to SAML define how to use access information and security policies offer a vocabulary and syntax for managing authorization decisions Two basics components Access control policy language Request /response language SAML just define how identity and access information is exchanged between partners

35 Typical use of XACML and SAML

36 Summary and Q&A Technology Main purposes XML signature
data integrity, authentication, non -repudation of services XML encryption promote the trusted use of web applications by encrypting XML entities XKMS simplify the integration of PKI and management of digital certificates with XML applications SAML Standards or exchanging authorization and authentication assertions between services to facilitate Single Sign On XACML Language for managing authorization decisions

Download ppt "Web services security I"

Similar presentations

Chapter 10 Encryption: A Matter of Trust. Awad –Electronic Commerce 1/e © 2002 Prentice Hall 2 OBJECTIVES What is Encryption? Basic Cryptographic Algorithm.

Chapter 10 Encryption: A Matter of Trust. Awad –Electronic Commerce 1/e © 2002 Prentice Hall 2 OBJECTIVES What is Encryption? Basic Cryptographic Algorithm.
Public Key Infrastructure and Applications

Public Key Infrastructure and Applications
Web Service Security CS409 Application Services Even Semester 2007.

Web Service Security CS409 Application Services Even Semester 2007.
Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.

Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.
Cryptography and Network Security

Cryptography and Network Security
7-1 Chapter 7 – Web Security Use your mentality Wake up to reality —From the song, I've Got You under My Skin“ by Cole Porter.

7-1 Chapter 7 – Web Security Use your mentality Wake up to reality —From the song, "I've Got You under My Skin“ by Cole Porter.
Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.

Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.
0 Web Service Security JongSu Bae. 1  Introduction 2. Web Service Security 3. Web Service Security Mechanism 4. Tool Support 5. Q&A  Contents.

0 Web Service Security JongSu Bae. 1  Introduction 2. Web Service Security 3. Web Service Security Mechanism 4. Tool Support 5. Q&A  Contents.
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 23: Internet Authentication Applications.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 23: Internet Authentication Applications.
Lecture 23 Internet Authentication Applications

Lecture 23 Internet Authentication Applications
Authentication & Kerberos

Authentication & Kerberos
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Web Services and the Semantic Web: Open Discussion Session Diana Geangalau Ryan Layfield.

Web Services and the Semantic Web: Open Discussion Session Diana Geangalau Ryan Layfield.
Lesson 12 Cryptography for E-Commerce. Approaches to Network Security Separate Security Protocol--SSL Application-Specific Security--SHTTP Security with.

Lesson 12 Cryptography for E-Commerce. Approaches to Network Security Separate Security Protocol--SSL Application-Specific Security--SHTTP Security with.
Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.

Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.
Security Overview Hofstra University University College for Continuing Education - Advanced Java Programming Lecturer: Engin Yalt May 24, 2006.

Security Overview Hofstra University University College for Continuing Education - Advanced Java Programming Lecturer: Engin Yalt May 24, 2006.
Core Web Service Security Patterns

Core Web Service Security Patterns
Lecture III : Communication Security, Services & Mechanisms Internet Security: Principles & Practices John K. Zao, PhD SMIEEE National Chiao-Tung University.

Lecture III : Communication Security, Services & Mechanisms Internet Security: Principles & Practices John K. Zao, PhD SMIEEE National Chiao-Tung University.

Similar presentations

Ads by Google