Multi-party Authentication in Web Services Madhumita Chatterjee Dt :28th October 2004 12/8/2018 5:03 PM

Overview Web Services Architecture Typical Scenario Security Threats Challenges and issues Need for Session Authentication Maruyama’s Protocol A Proposal 12/8/2018 5:03 PM

Web Service Components Internet based modular applications Program to program communication XML WSDL SOAP UDDI 12/8/2018 5:03 PM

Web Service Architecture Implementation of Services (components) UDDI Interface Description with WSDL 1. Request 4. Request Service requester Service Broker Web Server For SOAP S E R V I C e 12/8/2018 5:03 PM

Web Service Workflows Dynamic composition Multiple instances Workflow involves service instances belonging to different Web services Multiple parties belong to a flow. 12/8/2018 5:03 PM

Typical Web Service Scenario Buyer Govt service Financer Provider Shipper B.1 G.1 P.2 S.1 P.1 F.2 Service Instance Insurance I.1 F.1 12/8/2018 5:03 PM

Web Service Security Authentication: Establishing identity of user by providing a set of credentials. In return user receives a security token that can be used to access the server. Authorization: Establishing what a user is allowed to do. 12/8/2018 5:03 PM

Web Service Security……cont Confidentiality: Ensuring that only the intended recipient can read the message, accompanied by encryption. Integrity: Ensuring that the message has not been tampered with, generally accomplished with digital signatures. 12/8/2018 5:03 PM

Threats…. Unauthorized access Parameter manipulation Network eavesdropping Message replay 12/8/2018 5:03 PM

Challenges Dealing with un-trusted clients. Application internals are exposed. SOAP messages are not point to point Challenge is to preserve security of SOAP message from initial SOAP sender to ultimate SOAP receiver. 12/8/2018 5:03 PM

SSL is inadequate SSL provides point-to-point security Web Services need end-to-end security SSL does not support End-to-end confidentiality Element wise signing and encryption Non-repudiation 12/8/2018 5:03 PM

Need for session Authentication TA-1 TA-2 Hotel Flight Car#1 Car#2 12/8/2018 5:03 PM

Maruyama’s protocol Session Authenticator component responsible for distributing keys and authenticating messages Each instance belonging to a session gets the shared key 12/8/2018 5:03 PM

Maruyama’s protocol….cont Message authentication protocol transports authentication information between session participants Session management protocol responsible for starting, running and ending a particular session. 12/8/2018 5:03 PM

Message Authentication Session Authenticator Allows service instances to mutually verify transient membership Service Authenticator Protocol for sending Web service to send MACed SOAP envelope to receiving Web Service 12/8/2018 5:03 PM

Session Authenticator Sending instance prepares SOAP envelope Optionally uses XML encryption Adds authentication to SOAP header Using SOAP-DSIG applies MAC to envelope under session key. 12/8/2018 5:03 PM

Session Auth….cont… Receiver checks for session key. Else obtains key from session manager. Validates MAC and accepts SOAP envelope. Decrypts encrypted message. Receiver now has authenticated mesg and session handle. 12/8/2018 5:03 PM

Service Authenticator Sending service prepares SOAP envelope. Adds authentication header. Uses SOAP-DSIG to digitally sign mesg. Optionally uses XML encryption. Receiver decrypts, validates signature, verifies its own sign and accepts. 12/8/2018 5:03 PM

Session Management Initiator of session could be SA Assigning session Ids. Creating session secrets. Maintaining status information for each session. Keeping participants informed of the status. Shutting down sessions. 12/8/2018 5:03 PM

Online session Management 12/8/2018 5:03 PM

Drawbacks .. SA cannot measure the validity of service instance Anyone who has session ID can contact SA. An attacker who has compromised an instance can request to join session No unique identifier for each instance 12/8/2018 5:03 PM

Issues not considered What if Session Manager is malicious?? 12/8/2018 5:03 PM

A Proposal….Adaptive approach Requirements of users may vary. Is there need for stringent measures uniformly to every node and transaction Can we apply as much security as a particular transaction requires? 12/8/2018 5:03 PM

Sophisticated Web Services E.g order for aircraft engine Spawns multiple supporting transactions Orders to individual parts Orders for shipping containers Etc Involves handling huge volumes of traffic 12/8/2018 5:03 PM

Adaptive approach ….cont For Simple Web services existing security measures may suffice. For sophisticated Web Services involving long transactions trusted third party model desirable. Can an adaptive/hybrid approach be implemented??? 12/8/2018 5:03 PM

References 1. S. Hada and H. Maruyama, “Session Authentication Protocol for Web Services,” Proc. 2002 IEEE Symposium on Application and the Internet, pp. 158-165, Jan. 2002. 2. Dacheng Zhang and Jie Xu, “Multi-Party Authentication for Web Services: Protocols, Implementation and Evaluation,” Proc. 2004 IEEE Symposium on Object Oriented Real-time Distributed Computing. 3. M.Hondo, N. Nagaratnam, A.Nadalin, “Securing Web Services,” IBM Systems Journal, Vol 41, No. 2, 2002. 4. David Geer, “Taking Steps to Secure Web Services,” IEEE Computer, Vol 36, Oct 2003. 5. V Vasudevan, “A Web Services Primer”, http://www.xml.com/pub/a/2001/04/04/Webservices/, April 2001. 6. Y. Nakamur, S. Hada and R. Neyama, “Towards the Integration of Web Services Security on Enterprise Environments,” Proc. 2002 Symposium on Applications and the Internet, pp. 166-177, Jan 2002. 7. W3C NOTE, Simple Object Access Protocol (SOAP) 1.1, http://www.w3.org/TR/SOAP/ 12/8/2018 5:03 PM

References 8. W3C NOTE, SOAP Security Extensions: Digital Signature, http://www.w3.org/TR/SOAP-dsig. 9. Web `Services Security(WS-Security), http://www.ibm/developerworks/library/ws-secure. 10. Web Services Security Threats and Countermeasures, Microsoft Corporation, Jan 2004. 12/8/2018 5:03 PM