Unissons nos Talents T O G E T H E RT A L E N T E D 1 Web Services Security – Challenges & Trends Magan Pal Singh Technical Architect, Sopra Group

2 Agenda Web Services Introduction Web Services Security Elements Web Services Security Dimensions Web Services Security Standards Threats Facing Web Services Threats Mitigation

3 Web Services Introduction Increasingly becoming SOA implementation of choice Distributed stand alone services Platform independence Heterogeneous environments and technologies Spread across geographies Publicly published interfaces – Service Contract Discoverable universally – UDDI Rate Service Loan Service UDDI 1 2 3

4 Web Services Introduction Web services Messaging – SOAP Web Portal Loan Service Rate ServiceCredit Service End User

5 Web Services Introduction Web Services Coordination Orchestration – Within the Organization (BPEL) Choreography – Between Organizations Loan Service Credit Service Credit Bureau Service Rate Service Internal Rate Service1 Internal Rate Service2 Internal Rate Service3 Federal Rate Service

6 Web Services Security Elements Applications must be secure and reliable to truly meet SOA goals Web Services rely on HTTP and common web based architecture Key security elements are: Identification and Authentication Verification of Identity of the requestor service Authorization Ascertaining the authority of the requestor service to access the resources Integrity Ensuring that un-authorized alterations do not happen to the data, while in transit, processing or storage Non-repudiation The provider is able to ascertain the identity of the requestor and gets the proof of the delivery from requestor Confidentiality Preserving authorized access and disclosure of sensitive information; e.g. personal or proprietary information Privacy Restricting the resources access in accordance to the organization policy or Federal laws

7 Web Services Security Dimensions Security dimensions encompass the security elements Each dimension affects a different layer of web service Five Security Dimensions Secure Messaging SOAP messages traversing over networks are not viewed/ modified by attackers Protecting Resources Ensure that individual web service is adequately protected through appropriate identification, authentication and access control mechanism Negotiation of Contracts Web services should be capable of negotiating the business contracts as well as QoP and QoS Trust Relationships Entities involved in a business transaction must trust each other Security Properties Ensure effective enforcement of service policy, security policy and availability of services

8 Web Services Security Standards DimensionRequirementSpecifications Messaging Confidentiality & IntegrityWS-Security SSL/ TLS AuthenticationWS Security Tokens SSL/TLS X.509 Certificates Resource AuthorizationXACML XrML RBAC, ABAC PrivacyEPAL XACML AccountabilityNone Negotiation RegistriesUDDI ebXML Semantic DiscoverySWSA OWL-S Business ContractebXML

9 Web Services Security Standards DimensionRequirementSpecifications Trust EstablishmentWS-Trust XKMS X.509 Trust ProxyingSAML WS-Trust FederationWS-Federation Liberty IDFF Shibboleth Security Properties PolicyWS-Policy Security PolicyWS-SecurityPolicy ReliabilityWS-ReliableMessaging WS-Reliability

10 Threats Facing Web Services Message Alteration Un-authorized insertion/ deletion/ modification of information in message in transit to deceive the receiver Loss of Confidentiality Un-authorized discloser of message information to un-intended recipient Falsified Messages Fictitious messages that are intended to make the receiver to believe are sent by valid sender Man in the Middle Un-authorized interception and forwarding of message to third party Principal Spoofing Malicious message that is constructed with credentials that appear to be from a different, authorized principal Forged Claims Message created with false credentials that appear to be valid to the receiver Replay of Messages Attacker resends a previously sent message Replay of Message Parts Attacker includes part of previously sent message(s) in a new message Denial of Service Attacker causes the system to expand its resources disproportionately so that valid requests can not be honored

11 Threats Mitigation W3C XML Encryption Used to encrypt and provide confidentiality of part or all of SOAP message W3C XML Signature Used to digitally sign the SOAP message and provide message integrity and senders authentication WS Security Tokens Used to include senders credentials to aid the receiver to authenticate the sender User Name/ Password OASIS SAML Assertion IETF X.509 certificate ISO Rights Expression Language W3C WS-Addressing IDs Allows message sender to supply a unique identifier for each message IETF SSL/TLS Secures HTTP protocol that is used to exchange SOAP messages SSL/TLS with client authentication Both sender and receiver should authenticate each other before securing HTTP protocol IETF HTTP authentication Allows user name and password or password digest to be sent as part of HTTP header

12 Threats Mitigation Threats Addressed By Current Web Services Standards Message AlterationLoss of ConfidentialityFalsified MessageMan in the MiddlePrincipal SpoofingForged ClaimsReplay of Message PartReplay of MessageDenial of Service XML EncryptionXXXXX XML SignatureXXXXXX WS-Security TokensXXX WS-AddressingX SSL/ TLSXXX*X X SSL/ TLS with Client CertificatesXXXXXXX HTTP AuthenticationXXX

13 Conclusions Variety of specifications and standards available – Mostly developed by individual/ group of organizations Specifications contradict to each other Certain areas of concern, like Contract Negotiation and Trust Management etc, are still not addressed fairly Web Services standards organizations like OASIS and W3C are working to standardize the specifications Coordinated effort and research is needed to define commonly acceptable specifications and to provide their implementations

14 Q & A

15 Thank You