Presentation is loading. Please wait.

Presentation is loading. Please wait.

REST/SOAP Security A Brief Introduction.

Published byPhyllis Thomas Modified over 6 years ago

Similar presentations

Presentation on theme: "REST/SOAP Security A Brief Introduction."— Presentation transcript:

1 REST/SOAP Security A Brief Introduction

2 Quick Review: Protocol Layering
The Internet can be viewed as a layered stack of protocols Each layer offers services to the layer above and consumes those provided by the underlying layer The services provided by a layer form its service model Two protocols that belong to the same layer should offer some common service: TCP and UDP both offer a transport service for application-layer messages But the general nature of the service may vary: TCP is connection-oriented – UDP is connectionless Same goes for the properties of the service TCP guarantees delivery – UDP provides no guarantees

3 Quick Review: Protocol Layering (cont.)
In a broad sense, web services are application-layer entities that use HTTP as a communication protocol Security is not included in HTTP’s service model If we want a secure web service, we have a few options: Provide security measures at the service level (or the periphery thereof) Use a more secure message transport protocol (f. ex. HTTP over SSL) Both

4 Web Service Security: An Approach to the Topic
“Wire-level” security (HTTPS) Peer authentication Integrity Confidentiality Credential processing: Phase I: User authentication Phase II: User authorization

5 Wire-level Security Problem: As a government official, I want to conduct business securely. Solution: Set up a private phone line. Analogy: HTTPS connections

6 Wire-level Security: Confidentiality
Problem: My “private” phone line is still connected to the central telephone network. A listening device could be attached to it. Solution: Encode all wire traffic before it leaves the office, decode traffic as it enters the office. Analogy: HTTPS Encryption/Decryption

7 Wire-level Security: Peer authentication
Problems: I only want to accept phone calls from people on the green list Impostors could call a green listed person and pretend to be me Solution: Before discussing any confidential issues, callers should introduce themselves by exchanging (sufficient) information about their respective identities. Analogy: HTTPS digital certificate exchange

8 Wire-level Security: Integrity
Problem: Callers may mishear me due to interference or deliberate tampering. Solution: End each sentence by relaying the first letter of every word spoken – the caller will then try to match this against the message they received. Analogy: HTTPS Message Digests

9 Credential Processing
Web services provide clients with access to resources If a resource is secured, the client should have the appropriate credentials to gain access The credentials are presented and verified through a two-phase process: Phase I: Authentication Phase II: Authorization

10 Credential Processing & Wire-level Security
Under users/roles security, a client furnishes a form of identification together with a security credential that vouches for the identification To avoid hijacking, the credentials should be relayed over a secure channel whose setup and teardown is generally the responsibility of a wire-level security framework Wire-level security is thus the foundation upon which users/roles security is implemented HTTPS is a good way to provide wire-level security for web services (REST & SOAP)

11 Credential Processing: Authentication
Problem: I’m a security guard in charge of a warehouse. Someone wants to enter the building but since I am uncertain of their identity I am unable to proceed. Solution: Ask the caller for their identification code. Analogy: Username/password combination

12 A Note on Credential Format
Username and password pair – self-explanatory API key – basically a unique identifier handed out to each user Pros: UN/PW often less secure Easy reset Independent of master credentials (i.e. actual UN/PW) Saves time since UN/PW processing is slower by necessity (due to extra steps and protection against cyber attacks) Cons: Still need a secure comm. channel Not really a security feature

13 Credential Transmission over HTTPS
Basic Encoded transmission, not much better than plain text Digest Hash transmission, a slight improvement Cryptographic scheme Public key cryptography (symmetric/asymmetric)

14 Basic access authentication

15 Digest access authentication

16 Credential Processing: Authorization
Problem: An authenticated party has already entered the building. He is requesting access for storage compartment #43. Solution: Come up with a mapping that associates each authenticated party to the storage compartments they are allowed to access. Analogy: Authorization schemes

17 What about SOAP and REST?
SOAP – a messaging framework often employed by web services REST – an architecture style often used in the design of web services Irrespective of which particular framework/style was used in the implementation of a web service, the previously discussion about security measures still applies Additionally, there is always the option to define custom security schemes: Custom HTTP headers for REST Custom SOAP extensions

18 A Note on WS-Security (WSS)
A family of specifications providing a unified, transport-neutral, container-neutral, end-to-end framework for higher levels of security such as message confidentiality and authentication/authorization “The protocol specifies how integrity and confidentiality can be enforced on messages and allows the communication of various security token formats” ( F. ex. WSS specifies how digital signatures and encryption information can be inserted into SOAP headers

19 A Note on WS-Security (WSS) (cont.)

20 Recap “Wire-level” security (HTTPS) Credential processing:
Peer authentication Integrity Confidentiality Credential processing: Phase I: User authentication Phase II: User authorization

21 Sources Martin Kalin. “Java Web Services: Up and Running” 2nd ed. pg. 231 – 291. James F. Kurose, Keith W. Ross. “Computer Networking: A Top-Down Approach” 6th Intl. ed. pg. 81 – 87, 73 – 79.

22

Download ppt "REST/SOAP Security A Brief Introduction."

Similar presentations

Presence, Security and Privacy. www.dynamicsoft.com VON 3.20. 01 The Current Environment Many Faces of Security Authentication Verify someone is who they.

Presence, Security and Privacy. VON The Current Environment Many Faces of Security Authentication Verify someone is who they.
Internet Protocol Security (IP Sec)

Internet Protocol Security (IP Sec)
IPSec.

IPSec.
Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.

Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.
SSL CS772 Fall 2011. Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.

An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.
A Public Web Services Security Framework Based on Current and Future Usage Scenarios J.Thelin, Chief Architect PJ.Murray, Product Manager Cape Clear Software.

A Public Web Services Security Framework Based on Current and Future Usage Scenarios J.Thelin, Chief Architect PJ.Murray, Product Manager Cape Clear Software.
SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.

SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.

Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.
Making VLAB Secure Javier I. Roman. What is VLAB?  An interdisciplinary consortium dedicated to the development and promotion of the theory of planetary.

Making VLAB Secure Javier I. Roman. What is VLAB?  An interdisciplinary consortium dedicated to the development and promotion of the theory of planetary.
Network Security – Part 2 V.T. Raja, Ph.D., Oregon State University.

Network Security – Part 2 V.T. Raja, Ph.D., Oregon State University.
Secure Systems Research Group - FAU Patterns for Digital Signature using hashing Presented by Keiko Hashizume.

Secure Systems Research Group - FAU Patterns for Digital Signature using hashing Presented by Keiko Hashizume.
Computer Security Tran, Van Hoai Department of Systems & Networking Faculty of Computer Science & Engineering HCMC University of Technology.

Computer Security Tran, Van Hoai Department of Systems & Networking Faculty of Computer Science & Engineering HCMC University of Technology.
.Net Security and Performance -has security slowed down the application By Krishnan Ganesh Madras.

.Net Security and Performance -has security slowed down the application By Krishnan Ganesh Madras.
Session 11: Security with ASP.NET

Session 11: Security with ASP.NET
CHAPTER 2 PCs on the Internet Suraya Alias. The TCP/IP Suite of Protocols Internet applications – client/server applications The client requested data.

CHAPTER 2 PCs on the Internet Suraya Alias. The TCP/IP Suite of Protocols Internet applications – client/server applications The client requested data.
Digital Certificates Made Easy Sam Lutgring Director of Informational Technology Services Calhoun Intermediate School District.

Digital Certificates Made Easy Sam Lutgring Director of Informational Technology Services Calhoun Intermediate School District.
SSL / TLS in ITDS Arun Vishwanathan 23 rd Dec 2003.

SSL / TLS in ITDS Arun Vishwanathan 23 rd Dec 2003.
© FPT SOFTWARE – TRAINING MATERIAL – Internal use 04e-BM/NS/HDCV/FSOFT v2/3 Securing a Microsoft ASP.NET Web Application.

© FPT SOFTWARE – TRAINING MATERIAL – Internal use 04e-BM/NS/HDCV/FSOFT v2/3 Securing a Microsoft ASP.NET Web Application.

Similar presentations

Ads by Google