Presentation is loading. Please wait.

Presentation is loading. Please wait.

Multi-party Authentication in Web Services

Published byChristine Woods Modified over 5 years ago

Similar presentations

Presentation on theme: "Multi-party Authentication in Web Services"— Presentation transcript:

1 Multi-party Authentication in Web Services
Madhumita Chatterjee Dt :28th October 2004 12/8/2018 5:03 PM

2 Overview Web Services Architecture Typical Scenario Security Threats
Challenges and issues Need for Session Authentication Maruyama’s Protocol A Proposal 12/8/2018 5:03 PM

3 Web Service Components
Internet based modular applications Program to program communication XML WSDL SOAP UDDI 12/8/2018 5:03 PM

4 Web Service Architecture
Implementation of Services (components) UDDI Interface Description with WSDL 1. Request 4. Request Service requester Service Broker Web Server For SOAP S E R V I C e 12/8/2018 5:03 PM

5 Web Service Workflows Dynamic composition Multiple instances
Workflow involves service instances belonging to different Web services Multiple parties belong to a flow. 12/8/2018 5:03 PM

6 Typical Web Service Scenario
Buyer Govt service Financer Provider Shipper B.1 G.1 P.2 S.1 P.1 F.2 Service Instance Insurance I.1 F.1 12/8/2018 5:03 PM

7 Web Service Security Authentication: Establishing identity of user by providing a set of credentials. In return user receives a security token that can be used to access the server. Authorization: Establishing what a user is allowed to do. 12/8/2018 5:03 PM

8 Web Service Security……cont
Confidentiality: Ensuring that only the intended recipient can read the message, accompanied by encryption. Integrity: Ensuring that the message has not been tampered with, generally accomplished with digital signatures. 12/8/2018 5:03 PM

9 Threats…. Unauthorized access Parameter manipulation
Network eavesdropping Message replay 12/8/2018 5:03 PM

10 Challenges Dealing with un-trusted clients.
Application internals are exposed. SOAP messages are not point to point Challenge is to preserve security of SOAP message from initial SOAP sender to ultimate SOAP receiver. 12/8/2018 5:03 PM

11 SSL is inadequate SSL provides point-to-point security
Web Services need end-to-end security SSL does not support End-to-end confidentiality Element wise signing and encryption Non-repudiation 12/8/2018 5:03 PM

12 Need for session Authentication
TA-1 TA-2 Hotel Flight Car#1 Car#2 12/8/2018 5:03 PM

13 Maruyama’s protocol Session Authenticator component responsible for distributing keys and authenticating messages Each instance belonging to a session gets the shared key 12/8/2018 5:03 PM

14 Maruyama’s protocol….cont
Message authentication protocol transports authentication information between session participants Session management protocol responsible for starting, running and ending a particular session. 12/8/2018 5:03 PM

15 Message Authentication
Session Authenticator Allows service instances to mutually verify transient membership Service Authenticator Protocol for sending Web service to send MACed SOAP envelope to receiving Web Service 12/8/2018 5:03 PM

16 Session Authenticator
Sending instance prepares SOAP envelope Optionally uses XML encryption Adds authentication to SOAP header Using SOAP-DSIG applies MAC to envelope under session key. 12/8/2018 5:03 PM

17 Session Auth….cont… Receiver checks for session key.
Else obtains key from session manager. Validates MAC and accepts SOAP envelope. Decrypts encrypted message. Receiver now has authenticated mesg and session handle. 12/8/2018 5:03 PM

18 Service Authenticator
Sending service prepares SOAP envelope. Adds authentication header. Uses SOAP-DSIG to digitally sign mesg. Optionally uses XML encryption. Receiver decrypts, validates signature, verifies its own sign and accepts. 12/8/2018 5:03 PM

19 Session Management Initiator of session could be SA
Assigning session Ids. Creating session secrets. Maintaining status information for each session. Keeping participants informed of the status. Shutting down sessions. 12/8/2018 5:03 PM

20 Online session Management
12/8/2018 5:03 PM

21 Drawbacks .. SA cannot measure the validity of service instance
Anyone who has session ID can contact SA. An attacker who has compromised an instance can request to join session No unique identifier for each instance 12/8/2018 5:03 PM

22 Issues not considered What if Session Manager is malicious??
12/8/2018 5:03 PM

23 A Proposal….Adaptive approach
Requirements of users may vary. Is there need for stringent measures uniformly to every node and transaction Can we apply as much security as a particular transaction requires? 12/8/2018 5:03 PM

24 Sophisticated Web Services
E.g order for aircraft engine Spawns multiple supporting transactions Orders to individual parts Orders for shipping containers Etc Involves handling huge volumes of traffic 12/8/2018 5:03 PM

25 Adaptive approach ….cont
For Simple Web services existing security measures may suffice. For sophisticated Web Services involving long transactions trusted third party model desirable. Can an adaptive/hybrid approach be implemented??? 12/8/2018 5:03 PM

26 References 1. S. Hada and H. Maruyama, “Session Authentication Protocol for Web Services,” Proc IEEE Symposium on Application and the Internet, pp , Jan 2. Dacheng Zhang and Jie Xu, “Multi-Party Authentication for Web Services: Protocols, Implementation and Evaluation,” Proc IEEE Symposium on Object Oriented Real-time Distributed Computing. 3. M.Hondo, N. Nagaratnam, A.Nadalin, “Securing Web Services,” IBM Systems Journal, Vol 41, No. 2, 2002. 4. David Geer, “Taking Steps to Secure Web Services,” IEEE Computer, Vol 36, Oct 2003. 5. V Vasudevan, “A Web Services Primer”, April 2001. 6. Y. Nakamur, S. Hada and R. Neyama, “Towards the Integration of Web Services Security on Enterprise Environments,” Proc Symposium on Applications and the Internet, pp , Jan 7. W3C NOTE, Simple Object Access Protocol (SOAP) 1.1, 12/8/2018 5:03 PM

27 References 8. W3C NOTE, SOAP Security Extensions: Digital Signature,
9. Web `Services Security(WS-Security), 10. Web Services Security Threats and Countermeasures, Microsoft Corporation, Jan 2004. 12/8/2018 5:03 PM

Download ppt "Multi-party Authentication in Web Services"

Similar presentations

Chapter 10 Encryption: A Matter of Trust. Awad –Electronic Commerce 1/e © 2002 Prentice Hall 2 OBJECTIVES What is Encryption? Basic Cryptographic Algorithm.

Chapter 10 Encryption: A Matter of Trust. Awad –Electronic Commerce 1/e © 2002 Prentice Hall 2 OBJECTIVES What is Encryption? Basic Cryptographic Algorithm.
Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.

Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.
Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.

Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.
Lecture 23 Internet Authentication Applications

Lecture 23 Internet Authentication Applications
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.

Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.
Core Web Service Security Patterns

Core Web Service Security Patterns
Chapter 8 Web Security.

Chapter 8 Web Security.
Alexander Potapov.  Authentication definition  Protocol architectures  Cryptographic properties  Freshness  Types of attack on protocols  Two-way.

Alexander Potapov.  Authentication definition  Protocol architectures  Cryptographic properties  Freshness  Types of attack on protocols  Two-way.
Computer Security Tran, Van Hoai Department of Systems & Networking Faculty of Computer Science & Engineering HCMC University of Technology.

Computer Security Tran, Van Hoai Department of Systems & Networking Faculty of Computer Science & Engineering HCMC University of Technology.
Digital Cash By Gaurav Shetty. Agenda Introduction. Introduction. Working. Working. Desired Properties. Desired Properties. Protocols for Digital Cash.

Digital Cash By Gaurav Shetty. Agenda Introduction. Introduction. Working. Working. Desired Properties. Desired Properties. Protocols for Digital Cash.
Wireless and Email Security CSCI 5857: Encoding and Encryption.

Wireless and Security CSCI 5857: Encoding and Encryption.
Secure Electronic Transaction (SET)

Secure Electronic Transaction (SET)
SSL / TLS in ITDS Arun Vishwanathan 23 rd Dec 2003.

SSL / TLS in ITDS Arun Vishwanathan 23 rd Dec 2003.
Lecture 23 Internet Authentication Applications modified from slides of Lawrie Brown.

Lecture 23 Internet Authentication Applications modified from slides of Lawrie Brown.
International Telecommunication Union Geneva, 9(pm)-10 February 2009 ITU-T Security Standardization on Mobile Web Services Lee, Jae Seung Special Fellow,

International Telecommunication Union Geneva, 9(pm)-10 February 2009 ITU-T Security Standardization on Mobile Web Services Lee, Jae Seung Special Fellow,
Protecting Internet Communications: Encryption  Encryption: Process of transforming plain text or data into cipher text that cannot be read by anyone.

Protecting Internet Communications: Encryption  Encryption: Process of transforming plain text or data into cipher text that cannot be read by anyone.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 22 – Internet Authentication.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 22 – Internet Authentication.
Cryptography and Network Security (CS435) Part Fourteen (Web Security)

Cryptography and Network Security (CS435) Part Fourteen (Web Security)
Web Security : Secure Socket Layer Secure Electronic Transaction.

Web Security : Secure Socket Layer Secure Electronic Transaction.

Similar presentations

Ads by Google