exigo.pro Lifestyle Securing Web Services With Ws-security Pdf


Friday, February 14, 2020

Securing Web. Services with. WS-Security. Demystifying WS-Security,. WS-Policy , SAML, XML Signature and XML Encryption jothy Rosenberg. David L. Remy. Securing Web Services has several parts. – XML Message Security soap- message-securitypdf. – Schema: Web Service Security Basic Picture. Agenda. • Intro. • Transport Layer Security. • Message Level Security. • When to use which? • Web Service Security Standards. • Oracle Web Service Manager.

Language:English, Spanish, German
Published (Last):18.04.2016
ePub File Size:18.39 MB
PDF File Size:8.83 MB
Distribution:Free* [*Regsitration Required]
Uploaded by: CHASSIDY

OMG Web Services Workshop USA. 22 April . Secure gateways: Web Services Security Proxies proxy understands SOAP/HTTP and WS-Security. Other Web services security specifications, such as WS-Trust, WS-Secure- For example, SOAP messages need to be secure, WSDL files may need to be. GUIDE TO SECURE WEB SERVICES . Web Service Security Functions and Related Technologies. exigo.pro .

Other important specifications from this family are still found in different development stages, and plans for their submission have not yet been announced, although they cover such important issues as security policies WS-Policy et al , trust issues and security token exchange WS-Trust , establishing context for secure conversation WS-SecureConversation. One of the specifications in this family, WS-Federation, directly competes with the work being done by the LA consortium, and, although it is supposed to be incorporated into the Longhorn release of Windows, its future is not clear at the moment, since it has been significantly delayed and presently does not have industry momentum behind it.

WSS served as the foundation for all other specifications in this domain, creating a basic infrastructure for developing message-based security exchange.

Because of its importance for establishing interoperable Web Services, it was submitted to OASIS and, after undergoing the required committee process, became an officially accepted standard. Current version is 1. Organization of the standard The WSS standard itself deals with several core security areas, leaving many details to so-called profile documents.

The core areas, broadly defined by the standard, are: Ways to add security headers WSSE Header to SOAP Envelopes Attachment of security tokens and credentials to the message Inserting a timestamp Encrypting the message Extensibility Flexibility of the WS-Security standard lies in its extensibility, so that it remains adaptable to new types of security tokens and protocols that are being developed.

This flexibility is achieved by defining additional profiles for inserting new types of security tokens into the WSS framework.

While the signing and encrypting parts of the standards are not expected to require significant changes only when the underlying XML-dsig and XML-enc are updated , the types of tokens, passed in WSS messages, and ways of attaching them to the message may vary substantially.

Each of those types is further specified in one or more profile document, which defines additional tokens' attributes and elements, needed to represent a particular type of security token. Purpose The primary goal of the WSS standard is providing tools for message-level communication protection, whereas each message represents an isolated piece of information, carrying enough security data to verify all important message properties, such as: authenticity, integrity, freshness, and to initiate decryption of any encrypted message parts.

This concept is a stark contrast to the traditional channel security, which methodically applies pre-negotiated security context to the whole stream, as opposed to the selective process of securing individual messages in WSS. In the Roadmap, that type of service is eventually expected to be provided by implementations of standards like WS-SecureConversation.

From the beginning, the WSS standard was conceived as a message-level toolkit for securely delivering data for higher level protocols. Those protocols, based on the standards like WS-Policy, WS-Trust, and Liberty Alliance, rely on the transmitted tokens to implement access control policies, token exchange, and other types of protection and integration.

However, taken alone, the WSS standard does not mandate any specific security properties, and an ad-hoc application of its constructs can lead to subtle security vulnerabilities and hard to detect problems, as is also discussed in later sections of this chapter. WS-Security Building Blocks The WSS standard actually consists of a number of documents, one core document, which defines how security headers may be included into SOAP envelope and describes all high-level blocks, which must be present in a valid security header.

Profile documents have the dual task of extending definitions for the token types they are dealing with, providing additional attributes, elements, as well as defining relationships left out of the core specification, such as using attachments. Core WSS 1. Associated specifications are: Username token profile 1. Kerberos Token Profile 1. How data is passed WSS security specification deals with two distinct types of data: security information, which includes security tokens, signatures, digests, etc; and message data, i.

These identifiers are defined in the WSS specification documents. Security header's structure A security header in a message is used as a sort of an envelope around a letter, it seals and protects the letter, but does not care about its content. This "indifference" works in the other direction as well, as the letter SOAP message should not know, nor should it care about its envelope WSS Header , since the different units of information, carried on the envelope and in the letter, are presumably targeted at different people or applications.

Unless the whole token is encrypted, a message which includes a clear-text password should always be transmitted via a secured channel. In situations where the target Web Service has access to clear-text passwords for verification this might not be possible with LDAP or some other user directories, which do not return clear-text passwords , using a hashed version with nonce and a timestamp is generally preferable.

The core specification defines BinarySecurityToken element, while profile documents specify additional attributes and sub-elements to handle attachment of various tokens. Presently, both the X. The core specification merely mentions the possibility of inserting such tokens, leaving all details to the profile documents.

At the moment, SAML 1. See the further reading section for a design pattern on this.

Securing Web Services with WS-Security

Referencing message parts In order to retrieve security tokens, passed in the message, or to identify signed and encrypted message parts, the core specification adopts usage of a special attribute, wsu:Id.

The only requirement on this attribute is that the values of such IDs should be unique within the scope of XML document where they are defined.

Its application has a significant advantage for the intermediate processors, as it does not require understanding of the message's XML Schema. Unfortunately, XML Signature and Encryption specifications do not allow for attribute extensibility i. WSS core specification also defines a general mechanism for referencing security tokens via SecurityTokenReference element. The specification recommends using two of its possible four reference types: Direct References by URI and Key Identifiers some kind of token identifier.

Communication Protection Mechanisms As was already explained earlier see 0 , channel security, while providing important services, is not a panacea, as it does not solve many of the issues facing Web Service developers. Integrity WSS specification makes use of the XML-dsig standard to ensure message integrity, restricting its functionality in certain cases; for instance, only explicitly referenced elements can be signed i. Prior to signing an XML document, a transformation is required to create its canonical representation, taking into account the fact that XML documents can be represented in a number of semantically equivalent ways.

In order to provide a uniform way of addressing signed tokens, WSS adds a Security Token Reference STR Dereference Transform option, which is comparable with dereferencing a pointer to an object of specific data type in programming languages. Similarly, in addition to the XML Signature-defined ways of addressing signing keys, WSS allows for references to signing security tokens through the STR mechanism explained in 0 , extended by token profiles to accommodate specific token types.

A typical signature example is shown in an earlier sample in the section 0. There is an interesting twist when a particular element is both signed and encrypted, since these operations may follow even repeatedly in any order, and knowledge of their ordering is required for signature verification.

To address this issue, the WSS core specification requires that each new element is pre-pended to the security header, thus defining the "natural" order of operations. A particularly nasty problem arises when there are several security headers in a single SOAP message, using overlapping signature and encryption blocks, as there is nothing in this case that would point to the right order of operations. A SOAP message with encrypted body is shown in the section 0. Freshness SOAP messages' freshness is addressed via timestamp mechanism, each security header may contain just one such element, which states, in UTC time and using the UTC time format, creation and expiration moments of the security header.

It is important to realize that the timestamp is applied to the WSS Header, not to the SOAP message itself, since the latter may contain multiple security headers, each with a different timestamp.

There is an unresolved problem with this "single timestampt" approach, since, once the timestamp is created and signed, it is impossible to update it without breaking existing signatures, even in case of a legitimate change in the WSS Header.

There is no mechanism foreseen to address clock synchronization issue which, as was already point out earlier, is generally not an issue in modern day systems , this has to be addressed out-of-band as far as the WSS mechanics is concerned. See the further reading section for a design pattern addressing this issue.

Access Control Mechanisms When it comes to access control decisions, Web Services do not offer specific protection mechanisms by themselves, they just have the means to carry the tokens and data payloads in a secure manner between source and destination SOAP endpoints.

Navigation menu

For more complete description of access control tasks, please, refer to other sections of this Development Guide. Identification Identification represents a claim to have certain identity, which is expressed by attaching certain information to the message.

This can be a username, an SAML assertion, a Kerberos ticket, or any other piece of information, from which the service can infer who the caller claims to be. WSS represents a very good way to convey this information, as it defines an extensible mechanism for attaching various token types to a message see 0. It is the receiver's job to extract the attached token and figure out which identity it carries, or to reject the message if it can find no acceptable token in it.

Authentication Authentication can come in two flavors: credentials verification or token validation. The subtle difference between the two is that tokens are issued after some kind of authentication has already happened prior to the current invocation, and they usually contain user's identity along with the proof of its integrity.

WSS offers support for a number of standard authentication protocols by defining binding mechanism for transmitting protocol-specific tokens and reliably linking them to the sender. However, the mechanics of proof that the caller is who he claims to be is completely at the Web Service's discretion. Whether it takes the supplied username and password's hash and checks it against the backend user store, or extracts subject name from the X. Authorization XACML may be used for expressing authorization rules, but its usage is not Web Service-specific, it has much broader scope.

So, whatever policy or role-based authorization mechanism the host server already has in place will most likely be utilized to protect the deployed Web Services deployed as well. Depending on the implementation, there may be several layers of authorization involved at the server.

Granularity of such checks is implementation-specific and is not dictated by any standards. This descriptor has sufficient details to express SOAP binding requirements, but it does not define any security parameters, leaving Web Service developers struggling to find out-of-band mechanisms to determine the endpoint's security requirements.

To make up for these shortcomings, WS-Policy specification was conceived as a mechanism for expressing complex policy requirements and qualities, sort of WSDL on steroids.


Through the published policy SOAP endpoints can advertise their security requirements, and their clients can apply appropriate measures of message protection to construct the requests.

If the requestor does not possess the required tokens, it can try obtaining them via trust mechanism, using WS-Trust-enabled services, which are called to securely exchange various token types for the requested identity.

Unfortunately, both WS-Policy and WS-Trust specifications have not been submitted for standardization to public bodies, and their development is progressing via private collaboration of several companies, although it was opened up for other participants as well.

As a positive factor, there have been several interoperability events conducted for these specifications, so the development process of these critical links in the Web Services' security infrastructure is not a complete black box.

Forming Web Service Chains Many existing or planned implementations of SOA or B2B systems rely on dynamic chains of Web Services for accomplishing various business specific tasks, from taking the orders through manufacturing and up to the distribution process.

This is in theory. In practice, there are a lot of obstacles hidden among the way, and one of the major ones among them, security concerns about publicly exposing processing functions to intra- or Internet-based clients. Here are just a few of the issues that hamper Web Services interaction, incompatible authentication and authorization models for users, amount of trust between services themselves and ways of establishing such trust, maintaining secure connections, and synchronization of user directories or otherwise exchanging users' attributes.

These issues will be briefly tackled in the following paragraphs. Incompatible user access control models As explained earlier, in section 0, Web Services themselves do not include separate extensions for access control, relying instead on the existing security framework.

What they do provide, however, are mechanisms for discovering and describing security requirements of a SOAP service via WS-Policy , and for obtaining appropriate security credentials via WS-Trust based services. Service trust In order to establish mutual trust between client and service, they have to satisfy each other's policy requirements. A simple and popular model is mutual certificate authentication via SSL, but it is not scalable for open service models, and supports only one authentication type.

Services that require more flexibility have to use pretty much the same access control mechanisms as with users to establish each other's identities prior to engaging in a conversation.

Secure connections Once trust is established it would be impractical to require its confirmation on each interaction. Instead, a secure client-server link is formed and maintained the entire time a client's session is active. Again, the most popular mechanism today for maintaining such link is SSL, but it is not a Web Service-specific mechanism, and it has a number of shortcomings when applied to SOAP communication, as explained in 0.

Synchronization of user directories This is a very acute problem when dealing with cross-domain applications, as users' population tends to change frequently among different domains. So, how does a service in domain B decide whether it is going to trust user's claim that he has been already authenticated in domain A?

There exist different aspects of this problem. First, a common SSO mechanism, which implies that a user is known in both domains through synchronization, or by some other means , and authentication tokens from one domain are acceptable in another. Domain federation Another aspect of the problem is when users are not shared across domains, but merely the fact that a user with certain ID has successfully authenticated in another domain, as would be the case with several large corporations, which would like to form a partnership, but would be reluctant to share customers' details.

The decision to accept this request is then based on the inter-domain procedures, establishing special trust relationships and allowing for exchanging such opaque tokens, which would be an example of Federation relationships.


The work in this area is still far from being completed, and most of the existing deployments are nothing more than POC or internal pilot projects than to real cross-companies deployments, although LA's website does list some case studies of large-scale projects. Available Implementations It is important to realize from the beginning that no security standard by itself is going to provide security to the message exchanges, it is the installed implementations, which will be assessing conformance of the incoming SOAP messages to the applicable standards, as well as appropriately securing the outgoing messages.

WSE, currently at the version 2.

Once standards mature, their support is incorporated into new releases of the. NET platform, which is what is going to happen when. NET 2. The next release of WSE, 3. Considering that Microsoft is one of the most active players in the Web Service security area and recognizing its influence in the industry, its WSE implementation is probably one of the most complete and up to date, and it is strongly advisable to run at least a quick interoperability check with WSE-secured.

NET Web Service clients.

If you have a Java-based Web Service, and the interoperability is a requirement which is usually the case , in addition to the questions of security testing one needs to keep in mind the basic interoperability between Java and. NET Web Service data structures. This is especially important since current versions of.

Securing Web Services and the Java WSDP 1.5 XWS-Security Framework

That said, WSE package itself contains very rich and well-structured functionality, which can be utilized both with ASP. NET-based and standalone Web Service clients to check incoming SOAP messages and secure outgoing ones at the infrastructure level, relieving Web Service programmers from knowing these details. Among other things, WSE 2. Those are needed for establishing secure exchanges and sessions - similar to what SSL does at the transport level, but applied to message-based communication.

Moving one level up, to address Web Services themselves, the picture becomes muddier, at the moment, there are many implementations in various stages of incompleteness. For instance, Apache is currently working on the WSS4J project, which is moving rather slowly, and there is commercial software package from Phaos now owned by Oracle , which suffers from a lot of implementation problems. However, its support for Web Service security specifications in the version 1. Download preview PDF.

References 1. Abadi, M. Apache Software Foundation. Bhargavan, K. In: de Boer, F. FMCO LNCS, vol. Blanchet, B. Box, D. Dolev, D. Eastlake, D. W3C Recommendation Google Scholar Gordon, A. Goubault-Larrecq, J. In: Cousot, R. VMCAI The core areas, broadly defined by the standard, are: Ways to add security headers WSSE Header to SOAP Envelopes Attachment of security tokens and credentials to the message Inserting a timestamp Encrypting the message Extensibility Flexibility of the WS-Security standard lies in its extensibility, so that it remains adaptable to new types of security tokens and protocols that are being developed.

Maybe it needs weather data, local restaurant data, movie data, etc. Moving one level up, to address Web Services themselves, the picture becomes muddier, at the moment, there are many implementations in various stages of incompleteness.

Domain federation Another aspect of the problem is when users are not shared across domains, but merely the fact that a user with certain ID has successfully authenticated in another domain, as would be the case with several large corporations, which would like to form a partnership, but would be reluctant to share customers' details.

Securing Web Services Web services, like other distributed applications, require protection at multiple levels: SOAP messages that are sent on the wire should be delivered confidentially and without tampering The server needs to be confident who it is talking to and what the clients are entitled to The clients need to know that they are talking to the right server, and not a phishing site see the Phishing chapter for more information System message logs should contain sufficient information to reliably reconstruct the chain of events and track those back to the authenticated callers Correspondingly, the high-level approaches to solutions, discussed in the following sections, are valid for pretty much any distributed application, with some variations in the implementation details.

This article presents an overview of information security, followed by an overview of the basic concepts for securing web services. Because of this, trust management will become a major source of risk and have a greater impact on business and technical processes than all other aspects of designing, implementing and managing Web services and their clients.

Prior to signing an XML document, a transformation is required to create its canonical representation, taking into account the fact that XML documents can be represented in a number of semantically equivalent ways.

NUBIA from Virginia
I relish studying docunments rightfully. Also read my other articles. I absolutely love category:sports-related lists.