1 / 49

Gap Assessment of the Top Web Service Specifications Managing the Security of Web Services

Gap Assessment of the Top Web Service Specifications Managing the Security of Web Services. Cristina Fhied SE690 Final Presentation Advisor: Xiaoping Jia, Luigi Guadagno. Outline. 1. Project Goal 2. Overview of Web Services introduction 3. Security Enterprise Requirements

baka
Download Presentation

Gap Assessment of the Top Web Service Specifications Managing the Security of Web Services

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Gap Assessment of the Top Web Service SpecificationsManaging the Security of Web Services Cristina Fhied SE690 Final Presentation Advisor: Xiaoping Jia, Luigi Guadagno SE 690 - Survey

  2. Outline • 1. Project Goal • 2. Overview of Web Services introduction • 3. Security Enterprise Requirements • 4. Security Specifications • Comparison Overview (how do they map req.) • Drawbacks and Benefits of each • Model • 5. Current Enterprise State Survey • 6. Conclusion and Recommendations • 7. Potential Future Work SE 690 - Survey

  3. Project Goal • Research available web service specifications. • Conduct an enterprise state survey exploring problems and experiences facing network professionals. • Research the Enterprise communication and architecture requirements for a secure Web Services. • Prepare gap assessment tables mapping the communication and network enterprise req. against the researched available security specifications. • Prepare a model showing the interpolation of Ws-Security specification with the interaction of the researched available web service specifications. SE 690 - Survey

  4. What are Web Services? “Software pieces that interact with each other using internet standards to create an application in response to requests that conform to agreed-upon formats.” [Infravio, 2003] SE 690 - Survey

  5. What Are the Characteristics… • A web service is accessible over the internet. • Provides an interface that can be called from one application to another. • Interface can be called from any type of application client or service. • Acts as a liaison between the web and the application logic that implements the service. SE 690 - Survey

  6. How Does a Web Service Communicate? • Uses XML on top of HTTP • XML is a widely accepted format for exchanging data and its semantics • The Web service STACK consists of: • XML (eXtensible Markup Language) • SOAP (Simple Object Access Protocol) • WSDL (Web Services Definition Language) • UDDI (Universal Discovery Description Language) SE 690 - Survey

  7. Web Services Stack Returns the WSDL reference used to bind to web service UDDI Specifies how to connect to a web service WSDL Better describes the data being sent SOAP XML Acts as the envelope for XML messages HTTP (SMTP, FTP, other) Transport layer SE 690 - Survey

  8. What About Current Web Security? • To date much of web security is built around encryption through secure socket layers (SSL) using simple object access protocol (SOAP). • Not enough to protect supply-chain operations and other business to business transactions because SOAP is based on XML. • One way transmission, easy to steal and resend messages. SE 690 - Survey

  9. Enterprise Requirements Network Communication SE 690 - Survey

  10. Communication based Enterprise Security Requirements… • Authentication • Authorization • Data protection • Non-repudiation SE 690 - Survey

  11. Defining Requirements • Authentication – involves accepting credentials from the entity and validating them against an authority. • Authorization – determines whether the service has granted access to the web service to the requestor. • Data protection – ensures that the web services request and response have not tampered with en route. Requires both integrity and privacy. • Nonrepudiation – guarantees that the message sender is the same as the creator of the message. SE 690 - Survey

  12. Network based Enterprise Security Requirements… • Confidentiality • Integrity • Accessibility SE 690 - Survey

  13. Defining RequirementsCont. • Confidentiality – contains information required for protection against unauthorized use or disclosure. • Accessibility – must be able on a timely basis to meet mission requirements or to avoid substantial losses. • Integrity – contained information must be protected from unauthorized, unanticipated or unintentional modifications. SE 690 - Survey

  14. Available Industry Specification Definitions and Features Comparison Mapping Overview Drawbacks and Benefits Model SE 690 - Survey

  15. PKI • Public Key Infrastructure is an open specification. • Published by VeriSign in 2002. • Integrates digital certificates and certificate authorities into enterprise-wide network security architecture. SE 690 - Survey

  16. PKI Cont. • Provides protection by: • Authenticating identity • Verifying Integrity • Ensuring Privacy • Authorizing Access • Authorizing Transactions • Supporting Nonrepudiation SE 690 - Survey

  17. PKI Cont. • Strengths: • Integrates Authentication and digital signatures. • Allows confidential validation on the identity of each party in an internet transaction. • Ensures that the message or documents the digital certificate signs has not been changed in transit online. • Protects information from interception during Internet transmission. • Validates a user identity making it possible to later update a digitally signed transaction (single sign-on). SE 690 - Survey

  18. PKI Cont. • Weaknesses: • Complications associated with the usage of proprietary PKI software toolkits. • Complex deployment associated with server side components. • Constraint of complexity in integrating authentication and digital signatures in web service applications. SE 690 - Survey

  19. SAML • Security Assertions Markup Language is an XML-based framework for Web Services. • Security Specification from OASIS, released in February 2002. • First industry standard for enabling secure e-commerce transactions through XML. SE 690 - Survey

  20. SAML Cont. • Gives guidelines on assertions to request and response messages to provide: • Authentication. • Authorization. • Interoperability • Also shows how single sign-on can be achieved when several web-services are interacting; achieved by adding XML assertions. SE 690 - Survey

  21. SAML Cont. • Strengths: • Supports real-time Authentication and Authorization. • Can interoperate with any kind of system. • Makes it possible to have message integrity and non-repudiation of the sender. • Establishes assertions and protocol schemas for the structure of the document that transport security. • Links back to the actual authentication and makes its assertions based on the requests of that event. SE 690 - Survey

  22. SAML Cont. • Weaknesses: • Security of SAML conversation is not a stand-alone application; depends on a trust model, typically PKI. • Does not address privacy policies. • Does not define any technology or approaches for Authentication. • Only makes assertions about credentials; does not authenticate or authorize users. SE 690 - Survey

  23. XKMS • XML Key Management Specification is an open specification. • Published by the W3C as a technical note. • Provides a standard XML-based messaging protocol to outsource the processing of key management to dedicated services. SE 690 - Survey

  24. XKMS Cont. • XML version of PKI handling. • Integrates: • Authentication. • Authorization. • Malicious Attack Support. • Uses SOAP over an HTTP based network. • Makes it easy for applications to interface with key-related services. SE 690 - Survey

  25. XKMS Cont. • Strengths: • Integrates Authentication and Authorization. • Does status checking in a matter of hours. • Rapidly implements trust features incorporating cryptographic support for XML digital signatures. • Moves the complexity associated with PKI integration to server side components. • Specification toolkit is completely platform, vendor, and transport protocol independent. • Developer friendly, syntax used eliminates the necessary plug-ins PKI requires. SE 690 - Survey

  26. XKMS Cont. • Weaknesses: • Has no implemented prototype depicting its available techniques. • Needs to have three standards to be used at the same time, in order for higher security, Not a stand-alone application: • X-KISS (XML Key Information Serv. Spec.). • X-KRSS (XML Key Requirement Serv. Spec.). • Protocol Binding Specification. SE 690 - Survey

  27. WS-Security Cont. • Published in April 2002 by IBM, Microsoft, and VeriSign. • Helps enterprises build secure web services, and applications based on them that are broadly interoperable. • Proposes a set of SOAP extensions, used when building secure web services to implement: • Integrity. • Confidentiality. SE 690 - Survey

  28. WS-Security Cont. • Does not limit itself to a specific model or mechanism, can be used as a guideline. • Has support for several models and security mechanisms. • Supports: • Multiple Security Tokens. • Cryptography Technologies. • Requester Security. • Transport Security. SE 690 - Survey

  29. Ws-Security Cont. • Microsoft, VeriSign and IBM are announcing the publication of 5 new specifications. • When used with Ws-Security they provide a framework that is extensible and flexible in a infrastructure. • WS-Trust: provides Interoperability • WS-Secure Conversation: Cent. Management • WS-Secure Policy:protects against Malicious Attack • WS-Policy: provides Authentication • WS-Authorization: provides Authorization SE 690 - Survey

  30. WS-Security Cont. • Strengths: • Implements integrity and confidentiality. • Building block or better yet a blueprint to be used in conjunction with other web service specifications. • Integrates, unifies and supports many popular security models and technologies. • Defines how signatures can be used. • Provides for a generic mechanism to associate security tokens with messages; does not require any type of security tokens. SE 690 - Survey

  31. WS-Security Cont. • Weaknesses: • Does not discuss how proof-of-possession must be implemented. • Does not discuss how subject confirmations must be implemented. • Their needs to be effort applied to ensure that security protocols that are implemented are not exposed to a wide range of attacks. • Not approved as a standard as of yet, there are not commercial web-services that use this specification as of yet. SE 690 - Survey

  32. Requirement WS-Security SAML XKMS PKI Interoperability Support X X Scalability Support   X Centralized Management Support X Malicious Attack Support   X Gap Assessment Table • Summary Comparison mapping of Communication Enterprise Security Requirements. X SE 690 - Survey

  33. Requirement WS-Security SAML XKMS PKI Authentication Support X X X X Authorization Support X X Data Protection/ Confidentiality Support X X Data Integrity Support X X Gap Assessment Table • Summary Comparison mapping of Network Enterprise Security Requirements. SE 690 - Survey

  34. Model SAML PKI Authentication WS-Policy Assertion WS-S ecur i ty XKMS SAML XKMS Authorization WS-Authorization PKI WS-Security Data Protection/ Confidentiality PKI WS-Security Data Integrity PKI WS-Security Scalability WS-Security WS-Trust Interoperability SAML WS-Secure Conversation Centralized Management SAML PKI XKMS WS-Security Policy XKMS Malicious Attack SE 690 - Survey

  35. Survey Results Current Enterprise State SE 690 - Survey

  36. About the Survey • Explores areas of interest and experiences for those responsible in ensuring network/web service securities • Survey was voluntary and consisted of eight questions • Final survey was sent to 25 individuals • 20 individuals submitted a completed survey SE 690 - Survey

  37. Key Research Questions • Rank web-based communication security requirements based on security framework importance • Rank networking issue requirements based on security framework importance • Rank security methods in terms of effectiveness in acquiring information security at an organization SE 690 - Survey

  38. Security Breach Yes No Viruses or Worms 95% 5% Attacks related to Protocol Weaknesses 43% 57% Attacks related to insecure passwords 19% 81% Attacks on bugs in Web Servers 52% 48% Survey Findings • Experience any of these Security Breaches: SE 690 - Survey

  39. Survey Findings • Indicate level of concern in the following issues SE 690 - Survey

  40. Survey Findings • Method effectiveness in terms of acquiring information security in an organization: SE 690 - Survey

  41. Survey Findings • Priority of the following items Importance to an organization SE 690 - Survey

  42. Survey Findings • Prioritize the Networking Issue Requirements based on security framework importance. SE 690 - Survey

  43. Survey Findings • Prioritize the web-based Communication Security Requirements based on security framework importance: SE 690 - Survey

  44. Conclusion and Recommendation SE 690 - Survey

  45. Managing Web Security • Difficult to determine a single best strategy. • When dealing with applications with strong authentication and authorization, Ws-Security and SAML specifications should be considered. • When dealing with concerns of malicious attack and data protection, XKMS and SAML should be considered. • XKMS when joined with WS-Security has a stronger use for digitally signing and SAML assertions. SE 690 - Survey

  46. Managing Web Security Cont. • SAML when combined with Ws-Security should use techniques such as XML signatures and encryptions. • SAML assertions should be carried as security tokens defined in Ws-Security. • SAML traffic should be secured by XKMS-based PKI. SE 690 - Survey

  47. Managing Web Security Cont. • Most effective method in acquiring information security in an organization is by conducting vulnerability assessments and explaining the differences between security and legal requirements. • To reduce obstacles in achieving web service security is to greatly reduce the technical challenges and complexity of using security specification toolkit products. SE 690 - Survey

  48. Potential Future Work • Research and analyze whether an implementation of Ws-Security, PKI, SAML and XKMS on Web Services is enough to provide a system with the needed securities. SE 690 - Survey

  49. Conclusion • For more information please visit project web site: • http://shrike.depaul.edu/~cfhied/se690/abstract.html Thank you!!! SE 690 - Survey

More Related