
Web Services Security



  1. Web Services Security
     Dept of Computer Engineering, Khon Kaen University

  2. Challenges of Securing Web Services
     • Need to figure out a way of securing Web services that can be potentially accessed by a complete stranger over the network
     • Many technologies developed to support:
       • XML Encryption
       • XML Signature (XML DSIG)
       • XML Key Management Service (XKMS)
     168493: XML and Web Services (II/2546)

  3. Concepts of Cryptography
     • Encryption and digital signatures are a part of a bigger science of cryptography
     • Cryptography is the art of secret writing, the enciphering and deciphering of messages in secret code or cipher, as many would put it
     • Cipher = a message written in a secret code
     • Decipher = convert code into ordinary language
     • Encipher = convert plain text into the cipher text

  4. Four Goals of Cryptography
     • Confidentiality
       • Ensuring that only authorized parties are able to understand the data
     • Authentication
       • Ensuring the identity of the party in a given security domain
     • Integrity
       • Protecting sensitive information from unauthorized modifications
     • Non-repudiation
       • Ensures that another party cannot repudiate

  5. Confidentiality
     • Ensuring that only authorized parties are able to understand the data
     • Unauthorized parties may know that the data exists, but they should not be able to understand what the data is
     • Confidentiality is made possible through encryption. Encryption is the process of converting a particular message into scrambled text, also known as cipher text

  6. Authentication
     • Ensures the identity of the party in a given security domain
     • This involves having some sort of password or key through which the user would prove his or her identity in a particular security domain
     • Authentication is extremely important for services to be able to tell to whom they are providing their services

  7. Integrity
     • Protecting sensitive information from unauthorized modifications
     • Ensures that the message received by the recipient was the same message that was sent originally by the sender
     • The message has not been tampered with since it was sent
     • Different hashing algorithms are used to generate a sort of checksum to guarantee integrity

  8. Non-repudiation
     • Repudiation is to refuse to accept something
     • Non-repudiation is a technique in which one party ensures that another party cannot repudiate
     • For example, a supplier of raw materials would want to ensure that the customer does not later repudiate its placing of an order for materials
     • Digital signatures can be used to provide non-repudiation in computer security systems

  9. XML Encryption
     • The XML Encryption standard is currently being developed at the W3C
       • http://www.w3.org/Encryption/2001/
     • Unlike SSL/TLS (Secure Sockets Layer/Transport Layer Security), XML Encryption enables the encryption of data at different granularity levels
     • This means that one can select to encrypt parts of data using XML Encryption

  10. XML Encryption
     • It also enables the establishment of secure sessions with more than one party
     • XML Encryption can be used to encrypt both XML and non-XML data
     • For more information about the implementation of XML Encryption
       • http://www-106.ibm.com/developerworks/xml/library/x-encrypt/

  11. XML Signatures
     • Provides a mechanism for applying digital signatures to XML documents and other Internet resources
     • Provide strong integrity for message authentication, signer authentication and non-repudiation services for data of any type

  12. Types of XML Signatures
     • Three types of signatures supported by the XML Signature specification
     • Enveloped signatures
       • The signature is over the XML content that contains the signature as an element
     • Enveloping signatures
       • The signature is over the content found within an <Object> element of the signature itself
     • Detached signatures
       • The signature is over the content external to the <Signature> element and this external content is identified via a URI

  13. Example: Enveloped Signature

        <doc Id="doc0">
          <elem/>
          <Signature>
            …
            <Reference URI="#doc0"/>
            …
          </Signature>
        </doc>

  14. Example: Enveloping Signature

        <Signature>
          …
          <Reference URI="#ID0"/>
          …
          <Object Id="ID0"> … </Object>
        </Signature>

  15. Detached Signatures

        <doc>
          <Signature>
            ...
            <Reference URI="http://www.ach.com/fundstransfer/fundstarnsferproc.html"/>
          </Signature>
          <elem/>
        </doc>
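
The three reference placements from slides 12 to 15, as an added example that is not part of the original slides: Python code that reports, for each `<Reference>` in a signature, whether the signed content encloses the signature, sits inside it, or lies outside it. It assumes the standard XML-DSig namespace, bare `#id` fragments and ID attributes named `Id`, `ID` or `id`; the function names and the sample document are constructed here.

```python
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"  # standard XML-DSig namespace

def _kind(uri, root, ancestors, inside):
    """Classify one Reference URI relative to its Signature element."""
    if uri is None:
        return "application-defined"      # no URI: receiver must know the target
    if uri == "":                         # "" means the whole enclosing document
        return "enveloped" if ancestors else "unresolved"
    if not uri.startswith("#"):
        return "detached"                 # external resource named by URI
    target = uri[1:]                      # bare-name fragment only (assumption)
    has_id = lambda e: target in (e.get("Id"), e.get("ID"), e.get("id"))
    if any(has_id(e) for e in ancestors):
        return "enveloped"                # signed content contains the Signature
    if any(has_id(e) for e in inside):
        return "enveloping"               # signed content is inside the Signature
    if any(has_id(e) for e in root.iter()):
        return "detached"                 # same document, but outside the Signature
    return "unresolved"                   # dangling reference: reject, do not trust

def classify_references(xml_text):
    """Return [(uri, kind)] for every Reference of every Signature."""
    # For untrusted input, parse with a hardened parser such as defusedxml.
    root = ET.fromstring(xml_text)
    parent = {child: p for p in root.iter() for child in p}
    results = []
    for sig in root.iter(DS + "Signature"):
        ancestors, node = [], sig
        while node in parent:             # walk up to the document element
            node = parent[node]
            ancestors.append(node)
        inside = [e for e in sig.iter() if e is not sig]
        for ref in sig.iter(DS + "Reference"):
            uri = ref.get("URI")
            results.append((uri, _kind(uri, root, ancestors, inside)))
    return results

# Constructed sample combining the placements shown on the slides.
SAMPLE = """<doc Id="doc0" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <elem Id="sib1"/>
  <ds:Signature><ds:SignedInfo>
      <ds:Reference URI="#doc0"/>
      <ds:Reference URI="#ID0"/>
      <ds:Reference URI="#sib1"/>
      <ds:Reference URI="http://example.com/order.xml"/>
      <ds:Reference URI="#missing"/>
    </ds:SignedInfo>
    <ds:Object Id="ID0">payload</ds:Object>
  </ds:Signature>
</doc>"""

if __name__ == "__main__":
    for uri, kind in classify_references(SAMPLE):
        print(f"{uri!s:32} {kind}")
```

A verifier can use the same classification to confirm that the data it goes on to process is the data a reference actually covers, and to refuse signatures with unresolved references.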
