
E196 Web Services and Security


Presentation Transcript


  1. E196 Web Services and Security • Scott McReynolds • Engineering Manager • e-Business • scottmc@sybase.com

  2. Agenda • Securing SOAP • Future Plans for Security in Web Services

  3. Web Services Security • What are we trying to accomplish? • Restricting access to authorized users • Protecting messages from being viewed by unauthorized parties • How are we going to achieve that desired effect? • Network, transport layer, OS, Service, or application.

  4. Is SOAP Secure? • Not Built into the Specification • Have to rely on EAServer security • Authentication • Authorization

  5. What Is Authentication? • One endpoint of an established communications session can request information to identify the other endpoint • Both client and server authenticated for best security • Answers the question “Who are you really?”

  6. What Is Authorization? • Do you have the ability to access a particular set of data or component? • Checking information about the user against the access control list (ACL) to determine if a user can execute the business logic. • Clients may have different degrees of access • Read • Create • Update • Delete

  7. What Is Encryption? • Process of applying an algorithm to scramble the data in a message • Inputs to algorithm involve secret data called keys • Strength of encryption (length of keys) varies • Software for domestic use – Strongest encryption • Two types of encryption • Symmetric cryptography (private key encryption) • Asymmetric cryptography (public key encryption) • More secure • Uses two keys – A public key and a private key

  8. Public Key Cryptography • Authentication • Ensures both client and server are who they say they are • Encryption • Modifies data so it can be read only by the party for whom it is intended

  9. Public Key Encryption • Uses a pair of keys for encryption and decryption • Private key – Secret • Public key – Widely distributed • You send your public key to anyone with whom you wish to communicate using encoded data

  10. Public Key Encryption • Messages sent to you are: • Encrypted with your distributed public key • Decrypted by your private key • Messages sent by you are: • Encrypted with your private key • Decrypted with your distributed public key

  11. Secure Sockets Layer (SSL) • Network protocol that provides security for network connections • Uses public key encryption to provide: • Client and server authentication using digital certificates • Encryption – Prevents third parties from understanding transmitted data • Integrity checking – Detects whether transmitted data has been altered • Nonrepudiation – Message sender cannot disown responsibility for sending the message

  12. Tunneling • Packets for other protocols can be embedded inside SSL packets • A connection in which another protocol is embedded inside SSL is an SSL-tunneled connection • Both IIOP and HTTP can be tunneled inside SSL • For Web Services you will only be using HTTP tunneling.

  13. How SSL Security Works – Authentication • Client: “Hello, I am ‘client’” • Server: “Hello, I am ‘server’” • How do I know you are who you say you are?

  14. How SSL Security Works – Authentication • Client: “Hello, I am ‘client’” • Server: “Hello, I am ‘server’” • How do I know you are who you say you are? • Certificate Authority (CA): “I’ll vouch for him” • [Diagram labels: CA Cert, Client Entity Info, Server Entity Info]

  15. How SSL Security Works – Encryption • Client: “Hello, I am ‘client’” • Server: “Hello, I am ‘server’” • [Diagram labels: Encrypted, CA Cert]

  16. Public Key Cryptography • Each entity has a public key and a private key • Messages • Encrypted with your private key • Decrypted with your public key • You give your public key to whomever you want to communicate with • Exchange public keys with other entities for two-way communication

  17. Public Key Cryptography (cont.) • You (client or server) generate a key pair • Send your public key to the Certificate Authority (CA) • The certificate request • [Diagram labels: Client or Server, Public, Private, Certificate Authority]

  18. Public Key Cryptography (cont.) • CA creates a certificate for you by using his private key to digitally sign your public key • CA sends certificate back to you • [Diagram labels: Certificate Authority, CA’s own keys (Public, Private), Entity’s Public Key, Digitally Signed Certificate, CA Cert]

  19. Public Key Cryptography (cont.) • You use your certificate along with your private key to establish identity • [Diagram labels: Client or Server, Private Key + Digitally Signed Certificate, CA Cert]

  20. SSL Communication • [Diagram labels: Server: Server’s Private Key + CA’s Public Key; Client: Client’s Private Key + CA’s Public Key; Public Key of the Client; Public Key of the Server; Digitally Signed Certificates]

  21. Certificate Authorities • Commonly known trusted third party • VeriSign • Entrust • Thawte • Perform varying levels of verification of the requester’s identity • Name • Organization • Location

  22. Certificate Authorities • When two entities trust the same CA, they swap digital certificates to obtain access to each other’s public key • Public keys for commonly known trusted CAs are stored in most browsers • CA certificates • EAServer provides a CA for testing purposes • Generate client or server certificates signed by the Test CA • Must install Test CA certificate in Netscape to use • Sample client certificates signed by the Test CA provided

  23. Certificate Management • Certificates and keys managed by a cryptographic module • Loadable software • PKCS #11 standard • Browsers have a PKCS #11 module • EAServer has a PKCS #11 module • Accessible from Netscape • Accessible from Security Manager

  24. Security Manager • Plug-in to Sybase Central • Tool for: • Generating and installing client and server certificates • Installing CA certificates • Creating a certificate request to be sent to a CA • Managing key pairs • Defining security profiles • For non-browser-based clients, can install standalone Security Manager on the client machine to manage client certificates

  25. Security Manager • Keys displayed until certificate generated • Certificates sent to the client to identify server • Preinstalled CA certificates • Sybase Test CA certificate

  26. EAServer Security Scenario • [Diagram labels: EAServer, Encryption, Authentication, Encrypted HTTP, C, SSL (Encryption, Authentication Using Certificate), C++ Client, Component-Level Authorization Based on Roles]

  27. Associating Roles with Components • Define Roles within EAServer • Create the role • Add valid certificates to the role

  28. Associating Roles with Components • Add the role to the component • For PowerBuilder/CORBA Components

  29. Associating Roles with Components • Add the role to the component • For EJB Components

  30. Agenda • Securing SOAP • Future Plans for Security in Web Services

  31. Proposed Architectures • SOAP • Currently with SOAP there are no plans to add security to the underlying architecture. • Such mechanisms can be provided as SOAP extensions using the SOAP extensibility model

  32. Proposed Architectures • Web Services Standards • Microsoft and IBM seem to be leading the way • They are proposing a wide variety of additions to the standard that include authentication, authorization, privacy, trust, integrity, confidentiality, secure communications channels, federation, delegation and auditing across a wide spectrum of application and business topologies. • See www.Microsoft.com for more information

  33. Other Additions • Looking at a number of changes to improve security • Basic • Form • Plan to adhere to the industry standards as they evolve • Support of SAML once it gets through the OASIS general membership • Support of the J2EE 1.4 Web Services additions (JSR-115, Authorization Contract for Containers)

  34. Questions
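
Added example (not part of the original presentation and not EAServer code): a Python standard-library sketch of the scenario in slides 6 and 26–29, where the server requires a CA-signed client certificate over SSL and then authorizes each call by the roles attached to a component. The role names, component names, certificate subjects and the choice to match on commonName are assumptions made for illustration.

```python
import ssl

# Hypothetical role table (slide 27): each role lists the certificate
# subjects admitted to it and the operations (slide 6) it grants.
ROLES = {
    "order_reader": {"subjects": {"reporting-client"}, "ops": {"Read"}},
    "order_admin": {"subjects": {"ops-console"},
                    "ops": {"Read", "Create", "Update", "Delete"}},
}
# Hypothetical component -> roles mapping (slides 28-29).
COMPONENT_ROLES = {"OrderService": {"order_reader", "order_admin"},
                   "AuditService": {"order_admin"}}


def server_context(certfile=None, keyfile=None, cafile=None):
    """Server-side context that rejects clients lacking a CA-signed cert."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.verify_mode = ssl.CERT_REQUIRED          # authenticate the client too
    if cafile:
        ctx.load_verify_locations(cafile)        # CA certificate(s) we trust
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)   # server cert + private key
    return ctx


def common_name(peercert):
    """Pull commonName out of the dict SSLSocket.getpeercert() returns."""
    for rdn in (peercert or {}).get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def is_authorized(peercert, component, operation):
    """Default-deny check: certificate -> role -> component -> operation."""
    cn = common_name(peercert)
    if cn is None:
        return False
    for role in COMPONENT_ROLES.get(component, ()):
        entry = ROLES[role]
        if cn in entry["subjects"] and operation in entry["ops"]:
            return True
    return False


# Constructed sample shaped like getpeercert() output after a verified handshake.
SAMPLE_CERT = {"subject": ((("organizationName", "Example Corp"),),
                           (("commonName", "reporting-client"),))}
```

Matching on commonName is only as strong as the CA's issuance policy; binding a role to a specific certificate (for example by fingerprint) is closer to slide 27's "add valid certificates to the role".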
