Internet Security 2007

Presentation Transcript


  1. Internet Security 2007: Web services
  Johan Lukkien, using slides from Benne de Weger
  Johan J. Lukkien, j.j.lukkien@tue.nl, TU/e Informatica, System Architecture and Networking

  2. Agenda
  • Outline of web services
  • The role of XML and XML-based protocols
  • Web services particular problems
  • Security aspects and approaches

  3. Service Oriented Computing
  • Separation into services and applications
    • services do not know their operating context
  • Avoid dependence on language / OS / Instruction Set Architecture
    • dynamic binding, through the network
  • Build applications from existing functionality through dynamic composition
    • orchestration: build application from services
    • choreography: application as a service graph
  • keywords: interoperability, P2P, (paid) subscriptions, web services, business processes

  4. Web services
  • In principle: any service provided through the http protocol on port 80
    • through CGI or server-side processing
  • Currently, the W3C definition is more appropriate
    • "A Web service is a software system designed to support interoperable machine-to-machine interaction over a network. It has an interface described in a machine-processable format (specifically WSDL). Other systems interact with the Web service in a manner prescribed by its description using SOAP messages, typically conveyed using HTTP with an XML serialization in conjunction with other Web-related standards."
    • from http://www.w3.org/TR/ws-arch/#whatis
  • Includes integration of services into layers
  • Drivers:
    • passing the firewall
      • .... just think how strange that is
    • the need to integrate disparate applications, to re-use existing ones, even beyond business boundaries

  5. Outline of interaction
  (diagram) A UDDI Directory sits between Service Provider and Service Requestor: the provider publishes and describes its service in the directory (UDDI Publish & describe); the requestor looks it up there (UDDI Find); requestor and provider then bind and execute over the SOAP protocol, carried by a transport (http or ...). From: Mark Greenwood, University of Manchester.

  6. Web services
  • Publish – find – bind – execute sequence
  • Publication
    • UDDI – Universal Description, Discovery & Integration
    • ‘DNS for services’
    • description: WSDL
  • Execution
    • exchange of SOAP messages
    • Simple Object Access Protocol
    • XML encoded Remote Procedure Calls

  7. Web services integration
  (figure slide; no text)

  8. Popular examples
  • Weather forecast service
  • Time service
  • Real-time stock quote service
  • Airline fare
  • Transaction based services
    • Not (yet) the strength of W3C web services
    • Credit card payments, Airline reservation

  9. Agenda
  • Outline of web services
  • The role of XML and XML-based protocols
  • Web services particular problems
  • Security aspects and approaches

  10. Vision of W3C, and standards
  (figure slide; no text)

  11. XML, personal perspective
  • XML is a document (message) format containing both record structure and content
    • record structure: tree-like elements
  • XML standardizes on
    • the way of denoting elements and contents
    • the way of defining element types (schemas, document type definitions)
    • the introduction of namespaces for elements
    • the description of visual appearance (stylesheets, XSL)
    • some minor reserved symbol sequences and orderings
  • XML can be used for describing information at various abstraction levels
    • the document describing namespaces is again in XML, as is the document describing field types
  • An XML document can contain passive data as well as the complete information of how to process it
    • e.g. a remote procedure call, an HTML page, a database record

  12. XML and its family
  • SGML – Standard Generalized Markup Language
    • how to specify a document language
  • HTML – HyperText Markup Language
    • describes the particular syntax and appearance of a web document
  • XML – eXtensible Markup Language
    • describes the structure of a document
    • structure is user-extensible
    • XML is the new standard in application-level communications
  • XHTML – eXtensible HyperText Markup Language
    • XML-version of HTML (XML for browsers)
    • in fact XML + stylesheet
  (figure: family tree of SGML, HTML, XML and XHTML)

  13. Issues in web services
  • Authentication and access control
    • the usual tradeoff: trust a carrier or put in your own security
    • as in email: there is a clear notion of ‘message’ that may exist much longer
    • note that messages are in fact ‘active’ content
      • protect content
      • authenticate the active part, the transaction
      • non-repudiation of the transaction
  • The machine-to-machine communication
    • must obey security policies without user intervention
  • The wish for single sign-on
    • introduce an ‘authentication’ service, hiding repeated authentications
    • increased opportunity by the ‘complete’ nature of XML documents
  • Multi-author XML documents
    • protect just parts, and just the data [e.g. extending a legal file, a pit]
  • Communication (XML-based) about authentication, trust
    • e.g. as part of the single sign-on

  14. Web Services Security
  • World Wide Web Consortium
    • www.w3.org
  • OASIS: Organization for the Advancement of Structured Information Standards
    • www.oasis-open.org
  • WS-Security
    • initiative from IBM, Microsoft, VeriSign
    • since 2004 adopted by OASIS, called WSS
  • Security approaches
    • SOAP Security Extensions
    • XML Security
    • WS-Security

  15. SOAP security extensions
  • Basic and digest authentication
    • basic: supply credentials, typically once
    • digest: use MD5 sum for each message
  • Included in special headers not handled by the SOAP engine itself
    • requires handling by client / server transport agents
  • Considered weakly secure
    • offline attacks

  16. XML security
  • Sign (parts of) XML documents
    • problem of canonicalization
  • Encrypt (parts of) XML documents
  • Combine these

  17. XML documents
  • Serial representation of fairly arbitrary objects
    • although in principle not unique
    • security calls for a canonical form
      • signing does not allow modification of white space, character encoding or hyphenation
      • namespaces introduce context dependence in case of embedding
    • (a reference to) the canonicalization algorithm is part of the document
  • A document may consist of several parts by separate authors
    • must sign parts to authors
    • must sign the combination
    • don’t protect just the transport (persistent signatures)

  18. Canonicalization and Signatures
  (diagram) The application generating an XML document serializes it and sends it over the Internet, where allowed XML changes may occur in transit; the receiving application parses it. Both sides canonicalize: the sender computes the signature over its canonical form (signature generation), the receiver canonicalizes the parsed document and checks the signature against it (signature verification). The outcome is valid or invalid depending on bitwise equality of the two canonical forms.
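An added example, not from the lecture, of the point in slides 17 and 18: the Python standard library's C14N 2.0 implementation is applied to constructed serializations of one document. The raw bytes give different digests, the canonical forms give the same one, and whitespace inside elements is content that canonicalization keeps, so it must not be changed once a document is signed. The sample documents, function names and the choice of SHA-256 are the example's own; XML-DSig deployments usually name C14N 1.0/1.1 or Exclusive C14N, which apply the same idea.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample: three serializations of one logical document that differ
# only in what XML lets vary (attribute order, quote style, the empty-element
# short form, and the character encoding used for transfer).
EQUIVALENT = [
    '<order   id="42" customer="Zoë"><item sku="X1"/></order>',
    "<order customer='Zoë' id=\"42\"><item sku='X1'></item></order>",
    ('<?xml version="1.0" encoding="ISO-8859-1"?>'
     '<order customer="Zoë" id="42"><item sku="X1"/></order>').encode("iso-8859-1"),
]
# Whitespace between elements is content: C14N keeps it, so this one is NOT equivalent.
REINDENTED = '<order customer="Zoë" id="42">\n  <item sku="X1"/>\n</order>'


def canonical_form(doc) -> str:
    """C14N 2.0 as shipped with the standard library (Python 3.8+).

    Accepts str or bytes; bytes are decoded per their XML declaration, which is
    how the encoding difference disappears. Attributes come out sorted, quotes
    normalized, empty elements written as start/end pair, declaration dropped.
    """
    return ET.canonicalize(doc)


def digest_hex(data) -> str:
    """SHA-256 over the bytes actually present (str is taken as UTF-8)."""
    if isinstance(data, str):
        data = data.encode("utf-8")
    return hashlib.sha256(data).hexdigest()


def raw_digests(docs):
    """Digests of the serializations as received: what signing without
    canonicalization would commit to."""
    return [digest_hex(d) for d in docs]


def canonical_digests(docs):
    """Digests of the canonical forms: what an XML Signature commits to."""
    return [digest_hex(canonical_form(d)) for d in docs]


if __name__ == "__main__":
    print("distinct raw digests      :", len(set(raw_digests(EQUIVALENT))))
    print("distinct canonical digests:", len(set(canonical_digests(EQUIVALENT))))
    print("canonical form            :", canonical_form(EQUIVALENT[2]))
    print("re-indented doc matches   :",
          canonical_form(REINDENTED) == canonical_form(EQUIVALENT[0]))
```

The re-indented variant is the practical caveat: an intermediary that pretty-prints a signed message breaks the signature even though the data did not change, which is why the lecture lists whitespace among the things a signer must leave alone.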

  19. Canonicalization and Encryption
  • importance of canonicalization for encryption:
    • character encoding
    • padding (multiple of 8 bits)
    • namespace problems (include or exclude)
  (diagram) The application generating an XML document canonicalizes it and encrypts the result; the cipher text travels over the Internet; the receiving application decrypts the cipher text and obtains the document.

  20. XML Digital Signatures
  • Signature object itself appears in XML format
    • as opposed to e.g. PKCS#7 which requires ASN.1
      • PKCS#7: Public Key Cryptography Standards #7 = Cryptographic Message Syntax standard
      • ASN.1: Abstract Syntax Notation
  • Three types
    • enveloping: signature contains signed data
      • signed object is child of signature
    • enveloped: signed data contains signature
      • signature is child of signed object
      • need to rule out signature from digest computation
    • detached: signature separated from signed data, signature contains reference to signed data
      • in same document: signature is sibling of signed object
      • in external document – reference included

  21. Fields pertaining to signature
  • SignedInfo
    • CanonicalizationMethod – algorithm
    • SignatureMethod – used algorithm
    • Reference URI
      • internal or external reference to signed part
      • “” denotes entire document
      • Transform – transformation to be applied before digest
      • DigestMethod – algorithm
      • DigestValue
  • SignatureValue
  • KeyInfo
  • Object Id

  22. Enveloping Signature Example

  <Document>
    <someunsigneddata> ... </someunsigneddata>
    <Signature>
      <SignedInfo>
        ...
        <Reference URI="#tbs1">
          ...
          <DigestValue> Szbv70 ... jV1fk= </DigestValue>
        </Reference>
      </SignedInfo>
      <SignatureValue> yFw+Pr ... soPDw= </SignatureValue>
      <KeyInfo>
        <X509Data>
          <X509Certificate> zPrj46 ... hH6Qj= </X509Certificate>
        </X509Data>
      </KeyInfo>
      <Object Id="tbs1">
        <somesigneddata> ... </somesigneddata>
      </Object>
    </Signature>
  </Document>

  23. Enveloped Signature Example

  <Document>
    <somesigneddata> ... </somesigneddata>
    <moresigneddata> ... </moresigneddata>
    <Signature>
      <SignedInfo>
        ...
        <Reference URI="">
          <Transforms> ... </Transforms>
          ...
          <DigestValue> Szbv70 ... jV1fk= </DigestValue>
        </Reference>
      </SignedInfo>
      <SignatureValue> yFw+Pr ... soPDw= </SignatureValue>
      <KeyInfo>
        <X509Data>
          <X509Certificate> zPrj46 ... hH6Qj= </X509Certificate>
        </X509Data>
      </KeyInfo>
    </Signature>
  </Document>
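An added example that is not part of the lecture: an enveloped XML Signature built and verified with the Python standard library, following the field layout of slide 21 and the enveloped example above, including the transform that rules the signature out of the digest computation. The algorithm URIs are the real XML-DSig identifiers (C14N 2.0, the enveloped-signature transform, SHA-256 and HMAC-SHA256 from xmldsig-more); HMAC stands in for the slide's X.509/RSA key because the standard library has no RSA, and the sample document, key and key name are constructed.

```python
import base64
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("ds", DS)
# Real XML-DSig algorithm identifiers.
C14N_URI = "http://www.w3.org/2010/10/xml-c14n2"
ENVELOPED_URI = DS + "enveloped-signature"
SHA256_URI = "http://www.w3.org/2001/04/xmlenc#sha256"
HMAC_SHA256_URI = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"

# Constructed sample document and shared key (HMAC instead of the slide's RSA key).
DOCUMENT = "<Document><somesigneddata>pay 100 to bob</somesigneddata></Document>"
KEY = b"demo-shared-secret"


def canonical_bytes(element) -> bytes:
    return ET.canonicalize(ET.tostring(element, encoding="unicode")).encode("utf-8")


def b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def enveloped_transform(root):
    """Enveloped-signature transform: the document as it looks with every
    ds:Signature removed, so the digest never covers the signature itself."""
    view = copy.deepcopy(root)
    for parent in list(view.iter()):
        for sig in parent.findall(f"{{{DS}}}Signature"):
            parent.remove(sig)
    return view


def document_digest(root) -> bytes:
    return hashlib.sha256(canonical_bytes(enveloped_transform(root))).digest()


def sign(root, key: bytes):
    """Append an enveloped ds:Signature to root; Reference URI="" means the whole document."""
    sig = ET.SubElement(root, f"{{{DS}}}Signature")
    si = ET.SubElement(sig, f"{{{DS}}}SignedInfo")
    ET.SubElement(si, f"{{{DS}}}CanonicalizationMethod", Algorithm=C14N_URI)
    ET.SubElement(si, f"{{{DS}}}SignatureMethod", Algorithm=HMAC_SHA256_URI)
    ref = ET.SubElement(si, f"{{{DS}}}Reference", URI="")
    transforms = ET.SubElement(ref, f"{{{DS}}}Transforms")
    ET.SubElement(transforms, f"{{{DS}}}Transform", Algorithm=ENVELOPED_URI)
    ET.SubElement(ref, f"{{{DS}}}DigestMethod", Algorithm=SHA256_URI)
    ET.SubElement(ref, f"{{{DS}}}DigestValue").text = b64(document_digest(root))
    # SignatureValue covers the canonical SignedInfo (which holds the digest), not the data directly.
    mac = hmac.new(key, canonical_bytes(si), hashlib.sha256).digest()
    ET.SubElement(sig, f"{{{DS}}}SignatureValue").text = b64(mac)
    key_info = ET.SubElement(sig, f"{{{DS}}}KeyInfo")
    ET.SubElement(key_info, f"{{{DS}}}KeyName").text = "demo-key"
    return root


def verify(root, key: bytes) -> bool:
    sig = root.find(f"{{{DS}}}Signature")
    if sig is None:
        return False
    si = sig.find(f"{{{DS}}}SignedInfo")
    # Step 1, reference validation: recompute the digest of the signature-free document.
    stored_digest = si.findtext(f"{{{DS}}}Reference/{{{DS}}}DigestValue", "")
    if not hmac.compare_digest(stored_digest, b64(document_digest(root))):
        return False
    # Step 2, signature validation: recompute the MAC over canonical SignedInfo.
    expected = hmac.new(key, canonical_bytes(si), hashlib.sha256).digest()
    stored_sig = base64.b64decode(sig.findtext(f"{{{DS}}}SignatureValue", ""))
    return hmac.compare_digest(expected, stored_sig)


def demo():
    """Returns (genuine verifies, tampered verifies, wrong key verifies)."""
    signed_xml = ET.tostring(sign(ET.fromstring(DOCUMENT), KEY), encoding="unicode")
    genuine = verify(ET.fromstring(signed_xml), KEY)
    tampered = verify(ET.fromstring(signed_xml.replace("pay 100", "pay 900")), KEY)
    wrong_key = verify(ET.fromstring(signed_xml), b"some-other-key")
    return genuine, tampered, wrong_key


if __name__ == "__main__":
    print(demo())  # expected: (True, False, False)
```

Verification is deliberately two steps, as in the specification: a verifier that only checks SignatureValue over SignedInfo has confirmed nothing about the data until it has also recomputed every Reference digest through the listed transforms.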

  24. XML Signature Application Examples
  • P3P – Platform for Privacy Preferences
    • standardized syntax for web site privacy policy
    • in XML
    • uses XML signatures to sign policies
  • SOAP
    • SOAP messages may include XML Signatures

  25. XML Encryption
  • Encryption of (part of) XML documents
  • Ciphertext object itself appears in XML format
    • as opposed to e.g. PKCS#7 which requires ASN.1
  • Two types
    • enveloping: XML document contains ciphertext
    • detached: ciphertext separated from XML document, XML document contains reference to ciphertext
  • Multiple encryption

  26. Plaintext Example

  <Document>
    <publicdata> ... </publicdata>
    <confidentialdata> ... </confidentialdata>   <!-- element to be encrypted with symmetric method (AES) -->
    <mixeddata>
      <nameandaddress> ... </nameandaddress>
      <creditcardnumber> ... </creditcardnumber> <!-- contents to be encrypted with asymmetric method (RSA) -->
    </mixeddata>
  </Document>

  27-29. Ciphertext Example (slides 27 to 29 combined)

  <Document xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
            xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <publicdata> ... </publicdata>
    <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
      <ds:KeyInfo>
        <ds:KeyName> mykey </ds:KeyName>
      </ds:KeyInfo>
      <xenc:CipherData>
        <xenc:CipherValue> ... </xenc:CipherValue>
      </xenc:CipherData>
    </xenc:EncryptedData>
    <mixeddata>
      <nameandaddress> ... </nameandaddress>
      <creditcardnumber>
        <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Content">
          <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
          <ds:KeyInfo>
            <ds:RetrievalMethod URI="#tempkey" Type="http://www.w3.org/2001/04/xmlenc#EncryptedKey"/>
          </ds:KeyInfo>
          <xenc:CipherData>
            <xenc:CipherValue> ... </xenc:CipherValue>
          </xenc:CipherData>
        </xenc:EncryptedData>
      </creditcardnumber>
    </mixeddata>
    <xenc:EncryptedKey Id="tempkey">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
      <ds:KeyInfo>
        <ds:KeyName> John Doe </ds:KeyName>
      </ds:KeyInfo>
      <xenc:CipherData>
        <xenc:CipherValue> ... </xenc:CipherValue>
      </xenc:CipherData>
    </xenc:EncryptedKey>
  </Document>
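An added example, not from the lecture, of the structural point in the ciphertext example: with Type="...#Element" the whole element is replaced and its tag name disappears, with Type="...#Content" the tag stays visible and only its text and children are replaced. The decryptor has to honour that attribute to put the plaintext back in the right place. Assumptions of the example: an HMAC-SHA256 keystream, labelled in the code, stands in for aes128-cbc because the standard library has no AES; the key is looked up by ds:KeyName instead of the slide's RetrievalMethod/EncryptedKey indirection; the document and key table are constructed.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"
DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("xenc", XENC)
ET.register_namespace("ds", DS)

# Constructed plaintext, shaped like the slide's example, and a constructed key table.
PLAINTEXT = (
    "<Document><publicdata>catalogue</publicdata>"
    "<confidentialdata>salary 5000</confidentialdata>"
    "<mixeddata><nameandaddress>Alice, 1 Main St</nameandaddress>"
    "<creditcardnumber>4111 1111 1111 1111</creditcardnumber></mixeddata></Document>"
)
KEYS = {"mykey": b"demo-symmetric-key"}  # ds:KeyName -> key


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for the slide's aes128-cbc: an HMAC-SHA256 counter keystream XORed
    over the data. The same call encrypts and decrypts. No IV (so deterministic)
    and no integrity, which is one reason encryption is paired with an XML Signature."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def encrypted_data(plain: str, key_name: str, enc_type: str):
    """Build an xenc:EncryptedData element; enc_type is "Element" or "Content"."""
    enc = ET.Element(f"{{{XENC}}}EncryptedData", Type=XENC + enc_type)
    ET.SubElement(enc, f"{{{XENC}}}EncryptionMethod", Algorithm=XENC + "aes128-cbc")
    key_info = ET.SubElement(enc, f"{{{DS}}}KeyInfo")
    ET.SubElement(key_info, f"{{{DS}}}KeyName").text = key_name
    cipher_data = ET.SubElement(enc, f"{{{XENC}}}CipherData")
    ciphertext = keystream_xor(KEYS[key_name], plain.encode("utf-8"))
    ET.SubElement(cipher_data, f"{{{XENC}}}CipherValue").text = base64.b64encode(ciphertext).decode()
    return enc


def encrypt_element(parent, child, key_name: str):
    """Type=#Element: the whole element, its tag name included, is hidden."""
    index = list(parent).index(child)
    parent.remove(child)
    parent.insert(index, encrypted_data(ET.tostring(child, encoding="unicode"), key_name, "Element"))


def encrypt_content(element, key_name: str):
    """Type=#Content: the tag stays visible; only its text and children are hidden."""
    content = (element.text or "") + "".join(ET.tostring(c, encoding="unicode") for c in element)
    element.text = None
    for child in list(element):
        element.remove(child)
    element.append(encrypted_data(content, key_name, "Content"))


def decrypt_all(root):
    """Replace every EncryptedData by its plaintext, honouring the Type attribute."""
    parents = {child: parent for parent in root.iter() for child in parent}
    for enc in list(root.iter(f"{{{XENC}}}EncryptedData")):
        key = KEYS[enc.findtext(f"{{{DS}}}KeyInfo/{{{DS}}}KeyName")]
        ciphertext = base64.b64decode(enc.findtext(f"{{{XENC}}}CipherData/{{{XENC}}}CipherValue"))
        plain = keystream_xor(key, ciphertext).decode("utf-8")
        parent = parents[enc]
        index = list(parent).index(enc)
        parent.remove(enc)
        if enc.get("Type") == XENC + "Element":
            parent.insert(index, ET.fromstring(plain))
        else:  # Content: restore text and child elements inside the still-visible tag
            fragment = ET.fromstring(f"<wrapper>{plain}</wrapper>")
            parent.text = fragment.text
            parent.extend(list(fragment))
    return root


def demo():
    """Returns (ciphertext document, document recovered by decrypting it)."""
    root = ET.fromstring(PLAINTEXT)
    encrypt_element(root, root.find("confidentialdata"), "mykey")
    encrypt_content(root.find("mixeddata/creditcardnumber"), "mykey")
    ciphertext_xml = ET.tostring(root, encoding="unicode")
    recovered_xml = ET.tostring(decrypt_all(ET.fromstring(ciphertext_xml)), encoding="unicode")
    return ciphertext_xml, recovered_xml


if __name__ == "__main__":
    ciphertext_xml, recovered_xml = demo()
    print(ciphertext_xml)
    print("round trip ok:", recovered_xml == PLAINTEXT)
```

In the ciphertext document the name confidentialdata is gone while creditcardnumber is still readable: Element encryption hides that the field exists, Content encryption only hides its value, which is the choice the plaintext example annotates.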

  30. XML Signatures and Encryption
  • Combine XML Signatures and XML Encryption
  • Possibilities in order of operation:
    • sign plaintext, then encrypt plaintext + signature
      • preferred in most situations (“sign what you see”)
    • sign plaintext, then encrypt only plaintext
    • encrypt plaintext, then sign ciphertext
  • Possibilities in enveloping:
    • all possible choices for enveloping, enveloped, detached

  31. Agenda
  • Outline of web services
  • The role of XML and XML-based protocols
  • Web services particular problems
  • Security aspects and approaches

  32. XML-signature related standards
  • Web services (Service Specification) for
    • key management
    • registration & lookup
    • processing trust assertions
    • PKI-based
  • Markup languages (ML) for
    • authorization / access control
    • key tracking
    • trust credential tracking

  33. XKMS – XML Key Management
  • XKMS = XKISS + XKRSS
    • XKISS: XML Key Information Service Specification
    • XKRSS: XML Key Registration Service Specification
  • Service for key search and validation
  (diagram) Alice registers her public key PubAlice with the XKMS Trust Service (registration); Bob sends an information request to the service and receives an information response with PubAlice.

  34. XKRSS
  • XML Key Registration Service Specification
  • Registration Service: registers public (and private) key
    • includes owner and usage information
    • user generated or server generated keys
    • proof of possession required
  • Reissuing Service: reissues public key / certificate
  • Revocation Service: revokes public key / certificate
  • Recovery Service: recovers private key

  35. XKISS
  • XML Key Information Service Specification
  • uses SOAP for communications
  • Locate Service: locate and retrieve public key via URL
  • Validate Service: locate + trust assertion
  • all messages should be signed
    • and maybe even encrypted

  36. SAML
  • Security Assertion Markup Language
  • transporting authentication and authorization credentials
  • useful for Single Sign-On
  • enables third party security services
    • authentication and authorization service
  • SAML components
    • assertions
      • authentication assertions
      • attribute assertions
      • authorization decision assertions
    • request and response protocols
    • bindings and profiles
      • how to use SAML messages in SOAP

  37. XACML
  • eXtensible Access Control Markup Language
  • description of Access Control elements
    • roles database contains relations between entities: Principals, Groups, Roles, Permissions
  • XACML combines entities into “authorization attributes”
  • XACML authorization attributes → SAML authorization assertions

  38. WS-Security
  • gluing the parts together
  • mechanisms to include digital signatures, message digests and encryption in a SOAP message
  • started by IBM, Microsoft and VeriSign; since then adopted by OASIS
  • goals
    • multiple security tokens
    • multiple trust domains
    • multiple encryption technologies
    • end to end message-level security