
Web Services Security


Different Standards &
Features - Comparison
Vishnu Paturi
G00508233
Contribution
Detailed study of different standards
Feature listing
Application domain
Comparison
Study the upcoming standards of future
Make readers aware, where to use what.
Web services - What & Why?
It's a middleware used for application and cross-platform integration (any software, any vendor).
Uses SOAP (Service Oriented Architecture Protocol).
Based on XML; defines data and the interpretation of data.
Can integrate different technologies to communicate seamlessly without vendor dependency.
Used commonly in B2B interactions, e.g. Deal2buy.com, cheapair.com, amazon.com etc.
Saves IT infrastructure cost and time between partners, suppliers and customers.
Uses standard HTTP, firewall safe.
Why to secure web services?
B2B communication involves sensitive information and should be protected from sniffing and theft.
Some services should be available only to certain classes of customers/partners.
To avoid various attacks (e.g. message integrity violations, replay attacks); mainly should provide non-repudiation and avoid leeching.
Although it uses the Internet, the information is not intended for public users (internal data).
SSL and web services security
SSL is point-to-point security, but we require end-to-end security in web services.
SSL is transport-layer encryption; we require message-level encryption.
SSL cannot provide non-repudiation.
SSL cannot encrypt just a particular element in a SOAP message.
Proposed Solutions
XML digital signatures.
XML encryption.
XKMS (XML Key Management Specification)
SAML (Security Assertion Markup Language)
WS-Security (Web Services Security)
ebXML Message Service

XML digital signatures

Provides authentication, integrity and non-repudiation.
Uses public key cryptography.
Allows individual elements to be signed in a message; cosigned, witnessed, notarized or even cascaded signing (X.509 certificate attached).
Allows signing remote objects and binary data too (a URI should be present for the object).
Canonicalizes XML documents so that documents with the same syntactic and semantic meaning produce the same signature.
Source: http://www.xml.com/pub/a/2001/08/08/xmldsig.html
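The canonicalization point above is the one that trips people up in practice, so here is an added example (not from the slides, and not any library's XML-DSig implementation) showing why the digest is taken over the canonical form. It uses only the Python standard library: xml.etree.ElementTree.canonicalize (Canonical XML 2.0; XML-DSig itself uses C14N 1.0 or Exclusive C14N, same idea), and an HMAC-SHA256 stands in for the RSA/X.509 signature that a real <SignatureValue> would carry, since the standard library has no RSA. The two purchase orders, the tampered copy and the key are constructed for the example.

```python
"""Why XML-DSig canonicalizes before hashing (added example, stdlib only)."""
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed: the same order as serialized by two different toolkits.
# Attribute order, quote style, whitespace inside tags and the empty-element
# form differ; the information content does not.
ORDER_A = (b'<PurchaseOrder xmlns="urn:example:po" version="1" id="PO-1">'
           b'<Order><Item>book</Item><Quantity>12</Quantity></Order>'
           b'<Note/></PurchaseOrder>')
ORDER_B = (b"<PurchaseOrder id='PO-1'   version='1'  xmlns='urn:example:po' >"
           b"<Order><Item>book</Item><Quantity>12</Quantity></Order>"
           b"<Note></Note></PurchaseOrder>")
# Constructed: one digit changed in transit.
ORDER_TAMPERED = ORDER_A.replace(b"<Quantity>12<", b"<Quantity>13<")

# Constructed demo key; a real XML-DSig would use an RSA private key instead.
DEMO_KEY = b"constructed-demo-key-not-for-real-use"


def canonical(xml: bytes) -> bytes:
    """Canonical XML form: sorted attributes, double quotes, <Note></Note>, ..."""
    return ET.canonicalize(xml_data=xml).encode("utf-8")


def raw_digest(xml: bytes) -> str:
    """Hashing the bytes as sent: equivalent documents hash differently."""
    return hashlib.sha256(xml).hexdigest()


def digest(xml: bytes) -> str:
    """The <DigestValue> approach: hash the canonical form instead."""
    return hashlib.sha256(canonical(xml)).hexdigest()


def sign(xml: bytes, key: bytes) -> str:
    """HMAC over the canonical form, standing in for the RSA signature."""
    return hmac.new(key, canonical(xml), hashlib.sha256).hexdigest()


def verify(xml: bytes, key: bytes, signature: str) -> bool:
    """Re-canonicalize what was received and compare in constant time."""
    return hmac.compare_digest(sign(xml, key), signature)


if __name__ == "__main__":
    print("raw digests equal?      ", raw_digest(ORDER_A) == raw_digest(ORDER_B))
    print("canonical digests equal?", digest(ORDER_A) == digest(ORDER_B))
    sig = sign(ORDER_A, DEMO_KEY)
    print("B verifies with A's sig?", verify(ORDER_B, DEMO_KEY, sig))
    print("tampered verifies?      ", verify(ORDER_TAMPERED, DEMO_KEY, sig))
```

Without the canonicalization step, a signature made by one partner's toolkit would fail at any partner whose XML parser re-serializes attributes in a different order, which is exactly the cross-vendor situation web services are meant for; with it, only a change in content (the tampered quantity) breaks verification.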
XML Encryption
Encrypts only the private information in a message (e.g. credit card number, SSN).
Can use both secret-key and public-key cryptography.
Contains the cipher data, its author (key author) and the algorithm used.
The encryption key is exchanged by ciphering it with the receiver's public key.
Key exchange takes place using XML messages.
Problem with lack of trust in the source.
Example:
<PurchaseOrder>
  <Order>
    <Item>book</Item>
    <Id>123-958-74598</Id>
    <Quantity>12</Quantity>
  </Order>
  <Payment>
    <CardId>123654-8988889-9996874</CardId>
    <CardName>visa</CardName>
    <ValidDate>12-10-2004</ValidDate>
  </Payment>
</PurchaseOrder>
Encrypted message:
<PurchaseOrder>
  <Order>
    <Item>book</Item>
    <Id>123-958-74598</Id>
    <Quantity>12</Quantity>
  </Order>
  <Payment>
    <CardId>
      <EncryptedData Type='http://www.w3.org/2001/04/xmlenc#Content'>
        <CipherData>
          <CipherValue>A23B45C564587</CipherValue>
        </CipherData>
      </EncryptedData>
    </CardId>
    <CardName>visa</CardName>
    <ValidDate>12-10-2004</ValidDate>
  </Payment>
</PurchaseOrder>
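The following is an added example, not from the slides and not any XML Encryption library, showing element-level encryption on the purchase order above: only the content of <CardId> is replaced by an EncryptedData/CipherData/CipherValue structure (Type=...#Content, as in the slide), the rest of the order stays readable, and a modified CipherValue is rejected on decryption. It uses only the Python standard library, so the cipher is a labelled stand-in (an HMAC-SHA256 keystream in counter mode plus an encrypt-then-MAC tag) for the AES algorithms real XML Encryption uses; the EncryptionMethod Algorithm URI, the demo key and the sample order are constructed, and the shared key is assumed to have been exchanged already (e.g. wrapped with the receiver's public key, as the slide describes).

```python
"""Element-level XML Encryption of <CardId> (added example, stdlib only)."""
import base64
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"
ET.register_namespace("xenc", XENC)
NONCE_LEN, TAG_LEN = 16, 32

# Constructed purchase order with the same fields as the slide's example.
PURCHASE_ORDER = b"""<PurchaseOrder>
  <Order><Item>book</Item><Id>123-958-74598</Id><Quantity>12</Quantity></Order>
  <Payment><CardId>123654-8988889-9996874</CardId><CardName>visa</CardName>
  <ValidDate>12-10-2004</ValidDate></Payment>
</PurchaseOrder>"""

# Constructed demo key; in practice this is the symmetric key that was
# wrapped with the receiver's public key during key exchange.
DEMO_KEY = bytes(range(32))


def _q(tag: str) -> str:
    """Clark-notation name in the xmlenc namespace."""
    return f"{{{XENC}}}{tag}"


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256: stand-in for AES-CTR."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"),
                               hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_content(xml: bytes, path: str, key: bytes) -> bytes:
    """Replace the text of the element at `path` with <EncryptedData Type=#Content>."""
    root = ET.fromstring(xml)
    el = root.find(path)
    if el is None:
        raise ValueError(f"no element at {path}")
    plaintext = (el.text or "").encode("utf-8")
    nonce = secrets.token_bytes(NONCE_LEN)
    body = nonce + _xor(plaintext, _keystream(key, nonce, len(plaintext)))
    tag = hmac.new(key, body, hashlib.sha256).digest()  # encrypt-then-MAC
    el.text = None
    enc = ET.SubElement(el, _q("EncryptedData"), Type=XENC + "Content")
    # Hypothetical algorithm identifier for the stand-in cipher.
    ET.SubElement(enc, _q("EncryptionMethod"), Algorithm="urn:example:hmac-ctr")
    cipher_data = ET.SubElement(enc, _q("CipherData"))
    ET.SubElement(cipher_data, _q("CipherValue")).text = \
        base64.b64encode(body + tag).decode("ascii")
    return ET.tostring(root)


def decrypt_content(xml: bytes, path: str, key: bytes) -> bytes:
    """Authenticate and decrypt the EncryptedData under `path`; restore the text."""
    root = ET.fromstring(xml)
    el = root.find(path)
    enc = el.find(_q("EncryptedData")) if el is not None else None
    if enc is None:
        raise ValueError(f"no EncryptedData under {path}")
    blob = base64.b64decode(enc.find(_q("CipherData") + "/" + _q("CipherValue")).text)
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
        raise ValueError("CipherValue failed authentication (modified, or wrong key)")
    nonce, ciphertext = body[:NONCE_LEN], body[NONCE_LEN:]
    el.text = _xor(ciphertext, _keystream(key, nonce, len(ciphertext))).decode("utf-8")
    el.remove(enc)
    return ET.tostring(root)


def element_text(xml: bytes, path: str):
    return ET.fromstring(xml).find(path).text


def corrupt_cipher_value(xml: bytes, path: str) -> bytes:
    """Flip one ciphertext byte, as an on-path modification would; for testing."""
    root = ET.fromstring(xml)
    cv = root.find(path).find("/".join([_q("EncryptedData"), _q("CipherData"), _q("CipherValue")]))
    blob = bytearray(base64.b64decode(cv.text))
    blob[NONCE_LEN] ^= 0x01
    cv.text = base64.b64encode(bytes(blob)).decode("ascii")
    return ET.tostring(root)


if __name__ == "__main__":
    sealed = encrypt_content(PURCHASE_ORDER, "Payment/CardId", DEMO_KEY)
    print(sealed.decode())  # <Item>, <Quantity>, <CardName> stay in the clear
    print(element_text(decrypt_content(sealed, "Payment/CardId", DEMO_KEY), "Payment/CardId"))
```

The authentication tag is what makes the "lack of trust in the source" problem visible: without it, a receiver would happily decrypt a CipherValue that anyone on the path had altered, which is why the slides pair XML Encryption with XML Signature or WS-Security rather than using it alone.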
XKMS (XML Key Management Specification)
Makes implementation of PKI possible.
Introduces XKMS servers which do the complex cryptography: locate keys, validate, revoke.
Everything is done using XML messaging.
Client and server share an XKMS service to validate each other.
No infrastructure needed on the client, just XML messaging capability.
Everything is done by the XKMS server.
Source: www.networkworld.com/news/tech/2003/0908techupdate.html
SAML (Security Assertions Markup Language)
Helps exchange authentication and authorization information among partners. (FD)
Doesn't really authenticate.
Assertions
Authentication assertion (user's identity)
Attribute assertion (user-specific info, e.g. credit card, SSN)
Authorization decision assertion (what the user can do)
Request/response protocol (presently SOAP over HTTP)
Bindings (how SAML messages are mapped onto SOAP over HTTP)
Profiles (how SAML should be transported in communication systems)
Source: http://www.javaworld.com/javaworld/jw-03-2003/jw-0321-wssecurity-p2.html
WS Security (Web Services Security)
Provides end-to-end message security.
Ensures confidentiality, integrity and non-repudiation (signs and encrypts messages).
Based on XML Signature and XML Encryption.
Supports multiple security models (certificate based, username/password based, SIM card based).
Supports PKI, Kerberos, X.509, SAML etc.
Complete protection from most of the attacks.
Very comprehensive, widely used today.
Does not by itself guarantee security.
WS-Security specification
WS-Policy defines the methods in which the capabilities and constraints of security policies can be expressed.
WS-Trust is a model for establishing both direct and brokered trust relationships.
WS-Privacy is a specification that addresses how privacy practices can be stated and implemented by web services.
WS-SecureConversation describes how message exchanges can be securely managed. It also deals with security context exchange and establishing and deriving session keys.
WS-Federation relates to managing and brokering trust relationships in a heterogeneous distributed environment. It also includes support for distributed computing.
Finally, WS-Authorization is a standard for authorization data and policy management for web services.
ebXML (E business XML)
Developed as an open standard in competition with Microsoft BizTalk.
Aims at enabling secure electronic business transactions.
Uses a central registry to store:
Business processes
Collaborative profile
Business service interface
Core library
Future partners query the registry to find suitable partners to work with.
Source: http://www-128.ibm.com/developerworks/xml/library/x-ebxml/
How does it all work?
In a typical e-commerce transaction:
A SAML assertion of the transaction is generated on the client side for the user.
The client digitally signs it and encrypts it.
Registers the public key used to sign and encrypt in the XKMS server (client and application server can validate each other using the XKMS server).
Transmits the purchase order document using WS-Security.
Where to use what?
Small application that needs trust for communication and transmits public data:
Use XML digital signatures (good performance; key distribution problem). Use XKMS if possible.
Need to transmit private or sensitive data:
Use XML Encryption.
Large distributed application that needs complete security and user authentication (real e-commerce application):
Use WS-Security.
Companies issuing certificates already use XKMS.
Future of Web services
Lots of emerging technologies.
Many standards proposed.
Business strategies play an important role.
Liberty Alliance project.
ebXML etc.
WS-Security has a good chance of survival.
Can be easily incorporated into future technologies.
Remember!! A web service is middleware.
What technology you use to secure it really matters, e.g. key length, algorithm etc.
References
http://www.webopedia.com/DidYouKnow/Computer_Science/2005/web_services.asp
http://java.sun.com/developer/technicalArticles/WebServices/security/
http://www.webservicesarchitect.com/content/articles/apshankar04.asp
http://www.rassoc.com/gregr/weblog/stories/2002/06/09/webServicesSecurity.html
http://www.xml.com/pub/a/2001/08/08/xmldsig.html
http://www.networkworld.com/news/tech/2003/0908techupdate.html
Thank You!!
Questions??