Web Services Security


MSc Information Systems 2002/03
School of Computing, University of Leeds, Leeds, LS2 9JT, UK
Supervisor: Mr. Bill Whyte

Table of Contents

Summary
Acknowledgments
1 Introduction
  1.1 Background
  1.2 The Problem
  1.3 Key Challenges
  1.4 Project Objectives and Minimum Requirements
    1.4.1 Overall objectives
    1.4.2 Minimum requirements
  1.5 Approaches and Schedule
    1.5.1 Approaches
    1.5.2 Schedule
  1.6 Structure of the Report
2 What are Web Services
3 Service-Oriented Architecture
  3.1 What is Service-oriented Architecture
  3.2 Service Oriented Architecture
    3.2.1 Service Consumer
    3.2.2 Service Provider
    3.2.3 Service Broker / Registry
  3.3 Enabling technologies
    3.3.1 XML
    3.3.2 WSDL
    3.3.3 UDDI
    3.3.4 SOAP
4 Web Services Application
  4.1 Benefits of Web Services
  4.2 Drawbacks
  4.3 Amazon Web Service Application
    4.3.1 Scenario
    4.3.2 Application Design and Implementation
5 Web Services Security
  5.1 Security Primer
    5.1.1 Authentication
    5.1.2 Authorization
    5.1.3 Integrity
    5.1.4 Confidentiality
    5.1.5 Non-repudiation
  5.2 XML Security
    5.2.1 XML Signature
    5.2.2 XML Encryption
    5.2.3 XML Key Management Specification
    5.2.4 Security Assertion Markup Language
    5.2.5 Extensible Access Control Markup Language
  5.3 Web Services Security (WS-Security)
6 SOAP Security
7 Evaluations
  7.1 Security Evaluation
    7.1.1 Spoofing identity
    7.1.2 Tampering with data
    7.1.3 Repudiation
    7.1.4 Information disclosure
    7.1.5 Denial of service
    7.1.6 Elevation of privilege
  7.2 Evaluation of Objectives
8 Conclusions and Future Work
  8.1 Conclusions
  8.2 Future Work
References
Appendix
  Appendix A: Project Experience
  Appendix B: Project Objectives and Deliverables Form
  Appendix C: Marking Scheme and Comments From the Assessor

Summary

Web services are changing how e-business is done on the Internet, but the lack of attention to security is holding back their adoption. This report studies the security specifications for Web services at two levels, transport and message. It first examines the concept of Web services and their service-oriented architecture, which defines the building blocks of a Web service. It then discusses security measures for Web services as a combination of different specifications and standards. A demonstrator system was built to show a Web services application in use. Finally, potential threats to Web services were evaluated using the STRIDE threat model, together with the appropriate measures for addressing each threat.

Acknowledgments

First, I would like to thank my family for their continuous support towards my study. Moreover, sincere thanks must go to my supervisor, Mr. Bill Whyte, who has guided, directed and assisted me in doing this dissertation. I have learned a lot from him, namely project management, evaluation methodology and the concept of security tokens. Last but not least, thanks to Ms. Emma Leung for proofreading my report.

1 Introduction

MSc Project: Web Service Security

1.1 Background

Web services are a hot topic. People in the IT industry discuss them every day, and they are expected to help companies cut costs and increase productivity and efficiency. Web services are platform independent: by deploying them, a company can offer services to customers, partners and suppliers with different needs whose systems run on different operating systems, such as VAX, Unix and Windows. Web services also let an organisation simplify its enterprise application integration. Data are exchanged as XML formatted messages transmitted over standard Web protocols such as HTTP, SMTP and FTP. Web services can be written in different programming languages, which increases interoperability between systems, and they shorten the development cycle because developers can keep using their familiar tools and libraries.

Web services are widely expected to be the next wave in the IT industry, and many people have been impressed by the impact they have had in the last few years. Most of the leading vendors, such as IBM, Microsoft, SAP and Sun, actively support the standards. Web services are becoming popular both in the IT industry and in the commercial world.

1.2 The Problem

Still, Web services are not widely deployed. Why are people reluctant to deploy them? The biggest concern is security. According to a survey by the market researcher Evans Data, 48% of the 400 IT executives interviewed were not confident about deploying Web services to the public because of the lack of security and authentication [1]. The lack of a security standard for Web services limits them to internal connectivity [2]. Many companies are exploring the power of Web services by deploying applications within the company. Figure 1 shows the adoption of Web services in the coming years as predicted by International Data Corporation (IDC): Web services are expected to reach their full potential from 2005, by providing automated services based on their architecture.

Figure 1. Web Services adoption time line [3].

1.3 Key Challenges

Web services are a relatively new technology that aims to provide easy-to-use programmatic interfaces for applications. Security was not a major issue when Web services were first developed [4]; it was assumed that existing Web security standards could address it, while simplicity, extensibility and interoperability were the priorities. As Web services have evolved, however, security has become the priority issue in their implementation. The domain of Web services security is broad and complex: different technologies and standards are needed to make it secure, and new initiatives and recommendations appear every day from different organisations to tackle problems in different areas.

Given the limited time for this project, a well-organised and feasible project plan is essential, as is an understanding of the fundamentals of Web services technologies. Though I have heard a lot about the advantages of the application of Web services, time is needed to learn the core technologies and understand their concepts. Building a simple Web service application would help me to understand the technologies thoroughly.

Moreover, to focus on Web services security and achieve a successful project, the scope of the study must be well defined. The study emphasises the message level, which is the core building block of Web services.

1.4 Project Objectives and Minimum Requirements

1.4.1 Overall objectives

The following objectives were set at the beginning of the project; the fourth was added following feedback from the MSc project committee in May:

1. To understand Web Services and their architecture
2. To evaluate a Web Services application applied to a business
3. To build a Web Services demonstrator
4. To understand Web Services security in depth

1.4.2 Minimum requirements

For the project to be successful, the following minimum requirements had to be met:

1. To understand Web Services and their architecture
2. To understand the basic principles of Web Services security
3. To build a Web Services demonstrator

1.5 Approaches and Schedule

1.5.1 Approaches

Firstly, the fundamentals of Web services are studied, covering the architecture and applications of Web services. Web services security is still emerging, and different vendors and organisations have proposed slightly different security models. My supervisor, Mr. Bill Whyte, suggested employing an appropriate model to evaluate the threats to Web services, which would help to cover the security issues more completely. Microsoft uses the STRIDE threat model to evaluate threats in secure coding. Having studied the STRIDE model and through discussions with Bill, I found that the STRIDE threat model is a good tool for identifying potential security threats in Web Services. It is used in this project to evaluate threats to SOAP.

To evaluate the security risks, generic security requirements are analysed first. Then XML security is examined, with the focus on securing the SOAP message, because SOAP is the core technology of Web services. To understand the practical application of Web services, a demonstrator is built using the Web services offered by Amazon.com. The application is based on JSP and was developed with Sun Microsystems' Sun ONE Studio.

1.5.2 Schedule

To ensure that the project ran smoothly, a project plan based on the milestones shown in the following schedule was created.

Figure 2. Project schedule.

1.6 Structure of the Report

1. Introduction: the background of Web services.
2. What are Web Services?: what Web Services are and their role in e-business.
3. Service-oriented Architecture: the general Web services architecture, the protocols used and the underlying technologies.
4. Web Services Applications: the application of Web Services in the real world.
5. Web Services Security: the fundamentals of security and the Web service security standards.
6. SOAP Security: the security implementation in SOAP.
7. Evaluation: evaluation of Web services security and of the project achievements.
8. Conclusions and future work: the conclusions of this project and suggested future work on the topic.

2 What are Web Services

Web services are still a very new technology, so there is no unified definition of them [5, 6, 7]. Essentially, Web services are middleware that enables different systems to exchange data over standard Internet protocols such as HTTP, SMTP and FTP. The data exchanged is carried in the Simple Object Access Protocol (SOAP) message framework, which is expressed in Extensible Markup Language (XML). In this report we adopt the W3C definition: "A Web service is a software system identified by a URI, whose public interfaces and bindings are defined and described using XML. Its definition can be discovered by other software systems. These systems may then interact with the Web service in a manner prescribed by its definition, using XML based messages conveyed by internet protocols." [8]

Web services are neither tied to a programming language nor dependent on a system platform. They are a set of standards that allow computer systems to exchange information as services over the Web, in contrast to traditional distributed programming models such as RPC, DCOM, CORBA and RMI. The Web-based model is loosely coupled [9]: Web applications do not have to be deployed all at once, and clients and servers can be added to the system as needed. The simplicity of Web-based systems offers a high degree of interoperability, scalability and manageability, so Web applications can be created incrementally. However, information exchanged over the conventional Web is not self-describing, which makes it difficult to integrate with other systems. XML, on the other hand, makes data exchange among different systems feasible and easy. XML is a self-describing meta-language: an XML file stores structured information as clear text, which is human readable and can be parsed and understood by different systems. This makes information exchange across platforms much more efficient.

Web services build on the loosely coupled Web programming model and use XML to offer business functions as services over the Internet infrastructure, which makes sharing information and developing systems much easier. With Web services, a business function can be built as a service and opened to users and partners, who glue it into their own applications, even though those applications may be built on different platforms and in different programming languages. Because Web services are platform independent, they reduce the problems of enterprise application integration between systems. Web services are expected to reduce the cost of system development and service deployment and to increase productivity and efficiency. Many companies are testing the technology in discrete functional areas, usually behind the corporate firewall.

3 Service-Oriented Architecture

3.1 What is Service-oriented Architecture

A service-oriented architecture is essentially a collection of services that communicate with each other. A service is a well-defined, self-contained function that does not depend on the context or state of other services, with a published interface that can be discovered and used dynamically over the network. Web services [10] provide a means to publish enterprise services and integrate applications over the standard Internet infrastructure. By employing a service-oriented architecture, an enterprise can extend its enterprise applications to its customers or clients. Web services are built on the XML standard, and all messages are exchanged in XML format, which gives the applications a language- and platform-independent environment.

3.2 Service Oriented Architecture

Service oriented means that the architecture is described and organised to support the dynamic, automated description, publication, discovery and use of Web Services [11]. The service provider defines the service rules, functions and interface description in a WSDL [12] file. UDDI [13] is used to publish the service description to a centralised registry, or service broker. The service consumer searches for services in the registry via UDDI. Once the service has been located, the service consumer binds to it and requests the service as described in the WSDL file; the service provider processes the request and returns the result to the service consumer. Both request and response are carried in SOAP [14] messages. Figure 3 shows the conceptual architecture of Web services.

Figure 3. The SOA conceptual architecture with SOAP, WSDL and UDDI [15]

3.2.1 Service Consumer

A service consumer is an application, service or entity that requests a service from the service provider. It looks up the service in the service broker or registry, binds to the service, and sends requests to the service provider according to the published Web services specification.

3.2.2 Service Provider

A service provider is a service endpoint that accepts and executes requests from service clients. It defines the service functions, requirements and interfaces, and publishes the service specification to the registry.

3.2.3 Service Broker / Registry

A service broker or registry is a public directory of all available services. Like the DNS system, it stores service descriptions from service providers and responds to queries from service consumers.

3.3 Enabling technologies

3.3.1 XML

Extensible Markup Language (XML) is a text-based markup language with customisable tags for describing the data in a document. XML is used strictly to describe the structure of data in a plain text format, and XML documents can be exchanged and processed on different platforms using different programming languages. XML is the core technology used in Web services.

3.3.2 WSDL

Web Service Description Language (WSDL) [16] is a language for describing Web services. It describes the abstract functionality of a service and provides a framework for describing what the service offers. WSDL describes the data types of the elements exchanged between service consumer and service provider, and the WSDL file also contains the operations and the service endpoint, that is, the location of the service. Essentially, WSDL tells you where the Web service is located, which operations it offers, how to request them and what information they return. Listing 1 shows a sample WSDL file.
<?xml version="1.0" encoding="utf-8"?>
<!-- namespace URIs in this listing did not survive transcription and are shown as "..." -->
<definitions name="TicketAgent" targetNamespace="..."
    xmlns="..." xmlns:tns="..." xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsd1="...">
  <import location="ticketagent.xsd" namespace="..."/>
  <message name="listFlightsRequest">
    <part name="depart" type="xs:dateTime"/>
    <part name="origin" type="xs:string"/>
    <part name="destination" type="xs:string"/>
  </message>
  <message name="listFlightsResponse">
    <part name="result" type="xsd1:ArrayOfString"/>
  </message>
  <message name="reserveFlightRequest">
    <part name="depart" type="xs:dateTime"/>
    <part name="origin" type="xs:string"/>
    <part name="destination" type="xs:string"/>
    <part name="flight" type="xs:string"/>
  </message>
  <message name="reserveFlightResponse">
    <part name="result" type="xs:string"/>
  </message>
  <interface name="TicketAgent">
    <operation name="listFlights" parameterOrder="depart origin destination">
      <input message="tns:listFlightsRequest" name="listFlightsRequest"/>
      <output message="tns:listFlightsResponse" name="listFlightsResponse"/>
    </operation>
    <operation name="reserveFlight" parameterOrder="depart origin destination flight">
      <input message="tns:reserveFlightRequest" name="reserveFlightRequest"/>
      <output message="tns:reserveFlightResponse" name="reserveFlightResponse"/>
    </operation>
  </interface>
</definitions>

Listing 1. Sample WSDL document [16]

3.3.3 UDDI

A Universal Description, Discovery, and Integration (UDDI) registry is a public registry of available Web services. It is like a white-pages business directory containing details of the Web services offered by business entities, and it can be used to look up the Web service interface for a desired service and discover its technical details. There are four public UDDI registries, hosted by Microsoft, IBM, SAP and NTT Com; like the domain name system (DNS), they replicate each other's records.

3.3.4 SOAP

Simple Object Access Protocol (SOAP) [17] is a lightweight protocol for exchanging structured and typed information in a decentralised, distributed environment using XML. A SOAP message defines the messaging between service consumer and service provider. A SOAP message, or SOAP envelope, is composed of two parts, the header and the body. The optional envelope header carries information that may be used by any party that processes the message on its way to the receiver (routing, transaction or security information, for example), while the application data is carried in the envelope body. Hence security information is best placed in the header. Listing 2 shows a SOAP message used in this project; the namespace declarations on the Envelope element and its encodingStyle attribute select the SOAP version and encoding rules in use. Because it is an XML document, a SOAP message can be carried by different transport protocols such as HTTP, SMTP and FTP. Because SOAP binds to standard Web protocols it is firewall friendly: SOAP messages are not filtered by traditional firewalls, since they pass through well-known Internet ports such as port 80. This gives SOAP a high degree of interoperability, but it also means the firewall does not inspect the message; that burden falls on the service itself.

<?xml version="1.0" encoding="utf-8"?>
<!-- the ns0 namespace URI did not survive transcription and is shown as "..." -->
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:enc="http://schemas.xmlsoap.org/soap/encoding/"
    xmlns:ns0="..."
    env:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
  <env:Body>
    <ns0:KeywordSearchRequest>
      <KeywordSearchRequest href="#id1"/>
    </ns0:KeywordSearchRequest>
    <ns0:KeywordRequest id="id1" xsi:type="ns0:KeywordRequest">
      <keyword xsi:type="xsd:string">Web Service Security</keyword>
      <page xsi:type="xsd:string">1</page>
      <mode xsi:type="xsd:string">books</mode>
      <tag xsi:type="xsd:string">affinebiz-20</tag>
      <type xsi:type="xsd:string">lite</type>
      <devtag xsi:type="xsd:string">d2yurp76b7vdk8</devtag>
      <sort xsi:type="xsd:string" xsi:nil="1"/>
      <variations xsi:type="xsd:string" xsi:nil="1"/>
      <locale xsi:type="xsd:string" xsi:nil="1"/>
    </ns0:KeywordRequest>
  </env:Body>
</env:Envelope>

Listing 2. Sample SOAP message [17].
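The WSDL tells a consumer which operations exist and what type each part has; the same information lets the receiving service check a SOAP request before acting on it, which matters because, as noted above, a conventional firewall passes the message through without inspecting it. The following Python code is an added example, not code from the dissertation or from the Amazon SDK: it reads a constructed WSDL modelled on Listing 1 (written in WSDL 1.1 form with a portType, under an assumed target namespace urn:example:ticketagent) and accepts or rejects constructed SOAP 1.1 requests against it.

```python
import re
import xml.etree.ElementTree as ET

# Standard WSDL 1.1, XML Schema and SOAP 1.1 namespaces; the ticket-agent target
# namespace is an assumption made for this constructed sample.
WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"
XSD_NS = "http://www.w3.org/2001/XMLSchema"
SOAP_ENV_NS = "http://schemas.xmlsoap.org/soap/envelope/"
TNS = "urn:example:ticketagent"

# Constructed WSDL, modelled on Listing 1 but in WSDL 1.1 form (portType, not interface).
WSDL_DOC = f"""<definitions name="TicketAgent" targetNamespace="{TNS}"
    xmlns="{WSDL_NS}" xmlns:tns="{TNS}" xmlns:xs="{XSD_NS}">
  <message name="listFlightsRequest">
    <part name="depart" type="xs:dateTime"/>
    <part name="origin" type="xs:string"/>
    <part name="destination" type="xs:string"/>
  </message>
  <message name="listFlightsResponse"><part name="result" type="xs:string"/></message>
  <message name="reserveFlightRequest">
    <part name="depart" type="xs:dateTime"/>
    <part name="origin" type="xs:string"/>
    <part name="destination" type="xs:string"/>
    <part name="flight" type="xs:string"/>
  </message>
  <message name="reserveFlightResponse"><part name="result" type="xs:string"/></message>
  <portType name="TicketAgent">
    <operation name="listFlights">
      <input message="tns:listFlightsRequest"/><output message="tns:listFlightsResponse"/>
    </operation>
    <operation name="reserveFlight">
      <input message="tns:reserveFlightRequest"/><output message="tns:reserveFlightResponse"/>
    </operation>
  </portType>
</definitions>"""

def local(qname):
    """Strip a 'prefix:' or '{uri}' qualifier, leaving the local name."""
    return qname.rsplit("}", 1)[-1].rsplit(":", 1)[-1]

def load_operations(wsdl_xml):
    """Map each operation name to {part name: xs type} taken from its input message."""
    root = ET.fromstring(wsdl_xml)
    messages = {m.get("name"): {p.get("name"): local(p.get("type"))
                                for p in m.findall(f"{{{WSDL_NS}}}part")}
                for m in root.findall(f"{{{WSDL_NS}}}message")}
    ops = {}
    for op in root.iter(f"{{{WSDL_NS}}}operation"):
        inp = op.find(f"{{{WSDL_NS}}}input")
        if inp is not None:
            ops[op.get("name")] = messages[local(inp.get("message"))]
    return ops

DATETIME_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?(Z|[+-]\d{2}:\d{2})?$")

def value_ok(xs_type, text):
    """Accept only the two simple types the sample WSDL uses; anything else is rejected."""
    if xs_type == "dateTime":
        return bool(DATETIME_RE.match(text or ""))
    if xs_type == "string":
        return text is not None
    return False

def check_request(soap_xml, ops, max_bytes=64 * 1024):
    """Return (accepted, reason) for an RPC-style SOAP 1.1 request checked against the WSDL."""
    if len(soap_xml.encode("utf-8")) > max_bytes:
        return False, "message too large"
    try:
        root = ET.fromstring(soap_xml)
    except ET.ParseError as exc:
        return False, f"malformed XML: {exc}"
    if root.tag != f"{{{SOAP_ENV_NS}}}Envelope":
        return False, "not a SOAP 1.1 envelope"
    body = root.find(f"{{{SOAP_ENV_NS}}}Body")
    if body is None or len(body) != 1:
        return False, "Body must contain exactly one operation element"
    call = body[0]
    name = local(call.tag)
    if name not in ops:
        return False, f"operation {name!r} is not in the WSDL"
    given = {local(c.tag): c for c in call}
    if set(given) != set(ops[name]):
        return False, f"parts {sorted(given)} do not match WSDL parts {sorted(ops[name])}"
    for part, xs_type in ops[name].items():
        # a part must be a simple value (no child elements) of the declared type
        if len(given[part]) or not value_ok(xs_type, given[part].text):
            return False, f"part {part!r} is not a valid xs:{xs_type}"
    return True, "ok"

def envelope(body_xml):
    """Wrap constructed request content in a SOAP 1.1 envelope."""
    return (f'<env:Envelope xmlns:env="{SOAP_ENV_NS}" xmlns:tns="{TNS}">'
            f'<env:Body>{body_xml}</env:Body></env:Envelope>')

# Constructed requests: one that matches the WSDL and three that a service should refuse.
SAMPLES = {
    "valid": envelope("<tns:listFlights><depart>2003-09-01T09:30:00Z</depart>"
                      "<origin>LBA</origin><destination>AMS</destination></tns:listFlights>"),
    "unknown_operation": envelope("<tns:cancelAllFlights/>"),
    "bad_datetime": envelope("<tns:listFlights><depart>tomorrow</depart>"
                             "<origin>LBA</origin><destination>AMS</destination></tns:listFlights>"),
    "extra_part": envelope("<tns:reserveFlight><depart>2003-09-01T09:30:00Z</depart>"
                           "<origin>LBA</origin><destination>AMS</destination>"
                           "<flight>BE1234</flight><seat>1A</seat></tns:reserveFlight>"),
}

def run_samples():
    """Return {sample name: accepted?} for the constructed requests."""
    ops = load_operations(WSDL_DOC)
    return {name: check_request(xml, ops)[0] for name, xml in SAMPLES.items()}

if __name__ == "__main__":
    for name, accepted in run_samples().items():
        print(f"{name:>18}: {'accept' if accepted else 'reject'}")
```

The check is deliberately an allow-list: an operation, part or type that the WSDL does not declare is refused rather than passed on, and the size limit is applied before the XML parser sees the message. A production service would add schema validation of the part types the WSDL imports from its XSD.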

4 Web Services Application

4.1 Benefits of Web Services

The ubiquity of computers and networks lets us do business much more efficiently: information can be processed, stored in a database and exchanged with clients or partners. Nevertheless, transactions have still had to stick to a specific platform or standard, for instance EDI, so applications could not be built flexibly for special needs or developed in different programming languages and on different platforms. In addition, such systems were usually unable to link to legacy systems such as mainframes, so new systems had to be developed, leading to a complicated internal infrastructure.

With the introduction of Web services, automated and programmatic services can run over the Internet infrastructure. The Web services model reduces operating and development costs and promotes module reuse in an open-platform, open-standard fashion. Services can be located and bound dynamically: an application can look up a particular service in the UDDI registry and bind to it on the fly, so sophisticated systems can be built in much less time and at lower cost. Developers can build systems from services published in the registry and glue them together instead of developing their own each time. Because the services are well defined and, in principle, rigorously tested, fewer errors occur during development, and the application is easier to maintain and upgrade than a traditional distributed system, thanks to the distributed nature of Web services.

Web services aim for ease of use. Developers who want to use a service do not need deep knowledge of SOAP and WSDL; tools and libraries from vendors, such as Microsoft's Visual Studio and Sun Microsystems' Sun ONE Studio, make development much easier. People in the Microsoft camp can develop applications in C# or ASP.NET, while people in the Java school can develop in Java; either way the applications connect to the same service and access the same functionality. A service provider can serve many partners or service consumers at once without negotiating system specifications with each of them, which could take many hours of work. Instead, the provider releases its system interface to the public as a WSDL file; service consumers then compose SOAP requests for the operations they require. Both SOAP request and response are transferred over HTTP, typically with the POST operation. Unlike in the traditional distributed system model, where applications must be developed on the same platform and in the same programming language, applications can now be created in different programming languages on different platforms.

4.2 Drawbacks

Web services have drawbacks too. A service may be unavailable because the link between service consumer and service provider is broken, or because the provider's system is overloaded; with dynamic binding this can affect many operators that rely on the service. To ensure a high-quality and successful service, quality of service (QoS) [18] agreements should be contracted between service providers, service consumers and network access providers. Web services are usually bound to well-known Internet protocols such as HTTP, and conventional firewalls do not block such traffic, which creates a possible loophole in corporate security. A SOAP message may also carry attachments, which could be executable; the receiving system could be attacked if such an executable is triggered.

4.3 Amazon Web Service Application

In this project, a simple online bookstore application was built using the Amazon Web Services developer kit (SDK), which can be downloaded from Amazon.com. The purpose of building this application was to test drive Web services and to understand how they work in real life. Given the scope of this project, the service was not discovered through a UDDI registry, nor were the SOAP messages constructed by hand: the WSDL file is provided in the SDK, which also contains technical documents and sample code for accessing the Amazon Web Service.

4.3.1 Scenario

The Internet offers unlimited scope for conducting online business, with the potential to reach millions of users worldwide. The author wants to build a simple e-commerce site for selling books. Because of financial constraints, the author wants to keep the investment as low as possible. Before setting up the online store, the author found the Web services offered by Amazon.com. Amazon.com offers Web services that let its subscribers, or affiliates, query the products in its database. Amazon.com is responsible for logistics and payment processing, so its associates need only build the Web site and promote the services. Start-ups thus benefit from reduced investment and risk.

4.3.2 Application Design and Implementation

A Java-based platform was chosen for the online store, and the system was generated as JSP pages. With the help of a Web services development tool, Sun ONE Studio in this project, a Web services application can be built relatively painlessly in a short time. The tool generates Java class files (an API) containing the operational functions for accessing the Web service, according to the specifications in the WSDL file. Developers can therefore call these functions without coding them, which saves the time spent on routine procedures. As in the system developed in this project, application developers can build their system on the generic functions generated by the tool and concentrate on the presentation and business focus of the system, bringing it to market faster.

For demonstration purposes, this simple bookstore lets its users search for book titles on Amazon.com. To keep the system simple and easy to use, it offers keyword search only. When a user submits a keyword, the system generates a SOAP message requesting the search results from the service provider. The service provider processes the request and returns the results in a SOAP message to the service consumer, that is, the bookstore Web site. The system then processes the returned results for display according to the Web site's specification. In these exchanges the SOAP message is bound to the HTTP transport protocol: the SOAP message is wrapped in HTTP and transferred over port 80, and so passes through firewalls freely. Figure 4 shows the transport interaction between the different parties in the system.

Figure 4. Web Service interaction.

End users enter their queries in the Web interface, and the query is transferred to the Web service consumer, the Ernest Bookstore. In this project a secure connection was established between the end user and the service consumer using SSL. The SSL certificate was generated with the Tomcat tool kit, so it is not a certificate a browser would trust in the real world; it does, however, demonstrate the secure link between a Web browser and a Web server. Note that this protects only the browser-to-bookstore hop: the SOAP request from the bookstore to Amazon.com, including the developer token seen in Listing 2, is posted over plain HTTP. Figure 5 shows the main page of the bookstore.

Figure 5. Ernest Bookstore using Amazon Web Service

On receiving a query from the Web browser, the service consumer produces a SOAP message requesting the query results and posts it to the service provider over HTTP. This process is similar to calling a function in conventional programming. The service provider validates the request according to the service specification and returns the results in a SOAP message over HTTP, a standard request and response exchange. On receiving the SOAP result message, the service consumer processes the message and formats the result for display. Figure 6 shows a sample formatted result returned from the service provider, Amazon.com.

Figure 6. Displaying keyword search results.

When the user clicks on a title link, the system repeats the request and formatting steps to retrieve detailed information on the selected book. Figure 7 shows the book details.

Figure 7. Displaying book information.

Web services are easy to use and to build, and they provide a powerful interface for exploiting the Internet and for application integration.

5 Web Services Security

5.1 Security Primer

Security is the foremost issue for online transactions, since information can be intercepted while it is transmitted over the Internet. The Web was invented to share information in a networked environment, so security was not a key issue when the HTTP protocol was developed. The security built into HTTP is the Basic Access Authentication scheme [19]. It is not considered secure, because the user name and password are sent merely base64-encoded, which is as good as clear text: they are exposed on the network and can easily be read with a protocol sniffer. To secure information transferred over HTTP, Secure Sockets Layer (SSL) [20] is used; SSL protects the privacy and maintains the integrity of data between the two end points of a connection.

5.1.1 Authentication

Authentication is the process of verifying the identity of a person or system that is accessing a service: it establishes that whoever claims to use the service really is who they say they are. Traditionally this is done with a user name and password pair. Authentication can now also be done with a biometric characteristic, such as a fingerprint or retina scan, or with a digital key.

5.1.2 Authorization

Authorization is the access control that decides who has the right to access which information or operations in a system. It can be applied per individual or per group: users are given different access privileges or rights to perform tasks in the system, usually tied to their user name and password. For example, affiliates of Amazon.com may not be able to access promotional information, while partners have the right to query promotional items.

5.1.3 Integrity

Integrity is important for data transmitted over a network. It guarantees that the data or information being transferred is intact; in other words, the data received by the intended receiver is exactly what was sent. A digitally signed document helps to maintain the integrity of the information being transmitted.

5.1.4 Confidentiality

Sensitive information transferred over a network needs to be protected. Confidentiality means that the data being transferred is not exposed to third parties. Encryption is one method of keeping data from being seen in transit: the data is encrypted before sending and decrypted on receipt.

5.1.5 Non-repudiation

The person who made a transaction should be accountable for it. Non-repudiation ensures that a person remains liable for an action he or she has taken electronically. With a public key infrastructure (PKI) [21], the identity of an entity involved in a transaction can be established from its digital certificate and its digital signature.

5.2 XML Security

As the Web has evolved, the traditional security model no longer covers all the security needs of Web services. Web services are not simply point-to-point operations: a service consumer may itself be a service provider for another consumer. For example, a mortgage service open to the public (a service provider) may need to request up-to-date information from other, internal Web services (as a service consumer). Point-to-point security measures such as SSL cannot be applied in this case, because Web service messages may pass through multiple points. In addition, Web services are not always processed synchronously in the way they are when transferred over HTTP [22, 23]. Over an asynchronous messaging transport the identity of a party may not be verifiable at the time the service is negotiated, and intermediate parties may have accessed or retained the message in transit. A security model that can secure a message end to end is therefore essential. Web services rely on SOAP messages, and SOAP is composed in XML; therefore XML security plays a major role in securing the SOAP message. The combination of XML Signature and XML Encryption provides reliable security measures for XML documents.

5.2.1 XML Signature

The Internet Engineering Task Force (IETF) and the W3C jointly developed XML Signature, a digital signature format for digital documents. Digital signatures are designed to provide data integrity, authentication and/or non-repudiation for digital content [24].

XML documents contain clear text, which makes data exchange between different systems much easier. However, a recipient cannot tell whether the data has been modified after it was created, and it may be a disaster for a company if, for instance, a sales quotation has been altered. Besides, we want to be assured that the document received was sent by a trusted person or a verified entity. A traditionally signed paper document can be checked for validity by various techniques; a digital document, on the other hand, has no simple mechanism to establish that it was produced or sent by a particular individual. A digital signature replaces the conventional signature in digital documents. XML Signature supports sender authentication, and related mechanisms are used to ensure that another party cannot later repudiate a valid transaction [25].

XML Signature can sign either the whole document or only a portion of it. The signed items are referenced by URIs: a full URL references a resource elsewhere on the Web, such as a PHP page, while a fragment identifier such as #name references a specific item within the same document. A document can contain one XML signature for the whole document or multiple signatures for multiple items, so entities can be signed on an individual basis. People who want to sign the document need only sign the portion that they want to keep intact and leave the rest unsigned [26]. In that case the signature remains valid for any changes made to the document except to the signed items, and the integrity of the signed data is maintained. Listing 3 is an example of a signed XML document.
<?xml version="1.0" encoding="utf-8"?>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
  <SignedInfo Id="foobar">
    <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
    <Reference URI="[URL of the first signed resource]">
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <DigestValue>j6lwx3rvEPO0vKtMup4NbeVu8nk=</DigestValue>
    </Reference>
    <Reference URI="[URL of the second signed resource]">
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <DigestValue>UrXLDLBIta6skoV5/A8Q38GEw44=</DigestValue>
    </Reference>
  </SignedInfo>
  <SignatureValue>MC0E~LE=</SignatureValue>
  <KeyInfo>
    <X509Data>
      <X509SubjectName>CN=Ed Simon,O=XMLSec Inc.,ST=OTTAWA,C=CA</X509SubjectName>
      <X509Certificate>MIID5jCCA0+gA...lVN</X509Certificate>
    </X509Data>
  </KeyInfo>
</Signature>

Listing 3. Sample XML signature [26].

There are three types of signature: enveloping, enveloped and detached [27]. Enveloping and enveloped signatures sign items in the same document as the signature, while a detached signature signs items that lie outside that document. A digital signature ensures data integrity and authenticates the parties involved.

5.2.2 XML Encryption

A digital signature by itself does not address all the security risks. The signed XML document is still in text format, which is easily read by humans, so sensitive data is exposed while the XML document is in transit and the privacy of the data is not established. Data encryption is needed to protect the data from being read.

Sensitive information should be well protected from exposure to the public. Data transmitted in XML format can easily be read by humans, but not everyone is supposed to read the same piece of information, so restricted or sensitive data should be protected. For example, the sales figures of a company must not be exposed when the data is transmitted over the network, whereas the company's contact information does not need to be protected. To protect the privacy of the data, only the intended person should be able to read it, and sensitive data must not be viewed by unauthorized people. Data encryption protects the privacy and confidentiality of the data being sent over the network.

In the traditional Web security model, data is usually protected at the transport layer. Data on the Web is usually exchanged directly between Web browsers and Web servers, so sensitive data is normally encrypted on the wire by SSL, and its privacy and confidentiality are guaranteed during transit. SSL protects data between the two ends of the connection; once the data arrives at the Web server, the protection is no longer guaranteed.
XML documents are not just transferred from one end to the other. They may be passed between different intermediate services or further processed by an intermediate party. How can we protect plain text documents or data that are passed between different systems from prying eyes? This is an important issue for a plain text based technology. Apart from protection at the transport layer using SSL, we need a mechanism that protects data at the content level. This mechanism should keep the information from being readable by humans while preserving the integrity of the document. To increase security, we need an encryption standard for XML documents.

XML Encryption is the specification defined by the W3C for encrypting data and representing the result in XML [28]. XML Encryption can encrypt a portion of a document: a single entity, such as the amount of a quotation, can be encrypted under this standard. This increases the flexibility of encrypting information and also reduces the overhead of encryption, decryption and transmission, because less time and fewer resources are required for encryption and decryption and less data needs to be transferred over the network.

XML Encryption provides end-to-end security for applications that require secure exchange of structured data [29]. The encryption information is embedded in the XML document itself, which makes the encrypted document more portable: it can safely travel through systems involving more than two parties. XML Encryption therefore maintains data privacy both in network transmission and in offline data exchange.

The following two code fragments from [28] demonstrate simple encryption of credit card information. The credit card details are encrypted, so intermediate parties can see only that there is encrypted data attached to the book purchase, and the credit card information is protected from exposure.
<purchaseorder>
  <Order>
    <Item>book</Item>
    <Id> </Id>
    <Quantity>12</Quantity>
  </Order>
  <Payment>
    <CardId> </CardId>
    <CardName>visa</CardName>
    <ValidDate> </ValidDate>
  </Payment>
</purchaseorder>

Listing 4. Before encryption [28]

<?xml version='1.0'?>
<PurchaseOrder>
  <Order>
    <Item>book</Item>
    <Id> </Id>
    <Quantity>12</Quantity>
  </Order>
  <EncryptedData Type='http://www.w3.org/2001/04/xmlenc#Element'
                 xmlns='http://www.w3.org/2001/04/xmlenc#'>
    <CipherData>
      <CipherValue>A23B45C564587</CipherValue>
    </CipherData>
  </EncryptedData>
</PurchaseOrder>

Listing 5. After encryption [28]

5.2.3 XML Key Management Specification

XML Key Management Specification (XKMS) [30] is a W3C specification for the distribution and registration of cryptographic keys. XKMS can be used together with XML Signature and XML Encryption. It comprises two parts: the XML Key Information Service Specification (X-KISS) and the XML Key Registration Service Specification (X-KRSS). X-KISS minimizes the complexity of using XML Signature in an application by delegating part or all of the processing to the XKMS service. As an XKMS client, the application does not need to build trust relationships itself using complex PKI specifications such as X.509/PKIX, SPKI or PGP, which reduces the complexity of application development. X-KRSS is the protocol by which a key pair holder registers the key pair with the service; it supports registration, reissue, revocation and recovery. The registered key pair can then be used with X-KISS or other PKI specifications.

5.2.4 Security Assertion Markup Language

Security Assertion Markup Language (SAML) [31] is a standard approved by OASIS. SAML uses shared assertions to exchange security information. Assertions express security information about a subject, that is, an entity that has an identity in some security domain, for example a human or a machine. A client can request an assertion from a SAML authority to verify the validity of an entity that is requesting a service. Additionally, SAML supports Single Sign-On: valid users can access resources in other domains without re-authenticating.

5.2.5 Extensible Access Control Markup Language

Extensible Access Control Markup Language (XACML) is a standard approved by OASIS. XACML is used to express security policies; in other words, it is an access control mechanism for entities based on rules and authorization policies. It determines whether a piece of data or an operation is accessible to a requesting entity.

5.2.6 Web Services Security (WS-Security)

Web Services Security (WS-Security) [32] was jointly developed by IBM, Microsoft and VeriSign. WS-Security is a specification that integrates a variety of security models and encryption technologies by protecting message integrity and message confidentiality and providing single-message authentication. It also provides a mechanism for associating security tokens with a message and describes how to encode binary tokens, such as X.509 certificates and Kerberos tickets.

6 SOAP Security

SOAP is the core technology of Web services. It defines the framework for data transmitted between different systems and services; without SOAP, Web services are virtually non-existent and unable to function. SOAP messages are composed in XML format. In other words, a SOAP message is an XML message and inherits the characteristics of an XML document, so XML security is employed to secure a SOAP message. On top of the XML security implementation there are SOAP-specific security implementations.

Currently most Web services implementations are based on the HTTP binding, in which SOAP messages are transferred over the HTTP protocol. The implementation is simple and involves few parties or partners over a simple network architecture. The easy and simple way to secure such a service is to employ current Web security technologies, the most popular and widely available of which is SSL. As on thousands of e-commerce sites on the Internet, SSL is used to secure information transferred between users and service providers.

In fact, SSL is used to protect data sent between Web browsers and Web servers. It is a transport layer protocol that ensures privacy and confidentiality between two points. SSL-encrypted data is transferred over the HTTPS protocol instead of HTTP. In addition, combined with digital certificates, it can be used to identify both parties, authenticated by a trusted authority such as VeriSign. Thus it provides integrity for the services as well: through verification by a centralized trust authority, an entity can be identified. As a result, most of the security issues that arise at the transport level can be dealt with by using SSL.

However, SSL keeps the data private in transit only: it secures the link at the transport layer. Like a tunnel, everything transferred inside it is safe or kept from being exposed, but if the tunnel is broken the data is exposed. It is therefore still not a very strong security measure. In fact, there have been no incidents of data privacy being compromised through SSL, except in the laboratory environment. Increasing the protection with security mechanisms at the message level is required.

7 Evaluations

7.1 Security Evaluation

With the popularity of Web services, security is the utmost issue that needs to be addressed seriously. There is no unique way to implement security for Web services; many technical committees from different camps are working on specifications and standards. The previous sections discussed the technologies and specifications for securing Web services. Security is a very big and complicated topic, and we need an all-round model to evaluate the security threats that may occur in Web services. A threat model is a security-based analysis that helps people determine the highest level security risks posed to the product and how attacks can manifest themselves [33]. The STRIDE threat model is used here to evaluate and categorize the threats to a Web service. It is a more formal approach to understanding the vulnerabilities in the system and how to mitigate the threats. It is used not only to evaluate threats at the message level but for the Web service as a whole, and the evaluation helps us make the system much more secure. The STRIDE categories are discussed in the following sections.

7.1.1 Spoofing identity

Authentication establishes the identity of the sender and the receiver. Spoofing threats allow an attacker to take control of the system as a valid user. Standard authentication systems use user names and passwords, Active Directory, Kerberos, digital certificates and LDAP to authenticate users. In Web services, the combination of XML Signature and a digital certificate can be used to authenticate the identity of a service requester. Additionally, encrypting identity data in the SOAP message prevents such information from being exposed; XML Encryption protects data privacy and confidentiality. The Digital Signature of SOAP Security Extensions [34] provides a standard way to sign SOAP messages using XML Signature [35]: an extensible namespace has been added to the SOAP header for adding security features. It is intended to be used in conjunction with other security techniques, such as a time stamp, to ensure uniqueness. When a digital signature is used for authentication, the sender must prove possession of the private key.

7.1.2 Tampering with data

Data can be tampered with by malicious attacks, and an unauthorized person must not be able to alter the data exchanged between systems. Proper authorization for data is crucial to maintaining data integrity. In Web services, authorization for data access may be needed at the entity level, since each entity or operation may require a different access privilege. Unprotected Web services may open all services to employees, which may lead to the exposure of sensitive data, so access rights should be implemented to improve control. XACML can be used to manage access to the services and operations. XACML is a foundational step in the creation of federated authentication [36]: it allows developers to write and enforce information access policies, making it a key component of an authorization infrastructure. Along with the implementation of XML Signature and XML Encryption, as well as SSL [37] in transport, data integrity is ensured.

7.1.3 Repudiation

Non-repudiation makes a person accountable for the action performed, so that it cannot later be denied for any reason. It is important in e-commerce, where it guarantees that a transaction is legally binding between the two parties. XML Signature can sign part or all of the XML message and can therefore be used to identify a requester. Besides, XKMS, a simplified PKI system that eases implementation, can also be employed for non-repudiation in identifying the service consumer.
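Section 7.1.1 notes that a signed SOAP header is used together with a time stamp to ensure uniqueness. The following added example (not code from the report or from the WS-Security specification) shows the receiver-side freshness and replay check on such a Timestamp header; it assumes the OASIS WS-Security 1.0 (2004) namespaces, a constructed SOAP 1.1 envelope, and that the signature binding the header to the body has already been verified.

```python
"""Freshness and replay checks on a WS-Security Timestamp header.
Added example, not code from the report or the WS-Security specification. It
is the header-level check that section 7.1.1 alludes to: the receiver accepts
a SOAP message only if its wsu:Timestamp lies inside a clock-skew window and
the same Timestamp has not been accepted before. The signature binding the
header to the body (5.2.1) is assumed to have been verified already; the
namespaces are those of the OASIS WS-Security 1.0 (2004) schemas."""
import datetime as dt
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
FMT = "%Y-%m-%dT%H:%M:%SZ"  # xsd:dateTime in UTC, as WS-Security requires

# Constructed request: a SOAP 1.1 envelope whose Security header carries a Timestamp.
ENVELOPE = f"""<soap:Envelope xmlns:soap="{SOAP}" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">
  <soap:Header>
    <wsse:Security soap:mustUnderstand="1">
      <wsu:Timestamp wsu:Id="TS-1">
        <wsu:Created>{{created}}</wsu:Created>
        <wsu:Expires>{{expires}}</wsu:Expires>
      </wsu:Timestamp>
    </wsse:Security>
  </soap:Header>
  <soap:Body><Order><Item>book</Item><Quantity>12</Quantity></Order></soap:Body>
</soap:Envelope>"""


def envelope(created, ttl=dt.timedelta(minutes=5)):
    """Render ENVELOPE for a message created at the given UTC time."""
    return ENVELOPE.format(created=created.strftime(FMT), expires=(created + ttl).strftime(FMT))


class TimestampVerifier:
    """Rejects Timestamps that are missing, in the future, expired, too old or replayed."""

    def __init__(self, max_skew=dt.timedelta(minutes=1), max_age=dt.timedelta(minutes=5)):
        self.max_skew, self.max_age = max_skew, max_age
        self.seen = {}  # (wsu:Id, Created) -> Expires, the replay cache

    def check(self, xml, now):
        ts = ET.fromstring(xml).find(f"{{{SOAP}}}Header/{{{WSSE}}}Security/{{{WSU}}}Timestamp")
        if ts is None:
            return "reject: no Timestamp header"
        created = dt.datetime.strptime(ts.findtext(f"{{{WSU}}}Created"), FMT)
        expires = dt.datetime.strptime(ts.findtext(f"{{{WSU}}}Expires"), FMT)
        if created > now + self.max_skew:
            return "reject: Created lies in the future"
        # Enforce the receiver's own maximum age, not only the sender's Expires.
        if now > expires or now - created > self.max_age:
            return "reject: message expired"
        self.seen = {k: e for k, e in self.seen.items() if e >= now}  # drop dead entries
        key = (ts.get(f"{{{WSU}}}Id"), created)
        if key in self.seen:
            return "reject: replay of an already accepted message"
        self.seen[key] = expires
        return "accept"


def demo():
    now = dt.datetime(2003, 8, 1, 12, 0, 0)  # constructed receiver clock
    verifier = TimestampVerifier()
    fresh = envelope(now - dt.timedelta(seconds=5))
    return {
        "fresh": verifier.check(fresh, now),
        "replayed": verifier.check(fresh, now + dt.timedelta(seconds=10)),
        "expired": verifier.check(envelope(now - dt.timedelta(minutes=10)), now),
        "future": verifier.check(envelope(now + dt.timedelta(minutes=5)), now),
        "no_timestamp": verifier.check(
            f'<soap:Envelope xmlns:soap="{SOAP}"><soap:Body/></soap:Envelope>', now),
    }
```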

7.1.4 Information disclosure

Information disclosure means data being disclosed to parties who should not have access to it. SSL protects data end-to-end over the transmission, but protection ends once the data reaches an endpoint or intermediary. SSL is therefore not a comprehensive means of securing Web services information, except at the wire level. XML Encryption, by contrast, gives true point-to-point protection of data privacy and confidentiality by encrypting the sensitive information and embedding it in the SOAP message. Combined with SAML, XACML and XML Signature, data privacy is assured.

7.1.5 Denial of service

Apart from message-focused security measures, threats to service availability and reliability should also be addressed for Web services security. Denial of service (DoS) attacks send massive numbers of requests to the server in order to overload the system and deny service to valid users. For example, sending 10 requests to a system that handles 5 requests per second will make the system unavailable to users. A network load balancing system would be able to reduce the risk of DoS.

7.1.6 Elevation of privilege

Elevation of privilege means an unprivileged user gaining privileged access in order to compromise or destroy the entire system [33]. XKMS increases the security level by simplifying the PKI implementation in Web services. XACML is the access control mechanism that can be implemented in SOAP for privilege control; it can be used to control access at the entity level.

7.2 Evaluation of Objectives

This section evaluates how well the project objectives have been achieved.

1. To understand Web Services and its architecture

This is one of the minimum requirements for the project. Web services definitions and concepts were explained in chapter 2, and chapter 3 discussed the Web service architecture and its underlying standards, describing the building blocks of Web services such as WSDL, UDDI and SOAP.


More information

Distributed Systems. Web Services (WS) and Service Oriented Architectures (SOA) László Böszörményi Distributed Systems Web Services - 1

Distributed Systems. Web Services (WS) and Service Oriented Architectures (SOA) László Böszörményi Distributed Systems Web Services - 1 Distributed Systems Web Services (WS) and Service Oriented Architectures (SOA) László Böszörményi Distributed Systems Web Services - 1 Service Oriented Architectures (SOA) A SOA defines, how services are

More information

Agent-Enabling Transformation of E-Commerce Portals with Web Services

Agent-Enabling Transformation of E-Commerce Portals with Web Services Agent-Enabling Transformation of E-Commerce Portals with Web Services Dr. David B. Ulmer CTO Sotheby s New York, NY 10021, USA Dr. Lixin Tao Professor Pace University Pleasantville, NY 10570, USA Abstract:

More information

Forum XWall and Oracle Application Server 10g

Forum XWall and Oracle Application Server 10g Forum XWall and Oracle Application Server 10g technical white paper Forum Systems, Inc. BOSTON, MA 95 Sawyer Road, suite 110 Waltham, MA 02453 SALT LAKE CITY, UT 45 West 10000 South, suite 415 Sandy, UT

More information

AN IPSWITCH WHITEPAPER. The Definitive Guide to Secure FTP

AN IPSWITCH WHITEPAPER. The Definitive Guide to Secure FTP AN IPSWITCH WHITEPAPER The Definitive Guide to Secure FTP The Importance of File Transfer Are you concerned with the security of file transfer processes in your company? According to a survey of IT pros

More information

Service Oriented Architectures Visions Concepts Reality

Service Oriented Architectures Visions Concepts Reality Service Oriented Architectures Visions Concepts Reality CSC March 2006 Alexander Schatten Vienna University of Technology Vervest und Heck, 2005 A Service Oriented Architecture enhanced by semantics, would

More information

XML Web Service? A programmable component Provides a particular function for an application Can be published, located, and invoked across the Web

XML Web Service? A programmable component Provides a particular function for an application Can be published, located, and invoked across the Web Web Services. XML Web Service? A programmable component Provides a particular function for an application Can be published, located, and invoked across the Web Platform: Windows COM Component Previously

More information

Distribution and web services

Distribution and web services Chair of Software Engineering Carlo A. Furia, Bertrand Meyer Distribution and web services From concurrent to distributed systems Node configuration Multiprocessor Multicomputer Distributed system CPU

More information

CYBER SECURITY MADE SIMPLE

CYBER SECURITY MADE SIMPLE CYBER SECURITY MADE SIMPLE Author: Christopher Gorog www.logiccentral.org www.newcyberfrontier.com Christopher Gorog, MBA, PMP, CISSP Lead Faculty for Cybersecurity at Colorado Technical University; Published

More information

Global Reference Architecture: Overview of National Standards. Michael Jacobson, SEARCH Diane Graski, NCSC Oct. 3, 2013 Arizona ewarrants

Global Reference Architecture: Overview of National Standards. Michael Jacobson, SEARCH Diane Graski, NCSC Oct. 3, 2013 Arizona ewarrants Global Reference Architecture: Overview of National Standards Michael Jacobson, SEARCH Diane Graski, NCSC Oct. 3, 2013 Arizona ewarrants Goals for this Presentation Define the Global Reference Architecture

More information

CmpE 596: Service-Oriented Computing

CmpE 596: Service-Oriented Computing CmpE 596: Service-Oriented Computing Pınar Yolum pinar.yolum@boun.edu.tr Department of Computer Engineering Boğaziçi University CmpE 596: Service-Oriented Computing p.1/53 Course Information Topics Work

More information

Biometrics. Overview of Authentication

Biometrics. Overview of Authentication May 2001 Biometrics The process of verifying that the person with whom a system is communicating or conducting a transaction is, in fact, that specific individual is called authentication. Authentication

More information

SOLUTION ARCHITECTURE AND TECHNICAL OVERVIEW. Decentralized platform for coordination and administration of healthcare and benefits

SOLUTION ARCHITECTURE AND TECHNICAL OVERVIEW. Decentralized platform for coordination and administration of healthcare and benefits SOLUTION ARCHITECTURE AND TECHNICAL OVERVIEW Decentralized platform for coordination and administration of healthcare and benefits ENABLING TECHNOLOGIES Blockchain Distributed ledgers Smart Contracts Relationship

More information

Technologies for Securing the Networked Supply Chain. Alex Deacon Advanced Products and Research Group VeriSign, Inc.

Technologies for Securing the Networked Supply Chain. Alex Deacon Advanced Products and Research Group VeriSign, Inc. Technologies for Securing the Networked Supply Chain Alex Deacon Advanced Products and Research Group VeriSign, Inc. Agenda Introduction Security challenges Security technologies in use today Applying

More information

Threat Modeling. Bart De Win Secure Application Development Course, Credits to

Threat Modeling. Bart De Win Secure Application Development Course, Credits to Threat Modeling Bart De Win bart.dewin@ascure.com Secure Application Development Course, 2009 Credits to Frank Piessens (KUL) for the slides 2 1 Overview Introduction Key Concepts Threats, Vulnerabilities,

More information

Crop Production Recognize Frameworks using Mobile Enterprise Application

Crop Production Recognize Frameworks using Mobile Enterprise Application , 22-24 October, 2014, San Francisco, USA Crop Production Recognize Frameworks using Mobile Enterprise Application Haeng Kon Kim and Roger Y Lee Abstract In this paper we propose an Enterprise Application

More information

XML Key Information System for Secure e-trading

XML Key Information System for Secure e-trading XML Key Information System for Secure e-trading Nam-Je Park, Ki-Young Moon, Sung-Won Sohn Informatoion Security Research Division Electronics Telecommunications Research Institute(ETRI) 161 Gajeong-dong,

More information

TIBCO Cloud Integration Security Overview

TIBCO Cloud Integration Security Overview TIBCO Cloud Integration Security Overview TIBCO Cloud Integration is secure, best-in-class Integration Platform as a Service (ipaas) software offered in a multi-tenant SaaS environment with centralized

More information

Sentinet for Windows Azure VERSION 2.2

Sentinet for Windows Azure VERSION 2.2 Sentinet for Windows Azure VERSION 2.2 Sentinet for Windows Azure 1 Contents Introduction... 2 Customer Benefits... 2 Deployment Topologies... 3 Isolated Deployment Model... 3 Collocated Deployment Model...

More information

Oracle Communications Services Gatekeeper

Oracle Communications Services Gatekeeper Oracle Communications Services Gatekeeper Security Guide Release 5.1 E36134-01 June 2013 Oracle Communications Services Gatekeeper Security Guide, Release 5.1 E36134-01 Copyright 2011, 2013, Oracle and/or

More information

Web Services Security SOAP Messages with Attachments (SwA) Profile 1.0 Interop 1 Scenarios

Web Services Security SOAP Messages with Attachments (SwA) Profile 1.0 Interop 1 Scenarios 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 Web Services Security SOAP Messages with Attachments (SwA) Profile 1.0 Interop 1 Scenarios Working Draft 04, 21 Oct 2004 Document identifier:

More information

Goal: Offer practical information to help the architecture evaluation of an SOA system. Evaluating a Service-Oriented Architecture

Goal: Offer practical information to help the architecture evaluation of an SOA system. Evaluating a Service-Oriented Architecture Evaluating a Service-Oriented Architecture Paulo Merson, SEI with Phil Bianco, SEI Rick Kotermanski, Summa Technologies May 2007 Goal: Offer practical information to help the architecture evaluation of

More information

What Is Service-Oriented Architecture

What Is Service-Oriented Architecture What Is Service-Oriented Architecture by Hao He September 30, 2003 "Things should be made as simple as possible, but no simpler." -- Albert Einstein Introduction Einstein made that famous statement many

More information

Prescription Monitoring Program Information Exchange (PMIX) Architecture. Version 1.0. April 2012

Prescription Monitoring Program Information Exchange (PMIX) Architecture. Version 1.0. April 2012 Prescription Monitoring Program Information Exchange (PMIX) Architecture Version 1.0 April 2012 Developed in conjunction with: TABLE OF CONTENTS 1 Document Purpose... 5 2 Document Scope... 5 3 Background...

More information

UNITE 2003 Technology Conference

UNITE 2003 Technology Conference UNITE 2003 Technology Conference Web Services as part of your IT Infrastructure Michael S. Recant Guy Bonney MGS, Inc. Session MTP4062 9:15am 10:15am Tuesday, September 23, 2003 Who is MGS, Inc.! Software

More information

API Security. PHP Tek Rob Richards

API Security. PHP Tek Rob Richards API Security PHP Tek 2012 Rob Richards rrichards@mashery.com Who am I? Rob Richards Mashery Email: rrichards@mashery.com Twitter: @mashery Slides: www.cdatazone.org WWW Danger! Danger! Traditional Web

More information

WebServices the New Era

WebServices the New Era WebServices the New Era Introduction to WebServices Standards of WebServices Component Architecture WebServices Architecture SOAP WSDL UDDI Tools and Technologies of WebServices An example of WebServices

More information

TN3270 AND TN5250 INTERNET STANDARDS

TN3270 AND TN5250 INTERNET STANDARDS 51-10-55 DATA COMMUNICATIONS MANAGEMENT TN3270 AND TN5250 INTERNET STANDARDS Ed Bailey INSIDE Enterprise Data and Logic; User Productivity and Confidence; Newer Platforms and Devices; How Standardization

More information

ISA 767, Secure Electronic Commerce Xinwen Zhang, George Mason University

ISA 767, Secure Electronic Commerce Xinwen Zhang, George Mason University Identity Management and Federated ID (Liberty Alliance) ISA 767, Secure Electronic Commerce Xinwen Zhang, xzhang6@gmu.edu George Mason University Identity Identity is the fundamental concept of uniquely

More information

Cloud Access Manager Overview

Cloud Access Manager Overview Cloud Access Manager 8.1.3 Overview Copyright 2017 One Identity LLC. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished

More information

Choosing the Right Solution for Strategic Deployment of Encryption

Choosing the Right Solution for Strategic Deployment of  Encryption Choosing the Right Solution for Strategic Deployment of Email Encryption White Paper: Enterprise Email Encryption Email Protection Buyer s Guide Choosing the Right Solution for Strategic Deployment of

More information

Sentinet for Microsoft Azure SENTINET

Sentinet for Microsoft Azure SENTINET Sentinet for Microsoft Azure SENTINET Sentinet for Microsoft Azure 1 Contents Introduction... 2 Customer Benefits... 2 Deployment Topologies... 3 Cloud Deployment Model... 3 Hybrid Deployment Model...

More information

DESIGN OF WEB SERVICE SINGLE SIGN-ON BASED ON TICKET AND ASSERTION

DESIGN OF WEB SERVICE SINGLE SIGN-ON BASED ON TICKET AND ASSERTION DESIGN OF WEB SERVICE SINGLE SIGN-ON BASED ON TICKET AND ASSERTION Abstract: 1 K.Maithili, 2 R.Ruhin Kouser, 3 K.Suganya, 1,2,3 Assistant Professor, Department of Computer Science Engineering Kingston

More information

Web Services in Cincom VisualWorks. WHITE PAPER Cincom In-depth Analysis and Review

Web Services in Cincom VisualWorks. WHITE PAPER Cincom In-depth Analysis and Review Web Services in Cincom VisualWorks WHITE PAPER Cincom In-depth Analysis and Review Web Services in Cincom VisualWorks Table of Contents Web Services in VisualWorks....................... 1 Web Services

More information

How to Overcome Web Services Security Obstacles

How to Overcome Web Services Security Obstacles How to Overcome Web Services Security Obstacles Dick Mackey SystemExperts Corporation Agenda Introduction to Web Services Web Services threats Web Services security standards What s here today What you

More information

Authentication in Cloud Application: Claims-Based Identity Model

Authentication in Cloud Application: Claims-Based Identity Model Authentication in Cloud Application: Claims-Based Identity Model Upen H Nathwani 1*, Irvin Dua 1, Ved Vyas Diwedi 2 Abstracts: Basically cloud service provider (CSP) give facility to access Software as

More information

1. Federation Participant Information DRAFT

1. Federation Participant Information DRAFT INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES [NOTE: This document should be considered a as MIT is still in the process of spinning up its participation in InCommon.] Participation in InCommon

More information

Glossary of Exchange Network Related Groups

Glossary of Exchange Network Related Groups Glossary of Exchange Network Related Groups CDX Central Data Exchange EPA's Central Data Exchange (CDX) is the point of entry on the National Environmental Information Exchange Network (Exchange Network)

More information

Computers and Security

Computers and Security The contents of this Supporting Material document have been prepared from the Eight units of study texts for the course M150: Date, Computing and Information, produced by The Open University, UK. Copyright

More information

Sistemi ICT per il Business Networking

Sistemi ICT per il Business Networking Corso di Laurea Specialistica Ingegneria Gestionale Sistemi ICT per il Business Networking SOA and Web Services Docente: Vito Morreale (vito.morreale@eng.it) 1 1st & 2nd Generation Web Apps Motivation

More information

Next-Generation SOA Infrastructure. An Oracle White Paper May 2007

Next-Generation SOA Infrastructure. An Oracle White Paper May 2007 Next-Generation SOA Infrastructure An Oracle White Paper May 2007 Next-Generation SOA Infrastructure INTRODUCTION Today, developers are faced with a bewildering array of technologies for developing Web

More information

Technical Trust Policy

Technical Trust Policy Technical Trust Policy Version 1.2 Last Updated: May 20, 2016 Introduction Carequality creates a community of trusted exchange partners who rely on each organization s adherence to the terms of the Carequality

More information

Overview. SSL Cryptography Overview CHAPTER 1

Overview. SSL Cryptography Overview CHAPTER 1 CHAPTER 1 Secure Sockets Layer (SSL) is an application-level protocol that provides encryption technology for the Internet. SSL ensures the secure transmission of data between a client and a server through

More information

Appendix A - Glossary(of OO software term s)

Appendix A - Glossary(of OO software term s) Appendix A - Glossary(of OO software term s) Abstract Class A class that does not supply an implementation for its entire interface, and so consequently, cannot be instantiated. ActiveX Microsoft s component

More information

Federated Identity Manager Business Gateway Version Configuration Guide GC

Federated Identity Manager Business Gateway Version Configuration Guide GC Tivoli Federated Identity Manager Business Gateway Version 6.2.1 Configuration Guide GC23-8614-00 Tivoli Federated Identity Manager Business Gateway Version 6.2.1 Configuration Guide GC23-8614-00 Note

More information

Accelerate Your Enterprise Private Cloud Initiative

Accelerate Your Enterprise Private Cloud Initiative Cisco Cloud Comprehensive, enterprise cloud enablement services help you realize a secure, agile, and highly automated infrastructure-as-a-service (IaaS) environment for cost-effective, rapid IT service

More information

e-commerce Study Guide Test 2. Security Chapter 10

e-commerce Study Guide Test 2. Security Chapter 10 e-commerce Study Guide Test 2. Security Chapter 10 True/False Indicate whether the sentence or statement is true or false. 1. Necessity refers to preventing data delays or denials (removal) within the

More information

XML Web Services Basics

XML Web Services Basics MSDN Home XML Web Services Basics Page Options Roger Wolter Microsoft Corporation December 2001 Summary: An overview of the value of XML Web services for developers, with introductions to SOAP, WSDL, and

More information

UCSD Extension. Fundamentals of Web Services. Instructor: John Pantone. 2007, Objectech Corporation. All rights reserved

UCSD Extension. Fundamentals of Web Services. Instructor: John Pantone. 2007, Objectech Corporation. All rights reserved UCSD Extension Fundamentals of Web Services Instructor: John Pantone 1 Web Services Are: self-contained modular distributed dynamic Can be described published located invoked Over a network 2 Web Services

More information

INTEGRATED SECURITY SYSTEM FOR E-GOVERNMENT BASED ON SAML STANDARD

INTEGRATED SECURITY SYSTEM FOR E-GOVERNMENT BASED ON SAML STANDARD INTEGRATED SECURITY SYSTEM FOR E-GOVERNMENT BASED ON SAML STANDARD Jeffy Mwakalinga, Prof Louise Yngström Department of Computer and System Sciences Royal Institute of Technology / Stockholm University

More information

itexamdump 최고이자최신인 IT 인증시험덤프 일년무료업데이트서비스제공

itexamdump 최고이자최신인 IT 인증시험덤프  일년무료업데이트서비스제공 itexamdump 최고이자최신인 IT 인증시험덤프 http://www.itexamdump.com 일년무료업데이트서비스제공 Exam : CISA Title : Certified Information Systems Auditor Vendor : ISACA Version : DEMO Get Latest & Valid CISA Exam's Question and

More information

I. INFORMATION WE COLLECT

I. INFORMATION WE COLLECT PRIVACY POLICY USIT PRIVACY POLICY Usit (the Company ) is committed to maintaining robust privacy protections for its users. Our Privacy Policy ( Privacy Policy ) is designed to help you understand how

More information

Web service design. every Web service can be associated with:

Web service design. every Web service can be associated with: Web Services Web services provide the potential of fulfilling SOA requirements, but they need to be intentionally designed to do so. Web services framework is flexible and adaptable. Web services can be

More information