Web Services Security. Dr. Ingo Melzer, Prof. Mario Jeckle

Similar documents
A Signing Proxy for Web Services Security

Implementing a Ground Service- Oriented Architecture (SOA) March 28, 2006

Distributed Systems. Web Services (WS) and Service Oriented Architectures (SOA) László Böszörményi Distributed Systems Web Services - 1

Web Services in Cincom VisualWorks. WHITE PAPER Cincom In-depth Analysis and Review

J2EE APIs and Emerging Web Services Standards

(9A05803) WEB SERVICES (ELECTIVE - III)

Transport (http) Encoding (XML) Standard Structure (SOAP) Description (WSDL) Discovery (UDDI - platform independent XML)

Simple Object Access Protocol (SOAP) Reference: 1. Web Services, Gustavo Alonso et. al., Springer

How to Overcome Web Services Security Obstacles

UNITE 2007 Technology Conference

Web Services Introduction WS-Security XKMS

Enterprise SOA Experience Workshop. Module 8: Operating an enterprise SOA Landscape

XML Web Service? A programmable component Provides a particular function for an application Can be published, located, and invoked across the Web

Using the Cisco ACE Application Control Engine Application Switches with the Cisco ACE XML Gateway

C exam. IBM C IBM WebSphere Application Server Developer Tools V8.5 with Liberty Profile. Version: 1.

Distribution and web services

Lesson 13 Securing Web Services (WS-Security, SAML)

Berner Fachhochschule. Technik und Informatik. Web Services. An Introduction. Prof. Dr. Eric Dubuis Berner Fachhochschule Biel

Sistemi ICT per il Business Networking

WWW, REST, and Web Services

XML Web Services Basics

VPN Ports and LAN-to-LAN Tunnels

Chapter 17 Web Services Additional Topics

Programming Web Services in Java

Announcements. Next week Upcoming R2

WEB Service Interoperability Analysis and Introduction of a Design Method to reduce non Interoperability Effects

Göttingen, Introduction to Web Services

Chapter 32 Security in the Internet: IPSec, SSL/TLS, PGP,

SOA-Tag Koblenz 28. September Dr.-Ing. Christian Geuer-Pollmann European Microsoft Innovation Center Aachen, Germany

HP Instant Support Enterprise Edition (ISEE) Security overview

Application Connectivity Strategies

Forum XWall and Oracle Application Server 10g

CONTENTS. vii. Chapter 1 TCP/IP Overview 1. Chapter 2 Symmetric-Key Cryptography 33. Acknowledgements

SUN. Java Platform Enterprise Edition 6 Web Services Developer Certified Professional

CSC Network Security

International Journal of Computer Science Trends and Technology (IJCST) Volume 3 Issue 6, Nov-Dec 2015

UNITE 2003 Technology Conference

Testpassport.

Integration of Wireless Sensor Network Services into other Home and Industrial networks

Concepts of Web Services Security

Introduction to Web Services & SOA

ITdumpsFree. Get free valid exam dumps and pass your exam test with confidence

Web Services Architecture Directions. Rod Smith, Donald F Ferguson, Sanjiva Weerawarana IBM Corporation

Cloud Computing Chapter 2

CREATION AND CONFIGURATION OF WEB SERVICE FROM RFC AND DEPLOYMENT IN ANOTHER SYSTEM

Basic Profile 1.0. Promoting Web Services Interoperability Across Platforms, Applications and Programming Languages

Network Security and Cryptography. December Sample Exam Marking Scheme

DISTRIBUTED COMPUTING

Oracle Developer Day

Programming the Internet. Phillip J. Windley

DenyAll Protect. accelerating. Web Application & Services Firewalls. your applications. DenyAll Protect

Middleware. Adapted from Alonso, Casati, Kuno, Machiraju Web Services Springer 2004

Firewalls. IT443 Network Security Administration Slides courtesy of Bo Sheng

SOA-20: The Role of Policy Enforcement in SOA Management

AIM Enterprise Platform Software IBM z/transaction Processing Facility Enterprise Edition 1.1.0

COMPUTER NETWORK SECURITY

Profiling of Standards A Necessary Step toward Interoperability

04 Webservices. Web APIs REST Coulouris. Roy Fielding, Aphrodite, chp.9. Chp 5/6


Exam Name: IBM WebSphere Datapower SOA. Appliances Firmware V3.8.1, Solution Implementation

Services and Identity Management Contents. A Basic Web Service. Web applications. Applications and Services

Distributed Systems Question Bank UNIT 1 Chapter 1 1. Define distributed systems. What are the significant issues of the distributed systems?

SOA Management and Security Enforcement

SHORT NOTES / INTEGRATION AND MESSAGING

Unifie X Common Gateway Server (N Tier)

FAQ TALK2M. ewon SA Avenue de l artisanat, Braine L Alleud Belgium

Introduction to Web Services & SOA

Innovation and Cryptoventures. Technology 101. Lee Jacobs and Campbell R. Harvey. February 22, 2017

Asynchronous and Synchronous Messaging with Web Services and XML Ronald Schmelzer Senior Analyst ZapThink, LLC

Grid Computing Fall 2005 Lecture 5: Grid Architecture and Globus. Gabrielle Allen

API Security Management with Sentinet SENTINET

CNIT 129S: Securing Web Applications. Ch 3: Web Application Technologies

Goal: Offer practical information to help the architecture evaluation of an SOA system. Evaluating a Service-Oriented Architecture

Int ernet w orking. Internet Security. Literature: Forouzan: TCP/IP Protocol Suite : Ch 28

Identität und Autorisierung als Grundlage für sichere Web-Services. Dr. Hannes P. Lubich IT Security Strategist

Distributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013

A short introduction to Web Services

CA SiteMinder Web Services Security

SAML-Based SSO Solution

Syllabus: The syllabus is broadly structured as follows:

eid Interoperability for PEGS WS-Federation

CISCO IT DEPARTMENT DEPLOYS INNOVATIVE CISCO APPLICATION- ORIENTED NETWORKING SOLUTION

Web Services and SOA. The OWASP Foundation Laurent PETROQUE. System Engineer, F5 Networks

IBM Exam IBM WebSphere DataPower SOA Appliances Firmware V5.0 Solution Implementation Version: 6.0 [ Total Questions: 75 ]

the Corba/Java Firewall

Web Services, ebxml and XML Security

Agent-Enabling Transformation of E-Commerce Portals with Web Services

Service Oriented Architectures Visions Concepts Reality

JXTA TM Technology for XML Messaging

CmpE 596: Service-Oriented Computing

COMMUNICATION PROTOCOLS

Overview and Benefits of SEEBURGER AS2 Spokes. Trading Partner Integration Using SEEBURGER'S BIS:AS2 Spoke

Networking interview questions

Firewalls, Tunnels, and Network Intrusion Detection

02267: Software Development of Web Services

describe the functions of Windows Communication Foundation describe the features of the Windows Workflow Foundation solution

KINGS COLLEGE OF ENGINEERING 1

BEAAquaLogic. Service Bus. JPD Transport User Guide

Federated Web Services with Mobile Devices

Leveraging Web Services Application Integration. David S. Linthicum CTO Mercator

Transcription:

Web Services Security Dr. Ingo Melzer, Prof. Mario Jeckle

What is a Web Service? Infrastructure Web Service I. Melzer -- Web Services Security 2

What is a Web Service? Directory Description UDDI/WSIL WSDL Web Service Transport Content Infrastructure SOAP XML Web Service basic Web Service I. Melzer -- Web Services Security 8

Properties of Web Services Web Services allow collaboration of different systems Integration of existing systems Facade for set of similar systems Web Services offer two styles: RPC and messaging Protocol of Web Services: SOAP (XML-based) SOAP mainly used over HTTP(S) Most of the time: Computer to computer communication Easy access of otherwise hidden systems Security issue! I. Melzer -- Web Services Security 9

Definition: Web Services A Web Service is is a piece of of server-side software that provides a certain functionality (as a black box) and is is accessible through Internet protocols using XML/SOAP messages with a described and published interface (typically by by means of of WSDL). Those interface descriptions should be be registered in in a (global) registry such as as UDDI. I. Melzer -- Web Services Security 10

Common Web Services Scenario Client calls Web Service over the Internet Client Web Service (XML) Digital Signature (XML) Digital Signature SOAP SOAP Transport Protocol (e. g. HTTP) Transport Protocol (e. g. HTTP) Trusted Intranet Internet Trusted Intranet Firewall Firewall I. Melzer -- Web Services Security 11

Web Services Architecture Web Services Protocol: SOAP (XML based) SOAP usually over other protocol SOAP does not deal with security (and does not have to) SOAP (XML based),... Transport Protocol (often HTTP),... Ethernet (TCP/IP),... I. Melzer -- Web Services Security 12

Web Services Architecture + Security Security can be added at each layer No layer completely suitable for securing all services XML-layer important for flexibility (intermediaries) XML-Signature, XML-Encryption, WS-Security, SAML SOAP (XML based),... Transport Protocol (often HTTP),... Ethernet (TCP/IP),... XML-Secu. SSL IPSec I. Melzer -- Web Services Security 13

Why SSL (HTTPS) often does not help: SSL is only for point to point connections Only usable for a few protocols (mainly HTTP) Only transport of whole document is encrypted Header information no longer readable Routing information Intermediaries Calling a set of Web Services? Asynchronous call of Web Services not possible Data unprotected upon reaching the server Authentication of origin lost if more than one service is involved I. Melzer -- Web Services Security 14

Needs and Wishes Security at XML level, e. g. to keep only parts of the message readable Transparent for users impossible to forget it Centralized control single point of administration Easy integration into existing systems Usable even with external partners no proprietary solutions Open Standards like XML-Signature, WS-Security, Interoperability Framework for exchange and adaptation of security technologies at any time I. Melzer -- Web Services Security 15

XML-Signature (Existing Technology) RFC 3275: Digitally sign document and represent in XML Result is (still) an XML document XPath to locate and identify parts to be signed Multiple signatures can added to one document 1. Choose parts of documents to sign 2. Calculate digest (or hash sum) of each part (after canonization) 3. Build <SignedInfo> element (contains digest, used algorithms, XPath) 4. Calculate digest of SignedInfo and sign it <SignatureValue> 5. SignedInfo, SignatureValue, KeyInfo are added to document in <Signature> I. Melzer -- Web Services Security 16

Needs and Wishes not solved at once by XML Signature Security at XML level, e. g. to keep only parts of the message readable Transparent for users impossible to forget it Centralized control single point of administration Easy integration into existing systems Usable even with external partners no proprietary solutions Open Standards like XML-Signature, WS-Security, Interoperability Framework for exchange and adaptation of security technologies at any time I. Melzer -- Web Services Security 17

Adding Security Transparently Proxy transparently adds XML-Signature WS-Client Signing Proxy (XML) Digital Signature SOAP SOAP Transport Protocol (e. g. HTTP) Transport Protocol (e. g. HTTP) Trusted Intranet Internet Boundary of Trust I. Melzer -- Web Services Security 18

Adding Security Transparently II Proxy authentication for personal XML-Signature Proxy Authentication WS Client Signing Proxy (XML) Digital Signature SOAP SOAP Transport Protocol e. g. HTTP(S) Transport Protocol e. g. HTTP(S) Trusted(?) Intranet Internet Company s Boundary I. Melzer -- Web Services Security 19

Encryption for B2B Environment Static Set of Partners In a B2B environment, it is possible to keep a list of partners Therefore encryption can be done in this way: 1. Determine Partner for outgoing message (e. g. domain of URL) 2. Get public key of partner (database, PKI, ) 3. Encrypt e. g. body of message using the key and XML-Encryption Firewall of receiver can use its private key for decryption Information for a more precise encryption possible with header expansions This job could also be done by an intermediary I. Melzer -- Web Services Security 20

Requirements for Bigger Encryption Scenario Public Key of receiver needed for encryption. Possible Solutions: PKI or public key servers (like for pgp) Expansion for WSDL (where are the public keys) Standard for SOAP header expansion to specify part to be encrypted Further spreading of XML encryption Signature can be ignored, encryption cannot It does not help if receiver cannot decrypt message I. Melzer -- Web Services Security 21

Status Three papers accepted (all three together with Mario Jeckle): Three Master Theses with University of Ulm (Prof. Dr. Schweiggert) and FH Hagenberg (Austria) Demonstrator for proof of concept has been implemented To be done: More on encryption including concept for bigger scenario Further evaluation of WS-Policy I. Melzer -- Web Services Security 22

Summary I SOAP does not deal with security (and does not have to) No secure Web Services available yet HTTP is no longer static (or dumb?) Firewalls have to be able to process SOAP, but Today s firewall software for Web Services not sufficient Other XML-based standards suitable for this job: XML-Signature, XML-Encryption, SAML, WS-Security, Idea: Signing Proxy to transparently add signatures Improvement for firewall to check signatures not very difficult I. Melzer -- Web Services Security 23

Summary II (Signing Proxy) Signing Proxy offers single point of administration WS developers have to deal much less with security Can be part of security infrastructure Offer a service (just like a PKI) Signing Proxy fits perfectly into Service Oriented Architecture Encryption easily added in B2B environment Nevertheless: Security for Web Services has to be improved I. Melzer -- Web Services Security 24

Summary of Innovation Management Project Goals Technology monitoring Overview on Web Services standards Developments, trends, risks Securing know-how and expertise on Web Services Participation in standardization Detailed Analysis Report on State of the Art Evaluation of firewalls for Web Services Signing Proxy for Web Services Measurement of performance Mobile Devices Input for GTC project proposal Transactions Security Discovery WSDL SOAP XML I. Melzer -- Web Services Security 25

When to use Web Services Connecting Java and.net Both support Web Services quite well Connecting different platforms or programming languages Web Services are not the only choice, but a good one Modern interfaces for legacy applications Easier to access Encapsulate features that are awkward to use Implementing Service Oriented Architecture Discovery at runtime Binding at runtime Recommend only for new projects or major releases I. Melzer -- Web Services Security 26

Performance of Web Services Deep impact of network traffic SOAP often better than expected HTTP is main bottleneck SPEC benchmarks are good to estimate new server s performance Potential for optimizations only given for servers SOAP-pings good way to compare different platforms/implementations 700 600 500 400 300 200 100 0 0 50 100 250 500 1000 2500 5000 10000 40000 Response time [ms] Perl Java ICMP-Ping RMI CORBA SOAP over HTTP SOAP over TCP Packet Size [Byte] I. Melzer -- Web Services Security 27

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback