Web Services Security.

Slides:



Advertisements
Similar presentations
Internet Protocol Security (IP Sec)
Advertisements

Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.
Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.
1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.
1 Pertemuan 12 Authentication, Encryption, Digital Payments, and Digital Money Matakuliah: M0284/Teknologi & Infrastruktur E-Business Tahun: 2005 Versi:
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.
Security Overview Hofstra University University College for Continuing Education - Advanced Java Programming Lecturer: Engin Yalt May 24, 2006.
Core Web Service Security Patterns
 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
Web Services Security Multimedia Information Engineering Lab. Yoon-Sik Yoo.
BY MUKTADIUR RAHMAN MAY 06, 2010 INTERODUCTION TO CRYPTOGRAPHY.
Web services security I
Secure Systems Research Group - FAU Patterns for Digital Signature using hashing Presented by Keiko Hashizume.
CSCI 6962: Server-side Design and Programming
INE1020: Introduction to Internet Engineering 6: Privacy and Security Issues1 Lecture 9: E-commerce & Business r E-Commerce r Security Issues m Secure.
Chapter 3 Mohammad Fozlul Haque Bhuiyan Assistant Professor CITI Jahangirnagar University.
Lecture 12 Electronic Business (MGT-485). Recap – Lecture 11 E-Commerce Security Environment Security Threats in E-commerce Technology Solutions.
.Net Security and Performance -has security slowed down the application By Krishnan Ganesh Madras.
SYSTEM ADMINISTRATION Chapter 13 Security Protocols.
Session 11: Security with ASP.NET
Web Services Security. Introduction Developing standards for Web Services security – XML Key Management Specification (XKMS) – XML Signature – XML Encryption.
1 Chapter 9 E- Security. Main security risks 2 (a) Transaction or credit card details stolen in transit. (b) Customer’s credit card details stolen from.
Implementing ISA Server Publishing. Introduction What Are Web Publishing Rules? ISA Server uses Web publishing rules to make Web sites on protected networks.
E-Commerce Security Technologies : Theft of credit card numbers Denial of service attacks (System not availability ) Consumer privacy (Confidentiality.
Securing Electronic Transactions University of Palestine Eng. Wisam Zaqoot April 2010 ITSS 4201 Internet Insurance and Information Hiding.
Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.
Dr. L. Christofi1 Local & Metropolitan Area Networks ACOE322 Lecture 8 Network Security.
Protecting Internet Communications: Encryption  Encryption: Process of transforming plain text or data into cipher text that cannot be read by anyone.
Cryptography, Authentication and Digital Signatures
E-Commerce Security Professor: Morteza Anvari Student: Xiaoli Li Student ID: March 10, 2001.
Module 9: Fundamentals of Securing Network Communication.
ACM 511 Introduction to Computer Networks. Computer Networks.
Security Many secure IT systems are like a house with a locked front door but with a side window open -somebody.
COSC 513 Operating Systems Project Presentation: Internet Security Instructor: Dr. Anvari Student: Ying Zhou Spring 2003.
Traditional Security Issues Confidentiality –Prevent unauthorized access or reading of information Integrity –Insure that writing or operations are allowed.
SSL: Secure Socket Layer By: Mike Weissert. Overview Definition History & Background SSL Assurances SSL Session Problems Attacks & Defenses.
1 Internet data security (HTTPS and SSL) Ruiwu Chen.
TOPIC: HTTPS (Security protocol)
Web Security CS-431.
IPSec Detailed Description and VPN
Network Security Presented by: JAISURYA BANERJEA MBA, 2ND Semester.
Security Outline Encryption Algorithms Authentication Protocols
SSL Certificates for Secure Websites
PAYMENT GATEWAY Presented by SHUJA ASHRAF SHAH ENROLL: 4471
Computer Communication & Networks
Information Security message M one-way hash fingerprint f = H(M)
Chapter 8 Building the Transaction Database
Jim Fawcett CSE686 – Internet Programming Summer 2005
Radius, LDAP, Radius used in Authenticating Users
BY GAWARE S.R. DEPT.OF COMP.SCI
Information and Network Security
E-Commerce Security.
Information Security message M one-way hash fingerprint f = H(M)
Chapter 7 STRENGTH OF ENCRYPTION & Public Key Infrastructure
Message Digest Cryptographic checksum One-way function Relevance
Pooja programmer,cse department
Information Security message M one-way hash fingerprint f = H(M)
CDK4: Chapter 7 CDK5: Chapter 11 TvS: Chapter 9
Protocol ap1.0: Alice says “I am Alice”
CDK: Chapter 7 TvS: Chapter 9
Advanced Computer Networks
Electronic Payment Security Technologies
Chapter 8 roadmap 8.1 What is network security?
Presentation transcript:

Web Services Security

Introduction Developing standards for Web Services security XML Key Management Specification (XKMS) XML Signature XML Encryption How Web Services affect network security and security policies Web Services Security

Introduction Effective Web Services security allows clients to access appropriate services while keeping sensitive information confidential Web services require end-to-end security for transactions Authentication (e.g., Login names and passwords) can be compromised because of communications not encrypted Required strong interoperability Because transmissions occurs across multiple platforms and must be secured at all times Web Services Security

Introduction Well-defined and well-documented security policies, as well as implementation, administration and maintenance, are crucial to any security infrastructure Companies are responsible to create their own security policies Result in disparate security policies across organizations Need to develop security-policy standards for organizations to communicate effectively without compromising their security policies Web Services Security

Basic Security for Transmission over HTTP HTTP enables Web servers to authenticate users before allowing access to resources Web server check user’s credentials (e.g., username and password) HTTP security employs secret-key cryptography, message digests, etc. However, HTTP do not encrypt the body of a message Need other strong security technologies E.g., SSL or Kerberos Web Services Security

Basic Security for Transmission over HTTP Challenge-response authentication Users must provide specific authentication information to verify their identities Return 401 Unauthorized response when users are not unauthenticated to view a protected resource Users provide username and password setup up by, for example, emails Return 403 Forbidden if denied Relatively weak security solution Username and password are not encrypted Web Services Security

Basic Security for Transmission over HTTP Digest authentication A protocol Part of HTTP 1.1 specification A user’s credentials are submitted to the server as a checksum Checksum, input as message digests in digital signature, are generated using Username, password, requested URL, the HTTP method and a nonce value (a unique value generated by the server for each transmission) Created using MD5 algorithm, with 128 bits input Message content not encrypted Easy to be intercepted Both the client and the server must support digest authentication Use public-key or Kerberos for security help for HTTP 1.1 Web Services Security

Basic Security for Transmission over HTTP Server can restrict access on the basis of an IP address, password, or public-key Server can disallow access to all or part portions of a site for users with a certain IP address or from a specific IP subnet Also, use Public-key cryptography or other security methods in password Web Services Security

Web Services and Secure Sockets Layer (SSL) SSL protocols secures the channel through which data flows between a client and server and enables authentication of both parties. Still have problems using SSL to secure Web services User credentials and certificates are sometimes too large to transmit efficiently between computers Affect success of transactions SSL encryption uses processor power Slow down transmissions and significantly impede Web services performance Use SSL accelerators to handle complex SSL encryption calculations to free server resources and improving performance Web Services Security

Web Services and Secure Sockets Layer (SSL) For Web services, information going through a third-party device before reaching destination SSL cannot guarantee the security if the messages E.g., credit-card information SSL connects two computers at a time Protect data transmission, but not end-to-end security HTTPS Secure communications by sending HTTP requests and responses over an SSL connection Use port 443, instead of port 80 Web Services Security

XML Signature XML-based applications have security concerns XML documents are plain-text DTDs and stylesheets can be modified Alter XML documents (security holes) to allow anyone to access information Digital signature Solve the problem above by verifying document integrity Web Services Security

XML Signature W3C’s XML Signature specification Define an XML-based standard for representing digital signatures Provide authentication, message integrity and nonrepudiation Use Digital Signature Standard (DSS) public-key algorithm and the Secure Hash (SHA-1) authentication algorithm Web Services Security

XML Signature Extend XML signature to support their own algorithm and secure models Sign any type of file, not just XML document Signed data can reside inside or outside the XML document that contains the signature The data object is cryptographically signed and used in generating a message digest Web Services Security

XML Signature Using canonical form of an XML document before it is signed Avoid XML documents have the same hash value Same canonical form  logically equivalent Small differences create different hash values E.g., comments or spaces that have no impact on the meaning of an XML document Transform an XML document into a context interpreted by an application Logically equivalent documents produce the same message digest Regardless of structures of documents Web Services Security

XML Signature An example Online book order using credit card Send an XML document contains name, address, credit-card information, and order info. Information is protected by the signature and sent to the seller Seller checks the integrity of the customer’s signature and sign the document before submitting it to the credit-card company The credit-card company receives signatures that verify the authenticate the customer and the seller Protects buyers against unauthorized purchases Web Services Security

XML Encryption Handle the encryption and decryption of XML documents that are secured with XML signature. Signature verifies a sender’s identity and the data’s integrity, but encryption is necessary to prevent the signed data from being read en route. Protect any form of data Web Services Security

XML Encryption Exmaple Web Services Security

XML Encryption

XML Key management Specification (XKMS) Developed by Microsoft, VeriSign and webMethods A specification for registering and distributing encryption keys for Public Key Infrastructure (PKI) in Web services Problems with PKI No Web services PKI standards exist PKI solutions are expensive, difficult to implement No interoperable with other businesses’ PKI product Web Services Security

XML Key management Specification (XKMS) XKMS solves the problems Establishes a platform-independent set of standards Place portions of the PKI workload on the server side Free application resources for other processes Works with proprietary PKI solutions to integrate encryption, digital signature and authentication. Easy the steps to implement PKI Provide an easy and user-friendly method for secure transactions Web Services Security

Authentication and Authorization for Web Services Web service providers that want to reach the largest number of users should provide authentication and authorization via various popular sign-on services Web Services Security

Authentication and Authorization for Web Services Microsoft Passport uses .NET Web services for authentication and authorization Provide single sign-on Required to access Windows XP applications and Hotmail Adopted by many e-business, including eBay, Monster 200 millions users registered Web Services Security

Authentication and Authorization for Web Services Liberty Alliance Formed in October 2001 by Sun Microsystems Try to establish non-proprietary single sign-on standards for e-business Seek to secure businesses’ and users’ confidential information and to establish universal single sign-on methods Participants include AOL Time Warner, General Motors, American Express, Mastercard International, and RSA Security Web Services Security

Authentication and Authorization for Web Services Liberty Alliance The specification is designed to support decentralized authentication and interoperability Users are not required to contact a central server to receive authentication Increase flexibility Provide an ideal authentication system for wireless communications Offer an alternative to Microsoft Passport service Web Services Security

Web Services and Network Security Web services create additional network security concerns Network authenticate users before allowing access to resource However, Web services are designed to use single sign-on Allow access to applications on the basis of another source’s authentication credentials. Carry transactions beyond firewalls and place resources in risk of attack Web Services Security

Web Services and Network Security The biggest concern The immaturity of underlying standards Vulnerabilities are not discovered until attacks occur Usually, companies operate Web services over internal networks and restrict external access For security reasons Need extra steps to protect applications and network to offer external access to Web services Web Services Security

Web Services and Network Security Still improving Web services create new security challenge, but also can protect computers on a network Use Web services to search networks for signs of viruses Use Web services to apply updates to computers Web Services Security