11/9/2018 Web Services Security Maria Lizarraga CS691

Agenda Problem Definition SOAP Messages Implementing Security Services Integrity Confidentiality Authentication Implementation 11/9/2018 Maria Lizarraga

11/9/2018 What is a web service? A web service is a web software application available on the network that provides an interface for exchanging information with a client. the software application a method to interface to the application URI associated with the application a published document that gives visibility to the world A web service can be analogized a procedure call, a remote procedure call. It is a service (operation) that can be accessed over the network by providing the proper interface to it. A client can provide data to the web service or obtain data from it via the interface. The service resides on the web server. The interface starts with a XML document. The information in the XML document must be put into an agreed upon format in order to communicate to a web service. This format is described in the standard called Simple Object Access Protocol, SOAP. It a method of sending messages between the client and server. The web server compiles the data into a SOAP message. The SOAP messages are sent via HTTP. The web service is registered, giving visibility of the web service to those who have access to the registry. The registry keeps a name, location, and description of the service. The standard for the registry is the Universal Description, Discovery, and Integration (UDDI) standard. The registry is known as an UDDI registry. The web service information is put into a file, whose format is covered by the Web Services Description Language (WSDL) standard. I will discuss each of these elements in greater detail later in this paper. 11/9/2018 Maria Lizarraga

Architecture 11/9/2018 Maria Lizarraga There are three entities that play a part in deploying a web service. These entities are depicted in figure 1. The service server contains the web service. It publishes the web service to a registry. The registry contains a description of the web service. Clients can “shop” for a web service by contacting a registry. When a client discovers the web service they need, they download the description. From the description, an application can be developed that will access the web service from the service server. 11/9/2018 Maria Lizarraga

Maria’s Competitive Loan Service 11/9/2018 Maria Lizarraga

Network Layer Firewall Firewall authenticates user SOAP server cannot distinguish between Business Partner Customer 11/9/2018 Maria Lizarraga

Solution Make firewall XML and SOAP aware SOAP message contains security information Intruders now stopped at the firewall 11/9/2018 Maria Lizarraga

Simple Object Access Protocol, SOAP Message XML Embedded into HTTP Three parts Envelope Header Body 11/9/2018 Maria Lizarraga

SOAP Request – Digital Signature 11/9/2018 SOAP Message POST /GradesService/services/GradesService HTTP/1.0 Content-Type: text/xml; charset=utf-8 Accept: application/soap+xml, application/dime, multipart/related, text/* User-Agent: IBM WebServices/1.0 Host: localhost:9080 Cache-Control: no-cache Pragma: no-cache SOAPAction: "" Content-Length: 356 <?xml version="1.0" encoding="UTF-8"?> <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/ envelope/" xmlns:soapenc="http://schemas.xmlsoap.org/soap/ encoding/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema- instance"> <soapenv:Body> <getStudents xmlns="http://grades"/> </soapenv:Body> </soapenv:Envelope> Application package grades; public class GradesService { final int NUMSTUDENTS = 4; String[] students; char[] grade; public GradesService ( ) { students = new String [] {"Mary", "Joe", "Sally", "Tim"}; grade = new char [] {'A', 'B', 'C', 'D'}; } // end constructor public char getStudentGrade (String student) { for (int i = 0; i < NUMSTUDENTS; i++) if (student.equals(students[i])) return grade[i]; return 'Z'; } // end getStudentGrade public String getStudent (int studentID) { return students[studentID]; } // end getStudent public String[] getStudents ( ) { return students; } // end getStudents public static void main(String[] args){ GradesService gs = new GradesService(); for (int i = 0; i < gs.NUMSTUDENTS; i++) System.out.println("Student: " + gs.getStudent (i) + "\tGrade:” + gs.getStudentGrade(gs.getStudent(i))); } // end main } // end class GradesService Sent over HTTP Envelope Body (no header) 11/9/2018 Maria Lizarraga

Response HTTP/1.1 200 OK Server: WebSphere Application Server/5.1 11/9/2018 Response HTTP/1.1 200 OK Server: WebSphere Application Server/5.1 Content-Type: text/xml; charset=utf-8 Content-Language: en-US Connection: close <?xml version="1.0" encoding="UTF-8"?> <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <soapenv:Body> <getStudentsResponse xmlns="http://grades"> <getStudentsReturn> Mary </getStudentsReturn> Joe Sally Tim </getStudentsResponse> </soapenv:Body> </soapenv:Envelope> Data is visible. 11/9/2018 Maria Lizarraga

Security Services Confidentiality XML Encryption Integrity XML Digital Signature Authentication Security Tokens 11/9/2018 Maria Lizarraga

Client Application 11/9/2018 Maria Lizarraga

Integrity and Authentication Example Goal Message Integrity Message Authentication User Authentication Process Obtain the message digest of the message. Encrypt message digest with sender’s private key. 11/9/2018 Maria Lizarraga

XML Digital Signature <BinarySecurityToken> -- This section is for specifying the encoding format for binary encoded security tokens. EncodingType -- Encoding used on Security Token ValueType -- ID Encoded Digital Certificate <Signature> -- Signature specific information. It contains the following three subsections: <SignedInfo> -- Processing information – How it is signed <CanonicalizationMethod> -- Normalizing data algorithm <SignatureMethod> -- Signature algorithm <Reference> -- Points to signed content <Transforms> -- How to process data <DigestMethod> -- Hashing algorithm used on <body> <DigestValue> <SignatureValue> -- Value of the signed data <KeyInfo> -- Optional key identifier (such as a public key/symmetric key) <wsse:SecurityTokenReference> Reference -- Refers to public key inside Digital Certificate Digital Signature Request Example Digital Signature Response Example 11/9/2018 Maria Lizarraga

Confidentiality Example Goal Only allow those who have “a need to know” see the data Process Encrypt <body> with symmetric key Encrypt symmetric key with recipient's public key 11/9/2018 Maria Lizarraga

XML Encryption <EncryptedKey> -- Symmetric key information <EncryptionMethod> -- Method of Encryption <KeyInfo> -- Encrypted Key Identifier <SecurityTokenReference> <KeyIdentifier> <CipherData> <CiperValue> -- Encrypted Symmetric Key <ReferenceList> -- Reference to the encrypted text Encryption Request Example Encryption Response Example 11/9/2018 Maria Lizarraga

Other XML Encryption Options Encrypt entire message Encrypt attachments Encrypt any element Encrypt an encrypted element 11/9/2018 Maria Lizarraga

Basic Authentication Example Goal Identify the user Process Provide user name Provide user password (not encrypted) 11/9/2018 Maria Lizarraga

Basic Authentication < UsernameToken> <Username> <Password> Basic Authentication Request Example Basic Authentication Response Example 11/9/2018 Maria Lizarraga

Security Tokens Security Tokens used to Authenticate Basic Authentication Login/Password Digital Signature Public Key/Private Key ID Assertion Single Sign-On LTPA – Lightweight Third Party Authentication Forwardable Credentials 11/9/2018 Maria Lizarraga

Assertions 11/9/2018 Maria Lizarraga

LTPA 11/9/2018 Maria Lizarraga

Hash Message Authentication Code (HMAC) <wsse:UsernameToken wsu:Id=“LoanCenterUsernameToken">     <wsse:Username> CompetitiveLoanService</wsse:Username>  <wsse:Nonce>WS3Lhf6RpK...</wsse:Nonce>  <wsu:Created> 2003-06-12T09:00:00Z </wsu:Created> </wsse:UsernameToken> 11/9/2018 Maria Lizarraga

WebSphere Implementation 11/9/2018 WebSphere Implementation Wizard support for: XML Encryptions XML Digital Signatures (One or the other, not both for <body> of message) Without Wizardry: Security Tokens Basic Authentication Digital Signatures Assertions LTPA Multiple Encryption on any part of message Multiple Digital Signatures on any part of message 11/9/2018 Maria Lizarraga

Summary Web Service Architecture SOAP Implementing Security Services Integrity  XML Digital Signature Confidentiality  XML Encryption Authentication  Security Tokens 11/9/2018 Maria Lizarraga

References XML Signature WG (specification), http://www.w3.org/Signature/ XML Encryption WG (specification), http://www.w3.org/Encryption/2001/ OASIS Security Services (SAML) TC, http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security OASIS eXtensible Access Control Markup Language (XACML) TC, http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml SOAP Tutorial, http://www.w3schools.com/soap Specification: Web Services Security (WS-Security), http://www-106.ibm.com/developerworks/webservices/library/ws-secure/ 11/9/2018 Maria Lizarraga