Securing Web Services
Tim Bornholtz, Director of Technology Services, tim@prioritytech.com
©2001 Priority Technologies, Inc. All Rights Reserved

Web Services
Web applications that use programmatic interfaces for application-to-application communication.
Most definitions include these technologies:
XML
SOAP
WSDL
UDDI

Concerns
Using web services for basic system integration and XML interfaces is relatively stable.
The largest concern today is securing web services.

Security Requirements
Three capabilities must exist for secure web services:
Credential Transfer
Message Integrity
Message Confidentiality

Why isn't SOAP secure?
SOAP is simply a standard for sending messages over HTTP using XML.
The SOAP specification does not address security at all.
SOAP imposes no transport-protocol limitations:
Can use HTTP or HTTPS
Can use just about any known protocol

Security Standards
The Internet Engineering Task Force (IETF), the Organization for the Advancement of Structured Information Standards (OASIS) and the World Wide Web Consortium (W3C) have worked on at least 13 different web services security standards.

WS-Security
Uses W3C standards:
XML Encryption
XML Signatures
Other extension functions
Joint effort of many standards bodies and industries:
IBM
Microsoft
Verisign

WS-Security
Generally considered to be the best bet to emerge as the standard.
WS-Security interoperability exists for:
Web Services Enhancements 1.0 for Microsoft .NET
IBM Web Services ToolKit 3.3.2
Apache Axis with Apache XML Security

Interoperability
Interoperability depends on which algorithms are used.
Common algorithms such as RSA and DSA work fine.
Each vendor may support algorithms that are not interoperable with other toolkits.

XML Encryption
Encrypts XML documents and uses an XML syntax to represent:
Encrypted content (all encrypted content is still well-formed XML)
Information that enables the intended recipient to decrypt the data

XML Signatures
XML syntax for representing the signature of a document.
Procedures for computing and verifying the signature.
XML Encryption and XML Signatures are different standards; the use of one does not necessarily imply the use of the other.

Security Assertion Markup Language (SAML)
Framework for exchanging security information.
Assertions about subjects (people or computers) which have an identity in the network.
Assertions are issued by SAML authorities: authentication authorities, attribute authorities, and policy decision points.

SAML Assertions
Authentication: previous authentication acts. Assertions should not usually contain passwords.
Attributes: profile information, preference information.
Authorization: given the attributes, should access be allowed?

Typical Assertion
Issuer ID and issuance timestamp
Assertion ID
Subject: name and security domain
Conditions under which the assertion is valid:
Assertion validity period (NotBefore and NotOnOrAfter)
Audience restrictions
Target restrictions (intended URLs for the assertion)
Application-specific conditions

Meteor Security
All security in Meteor is through the use of industry-standard technologies:
Centralized registry
SAML
XML Signatures
SSL

Centralized Registry
Meteor uses a centralized LDAP server to contain:
Public keys of all participants
Network status information (active, pending, suspended)
Contact information

SAML Assertions
Meteor SAML Assertions contain:
Authentication Statement: timestamp, creator, and locality (machine)
Attributes: subject (creator), attribute name, attribute namespace, attribute value

Authentication Statement
<saml:AuthenticationStatement AuthenticationInstant="2002-08-27T03:12:01CDT"
    AuthenticationMethod="nchelp.org/meteor">
  <saml:Subject>
    <saml:NameIdentifier Name="ED.TIM" SecurityDomain="nchelp.org/meteor"/>
  </saml:Subject>
  <saml:AuthenticationLocality DNSAddress="meteor.prioritytech.com" IPAddress="10.110.1.48"/>
</saml:AuthenticationStatement>

Attributes
<saml:AttributeStatement>
  <saml:Subject>
    <saml:NameIdentifier Name="ED.TIM" SecurityDomain="nchelp.org/meteor"/>
  </saml:Subject>
  <saml:Attribute AttributeName="Role" AttributeNamespace="nchelp.org/meteor">
    <saml:AttributeValue>BORROWER</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>

Multiple Security Assertions
One SAML Assertion may contain authentication, authorization, and attribute information from several different authorities.
It is not necessary to have separate assertions for each SAML authority.
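The consumer-side checks the preceding slides describe, as an added Python example that is not part of the presentation or of Meteor: the assertion is parsed, its validity window (NotBefore and NotOnOrAfter) and audience restriction are enforced before any attribute is trusted, and every attribute statement is required to name the same subject as the authentication statement. The assertion text, AssertionID, Conditions and Audience values are constructed for this example; the namespace URI is the real SAML 1.x one.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Real SAML 1.x assertion namespace; the slide samples omit the xmlns declaration.
NS = {"saml": "urn:oasis:names:tc:SAML:1.0:assertion"}

# Constructed sample modelled on the Meteor statements in the slides (Conditions, Audience and ID made up).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="example-assertion-1" Issuer="nchelp.org/meteor">
  <saml:Conditions NotBefore="2002-08-27T03:12:01Z" NotOnOrAfter="2002-08-27T03:17:01Z">
    <saml:AudienceRestrictionCondition><saml:Audience>https://meteor.example/loan-status</saml:Audience></saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AuthenticationStatement AuthenticationInstant="2002-08-27T03:12:01Z" AuthenticationMethod="nchelp.org/meteor">
    <saml:Subject><saml:NameIdentifier Name="ED.TIM" SecurityDomain="nchelp.org/meteor"/></saml:Subject>
  </saml:AuthenticationStatement>
  <saml:AttributeStatement>
    <saml:Subject><saml:NameIdentifier Name="ED.TIM" SecurityDomain="nchelp.org/meteor"/></saml:Subject>
    <saml:Attribute AttributeName="Role" AttributeNamespace="nchelp.org/meteor"><saml:AttributeValue>BORROWER</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def parse_time(s):  # UTC timestamps as used in the constructed sample
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def subject_of(stmt):  # (security domain, name) of a statement's subject
    ident = stmt.find("saml:Subject/saml:NameIdentifier", NS)
    return (ident.get("SecurityDomain"), ident.get("Name"))

def evaluate_assertion(xml_text, audience, now):
    """Return (accepted, reason, attributes); conditions are checked before any attribute is trusted."""
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", NS)
    authn = root.find("saml:AuthenticationStatement", NS)
    if cond is None or authn is None:
        return False, "missing conditions or authentication statement", {}
    if now < parse_time(cond.get("NotBefore")):
        return False, "not yet valid", {}
    if now >= parse_time(cond.get("NotOnOrAfter")):  # NotOnOrAfter is exclusive
        return False, "expired", {}
    allowed = {a.text for a in cond.iterfind("saml:AudienceRestrictionCondition/saml:Audience", NS)}
    if allowed and audience not in allowed:
        return False, "audience mismatch", {}
    attrs = {}
    for stmt in root.iterfind("saml:AttributeStatement", NS):
        if subject_of(stmt) != subject_of(authn):  # statements must describe one subject
            return False, "attribute subject mismatch", {}
        for a in stmt.iterfind("saml:Attribute", NS):
            key = (a.get("AttributeNamespace"), a.get("AttributeName"))
            attrs[key] = [v.text for v in a.iterfind("saml:AttributeValue", NS)]
    return True, "ok", attrs
```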

XML Signatures
The SAML assertion is signed by the entity that created it.
When signed, all irrelevant white-space is removed.
Sample: Signed Assertion
Once signed, the document may not be modified in any way.
The entire request is not signed.
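The two points above, white-space removal before signing and the fact that only the assertion is signed, as an added Python example (not Meteor code): a simplified stand-in for the canonicalization step, and a digest check that covers only the assertion subtree, so re-indenting the message or editing the envelope outside the assertion does not change the digest while any edit inside it does. The Request envelope and its Action element are constructed for this example.

```python
import hashlib
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:1.0:assertion"}  # real SAML 1.x namespace
ET.register_namespace("saml", NS["saml"])  # keep the saml: prefix on re-serialization

# Constructed request: a made-up envelope carrying a Meteor-style assertion.
REQUEST = """<Request xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
  <Action>GetLoanStatus</Action>
  <saml:Assertion AssertionID="example-assertion-1" Issuer="nchelp.org/meteor">
    <saml:AttributeStatement>
      <saml:Subject><saml:NameIdentifier Name="ED.TIM" SecurityDomain="nchelp.org/meteor"/></saml:Subject>
      <saml:Attribute AttributeName="Role" AttributeNamespace="nchelp.org/meteor">
        <saml:AttributeValue>BORROWER</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</Request>"""

def normalized_bytes(element):
    """Simplified stand-in for the canonicalization step of XML Signature:
    whitespace-only text between tags is dropped so that re-indenting the
    message does not change the bytes that get hashed and signed. Real
    deployments use the W3C Canonical XML algorithm, which additionally
    fixes attribute order and namespace declarations (not done here)."""
    for el in element.iter():
        if el.text is not None and not el.text.strip():
            el.text = None
        if el.tail is not None and not el.tail.strip():
            el.tail = None
    return ET.tostring(element, encoding="utf-8")

def assertion_digest(request_xml):
    """Digest of the signed subtree only (the assertion, not the whole request);
    this is the value a signature's Reference/DigestValue would commit to."""
    assertion = ET.fromstring(request_xml).find("saml:Assertion", NS)
    return hashlib.sha256(normalized_bytes(assertion)).hexdigest()

def assertion_unmodified(request_xml, digest_at_signing):
    """Verifier-side check: recompute the digest and compare it with the one the
    signer committed to (verifying the signature over it is a separate step)."""
    return assertion_digest(request_xml) == digest_at_signing
```

Because the digest covers only the assertion, a changed Action element still verifies, which is exactly the exposure the slide's last point describes.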

Encryption
Meteor does not use XML Encryption.
The specification was not available when we began development.
We plan to move to it as the technology matures.
Currently all communication is over SSL.

Meteor Security Requirements
Three capabilities must exist for secure web services:
Credential Transfer: SAML Assertions
Message Integrity: XML Signatures and SSL
Message Confidentiality: SSL

Planning an Implementation
When planning your own Web Services:
Gain a detailed understanding of the potential risks (viruses, hackers, natural disasters).
Make a proactive analysis of the consequences and countermeasures in relation to those risks.
Create an implementation strategy for integrating security measures into your enterprise network.