1 Web Services Security -- Maria Lizarraga, CS691, 11/9/2018

2 Agenda
Problem Definition
SOAP Messages
Implementing Security Services: Integrity, Confidentiality, Authentication
Implementation

3 What is a web service?
A web service is a web software application available on the network that provides an interface for exchanging information with a client. Its elements are:
    the software application
    a method of interfacing to the application
    a URI associated with the application
    a published document that gives visibility to the world

A web service can be likened to a procedure call, specifically a remote procedure call. It is a service (operation) that can be accessed over the network by providing the proper interface to it. A client can provide data to the web service or obtain data from it via the interface. The service resides on the web server. The interface starts with an XML document. The information in the XML document must be put into an agreed-upon format in order to communicate with a web service. This format is described in the standard called Simple Object Access Protocol, SOAP, which is a method of sending messages between the client and server. The web server compiles the data into a SOAP message. The SOAP messages are sent via HTTP. The web service is registered, giving visibility of the web service to those who have access to the registry. The registry keeps a name, location, and description of the service. The standard for the registry is the Universal Description, Discovery, and Integration (UDDI) standard, so the registry is known as a UDDI registry. The web service information is put into a file whose format is covered by the Web Services Description Language (WSDL) standard. I will discuss each of these elements in greater detail later in this paper.

4 Architecture
There are three entities that play a part in deploying a web service. These entities are depicted in figure 1. The service server contains the web service and publishes it to a registry. The registry contains a description of the web service. Clients can “shop” for a web service by contacting a registry. When a client discovers the web service they need, they download the description. From the description, an application can be developed that will access the web service from the service server.

5 Maria’s Competitive Loan Service

6 Network Layer Firewall
The firewall authenticates the user
The SOAP server cannot distinguish between:
    Business Partner
    Customer

7 Solution
Make the firewall XML- and SOAP-aware
The SOAP message contains the security information
Intruders are now stopped at the firewall

8 Simple Object Access Protocol (SOAP) Message
XML embedded into HTTP
Three parts: Envelope, Header, Body

9 SOAP Request – Digital Signature

SOAP Message (sent over HTTP; Envelope and Body only, no Header):

    POST /GradesService/services/GradesService HTTP/1.0
    Content-Type: text/xml; charset=utf-8
    Accept: application/soap+xml, application/dime, multipart/related, text/*
    User-Agent: IBM WebServices/1.0
    Host: localhost:9080
    Cache-Control: no-cache
    Pragma: no-cache
    SOAPAction: ""
    Content-Length: 356

    <?xml version="1.0" encoding="UTF-8"?>
    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                      xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
                      xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <soapenv:Body>
        <getStudents xmlns="..."/>  <!-- service namespace URI not preserved in the transcript -->
      </soapenv:Body>
    </soapenv:Envelope>

Application (the service the request invokes):

    package grades;

    public class GradesService {
        final int NUMSTUDENTS = 4;
        String[] students;
        char[] grade;

        public GradesService() {
            students = new String[] {"Mary", "Joe", "Sally", "Tim"};
            grade = new char[] {'A', 'B', 'C', 'D'};
        } // end constructor

        // Returns the grade of the named student, or 'Z' if the student is unknown.
        public char getStudentGrade(String student) {
            for (int i = 0; i < NUMSTUDENTS; i++)
                if (student.equals(students[i]))
                    return grade[i];
            return 'Z';
        } // end getStudentGrade

        public String getStudent(int studentID) {
            return students[studentID];
        } // end getStudent

        // The operation called by the SOAP request above.
        public String[] getStudents() {
            return students;
        } // end getStudents

        public static void main(String[] args) {
            GradesService gs = new GradesService();
            for (int i = 0; i < gs.NUMSTUDENTS; i++)
                System.out.println("Student: " + gs.getStudent(i)
                        + "\tGrade: " + gs.getStudentGrade(gs.getStudent(i)));
        } // end main
    } // end class GradesService

10 Response

    HTTP/1.1 200 OK
    Server: WebSphere Application Server/5.1
    Content-Type: text/xml; charset=utf-8
    Content-Language: en-US
    Connection: close

    <?xml version="1.0" encoding="UTF-8"?>
    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                      xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
                      xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <soapenv:Body>
        <getStudentsResponse xmlns="...">  <!-- service namespace URI not preserved in the transcript -->
          <getStudentsReturn>Mary</getStudentsReturn>
          <getStudentsReturn>Joe</getStudentsReturn>
          <getStudentsReturn>Sally</getStudentsReturn>
          <getStudentsReturn>Tim</getStudentsReturn>
        </getStudentsResponse>
      </soapenv:Body>
    </soapenv:Envelope>

Data is visible: the returned names travel in clear text.

11 Security Services
Confidentiality: XML Encryption
Integrity: XML Digital Signature
Authentication: Security Tokens

12 Client Application

13 Integrity and Authentication Example
Goal: message integrity, message authentication, user authentication
Process:
    Obtain the message digest of the message.
    Encrypt the message digest with the sender’s private key.

14 XML Digital Signature
<BinarySecurityToken> -- Specifies the encoding format for binary-encoded security tokens
    EncodingType -- Encoding used on the security token
    ValueType -- ID of the encoded digital certificate
<Signature> -- Signature-specific information; it contains the following three subsections:
    <SignedInfo> -- Processing information: how it is signed
        <CanonicalizationMethod> -- Data-normalizing algorithm
        <SignatureMethod> -- Signature algorithm
        <Reference> -- Points to the signed content
            <Transforms> -- How to process the data
            <DigestMethod> -- Hashing algorithm used on <body>
            <DigestValue>
    <SignatureValue> -- Value of the signed data
    <KeyInfo> -- Optional key identifier (such as a public key/symmetric key)
        <wsse:SecurityTokenReference>
            Reference -- Refers to the public key inside the digital certificate
Digital Signature Request Example
Digital Signature Response Example
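The digest-then-sign process of slide 13 and the SignedInfo/Reference/DigestValue/SignatureValue structure of slide 14, as an added example that is not code from the slides: the Body is canonicalized and hashed, the digest goes into a Reference, and the signature covers SignedInfo rather than the Body. HMAC-SHA256 stands in for the RSA private-key signature in the slides so that only the Python standard library is needed (xml.etree canonicalizes with C14N 2.0), and the sample body, the wsu:Id value and the shared key are assumptions.

```python
import base64, hashlib, hmac
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
SOAPENV = "http://schemas.xmlsoap.org/soap/envelope/"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
C14N2 = "http://www.w3.org/2010/xml-c14n2"                 # what ET.canonicalize implements
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
HMAC_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"

# Constructed sample: the getStudents request body from the slides, labelled with a wsu:Id
BODY = (f'<soapenv:Body xmlns:soapenv="{SOAPENV}" xmlns:wsu="{WSU}" wsu:Id="Body">'
        '<getStudents xmlns="urn:example:grades"/></soapenv:Body>')
KEY = b"demo-shared-secret"   # assumed key shared by client and service (stands in for the RSA key pair)

def digest_of(fragment):
    # DigestValue: canonicalize the referenced element, then hash the canonical bytes
    c14n = ET.canonicalize(xml_data=fragment, strip_text=True)
    return base64.b64encode(hashlib.sha256(c14n.encode()).digest()).decode()

def build_signed_info(body_digest):
    return (f'<ds:SignedInfo xmlns:ds="{DS}">'
            f'<ds:CanonicalizationMethod Algorithm="{C14N2}"/>'
            f'<ds:SignatureMethod Algorithm="{HMAC_SHA256}"/>'
            f'<ds:Reference URI="#Body"><ds:DigestMethod Algorithm="{SHA256}"/>'
            f'<ds:DigestValue>{body_digest}</ds:DigestValue></ds:Reference></ds:SignedInfo>')

def signature_value(signed_info, key):
    # SignatureValue covers SignedInfo (which carries the body digest), not the body itself
    c14n = ET.canonicalize(xml_data=signed_info, strip_text=True)
    return base64.b64encode(hmac.new(key, c14n.encode(), hashlib.sha256).digest()).decode()

def sign(body, key):
    si = build_signed_info(digest_of(body))
    return (f'<ds:Signature xmlns:ds="{DS}">{si}'
            f'<ds:SignatureValue>{signature_value(si, key)}</ds:SignatureValue></ds:Signature>')

def verify(body, signature_xml, key):
    # Receiver: check the Body digest, then the signature over SignedInfo exactly as received
    start, end = signature_xml.find("<ds:SignedInfo"), signature_xml.find("</ds:SignedInfo>")
    if start < 0 or end < 0:
        return False
    si = signature_xml[start:end + len("</ds:SignedInfo>")]
    node = ET.fromstring(si).find(f".//{{{DS}}}DigestValue")
    if node is None or not hmac.compare_digest(node.text or "", digest_of(body)):
        return False                        # Body altered after signing, or digest missing
    given = ET.fromstring(signature_xml).findtext(f"{{{DS}}}SignatureValue") or ""
    return hmac.compare_digest(given, signature_value(si, key))
```

Altering one element of the Body changes its digest, so the receiver rejects the message before it reaches the application; a wrong key fails the SignatureValue check instead.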

15 Confidentiality Example
Goal: only allow those who have “a need to know” to see the data
Process:
    Encrypt <body> with a symmetric key
    Encrypt the symmetric key with the recipient's public key

16 XML Encryption
<EncryptedKey> -- Symmetric key information
    <EncryptionMethod> -- Method of encryption
    <KeyInfo> -- Encrypted key identifier
        <SecurityTokenReference>
            <KeyIdentifier>
    <CipherData>
        <CipherValue> -- Encrypted symmetric key
    <ReferenceList> -- Reference to the encrypted text
Encryption Request Example
Encryption Response Example

17 Other XML Encryption Options
Encrypt the entire message
Encrypt attachments
Encrypt any element
Encrypt an already-encrypted element

18 Basic Authentication Example
Goal: identify the user
Process:
    Provide the user name
    Provide the user password (not encrypted)

19 Basic Authentication
<UsernameToken>
    <Username>
    <Password>
Basic Authentication Request Example
Basic Authentication Response Example

20 Security Tokens
Security tokens used to authenticate:
    Basic Authentication -- login/password
    Digital Signature -- public key/private key
    ID Assertion -- single sign-on
    LTPA (Lightweight Third Party Authentication) -- forwardable credentials

21 Assertions

22 LTPA

23 Hash Message Authentication Code (HMAC)

    <wsse:UsernameToken wsu:Id="LoanCenterUsernameToken">
      <wsse:Username>CompetitiveLoanService</wsse:Username>
      <wsse:Nonce>WS3Lhf6RpK...</wsse:Nonce>
      <wsu:Created>T09:00:00Z</wsu:Created>
    </wsse:UsernameToken>

24 WebSphere Implementation
Wizard support for:
    XML Encryption
    XML Digital Signatures
    (one or the other, not both, for the <body> of a message)
Without wizardry:
    Security Tokens: Basic Authentication, Digital Signatures, Assertions, LTPA
    Multiple encryptions on any part of the message
    Multiple digital signatures on any part of the message

25 Summary
Web Service Architecture
SOAP
Implementing Security Services:
    Integrity: XML Digital Signature
    Confidentiality: XML Encryption
    Authentication: Security Tokens


