Presentation is loading. Please wait.

Presentation is loading. Please wait.

Multi-party Authentication in Web Services

Published byΣατανᾶς Αλαφούζος Modified over 6 years ago

Similar presentations

Presentation on theme: "Multi-party Authentication in Web Services"— Presentation transcript:

1 Multi-party Authentication in Web Services
Madhumita Chatterjee 11/28/ :03 PM

2 Overview Web Services Architecture Typical Scenario Security Threats
Challenges and issues Need for Session Authentication Maruyama’s Approach A Proposal 11/28/ :03 PM

3 Demystifying Webservices:
Web services are modular software components Wrapped inside a specific set of Internet communications protocols Can communicate with other components automatically without human intervention. 11/28/ :03 PM

4 Typical Web Services airline ticket reservation process
real time travel advisory a restaurant review article 11/28/ :03 PM

5 Web Site/ Web Service A Web service is designed to be
accessed by applications. 11/28/ :03 PM

6 Web Service Working Each new request to a Web service is automatically spawned as a new thread in the Web Service process . A Service could also delegate tasks to other services. Dynamic behavior of these short-lived services, introduce new security challenges. 11/28/ :03 PM

7 Key roles in the Web services architecture
3 key roles a service provider, a service registry and a service requestor. 3 operations performed: Publish--- makes the service description publicly available. Find operation discovers the Web service. Bind operation allows the service to be used by the person or program requesting the service. 11/28/ :03 PM

8 Architecture 11/28/ :03 PM

9 Web Service Components
Internet based modular applications Program to program communication XML WSDL SOAP UDDI 11/28/ :03 PM

10 Web Services Description Lang
WSDL is the language used to create service descriptions. Able to create descriptions about the location of the service, how to run it, what business is hosting the service, the kind of service it is, etc 11/28/ :03 PM

11 Simple Object Access Protocol
SOAP is the means through which the service provider, service registry and service requestor communicate. XML-based technology used to exchange structured data between network applications. SOAP is used to publish the service description to a service registry. All other interactions between service registry, service requestor and service provider are done via SOAP. 11/28/ :03 PM

12 Universal Description Discovery & Integration
· UDDI is the directory technology used by service registries that contain the description of Web services Allows the directory to be searched for a particular Web service. UDDI is in essence a Yellow Pages that can be used to locate Web services. 11/28/ :03 PM

13 Web Service Architecture
Implementation of Services (components) UDDI Interface Description with WSDL 1. Request 4. Request Service requester Service Broker Web Server For SOAP S E R V I C e 11/28/ :03 PM

14 Web Service Security-A concern
Web services are based on message exchanges on the net with the possibility of dynamic short-term relationships. Authentication: Establishing identity of user Authorization: Establishing what a user is allowed to do. 11/28/ :03 PM

15 Web Service Security……cont
Confidentiality: Ensuring that only the intended recipient can read the message, accompanied by encryption. Integrity: Ensuring that the message has not been tampered with, generally accomplished with digital signatures. 11/28/ :03 PM

16 Web Service Workflows Dynamic composition Multiple instances
Workflow involves service instances belonging to different Web services Multiple parties belong to a flow. 11/28/ :03 PM

17 Typical Web Service Scenario
Buyer Govt service Financer Provider Shipper B.1 G.1 P.2 S.1 P.1 F.2 Service Instance Insurance I.1 F.1 11/28/ :03 PM

18 Threats To Web Service Security
Malicious web service threats typically fall into one of three categories: Identity threats, such as authentication attacks, eavesdropping etc. Content-borne threats, which are attacks with elements in the actual XML payload, such as XML viruses. XML Denial of Service (XdoS), which are new application-level versions of network level DoS attacks. 11/28/ :03 PM

19 Identity Threats…. Unauthorized access Parameter manipulation
Weak authentication and authorization Parameter manipulation Unauthorized modification of data Network eavesdropping Message replay 11/28/ :03 PM

20 Need for session Authentication
TA-1 TA-2 Hotel Flight Car#1 Car#2 11/28/ :03 PM

21 Maruyama’s protocol Session Authenticator component responsible for distributing keys and authenticating messages Each instance belonging to a session gets the shared key 11/28/ :03 PM

22 Maruyama’s protocol….cont
Message authentication protocol transports authentication information between session participants Session management protocol responsible for starting, running and ending a particular session. 11/28/ :03 PM

23 Message Authentication
Session Authenticator Allows service instances to mutually verify transient membership Service Authenticator Protocol for sending Web service to send MACed SOAP envelope to receiving Web Service 11/28/ :03 PM

24 Session Authenticator
Sending instance prepares SOAP envelope Optionally uses XML encryption Adds authentication to SOAP header Using SOAP-DSIG applies MAC to envelope under session key. 11/28/ :03 PM

25 Session Auth….cont… Receiver checks for session key.
Else obtains key from session manager. Validates MAC and accepts SOAP envelope. Decrypts encrypted message. Receiver now has authenticated mesg and session handle. 11/28/ :03 PM

26 Service Authenticator
Sending service prepares SOAP envelope. Adds authentication header. Uses SOAP-DSIG to digitally sign mesg. Optionally uses XML encryption. Receiver decrypts, validates signature, verifies its own sign and accepts. 11/28/ :03 PM

27 Session Management Initiator of session could be SA
Assigning session Ids. Creating session secrets. Maintaining status information for each session. Keeping participants informed of the status. Shutting down sessions. 11/28/ :03 PM

28 Online session Management
11/28/ :03 PM

29 Drawbacks .. SA cannot measure the validity of service instance
Anyone who has session ID can contact SA. An attacker who has compromised an instance can request to join session No unique identifier for each instance 11/28/ :03 PM

30 Issues not considered What if Session Manager is malicious??
11/28/ :03 PM

31 WS-Security specifications
The WS-Security specifications protect against: Message alteration—By including digital signatures for all or parts of the SOAP body and the SOAP header. Message disclosure—By supporting message encryption. 11/28/ :03 PM

32 ….Specifications cont Preserve message integrity through the use of strong key algorithms. Authenticate messages through the use of various token mechanisms such as Kerberos and X.509. 11/28/ :03 PM

33 Challenges Dealing with un-trusted clients.
Application internals are exposed. SOAP messages are not point to point Challenge is to preserve security of SOAP message from initial SOAP sender to ultimate SOAP receiver. 11/28/ :03 PM

34 SSL is inadequate SSL cannot be used to authenticate dynamically generated participants SSL provides point-to-point security Web Services need end-to-end security SSL does not support End-to-end confidentiality Element wise signing and encryption Non-repudiation 11/28/ :03 PM

35 A Proposal….Adaptive approach
Requirements of users may vary. Is there need for stringent measures uniformly to every node and transaction Can we apply as much security as a particular transaction requires? 11/28/ :03 PM

36 Sophisticated Web Services
E.g order for aircraft engine Spawns multiple supporting transactions Orders to individual parts Orders for shipping containers Etc Involves handling huge volumes of traffic 11/28/ :03 PM

37 Adaptive approach ….cont
For Simple Web services existing security measures may suffice. For sophisticated Web Services involving long transactions trusted third party model desirable. Can an adaptive/hybrid approach be implemented??? 11/28/ :03 PM

38 References 1. S. Hada and H. Maruyama, “Session Authentication Protocol for Web Services,” Proc IEEE Symposium on Application and the Internet, pp , Jan 2. Dacheng Zhang and Jie Xu, “Multi-Party Authentication for Web Services: Protocols, Implementation and Evaluation,” Proc IEEE Symposium on Object Oriented Real-time Distributed Computing. 3. M.Hondo, N. Nagaratnam, A.Nadalin, “Securing Web Services,” IBM Systems Journal, Vol 41, No. 2, 2002. 4. David Geer, “Taking Steps to Secure Web Services,” IEEE Computer, Vol 36, Oct 2003. 5. V Vasudevan, “A Web Services Primer”, April 2001. 6. Y. Nakamur, S. Hada and R. Neyama, “Towards the Integration of Web Services Security on Enterprise Environments,” Proc Symposium on Applications and the Internet, pp , Jan 7. W3C NOTE, Simple Object Access Protocol (SOAP) 1.1, 11/28/ :03 PM

39 References 8. W3C NOTE, SOAP Security Extensions: Digital Signature,
9. Web `Services Security(WS-Security), 10. Web Services Security Threats and Countermeasures, Microsoft Corporation, Jan 2004. 11/28/ :03 PM

Download ppt "Multi-party Authentication in Web Services"

Similar presentations

Web Service Architecture

Web Service Architecture
Overview of Web Services

Overview of Web Services
CS651/551 Federated Trust Systems Alfred C. Weaver

CS651/551 Federated Trust Systems Alfred C. Weaver
Web Services Nasrullah. Motivation about web service There are number of programms over the internet that need to communicate with other programms over.

Web Services Nasrullah. Motivation about web service There are number of programms over the internet that need to communicate with other programms over.
Unifying the conceptual levels of network security through use of patterns Ph.D Dissertation Proposal Candidate: Ajoy Kumar, Advisor: Dr Eduardo B. Fernandez.

Unifying the conceptual levels of network security through use of patterns Ph.D Dissertation Proposal Candidate: Ajoy Kumar, Advisor: Dr Eduardo B. Fernandez.
SOA and Web Services. SOA Architecture Explaination Transport protocols - communicate between a service and a requester. Messaging layer - enables the.

SOA and Web Services. SOA Architecture Explaination Transport protocols - communicate between a service and a requester. Messaging layer - enables the.
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.

Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.
Web Services Andrea Miller Ryan Armstrong Alex. Web services are an emerging technology that offer a solution for providing a common collaborative architecture.

Web Services Andrea Miller Ryan Armstrong Alex. Web services are an emerging technology that offer a solution for providing a common collaborative architecture.
Secure Systems Research Group - FAU Web Services Standards Presented by Keiko Hashizume.

Secure Systems Research Group - FAU Web Services Standards Presented by Keiko Hashizume.
Alexander Potapov.  Authentication definition  Protocol architectures  Cryptographic properties  Freshness  Types of attack on protocols  Two-way.

Alexander Potapov.  Authentication definition  Protocol architectures  Cryptographic properties  Freshness  Types of attack on protocols  Two-way.
Processing of structured documents Spring 2003, Part 6 Helena Ahonen-Myka.

Processing of structured documents Spring 2003, Part 6 Helena Ahonen-Myka.
Wireless and Email Security CSCI 5857: Encoding and Encryption.

Wireless and Security CSCI 5857: Encoding and Encryption.
Secure Electronic Transaction (SET)

Secure Electronic Transaction (SET)
Lecture 23 Internet Authentication Applications modified from slides of Lawrie Brown.

Lecture 23 Internet Authentication Applications modified from slides of Lawrie Brown.
Agent Model for Interaction with Semantic Web Services Ivo Mihailovic.

Agent Model for Interaction with Semantic Web Services Ivo Mihailovic.
International Telecommunication Union Geneva, 9(pm)-10 February 2009 ITU-T Security Standardization on Mobile Web Services Lee, Jae Seung Special Fellow,

International Telecommunication Union Geneva, 9(pm)-10 February 2009 ITU-T Security Standardization on Mobile Web Services Lee, Jae Seung Special Fellow,
E-Commerce Security Professor: Morteza Anvari Student: Xiaoli Li Student ID: 102088 March 10, 2001.

E-Commerce Security Professor: Morteza Anvari Student: Xiaoli Li Student ID: March 10, 2001.
Chapter 21 Distributed System Security Copyright © 2008.

Chapter 21 Distributed System Security Copyright © 2008.
Web Services Based on SOA: Concepts, Technology, Design by Thomas Erl MIS 181.9: Service Oriented Architecture 2 nd Semester, 2011-2012.

Web Services Based on SOA: Concepts, Technology, Design by Thomas Erl MIS 181.9: Service Oriented Architecture 2 nd Semester,

Similar presentations

Ads by Google