Forward: Preventing XML Signature Wrapping Attacks in Cloud Computing. Prepared by: Abdulaziz AlShammari. Professor Ramasamy Uthurusamy. April 10, 2014.


1 Forward: Preventing XML Signature Wrapping Attacks in Cloud Computing
Prepared by: Abdulaziz AlShammari
Professor Ramasamy Uthurusamy
April 10, 2014

2 Agenda
- What is Cloud Computing?
- Layers of Cloud Computing.
- Why Cloud?
- Related Work
- Technical Security Issues in Cloud Computing.
- What are the problems?
- Proposed Solutions
- Conclusion
- References
Alshammari/Cloud Security

3 What is Cloud Computing?
It is a new paradigm for the provision of computing services. Shifting the location of these services to the network reduces the costs of hardware and software resources.

4 Models of Cloud Computing

5 Models of Cloud Computing

6 Why we use Cloud Computing?
To reduce the costs (Pay-As-You-Go):
1- To reduce hardware costs (IaaS).
2- To reduce software license costs (SaaS), (PaaS).
To support scalable systems:
- No need to worry about an increasing number of users and requests.
On-demand service
Broad Network Access

7 Two main technologies are used to access these three Cloud services
1- Web-Services: Provide access to (IaaS)
2- Web-Browsers: Provide access to (SaaS)
* Both provide access to (PaaS)

8 Related work
McIntosh and Austel:
- A signature must be present in the security header
- The element specified by /soap:Envelope/soap:Body must be referenced from the signature
- The element matching /soap:Envelope/soap:Header/wsse:Security/wsu:Timestamp must be referenced from the signature
- The signature verification key must be provided by an X.509 certificate issued by a trusted CA

9 Related work
Gruschka and Lo Iacono:
- Demonstrated with an XSW attack that the checks proposed by McIntosh and Austel are not sufficient to effectively detect XSW attacks
Bhargavan, Fournet and Gordon:
- Mandatory elements: wsa:To, wsa:Action, soap:Body
- Signed elements: all mandatory, wsa:MessageID, wsu:Timestamp
- Recommended: use of X.509 certificates for authentication

10 Some Technical Security Issues in Cloud Computing
Cloud security issues focus on:
1- Confidentiality.
2- Integrity.
3- Authentication.
Two places that must be secured in the Cloud:
1- Web-Services (WS).
2- Web-Browser (WB).

11 1- Web-Service Security
- WS-Security: a mechanism for web services that works at the message level.
- How to provide Confidentiality, Integrity, and Authentication for messages?
1- By using XML Signature: XML fragments are digitally signed to ensure integrity and authentication.
2- By using XML Encryption: XML fragments are encrypted to ensure data confidentiality.

12 2- Web-Browser Security
- Also works with:
1- XML Signature.
2- XML Encryption.
- Modern web browsers use AJAX techniques (Asynchronous JavaScript and XML) to develop platform-independent I/O tools.
- New names for these techniques: Web Applications, Web 2.0, or SaaS.

13 What is the problem with Web-Services?
- XML Signature Element Wrapping:
  - SOAP messages are generally transmitted over HTTP in an XML format.
  - An attacker is able to manipulate a SOAP message by copying the target element, inserting another value, and moving the original element to somewhere else in the SOAP message.
- To solve the problem:
  - Use a combination of WS-Security with XML Signature to sign particular elements, and digital certificates such as X.509.
  - Create a list of elements that are used in the system, and reject any other messages.
  - XSpRES to ensure that the digital signatures are generated and verified by combining a hardened XML signature library

14 Second Part: “What are the problems?”

15 What is the problem with Web-Services?
- XML Signature Element Wrapping:
  - SOAP messages are generally transmitted over HTTP in an XML format.
  - An attacker is able to manipulate a SOAP message by copying the target element, inserting another value, and moving the original element to somewhere else in the SOAP message.

16 What is the problem with Web-Services?
XML Signature Element Wrapping:

17 What is the problem with Web-Services?
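Added example (not part of the original slides): a receiver-side structural check in the spirit of the McIntosh and Austel rules on slide 8, applied to the element-wrapping case described on slides 13 and 15. It goes slightly beyond those rules by also requiring exactly one element at each fixed path and unique wsu:Id values. The function names, the Wrapper element, the Id values and both sample messages are constructed for illustration; cryptographic signature verification and the X.509 trust check are assumed to be done separately by an XML signature library.

```python
import xml.etree.ElementTree as ET

NS = {  # SOAP 1.1, WS-Security 1.0 and XML Signature namespaces
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
WSU_ID = "{%s}Id" % NS["wsu"]
FIXED_PATHS = {"soap:Body": "soap:Body",
               "wsu:Timestamp": "soap:Header/wsse:Security/wsu:Timestamp"}

def check_references(xml_text):
    """Return the list of policy violations; an empty list means the structure is accepted."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Envelope" % NS["soap"]:
        return ["root element is not soap:Envelope"]
    sig = root.find("soap:Header/wsse:Security/ds:Signature", NS)
    if sig is None:
        return ["no signature in the security header"]
    refs = {r.get("URI", "").lstrip("#")
            for r in sig.findall("ds:SignedInfo/ds:Reference", NS)}
    problems = []
    for name, path in FIXED_PATHS.items():
        found = root.findall(path, NS)
        if len(found) != 1:
            problems.append(f"{name}: expected exactly one element at the fixed path")
        elif not found[0].get(WSU_ID) or found[0].get(WSU_ID) not in refs:
            problems.append(f"{name}: element at the fixed path is not referenced by the signature")
    # A repeated Id lets signature check and application logic resolve different elements.
    ids = [e.get(WSU_ID) for e in root.iter() if e.get(WSU_ID)]
    if len(ids) != len(set(ids)):
        problems.append("duplicate wsu:Id values")
    return problems

def sample(body_id, extra_header=""):
    # Constructed message: digest and signature values are left out, no crypto is run here.
    return f"""<soap:Envelope xmlns:soap="{NS['soap']}" xmlns:wsse="{NS['wsse']}"
  xmlns:wsu="{NS['wsu']}" xmlns:ds="{NS['ds']}"><soap:Header><wsse:Security>
  <wsu:Timestamp wsu:Id="ts-1"><wsu:Created>2014-04-10T10:00:00Z</wsu:Created></wsu:Timestamp>
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#body-1"/><ds:Reference URI="#ts-1"/>
  </ds:SignedInfo></ds:Signature></wsse:Security>{extra_header}</soap:Header>
  <soap:Body wsu:Id="{body_id}"><op>GetStatus</op></soap:Body></soap:Envelope>"""

MOVED = '<Wrapper><soap:Body wsu:Id="body-1"><op>GetStatus</op></soap:Body></Wrapper>'
GENUINE = sample("body-1")           # Body at the fixed path is the signed one
WRAPPED = sample("body-2", MOVED)    # signed Body relocated, unsigned Body in its place

if __name__ == "__main__":
    for label, msg in (("genuine", GENUINE), ("wrapped", WRAPPED)):
        print(label, check_references(msg) or "accepted")
```

These structural checks complement, and do not replace, cryptographic verification of the signature and the certificate check listed on slide 8.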

18 What is the problem with Web-Browser?
- Web browsers are not able to apply WS-Security concepts (XML Signature and XML Encryption), because:
1- Data can only be encrypted through TLS (Transport Layer Security).
2- XML signatures are only used within the TLS handshake.

19 Opportunities for Advancement
1- For the problems in Web-Browsers / SSL
- Create new web browsers that apply WS-Security concepts.
- WS-Security works at the message level, so it appears to be more suitable than SSL/TLS.
- Then, these web browsers are able to use XML Encryption in order to provide end-to-end encryption in SOAP messages.

20 Proposed Solutions
- Companies should adhere to the guidelines stipulated by the Open Web Application Security Project (OWASP), which emphasize designing secure web applications and services.
- Companies need to integrate the guidelines into their system development life cycle. This will ensure that web services like cloud computing follow the necessary steps and have minimal vulnerabilities.

21 Proposed Solutions
- I would suggest the use of other protocols, like Representational State Transfer (REST), instead of SOAP.
- REST provides encryption of data using many formats, unlike SOAP, which offers only the use of XML.

22 Proposed Solutions
Find a strong method to protect this part

23 Conclusion
1. Cloud Computing:
   1. WS
   2. WB
2. WS-Security Mechanism:
   - XML Signature.
   - XML Encryption.
3. Technical security:
   - XML Signature Wrapping Attacks.
4. Future Work

24 References
Constantin, L. (2011). Researchers demo cloud security issue with Amazon AWS attack. Computerworld. Retrieved 29 March 2015, from http://www.computerworld.com/article/2499567/network-security/researchers-demo-cloud-security-issue-with-amazon-aws-attack.html
Kouchaksaraei, H., & Chefranov, A. (2013). Countering Wrapping Attack on XML Signature in SOAP Message for Cloud Computing. Arxiv.org. Retrieved 29 March 2015, from http://arxiv.org/abs/1310.0441
Mainka, C., Jensen, M., Lo Iacono, L., & Schwenk, J. (2013). Making XML Signatures Immune to XML Signature Wrapping Attacks. Cloud Computing And Services Science, 151-167. doi:10.1007/978-3-319-04519-1_10
McIntosh, M., & Austel, P. (2014). XML Signature Element Wrapping Attacks and Countermeasures (1st ed.). Retrieved from http://domino.research.ibm.com/library/cyberdig.nsf/papers/73053F26BFE5D1D385257067004CFD80/$File/rc23691.pdf
Muralidhara, P. (2013). Security issues in cloud computing and its countermeasures (1st ed.). Retrieved from http://www.ijser.org/researchpaper%5CSecurity-issues-in-cloud-computing-and-its-countermeasures.pdf

25 References
Jensen M and Schwenk J (2009). On Technical Security Issues in Cloud Computing. Horst Gortz Institute for IT Security, Ruhr University Bochum, Germany.

26 Thank you

