Taking Steps to Secure Web Services
David Geer
Computer, October 2003
Organizations are investing considerable resources in Web services, an approach that comprises a set of platform-neutral technologies designed to ease the delivery of services over intranets and the Internet. Web services enable interoperability via a set of open standards, including XML to provide information about the data in a document to users on various platforms; the simple object access protocol (SOAP) for cross-platform interapplication communication; the Web Services Description Language to describe online services; and the universal description, discovery, and integration protocol to find available Web services on the Internet or corporate networks.

Despite the promise, Web services present network administrators with a thorny problem: As network security becomes an increasing concern, Web services open up networks by letting outside users access databases, applications, and internal users. Traditional security techniques—such as virtual private networks or secure sockets layer (SSL) technology—cannot secure the large number of transactions that Web services can perform in a short time. Meanwhile, basic Web services transactions are unencrypted and unsecured, which creates the potential for disaster, said Alan Zeichick, principal analyst with Camden Associates, a technology research and analysis firm. It is thus important for Web services technology to have its own security mechanisms. In fact, industry observers have said the biggest obstacle to wider adoption of Web services has been security concerns. With this in mind, researchers are developing and implementing several Web services security approaches.

Web services security requires authentication (establishing identity), authorization (establishing what a user is allowed to do), confidentiality (ensuring that only the intended recipient can read the message, accomplished with encryption), and integrity (ensuring the message hasn't been tampered with, generally accomplished with digital signatures).

SSL and TLS issues

Typically, most secure Web communications have used SSL for protection. SSL operates between the HTTP and TCP network layers. It uses public- and private-key encryption and works with digital certificates, which are files issued by a certification authority to authenticate users. The transport layer security protocol has succeeded SSL. TLS provides encryption-based connection security, and lets servers and clients authenticate one another and determine the cryptographic algorithms and keys that can be used for data transfer. Browsers support SSL and TLS, but the protocols don't scale well to complex, high-volume transactions, like those in Web services. This is because SSL and TLS systems must decrypt data every time it arrives at a new Web server and then encrypt the data for transmission to the next server.

Problems with SOAP

SOAP functions as a transport mechanism for XML messages by letting programs running on one OS communicate with programs running on another, using HTTP and XML to exchange data. However, the World Wide Web Consortium's original SOAP version provided no security.

SAML, developed by the Organization for the Advancement of Structured Information Standards (Oasis; www.oasis-open.org), defines security-related schemas for structuring documents. "SAML defines a vendor-neutral way to express security information in an XML format," explained Rob Philpott of RSA Security, who is a member of the Oasis Security Services Technical Committee. "It defines the schemas for the structure of documents that include information related to user identity and access or authorization rights." By defining how this information is exchanged, SAML lets companies with different internal security architectures communicate.
SAML, shown in Figure 1, functions as a framework for exchanging authentication, attribute, and authorization assertions across multiple participants over the Internet using protocols such as HTTP and SOAP. Assertions provide proof of identity—via SAML subjects, which contain identity-related information—for users and computers. In addition, assertions list transaction-related user information (such as credit limits for e-commerce) and activities users are authorized to perform (such as permissions to access and work with files). SAML can also indicate the authentication method that must be used with a message, such as a password, Kerberos authentication ticket, hardware token, or X.509 digital certificate. A SAML authentication authority is closely coupled with the system that performs the authentication operations, which include identification collection and verification. The authority then creates assertions containing authentication statements based on the results of those operations. SAML can work either via a centralized certificate authority or directly between users, which is particularly efficient for small groups. SAML would facilitate single-sign-on for Web users by, for example, letting them log on to one site and have their security credentials transferred automatically to partner sites for authentication. If the second site recognizes the authentication authority, it accepts the assertion and the user does not have to log in again.

[Figure 1 diagram. Labelled components: Policy; Credentials collector; Authentication authority; Attribute authority; Policy decision point; System entity; Policy enforcement point; Application request; Authorization decision assertion; Attribute assertion; Authorization assertion.]

Figure 1. The Security Assertion Markup Language secures Web services transactions. SAML works with a system's security policies via authentication, which establishes a user's identity; credentials, which a user must have to be considered for authentication; assertions, which provide proof of identity; and trusted third-party authorities. Source: Oasis.

IBM, Microsoft, and Internet security vendor VeriSign developed the Web Services Security protocol (WS-Sec; www.oasis-open.org/committees/wss/) as a way for Web services to work with several different security models via SOAP extensions. WS-Sec, under consideration as a standard by Oasis, lets applications attach security data to the headers of SOAP messages. This can include security metadata like that found in the XML Encryption and XML Signature specifications. WS-Sec lets companies send messages with digital signatures that tell recipients whether hackers have altered documents during transmission and whether the documents are actually from the person named as the sender. The standard also uses security tokens—such as Kerberos authentication tickets or SAML assertions—that validate digital signatures, verifying the sender hasn't been spoofed. The tokens validate senders' claims of rights to recipients' CPU, memory, and other computing resources, noted Robert Hillery, a faculty member with the SANS Institute, an organization that focuses on information-security research, certification, and education.

Important specifications

The XML Encryption and XML Signature specifications are central to WS-Sec. The two approaches provide ways to include both encrypted data and digital signatures in XML documents. They also include XML elements that identify the encryption algorithm that a document is using and provide uniform resource identifiers that link to the public keys sometimes used to verify a sender's identity.

XML Encryption. XML Encryption describes the process for encrypting and representing encrypted data in XML documents. The specification supports common encryption algorithms and techniques. The standard provides ways to encrypt all or just parts of the XML in the message. Proponents say this approach is more efficient because information that isn't confidential can be sent unencrypted. Selective encryption and signing also let senders add different signatures and keys to parts of a single document that are designated for different recipients. However, the process of identifying which data is supposed to be confidential, based on information listed in a header manifest, adds overhead to a system, noted Microsoft architect Chris Kaler.

XML Signature. XML Signature defines syntax and processing rules for representing digital signatures. Digital signatures on one computer can be read by another because the machines work with the same encrypted digest—a cryptographic hash that represents the signed material—for the same section of XML code, explained Kaler.

Future WS-Sec specifications

IBM, Microsoft, and other companies have proposed several new standards to be layered on top of WS-Sec. The specifications would certify that information in Web services transactions is safe, define how to share the information safely with others, and describe how to connect systems that use different security technologies. Industry observers expect early adopters to start using the technologies by late 2004, with widespread adoption beginning in early 2005.

WS-SecurityPolicy provides a framework for defining security, privacy, and other policies on machines involved in Web services transactions. The specification also lets a system assess the policies' requirements, such as which type of authentication is needed.

WS-Privacy implements privacy policies that WS-SecurityPolicy defines and lets Web services providers and users state privacy preferences and practices.

WS-Trust provides a framework of models for establishing both direct and brokered trust relationships for secure Web services interoperation. "WS-Trust is the basis behind how you do token acquisition, validation, and exchange," said Tony Nadalin, a security architect with IBM Tivoli Software. The specification promises to ensure document security even when companies use different security systems, such as Kerberos authentication or public-key infrastructure (PKI) encryption.

WS-SecureConversation establishes sessions during which SOAP acts like a connection-based approach, which lets users send consecutive messages without repeating authentication and policy negotiations each time.

WS-Authorization defines how Web services manage authorization policies.

WS-Federation enables associations between security domains. In essence, WS-Federation defines how to broker trust relationships in a Web services transaction between parties using incompatible security approaches. WS-Federation accomplishes this by standardizing the way companies share user and machine identities among their disparate authentication and authorization systems.

A principal Web services security problem is that XML transfers everything over HTTP, allowing traffic to pass through firewalls via TCP port 80. This enables easy communication between networks whose firewalls block all ports except the ones that Web protocols use. However, firewall penetration also creates security concerns. In light of this threat, Check Point has upgraded its firewalls to recognize, examine, and filter XML and SOAP traffic. DataPower has developed Web services appliances that can detect and process XML traffic and block malicious code. Forum Systems develops appliances, PCI cards, and software for Web services security.

Web services security technology has sparked several key concerns. For example, complex Web services security sometimes requires PKI use, said analyst Ray Wagner with Gartner Inc., a market research firm. PKI uses cryptography, digital certificates, and trusted third-party authorities to enable secure communications over public networks. However, Wagner said, "PKI [is complex and thus] has been a difficult infrastructure to manage. And the cost of managing it has been a detriment to organizations." Some users are reluctant to work with Web services security technology because they don't have much experience with the specifications, which are fairly new.

Others aren't using the specifications because they haven't even figured out yet what they want to do with Web services. Also, said Camden's Zeichick, some people are concerned because much of Web services security technology is still being developed and has not stabilized enough to inspire confidence.

Because Web services offer such promise, many observers expect Web services security measures to be widely adopted. Wagner said users will particularly see the need for the technology after hackers begin attacking Web services transactions. Web services security technology will be implemented more in software first, according to Wagner. Users won't want to spend the time and money necessary to upgrade hardware until Web services and WS-Sec have proven themselves, he stated. Organizations and vendors are working on systems that combine the advantages of using software with the speed of using hardware. Wagner said, "When an organization does a huge amount of Web services traffic, it will need [specialized, high-performance] hardware support for XML filtering, encryption, and key management." Meanwhile, said Zeichick, "Web services security hasn't progressed beyond securing communications between trusted parties. We haven't really thought about the malicious use of Web services interfaces. That will significantly affect the adoption of the technology."

David Geer is a freelance technology writer based in Ashtabula, Ohio. Contact him at d@geercom.com.
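As an added illustration (not code from the article, from Oasis, or from the WS-Security specification) of the XML Signature mechanism described above: a signature carried in a WS-Security SOAP header covers one referenced section of the message, the recipient recomputes the digest of that section and checks the signature over SignedInfo, and any alteration of the signed Body in transit is detected. The example uses only Python's standard library, a constructed envelope and a constructed shared HMAC key, and a simplified serialization in place of Canonical XML; a real deployment would use the public-key signature methods and C14N processing the specifications require.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
DS = "http://www.w3.org/2000/09/xmldsig#"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"  # WSS 1.0 (2004)
for prefix, uri in (("soap", SOAP), ("ds", DS), ("wsse", WSSE)):
    ET.register_namespace(prefix, uri)  # fixed prefixes keep signer and verifier serialization identical
# Constructed demo key: HMAC-SHA256 (a defined XML Signature SignatureMethod) stands in for a public-key signature.
KEY = b"constructed-demo-key"
# Constructed sample request. Only the Body is signed; the plain Id stands in for WS-Security's wsu:Id.
ENVELOPE = (f'<soap:Envelope xmlns:soap="{SOAP}"><soap:Header/>'
            '<soap:Body Id="Body"><Transfer><Account>12345</Account>'
            '<Amount>100</Amount></Transfer></soap:Body></soap:Envelope>')

def c14n(elem):
    """Simplified canonical form; real XML Signature processing requires Canonical XML (C14N)."""
    return ET.tostring(elem, encoding="unicode").strip().encode()

def sign_body(envelope_xml, key):
    """Attach a WS-Security header carrying an XML Signature whose single Reference covers the Body."""
    root = ET.fromstring(envelope_xml)
    digest = hashlib.sha256(c14n(root.find(f"{{{SOAP}}}Body"))).digest()
    security = ET.SubElement(root.find(f"{{{SOAP}}}Header"), f"{{{WSSE}}}Security")
    signature = ET.SubElement(security, f"{{{DS}}}Signature")
    signed_info = ET.SubElement(signature, f"{{{DS}}}SignedInfo")
    ET.SubElement(signed_info, f"{{{DS}}}SignatureMethod",
                  Algorithm="http://www.w3.org/2001/04/xmldsig-more#hmac-sha256")
    ref = ET.SubElement(signed_info, f"{{{DS}}}Reference", URI="#Body")
    ET.SubElement(ref, f"{{{DS}}}DigestMethod", Algorithm="http://www.w3.org/2001/04/xmlenc#sha256")
    ET.SubElement(ref, f"{{{DS}}}DigestValue").text = base64.b64encode(digest).decode()
    # The signature is computed over SignedInfo (which holds the digest), not over the Body itself.
    mac = hmac.new(key, c14n(signed_info), hashlib.sha256).digest()
    ET.SubElement(signature, f"{{{DS}}}SignatureValue").text = base64.b64encode(mac).decode()
    return ET.tostring(root, encoding="unicode")

def verify_body(signed_xml, key):
    """Check SignatureValue over SignedInfo, then the recorded digest against the referenced element."""
    root = ET.fromstring(signed_xml)
    signed_info = root.find(f".//{{{DS}}}SignedInfo")
    sig_value = base64.b64decode(root.find(f".//{{{DS}}}SignatureValue").text)
    if not hmac.compare_digest(sig_value, hmac.new(key, c14n(signed_info), hashlib.sha256).digest()):
        return False  # wrong key, or SignedInfo (and thus the recorded digest) was altered
    ref = signed_info.find(f"{{{DS}}}Reference")
    target_id = ref.get("URI").lstrip("#")  # resolve URI="#Body" to the element carrying Id="Body"
    target = root.find(f".//*[@Id='{target_id}']")
    recorded = base64.b64decode(ref.find(f"{{{DS}}}DigestValue").text)
    return hmac.compare_digest(recorded, hashlib.sha256(c14n(target)).digest())
```

Because the Header is outside the Reference, routing metadata can be added to it without invalidating the signature, while a single changed digit in the Body fails verification.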
Technology News
Editor: Lee Garber, Computer, 10662 Los Vaqueros Circle, PO Box 3014, Los Alamitos, CA 90720-1314; l.garber@computer.org