A Signing Proxy for Web Services Security. Dr. Ingo Melzer RIC/ED



Similar documents
A Signing Proxy for Web Services Security

Core Feature Comparison between. XML / SOA Gateways. and. Web Application Firewalls. Jason Macy jmacy@forumsys.com CTO, Forum Systems

AquaLogic Service Bus

Java Security Web Services Security (Overview) Lecture 9

02267: Software Development of Web Services

<Insert Picture Here> Oracle Web Services Manager (WSM)

3.2: Transport Layer: SSL/TLS Secure Socket Layer (SSL) Transport Layer Security (TLS) Protocol

Unit IV: SOAP protocol, XML-RPC, HTTP, SOAP faults and SOAP attachments, Web services, UDDI, XML security

XML Signatures in an Enterprise Service Bus Environment

Principles and Foundations of Web Services: An Holistic View (Technologies, Business Drivers, Models, Architectures and Standards)

Table of Contents. 1 Overview 1-1 Introduction 1-1 Product Design 1-1 Appearance 1-2

Introduction into Web Services (WS)

CS 356 Lecture 28 Internet Authentication. Spring 2013

Securing Web Services with WS-Security

Copyright 2012, Oracle and/or its affiliates. All rights reserved.

Digital Signature Web Service Interface

Research on the Model of Enterprise Application Integration with Web Services

Motivation Definitions EAI Architectures Elements Integration Technologies. Part I. EAI: Foundations, Concepts, and Architectures

This Working Paper provides an introduction to the web services security standards.

CICS Web Service Security. Anthony Papageorgiou IBM CICS Development March 13, 2012 Session: 10282

Securely Managing and Exposing Web Services & Applications

Web services can convert your existing applications into web applications.

PARTNER INTEGRATION GUIDE. Edition 1.0

Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified

PowerCenter Real-Time Development

INTEGRATE SALESFORCE.COM SINGLE SIGN-ON WITH THIRD-PARTY SINGLE SIGN-ON USING SENTRY A GUIDE TO SUCCESSFUL USE CASE

How To Protect A Web Application From Attack From A Trusted Environment

PROTECTING DATA IN TRANSIT WITH ENCRYPTION IN M-FILES

Run-time Service Oriented Architecture (SOA) V 0.1

IBM WebSphere Data Power SOA Applicances V3.8.1 Solution IMP. Version: Demo. Page <<1/10>>

WEB SERVICES SECURITY

Apigee Gateway Specifications

VALLIAMMAI ENGINEERING COLLEGE SRM NAGAR, KATTANKULATHUR DEPARTMENT OF COMPUTER APPLICATIONS SUBJECT : MC7502 SERVICE ORIENTED ARCHITECTURE

Strategic Information Security. Attacking and Defending Web Services

Redbook Overview Patterns: SOA Design with WebSphere Message Broker and WebSphere ESB

Easy CramBible Lab DEMO ONLY VERSION Test284,IBM WbS.DataPower SOA Appliances, Firmware V3.6.0

Web Services Advanced Topics

Middleware and the Internet. Example: Shopping Service. What could be possible? Service Oriented Architecture

Middleware Lou Somers

Creating Web Services in NetBeans

Architectural Requirements for an SOA Based on Web Services. Jim Bole VP, Engineering Infravio, Inc. April 23, 2003

Web Service Security Vulnerabilities and Threats in the Context of WS-Security

Internationalization and Web Services

ISM/ISC Middleware Module

Web Services Security: What s Required To Secure A Service-Oriented Architecture. An Oracle White Paper January 2008

Network Security. Chapter 10. Application Layer Security: Web Services. Part I: Introduction to Web Services

ebxml Web Services & EDI

Securing Web Services From Encryption to a Web Service Security Infrastructure

How To Understand A Services-Oriented Architecture

Secure Identity Propagation Using WS- Trust, SAML2, and WS-Security 12 Apr 2011 IBM Impact

21.4 Network Address Translation (NAT) NAT concept

Quickstream Connectivity Options

Emergency Services Interconnection Forum (ESIF) Emergency Services Messaging Interface Task Force ( Task Force 34 )

Requirement Priority Name Requirement Text Response Comment

STUDY ON IMPROVING WEB SECURITY USING SAML TOKEN

OsEra Enterprise Service Bus

<Insert Picture Here> Oracle Security Developer Tools (OSDT) August 2008

APNIC elearning: IPSec Basics. Contact: esec03_v1.0

AquaLogic ESB Design and Integration (3 Days)

Authentication and Single Sign On

Web Services Implementation: The Beta Phase of EPA Network Nodes

Application Note. Onsight Connect Network Requirements v6.3

NIST s Guide to Secure Web Services

Middleware and the Internet

Setup Guide Access Manager Appliance 3.2 SP3

Securing Web Services With SAML

4. Concepts and Technologies for B2C, B2E, and B2B Transaction

Creating a Secure Web Service In Informatica Data Services

Mobility Information Series

E-Commerce Security. The Client-Side Vulnerabilities. Securing the Data Transaction LECTURE 7 (SECURITY)

Service-Oriented Architecture and Software Engineering

PUBLIC Connecting a Customer System to SAP HCI

ELECTRONIC COMMERCE OBJECTIVE QUESTIONS

Secure Authentication and Session. State Management for Web Services

A Service Oriented Security Reference Architecture

WEB SERVICES WITH APPLICATION SERVER ABAP

PHIN MS Detailed Security Design

Security Testing For RESTful Applications

Web Services and Service Oriented Architectures. Thomas Soddemann, RZG

Network Configuration Settings

Global Client Access Managed Communications Solutions. JPMorgan - Global Client Access. Managed Internet Solutions (EC Gateway)

Service-Oriented Architecture (SOA) vs. Component Based Architecture. Helmut Petritsch

Security. Contents. S Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

WEB SERVICES. Revised 9/29/2015

Authentication and Authorization Systems in Cloud Environments

SAML-Based SSO Solution

Centers for Disease Control and Prevention, Public Health Information Network Messaging System (PHINMS)

Transcription:

A Signing Proxy for Web Services Security Dr. Ingo Melzer RIC/ED

What is a Web Service? Infrastructure Web Service I. Melzer -- A Signing Proxy for Web Services Security 2

What is a Web Service? basic Web Service Infrastructure Web Service I. Melzer -- A Signing Proxy for Web Services Security 3

What is a Web Service? CDR ASN.1 JRMP EDI ASCII Content Infrastructure XML Web Service basic Web Service I. Melzer -- A Signing Proxy for Web Services Security 4

What is a Web Service? RPC RMI XML-RPC DCE Msg. CORBA Transport Content Infrastructure SOAP XML Web Service basic Web Service I. Melzer -- A Signing Proxy for Web Services Security 5

What is a Web Service? SDL SCL NASSL IDL Description WSDL Transport Content Infrastructure SOAP XML Web Service basic Web Service I. Melzer -- A Signing Proxy for Web Services Security 6

What is a Web Service? DISCO ADS naming service property service Directory Description UDDI/WSIL WSDL Transport Content Infrastructure SOAP XML Web Service basic Web Service I. Melzer -- A Signing Proxy for Web Services Security 7

What is a Web Service? Directory Description UDDI/WSIL WSDL Web Service Transport Content Infrastructure SOAP XML Web Service basic Web Service I. Melzer -- A Signing Proxy for Web Services Security 8

Properties of Web Services Web Services allow collaboration of different systems Integration of existing systems Facade for set of similar systems Web Services offer two styles: RPC and messaging Protocol of Web Services: SOAP (XML-based) SOAP mainly used over HTTP(S) Most of the time: Computer to computer communication Easy access of otherwise hidden systems Security issue! I. Melzer -- A Signing Proxy for Web Services Security 9

Definition: Web Services A Web Service is is a piece of of server-side software that provides a certain functionality (as a black box) and is is accessible through Internet protocols using XML/SOAP messages with a described and published interface (typically by by means of of WSDL). Those interface descriptions should be be registered in in a (global) registry such as as UDDI. I. Melzer -- A Signing Proxy for Web Services Security 10

Common Web Services Scenario Client calls Web Service over the Internet Client Web Service (XML) Digital Signature (XML) Digital Signature SOAP SOAP Transport Protocol (e. g. HTTP) Transport Protocol (e. g. HTTP) Trusted Intranet Internet Trusted Intranet Firewall Firewall I. Melzer -- A Signing Proxy for Web Services Security 11

Web Services Architecture Web Services Protocol: SOAP (XML based) SOAP usually over other protocol SOAP does not deal with security (and does not have to) SOAP (XML based),... Transport Protocol (often HTTP),... Ethernet (TCP/IP),... I. Melzer -- A Signing Proxy for Web Services Security 12

Web Services Architecture + Security Security can be added at each layer No layer completely suitable for securing all services XML-layer important for flexibility (intermediaries) XML-Signature, XML-Encryption, WS-Security, SAML SOAP (XML based),... Transport Protocol (often HTTP),... Ethernet (TCP/IP),... XML-Secu. SSL IPSec I. Melzer -- A Signing Proxy for Web Services Security 13

Why SSL (HTTPS) often does not help: SSL is only for point to point connections Only usable for a few protocols (mainly HTTP) Only transport of whole document is encrypted Header information no longer readable Routing information Intermediaries Calling a set of Web Services? Asynchronous call of Web Services not possible Data unprotected upon reaching the server Authentication of origin lost if more than one service is involved I. Melzer -- A Signing Proxy for Web Services Security 14

Needs and Wishes Security at XML level, e. g. to keep only parts of the message readable Transparent for users impossible to forget it Centralized control single point of administration Easy integration into existing systems Usable even with external partners no proprietary solutions Open Standards like XML-Signature, WS-Security, Interoperability Framework for exchange and adaptation of security technologies at any time I. Melzer -- A Signing Proxy for Web Services Security 15

XML-Signature (Existing Technology) RFC 3275: Digitally sign document and represent in XML Result is (still) an XML document XPath to locate and identify parts to be signed Multiple signatures can added to one document 1. Choose parts of documents to sign 2. Calculate digest (or hash sum) of each part (after canonization) 3. Build <SignedInfo> element (contains digest, used algorithms, XPath) 4. Calculate digest of SignedInfo and sign it <SignatureValue> 5. SignedInfo, SignatureValue, KeyInfo are added to document in <Signature> I. Melzer -- A Signing Proxy for Web Services Security 16

Needs and Wishes not solved at once by XML Signature Security at XML level, e. g. to keep only parts of the message readable Transparent for users impossible to forget it Centralized control single point of administration Easy integration into existing systems Usable even with external partners no proprietary solutions Open Standards like XML-Signature, WS-Security, Interoperability Framework for exchange and adaptation of security technologies at any time I. Melzer -- A Signing Proxy for Web Services Security 17

Adding Security Transparently Proxy transparently adds XML-Signature WS-Client Signing Proxy (XML) Digital Signature SOAP SOAP Transport Protocol (e. g. HTTP) Transport Protocol (e. g. HTTP) Trusted Intranet Internet Boundary of Trust I. Melzer -- A Signing Proxy for Web Services Security 18

Adding Security Transparently II Proxy authentication for personal XML-Signature Proxy Authentication WS Client Signing Proxy (XML) Digital Signature SOAP SOAP Transport Protocol e. g. HTTP(S) Transport Protocol e. g. HTTP(S) Trusted(?) Intranet Internet Company s Boundary I. Melzer -- A Signing Proxy for Web Services Security 19

Encryption for B2B Environment Static Set of Partners In a B2B environment, it is possible to keep a list of partners Therefore encryption can be done in this way: 1. Determine Partner for outgoing message (e. g. domain of URL) 2. Get public key of partner (database, PKI, ) 3. Encrypt e. g. body of message using the key and XML-Encryption Firewall of receiver can use its private key for decryption Information for a more precise encryption possible with header expansions This job could also be done by an intermediary I. Melzer -- A Signing Proxy for Web Services Security 20

Requirements for Bigger Encryption Scenario Public Key of receiver needed for encryption. Possible Solutions: PKI or public key servers (like for pgp) Expansion for WSDL (where are the public keys) Standard for SOAP header expansion to specify part to be encrypted Further spreading of XML encryption Signature can be ignored, encryption cannot It does not help if receiver cannot decrypt message I. Melzer -- A Signing Proxy for Web Services Security 21

Status Two papers accepted: 1. Ingo Melzer, Mario Jeckle: Using Corporate Firewalls for Web Services Trust, ICWS-Europe'03, Erfurt, Germany, September 23 to 25, 2003, to appear 2. Ingo Melzer, Mario Jeckle: A Signing Proxy for Web Services Security, Berliner XML-Tage 2003, Berlin, Germany, October 13 to 15, 2003, to appear Ongoing Master Theses with University of Ulm (Prof. Dr. Schweiggert) and the University of Applied Sciences Furtwangen (Prof. Jeckle) Demonstrator for proof of concept T. b. d.: More on encryption including concept for bigger scenario I. Melzer -- A Signing Proxy for Web Services Security 22

Summary I SOAP does not deal with security (and does not have to) No secure Web Services available yet HTTP is no longer static (or dumb?) Firewalls have to be able to process SOAP, but Today s firewall software for Web Services not sufficient Other XML-based standards suitable for this job: XML-Signature, XML-Encryption, SAML, WS-Security, Idea: Signing Proxy to transparently add signatures Improvement for firewall to check signatures not very difficult I. Melzer -- A Signing Proxy for Web Services Security 23

Summary II (Signing Proxy) Signing Proxy offers single point of administration WS developers have to deal much less with security Can be part of security infrastructure Offer a service (just like a PKI) Signing Proxy fits perfectly into Service Oriented Architecture Encryption easily added in B2B environment Nevertheless: Security for Web Services has to be improved I. Melzer -- A Signing Proxy for Web Services Security 24

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information