Web Service Security Vulnerabilities and Threats in the Context of WS-Security



Similar documents
Securing Web Services Using Microsoft Web Services Enhancements 1.0. Petr PALAS PortSight Software Architect

NIST s Guide to Secure Web Services

WEB SERVICES SECURITY

Chapter 12 GRID SECURITY ARCHITECTURE: Requirements,fundamentals, standards, and models

Core Feature Comparison between. XML / SOA Gateways. and. Web Application Firewalls. Jason Macy jmacy@forumsys.com CTO, Forum Systems

This Working Paper provides an introduction to the web services security standards.

White Paper Delivering Web Services Security: The Entrust Secure Transaction Platform

Federated Identity Management Solutions

T-Check in Technologies for Interoperability: Web Services and Security Single Sign-On

A Conceptual Technique for Modelling Security as a Service in Service Oriented Distributed Systems

Securely Managing and Exposing Web Services & Applications

The Role of Identity Enabled Web Services in Cloud Computing

CICS Web Service Security. Anthony Papageorgiou IBM CICS Development March 13, 2012 Session: 10282

Web Services Security: What s Required To Secure A Service-Oriented Architecture. An Oracle White Paper January 2008

A Service Oriented Security Reference Architecture

An Oracle White Paper Dec Oracle Access Management Security Token Service

e-gov Architecture Service Interface Guidelines

Web Services Implementation: The Beta Phase of EPA Network Nodes

DISTRIBUTED SYSTEMS SECURITY

Digital Signature Web Service Interface

THREAT MODELLING FOR WEB SERVICES BASED WEB APPLICATIONS

Securing Web Services From Encryption to a Web Service Security Infrastructure

Security in Network-Based Applications. ITIS 4166/5166 Network Based Application Development. Network Security. Agenda. References

Federated Identity and Trust Management

Strategic Information Security. Attacking and Defending Web Services

Web Services and Service Oriented Architectures. Thomas Soddemann, RZG

AquaLogic Service Bus

Principles and Foundations of Web Services: An Holistic View (Technologies, Business Drivers, Models, Architectures and Standards)

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Notes on Network Security - Introduction

A Signing Proxy for Web Services Security. Dr. Ingo Melzer RIC/ED

Securing Web Services with WS-Security

Using WS-Federation and WS-Security for Identity Management in Virtual Organisations

Chap. 1: Introduction

02267: Software Development of Web Services

A pattern for the WS-Trust standard for web services

Security Issues In Cloud Computing and Countermeasures

Chapter 10. Cloud Security Mechanisms

Guide to Secure Web Services

Network Security. Chapter 10. Application Layer Security: Web Services. Part I: Introduction to Web Services

Securing your XML and Web service implementations Nattakan Pengphon Technical Specialist

E-commerce. business. technology. society. Kenneth C. Laudon Carol Guercio Traver. Second Edition. Copyright 2007 Pearson Education, Inc.

CICS Identity and Security

Szolgáltatásorientált rendszerintegráció. WS-* standards

Security for Service Oriented Architectures

Secure Authentication and Session. State Management for Web Services

XML Signatures in an Enterprise Service Bus Environment

Secure Identity Propagation Using WS- Trust, SAML2, and WS-Security 12 Apr 2011 IBM Impact

Security a Major Imperative for an Service-Oriented Architecture

Skoot Secure File Transfer

Cryptography and Network Security

Leveraging Service Oriented Architecture (SOA) to integrate Oracle Applications with SalesForce.com

Software Requirement Specification Web Services Security

Security in the PEPPOL

Security in integration and Enterprise Service Bus(ESB) Anton Panhelainen Principal Technology Consultant Tieto Oy

Service-Oriented Computing and Service-Oriented Architecture

Barracuda Web Application Firewall vs. Intrusion Prevention Systems (IPS) Whitepaper

Model User Guide for Implementing Online Insurance Verification

COSC 472 Network Security

Security Goals Services

A Web Services Security Testing Framework

CPSC 467: Cryptography and Computer Security

Design and Implementation of an e-transcript System using Web services

Rational AppScan & Ounce Products

Creating a Strong Security Infrastructure for Exposing JBoss Services

7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security?

Prescription Monitoring Program Information Exchange Service. Execution Context Version 1.0

CPSC 467b: Cryptography and Computer Security

Information System Security

CHAPTER - 3 WEB APPLICATION AND SECURITY

Transcription:

Web Service Security Vulnerabilities and Threats in the Context of WS-Security Jesper Holgersson Eva Söderström University of Skoevde, Sweden SIIT 2005, ITU, Geneva, September 2005

Outline of presentation Research objectives Web Services Basic requirements for achieving information security Threats and challenges related to security in Web Services WS-Security basics WS-Security vs Threats Summary

Objective Security concerns are the main issues preventing organizations from adopting public Web Services (Greenspan, 2003) Security standards for Web Services are emerging, WS-Security is considered to be the most profound one yet How does WS-Security address known threats and weaknesses within Web Services?

Web Services a technology for publishing, identifying and calling services in a network of interacting computer nodes (Henkel & Wiktorin, 2005) Discover (WSDL, UDDI) Invoke/Bind (SOAP, XML) Publish, Unpublish, Update (WSDL, UDDI) Provider: The holder of the implemented service Requestor: The node that wants to use the service Registry: Is searched by the requestor and updated by the provider

Information security Of particular interest for publicly exposed WS since failure in security might result in access to the WS-providers back end systems connected to the WS. Confidentiality Integrity Non-repudiation Authentication Authorization Availability (Boncella, 2004)

Threats and challenges related to security in Web Services Maintaining security while routing between multiple Web Services Confidentiality, Integrity, Authentication, Non-repudiation Unauthorized access Authentication, Authorization Parameter manipulation/malicious input Availability, Integrity Network eavesdropping and message replay Confidentiality, Integrity, Authentication, Non-repudiation Denial of Service Availability Bypassing of firewalls Confidentiality, Integrity, Authentication

Maintaining security while routing between multiple Web Services Traditional security techniques, such as SSL, are designed to protect communication between two points, i.e. security context 1 Traditional security techniques can not handle end-to-end security, i.e. security context 2 Traditional security techniques work at the session layer while SOAP works at the application layer A SOAP message has to be decrypted at the intermediary, thereby threatening confidentiality, integrity and authentication which all are related to authorization and non-repudiation Security context 1 Security context 2 WS SOAP Routing SOAP Request Response to SOAP Request WS SOAP Routing SOAP Request Response to SOAP Request WS From O Neill, 2002

Threats and challenges related to security in Web Services Maintaining security while routing between multiple Web Services Confidentiality, Integrity, Authentication, Non-repudiation Unauthorized access Authentication, Authorization Parameter manipulation/malicious input Availability, Integrity Network eavesdropping and message replay Confidentiality, Integrity, Authentication, Non-repudiation Denial of Service Availability Bypassing of firewalls Confidentiality, Integrity, Authentication

WS-Security Set as a standard by OASIS in April, 2004 Developed by IBM and Microsoft Works as an add-on to SOAP, offering a common format for security in SOAP messages Consists of three main elements XML Encryption (W3C) XML Signature (W3C) Security tokens

WS-Security: an example Furniture retailer (Requestor) Order request [BinarySecurityToken] User: Alice Passwd:XYZ CCNr: Digital Signature Address: SSN: Furniture manufacturer (WS provider) Bank (WS provider) 1. The requestor sends an order request 1. A binary security token (X.509) is used for authentication 2. The message is signed with one signature 3. Customer information is encrypted with two different keys 2. Receiver 1 and 2 check whether the sender is legitimate, check the signature and decrypts those parts of the message that can be decrypted 3. Receiver 1 and 2 send a response in the same manner back to the requestor

WS-Security roadmap WS-SecureConversation WS-Federation WS-Authorization WS-Policy WS-Trust WS-Privacy Today WS-Security SOAP Foundation WS-Policy: Policy details about security issues WS-Trust: Establishing of trust between nodes WS-Privacy: Policies regarding privacy issues WS-Secure Conversation: Session spanning WS-Federation: Brokering of security related data WS-Authorization: How express and manage rules regarding access rights?

Result Threat Security requirements affected Solved by WS- Security? If so, by what? Maintaining security while routing between multiple Web Services Confidentiality, Integrity, Authentication, Non-repudiation Yes XML Encryption, XML Signature, Tokens Unauthorized access Authentication, Authorization Yes Tokens, XML Signature Parameter manipulation and Malicious input Availability, Integrity Yes XML Signature Network eavesdropping and Message Replay Confidentiality, Integrity, Authentication, Non-repudiation Yes Tokens, XML Encryption, XML Signature Denial of Service Availability No - Bypassing of firewalls Integrity, Authentication, Confidentiality Indirectly XML Encryption, XML Signature

Conclusions WS-Security handles the most urgent issues, i.e. secure transmission via intermediaries, thereby eliminating a number of related threats Much remains to be done WS-Security is still a young standard with little real life testing More mature technologies, such as SSL, has an immediate advantage as long as no intermediaries are involved

The end Questions?

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information