
“Web Services” and its security






Presentation Transcript


  1. “Web Services” and its security (c) Khaled Alghathbar

  2. Overview
  • Web Services
    • Definition
    • What they said
    • Web Services components
    • How it works
    • Success factors
  • W.S. Security
    • Authentication
    • Access Control
    • Secrecy
    • Integrity
    • DoS in Web Services

  3. Definition
  “Loosely coupled, reusable software components that semantically encapsulate discrete functionality and are distributed and programmatically accessible over standard Internet protocols.” [1]
  • Lightweight
  • Platform and language independent
  [1] Sleeper, Brent, and Bill Robins. "Defining Web Services." Stencil Group, June 2001. Accessed 01 Oct. 2001.

  4. What they said
  • Bill Gates points to Web Services as one of the key technology milestones of the past 20 years.
  • Alfred Chuang, COO and co-founder of BEA Systems: “The universal umbrella of Web Services will fuel the next wave.”
  (Timeline graphic: PC → Internet → Web Services)

  5. Web Services components
  • HTTP protocol
  • XML
  • SOAP (Simple Object Access Protocol)
  • WSDL (Web Services Description Language)
  • UDDI (Universal Description, Discovery, and Integration)
  • Others:
    • ebXML (Electronic Business XML)
    • WSFL (Web Services Flow Language)

  6. How it works (architecture diagram)

  7. How it works: because callers depend only on the published interface, changing the internal system, or even switching to another company's service, requires little modification.

  8. Working examples
  • Rent a car at Hertz
  • Temperature and weather conditions
  • Sales rank and price for online bookstores
  • Credit card validator
  • Locate healthcare providers in the USA
  • News headlines on six topics
  • Stock quote with currency conversion
  • Airfare/flight information
  • Access to FedEx tracking information
  • German <-> English translation
  (Source: the XMethods.com service list)

  9. Supporters: IBM, and more… (logo slide)

  10. Success factors
  • Platform independent: programming language and DBMS independent.
  • Lightweight to execute, unlike DCOM and IIOP.
  • Easy to adapt.
  • Low and economical maintenance cost.
  • Reduced integration cost and complexity.
  • Uses HTTP as the transport layer.
  • Uses XML as the data representation.
  • Easy to access over the Internet, unlike traditional distributed object models.

  11. SOAP vs. DCOM & IIOP
  • DCOM and IIOP are not appropriate for the Internet.
  • Both protocols require a large amount of dedicated runtime support.
  • Many firewalls do not permit access by non-HTTP protocols.
  • SOAP needs less organizational effort and fewer resources to secure, because it reuses the existing HTTP security infrastructure (SSL, web-server authentication, proxies).
  The same property cuts both ways: a firewall that passes HTTP also passes SOAP calls it cannot inspect, so the service itself must authenticate and authorize each request rather than relying on the perimeter.
  DCOM = Distributed Component Object Model; IIOP = Internet Inter-ORB Protocol

  12. Web Services vs. CORBA
  • One, Web Services are loosely coupled.
  • Two, Web Services are built on ubiquitous infrastructure such as HTTP and XML.
  • Three, Web Services are meant to be simple: “the problem with CORBA was a little too big” [2]
  [2] Dyck, Timothy. "Web Services Wave." eWEEK, 10 Sept. 2001.

  13. Web Services Security
  • Authentication
  • Access Control
  • Secrecy
  • Integrity
  • DoS in Web Services

  14. Authentication: while a web site is usually accessed directly by users, a Web Service is usually accessed by a program running on behalf of a user. For example, a Web Service may call other Web Services to gather the information the requester needs, so the caller that has to be authenticated is often another service rather than a person at a browser.

  15. Authentication
  Different techniques help with authentication:
  • Basic authentication (credentials are only base64-encoded, so it must not be used without SSL)
  • Basic authentication over SSL
  • Kerberos
  • Client certificates
  • XKMS (for locating and validating the keys behind certificate-based authentication)

  16. XKMS
  XKMS (XML Key Management Specification): “Developers can allow applications to delegate all or part of the processing of XML digital signatures and encrypted elements to VeriSign, shielding the application from the complexity of the underlying PKI.” (VeriSign)
  XKMS was created by Microsoft, VeriSign and webMethods.

  17. XKMS benefits
  • No need to delay PKI deployment pending client support.
  • “Future proof” against new PKI developments.
  • Allows mobile devices to access a full-featured PKI.

  18. XKMS subsections
  • X-KISS (XML Key Information Service Specification): key information processing, i.e. locating and validating keys.
  • X-KRSS (XML Key Registration Service Specification): key registration, key revocation, key recovery.

  19. Access Control (diagram)

  20. Secrecy
  • SSL is a comparatively expensive mechanism, since it encrypts the entire connection.
  • Web Services developers need to secure only the parts of a message that are very sensitive, to reduce the encryption overhead. SSL cannot offer this at this time: it protects the whole channel hop by hop, and nothing remains protected past the SSL endpoint, whereas selectively encrypted elements stay protected through intermediaries and in storage.
  Solution: XML Encryption

  21. XML Encryption example (diagram)

  22. XML Encryption
  XML Encryption uses:
  • AES or Triple DES (in CBC mode) as the block encryption algorithm
  • RSA-OAEP (paired with AES) or RSA PKCS#1 v1.5 (paired with 3DES) as the key transport algorithm; RSA-OAEP is the one to prefer

  23. Integrity: XML Signature
  • It allows a signature to be represented and processed inside an XML document
  • It provides a mechanism for verifying the signature

  24. XML Signature: a fundamental feature of XML Signature is the ability to sign only specific portions of the XML tree rather than the complete document.

  25. XML Signature: the integrity of a signed XML document is checked by comparing the digest of the document with the decrypted digest that forms the signature. Is there a problem?

  26. XML Signature: unfortunately, different XML applications, while processing the information content uniformly, may treat the physical representation of the XML document differently, e.g. an extra space between an element name and the closing tag delimiter ‘>’. The bytes change, so the digest changes, although the meaning does not. What is the solution?

  27. XML Signature: Canonical XML. The canonical form of an XML document is a normalized physical representation that establishes a standard baseline for signature processing: the digest is computed over the canonical form, so equivalent serializations of the same document verify.

  28. XML Signature
  • To compute the digest, the Secure Hash Standard (SHA-1) is used.
  • To sign, HMAC-SHA1 (a MAC with a shared key) or DSA with SHA-1 (DSS, a public-key signature) is used.
  SHA-1 was the baseline in 2001; it is no longer considered collision resistant, and current deployments use SHA-256 digests with RSA-SHA256 or ECDSA signatures.
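A worked example of slides 23 to 28, added by the editor and not code from the original presentation: two serializations of the same order differ only in attribute order, quote style, an extra space before ‘>’ and <Note/> versus <Note></Note>; their raw bytes differ, their canonical forms are identical, and a signature made over one verifies against the other. Written in Go with the standard library. The canonicalize function is a toy stand-in for Canonical XML (it ignores namespaces and comments) and is labelled as such in the code; SignedInfo is trimmed to SignatureMethod and one Reference; the MAC is HMAC-SHA1 over a constructed shared key, as slide 28 lists, and SHA-1 is kept only to match the slide.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"html"
	"io"
	"sort"
	"strings"
)

const algHMACSHA1 = "http://www.w3.org/2000/09/xmldsig#hmac-sha1"
const algSHA1 = "http://www.w3.org/2000/09/xmldsig#sha1"

// canonicalize is a deliberately small stand-in for Canonical XML: it re-serializes the parsed
// tokens so that attribute order, quote style, empty-element syntax and stray whitespace inside
// tags no longer change the bytes. Namespaces, comments and processing instructions are dropped.
func canonicalize(doc string) (string, error) {
	dec := xml.NewDecoder(strings.NewReader(doc))
	var b strings.Builder
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			return b.String(), nil
		} else if err != nil {
			return "", err
		}
		switch t := tok.(type) {
		case xml.StartElement:
			sort.Slice(t.Attr, func(i, j int) bool { return t.Attr[i].Name.Local < t.Attr[j].Name.Local })
			b.WriteString("<" + t.Name.Local)
			for _, a := range t.Attr {
				b.WriteString(" " + a.Name.Local + "=\"" + html.EscapeString(a.Value) + "\"")
			}
			b.WriteString(">")
		case xml.EndElement:
			b.WriteString("</" + t.Name.Local + ">")
		case xml.CharData:
			b.WriteString(html.EscapeString(string(t)))
		}
	}
}

// SignedInfo is what the MAC covers; the content is referenced only through its digest.
type SignedInfo struct {
	XMLName         xml.Name `xml:"SignedInfo"`
	SignatureMethod Method   `xml:"SignatureMethod"`
	DigestMethod    Method   `xml:"Reference>DigestMethod"`
	DigestValue     string   `xml:"Reference>DigestValue"`
}
type Method struct{ Algorithm string `xml:"Algorithm,attr"` }

// digest is the base64 SHA-1 of the canonical form, the value DigestValue carries.
func digest(content string) (string, error) {
	canon, err := canonicalize(content)
	sum := sha1.Sum([]byte(canon))
	return base64.StdEncoding.EncodeToString(sum[:]), err
}

// sign returns the serialized <SignedInfo> and the base64 HMAC-SHA1 over exactly those bytes.
func sign(key []byte, content string) (string, string, error) {
	d, err := digest(content)
	if err != nil {
		return "", "", err
	}
	si, err := xml.Marshal(SignedInfo{SignatureMethod: Method{algHMACSHA1}, DigestMethod: Method{algSHA1}, DigestValue: d})
	if err != nil {
		return "", "", err
	}
	m := hmac.New(sha1.New, key)
	m.Write(si)
	return string(si), base64.StdEncoding.EncodeToString(m.Sum(nil)), nil
}

// verify checks the MAC first (constant time), so SignedInfo's algorithm names are trusted only once authenticated, then re-digests the canonical content.
func verify(key []byte, content, signedInfo, signatureValue string) bool {
	m := hmac.New(sha1.New, key)
	m.Write([]byte(signedInfo))
	want, err := base64.StdEncoding.DecodeString(signatureValue)
	if err != nil || !hmac.Equal(m.Sum(nil), want) {
		return false
	}
	var si SignedInfo
	if xml.Unmarshal([]byte(signedInfo), &si) != nil || si.SignatureMethod.Algorithm != algHMACSHA1 ||
		si.DigestMethod.Algorithm != algSHA1 {
		return false
	}
	d, err := digest(content)
	return err == nil && d == si.DigestValue
}

func main() {
	key := []byte("constructed-demo-hmac-key") // shared secret, constructed for the example
	si, sv, _ := sign(key, `<Order id="7" ><Item  qty='2'>Pen</Item><Note/></Order>`)
	fmt.Println(verify(key, `<Order id="7"><Item qty="2">Pen</Item><Note></Note></Order>`, si, sv))
}
```

The order of checks in verify matters: the MAC is confirmed before anything inside SignedInfo is believed, so an attacker cannot swap the algorithm names or the DigestValue without also breaking the MAC; and because the digest is taken over the canonical form, the whitespace difference from slide 26 no longer causes a spurious failure, while any change to the content itself still does.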

  29. DoS in Web Services: Web Services face the same threats as web sites do. However, most Web Services carry information that is more valuable than a typical web site's, which makes them more attractive targets.

  30. DoS in Web Services (diagram: DoS attacker)

  31. Resources
  • Miller, Michael J. "View From the Top." PC Magazine, 4 Sept. 2001: 164+.
  • Jepsen, T. "SOAP cleans up interoperability problems on the Web." IT Professional 3 (2001): 52-55.
  • Chester, T. M. "Cross-platform integration with XML and SOAP." IT Professional 3 (2001): 26-34.
  • Dyck, Timothy. "Web Services Wave." eWEEK, 10 Sept. 2001: 59+.
  • SOAP Service List. Accessed 01 Oct. 2001. <http://xmethods.com/>
  • Sleeper, Brent, and Bill Robins. "Defining Web Services." Stencil Group, June 2001. Accessed 01 Oct. 2001. <http://www.stencilgroup.com/ideas_scope_200106wsdefined.html>
  • Oettinger, Ryan, and Steven Sachs. "The U.S. Web Services Revolution Will Not Reach Full Scale For Another 18 to 24 Months, Reports Jupiter Media Metrix." Jupiter Media Metrix, 30 Aug. 2001. Accessed 01 Oct. 2001. <http://www.jmm.com/xp/jmm/press/2001/pr_083001.xml>
  • Robins, Bill. "How Web Services Will Beat the 'New New Thing' Rap." Stencil Group, June 2001. Accessed 01 Oct. 2001. <http://www.stencilgroup.com/ideas_scope_200106newnew.html>
  • "Simple Object Access Protocol (SOAP)." Microsoft, 07 Jan. 2001. Accessed 01 Oct. 2001. <http://www.microsoft.com/WINDOWS2000/hpc/soap.asp>
  • Gavrylyuk, Kirill. "Building Secure Web Services with Microsoft SOAP Toolkit 2.0." Microsoft, July 2001. Accessed 01 Oct. 2001. <http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsoap/html/soapsecurity.asp>
  • Sundsted, Todd. "Building Security Into Web Services." Sun Microsystems, 17 Aug. 2001. Accessed 01 Oct. 2001. <http://dcb.sun.com/practices/devnotebook/webserv_security.jsp>
  • "XML Web Services Security." Microsoft, 12 Nov. 2000. N.d. <http://msdn.microsoft.com/vstudio/nextgen/Technology/security.asp>
  • "Web Services Trust and XML Security Standards." Entrust, 9 Apr. 2001. Accessed 01 Oct. 2001. <http://www.entrust.com/resources/pdf/TWS_apr9.pdf>
  • Reagle, Joseph. "XML Encryption Requirements." W3C, 20 Apr. 2001. Accessed 01 Oct. 2001. <http://www.w3.org/TR/xml-encryption-req>
  • Eastlake, Donald, Joseph Reagle, and David Solo. "XML-Signature Syntax and Processing." W3C, 20 Aug. 2001. Accessed 01 Oct. 2001. <http://www.w3.org/TR/xmldsig-core/>
