1 / 23

Enabling Interoperable Secure Web Services

Enabling Interoperable Secure Web Services. Bret Hartman, DataPower Technology July, 2004. Businesses need to innovate at an ever increasing pace Success requires broad interoperability Within an enterprise Between business partners

vondra
Télécharger la présentation

Enabling Interoperable Secure Web Services

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Enabling Interoperable Secure Web Services Bret Hartman, DataPower Technology July, 2004

  2. Businesses need to innovate at an ever increasing pace Success requires broad interoperability Within an enterprise Between business partners Across a heterogeneous set of platforms, applications and programming languages Internet technologies are assumed, interoperability is required THE CONTEXT

  3. The shift to Web services is underway An Internet-native distributed computing model based on XML standards has emerged Early implementations are solving problems today and generating new requirements The Web services standards stack is increasing in size and complexity to meet these requirements The fundamental characteristic of Web services is interoperability THE CONTEXT

  4. Guidance A common definition for Web services Implementation guidance and support for Web services adoption Interoperability Across platforms, applications, and languages Consistent, reliable interoperability between Web services technologies from multiple vendors A standards integrator to help Web services advance in a structured, coherent manner WHAT IS NEEDED?

  5. ABOUT WS-I • An open industry effort chartered to promote Web Services interoperability across platforms, applications and programming languages. • A standards integrator to help Web services advance in a structured, coherent manner • Approximately 150 member organizations • 70% vendors, 30% end-user organizations • 80% North America with active worldwide membership

  6. Achieve Web services interoperability Integrate specifications Promote consistent implementations Provide a visible representation of conformance Accelerate Web services deployment Offer implementation guidance and best practices Deliver tools and sample applications Provide a implementer’s forum where developers can collaborate Encourage Web services adoption Build industry consensus to reduce early adopter risks Provide a forum for end users to communicate requirements Raise awareness of customer business requirements WS-I GOALS

  7. Basic Profile Addresses the core set of specifications (e.g., SOAP, WSDL, UDDI, attachments, etc.) that provide the foundation for Web services Basic Security Profile (New!) Addresses transport security, SOAP messaging security, and other security considerations Requirements Gathering Captures business requirements to drive future profile selection Sample Applications Illustrate best practices for implementations on multiple vendor platforms Testing Tools and Materials Develops self-administered tests to very conformance with WS-I profiles WORKING GROUPS

  8. WS-I, STANDARDS AND INDUSTRY Standards Specifications Requirements Implementation Guidance Requirements Businesses, Industry Consortia, Developers, End Users

  9. MILESTONES • Basic Profile 1.0 Package • Delivered Basic Profile 1.0, and associated sample applications and test tools as Final Material • More than 200 interoperability issues resolved in Basic Profile 1.0 • Conventions around messaging, description and discovery • Vendors are incorporating the Basic Profile 1.0 into products and services • End-users are requiring conformance

  10. CURRENT WORK: BASIC PROFILES • Basic Profile 1.1 • Derived from the Basic Profile 1.0 incorporating any errata to date and separating out requirements related to the serialization of envelopes and their representation in messages • Attachments Profile 1.0 • Complements Basic Profile 1.1 to add support for interoperable SOAP messages with attachments • Simple SOAP Binding Profile 1.0 • Derived from those Basic Profile 1.0 requirements related to the serialization of the envelope and its representation in the message, incorporating any errata to date • Board Approval Drafts of these profiles were delivered June 3

  11. CURRENT WORK: BASIC SECURITY PROFILE • Security Scenarios • Identifies security challenges and threats in building interoperable Web services and countermeasures for these risks • Basic Security Profile • Addresses transport security, SOAP messaging security and other security considerations • References existing specifications used to provide security, including the OASIS Web Services Security 1.0 specification • HTTP over TLS • SOAP with Attachments • WS-Security with Username and X.509 token profiles • SAML Token Profile and REL (XRML) Token Profile are being considered

  12. SECURITY SCENARIOS WORKING DRAFT • Addresses • Security Challenges • Threats • Security Solutions and Mechanisms • Scenarios • February, 2004 draft for public comment • http://ws-i.org/Profiles/BasicSecurity/2004-02/SecurityScenarios-0.15-WGD.pdf • Final Security Scenarios expected in August, 2004

  13. SECURITY CHALLENGES • Peer Identification and Authentication • Data Origin Identification and Authentication • Data Integrity • Transport Data Integrity • SOAP Message Integrity • Data Confidentiality • Transport Data Confidentiality • SOAP Message Confidentiality • Message Uniqueness • Out of Scope • Credentials Issuance

  14. THREATS • Message alteration • Attachment alteration • Confidentiality • Falsified messages • Man in the middle • Principal spoofing • Repudiation • Forged claims • Replay of message parts • Replay • Denial of service - amplifier

  15. SECURITY SOLUTIONS AND MECHANISMS • Integrity, confidentiality, authentication, attributes • Transport layer (HTTP/HTTPS) • HTTP and SSL/TLS mechanisms • Message layer • WSS mechanisms • Securing SOAP with Attachments • Combinations • Large number of theoretically possible combinations • Identified nine believed to be of practical utility • Security considerations • Properties, threats addressed, limitations

  16. SCENARIOS • Generic requirements • Peer authentication • Integrity • Confidentiality • Origin authentication • Scenario descriptions • One-way • Synchronous request / response • Basic callback • Others?

  17. WS-I BASIC SECURITY PROFILE (BSP) 1.0 • Methodology • Reviewed WSS Documents (WSS core, username, X.509) • Comments to WSS TC • Generated potential profiling points (captured as issues) • Reviewed underlying documents • IETF RFCs covering TLS • XML Signature, XML Encryption • Identified 90+ potential profiling points by looking for anything other than MUST (e.g. options in specifications) • Many have since been dropped • First public Working Draft published May, 2004 • http://ws-i.org/Profiles/BasicSecurityProfile-1.0-2004-05-12.html • Final BSP expected in September, 2004

  18. BSP 1.0 QUESTIONS AND ANSWERS • Cover SSL? • Yes, mentioned in WS-I Basic Profile 1.0 • Address SOAP intermediaries? • Yes, must be considered because of security implications • What will document look like? • Identify constraints by category, as in Basic Profile • If and how to handle security considerations? • Added security considerations section even though it is not testable • One profile or several? • BSP 1.0 will be one document • Subsequent token profiles can be published separately • How to secure Attachment Profile 1.0? • Decided to use WSS and to request OASIS TC to do this work

  19. EXAMPLE REQUIREMENT 4. Transport Layer Security This section of the Profile incorporates the following specifications by reference, and defines extensibility points within them: • HTTP over TLSExtensibility points: • E0001 - Ciphersuites - Additional ciphersuites may be specified. 4.1 SSL and TLS The following specifications (or sections thereof) are referred to in this section of the Profile; HTTP over TLS: Section 2.2.1 SSL and TLS are both used as underlying protocols for HTTP/S. This profile places the following constraints on those protocols: 4.1.1 Use of SSL 2.0 SSL 2.0 has known security issues and all current implementations of HTTP/S support more recent protocols. Therefore this profile prohibits use of SSL 2.0. R2001 A SENDER MUST NOT use SSL 2.0 as the underlying protocol for HTTP/S R2002 A RECEIVER MUST NOT use SSL 2.0 as the underlying protocol for HTTP/S

  20. usage scenarios profile use cases OTHER BSP 1.0 DELIVERABLES sample applications scenarios and sample applications web services basic security profile testing tools other test materials testing tools and materials

  21. TESTING AND DEMONSTRATING BSP 1.0 • How to test Basic Security Profile 1.0? • Basic Profile 1.0 testing tools used a man in the middle testing strategy • Will this work for BSP 1.0 since one of its objectives is to stop man in the middle attacks? • What level does the testing take place at? • Highest level message syntax? • After parts of the message have been decrypted? • BSP sample applications and usage scenarios • Based on sample application for Basic Profile 1.0 adding security aspects

  22. FUTURE WORK PLANS • Additional token profiles • Candidates include Kerberos, REL (XRML), SAML • Depends on progress by OASIS TC • Final material ETA: November, 2004

  23. QUESTIONS • Today • Later • E-mail bhartman@datapower.com • Comments on BSP documents • E-mail wsi_secprofile_comment@lists.ws-i.org • Security Scenarios published February, 2004 • http://ws-i.org/Profiles/BasicSecurity/2004-02/SecurityScenarios-0.15-WGD.pdf • BSP 1.0 WD published May, 2004 • http://ws-i.org/Profiles/BasicSecurityProfile-1.0-2004-05-12.html Thanks to Paul Cotton, chair of WS-I Basic Security Profile Working Group for much of the material in this presentation!

More Related