Enhancing Web Service Security: A Pattern for WS-Security
This presentation by Keiko Hashizume outlines the development of a pattern for WS-Security, addressing the confusion around web services standards that hinder vendors and users alike. The WS-Security standard, enhancing SOAP messaging, focuses on message confidentiality, integrity, authentication, and non-repudiation. Key challenges addressed include preventing unauthorized access, message modification, and replay attacks. Solutions involve implementing security tokens, encryption, and digital signatures in SOAP headers. The importance of developing related patterns, such as XML Encryption and WS-Policy, is emphasized for robust web service security.
Presentation Transcript
A Pattern for WS-Security
Presented by Keiko Hashizume

Outline
• Introduction
• A Pattern for WS-Security
• Conclusion

Introduction
• Web services standards are confusing, which makes it difficult for vendors to develop products that comply with the standards and for users to decide which product to use.
• That is why we need to develop patterns for these standards.
• Patterns embody the knowledge and experience of software developers about a recurrent problem. A pattern solves a specific problem in a given context and can be tailored to fit different situations.

WS-Security Standard
• Originally developed by IBM, Microsoft, VeriSign, and Forum Systems.
• OASIS specification
• Latest version: WS-Security 1.1
• Approved in February 2006
A Pattern for WS-Security
• The WS-Security standard describes enhancements to SOAP messaging that provide:
  • Message confidentiality
  • Message integrity
  • Message authentication
  • Non-repudiation
• Context
  • Users of web services send and receive SOAP messages over the Internet.

A Pattern for WS-Security
• Problem
• Forces:
  • We need to prevent unauthorized users from reading data in transit.
  • We need to protect data in transit from being modified by attackers.
  • We need to verify the producer of the message.
  • We need to prevent message replay.

A Pattern for WS-Security
• Solution
  • Use a set of mechanisms that improve security by describing how to add security information to the header part of a message.
  • Elements that can be included in the SOAP security header:
    • Security tokens
    • Encryption
    • Digital signature
    • Timestamps
A Pattern for WS-Security
• Dynamics
  • Sequence diagram for the use case: Encrypt an element using security tokens

A Pattern for WS-Security
• Dynamics
  • Sequence diagram for the use case: Sign an element using security tokens

A Pattern for WS-Security
• Consequences
  This pattern presents the following advantages:
  • XML Encryption hides information from unauthorized users.
  • XML Digital Signature is used to verify whether a message was modified in transit.
  • The combination of XML Signature and security tokens verifies that the user is who he claims to be.
  • We can prevent message replay using timestamps.
  The pattern also has some (possible) liabilities:
  • This pattern does not describe fixed security protocols.
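The following Python is an added example, not code from the presentation or from the OASIS specification text. It covers the Solution slide (security information carried in the SOAP header) and the timestamp/replay point of the Consequences slide: the sender wraps a body in a SOAP 1.1 envelope whose wsse:Security header holds a wsu:Timestamp and a wsse:UsernameToken in PasswordDigest form (Base64(SHA-1(nonce + created + password)), as defined in the OASIS UsernameToken Profile); the receiver then validates the digest, rejects stale or expired timestamps, and rejects a replayed nonce. The namespace URIs, attribute values and digest formula are those of the OASIS schemas; the username, password, body element and in-memory nonce cache are constructed for the example. XML Encryption and XML Signature, which the Dynamics slides describe, are not implemented here.

```python
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Namespaces from SOAP 1.1 and the OASIS WS-Security 1.0 schemas.
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
B64_TYPE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
for prefix, uri in (("soapenv", SOAP_NS), ("wsse", WSSE_NS), ("wsu", WSU_NS)):
    ET.register_namespace(prefix, uri)

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def q(ns, local):
    """Clark-notation tag name used by ElementTree."""
    return "{%s}%s" % (ns, local)


def password_digest(nonce, created, password):
    """UsernameToken Profile digest: Base64(SHA-1(nonce + created + password)), nonce as raw bytes."""
    h = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return base64.b64encode(h).decode()


def build_secured_envelope(username, password, body_xml, now, nonce=None, ttl=300):
    """Sender side: wrap body_xml in a SOAP envelope whose wsse:Security header
    carries a wsu:Timestamp and a digest-form wsse:UsernameToken."""
    nonce = nonce or os.urandom(16)
    created = now.strftime(TIME_FMT)
    env = ET.Element(q(SOAP_NS, "Envelope"))
    sec = ET.SubElement(ET.SubElement(env, q(SOAP_NS, "Header")), q(WSSE_NS, "Security"))
    sec.set(q(SOAP_NS, "mustUnderstand"), "1")  # the receiver must process this header
    ts = ET.SubElement(sec, q(WSU_NS, "Timestamp"))
    ET.SubElement(ts, q(WSU_NS, "Created")).text = created
    ET.SubElement(ts, q(WSU_NS, "Expires")).text = (now + timedelta(seconds=ttl)).strftime(TIME_FMT)
    tok = ET.SubElement(sec, q(WSSE_NS, "UsernameToken"))
    ET.SubElement(tok, q(WSSE_NS, "Username")).text = username
    ET.SubElement(tok, q(WSSE_NS, "Password"), Type=DIGEST_TYPE).text = password_digest(nonce, created, password)
    ET.SubElement(tok, q(WSSE_NS, "Nonce"), EncodingType=B64_TYPE).text = base64.b64encode(nonce).decode()
    ET.SubElement(tok, q(WSU_NS, "Created")).text = created
    ET.SubElement(env, q(SOAP_NS, "Body")).append(ET.fromstring(body_xml))
    return ET.tostring(env, encoding="unicode")


class Receiver:
    """Receiver side: validates the Security header and keeps a nonce cache
    (in-memory, constructed for the example) to detect replayed messages."""

    def __init__(self, passwords, max_skew=300):
        self.passwords = passwords                 # username -> password (constructed sample store)
        self.max_skew = timedelta(seconds=max_skew)
        self.seen = {}                             # nonce bytes -> Created time

    def verify(self, xml_text, now):
        env = ET.fromstring(xml_text)
        sec = env.find("%s/%s" % (q(SOAP_NS, "Header"), q(WSSE_NS, "Security")))
        if sec is None:
            return "rejected: no Security header"
        ts = sec.find(q(WSU_NS, "Timestamp"))
        if ts is None:
            return "rejected: no Timestamp"
        created = datetime.strptime(ts.findtext(q(WSU_NS, "Created")), TIME_FMT).replace(tzinfo=timezone.utc)
        expires = datetime.strptime(ts.findtext(q(WSU_NS, "Expires")), TIME_FMT).replace(tzinfo=timezone.utc)
        # Freshness: reject expired messages and those outside the allowed clock-skew window.
        if now >= expires or abs(now - created) > self.max_skew:
            return "rejected: stale timestamp"
        tok = sec.find(q(WSSE_NS, "UsernameToken"))
        if tok is None:
            return "rejected: no UsernameToken"
        user = tok.findtext(q(WSSE_NS, "Username"))
        if user not in self.passwords:
            return "rejected: bad credentials"
        nonce = base64.b64decode(tok.findtext(q(WSSE_NS, "Nonce")))
        expected = password_digest(nonce, tok.findtext(q(WSU_NS, "Created")), self.passwords[user])
        if not hmac.compare_digest(expected, tok.findtext(q(WSSE_NS, "Password")) or ""):
            return "rejected: bad credentials"
        # Replay: drop cache entries older than the skew window, then reject a nonce already seen.
        self.seen = {n: c for n, c in self.seen.items() if now - c <= self.max_skew}
        if nonce in self.seen:
            return "rejected: replayed nonce"
        self.seen[nonce] = created
        return "accepted"
```

The freshness check is what keeps the nonce cache bounded: any message outside the skew window is rejected before the cache is consulted, so the receiver only needs to remember nonces from the last few minutes. In a deployment with several receiver instances the cache would have to be shared, otherwise a message could be replayed against a different instance.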
A Pattern for WS-Security
• Known Uses
  Several vendors have developed products that support WS-Security.
  • Xtradyne's WS-DBC (Web Service Domain Boundary Controller): http://www.xtradyne.com/products/ws-dbc/WSDBCfeatures.htm
  • IONA Artix: www.iona.com/info/aboutus/collateral/Artix%20and%20Security.pdf
  • Forum Sentry™: http://forumsys.com/products_sentry_specs.htm
  • Microsoft TrustBridge: http://www.microsoft.com/presspass/press/2002/Jun02/06-06TrustbridgePR.mspx

A Pattern for WS-Security
• Related Patterns
  • WS-Security uses XML Signature and XML Encryption.
  • Secure Channel contains a set of security protocols that provide identity authentication and secure, private communication through encryption.
  • Strategy

Conclusion
• We need to develop related patterns such as XML Encryption and XML Signature.
• We need to develop patterns for the WS family of standards, such as WS-Policy, WS-Privacy, WS-SecureConversation, WS-Federation, and WS-Authorization.