
Web Services Security – Ready for Wireless?

Immo Hüneke, Technical Architect. Storage Days Europe 2003, Birmingham, 13 May 2003.


Presentation Transcript


  1. Web Services Security – Ready for Wireless?
     Immo Hüneke, Technical Architect
     Storage Days Europe 2003, Birmingham, 13 May 2003

  2. Agenda
     • Who is ObjectValue
     • What is meant by Web Services
     • Approaches to Wireless Security
     • Web Services (WS-) Security
     • An example
     • Discussion
     • Conclusion and Recommendation
     WS-Security: Ready for Wireless?

  3. ObjectValue
     • Founded 2002 – see www.objectvalue.com
     • Vehicle for my consulting and contracting activities
     • Example projects
       • Technical support for Tandem-based Intelligent Network call routing system (Mobile operator in South Africa)
       • Requirements study for Engineering Access Modelling and Planning systems (Underground railway operating company)
     • Expertise in mobile computing, wireless internet and advanced methodology

  4. Web Services
     • Web Services are replacing other integration technologies in many contexts
     • They promise in the long term to enable the fully automated assembly of distributed application functionality on demand from published service components
     • This is currently a pipe dream
     • Nevertheless, many application vendors are urgently overhauling their products to expose their individual functions as Web Services
       • PeopleSoft
       • SAP
       • all Microsoft products released with the .NET branding

  5. Web Services (ii)
     • Web Services, using XML as a lingua franca, have emerged as the next-generation Web-based technology for exchanging information
     • Web Services are modular, self-describing applications that are accessible over the Internet
     • Web Services are based on open standards
     • Web Services enable Web-based applications to interoperate between any platform, object model, and programming language (in theory!)
     • “Web Services allow any piece of software to communicate with a standardized XML messaging system.” – Hari Mailvaganam

  6. Web Services (iii)
     • Two main schools of thought
     • Both supported through OASIS/Open
     • ebXML (more mature, top-down)
       • “Business Web Services” (Sun)
       • Business Process / Business Document model
       • BPSS, CPP/CPA, ebMS, SOAP with Attachments, MIME
     • WSDL/UDDI (more noise, bottom-up)
       • “Enterprise Web Services” (Sun)
       • Remote Method Call model
       • WSDL, UDDI repository, SOAP (“WUS”), plus options:
         • WS-Transaction
         • WS-Security
         • BPEL4WS …

  7. Web Services Example (i)
     • Currency Conversion rate lookup
     • http://www.webserviceX.net/CurrencyConvertor.asmx
     • Append ?wsdl to see the service definition
     [Diagram: Client -> Server over HTTP/SOAP; inputs From-currency and To-currency, output Rate]

  8. Web Services Example (ii)
     <?xml version="1.0"?>
     <definitions xmlns:http="http://schemas.xmlsoap.org/wsdl/http/"
                  xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
                  xmlns:s="http://www.w3.org/2001/XMLSchema"
                  xmlns:s0="http://www.webserviceX.NET/"
                  xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
                  xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/"
                  xmlns:mime="http://schemas.xmlsoap.org/wsdl/mime/"
                  targetNamespace="http://www.webserviceX.NET/"
                  xmlns="http://schemas.xmlsoap.org/wsdl/">
       <types>
         <s:schema elementFormDefault="qualified" targetNamespace="http://www.webserviceX.NET/">
           <s:element name="ConversionRate">
             <s:complexType>
               <s:sequence>
                 <s:element minOccurs="1" maxOccurs="1" name="FromCurrency" type="s0:Currency"/>
                 <s:element minOccurs="1" maxOccurs="1" name="ToCurrency" type="s0:Currency"/>
               </s:sequence>
             </s:complexType>
           </s:element>
           <s:simpleType name="Currency">
             <s:restriction base="s:string">
               <s:enumeration value="AFA"/>

  9. Where does it make sense to use Web Services?
     • Suggestion: use sparingly
     • Only where scalability or other business benefit is gained by decoupling layers
     [Diagram: application layers – Client, Presentation, Application, Business Process, Business Logic / Rules, Business Data]

  10. Approaches to Security
      • Link Layer
      • Network Layer
        • IPSec
      • Transport Layer
        • TLS/SSL
        • WTLS
      • Session Layer
        • SSH
      • End-to-End / Application Layer
        • SAML
        • WS-Security

  11. Non-Application-Layer Approaches
      [Diagram: Client, Client proxy, Server proxy and Server, each with a Socket Layer over TCP (UDP) over an IP Layer; security is applied hop by hop between the proxies]

  12. Application Layer Approaches
      [Diagram: Client -> Security Lib -> Message -> (Any Protocol, Any Network, Any Path) -> Message -> Security Lib -> Server]

  13. Web Services Security
      • Services provided
        • Single-message authentication
          • security tokens and digital (XML) signature
        • Message integrity
          • XML Signature
        • Message confidentiality
          • XML Encryption

  14. WS-Security (ii)
      • SOAP Envelope
        • SOAP Header
          • Security Header
            • Token, Token, …
            • Signature, Signature, …
          • Other Headers (optional)
        • SOAP Body (optionally partly or wholly encrypted)

  15. WS-Security (iii)
      <?xml version="1.0" encoding="utf-8"?>
      <S:Envelope xmlns:S="http://www.w3.org/2001/12/soap-envelope"
                  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                  xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/xx/utility">
        <!-- the xmlns:wsu declaration is added: the slide uses the wsu: prefix without
             declaring it; the draft-era utility namespace URI is an assumption -->
        <S:Header>
          <wsse:Security xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/xx/secext">
            <wsse:UsernameToken wsu:Id="MyID">
              ...
            </wsse:UsernameToken>
            <ds:Signature>
              <ds:SignedInfo>
                ...
              </ds:SignedInfo>
              <ds:SignatureValue>DJbchm5gK...</ds:SignatureValue>
              <ds:KeyInfo>
                ...
              </ds:KeyInfo>
            </ds:Signature>
          </wsse:Security>
        </S:Header>
        <S:Body wsu:Id="MsgBody">
          ...
        </S:Body>
      </S:Envelope>

  16. Example
      • Mobile Sales Rep enters a customer order
      • Message Authentication is used to verify the identity of the user (and check access permissions – outside the scope of WS-Security)
      • Message Integrity is used to ensure that the order cannot be modified in transit without detection (e.g. to change quantity, price or delivery address)
      • Message Confidentiality is used to ensure that the customer’s order details are not seen by anyone except the supplier
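The authentication and integrity services of slide 13, applied to the sales-rep order of slide 16 using the envelope layout of slide 15, as an added example that is not part of the presentation: it builds the wsse:Security header with a UsernameToken and an HMAC-based XML Signature whose Reference covers the wsu:Id-tagged Body, using only the Python standard library, then verifies it and rejects a message whose quantity was altered in transit. It assumes a shared secret between the mobile client and the supplier (a production deployment would use X.509 keys; XML Encryption for confidentiality is not shown), the draft-era wsu utility namespace URI, and the constructed order message.

```python
import base64, hashlib, hmac
import xml.etree.ElementTree as ET
NS = {"S": "http://www.w3.org/2001/12/soap-envelope",  # URIs as in the slide-15 sample
      "wsse": "http://schemas.xmlsoap.org/ws/2002/xx/secext",
      "wsu": "http://schemas.xmlsoap.org/ws/2002/xx/utility",  # assumed (not on the slide)
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
for _p, _u in NS.items(): ET.register_namespace(_p, _u)
SIG_ALG = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"
q = lambda prefix, local: "{%s}%s" % (NS[prefix], local)
def c14n(elem):  # C14N 2.0 (stdlib): attribute order / empty-tag style cannot change the digest
    return ET.canonicalize(ET.tostring(elem, encoding="unicode")).encode()
def digest_b64(elem):
    return base64.b64encode(hashlib.sha256(c14n(elem)).digest()).decode()

def sign_envelope(envelope_xml, username, key):
    """UsernameToken (who sent it) plus HMAC XML Signature over the wsu:Id-referenced Body."""
    root = ET.fromstring(envelope_xml)
    body = root.find("S:Body", NS)
    body.set(q("wsu", "Id"), "MsgBody")
    sec = ET.SubElement(root.find("S:Header", NS), q("wsse", "Security"))
    tok = ET.SubElement(sec, q("wsse", "UsernameToken"), {q("wsu", "Id"): "MyID"})
    ET.SubElement(tok, q("wsse", "Username")).text = username
    sig = ET.SubElement(sec, q("ds", "Signature"))
    si = ET.SubElement(sig, q("ds", "SignedInfo"))
    ET.SubElement(si, q("ds", "CanonicalizationMethod"), Algorithm="http://www.w3.org/2010/xml-c14n2")
    ET.SubElement(si, q("ds", "SignatureMethod"), Algorithm=SIG_ALG)
    ref = ET.SubElement(si, q("ds", "Reference"), URI="#MsgBody")
    ET.SubElement(ref, q("ds", "DigestMethod"), Algorithm="http://www.w3.org/2001/04/xmlenc#sha256")
    ET.SubElement(ref, q("ds", "DigestValue")).text = digest_b64(body)
    mac = hmac.new(key, c14n(si), hashlib.sha256).digest()  # signs SignedInfo, which holds the digest
    ET.SubElement(sig, q("ds", "SignatureValue")).text = base64.b64encode(mac).decode()
    return ET.tostring(root, encoding="unicode")

def verify_envelope(signed_xml, key):
    """True only if exactly one element carries the referenced Id, its digest matches,
    and the SignedInfo HMAC verifies under the shared key."""
    root = ET.fromstring(signed_xml)
    sig = root.find("S:Header/wsse:Security/ds:Signature", NS)
    si = sig.find("ds:SignedInfo", NS)
    ref = si.find("ds:Reference", NS)
    hits = [e for e in root.iter() if e.get(q("wsu", "Id")) == (ref.get("URI") or "")[1:]]
    if len(hits) != 1:  # a duplicated Id could point the verifier at a decoy element
        return False
    digest_ok = hmac.compare_digest(ref.findtext("ds:DigestValue", "", NS), digest_b64(hits[0]))
    mac = hmac.new(key, c14n(si), hashlib.sha256).digest()
    mac_ok = hmac.compare_digest(base64.b64decode(sig.findtext("ds:SignatureValue", "", NS)), mac)
    return digest_ok and mac_ok

ORDER = ('<S:Envelope xmlns:S="%s"><S:Header/><S:Body><Order><Item>widget</Item>'  # constructed
         '<Quantity>10</Quantity></Order></S:Body></S:Envelope>' % NS["S"])
```

The Body is signed by reference, so the envelope can be stored and forwarded (slide 17) and still verified, while editing the quantity, or resending under a different shared key, fails verification.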

  17. Advantages
      • End-to-end message confidentiality, integrity and authentication are assured
      • Messages can be stored, retrieved and forwarded arbitrary numbers of times
      • Extensible
        • Multiple security token formats
        • Multiple trust domains
        • Multiple signature formats
        • Multiple encryption technologies

  18. Drawbacks
      • Immaturity of the specification
      • Many things outside the scope
        • Trust establishment
        • Security policy exchange and agreement
        • Security context specification
        • Authentication mechanisms
        • Key management
      • Only one security header per message
      • Processing and bandwidth overheads
        • XML and SOAP are verbose: WS-Security exacerbates this
        • Signatures & tokens must be generated / checked every time
        • Onerous verification, logging and error reporting
      • Not ideally suited to inter-enterprise exchanges

  19. Conclusion and Recommendation
      • Yes, it can be done
      • But the effort doesn’t seem worth it for the current generation of mobile devices
      • VPN-style solutions lead to quicker and more dependable results
      • Wait for standards to settle down
      • Decide your business model
        • Extension of the enterprise network to the mobile
        • Direct interaction of mobile device with Web Services offered by multiple providers

  20. A Hybrid Solution
      [Diagram: Mobile App (client part) -> Internet -> VPN / Firewall -> Mobile App (server part) -> WS-Security -> In-House Web Service; Mobile App (client part) -> Internet -> WS-Security -> Third Party Web Service]

  21. Thank You! Questions?
      ObjectValue Ltd., 31 Guildford Way, Wallington, Surrey SM6 8NS, United Kingdom
      www.objectvalue.com
      Immo Hüneke BSc MBCS CEng, Director
      Tel. +44 (0)20 8395 5835; +44 (0)7941 072 238
      immo.huneke@objectvalue.com
      Software Systems consultancy & development
