Page 1: Web Services Security – Ready for Wireless?

Web Services Security – Ready for Wireless?
Immo Hüneke, Technical Architect, ObjectValue Ltd.
Storage Days Europe 2003, Birmingham, 13 May 2003
Contents Confidential & Proprietary to ObjectValue Ltd. © 2003

Page 2: Agenda

• Who is ObjectValue
• What is meant by Web Services
• Approaches to Wireless Security
• Web Services (WS-) Security
• An example
• Discussion
• Conclusion and Recommendation

Page 3: ObjectValue

• Founded 2002 – see www.objectvalue.com
• Vehicle for my consulting and contracting activities
• Example projects
  – Technical support for a Tandem-based Intelligent Network call routing system (mobile operator in South Africa)
  – Requirements study for Engineering Access Modelling and Planning systems (underground railway operating company)
• Expertise in mobile computing, wireless internet and advanced methodology

Page 4: Web Services

• Web Services are replacing other integration technologies in many contexts
• They promise in the long term to enable the fully automated assembly of distributed application functionality on demand from published service components
  – This is currently a pipe dream
• Nevertheless, many application vendors are urgently overhauling their products to expose their individual functions as Web Services
  – Peoplesoft
  – SAP
  – All Microsoft products released with the .NET branding

Page 5: Web Services (ii)

• Web Services, using XML as a lingua franca, have emerged as the next-generation Web-based technology for exchanging information
• Web Services are modular, self-describing applications that are accessible over the Internet
• Web Services are based on open standards
• Web Services enable Web-based applications to interoperate between any platform, object model, and programming language (in theory!)

“Web Services allow any piece of software to communicate with a standardized XML messaging system.” – Hari Mailvaganam

Page 6: Web Services (iii)

• Two main schools of thought
  – Both supported through OASIS/Open
• ebXML (more mature, top-down)
  – “Business Web Services” (Sun)
  – Business Process / Business Document model
  – BPSS, CPP/CPA, ebMS, SOAP with Attachments, MIME
• WSDL/UDDI (more noise, bottom-up)
  – “Enterprise Web Services” (Sun)
  – Remote Method Call model
  – WSDL, UDDI repository, SOAP (“WUS”), plus options: WS-Transaction, WS-Security, BPEL4WS, …

Page 7: Web Services Example (i)

• Currency Conversion rate lookup
  – http://www.webserviceX.net/CurrencyConvertor.asmx
  – Append ?wsdl to see the service definition

Diagram: the Client sends From-currency and To-currency to the Server over HTTP/SOAP; the Server returns the Rate.

Page 8: Web Services Example (ii)

    <?xml version="1.0"?>
    <definitions xmlns:http="http://schemas.xmlsoap.org/wsdl/http/"
                 xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
                 xmlns:s="http://www.w3.org/2001/XMLSchema"
                 xmlns:s0="http://www.webserviceX.NET/"
                 xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
                 xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/"
                 xmlns:mime="http://schemas.xmlsoap.org/wsdl/mime/"
                 targetNamespace="http://www.webserviceX.NET/"
                 xmlns="http://schemas.xmlsoap.org/wsdl/">
      <types>
        <s:schema elementFormDefault="qualified" targetNamespace="http://www.webserviceX.NET/">
          <s:element name="ConversionRate">
            <s:complexType>
              <s:sequence>
                <s:element minOccurs="1" maxOccurs="1" name="FromCurrency" type="s0:Currency"/>
                <s:element minOccurs="1" maxOccurs="1" name="ToCurrency" type="s0:Currency"/>
              </s:sequence>
            </s:complexType>
          </s:element>
          <s:simpleType name="Currency">
            <s:restriction base="s:string">
              <s:enumeration value="AFA"/>
              …
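As an added example (not part of the slides and not the webserviceX service's own code), the script below reads the schema part of a WSDL shaped like the excerpt above and checks an incoming ConversionRate request against the Currency enumeration it declares, so a service rejects currency codes the published contract does not allow instead of passing them on to business logic. The WSDL text is a constructed, shortened copy of the excerpt that keeps only three currency codes.

```python
import xml.etree.ElementTree as ET

XS = "http://www.w3.org/2001/XMLSchema"

# Constructed, shortened copy of the CurrencyConvertor WSDL excerpt: only three currency codes are kept.
WSDL_TEXT = """<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
  xmlns:s="http://www.w3.org/2001/XMLSchema" xmlns:s0="http://www.webserviceX.NET/"
  targetNamespace="http://www.webserviceX.NET/">
  <types>
    <s:schema elementFormDefault="qualified" targetNamespace="http://www.webserviceX.NET/">
      <s:element name="ConversionRate"><s:complexType><s:sequence>
        <s:element minOccurs="1" maxOccurs="1" name="FromCurrency" type="s0:Currency"/>
        <s:element minOccurs="1" maxOccurs="1" name="ToCurrency" type="s0:Currency"/>
      </s:sequence></s:complexType></s:element>
      <s:simpleType name="Currency"><s:restriction base="s:string">
        <s:enumeration value="AFA"/><s:enumeration value="EUR"/><s:enumeration value="GBP"/>
      </s:restriction></s:simpleType>
    </s:schema>
  </types>
</definitions>"""

def enumerations(wsdl_text):
    """Map each enumerated simpleType in the schema to the set of values it permits."""
    root = ET.fromstring(wsdl_text)
    result = {}
    for st in root.iter(f"{{{XS}}}simpleType"):
        values = {e.get("value") for e in st.iter(f"{{{XS}}}enumeration")}
        if values:
            result[st.get("name")] = values
    return result

def request_fields(wsdl_text, element_name):
    """List (field name, local type name) for the children of the named request element."""
    root = ET.fromstring(wsdl_text)
    for el in root.iter(f"{{{XS}}}element"):
        if el.get("name") == element_name:
            return [(c.get("name"), c.get("type").split(":")[-1])
                    for c in el.iter(f"{{{XS}}}element") if c is not el]
    return []

def validate_request(wsdl_text, element_name, values):
    """Return the fields that are missing or carry a value outside their type's enumeration."""
    enums = enumerations(wsdl_text)
    bad = []
    for name, type_name in request_fields(wsdl_text, element_name):
        if name not in values or (type_name in enums and values[name] not in enums[type_name]):
            bad.append(name)
    return bad
```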

Page 9: Where does it make sense to use Web Services?

Diagram: application layers – Client, Presentation, Application, Business Process, Business Logic / Rules, Business Data.

Suggestion: use sparingly – only where scalability or another business benefit is gained by decoupling layers.

Page 10: Approaches to Security

• Link Layer
• Network Layer: IPSec
• Transport Layer: TLS/SSL, WTLS
• Session Layer: SSH
• End-to-End / Application Layer: SAML, WS-Security

Page 11: Non-Application-Layer Approaches

Diagram: four protocol stacks – Client, Client proxy, Server proxy, Server – each showing the IP Layer, TCP (UDP) and the Socket Layer.

Page 12: Application Layer Approaches

Diagram: the Client and the Server each hold a Security Lib; the Message passes between them over Any Network, Any Path, Any Protocol.

Page 13: Web Services Security

• Services provided
  – Single-message authentication: security tokens and digital (XML) signature
  – Message integrity: XML Signature
  – Message confidentiality: XML Encryption

Page 14: WS-Security (ii)

Diagram: a SOAP Envelope containing a SOAP Header and a SOAP Body (optionally partly or wholly encrypted). The SOAP Header holds the Security Header – Tokens, Signatures, … – and Other Headers (optional).

Page 15: WS-Security (iii)

    <?xml version="1.0" encoding="utf-8"?>
    <S:Envelope xmlns:S="http://www.w3.org/2001/12/soap-envelope"
                xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/xx/utility">
      <!-- The wsu declaration above is assumed: the slide uses the wsu: prefix without declaring it -->
      <S:Header>
        <wsse:Security xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/xx/secext">
          <wsse:UsernameToken wsu:Id="MyID">
            ...
          </wsse:UsernameToken>
          <ds:Signature>
            <ds:SignedInfo>
              ...
            </ds:SignedInfo>
            <ds:SignatureValue>DJbchm5gK...</ds:SignatureValue>
            <ds:KeyInfo>
              ...
            </ds:KeyInfo>
          </ds:Signature>
        </wsse:Security>
      </S:Header>
      <S:Body wsu:Id="MsgBody">
        ...
      </S:Body>
    </S:Envelope>

Page 16: Example

• A mobile sales rep enters a customer order
• Message Authentication is used to verify the identity of the user (and to check access permissions – outside the scope of WS-Security)
• Message Integrity is used to ensure that the order cannot be modified in transit without detection (e.g. to change quantity, price or delivery address)
• Message Confidentiality is used to ensure that the customer’s order details are not seen by anyone except the supplier
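As an added example (not the presenter's code), the Python below builds the order message from this slide in the envelope layout of the WS-Security (iii) slide: a wsse:UsernameToken names the sales rep and a ds:Signature in the Security header covers the Body, located through its wsu:Id exactly as a ds:Reference does. Real WS-Security uses XML Signature with canonicalisation and a key taken from the token or ds:KeyInfo; here an HMAC-SHA256 over the serialised Body with a constructed shared key stands in for that, the wsu namespace URI is assumed, and the order values are constructed. The supplier's check still passes after any store-and-forward hop and fails as soon as the quantity or price is altered in transit.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Namespace URIs from the slide's envelope; the wsu (utility) URI is an assumption, the slide omits it.
S = "http://www.w3.org/2001/12/soap-envelope"
WSSE = "http://schemas.xmlsoap.org/ws/2002/xx/secext"
WSU = "http://schemas.xmlsoap.org/ws/2002/xx/utility"
DS = "http://www.w3.org/2000/09/xmldsig#"
for prefix, uri in (("S", S), ("wsse", WSSE), ("wsu", WSU), ("ds", DS)):
    ET.register_namespace(prefix, uri)

SHARED_KEY = b"constructed-demo-key"  # constructed; stands in for the key bound to the UsernameToken

def find_by_id(env, uri):
    """Resolve a ds:Reference URI="#id" to the element carrying that wsu:Id, as XML-DSig locates signed parts."""
    target = uri.lstrip("#")
    return next((el for el in env.iter() if el.get(f"{{{WSU}}}Id") == target), None)

def mac_of(element):
    """HMAC-SHA256 over the element's serialisation: a stand-in for XML-DSig canonicalisation plus signing."""
    return hmac.new(SHARED_KEY, ET.tostring(element, encoding="utf-8"), hashlib.sha256).digest()

def build_order(user, customer, item, qty, price):
    """Sales rep side: UsernameToken identifies the user, the signature covers the Body via its wsu:Id."""
    env = ET.Element(f"{{{S}}}Envelope")
    hdr = ET.SubElement(env, f"{{{S}}}Header")
    body = ET.SubElement(env, f"{{{S}}}Body", {f"{{{WSU}}}Id": "MsgBody"})
    order = ET.SubElement(body, "Order")
    for tag, val in (("Customer", customer), ("Item", item), ("Quantity", str(qty)), ("Price", str(price))):
        ET.SubElement(order, tag).text = val
    sec = ET.SubElement(hdr, f"{{{WSSE}}}Security")
    tok = ET.SubElement(sec, f"{{{WSSE}}}UsernameToken", {f"{{{WSU}}}Id": "MyID"})
    ET.SubElement(tok, f"{{{WSSE}}}Username").text = user
    sig = ET.SubElement(sec, f"{{{DS}}}Signature")
    info = ET.SubElement(sig, f"{{{DS}}}SignedInfo")
    ET.SubElement(info, f"{{{DS}}}Reference", {"URI": "#MsgBody"})
    ET.SubElement(sig, f"{{{DS}}}SignatureValue").text = base64.b64encode(mac_of(body)).decode()
    return ET.tostring(env, encoding="unicode")

def verify_order(xml_text):
    """Supplier side: accept only if the element the signature references still matches the signature."""
    env = ET.fromstring(xml_text)
    ref = env.find(f".//{{{DS}}}Reference")
    val = env.find(f".//{{{DS}}}SignatureValue")
    if ref is None or val is None or not val.text:
        return False  # unsigned message: reject rather than trust the token alone
    signed = find_by_id(env, ref.get("URI", ""))
    if signed is None:
        return False  # reference points at nothing, so nothing is actually protected
    return hmac.compare_digest(base64.b64decode(val.text), mac_of(signed))
```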

Page 17: Advantages

• End-to-end message confidentiality, integrity and authentication are assured
• Messages can be stored, retrieved and forwarded an arbitrary number of times
• Extensible
  – Multiple security token formats
  – Multiple trust domains
  – Multiple signature formats
  – Multiple encryption technologies

Page 18: Drawbacks

• Immaturity of the specification
• Many things outside the scope
  – Trust establishment
  – Security policy exchange and agreement
  – Security context specification
  – Authentication mechanisms
  – Key management
• Only one security header per message
• Processing and bandwidth overheads
  – XML and SOAP are verbose: WS-Security exacerbates this
  – Signatures & tokens must be generated / checked every time
  – Onerous verification, logging and error reporting
• Not ideally suited to inter-enterprise exchanges

Page 19: Conclusion and Recommendation

• Yes, it can be done
  – But the effort doesn’t seem worth it for the current generation of mobile devices
  – VPN-style solutions lead to quicker and more dependable results
• Wait for standards to settle down
• Decide your business model
  – Extension of the enterprise network to the mobile
  – Direct interaction of the mobile device with Web Services offered by multiple providers

Page 20: A Hybrid Solution

Diagram: the Mobile App (client part) reaches the Mobile App (server part) through a VPN and the Firewall; the server part then talks, using WS-Security, to the In-House Web Service and, across the Internet, to a Third Party Web Service.

Page 21: Thank You!

Questions?

ObjectValue Ltd., 31 Guildford Way, Wallington, Surrey SM6 8NS, United Kingdom
www.objectvalue.com
Immo Hüneke BSc MBCS CEng, Director
+44 (0)20 8395 5835; +44 (0)7941 072 238
[email protected]

Software Systems consultancy & development