Preview of
Mastering Web Services SecurityPreview of
Mastering Web Services Security
Konstantin [email protected]
QuadrãsisSeptember 16, 2002
2
Talk OutlineTalk OutlineBook introductionHighlights of the book
Web Services security problemXML SecurityWS-SecuritySecurity mechanisms for ASP.NET Web ServicesPlanning and building secure Web Service systems
– Architectural and policy principlesEASI FrameworkExample
3
4
Why am I talking to you?Why am I talking to you?Ph.D. “Engineering Access Control for Distributed Enterprise Applications”CORBA Security
CORBA Security“Resource Access Decision” (RAD) Facility“Security Domain Membership Management”
Security Architectwith Baptist Health, Concept 5, Quadrasis (HICAM)Architecture, design and implementation of enterprise security solutions and products using CORBA, EJB, COM+, .NET
5
Book GoalsBook GoalsAudience
practicing application/enterprise security designers and architectsExplain
key underlying principles for securing WShow to secure today
– simple WS systemsJava and (ASP).NET
– complex WS systemsfor large enterprises
Describe what’s coming and what to expect
6
It’s aboutIt’s about1. Principles of Securing Web Services
Getting Started with Web Services SecurityXML SecurityWS-SecuritySAMLPrinciples of Securing Web Services
2. Middleware Mechanisms for securing Web ServicesMiddleware security mechanisms– CORBA, COM+, .NET, EJBSecuring (ASP).NET and Java Web Services
3. Advanced TopicsInteroperabilityAdministrationPlanning and Building
7
Web Service Syste
mWhat’s a Web Service System?What’s a Web Service System?
SOAP
8
Typical Web Service EnvironmentTypical Web Service Environment
9
Conventional Approach to SecurityConventional Approach to SecurityProtection
Authorization Accountability
AssuranceAvailability
Acc
ess C
ontro
l
Dat
a Pr
otec
tion
Audit
Non-Repudiation
Serv
ice
Con
tinui
ty
Dev
elop
men
t Ass
uran
ce
Ope
ratio
nal A
ssur
ance
Des
ign
Ass
uran
ce
Dis
aste
r Rec
over
yAuthenticationCryptography
10
Web Usage Scenario - SecurityWeb Usage Scenario - Security
SOAPUltimateReceiver
SOAPUltimateSender
Bought 5000 shares MSFT
@$YY/share
Bought 5000 shares MSFT
@$YY/share
SOAPIntermediary
Buy 5000 shares MSFT
@$XX/share
SOAPIntermediary
Buy 5000 shares MSFT
@$XX/share
Trader’sSystem
NotarySystem
TradingSystemTradingSystem
Trader’sSystem
NotarySystem
SOAPUltimateReceiver
SOAPUltimateSender
11
Changes in the Security PictureChanges in the Security PictureWS open enterprise resources to outside worldNew security responsibilities due to mixing lines of business:
Outsourcing credit card authorization serviceCross-selling and customer relationship managementSupply chain-management
Risk must be assessed and managed across a collection of organizationsInteractions are more complex and take place among diverse environments
12
WS Security Building BlocksWS Security Building Blocks
NetworkSecurity Directories Firewalls IDS
Web ServersSecurity
MiddlewareSecurity
MainframeSecurity
Physical Security
DatabaseSecurity
XMLSecurity
SOAPSecurity
WSDLSecurity
UDDISecurity
WS-Security
XML SecurityXML Security
14
XML EncryptionXML EncryptionEncrypt all or part of an XML messageSeparation of encryption information from encrypted dataSuper-encryption of data
<EncryptedData xmlns='http://www.w3.org/2001/04/xmlenc#' Type='http://www.w3.org/2001/04/xmlenc#Content'><EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#3des-cbc'/><ds:KeyInfo xmlns:ds='http://www.w3.org/2000/09/xmldsig#'><ds:KeyName>John Smith</ds:KeyName></ds:KeyInfo> <CipherData>
<CipherValue>A23B45C56</CipherValue></CipherData>
</EncryptedData>
15
XML SignatureXML SignatureApply to all or part of a documentContains: references to signed portions, canonicalization algorithm, hashing and signing algorithm Ids, public key of the signer.Multiple signatures with different characteristics over the same content
<Signature Id="MySignature" xmlns="http://www.w3.org/2000/09/xmldsig#"> <SignedInfo> <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/> <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/> <Reference URI="http://www.w3.org/TR/2000/REC-xhtml1-20000126/"> <Transforms> <Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
</Transforms> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> <DigestValue>j6lwx3rvEPO0vKtMup4NbeVu8nk=</DigestValue>
</Reference> </SignedInfo> <SignatureValue>MC0CFFrVLtRlk=...</SignatureValue> <KeyInfo> <KeyValue> <DSAKeyValue> <P>...</P><Q>...</Q><G>...</G><Y>...</Y>
</DSAKeyValue></KeyValue>
</KeyInfo></Signature>
16
GapsGapsSignature and Encryption specifications are for XML not SOAP
Format and location of security information in SOAP messageSupport for multiple security operationsTargeting specific actors
Passing security-related client informationAuthenticationAttributes
SOAP Message SecuritySOAP Message Security
18
WS-SecurityWS-Security
Message integrity and message confidentialityCompliance with XML Signature and XML EncryptionEncoding for binary security tokens
Set of related claims (assertions) about a subjectX.509 certificatesKerberos ticketsEncrypted keys
19
SOAP Message with WS-SecuritySOAP Message with WS-Security<? Xml version=‘1.0’ ?><env:Envelope xmlns:env=“http://www.w3.org/2001/12/soap-envelope”
xmlns:sec=“http://schmas.xmlsoap.org/ws/2002/04/secext”xmlns:sig=“http://www.w3.org/2000/09/xmldsig#”xmlns:enc=“http://www.w3.org/2001/04/xmlenc#”><env:Header><sec:Security
sec:actor=“http://www.w3.org/2001/12/soap-envelope/actor/next”sec:mustUnderstand=“true”><sig:Signature>
…</sig:Signature><enc:EncryptedKey>
…</enc:EncryptedKey><sec:BinarySecurityToken
…</sec:BinarySecurityToken
</sec:Security></env:Header><env:Body><enc:EncryptedData>
…</enc:EncryptedData></env:Body>
</env:Envelope>
20
Web Services Security RoadmapWeb Services Security RoadmapSecurity in a Web Services World: A proposed Architecture and Roadmap – April 2002Joint IBM and Microsoft White PaperInitial specifications:
WS-SecurityWS-Trust
WS-PolicyWS-Privacy
WS-SecureConversationWS-Federation
Follow-On Specifications:
WS-Authorization
21
Security Assertion Markup Language(SAML)
Security Assertion Markup Language(SAML)
AuthenticationAuthority
AttributeAuthority
AuthorizationAuthority
AuthenticationAssertion
AuthorizationAssertion
CredentialsAssertion 61 2 3 5
4
AttributeAssertion
22
Comprehensive Message SecurityComprehensive Message Security
<SOAP-ENV:Body>
</SOAP-ENV:Body>
<SOAP-ENV:Header><WS-Security>
<SAML Token>
</SAML Token>
</WS-Security></SOAP-ENV:Header>
<SOAP-ENV:Envelope>
</SOAP-ENV:Envelope>
Secured SOAP Message
- Authenticates initiator of SOAP request - Enables role based authorization- Time-limited- Interoperable
SAML Token
- Multiple signed areas of header and body- Integrity protection via PKI based cryptography- Prevents tampering
XML Signature, DSIG
- Validates against XML schemaXML Schema Verification
- End-to-end tracing, Method accessAudit
SOAP Message
- Multiple encrypted areas of body- Prevents disclosure
XML Encryption
- Prevents unauthorized call to methodsRPC Method Authorization
FunctionSecurity Feature
- Encryption and signature verificationX.509 Certificate (or other security token)
SOAP Body
SOAP Header
- Attaches signature, encryption, security tokens to SOAP messages
WS-Security
Security Mechanisms for (ASP).NET Web Services
Security Mechanisms for (ASP).NET Web Services
24
Options for Building MS WSOptions for Building MS WS1. Publish COM+ component as SOAP Endpoint
Only Windows.NET and XP ProLimitations on what COM+ components could be publishedMight be not 100% interoperable with other SOAP implementations
2. Use CLR remoting over SOAP/HTTPSupports (non-interoperable) passing object referencesSupports client and server-activated objectsCan be hosted by IISVague on client authentication and channel protection, unless IIS security is used
3. Generate COM WrapperGood way to reuse existing COM componentsNo support for custom typesNo .NET framework in the picture
4. Use ASP.NET MechanismsClaimed to be interoperable with other SOAP-compliant web servicesLeverages .NET, ASP.NET and IIS security mechanismsSimplifies handling of WS-Security data via WSDK
25
ASP.NET Custom HTTP ModulesASP.NET Custom HTTP Modules
AdvantagesAllows custom authentication schemes
Allows decoupling (HTTP) transport from SOAP
Makes application security-unaware
Supports CLR authorization
DisadvantagesCouples client and server
unmanaged code
managed code
IIS
ASP.NET_ISAPI.DLL
Quadrasis.Authentication.AuthFooModule
Web Service (.asmx) Handler Factory
StoreFrontService.asmx Other .asmx files
SOAP/HTTP
…
SOAP client
Planning, BuildingSecure Web Service Systems
Planning, BuildingSecure Web Service Systems
27
Recommended ApproachRecommended ApproachConsistent with TCB principlesSimplifies the analysis
Leave security to expertsSecurity COTS integration vs. do-it-yourself
– More thoroughly tested by other customers– More careful about common development mistakes
Follow good architectural and policy design principlesPlan for evolution and manageability
Have a security framework
28
Security Architecture PrinciplesSecurity Architecture PrinciplesTrust no one
Don’t’ make your firewall the only point of enforcementView Web Services collections as mutually suspicious islands
Enable interoperabiltiyUse vendor-neutral standards (WS-Security, SAML)
Modularize security“Push” security down – security unaware applicationsInsulate applications from security functionality with stable APIs
29
Security Policy PrinciplesSecurity Policy PrinciplesAuthentication: balance cost against threat
SSOAuthorization: application-driven
Use the business of the application to drive authorization settings
Accountability: audit early, not often“pop” audit into/near the application
Security administration: collections and hierarchies for scale
Enterprise Application Security Integration(EASI)
Framework
Enterprise Application Security Integration(EASI)
Framework
31
EASI Framework ArchitectureEASI Framework Architecture
Enterprise Security Integration Framework
Core Security Services
Authentication Authorization Cryptography Accountability SecurityAdministration
AuthenticationProducts
AuthorizationProducts
CryptographyProducts
AccountabilityProducts
SecurityAdministration
Products
FrameworkSecurity Facilities
ProfileManager
SecurityAssociation
ProxyServices
Security APIs
Custom Security APIs Vendor Security APIs
Standard Security APIs
Presentation Components Business Logic Components Legacy Data Stores
32
Specific Example of EASI: QuadrasisSpecific Example of EASI: Quadrasis
AuthenticationServices
PresentationTier
WebServers
Client Tier
Browser
ApplicationClient
Back-OfficeTier
Mainframes
Component Tier
WebServices Application
Servers
EASI Executive
EASI Security Service Mappers
EASI Application Environment Adapters
EASI
Sec
urity
Uni
fier
App
licat
ion
Infr
astr
uctu
reSe
curit
ySe
rvic
es
Security Management Security Administration Security Configuration
Security Policy
Data-bases
Authentication API
Authorization API
AuditAPI
CryptographyAPI
Security Administration
Services
Authorization Services
CryptographyServices
AccountabilityServices
33
EASI Pros and ConsEASI Pros and ConsCommon security infrastructure shared across the enterpriseDecoupling applications from productsWell defined boundary between business and security logicNo need to implement everything at once
Complex due to generalityPerformance and scalability constraintsSignificant initial effort in designing and building itHas to be politically accepted in many different “parties” of organizationSemantic mismatch among security products makes their “swapping” hard
ExampleExample
35
ePortal.com eBusiness.comePortal.com eBusiness.com
ePortal.com eBusiness.comSOAP/HTTPSHTML/HTTPS
Internet customers
36
Functional Security RequirementsFunctional Security RequirementseBusiness.comeBusiness.com
Limit visitor accessProtect the accounts of each individualGrant members more accessSecure exchange with ePortal.comAdministrator control of critical functionsRestrict administrators’ abilities
ePortalePortal.com.comLimit visitor accessEliminate administration of new customersGrant members more accessSecure exchange with eBusiness.com
37
Browser
EASI FrameworkEASI Framework and Services
Middle Tier Back OfficeTier
FirewallDMZ
eBusiness.comPerimeter
Tier
FrameworkSecurity Facilities
Security APIs
Core SecurityServices
Oracle
AccountsProducts/Prices
WebLogic
J2EEApp Svr
StoreFront
Service
iPlanet
eBusiness.com WebServer
EASI Framework and Services
Middle Tier
FirewallFirewallDMZ
ePortal.comPerimeter
Tier
FrameworkSecurity Facilities
Security APIs
Core SecurityServices
COM+
StoreFront
MiddleTier
eBuyer.com
WebServiceClient
Application
Internetcustomer
IIS
ASP.NET
ePortal.comWeb
ServerInternet
Firewall
HTML/HTTPS
SOAP/HTTPS
SOAP/HTTPS
DCOM
SOAP/HTTP
38
EASI Framework for ePortal.comEASI Framework for ePortal.comePortal.com Enterprise Application Security Integration Framework
Core Security Services
Authentication Authorization Cryptography Accountability SecurityAdministration
FrameworkSecurity Facilities
ActiveDirectoryService
WS-Security/SAML
Service
Security APIs
Custom Self-Registration Web SSO, SAML Service
ASP.NET, COM+
FirewallIntrusion Detection System
Web SSOCOM+
Windows 2000SSL
Custom Self-Registration Module
39
EASI Framework for eBusiness.comEASI Framework for eBusiness.com
eBusiness.com Enterprise Application Security Integration Framework
Core Security Services
Authentication Authorization Cryptography Accountability SecurityAdministration
FrameworkSecurity Facilities
iPlanetDirectoryService
WS-Security/SAML
Service
Security APIs
Oracle Security, SAML Service
FirewalliPlanet
WebLogicSSL
OracleAttribute Mapping
JAAS, EJB
40
Security Gotchas at the System Architecture LevelSecurity Gotchas at the System Architecture Level
ScalingDistribute requests over multiple security policy serversCentral administrationAdministration delegation
Performance – “No free lunch”Encryption algorithmsUnderlying transportPolicy granularityCaching
41
Presentation SlidesPresentation Slides
http://www.beznosov.net/konstantin