ANSEC Security Services in Pune - Security Guards,Security Services Company
Web Services Security – A Survey
-
Upload
wyoming-gallegos -
Category
Documents
-
view
33 -
download
0
description
Transcript of Web Services Security – A Survey
![Page 1: Web Services Security – A Survey](https://reader035.fdocuments.in/reader035/viewer/2022062304/568135db550346895d9d4d0f/html5/thumbnails/1.jpg)
1
Web Services Security – A Survey
Abu Uddin
Shamual Rahaman
![Page 2: Web Services Security – A Survey](https://reader035.fdocuments.in/reader035/viewer/2022062304/568135db550346895d9d4d0f/html5/thumbnails/2.jpg)
2
Web Services
Open standard (XML, SOAP, etc.) based Web applications that interact with other web applications for the purpose of exchanging data.
Initially used for the exchange of data on large private enterprise networks, web services are evolving to include transactions over the public Internet.
Even though it’s framework in not 100% complete, people have been widely using it.
Heterogeneous, loosely coupled architecture.
![Page 3: Web Services Security – A Survey](https://reader035.fdocuments.in/reader035/viewer/2022062304/568135db550346895d9d4d0f/html5/thumbnails/3.jpg)
3
Hello Web Services
![Page 4: Web Services Security – A Survey](https://reader035.fdocuments.in/reader035/viewer/2022062304/568135db550346895d9d4d0f/html5/thumbnails/4.jpg)
4
Hello Web Services
![Page 5: Web Services Security – A Survey](https://reader035.fdocuments.in/reader035/viewer/2022062304/568135db550346895d9d4d0f/html5/thumbnails/5.jpg)
5
Hello Web Services
![Page 6: Web Services Security – A Survey](https://reader035.fdocuments.in/reader035/viewer/2022062304/568135db550346895d9d4d0f/html5/thumbnails/6.jpg)
6
Web Services Security
Importance of security in Web Services. Security Issues in Web Services. Our Survey.
![Page 7: Web Services Security – A Survey](https://reader035.fdocuments.in/reader035/viewer/2022062304/568135db550346895d9d4d0f/html5/thumbnails/7.jpg)
7
Selected Papers
Threats and security of Web services - a theoretical short study-Rao, Radha Krishna
Web service security - vulnerabilities and threats within the context of WS-security-Holgersson, J.; Soderstrom, E.;
Web Service Composition: A Security Perspective-Carminati, B.; Ferrari, E.; Hung, P.C.K.;
Algorithm Exchange of a Security Control System for Web Services Applications-Nasution, B.B.; Kendall, E.A.; Khan, A.I.;
![Page 8: Web Services Security – A Survey](https://reader035.fdocuments.in/reader035/viewer/2022062304/568135db550346895d9d4d0f/html5/thumbnails/8.jpg)
8
Paper 1: Threats and security of Web services - a theoretical short study
Various threats and remedies for web services. This paper mainly focuses mainly on three different
attacks: Dictionary Attack, Replay Attack, and Buffer Overflow.
Vital points in Web services security: Authentication Authorization Confidentiality Integrity Non-repudiation
All of these can be satisfied by using encryption except Authorization, where it can use SOAP messages.
![Page 9: Web Services Security – A Survey](https://reader035.fdocuments.in/reader035/viewer/2022062304/568135db550346895d9d4d0f/html5/thumbnails/9.jpg)
9
Dictionary Attack
Reverse Turing Test. was developed to protect system from
automated program that launches dictionary attack.
combine the traditional password authentication with a challenge that is very easy to answer for a human but not possible for an automated program.
widely used by many web sites, such as Hotmail, Yahoo.
![Page 10: Web Services Security – A Survey](https://reader035.fdocuments.in/reader035/viewer/2022062304/568135db550346895d9d4d0f/html5/thumbnails/10.jpg)
10
Dictionary Attack
Advantages of Reverse Turing Test: does not affect the usability. offers a much better protection. no special hardware or software is needed to implement.
Disadvantages of Reverse Turing Test: requires certain capabilities on the user side. can frighten the user who are unwilling to solve the riddles . can affect the scalability of the system. not optimal for large scale system.
![Page 11: Web Services Security – A Survey](https://reader035.fdocuments.in/reader035/viewer/2022062304/568135db550346895d9d4d0f/html5/thumbnails/11.jpg)
11
Dictionary Attacks Java Cryptography:
Dictionary attacks take twice the time to break a simple protection algorithm than doubly protected password.
now used in various critical applications. Java Cryptography Architecture(JCA)
Java Cryptography Advantages: Portability permits controlled execution of less trusted code (vs.
Activex) fine grained permission control
Java Cryptography Disadvantages: complex dependencies on other system, OS, browser,
network(DNS), PKI flexible policies accepted by user may permit hidden
breaching interactions.
![Page 12: Web Services Security – A Survey](https://reader035.fdocuments.in/reader035/viewer/2022062304/568135db550346895d9d4d0f/html5/thumbnails/12.jpg)
12
Dictionary Attacks
Secure Socket Layer (SSL): most popular transport layer security protocol for internet.
offers the basic security services of encryption, source authentication and integrity protection for data exchanged over underlying unprotected networks.
Many product and OS has support for SSL. Also many web services permits the SSL communication.
SSL has all available security functions that’s needed to make a project secure (authentication, asymmetric/symmetric encryption, MAC and certificates).
But the problem with SSL is that programmers have to know a lot of details about the OS, and system calls.
![Page 13: Web Services Security – A Survey](https://reader035.fdocuments.in/reader035/viewer/2022062304/568135db550346895d9d4d0f/html5/thumbnails/13.jpg)
13
Replay Attack
When an attacker simply listens and sniffs the packets and then later he resends the same packet, it’s called replay attack.
The intruder might extract information and alter or inject his own information in the message stream.
easier to detect with Web Services.
![Page 14: Web Services Security – A Survey](https://reader035.fdocuments.in/reader035/viewer/2022062304/568135db550346895d9d4d0f/html5/thumbnails/14.jpg)
14
Buffer Overflow
Buffer Overflow is one of the major threats on data integrity.
Some of the solutions to the buffer overflow problem are: Applying patch to the affected code that will
check the length of the data before saving it to the buffer.
Apply backup code to replace the overflowed one to gain back authorities of the system.
Use programming languages that has automatic bound checking .
![Page 15: Web Services Security – A Survey](https://reader035.fdocuments.in/reader035/viewer/2022062304/568135db550346895d9d4d0f/html5/thumbnails/15.jpg)
15
Paper 2: Web Service Security – Vulnerability And Threats within the context of WS-Security
The security issues in Web Services Threats involved Incompatibility of traditional Security techniques WS-Security Basics WS-Security vs. Web Services Threats
![Page 16: Web Services Security – A Survey](https://reader035.fdocuments.in/reader035/viewer/2022062304/568135db550346895d9d4d0f/html5/thumbnails/16.jpg)
16
Security Issues
Security of the information must be provided while the information is in transit and while it is in storage of the server
Similar criterion as of traditional security must be satisfied
![Page 17: Web Services Security – A Survey](https://reader035.fdocuments.in/reader035/viewer/2022062304/568135db550346895d9d4d0f/html5/thumbnails/17.jpg)
17
Security Issues
Confidentiality Integrity Non-repudiation Authentication Authorization Availability
![Page 18: Web Services Security – A Survey](https://reader035.fdocuments.in/reader035/viewer/2022062304/568135db550346895d9d4d0f/html5/thumbnails/18.jpg)
18
The threats
Maintaining Security while Routing Unauthorized access Parameter manipulation/malicious input Eavesdropping and Message Replay Denial of Service (DoS) Bypassing of Firewalls Immaturity of the platform
![Page 19: Web Services Security – A Survey](https://reader035.fdocuments.in/reader035/viewer/2022062304/568135db550346895d9d4d0f/html5/thumbnails/19.jpg)
19
Short comings of Traditional Security mechanism
Traditional Security techniques works on the Lower level of the OSI stack of message transfer
Doesn’t provide security against Application level communication
![Page 20: Web Services Security – A Survey](https://reader035.fdocuments.in/reader035/viewer/2022062304/568135db550346895d9d4d0f/html5/thumbnails/20.jpg)
20
OSI Stack
![Page 21: Web Services Security – A Survey](https://reader035.fdocuments.in/reader035/viewer/2022062304/568135db550346895d9d4d0f/html5/thumbnails/21.jpg)
21
WS-Security
Is a new security standard Published in April 2004 Still incomplete but promising
![Page 22: Web Services Security – A Survey](https://reader035.fdocuments.in/reader035/viewer/2022062304/568135db550346895d9d4d0f/html5/thumbnails/22.jpg)
22
WS-Security Basics
Adds security to the SOAP message Passes the security information in the Header of
the SOAP Message 3 Basic Elements
Security tokens XML Encryption XML Signature
![Page 23: Web Services Security – A Survey](https://reader035.fdocuments.in/reader035/viewer/2022062304/568135db550346895d9d4d0f/html5/thumbnails/23.jpg)
23
WS-Security, Tokens
Tokens are the security artifact included in a SOAP message
Provide authentication and authorization Can use simple user id and password based
authentication Also capable of advanced certificate based
authentication like X.509
![Page 24: Web Services Security – A Survey](https://reader035.fdocuments.in/reader035/viewer/2022062304/568135db550346895d9d4d0f/html5/thumbnails/24.jpg)
24
XML Encryption
A specification developed by W3C Prevents unauthorized access to the XML
document Require a decryption key to read the
Document Different part of the document may require
different key to decrypt
![Page 25: Web Services Security – A Survey](https://reader035.fdocuments.in/reader035/viewer/2022062304/568135db550346895d9d4d0f/html5/thumbnails/25.jpg)
25
XML Encryption
Therefore XML Encrypted Document can have multiple recipients
Each recipient will use their own decryption key without violating the privacy of others
![Page 26: Web Services Security – A Survey](https://reader035.fdocuments.in/reader035/viewer/2022062304/568135db550346895d9d4d0f/html5/thumbnails/26.jpg)
26
XML Signature
Also developed by W3C Serves the same purpose that of a traditional
signature Authenticates the credentials of the token This provides message integrity Just like XML Encryption different part of the
document may have different signature associated with it
![Page 27: Web Services Security – A Survey](https://reader035.fdocuments.in/reader035/viewer/2022062304/568135db550346895d9d4d0f/html5/thumbnails/27.jpg)
27
WS-Security VS Threats
Remember the threats….. Maintaining Security while Routing Unauthorized access Parameter manipulation/malicious input Eavesdropping and Message Replay Denial of Service (DoS) Bypassing of Firewalls Immaturity of the platform
All of them satisfied except Denial of Service Bypassing of firewalls Immaturity of the platform
![Page 28: Web Services Security – A Survey](https://reader035.fdocuments.in/reader035/viewer/2022062304/568135db550346895d9d4d0f/html5/thumbnails/28.jpg)
28
Ws-Security: The Road Map
![Page 29: Web Services Security – A Survey](https://reader035.fdocuments.in/reader035/viewer/2022062304/568135db550346895d9d4d0f/html5/thumbnails/29.jpg)
29
Paper 3: Web Service Composition: A security Perspective
The papers describes a security conscious Web Service composition framework that supports different security requirement criterion imposed by different WS provider and requestor
![Page 30: Web Services Security – A Survey](https://reader035.fdocuments.in/reader035/viewer/2022062304/568135db550346895d9d4d0f/html5/thumbnails/30.jpg)
30
Web Service Composition
![Page 31: Web Services Security – A Survey](https://reader035.fdocuments.in/reader035/viewer/2022062304/568135db550346895d9d4d0f/html5/thumbnails/31.jpg)
31
Composition With Security Restrictions Different WS may have different security
requirement e.g. some WS may require the X.509 based authentication as a security measurement for authentication and authorization
Some service requestor may want his service to be processed by a WS that use P3P based privacy policy
![Page 32: Web Services Security – A Survey](https://reader035.fdocuments.in/reader035/viewer/2022062304/568135db550346895d9d4d0f/html5/thumbnails/32.jpg)
32
Secure WS Broker ArchitectureImage ref [3]
![Page 33: Web Services Security – A Survey](https://reader035.fdocuments.in/reader035/viewer/2022062304/568135db550346895d9d4d0f/html5/thumbnails/33.jpg)
33
Secure WS Broker Architecture
Four main components Modeler Web Services Locator Security Match Maker WSBPEL Generator
![Page 34: Web Services Security – A Survey](https://reader035.fdocuments.in/reader035/viewer/2022062304/568135db550346895d9d4d0f/html5/thumbnails/34.jpg)
34
SWS Broker: Modeler
Given the service request try to build a work flow
For example given a task A The modeler tries to divide the task in a sequence of tasks say {A1, A2, A3, A4} which must be carried in sequence
The A1, A2 etc are the activities
![Page 35: Web Services Security – A Survey](https://reader035.fdocuments.in/reader035/viewer/2022062304/568135db550346895d9d4d0f/html5/thumbnails/35.jpg)
35
SWS Broker: SWs Locator
The locator is actually a simple old fashioned Web Service locator that finds the Web Services that capable of servicing the request
The locator finds all the sets of Web Services that are capable of servicing A1, A2 etc.
![Page 36: Web Services Security – A Survey](https://reader035.fdocuments.in/reader035/viewer/2022062304/568135db550346895d9d4d0f/html5/thumbnails/36.jpg)
36
SWS Broker: Match Maker
This is the model that employs the security constrains imposed by all the involved Web Service Providers and Requestors
The algorithm is explained with an example in the next slide
![Page 37: Web Services Security – A Survey](https://reader035.fdocuments.in/reader035/viewer/2022062304/568135db550346895d9d4d0f/html5/thumbnails/37.jpg)
37
Match Maker: Algorithm/Methodology
Lets say the service locator provides the following WSs for each of the activities in previous example
![Page 38: Web Services Security – A Survey](https://reader035.fdocuments.in/reader035/viewer/2022062304/568135db550346895d9d4d0f/html5/thumbnails/38.jpg)
38
Match Maker: Algorithm/Methodology
We can build a following tree structure for the Wss. (Figure
ref [3])
![Page 39: Web Services Security – A Survey](https://reader035.fdocuments.in/reader035/viewer/2022062304/568135db550346895d9d4d0f/html5/thumbnails/39.jpg)
39
SWS Broker: WSBPEL
Web Service Business Process Execution Language
Beyond the scope of this Paper
![Page 40: Web Services Security – A Survey](https://reader035.fdocuments.in/reader035/viewer/2022062304/568135db550346895d9d4d0f/html5/thumbnails/40.jpg)
40
Defining Security Requirement
All the previously mentioned techniques sounds easy
But how to search and compare security requirement and Constraints
WSDL, SOAP none provides such mechanism
![Page 41: Web Services Security – A Survey](https://reader035.fdocuments.in/reader035/viewer/2022062304/568135db550346895d9d4d0f/html5/thumbnails/41.jpg)
41
Modeling Security Information
Two Classes Capability Description Constraint Description
Compatibility General Final
![Page 42: Web Services Security – A Survey](https://reader035.fdocuments.in/reader035/viewer/2022062304/568135db550346895d9d4d0f/html5/thumbnails/42.jpg)
42
Capabilities Description
Uses SAML description of following type (Figure ref [3])
![Page 43: Web Services Security – A Survey](https://reader035.fdocuments.in/reader035/viewer/2022062304/568135db550346895d9d4d0f/html5/thumbnails/43.jpg)
43
Compatibility Constraint Description
Compatibility Constraints can be put into the WSDL using the extensibility element of WSDL
![Page 44: Web Services Security – A Survey](https://reader035.fdocuments.in/reader035/viewer/2022062304/568135db550346895d9d4d0f/html5/thumbnails/44.jpg)
44
Other Constraint Description
The other two constraint criterion general constraint and final constraint goes into the SOAP definition
![Page 45: Web Services Security – A Survey](https://reader035.fdocuments.in/reader035/viewer/2022062304/568135db550346895d9d4d0f/html5/thumbnails/45.jpg)
45
Future Work
The author working on implementing additional constraints like quality of service constraints
They are trying to produce a better version of the Match Maker Algorithm
![Page 46: Web Services Security – A Survey](https://reader035.fdocuments.in/reader035/viewer/2022062304/568135db550346895d9d4d0f/html5/thumbnails/46.jpg)
46
Paper 4: Algorithm Exchange of a Security Control System for Web Services Applications
Problem with WS-Security standard. This papers takes system approach rather
than analytical approach. Two parts of the paper:
TTSN(Trusted Tansient Simple Network) Architecture.
Algorithm Exchange.
![Page 47: Web Services Security – A Survey](https://reader035.fdocuments.in/reader035/viewer/2022062304/568135db550346895d9d4d0f/html5/thumbnails/47.jpg)
47
Trusted Transient Simple Network
3rd parties in web services. it is necessary for each party to provide itself with a sophisticated
security system which can be very independently of any other middle parties.
The most frequent strategies to solve the security problem have mainly focused on already known risks. But such strategy will fail when an unknown risk occurs.
![Page 48: Web Services Security – A Survey](https://reader035.fdocuments.in/reader035/viewer/2022062304/568135db550346895d9d4d0f/html5/thumbnails/48.jpg)
48
TTSN
TTSN General Architecture: The traffic package leaving from A
through one path will be sent back to B through the other path.
Also, B will also append the reversed traffic package to B with the response.
In this way, A will know enough information regarding the state of the transaction and some behavior of its counterpart.
Can be activated/deactivated dynamically
![Page 49: Web Services Security – A Survey](https://reader035.fdocuments.in/reader035/viewer/2022062304/568135db550346895d9d4d0f/html5/thumbnails/49.jpg)
49
TTSN
TTSN Security control system:
Plant of the control system. If the plant is not stable, A must maintain the process in a
continuous stable state.
![Page 50: Web Services Security – A Survey](https://reader035.fdocuments.in/reader035/viewer/2022062304/568135db550346895d9d4d0f/html5/thumbnails/50.jpg)
50
TTSN
The reasoning mechanism. Interdependency of all
security properties: Each property will be
occupied by an intelligent agent.
![Page 51: Web Services Security – A Survey](https://reader035.fdocuments.in/reader035/viewer/2022062304/568135db550346895d9d4d0f/html5/thumbnails/51.jpg)
51
TTSN
TTSN’s main modules:
![Page 52: Web Services Security – A Survey](https://reader035.fdocuments.in/reader035/viewer/2022062304/568135db550346895d9d4d0f/html5/thumbnails/52.jpg)
52
TTSN
By deploying co-operative intelligent agents, loosely coupled interrelationship and strong definition of policy and rules, the aim is that TTSN will be able to solve and handle any current and potentially new vulnerability and threats.
![Page 53: Web Services Security – A Survey](https://reader035.fdocuments.in/reader035/viewer/2022062304/568135db550346895d9d4d0f/html5/thumbnails/53.jpg)
53
Algorithm Exchange:
Since web services performs XML-based transactions and most internet transaction perform secret key exchange, it is very likely to be intercepted.
The interceptor has a chance of cracking the content of the message sooner or later.
TTSN performs algorithm exchange instead of key exchange. Both parties dynamically exchanges their algorithm throughout
the session. Since both parties used their unique algorithm, the authors
claimed that, it will be really difficult, if at all possible, for the interceptor to crack the message performing a brute force analysis to the algorithm, NOT to the key.
no known techniques available to crack algorithm.
![Page 54: Web Services Security – A Survey](https://reader035.fdocuments.in/reader035/viewer/2022062304/568135db550346895d9d4d0f/html5/thumbnails/54.jpg)
54
Algorithm Exchange
Reflection packages and serialized class features of JAVA.
Java class file issue. this method not only guarantee confidentiality,
but also authentication and message integrity. Since the algorithm is not known, any one else
cannot impersonate the sender. The recipient must deploy the previous
algorithm to check the integrity of the data validating the signature.
![Page 55: Web Services Security – A Survey](https://reader035.fdocuments.in/reader035/viewer/2022062304/568135db550346895d9d4d0f/html5/thumbnails/55.jpg)
55
Implementation/Testing Methodology:
The authors have successfully implemented and tested a cryptographic algorithm exchange in a web service environment using IMB WebSphere Studio Device Developer(WSDD5.6) and JDK1.4.1
![Page 56: Web Services Security – A Survey](https://reader035.fdocuments.in/reader035/viewer/2022062304/568135db550346895d9d4d0f/html5/thumbnails/56.jpg)
56
Implementation/Testing Methodology:
![Page 57: Web Services Security – A Survey](https://reader035.fdocuments.in/reader035/viewer/2022062304/568135db550346895d9d4d0f/html5/thumbnails/57.jpg)
57
Implementation/Testing Methodology:
![Page 58: Web Services Security – A Survey](https://reader035.fdocuments.in/reader035/viewer/2022062304/568135db550346895d9d4d0f/html5/thumbnails/58.jpg)
58
Implementation/Testing Methodology:
![Page 59: Web Services Security – A Survey](https://reader035.fdocuments.in/reader035/viewer/2022062304/568135db550346895d9d4d0f/html5/thumbnails/59.jpg)
59
Implementation/Testing Methodology:
![Page 60: Web Services Security – A Survey](https://reader035.fdocuments.in/reader035/viewer/2022062304/568135db550346895d9d4d0f/html5/thumbnails/60.jpg)
60
Implementation/Testing Methodology:
![Page 61: Web Services Security – A Survey](https://reader035.fdocuments.in/reader035/viewer/2022062304/568135db550346895d9d4d0f/html5/thumbnails/61.jpg)
61
Implementation/Testing Methodology:
After the class was loaded it has been instantiated and the method has been extracted and invoked:
![Page 62: Web Services Security – A Survey](https://reader035.fdocuments.in/reader035/viewer/2022062304/568135db550346895d9d4d0f/html5/thumbnails/62.jpg)
62
Comparison with other/similar technology On first glance, Algorithm Exchange looks like the mechanism
of IPSec or Opportunistic Encryption. On IPSec all algorithm must comply with IETF’s standards,
which are very common (DES, TripleDES, RC4 etc). A node cannot be embbeded with user’s own generated algorithm.
In Opportunistic Encryption nodes do not exchange algorithms, but they still exchange keys.
IPSec handles network-layer security to protect transactions from hardware or OS level attackers, while most security in web services deals with threats on higher level than IP layers, most of which are software level attackers.
No programming language other than Java can dynamically load a computer program during runtime. Object serialization and class reflection made such thing possible.
![Page 63: Web Services Security – A Survey](https://reader035.fdocuments.in/reader035/viewer/2022062304/568135db550346895d9d4d0f/html5/thumbnails/63.jpg)
63
Conclusion
Web Services is yet not matured. Web Services Security is still infant. Our 4 papers.
![Page 64: Web Services Security – A Survey](https://reader035.fdocuments.in/reader035/viewer/2022062304/568135db550346895d9d4d0f/html5/thumbnails/64.jpg)
64