
62e7a70b3c57996d7c86956021c6be19.ppt
- Number of slides: 49
Gap Assessment of the Top Web Service Specifications: Managing the Security of Web Services
Cristina Fhied, SE 690 Final Presentation
Advisor: Xiaoping Jia, Luigi Guadagno
SE 690 - Survey
Outline
1. Project Goal
2. Overview of Web Services (introduction)
3. Enterprise Security Requirements
4. Security Specifications Comparison Overview (how they map to the requirements)
   - Drawbacks and Benefits of each Model
5. Current Enterprise State Survey
6. Conclusion and Recommendations
7. Potential Future Work
Project Goal
- Research available web service security specifications.
- Conduct an enterprise state survey exploring the problems and experiences facing network professionals.
- Research the enterprise communication and architecture requirements for secure Web Services.
- Prepare gap assessment tables mapping the communication and network enterprise requirements against the researched security specifications.
- Prepare a model showing how the WS-Security specification interacts with the other researched web service security specifications.
What are Web Services?
- "Software pieces that interact with each other using internet standards to create an application in response to requests that conform to agreed-upon formats." [Infravio, 2003]
What Are the Characteristics?
- A web service is accessible over the internet.
- Provides an interface that can be called from one application by another.
- The interface can be called from any type of application, client or service.
- Acts as a liaison between the web and the application logic that implements the service.
How Does a Web Service Communicate?
- Uses XML on top of HTTP.
- XML is a widely accepted format for exchanging data and its semantics.
- The Web service STACK consists of:
  - XML (eXtensible Markup Language)
  - SOAP (Simple Object Access Protocol)
  - WSDL (Web Services Definition Language)
  - UDDI (Universal Discovery Description Language)
Web Services Stack
- UDDI: returns the WSDL reference used to bind to a web service.
- WSDL: specifies how to connect to a web service.
- SOAP: acts as the envelope for XML messages.
- XML: better describes the data being sent.
- HTTP (SMTP, FTP, other): transport layer.
What About Current Web Security?
- To date much of web security is built around encryption through secure socket layers (SSL) using the simple object access protocol (SOAP).
- Not enough to protect supply-chain operations and other business-to-business transactions, because SOAP is based on XML.
- One-way transmission: easy to steal and resend messages.
Enterprise Requirements
- Network
- Communication
Communication-based Enterprise Security Requirements
- Authentication
- Authorization
- Data protection
- Non-repudiation
Defining Requirements
- Authentication: accepting credentials from the entity and validating them against an authority.
- Authorization: determines whether the service has granted the requestor access to the web service.
- Data protection: ensures that the web service request and response have not been tampered with en route. Requires both integrity and privacy.
- Non-repudiation: guarantees that the message sender is the same as the creator of the message.
Network-based Enterprise Security Requirements
- Confidentiality
- Integrity
- Accessibility
Defining Requirements Cont.
- Confidentiality: the contained information requires protection against unauthorized use or disclosure.
- Accessibility: the information must be available on a timely basis to meet mission requirements or to avoid substantial losses.
- Integrity: the contained information must be protected from unauthorized, unanticipated or unintentional modification.
Available Industry Specifications
- Definitions and Features
- Comparison Mapping Overview
- Drawbacks and Benefits
- Model
PKI
- Public Key Infrastructure is an open specification.
- Published by VeriSign in 2002.
- Integrates digital certificates and certificate authorities into an enterprise-wide network security architecture.
PKI Cont.
- Provides protection by:
  - Authenticating identity
  - Verifying integrity
  - Ensuring privacy
  - Authorizing access
  - Authorizing transactions
  - Supporting non-repudiation
PKI Cont.
- Strengths:
  - Integrates authentication and digital signatures.
  - Allows confidential validation of the identity of each party in an internet transaction.
  - Ensures that the message or document the digital certificate signs has not been changed in transit online.
  - Protects information from interception during Internet transmission.
  - Validates a user identity, making it possible to later update a digitally signed transaction (single sign-on).
PKI Cont.
- Weaknesses:
  - Complications associated with the use of proprietary PKI software toolkits.
  - Complex deployment associated with server-side components.
  - The complexity of integrating authentication and digital signatures into web service applications.
SAML
- Security Assertions Markup Language is an XML-based security framework for Web Services.
- Security specification from OASIS, released in February 2002.
- First industry standard for enabling secure e-commerce transactions through XML.
SAML Cont.
- Gives guidelines on assertions in request and response messages to provide:
  - Authentication
  - Authorization
  - Interoperability
- Also shows how single sign-on can be achieved when several web services interact; achieved by adding XML assertions.
SAML Cont.
- Strengths:
  - Supports real-time authentication and authorization.
  - Can interoperate with any kind of system.
  - Makes it possible to have message integrity and non-repudiation of the sender.
  - Establishes assertion and protocol schemas for the structure of the documents that transport security information.
  - Links back to the actual authentication event and makes its assertions based on the requests of that event.
SAML Cont.
- Weaknesses:
  - The security of a SAML conversation is not stand-alone; it depends on a trust model, typically PKI.
  - Does not address privacy policies.
  - Does not define any technology or approach for authentication.
  - Only makes assertions about credentials; does not itself authenticate or authorize users.
XKMS
- XML Key Management Specification is an open specification.
- Published by the W3C as a technical note.
- Provides a standard XML-based messaging protocol for outsourcing the processing of key management to dedicated services.
XKMS Cont.
- XML version of PKI handling.
- Integrates:
  - Authentication
  - Authorization
  - Malicious attack support
- Uses SOAP over an HTTP-based network.
- Makes it easy for applications to interface with key-related services.
XKMS Cont.
- Strengths:
  - Integrates authentication and authorization.
  - Does status checking in a matter of hours.
  - Rapidly implements trust features, incorporating cryptographic support for XML digital signatures.
  - Moves the complexity associated with PKI integration to server-side components.
  - The specification toolkit is completely platform, vendor and transport protocol independent.
  - Developer friendly: the syntax used eliminates the plug-ins PKI requires.
XKMS Cont.
- Weaknesses:
  - Has no implemented prototype depicting its available techniques.
  - Needs three standards to be used at the same time for higher security; not a stand-alone application:
    - X-KISS (XML Key Information Service Specification)
    - X-KRSS (XML Key Requirement Service Specification)
    - Protocol Binding Specification
WS-Security
- Published in April 2002 by IBM, Microsoft and VeriSign.
- Helps enterprises build secure web services, and applications based on them, that are broadly interoperable.
- Proposes a set of SOAP extensions, used when building secure web services, to implement:
  - Integrity
  - Confidentiality
WS-Security Cont.
- Does not limit itself to a specific model or mechanism; can be used as a guideline.
- Has support for several models and security mechanisms.
- Supports:
  - Multiple security tokens
  - Cryptographic technologies
  - Requester security
  - Transport security
WS-Security Cont.
- Microsoft, VeriSign and IBM are announcing the publication of 5 new specifications. When used with WS-Security they provide a framework that is extensible and flexible in an infrastructure:
  - WS-Trust: provides interoperability
  - WS-Secure Conversation: centralized management
  - WS-Secure Policy: protects against malicious attack
  - WS-Policy: provides authentication
  - WS-Authorization: provides authorization
WS-Security Cont.
- Strengths:
  - Implements integrity and confidentiality.
  - A building block, or better yet a blueprint, to be used in conjunction with other web service specifications.
  - Integrates, unifies and supports many popular security models and technologies.
  - Defines how signatures can be used.
  - Provides a generic mechanism to associate security tokens with messages; does not require any particular type of security token.
WS-Security Cont.
- Weaknesses:
  - Does not discuss how proof-of-possession must be implemented.
  - Does not discuss how subject confirmation must be implemented.
  - There needs to be effort applied to ensure that the security protocols implemented are not exposed to a wide range of attacks.
  - Not yet approved as a standard; there are no commercial web services that use this specification as of yet.
Gap Assessment Table
- Summary comparison mapping of Communication Enterprise Security Requirements.
- (Table; only its labels survive extraction.) Rows: Interoperability Support, Scalability Support, Centralized Management Support, Malicious Attack Support. Columns: WS-Security, SAML, XKMS, PKI. The "X" marks cannot be assigned to cells from the extracted text.
Gap Assessment Table
- Summary comparison mapping of Network Enterprise Security Requirements.
- (Table; only its labels survive extraction.) Rows: Authentication Support, Authorization Support, Data Protection/Confidentiality Support, Data Integrity Support. Columns: WS-Security, SAML, XKMS, PKI. The "X" marks cannot be assigned to cells from the extracted text.
Model
- (Diagram; only its labels survive extraction.) WS-Security sits at the centre, surrounded by WS-Policy, WS-Policy Assertion, WS-Authorization, WS-Trust, WS-Secure Conversation and WS-Security Policy.
- Requirements shown: Authentication, Authorization, Data Protection/Confidentiality, Data Integrity, Scalability, Interoperability, Centralized Management, Malicious Attack. Specifications shown: SAML, PKI, XKMS, WS-Security.
- Links still readable in the extracted text: Interoperability to SAML, Centralized Management to SAML, Malicious Attack to XKMS; the remaining requirement-to-specification links are not recoverable.
Survey Results
- Current Enterprise State
About the Survey
- Explores areas of interest and experiences of those responsible for ensuring network/web service security.
- The survey was voluntary and consisted of eight questions.
- The final survey was sent to 25 individuals.
- 20 individuals submitted a completed survey.
Key Research Questions
- Rank web-based communication security requirements by their importance to a security framework.
- Rank networking issue requirements by their importance to a security framework.
- Rank security methods in terms of effectiveness in acquiring information security at an organization.
Survey Findings
- Have you experienced any of these security breaches? (Yes / No)
  - Viruses or worms: 95% / 5%
  - Attacks related to protocol weaknesses: 43% / 57%
  - Attacks related to insecure passwords: 19% / 81%
  - Attacks on bugs in web servers: 52% / 48%
Survey Findings
- Indicate the level of concern for the following issues:
  1. (Highest) Malicious code infection
  2. System unavailability
  3. Loss of confidentiality/privacy
  4. (Lowest) Physical security
Survey Findings
- Method effectiveness in terms of acquiring information security in an organization:
  1. (Most) Conduct vulnerability assessments
  2. Scare them with hacker stories
  3. Argue that security should be funded out of indiv.
  4. (Least) Explain the relationship between security and complying with legal industry requirements
Survey Findings
- Priority of the following items by importance to an organization:
  1. (Most) Security and availability for Web site and e-commerce operations
  2. Strengthening the network perimeter to prevent external intrusions
  3. Securing remote access for traveling employees/remote offices
  4. Centralized management of control data
  5. (Least) Preventing employees or outsiders from abusing access rights
Survey Findings
- Prioritize the networking issue requirements by their importance to a security framework:
  1. (Greatest) Interoperability
  2. Scalability
  3. Malicious attack
  4. (Least) Centralized management
Survey Findings
- Prioritize the web-based communication security requirements by their importance to a security framework:
  1. (Greatest) Data protection/confidentiality
  2. Data integrity
  3. Authorization
  4. (Least) Authentication
Conclusion and Recommendation
Managing Web Security
- It is difficult to determine a single best strategy.
- For applications needing strong authentication and authorization, the WS-Security and SAML specifications should be considered.
- Where malicious attack and data protection are the concerns, XKMS and SAML should be considered.
- XKMS joined with WS-Security is stronger for digitally signing SAML assertions.
Managing Web Security Cont.
- SAML combined with WS-Security should use techniques such as XML signatures and encryption.
- SAML assertions should be carried as security tokens as defined in WS-Security.
- SAML traffic should be secured by an XKMS-based PKI.
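The recommendation above (a SAML assertion carried as a WS-Security token and protected by a signature) and the earlier observation that an SSL-only channel lets a captured SOAP message be resent are shown together in this added example. It is not code from the slides or from any of the specifications. The sender builds a SOAP envelope whose wsse:Security header carries a saml:Assertion, a wsu:Timestamp and a wsse:Nonce (all three are elements the WS-Security and SAML specifications define); the receiver rejects stale, replayed or tampered messages. The HMAC "IntegrityTag" element is an assumption standing in for a real XML Signature so the code runs with the standard library alone; the shared key, issuer, subject and message contents are constructed values.

```python
"""Added example, not from the original slides: one SOAP message protected the
way the recommendations describe (SAML assertion as the WS-Security token, plus
a wsu:Timestamp and nonce), and a receiver that rejects replayed, stale or
tampered messages.  The HMAC "IntegrityTag" is a stand-in for a real XML
Signature so that only the standard library is needed; the key, issuer,
subject and message contents are constructed values."""
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Namespace URIs from SOAP 1.1, WS-Security 1.0 (wsse/wsu) and SAML 1.1.
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

SHARED_KEY = b"constructed-demo-key"   # constructed; stands in for the signing key
MAX_SKEW = timedelta(minutes=5)        # tolerated clock skew and message lifetime


def _q(prefix, tag):
    """Clark-notation tag name ({uri}local) for ElementTree."""
    return "{%s}%s" % (NS[prefix], tag)


def _integrity_tag(subject, created, nonce, body_text):
    """HMAC over the parts an attacker would have to alter to replay or tamper.
    Stand-in for an XML Signature over the assertion, timestamp and body."""
    msg = "|".join([subject, created.isoformat(), nonce, body_text]).encode()
    return hmac.new(SHARED_KEY, msg, hashlib.sha256).hexdigest()


def build_envelope(subject, created, nonce, body_text="getOrderStatus"):
    """Sender side: SOAP envelope whose wsse:Security header carries a SAML
    authentication assertion as the token, a timestamp and a nonce."""
    env = ET.Element(_q("soap", "Envelope"))
    sec = ET.SubElement(ET.SubElement(env, _q("soap", "Header")), _q("wsse", "Security"))
    ts = ET.SubElement(sec, _q("wsu", "Timestamp"))
    ET.SubElement(ts, _q("wsu", "Created")).text = created.isoformat()
    ET.SubElement(ts, _q("wsu", "Expires")).text = (created + MAX_SKEW).isoformat()
    ET.SubElement(sec, _q("wsse", "Nonce")).text = nonce
    assertion = ET.SubElement(sec, _q("saml", "Assertion"), {"Issuer": "constructed-idp.example"})
    stmt = ET.SubElement(assertion, _q("saml", "AuthenticationStatement"))
    subj = ET.SubElement(stmt, _q("saml", "Subject"))
    ET.SubElement(subj, _q("saml", "NameIdentifier")).text = subject
    ET.SubElement(sec, "IntegrityTag").text = _integrity_tag(subject, created, nonce, body_text)
    ET.SubElement(ET.SubElement(env, _q("soap", "Body")), "Request").text = body_text
    return ET.tostring(env, encoding="unicode")


class Receiver:
    """Receiver side: the message-level checks an SSL channel alone does not give."""

    def __init__(self, now):
        self.now = now
        self.seen_nonces = set()   # replay cache; bound it by Expires in real use

    def accept(self, xml_text):
        root = ET.fromstring(xml_text)
        sec = root.find("soap:Header/wsse:Security", NS)
        if sec is None:
            return "rejected: no WS-Security header"
        created_txt = sec.findtext("wsu:Timestamp/wsu:Created", namespaces=NS)
        expires_txt = sec.findtext("wsu:Timestamp/wsu:Expires", namespaces=NS)
        if not created_txt or not expires_txt:
            return "rejected: no timestamp"
        created = datetime.fromisoformat(created_txt)
        expires = datetime.fromisoformat(expires_txt)
        if self.now > expires or created > self.now + MAX_SKEW:
            return "rejected: expired or future-dated timestamp"
        nonce = sec.findtext("wsse:Nonce", namespaces=NS)
        if nonce in self.seen_nonces:
            return "rejected: replayed nonce"   # the "steal and resend" case
        subject = sec.findtext("saml:Assertion/saml:AuthenticationStatement/"
                               "saml:Subject/saml:NameIdentifier", namespaces=NS)
        body_text = root.findtext("soap:Body/Request", namespaces=NS)
        if nonce is None or subject is None or body_text is None:
            return "rejected: missing nonce, assertion subject or body"
        expected = _integrity_tag(subject, created, nonce, body_text)
        if not hmac.compare_digest(sec.findtext("IntegrityTag") or "", expected):
            return "rejected: integrity tag mismatch"
        self.seen_nonces.add(nonce)   # remembered only once the message is accepted
        return "accepted: " + subject


if __name__ == "__main__":
    now = datetime(2004, 6, 1, 12, 0, tzinfo=timezone.utc)
    rx = Receiver(now)
    msg = build_envelope("alice", now - timedelta(minutes=1), "nonce-1")
    print(rx.accept(msg))   # accepted: alice
    print(rx.accept(msg))   # rejected: replayed nonce
```

The order of the checks matters: the timestamp window is tested before the nonce cache so that the cache only has to hold nonces from the last MAX_SKEW window, and the nonce is recorded only after the integrity check passes, so a forged message cannot poison the cache against a legitimate sender.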
Managing Web Security Cont.
- The most effective method of acquiring information security in an organization is conducting vulnerability assessments and explaining the differences between security and legal requirements.
- The way to reduce obstacles to achieving web service security is to greatly reduce the technical challenges and complexity of using security specification toolkit products.
Potential Future Work
- Research and analyze whether an implementation of WS-Security, PKI, SAML and XKMS on Web Services is enough to provide a system with the needed security.
Conclusion
- For more information please visit the project web site: http://shrike.depaul.edu/~cfhied/se690/abstract.html
- Thank you!!!