web services security dept of computer engineering khon kaen university
TRANSCRIPT
Web Services Security
Dept of Computer EngineeringKhon Kaen University
168493: XML and Web Services (II/2546) 2
Challenges of Securing Web
Services Need to figure out a way of
securing Web services that can be potentially accessed by a complete stranger over the network
Many technologies developed to support: XML Encryption XML Signature (XML DSIG) XML Key Management Service (XKMS)
168493: XML and Web Services (II/2546) 3
Concepts of Cryptography
Encryption and digital signatures are a part of a bigger science of cryptography
Cryptography is the art of secret writing, the enciphering and deciphering of messages in secret code or cipher, as many would put it Cipher=a message written in a secret code Decipher=convert code into ordinary
language Encipher=convert plain text into the
cipher text
168493: XML and Web Services (II/2546) 4
Four Goals of Cryptography
Confidentiality Ensuring that only authorized parties are able
to understand the data Authentication
Ensuring the identify of the party in a given security domain
Integrity Protecting sensitive information from
unauthorized modifications Non-repudiation
Ensures that another party cannot repudiate
168493: XML and Web Services (II/2546) 5
Confidentiality Ensuring that only authorized parties are
able to understand the data Unauthorized parties may know that the
data exists, but they should not be able to understand what the data is
Confidentiality is made possible through encryption. Encryption is the process of converting a particular message into scrambled text, also known as cipher text
168493: XML and Web Services (II/2546) 6
Authentication Ensures the identity of the party in a
given security domain This involves having some sort of
password or key through which the user would prove his or her identify in a particular security domain
Authentication is extremely important for services to be able to tell to whom all they are providing their services
168493: XML and Web Services (II/2546) 7
Integrity Protecting sensitive information from
unauthorized modifications Ensures that the message received by
the recipient was the same message that was sent originally by the sender The message has not been tampered
with since it was sent Different hashing algorithms are used
to generate a sort of a checksum to guarantee integrity
168493: XML and Web Services (II/2546) 8
Non-repudiation Repudiation is to refuse to accept something Non-repudiation is a technique in which one
party ensures that another party cannot repudiate
Example, a supplier of raw materials would want to ensure that the customer does not repudiate later its placing of an order for materials
Digital signatures can be used to provide non-repudiation in computer security systems
168493: XML and Web Services (II/2546) 9
XML Encryption The XML Encryption standard is
currently been developed at the W3C http://www.w3.org/Encryption/2001/
Unlike SSL/TLS (Secure Sockets Layer/Transport Layer Security), XML Encryption enables the encryption of data at different granularity levels This means that one can select to encrypt
parts of data using XML Encryption
168493: XML and Web Services (II/2546) 10
XML Encryption It also enables the establishment of
secure sessions with more than one party
XML encryption can also be used to encrypt both XML as well as as non-XML data
For more information about the implementation of XML Encryption http://www-106.ibm.com/
developerworks/xml/library/x-encrypt/
168493: XML and Web Services (II/2546) 11
XML Signatures Provides a mechanism for applying
digital signatures to XML documents and other Internet resources
Provide strong integrity for message authentication, signer authentication and non-repudiation services for data of any type
168493: XML and Web Services (II/2546) 12
Types of XML Signatures Three types of signatures supported
by the XML Signature specification Enveloped signatures
The signature is over the XML content that contains the signature as an element
Enveloping signatures The signature is over the content found
within an <object> element of the signature itself
Detached signatures The signature is over the content external to
the <Signature> element and this external content is identified via a URI
168493: XML and Web Services (II/2546) 13
Example: Enveloped Signature
<doc Id=“doc0”><elem/><Signature>
….<Reference URI=“doc0”/>…
</Signature></doc>
168493: XML and Web Services (II/2546) 14
Example: Enveloping Signature
<Signature>…<Reference URI=“#ID0”/>…<Object Id=“ID0”>
…</Object>
</Signature>
168493: XML and Web Services (II/2546) 15
Detached Signatures<doc>
<Signature>...<reference URI=
http://www.ach.com/fundstransfer/fundstarnsferproc.html/></Signature><elem/>
</doc>