Web Services Security

This preview shows page 1-2 out of 7 pages.


by Shilpa Venugopal and Nagalakshmi Kohareswaran

What are Web Services?

- Business logic or applications on the Internet
- A collection of web and object-oriented technologies
- Link Web-based applications running on different hardware, software, database, or network platforms
- Enable integration of applications across enterprise boundaries, providing seamless collaboration with partners, customers, and suppliers

What are Web Services? Example

- A tour operator offers customizable vacation tours
- Tours contain all the information related to destinations, hotels to stay at, car rentals, flights to take, etc.
- The tour operator needs to communicate with its partner hotels and car rental companies
- This is done by means of web services
- Partner hotels offer remote access to information such as room rents, availability, booking, etc. by means of services
- Public services: room availability
- Private services: discount rates for partners

[Diagram: Tourist, Tour Operator, Car Rental, Hotel, Partner Businesses, Integration Modules]

What are Web Services? (SOAP)

- Services are hosted on a SOAP server running on a Web server
- Accessed by SOAP over the HTTP protocol
- SOAP is the Simple Object Access Protocol
- SOAP: XML messages using SOAP specifications
- A web service method call appears as a URL with or without parameters. It returns data in the form of an XML document.

[Diagram: Web Service Client connects by SOAP over HTTP to the Web Server and Hotel SOAP Server. Hotel Web Services: (Private) GetBookings( ), GetDiscountRates( ); (Public) GetRoomsAvail( ), GetRoomRates( )]

Challenges in Web Services Security

- Interactions are expanding from intranets to the Internet.
- Security requirements must be addressed by the underlying security technology.
- The interactions are anticipated to be more dynamic and instantaneous.
- The number of participants is far larger than in other environments.

Security Requirements

- Authentication mechanisms
- Authorization to access resources
- Data integrity and confidentiality
- Integrity of transactions and communications
- End-to-end integrity and confidentiality of messages
- Non-repudiation
- Audit trails
- Distributed enforcement of security policy

Current Security Mechanisms

- Security at the Transport level
- Security at the XML level

Security at the Transport level

SSL limitations:

- SSL provides point-to-point security
- SSL secures communication at the transport level rather than the message level
- HTTPS in its current form does not support non-repudiation well
- SSL does not provide element-wise signing and encryption

Web Services Security

[Diagram: Web Service Client, XML Firewall, Secured Intranet, Hotel SOAP Server. Hotel Web Services: (Private) GetBookings( ), GetDiscountRates( ); (Public) GetRoomsAvail( ), GetRoomRates( )]

XML Security Standards

XML level security involves standards that form the modules of the XML firewall:

- XML Signature
- XML Encryption
- WS Security
- eXtensible Access Control Markup Language (XACML)
- Security Assertion Markup Language (SAML)
- XML Key Management Services (XKMS)

SOAP (Simple Object Access Protocol)

    <soap:Envelope>
      <soap:Header>
        header definition....
      </soap:Header>
      <soap:Body>
        body definition....
      </soap:Body>
    </soap:Envelope>

XML Signature

- Standard proposed by the W3C group
- Designed for use with XML transactions, not necessarily SOAP
- Used to provide authentication, data integrity, and support for non-repudiation to the data
- Message integrity and user authentication information are enclosed within the SOAP message
- The XML firewall receives the message and checks the message integrity and authentication information
- Provides flexibility to sign specific portions of the XML document

XML Signature (structure)

    <Signature>
      <SignedInfo>
        <SignatureMethod/>
        <Reference>
          <DigestMethod></DigestMethod>
          <DigestValue></DigestValue>
        </Reference>
      </SignedInfo>
      <SignatureValue></SignatureValue>
      <KeyInfo></KeyInfo>
    </Signature>

- Signature: main element
- SignedInfo: resources to sign and algorithms
- SignatureMethod: signing algorithm
- Reference: list of resources
- DigestMethod: digest algorithm
- DigestValue: result of digest
- SignatureValue: signature value
- KeyInfo: key used to validate the signature

XML Signature: steps in creating a digital signature

1. Identify the resources to be signed. A resource can be:
   - Character-encoded data (HTML), e.g. http://www.xyz.com/index.html
   - Binary-encoded data like an image file on the web (JPG)
   - An XML file on the web, e.g. http://www.xyz.com/xml/abc.xml
   - A specific element in an XML file on the web, e.g. http://www.xyz.com/xml/abc.xml#element1
2. Determine the digest for each resource
3. Add the SignedInfo element
4. Calculate the digest of the <SignedInfo>, sign it, and put the signature in the <SignatureValue>
5. Add the KeyInfo
6. Add the Signature element

XML Signature: validating an XML Signature

- Verify the signature of the <SignedInfo> element
  - Use the public verification key to verify that the <SignatureValue> element is valid
- Verify the digest values of the <Reference> elements
  - Recalculate the digests of the references contained within the <SignedInfo> element
  - Compare them to the values in the corresponding <DigestValue> elements

XML Encryption

- An encryption technology optimized for XML data
- It addresses two requirements:
  - End-to-end security
  - Selective encryption
- XML Encryption provides flexibility by encrypting any of the following:
  - A complete XML file
  - Any single element of an XML file

XML Encryption (cont)

A simple example of secure exchange of XML data:

    <purchaseOrder>
      <Order>
        <Item>book</Item>
        <Id>123-56-6789</Id>
        <Quantity>6</Quantity>
      </Order>
      <Payment>
        <CardId>9876-5432-6874</CardId>
        <CardName>abc</CardName>
        <ValidDate>12-04</ValidDate>
      </Payment>
    </purchaseOrder>

XML Encryption (cont)

Encrypting a complete XML file:

    <?xml version='1.0'?>
    <EncryptedData Type='…'>
      <CipherData>
        <CipherValue>A123B456C</CipherValue>
      </CipherData>
    </EncryptedData>

XML Encryption (cont)

Encrypting a single element:

    <?xml version='1.0'?>
    <EncryptedData Type='…#Element'>
      <CipherData>
        <CipherValue>A123B456</CipherValue>
      </CipherData>
    </EncryptedData>

WS Security

- Proposed by the OASIS group
- Extension to the SOAP specification by W3C
- Defines the mechanism for including integrity, confidentiality, and authentication features within a SOAP message
- Defines how to include digital signatures and encrypted data in a SOAP message
- Uses the XML Signature and XML Encryption specifications

WS
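The XML Signature creation and two-step validation described above, as an added sketch that is not part of the original slides: it signs only the Payment element of the slides' purchase order and shows which changes each validation step catches, and that the unsigned Order portion stays modifiable. Assumptions: a shared HMAC-SHA256 key stands in for the public/private key pair, the Id attribute, algorithm labels and KeyInfo value are constructed, and the output is simplified (no namespaces), so it is not interoperable XML-DSig.

```python
import base64, hashlib, hmac
import xml.etree.ElementTree as ET

KEY = b"constructed-demo-key"  # assumption: shared HMAC key replaces the key pair
# Constructed sample: the page's purchase order, with an Id attribute added.
SAMPLE = ("<purchaseOrder><Order><Item>book</Item><Quantity>6</Quantity></Order>"
          "<Payment Id='pay'><CardId>9876-5432-6874</CardId></Payment></purchaseOrder>")

def c14n(elem):
    # Canonical bytes, so equivalent serializations hash identically.
    return ET.canonicalize(ET.tostring(elem, encoding="unicode")).encode()

def digest(elem):
    return base64.b64encode(hashlib.sha256(c14n(elem)).digest()).decode()

def mac(elem):
    return base64.b64encode(hmac.new(KEY, c14n(elem), hashlib.sha256).digest()).decode()

def by_id(doc, uri):
    return doc.find(f".//*[@Id='{uri.lstrip('#')}']")

def sign(doc, uri):
    sig = ET.Element("Signature")
    info = ET.SubElement(sig, "SignedInfo")
    ET.SubElement(info, "SignatureMethod", Algorithm="hmac-sha256")
    ref = ET.SubElement(info, "Reference", URI=uri)
    ET.SubElement(ref, "DigestMethod", Algorithm="sha256")
    ET.SubElement(ref, "DigestValue").text = digest(by_id(doc, uri))
    # The signature covers SignedInfo (and so the digests), not the data itself.
    ET.SubElement(sig, "SignatureValue").text = mac(info)
    ET.SubElement(sig, "KeyInfo").text = "demo-key"
    doc.append(sig)
    return doc

def validate(doc):
    sig = doc.find("Signature")
    info = sig.find("SignedInfo")
    # Step 1: SignatureValue must match SignedInfo.
    if not hmac.compare_digest(mac(info), sig.findtext("SignatureValue", "")):
        return "bad signature"
    # Step 2: every Reference digest must match the data as received.
    for ref in info.findall("Reference"):
        target = by_id(doc, ref.get("URI"))
        if target is None or digest(target) != ref.findtext("DigestValue"):
            return "bad digest"
    return "valid"
```

A receiver that relies on selective signing has to check that the elements it acts on are the ones named in a Reference; here a change to Quantity passes validation because only Payment is signed.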

