MASON ECE 646 - Analysis of Security Aspects of Web Services

This preview shows page 1-2-3-4 out of 12 pages.


Analysis of Security Aspects of Web Services

Lavanya Kanchanapalli, Mahesh Mutham, Raghu Ram Ala

Contents

Abstract
1. Introduction
2. Overview of Web Services
3. Security Issues
   3.1 Authentication
   3.2 Authorization/Access Control
   3.3 Confidentiality
   3.4 Integrity
   3.5 Non-Repudiation
4. Security protocols
   4.1 XML Encryption
   4.2 XML Signatures
       Creation of XML Signatures
       Verifying XML Signatures
   4.3 SAML
   4.4 XKMS
   4.5 WS-Security
5. Implementation
   5.1 Aim
   5.2 Analysis of Results
6. Conclusions
References

Abstract

The technology that is presently being used to secure point-to-point based client-server architecture will not sufficiently secure the Web Services infrastructure [9]. In this paper we discuss the security requirements of Web Services and explain how the existing technologies fall short in securing them. In recent years, tremendous work has been done by several organizations proposing new techniques and protocols to secure Web Services. Several of these protocols and techniques are elaborated and explained with their relative advantages and disadvantages. Different SOAP requests were encrypted using symmetric key encryption and asymmetric key encryption, and their respective response times were noted and analyzed.

1. Introduction

Web Services technology refers to a set of related protocols that make program-to-program communication easier. A Web Service is an interface to application logic that can be accessed using web-based open standard protocols, including XML and HTTP. All details that are necessary to interact with a Web Service are provided in an interface description as an XML document. The interface hides the implementation details of the service, allowing it to be used independently of the hardware or software platform on which it is implemented and also independently of the programming language in which it is written. This allows and encourages Web Services-based applications to be loosely coupled, component-oriented, cross-technology implementations. Web Services fulfill a specific task or a set of tasks. They can be used alone or with other Web Services to carry out a complex aggregation or a business transaction.

Web Services dramatically increase the reach of e-business. A homogeneous model that spans internal as well as external resources enables uniform solutions to complex business problems. Yet the complexity of web-service-based systems increases exponentially with their scope. Security is the single biggest concern in deploying Web Services, and it is dealt with in detail in the rest of the report. SSL provides good point-to-point security but fails to provide end-to-end security, which is needed to provide security services to Web Service transactions.

This report aims at describing the concerns related to Web Service security and at comparing and analyzing a few tools and techniques that could be used to secure Web Services. As a part of the project, a few SOAP messages were encrypted using symmetric key encryption on the .Net platform. The results and conclusions, both from analysis and implementation, are included in the report.

Section 2 gives a brief overview of Web Services and other protocols used. Section 3 discusses some of the security issues related to Web Services. Section 4 briefly describes the different proposals being made to secure Web Services. In the same section we compare different technologies and protocols that could be used to address the security concerns of Web Services. Implementation of encryption of SOAP messages on .Net is described and its performance is discussed in Section 6 and Section 7. Conclusions and problems encountered are described in Section 8.

2. Overview of Web Services

A Web Service is any ordinary existing function, service or business process, or a new functionality, which is made available to the network to be accessed using open Internet standards like XML and SOAP. For example, suppose an enterprise has created a stockQuote Web Service and would like to make it available to interested users on the web. The enterprise publishes the description of this service either in a human language like English or in WSDL [11], which can be understood by Web Service development tool kits or by other services or functions using this Web Service.

WSDL consists of two parts:

• an abstract interface describing the operations and the associated messages, and
• a concrete implementation (bindings) describing the actual network protocols, wire formats, and the actual network endpoint addresses required to access the service.

WSDL message binding is not limited to SOAP/HTTP [12], although this combination accounts for the majority of Web Services implementations. Other bindings that are commonly discussed are HTTP POST and GET.

An interested user can find this Web Service in a public directory like UDDI [13] and use the WSDL to create a client to communicate with the Web Service. This is called binding to the service. The Web Service client and service then communicate using SOAP messages.

SOAP (Simple Object Access Protocol) is a lightweight, XML-based protocol for exchanging information in an open network environment. SOAP consists of three elements:

• A mandatory SOAP envelope wraps all other elements of the SOAP message and gives information about the version of the message and the encoding rules, if any.
• An optional SOAP header contains application-specific information about the SOAP message.
• A required SOAP body element contains the actual SOAP message.

In theory SOAP is able to use almost any underlying transport protocol, including HTTP, SMTP, FTP, and others. The current version of SOAP, version 1.1, defines bindings for HTTP.

UDDI (Universal Description Discovery and Integration) of Web Services is a concept similar to that of Yellow Pages for phone numbers. Web Services can be published in these directories along with their descriptions (WSDL). The UDDI specification defines a way to publish and discover information about services. Interested users or services can search UDDI for a required Web Service. This is called the find operation. Users can then bind to the service and communication can take place. This is called the bind phase. There are many unsolved security issues with the implementation of UDDI. For
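
The SOAP 1.1 message layout described in Section 2 (a mandatory envelope, an optional header, a required body), checked in code. This is an added example, not code from the paper: the stock-quote payload, the `urn:example` namespaces and the name `check_soap11` are constructed for illustration, and the ordering and no-DTD rules come from the SOAP 1.1 specification rather than from this text.

```python
import xml.etree.ElementTree as ET

SOAP11_NS = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 envelope namespace
ENVELOPE = f"{{{SOAP11_NS}}}Envelope"
HEADER = f"{{{SOAP11_NS}}}Header"
BODY = f"{{{SOAP11_NS}}}Body"


def check_soap11(message: bytes) -> list:
    """Return structural problems found in a message; an empty list means valid layout."""
    # SOAP 1.1 forbids a DTD; rejecting it before parsing also keeps entity
    # declarations away from the XML parser.
    if b"<!DOCTYPE" in message:
        return ["message contains a DTD"]
    try:
        root = ET.fromstring(message)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    # The envelope namespace is how SOAP 1.1 conveys the message version.
    if root.tag != ENVELOPE:
        return [f"root element is {root.tag!r}, not a SOAP 1.1 Envelope"]

    problems = []
    children = [child.tag for child in root]
    if children.count(HEADER) > 1:
        problems.append("more than one Header")
    if HEADER in children and children[0] != HEADER:
        problems.append("Header is not the first child of Envelope")
    if children.count(BODY) != 1:
        problems.append(f"expected exactly one Body, found {children.count(BODY)}")
    elif children.index(BODY) != (1 if children[:1] == [HEADER] else 0):
        problems.append("Body is not in its required position")
    return problems


def _envelope(inner: str) -> bytes:
    """Wrap constructed sample content in a SOAP 1.1 envelope."""
    return f'<soap:Envelope xmlns:soap="{SOAP11_NS}">{inner}</soap:Envelope>'.encode()


# Constructed sample messages (not taken from the paper).
_HDR = '<soap:Header><t:TxId xmlns:t="urn:example:tx">42</t:TxId></soap:Header>'
_BDY = ('<soap:Body><q:GetStockQuote xmlns:q="urn:example:stockquote">'
        '<q:Symbol>ABC</q:Symbol></q:GetStockQuote></soap:Body>')
VALID, SWAPPED, NO_BODY = _envelope(_HDR + _BDY), _envelope(_BDY + _HDR), _envelope(_HDR)
WITH_DTD = b'<!DOCTYPE x [<!ENTITY e "v">]>' + VALID

if __name__ == "__main__":
    for name in ("VALID", "SWAPPED", "NO_BODY", "WITH_DTD"):
        print(name, check_soap11(globals()[name]))
```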

