Secure Web Services, Arvind Easwaran (arvinde@seas), CIS/TCOM 551 Spring 2004, Slide Set 7


Secure Web Services

Arvind Easwaran (arvinde@seas)

CIS/TCOM 551 Spring 2004

Slide Set 7

Outline

Web Services (WS): An overview
XML Basics
SOAP Basics
WSEmail: The real one
Security in WS

Web Services (WS) Overview

Today's Web

Designed for applications involving human interactions

Intended purpose
– Information sharing: a distributed content library
– Enabled B2C e-commerce
– Non-automated B2B interactions

How did it happen?
– Built on very few standards: HTTP + HTML
– Shallow interaction model: very few assumptions
– Result was ubiquity

What's next?

There is a lot more we can do!
– Open, automated B2B e-commerce
– Business process integration on the Web
– Resource sharing, distributed computing

Existing Web technology is ad hoc for this
– Application-to-application interactions with HTML forms

Goal

Enabling systematic application-to-application interaction on the Web

Web Services

"Web services" is an effort to build a distributed computing platform for the Web

Web service applications are encapsulated, loosely coupled Web "components" that can bind dynamically to each other

The Penn – Amazon example

Typical Web Service Components

[Figure: consumers exchanging SOAP messages with a Web Service described by WSDL]

SOAP: Web Services consumers send and receive SOAP messages

WSDL (Web Services Description Language): Web Services are defined in terms of the formats and ordering of messages

Built using open Internet protocols: XML & HTTP

Web Services Architecture

A programmable application component accessible via standard Web protocols

[Figure: Web Service reached over Open Internet Protocols; UDDI (Universal Description, Discovery, and Integration) provides a directory of services on the Internet]

Web Services Framework

Framework can be described in terms of
– What goes "on the wire"
  Formats and protocols: XML and SOAP using HTTP
– What describes what goes on the wire
  Description languages: WSDL
– What allows us to find these descriptions
  Discovery of services: UDDI

XML

What is XML?

Extensible Markup Language
Meta language that
– Lets you create and format your own document markup

A method for putting structured data into a text file
- easy to read
- unambiguous
- extensible
- platform-independent

Sample XML Example

<?xml version="1.0" encoding="…"?>
<msg:message from="id" to="id" xmlns:msg="URI" xmlns:po="URI">
  <msg:text>
    Hi please bill to the following address
  </msg:text>
  <msg:item>
    <po:po id="123">
      <po:billto>
        <po:company> Skateboard </po:company>
        <po:street> One Warehouse Park </po:street>
        <po:city> Boston </po:city>
      </po:billto>
    </po:po>
  </msg:item>
</msg:message>

XML Declaration

<?xml version="1.0" encoding="…"?>

<?xml ?> is the XML declaration
– Not required, but typically used
– Attributes include:
  Version
  Encoding – the character encoding

XML Element

<msg:message from="id" to="id" xmlns:msg="URI" xmlns:po="URI">
  <msg:text>
    Hi please bill the following
  </msg:text>
  <msg:item>
    <po:po id="123">
      …
    </po:po>
  </msg:item>
</msg:message>

<tag> text/element </tag> is an element
Each element tag can be divided into 2 parts: namespace prefix and tag name

XML Attribute

<msg:message from="id" to="id" xmlns:msg="URI" xmlns:po="URI">
  …
  <po:po id="123">
    …
  </po:po>
</msg:message>

XML Attribute
– Describes additional information about an element
– <tag key="value"> text </tag>
– Reserved attribute: xml:lang

XML Namespaces

<msg:message from="id" to="id" xmlns:msg="URI" xmlns:po="URI">
  …
</msg:message>

Namespaces
– Not mandatory, but useful in giving uniqueness to an element
– Declared using xmlns:name="value"

SOAP

SOAP

An XML envelope for XML messaging
Headers + body
SOAP is "transport independent"
A convention for doing RPC

SOAP Message Processing

SOAP Message Example

<?xml … ?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="URI">
  <SOAP-ENV:Header>
    <t:Transaction xmlns:t="URI" SOAP-ENV:mustUnderstand="1">
      12345
    </t:Transaction>
    <p:Priority xmlns:p="URI">
      Very High
    </p:Priority>
  </SOAP-ENV:Header>
  <SOAP-ENV:Body>
    "XML Document"
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

A header block marked mustUnderstand="1" (here Transaction) must be processed by the receiving node or the whole message must be rejected with a fault; a header without it (here Priority) may be ignored by a node that does not recognize it.
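An added example, not from the slides, of the header-processing rule behind mustUnderstand, using only Python's standard library: the envelope is parsed, each tag is split into its namespace URI and local name (the two parts of an element tag from the XML slides), and a header this node does not implement is ignored only when it is optional; with mustUnderstand="1" the node faults instead of silently dropping it. The SOAP-ENV namespace is the real SOAP 1.1 one; the Transaction and Priority namespaces and the message itself are constructed stand-ins for the slide's "URI" placeholders.

```python
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"   # real SOAP 1.1 envelope namespace
TX_NS = "urn:example:transaction"                          # stand-ins for the slide's "URI"
PRIO_NS = "urn:example:priority"

# Header blocks this node implements, as (namespace URI, local name) pairs.
UNDERSTOOD = {(TX_NS, "Transaction")}


class SoapFault(Exception):
    def __init__(self, code, reason):
        super().__init__(f"{code}: {reason}")
        self.code = code


def split_qname(tag):
    """ElementTree spells a namespaced tag as '{uri}local'; return (uri, local)."""
    if tag.startswith("{"):
        uri, local = tag[1:].split("}", 1)
        return uri, local
    return "", tag


def process_envelope(xml_bytes):
    """Process header blocks in order; fault on any mustUnderstand header we do not implement."""
    root = ET.fromstring(xml_bytes)
    if split_qname(root.tag) != (SOAP_ENV, "Envelope"):
        raise SoapFault("Client", "root element is not a SOAP Envelope")
    header = root.find(f"{{{SOAP_ENV}}}Header")
    body = root.find(f"{{{SOAP_ENV}}}Body")
    if body is None:
        raise SoapFault("Client", "Envelope has no Body")

    processed = []
    for block in (list(header) if header is not None else []):
        qname = split_qname(block.tag)
        must = block.get(f"{{{SOAP_ENV}}}mustUnderstand", "0") in ("1", "true")
        if qname in UNDERSTOOD:
            processed.append((qname[1], (block.text or "").strip()))
        elif must:
            # The sender insisted on this header: refusing is the only safe answer.
            raise SoapFault("MustUnderstand", f"cannot process header {qname}")
        # An unknown header without mustUnderstand may be ignored.
    return {"headers": processed, "body": (body.text or "").strip()}


def fault_code(xml_bytes):
    """None if the envelope is accepted, otherwise the fault code it triggers."""
    try:
        process_envelope(xml_bytes)
        return None
    except SoapFault as fault:
        return fault.code


def envelope(priority_must_understand):
    """Constructed sample shaped like the slide's example; Priority is unknown to this node."""
    mu = ' SOAP-ENV:mustUnderstand="1"' if priority_must_understand else ""
    return f"""<?xml version="1.0"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="{SOAP_ENV}">
  <SOAP-ENV:Header>
    <t:Transaction xmlns:t="{TX_NS}" SOAP-ENV:mustUnderstand="1">12345</t:Transaction>
    <p:Priority xmlns:p="{PRIO_NS}"{mu}>Very High</p:Priority>
  </SOAP-ENV:Header>
  <SOAP-ENV:Body>XML Document</SOAP-ENV:Body>
</SOAP-ENV:Envelope>""".encode()


if __name__ == "__main__":
    print(process_envelope(envelope(False)))   # Priority ignored, Transaction processed
    print(fault_code(envelope(True)))          # MustUnderstand
```

The check on the root element and the Body is deliberate: a node that dispatches on the first element it finds, without confirming it is a SOAP Envelope in the expected namespace, can be handed a document that merely looks like one.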

WSEmail

Carl Gunter, Kevin Lux, Michael May

WSEmail

Traditional Internet Email
– Based on a collection of protocols: SMTP, POP, IMAP
– Evolved over a vast installed base
– Shortcomings: flexibility, security and integration

WSEmail: The Solution

Aims to exploit the advantages of web service protocols

Uses web service security features to support integrity, authentication, and access control for both end-to-end and hop-by-hop message transmissions

A collection of services that can be added to the base system

The Solution (Contd)

A way to integrate different messaging systems

Prototype system is built using Microsoft .NET

On-demand attachments
Integrated instant messaging

Architecture

Architecture (Contd)

Sender Client SC makes a call on its Sender Server SS
All calls are SOAP calls over TCP
The server SS then makes a call on the Receiver Server RS
The Receiver Client RC periodically makes calls to RS
Security based on standards for web service security, possibly supported by encrypted tunnels

Architecture (Contd)

Hop-by-hop confidentiality, so communications between the nodes can be protected by TLS
Clients like SC and RC are typically authenticated by a password
Servers authenticate themselves using certificates
Such certificates are used in TLS and used to sign messages using XMLDSIG

Variations – Security Token

Security Token (Contd)

SC contacts SS to obtain a security token recognized by RS
SC sends a message authenticated with this credential to RS
Instant messages are posted directly to the client
RS and RC apply access control for this function based on the security token from SC
The token is recognized because of a form of federated identity between SS and RS
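The token flow above, as an added example that is not part of WSEmail (the prototype's own code is not reproduced here): SS authenticates SC and issues a short-lived token naming RS as its audience; RS checks the token's MAC, issuer, audience and expiry, then consults RC's allow-list before posting the instant message. The federation between SS and RS is modelled as a single shared HMAC key and the token is a JSON payload with an HMAC; both are assumptions for this example, not the token format the prototype used, and the users, passwords and timestamps are constructed.

```python
import base64, hashlib, hmac, json

# Federation between SS and RS is modelled as one shared HMAC key (an assumption
# for this example; the slide only says a "form of federated identity" exists).
FEDERATION_KEY = b"ss-rs-federation-key-for-this-example-only"


def _mac(payload):
    return base64.urlsafe_b64encode(hmac.new(FEDERATION_KEY, payload, hashlib.sha256).digest()).decode()


class SenderServer:
    """SS: authenticates SC by password, then issues a token scoped to RS with a short lifetime."""
    def __init__(self, passwords):
        self.passwords = passwords                     # username -> password (constructed)

    def issue_token(self, user, password, audience, now, ttl=300):
        stored = self.passwords.get(user, "")
        if not hmac.compare_digest(stored.encode(), password.encode()):
            raise PermissionError("authentication failed")
        claims = {"sub": user, "iss": "SS", "aud": audience, "exp": now + ttl}
        payload = json.dumps(claims, sort_keys=True).encode()
        return base64.urlsafe_b64encode(payload).decode() + "." + _mac(payload)


class ReceiverServer:
    """RS: verifies SS-issued tokens and applies RC's access-control list before posting IMs."""
    def __init__(self, im_allowlist):
        self.im_allowlist = im_allowlist               # recipient -> set of senders allowed to IM it
        self.delivered = {}                            # recipient -> [(sender, text)]

    def _verify(self, token, now):
        try:
            b64, mac = token.split(".", 1)
            payload = base64.urlsafe_b64decode(b64)
        except ValueError:
            return None
        if not hmac.compare_digest(_mac(payload), mac):
            return None                                # forged or altered token
        claims = json.loads(payload)
        if claims.get("iss") != "SS" or claims.get("aud") != "RS" or claims.get("exp", 0) <= now:
            return None                                # wrong issuer/audience, or expired
        return claims

    def post_instant_message(self, token, recipient, text, now):
        claims = self._verify(token, now)
        if claims is None:
            return "rejected: invalid token"
        if claims["sub"] not in self.im_allowlist.get(recipient, set()):
            return f"rejected: {claims['sub']} may not IM {recipient}"
        self.delivered.setdefault(recipient, []).append((claims["sub"], text))
        return "delivered"


def demo(now=1_078_833_600):                           # 2004-03-09T12:00:00Z, constructed
    ss = SenderServer({"SC": "correct horse battery staple"})
    rs = ReceiverServer({"RC": {"SC"}})
    token = ss.issue_token("SC", "correct horse battery staple", "RS", now)
    return (
        rs.post_instant_message(token, "RC", "hi", now),                  # delivered
        rs.post_instant_message(token, "RC", "hi", now + 600),            # expired
        rs.post_instant_message(token[:-6] + "AAAAAA", "RC", "hi", now),  # MAC tampered
        rs.post_instant_message(token, "Other", "hi", now),               # not on Other's list
    )
```

Note the order of checks in RS: the MAC is verified before any claim is read, so issuer, audience and expiry are only ever taken from a payload SS actually produced, and the audience check stops a token issued for some other receiving server from being replayed against RS.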

Security

Why Web Services Security is a Challenge

Theory: "This thing has 4-wheel drive, but we only take it to the mall."
Practice: "In this environment we need 4-wheel drive."

Message Level Security

Example: SC to SS

<wsse:Security SOAP-ENV:mustUnderstand="1" SOAP-ENV:actor="…" xmlns:wsse="…">
  <wsse:UsernameToken xmlns:wsu="…" wsu:Id="SecurityToken…">
    <wsse:Username>SC</wsse:Username>
    <wsse:Nonce>…</wsse:Nonce>
    <wsu:Created>Date</wsu:Created>
  </wsse:UsernameToken>
  <Signature>
    <SignedInfo>
      <CanonicalizationMethod Algorithm="…"/>
      <SignatureMethod Algorithm="hmac-sha1"/>
      <Reference URI="#Id…">
        <Transforms>
          <Transform Algorithm="xml-exc-c14n#"/>
        </Transforms>
        <DigestMethod Algorithm="xmldsig#sha1"/>
        <DigestValue>…</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>…</SignatureValue>
    <KeyInfo>
      <wsse:SecurityTokenReference>
        <wsse:Reference URI="…"/>
      </wsse:SecurityTokenReference>
    </KeyInfo>
  </Signature>
</wsse:Security>

The HMAC key is derived from SC's password; the SecurityTokenReference tells SS which UsernameToken (and so which password) to derive it from. The Nonce and Created values let SS reject a replay of a captured header, so the server has to remember recent nonces and refuse stale Created times.

Canonicalization

Logically equivalent but physically different XML snippets
– <p a="1" b="2"></p>
– <p a="1" b="2"/>

Digests and signatures are computed over the canonical form, so an intermediary that re-serializes the XML (attribute order, empty-element syntax, whitespace inside tags) does not break the signature.
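An added example, not from the slides or from WSEmail, covering the two slides above (the UsernameToken-keyed HMAC signature and canonicalization) with only the Python 3.8+ standard library. sign() produces the fields of the wsse:Security header: Username, Nonce and Created, a SignedInfo whose Reference carries the digest of the canonical Body, and a SignatureValue that is an HMAC over the canonical SignedInfo. verify() rejects stale Created values and replayed Nonces before checking the MAC and the digest, and it accepts a Body that an intermediary re-serialized (attribute order, empty-element syntax, prefixes) but not one whose content changed. Assumptions: the key derivation is HMAC-SHA256(password, nonce || created), a stand-in rather than the UsernameToken Profile's P_SHA1; SHA-256 and HMAC-SHA256 replace the SHA-1 algorithms on the slide; canonicalization is Python's C14N 2.0 with prefix rewriting instead of exclusive C14N 1.0; the messages, password and timestamps are constructed.

```python
import base64, hashlib, hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DSIG = "http://www.w3.org/2000/09/xmldsig#"


def c14n(xml_text):
    """Canonical bytes: attributes sorted, empty-element syntax normalized, prefixes rewritten."""
    return ET.canonicalize(xml_text, rewrite_prefixes=True).encode()


def derive_key(password, nonce, created):
    # Example stand-in, not the WS-Security UsernameToken Profile's P_SHA1 derivation.
    return hmac.new(password.encode(), nonce + created.encode(), hashlib.sha256).digest()


def digest_of_reference(envelope_xml, ref_id):
    """SHA-256 over the canonical form of the element carrying wsu:Id=ref_id."""
    for el in ET.fromstring(envelope_xml).iter():
        if el.get(f"{{{WSU}}}Id") == ref_id:
            el.tail = None            # tostring() would otherwise include trailing text
            return hashlib.sha256(c14n(ET.tostring(el, encoding="unicode"))).digest()
    raise ValueError(f"no element with wsu:Id={ref_id}")


def sign(envelope_xml, username, password, nonce, created, ref_id):
    """Fields of the wsse:Security header: UsernameToken parts, SignedInfo, SignatureValue."""
    digest = base64.b64encode(digest_of_reference(envelope_xml, ref_id)).decode()
    signed_info = (
        f'<SignedInfo xmlns="{DSIG}">'
        '<CanonicalizationMethod Algorithm="http://www.w3.org/2010/xml-c14n2"/>'
        '<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"/>'
        f'<Reference URI="#{ref_id}">'
        '<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>'
        f'<DigestValue>{digest}</DigestValue></Reference></SignedInfo>'
    )
    mac = hmac.new(derive_key(password, nonce, created), c14n(signed_info), hashlib.sha256).digest()
    return {"username": username, "nonce": base64.b64encode(nonce).decode(), "created": created,
            "signed_info": signed_info, "signature_value": base64.b64encode(mac).decode()}


def verify(envelope_xml, sec, passwords, seen_nonces, now, max_age=timedelta(minutes=5)):
    """None if accepted, else the reason for rejection: freshness, replay, MAC, then digest."""
    created = datetime.strptime(sec["created"], "%Y-%m-%dT%H:%M:%SZ")
    if not (now - max_age <= created <= now + max_age):
        return "stale Created timestamp"
    if sec["nonce"] in seen_nonces:
        return "replayed Nonce"
    if sec["username"] not in passwords:
        return "unknown user"
    key = derive_key(passwords[sec["username"]], base64.b64decode(sec["nonce"]), sec["created"])
    expected = hmac.new(key, c14n(sec["signed_info"]), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, base64.b64decode(sec["signature_value"])):
        return "bad SignatureValue"
    ref = ET.fromstring(sec["signed_info"]).find(f"{{{DSIG}}}Reference")  # SignedInfo is now trusted
    claimed = base64.b64decode(ref.find(f"{{{DSIG}}}DigestValue").text)
    try:
        actual = digest_of_reference(envelope_xml, ref.get("URI").lstrip("#"))
    except ValueError as e:
        return str(e)
    if not hmac.compare_digest(claimed, actual):
        return "DigestValue mismatch: signed element was altered"
    seen_nonces.add(sec["nonce"])     # remember only nonces of accepted messages
    return None


# Constructed messages: the same Body serialized two ways, plus one altered copy.
def _envelope(po_open, street, city, s="SOAP-ENV", u="wsu"):
    return (f'<{s}:Envelope xmlns:{s}="{SOAP_ENV}" xmlns:{u}="{WSU}">\n'
            f'  <{s}:Body {u}:Id="Body-1">\n'
            f'    {po_open}<billto><city>{city}</city>{street}</billto></po>\n'
            f'  </{s}:Body>\n</{s}:Envelope>')

ENVELOPE = _envelope('<po xmlns="urn:example:po" id="123">', "<street></street>", "Boston")
RESERIALIZED = _envelope('<po id="123" xmlns="urn:example:po">', "<street/>", "Boston", "S", "u")
TAMPERED = _envelope('<po xmlns="urn:example:po" id="123">', "<street></street>", "Cambridge")


def demo():
    passwords = {"SC": "correct horse battery staple"}        # SS's password store (constructed)
    nonce, created = b"\x01\x02\x03\x04\x05\x06\x07\x08", "2004-03-09T12:00:00Z"
    now = datetime(2004, 3, 9, 12, 0, 30)
    sec = sign(ENVELOPE, "SC", passwords["SC"], nonce, created, "Body-1")
    seen = set()
    results = {
        "original": verify(ENVELOPE, sec, passwords, seen, now),
        "replay": verify(ENVELOPE, sec, passwords, seen, now),
        "reserialized": verify(RESERIALIZED, sec, passwords, set(), now),
        "tampered": verify(TAMPERED, sec, passwords, set(), now),
        "stale": verify(ENVELOPE, sec, passwords, set(), now + timedelta(hours=1)),
    }
    # The canonicalization slide's point: three spellings, one canonical form.
    forms = {c14n(s) for s in ['<p a="1" b="2"></p>', '<p a="1" b="2"/>', '<p b="2"  a="1" />']}
    return results, len(forms)
```

Calling demo() returns the verdict for each message plus the number of distinct canonical forms (one). The verifier checks the MAC over SignedInfo before it trusts anything inside SignedInfo, including the Reference URI, so an attacker cannot redirect the digest check at an element of their choosing; and the nonce is recorded only after a message is accepted, so a forged header cannot be used to burn a legitimate nonce.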

XML Element Specific Security

<po xmlns="URI" id="123">
  <enc:EncryptedData Type="URI">
    <enc:EncryptionMethod Algorithm="…"/>
    <ds:KeyInfo>
      <ds:KeyName> Shared Key </ds:KeyName>
    </ds:KeyInfo>
    <enc:CipherData>…</enc:CipherData>
  </enc:EncryptedData>
  …
</po>

Only the chosen element is replaced by EncryptedData; the enclosing po element, its id attribute and the rest of the document stay readable, so intermediaries can still route and process the message without the key.
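An added example, not from the slides, of encrypting just one element: the po:billto subtree is replaced by an enc:EncryptedData block with the ds:KeyName shown above, while the id attribute and the rest of the order stay in clear for intermediaries, which is the multi-party property the later "Is SSL Alone Enough?" slide says point-to-point SSL cannot provide. To stay on the standard library the cipher is a stand-in, an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, and the Algorithm URI is a placeholder for it; a real deployment would use an XML Encryption algorithm such as AES-GCM. The purchase order is constructed from the slide's sample with a shipto element added.

```python
import base64, hashlib, hmac, os
import xml.etree.ElementTree as ET

PO, XENC, DS = "urn:example:po", "http://www.w3.org/2001/04/xmlenc#", "http://www.w3.org/2000/09/xmldsig#"
for _prefix, _uri in (("po", PO), ("enc", XENC), ("ds", DS)):
    ET.register_namespace(_prefix, _uri)            # keep the slide's prefixes on output


def _keystream(key, iv, n):
    blocks = (hmac.new(key, iv + i.to_bytes(4, "big"), hashlib.sha256).digest() for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def seal(key, plaintext):
    """Stand-in AEAD: iv || ciphertext || tag, the tag being an HMAC over iv and ciphertext."""
    iv = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, iv, len(plaintext))))
    return iv + ct + hmac.new(key, iv + ct, hashlib.sha256).digest()


def unseal(key, blob):
    iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, iv + ct, hashlib.sha256).digest(), tag):
        raise ValueError("ciphertext authentication failed")   # tampered, or wrong key
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, iv, len(ct))))


def _replace_child(root, old, new):
    """Swap one element for another in place, keeping the whitespace that followed it."""
    new.tail = old.tail
    for parent in root.iter():
        for i, child in enumerate(list(parent)):
            if child is old:
                parent[i] = new
                return
    raise ValueError("element is not a child of this document")


def encrypt_element(doc_xml, tag, key, key_name):
    """Replace the first <tag> element with enc:EncryptedData holding its encrypted serialization."""
    root = ET.fromstring(doc_xml)
    target = root.find(f".//{tag}")
    if target is None:
        raise ValueError("element not found")
    tail, target.tail = target.tail, None
    plaintext = ET.tostring(target)                  # self-contained: carries its own xmlns
    target.tail = tail
    enc = ET.Element(f"{{{XENC}}}EncryptedData", {"Type": f"{XENC}Element"})
    ET.SubElement(enc, f"{{{XENC}}}EncryptionMethod", {"Algorithm": "urn:example:hmac-sha256-ctr-etm"})
    ET.SubElement(ET.SubElement(enc, f"{{{DS}}}KeyInfo"), f"{{{DS}}}KeyName").text = key_name
    cipher = ET.SubElement(ET.SubElement(enc, f"{{{XENC}}}CipherData"), f"{{{XENC}}}CipherValue")
    cipher.text = base64.b64encode(seal(key, plaintext)).decode()
    _replace_child(root, target, enc)
    return ET.tostring(root, encoding="unicode")


def decrypt_element(doc_xml, keys):
    """Inverse: look up the key by ds:KeyName, authenticate, then restore the original element."""
    root = ET.fromstring(doc_xml)
    enc = root.find(f".//{{{XENC}}}EncryptedData")
    key = keys[enc.find(f"{{{DS}}}KeyInfo/{{{DS}}}KeyName").text]
    blob = base64.b64decode(enc.find(f"{{{XENC}}}CipherData/{{{XENC}}}CipherValue").text)
    _replace_child(root, enc, ET.fromstring(unseal(key, blob)))
    return ET.tostring(root, encoding="unicode")


# Constructed purchase order; shipto is added so something besides the id stays visible.
PO_XML = f"""<po:po xmlns:po="{PO}" id="123">
  <po:billto>
    <po:company>Skateboard</po:company>
    <po:street>One Warehouse Park</po:street>
    <po:city>Boston</po:city>
  </po:billto>
  <po:shipto><po:city>Philadelphia</po:city></po:shipto>
</po:po>"""


def demo():
    key = hashlib.sha256(b"example shared key, not for real use").digest()
    keys = {"Shared Key": key}
    encrypted = encrypt_element(PO_XML, f"{{{PO}}}billto", key, "Shared Key")
    restored = ET.fromstring(decrypt_element(encrypted, keys))
    visible = ET.fromstring(encrypted)
    # Flip one ciphertext byte: the tag check must reject it before any plaintext is used.
    cv = visible.find(f".//{{{XENC}}}CipherValue")
    blob = bytearray(base64.b64decode(cv.text))
    blob[20] ^= 0x01
    cv.text = base64.b64encode(bytes(blob)).decode()
    try:
        decrypt_element(ET.tostring(visible, encoding="unicode"), keys)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {"id_still_visible": visible.get("id"),
            "shipto_still_visible": visible.find(f"{{{PO}}}shipto/{{{PO}}}city").text,
            "billto_hidden": visible.find(f".//{{{PO}}}billto") is None,
            "tamper_detected": tamper_detected,
            "city_after_decrypt": restored.find(f"{{{PO}}}billto/{{{PO}}}city").text}
```

demo() encrypts, decrypts, and then corrupts one ciphertext byte to show that the tag check fires before any decrypted bytes are parsed as XML; parsing attacker-controlled plaintext before authenticating it is the classic mistake in XML Encryption deployments.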

XML Key Management Specification (XKMS)

Management of Public Keys
– Registration
  Alice registers her email signature public key
– Information
  Bob looks up the key for Alice
  Bob checks to see if it is valid

Core Objective
– Shield the client from the complexity of PKI

Platform Level Security

Security Terminology

Authentication
– Positively identifying the clients
– User ID/password pairs, X.509 certificates, etc.

Authorization
– Defining what authenticated clients are allowed to see and do
– ACLs

Non-Repudiation
– Digital signatures

Secure Communication
– Ensuring that messages remain private and unaltered as they cross networks
– SSL point-to-point

Is SSL Alone Enough?

For some applications: Yes
As infrastructure: No

SSL does not support multi-party transactions
– Intermediate node: SSL protects one hop at a time, so a node that terminates the connection sees the whole message in clear and can alter it before forwarding

SSL does not support non-repudiation
– Does not leave any audit trail: the session's symmetric MAC proves nothing to a third party once the connection is closed

Demo

Conclusions

Without Security and Trust
– Web Services are Dead On Arrival

Considerable progress has already been made
– Industry-wide consensus on the value of standards
– Basic infrastructure is in place or in development
– There is considerable consensus on the roadmap
– Web Services are certainly moving towards a secure architecture
