Web Services Security – Ready for Wireless?

Description: Immo Hüneke, Technical Architect. Storage Days Europe 2003, Birmingham, 13 May 2003. Agenda: Who is ObjectValue; What is meant by Web Services; Approaches to Wireless Security; Web Services (WS-) Security; An example; Discussion. (Transcript of a PowerPoint presentation.)
Confidential & Proprietary to ObjectValue Ltd. © 2003

Storage Days Europe 2003, Birmingham, 13 May 2003
Web Services Security – Ready for Wireless?
Immo Hüneke, Technical Architect
13 May 2003, WS-Security: Ready for Wireless?
Agenda

- Who is ObjectValue
- What is meant by Web Services
- Approaches to Wireless Security
- Web Services (WS-) Security
- An example
- Discussion
- Conclusion and Recommendation
ObjectValue

- Founded 2002 – see www.objectvalue.com
- Vehicle for my consulting and contracting activities
- Example projects:
  - Technical support for a Tandem-based Intelligent Network call routing system (mobile operator in South Africa)
  - Requirements study for Engineering Access Modelling and Planning systems (underground railway operating company)
- Expertise in mobile computing, wireless internet and advanced methodology
Web Services

- Web Services are replacing other integration technologies in many contexts
- They promise in the long term to enable the fully automated assembly of distributed application functionality on demand from published service components. This is currently a pipe dream.
- Nevertheless, many application vendors are urgently overhauling their products to expose their individual functions as Web Services:
  - PeopleSoft
  - SAP
  - all Microsoft products released with the .NET branding
Web Services (ii)

- Web Services, using XML as a lingua franca, have emerged as the next-generation Web-based technology for exchanging information
- Web Services are modular, self-describing applications that are accessible over the Internet
- Web Services are based on open standards
- Web Services enable Web-based applications to interoperate between any platform, object model and programming language (in theory!)
- “Web Services allow any piece of software to communicate with a standardized XML messaging system.” (Hari Mailvaganam)
Web Services (iii)

Two main schools of thought, both supported through OASIS Open:

- ebXML (more mature, top-down): “Business Web Services” (Sun)
  - Business Process / Business Document model
  - BPSS, CPP/CPA, ebMS, SOAP with Attachments, MIME
- WSDL/UDDI (more noise, bottom-up): “Enterprise Web Services” (Sun)
  - Remote Method Call model
  - WSDL, UDDI repository, SOAP (“WUS”), plus options: WS-Transaction, WS-Security, BPEL4WS, …
Web Services Example (i)

Currency conversion rate lookup: http://www.webserviceX.net/CurrencyConvertor.asmx (append ?wsdl to see the service definition)

Diagram: the Client sends From-currency and To-currency to the Server over HTTP/SOAP; the Server returns the Rate.
Web Services Example (ii)

The WSDL as shown on the slide was cut off after the first currency code; the closing tags and two comments below complete it so that it parses, nothing else has been added.

```xml
<?xml version="1.0"?>
<definitions xmlns:http="http://schemas.xmlsoap.org/wsdl/http/"
             xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
             xmlns:s="http://www.w3.org/2001/XMLSchema"
             xmlns:s0="http://www.webserviceX.NET/"
             xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
             xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/"
             xmlns:mime="http://schemas.xmlsoap.org/wsdl/mime/"
             targetNamespace="http://www.webserviceX.NET/"
             xmlns="http://schemas.xmlsoap.org/wsdl/">
  <types>
    <s:schema elementFormDefault="qualified" targetNamespace="http://www.webserviceX.NET/">
      <s:element name="ConversionRate">
        <s:complexType>
          <s:sequence>
            <s:element minOccurs="1" maxOccurs="1" name="FromCurrency" type="s0:Currency"/>
            <s:element minOccurs="1" maxOccurs="1" name="ToCurrency" type="s0:Currency"/>
          </s:sequence>
        </s:complexType>
      </s:element>
      <s:simpleType name="Currency">
        <s:restriction base="s:string">
          <s:enumeration value="AFA"/>
          <!-- remaining currency codes omitted on the slide -->
        </s:restriction>
      </s:simpleType>
    </s:schema>
  </types>
  <!-- message, portType, binding and service definitions omitted on the slide -->
</definitions>
```
Where does it make sense to use Web Services?

Diagram: the application stack from Client through Presentation, Application, Business Process, Business Logic / Rules down to Business Data, with Web Services as possible interfaces between the layers.

Suggestion: use sparingly, only where scalability or other business benefit is gained by decoupling layers.
Approaches to Security

Layer                            Mechanisms
Link Layer                       (none listed)
Network Layer                    IPSec
Transport Layer                  TLS/SSL, WTLS
Session Layer                    SSH
End-to-End / Application Layer   SAML, WS-Security
Non-Application-Layer Approaches

Diagram: four hops, Client, Client proxy, Server proxy and Server, each with its own Socket Layer, TCP (UDP) and IP Layer. Protection is applied between adjacent network stacks, so it terminates at each proxy rather than covering the message end to end.

Application Layer Approaches

Diagram: the Message is protected by a Security Lib at the Client and checked by a Security Lib at the Server; in between it may cross any network, any path and any protocol unchanged.
Web Services Security

Services provided:

- Single-message authentication: security tokens and digital (XML) signature
- Message integrity: XML Signature
- Message confidentiality: XML Encryption
WS-Security (ii)

Diagram of the message layout:

SOAP Envelope
  SOAP Header
    Security Header
      Token
      Token
      Signature
      Signature
      …
    Other Headers (optional)
  SOAP Body (optionally partly or wholly encrypted)
WS-Security (iii)

The slide's envelope, with one correction: it used the wsu:Id attribute without declaring the wsu prefix, so the declaration is added below (the URI follows the same 2002 draft placeholder form as the wsse namespace on the slide).

```xml
<?xml version="1.0" encoding="utf-8"?>
<S:Envelope xmlns:S="http://www.w3.org/2001/12/soap-envelope"
            xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
            xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/xx/utility">
  <S:Header>
    <wsse:Security xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/xx/secext">
      <wsse:UsernameToken wsu:Id="MyID">
        ...
      </wsse:UsernameToken>
      <ds:Signature>
        <ds:SignedInfo>
          ...
        </ds:SignedInfo>
        <ds:SignatureValue>DJbchm5gK...</ds:SignatureValue>
        <ds:KeyInfo>
          ...
        </ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
  </S:Header>
  <S:Body wsu:Id="MsgBody">
    ...
  </S:Body>
</S:Envelope>
```
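The UsernameToken in the envelope above is elided. The following is an added example, not code from the slides or from ObjectValue, of what a digest-based UsernameToken carries and of the checks a server must make before accepting it as single-message authentication from a wireless client: recomputing Base64(SHA-1(nonce + created + password)), rejecting cleartext passwords, rejecting stale timestamps and rejecting a nonce it has already accepted. It assumes the OASIS WSS 1.0 namespaces and UsernameToken Profile (the slides predate these and use the 2002 draft namespace), a five-minute freshness window and a constructed in-memory user store.

```python
# Added example (not from the slides): WS-Security UsernameToken with PasswordDigest,
# plus the server-side freshness and replay checks. Namespaces follow OASIS WSS 1.0;
# the 5-minute window, 30 s clock skew and the user store are assumptions.
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Optional

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
               "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
NONCE_ENCODING = ("http://docs.oasis-open.org/wss/2004/01/"
                  "oasis-200401-wss-soap-message-security-1.0#Base64Binary")
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"
ET.register_namespace("wsse", WSSE)
ET.register_namespace("wsu", WSU)


def utc_now() -> datetime:
    return datetime.now(timezone.utc)


def created_timestamp(age_seconds: int = 0) -> str:
    """wsu:Created value for 'now' (or age_seconds in the past, to build stale tokens)."""
    return (utc_now() - timedelta(seconds=age_seconds)).strftime(TS_FORMAT)


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Password_Digest = Base64(SHA-1(nonce + created + password)), nonce as raw bytes."""
    data = nonce + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(data).digest()).decode()


def build_username_token(username: str, password: str,
                         created: Optional[str] = None, nonce: Optional[bytes] = None) -> str:
    """Client side: only the digest leaves the device, never the cleartext password."""
    created = created or created_timestamp()
    nonce = nonce or os.urandom(16)
    tok = ET.Element(f"{{{WSSE}}}UsernameToken", {f"{{{WSU}}}Id": "UsernameToken-1"})
    ET.SubElement(tok, f"{{{WSSE}}}Username").text = username
    pw = ET.SubElement(tok, f"{{{WSSE}}}Password", {"Type": DIGEST_TYPE})
    pw.text = password_digest(nonce, created, password)
    nonce_el = ET.SubElement(tok, f"{{{WSSE}}}Nonce", {"EncodingType": NONCE_ENCODING})
    nonce_el.text = base64.b64encode(nonce).decode()
    ET.SubElement(tok, f"{{{WSU}}}Created").text = created
    return ET.tostring(tok, encoding="unicode")


class UsernameTokenVerifier:
    """Server side: recompute the digest and reject stale or replayed tokens."""

    def __init__(self, passwords: dict, max_age: timedelta = timedelta(minutes=5), clock=utc_now):
        self.passwords = passwords      # constructed user store: username -> password
        self.max_age = max_age
        self.clock = clock
        self.seen_nonces = {}           # nonce -> created time; pruned once older than max_age

    def verify(self, token_xml: str) -> bool:
        tok = ET.fromstring(token_xml)
        username = tok.findtext(f"{{{WSSE}}}Username")
        pw_el = tok.find(f"{{{WSSE}}}Password")
        nonce_b64 = tok.findtext(f"{{{WSSE}}}Nonce")
        created = tok.findtext(f"{{{WSU}}}Created")
        if username is None or pw_el is None or nonce_b64 is None or created is None:
            return False
        if pw_el.get("Type") != DIGEST_TYPE:
            return False                # never accept PasswordText (cleartext) here
        password = self.passwords.get(username)
        if password is None:
            return False
        try:
            created_ts = datetime.strptime(created, TS_FORMAT).replace(tzinfo=timezone.utc)
            nonce = base64.b64decode(nonce_b64, validate=True)
        except ValueError:
            return False
        if not nonce:
            return False
        now = self.clock()
        # Freshness: older than max_age, or more than 30 s in the future, is rejected.
        if not (now - self.max_age <= created_ts <= now + timedelta(seconds=30)):
            return False
        self.seen_nonces = {n: t for n, t in self.seen_nonces.items() if now - t <= self.max_age}
        if nonce in self.seen_nonces:
            return False                # replay of a token already accepted within the window
        expected = password_digest(nonce, created, password)
        if not hmac.compare_digest(expected.encode(), (pw_el.text or "").encode()):
            return False
        self.seen_nonces[nonce] = created_ts   # record only after a successful check
        return True


if __name__ == "__main__":
    verifier = UsernameTokenVerifier({"salesrep": "correct horse battery"})
    token = build_username_token("salesrep", "correct horse battery")
    print(token)
    print("first use:", verifier.verify(token), "replay:", verifier.verify(token))
```

The nonce is recorded only after the digest verifies, so an attacker cannot burn nonces by sending garbage, and the cache is bounded by the freshness window rather than growing forever. Note that the digest does not bind the token to the message body; that is what the Signature element in the envelope is for.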
Example

Mobile Sales Rep enters a customer order:

- Message Authentication is used to verify the identity of the user (and check access permissions; the permission check is outside the scope of WS-Security)
- Message Integrity is used to ensure that the order cannot be modified in transit without detection (e.g. to change quantity, price or delivery address)
- Message Confidentiality is used to ensure that the customer’s order details are not seen by anyone except the supplier
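The integrity requirement of this example, as an added illustration that is not code from the slides or from ObjectValue: the order's SOAP Body is canonicalised, its digest placed in a Reference inside a Signature in the Security header, and the verifier resolves that Reference back to the real S:Body before trusting anything in it, so that both an edited quantity and a second, unsigned Body carrying the same wsu:Id are rejected. It assumes the OASIS WSS 1.0 namespaces, a constructed order, and HMAC-SHA256 under a shared key standing in for the RSA signature XML Signature would normally carry; confidentiality (XML Encryption) is not shown.

```python
# Added example (not from the slides): signing the order's SOAP Body by reference
# and verifying it. HMAC-SHA256 under a shared key replaces XML Signature's RSA; the
# order fields, the key and the OASIS WSS 1.0 namespaces are assumptions.
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from typing import Optional

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
for _prefix, _uri in (("S", SOAP), ("wsse", WSSE), ("wsu", WSU), ("ds", DS)):
    ET.register_namespace(_prefix, _uri)
BODY_ID = "MsgBody"


def c14n(elem: ET.Element) -> str:
    """Canonical XML of one subtree; rewrite_prefixes makes prefix renaming harmless."""
    return ET.canonicalize(ET.tostring(elem, encoding="unicode"), rewrite_prefixes=True)


def b64_sha256(text: str) -> str:
    return base64.b64encode(hashlib.sha256(text.encode()).digest()).decode()


def signed_order_xml(order: dict, key: bytes) -> str:
    """Build the order envelope, sign its Body by wsu:Id, return the XML sent over the air."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    security = ET.SubElement(ET.SubElement(env, f"{{{SOAP}}}Header"), f"{{{WSSE}}}Security")
    body = ET.SubElement(env, f"{{{SOAP}}}Body", {f"{{{WSU}}}Id": BODY_ID})
    order_el = ET.SubElement(body, "Order")          # constructed sample payload
    for field, value in order.items():
        ET.SubElement(order_el, field).text = str(value)
    sig = ET.SubElement(security, f"{{{DS}}}Signature")
    signed_info = ET.SubElement(sig, f"{{{DS}}}SignedInfo")
    ref = ET.SubElement(signed_info, f"{{{DS}}}Reference", {"URI": "#" + BODY_ID})
    ET.SubElement(ref, f"{{{DS}}}DigestValue").text = b64_sha256(c14n(body))
    mac = hmac.new(key, c14n(signed_info).encode(), hashlib.sha256).digest()
    ET.SubElement(sig, f"{{{DS}}}SignatureValue").text = base64.b64encode(mac).decode()
    return ET.tostring(env, encoding="unicode")


def verify_signed_body(envelope_xml: str, key: bytes) -> Optional[ET.Element]:
    """Return the signed Body element, or None if anything about the signature is wrong."""
    env = ET.fromstring(envelope_xml)
    sig = env.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security/{{{DS}}}Signature")
    signed_info = sig.find(f"{{{DS}}}SignedInfo") if sig is not None else None
    if signed_info is None:
        return None
    ref = signed_info.find(f"{{{DS}}}Reference")
    sig_value = sig.findtext(f"{{{DS}}}SignatureValue")
    if ref is None or sig_value is None:
        return None
    # 1. SignatureValue must be a valid MAC over the canonical SignedInfo.
    expected = hmac.new(key, c14n(signed_info).encode(), hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(expected, base64.b64decode(sig_value, validate=True)):
            return None
    except ValueError:
        return None
    # 2. The Reference must point at the S:Body itself. Resolving the Id anywhere in the
    #    document would let an attacker park the signed original elsewhere and present
    #    a fresh unsigned Body with the same Id (signature wrapping).
    body = env.find(f"{{{SOAP}}}Body")
    if body is None or ref.get("URI", "") != "#" + (body.get(f"{{{WSU}}}Id") or ""):
        return None
    # 3. The Body on the wire must still digest to the value that was signed.
    claimed = ref.findtext(f"{{{DS}}}DigestValue") or ""
    if not hmac.compare_digest(b64_sha256(c14n(body)).encode(), claimed.encode()):
        return None
    return body


def attacker_changes_quantity(wire: str, quantity: int) -> str:
    """In-transit tampering: edit the signed Body in place."""
    env = ET.fromstring(wire)
    env.find(f"{{{SOAP}}}Body/Order/Quantity").text = str(quantity)
    return ET.tostring(env, encoding="unicode")


def attacker_wraps_signature(wire: str, quantity: int) -> str:
    """Signature wrapping: keep the signed Body (moved into the Header) so a naive Id
    lookup still finds it, and present a new Body with the same wsu:Id."""
    env = ET.fromstring(wire)
    original = env.find(f"{{{SOAP}}}Body")
    env.remove(original)
    env.find(f"{{{SOAP}}}Header").append(original)
    fake = ET.SubElement(env, f"{{{SOAP}}}Body", {f"{{{WSU}}}Id": BODY_ID})
    ET.SubElement(ET.SubElement(fake, "Order"), "Quantity").text = str(quantity)
    return ET.tostring(env, encoding="unicode")


if __name__ == "__main__":
    key = b"shared-secret-for-the-example"           # assumption
    wire = signed_order_xml({"Customer": "C-1001", "Item": "SKU-42", "Quantity": 5,
                             "Price": "19.99", "DeliveryAddress": "1 Example Street"}, key)
    print("valid:", verify_signed_body(wire, key) is not None)
    print("edited:", verify_signed_body(attacker_changes_quantity(wire, 500), key))
    print("wrapped:", verify_signed_body(attacker_wraps_signature(wire, 500), key))
```

The verifier returns the element it actually checked, and the application should read the order from that return value rather than re-locating the Body itself; the two attacker helpers exist only to show that both an edited and a wrapped message come back as None.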
Advantages

- End-to-end message confidentiality, integrity and authentication are assured
- Messages can be stored, retrieved and forwarded arbitrary numbers of times
- Extensible:
  - Multiple security token formats
  - Multiple trust domains
  - Multiple signature formats
  - Multiple encryption technologies
Drawbacks

- Immaturity of the specification
- Many things outside the scope:
  - Trust establishment
  - Security policy exchange and agreement
  - Security context specification
  - Authentication mechanisms
  - Key management
- Only one Security header per recipient (SOAP actor) in a message
- Processing and bandwidth overheads:
  - XML and SOAP are verbose; WS-Security exacerbates this
  - Signatures and tokens must be generated / checked every time
  - Onerous verification, logging and error reporting
- Not ideally suited to inter-enterprise exchanges
Conclusion and Recommendation

- Yes, it can be done, but the effort doesn’t seem worth it for the current generation of mobile devices
- VPN-style solutions lead to quicker and more dependable results
- Wait for standards to settle down
- Decide your business model:
  - Extension of the enterprise network to the mobile
  - Direct interaction of mobile device with Web Services offered by multiple providers
A Hybrid Solution

Diagram: the Mobile App (client part) reaches the Mobile App (server part) over a VPN; the server part, behind the Firewall, then uses WS-Security both towards the In-House Web Service and, across the Internet, towards a Third Party Web Service.
Thank You!

Questions?

ObjectValue Ltd., 31 Guildford Way, Wallington, Surrey SM6 8NS, United Kingdom
www.objectvalue.com
Immo Hüneke BSc MBCS CEng, Director
+44 (0)20 8395 5835; +44 (0)7941 072 238
Software Systems consultancy & development