
Figure 3.2: Web services security layers [Kearney et al., 2004a]. (Figure title: Web Services Messaging Security Stack.)

Layered architectures are a popular mechanism for describing networked systems, for example the layered OSI reference model [Jeckle and Wilde, 2004, Zimmermann, 1988]. The layering and separation of concerns adhered to by layered architectures allows the security functions within a networked system to be more clearly identified.

CHAPTER 3. WEB SERVICES SECURITY 40

NIST categorise web services security functions according to the OSI reference model, for example deployment of a dedicated line at the link layer, TLS at the transport layer and XML Encryption at the application layer [Singhal et al., 2007]. Jeckle and Wilde [2004] derive a web services protocol stack with layers that mirror the functionality of the OSI model’s layers, for example the Internet protocols that transport SOAP messages are placed at the bottom layer of their stack. This layer corresponds to the physical layer in the OSI model. Jeckle and Wilde [2004] place SOAP message security at the “transport layer” of their stack because security functionality is found in the transport layer of the OSI model. Geuer-Pollmann and Claessens [2005] position security within a “WS-*” specification stack. This stack layers SOAP web services specifications but it does not adhere to the separation of concerns principle because some layers overlap. However, a distinction between layers containing Internet protocol security and layers containing SOAP security is made.

Despite the different layered web services models, a trend towards the separation of Internet protocol security and SOAP message security is apparent. Figure 3.2 better illustrates this separation through the three layers of web services security identified by Kearney et al. [2004a]: transport layer; message layer; and message content layer. Each of these layers is independent of the others, as dictated by the separation of concerns principle.

3.5.1 Transport layer security

Figure 3.3: Transport layer security when multiple hops exist.

Securing the underlying Internet protocols that carry SOAP messages is done at the transport layer [Kearney, 2005]. This layer may be mapped to the network and transport layers of the OSI stack and examples of security at this layer are TLS and virtual private networks. This type of security encapsulates the higher layers shown in figure 3.2, for example TLS will encrypt an entire message payload regardless of the security deployed at a higher layer.

Although Kearney [2005] states that transport layer security is commonly adopted, its suitability for web services is criticised. NIST and Kearney [2005] affirm that transport level security can only guarantee security between an endpoint and its closest intermediary [Singhal et al., 2007]. If the intermediaries are untrusted, there is no way to guarantee a message’s security from one endpoint to another. Figure 3.3 illustrates a scenario where the requester has no way of ensuring that the second TLS connection is ever instantiated.

A related criticism of transport security is the lack of transport independence [Singhal et al., 2007]. The close coupling of security with transport protocols is problematic because security will be terminated and instantiated with each transport link. This is illustrated in figure 3.3 where two TLS connections are instantiated for one transaction. The termination of the first connection and the instantiation of the second requires security information to be repackaged and transferred from one connection to another [Singhal et al., 2007]. This may result in security vulnerabilities from poor security implementations of this complex transfer. The endpoints have no control over the quality of this protection along the entire message path because they rely on the quality of the security implemented by intermediaries.

Transport layer security also protects the entire message payload and this makes it impossible to protect individual message parts [Khoo and Zhou, 2004]. The protection of individual parts of a message is important when it is undesirable for certain intermediaries to access some message parts.

3.5.1.1 The Transport Layer and End-to-end Security

Transport layer mechanisms such as TLS may provide protection against all the threats mentioned in section 3.4.3. TLS allows for mutual authentication to mitigate the authentication threats and it provides encryption to mitigate the confidentiality threats [Schwarz et al., 2007].

The deployment of message authentication codes (MAC) [Shirey, 2000] by TLS mitigates integrity threats [Dierks and Rescorla, 2006]. The MAC guarantees message uniqueness within a single TLS session only. The replay of a TLS session transporting a SOAP message can be detected, but the replay of the same SOAP message over different TLS sessions cannot be detected.

However, the previously mentioned transport layer criticisms indicate that the mitigation of the security threats cannot be achieved end-to-end when intermediaries exist. Intermediaries must be relied upon to mitigate threats along the message path. If an intermediary is unauthorised to access an entire message then confidentiality threats are inherent to transport layer security. The threats to data authentication are also inherent in transport layer security as this type of security authenticates an entire message and not individual parts. Transport layer security fails to provide end-to-end web services message security because it does not work at the required granularity. The need for finer-grained end-to-end web services security has led to the development of message layer security.


3.5.2 Message Layer Security

Message layer security secures SOAP messages themselves [Kearney, 2005]. XML security mechanisms provide security at this layer because SOAP is based on XML. XML Encryption provides mechanisms for encrypting XML documents and these documents may be signed using XML Signature. Since SOAP uses XML in a specific manner, WS-Security details how to use these XML security standards to secure SOAP messages [Nadalin et al., 2006a].

The criticisms levelled at transport layer security are dealt with by message layer security. Message layer security is not dependent on the communication links between web services entities. To this end criticisms based on transport protocol dependence are defeated. XML Encryption and XML Signature may be used to secure individual XML message parts. This fine granularity overcomes the transport layer criticism that individual message parts cannot be secured according to their intended recipients.
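The per-part protection described here, and the transport layer criticism in section 3.5.1 that whole-payload protection cannot distinguish message parts, as an added illustration that is not code from the thesis: an HMAC over an ElementTree serialisation stands in for XML Signature over a C14N canonical form, and the envelope layout, routing header, element names and key are constructed.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed envelope: a routing header that intermediaries may rewrite and a
# Body intended for the final endpoint only. Namespaces omitted for brevity.
ENVELOPE = ('<Envelope><Header><Route>gateway-a</Route></Header>'
            '<Body><Transfer amount="100" to="acct-42"/></Body></Envelope>')
DEMO_KEY = b'constructed-demo-key'   # HMAC key stands in for the XML Signature key

def canonical(elem):
    # Stand-in for XML canonicalisation (C14N), which XML Signature applies
    # before digesting a referenced element.
    return ET.tostring(elem, encoding='unicode')

def sign_part(soap_xml, part_path, key):
    """Sign a single message part, modelled on a WS-Security Signature whose
    Reference points at the Body rather than the whole envelope."""
    root = ET.fromstring(soap_xml)
    tag = hmac.new(key, canonical(root.find(part_path)).encode(), hashlib.sha256)
    sig = ET.SubElement(root.find('Header'), 'Signature', ref=part_path)
    sig.text = tag.hexdigest()
    return ET.tostring(root, encoding='unicode')

def verify_part(soap_xml, key):
    """Recompute the digest over the referenced part only; other parts of the
    message may change without invalidating it."""
    root = ET.fromstring(soap_xml)
    sig = root.find('Header/Signature')
    if sig is None or root.find(sig.get('ref')) is None:
        return False
    expected = hmac.new(key, canonical(root.find(sig.get('ref'))).encode(), hashlib.sha256)
    return hmac.compare_digest(expected.hexdigest(), sig.text or '')

def intermediary_reroute(soap_xml, next_hop):
    # An intermediary legitimately rewrites the unsigned routing header.
    root = ET.fromstring(soap_xml)
    root.find('Header/Route').text = next_hop
    return ET.tostring(root, encoding='unicode')

def tamper_body(soap_xml):
    # Any change to the signed part, by an intermediary or otherwise, is detected.
    root = ET.fromstring(soap_xml)
    root.find('Body/Transfer').set('amount', '9000')
    return ET.tostring(root, encoding='unicode')

def scenario():
    signed = sign_part(ENVELOPE, 'Body', DEMO_KEY)
    rerouted = intermediary_reroute(signed, 'gateway-b')
    return (verify_part(signed, DEMO_KEY), verify_part(rerouted, DEMO_KEY),
            verify_part(tamper_body(rerouted), DEMO_KEY))
```

The signature over the Body survives the intermediary's rewrite of the routing header, which whole-payload transport protection could not allow, while a change to the signed part is rejected.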

3.5.2.1 The Message Layer and End-to-end Security

The threats in section 3.4.3 may be mitigated end-to-end by message layer security. XML Encryption mitigates confidentiality threats and XML Signature mitigates threats to authentication and integrity [Schwarz et al., 2007]. WS-Security defines mechanisms for authentication and mitigates threats to message uniqueness using unique message identifiers and timestamps [Nadalin et al., 2006a]. Although message layer security provides the end-to-end security for web services, the meaning of the security employed remains unestablished. This is the role of the message content layer.
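The contrast between the per-session uniqueness that the TLS MAC provides (section 3.5.1.1) and the message uniqueness that WS-Security identifiers and timestamps provide, as an added simulation that is not part of the thesis: the TLS sequence counter is a model rather than a TLS implementation, and the simplified MessageID/Created elements and the sample message are constructed assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
class TlsSession:
    """Transport layer model: the record MAC covers a per-connection sequence
    number, so duplicates within a session fail; a new session restarts it."""
    def __init__(self):
        self.expected_seq = 0
    def receive(self, seq, record):
        if seq != self.expected_seq:
            return False        # replayed or reordered record fails the MAC check
        self.expected_seq += 1
        return True

def build_soap(message_id, created):
    # Minimal envelope with WS-Security uniqueness data; namespaces omitted and the
    # element names are an assumed simplification of wsa:MessageID / wsu:Created.
    return ('<Envelope><Header><MessageID>%s</MessageID><Created>%s</Created>'
            '</Header><Body><Transfer amount="100"/></Body></Envelope>'
            % (message_id, created.isoformat()))

class MessageLayerReplayFilter:
    """Message layer: the endpoint remembers MessageIDs seen inside the freshness
    window, so a repeated SOAP message is rejected whatever connection carried it."""
    def __init__(self, window):
        self.window = window
        self.seen = {}          # MessageID -> Created timestamp
    def accept(self, soap_xml, now):
        root = ET.fromstring(soap_xml)
        mid = root.findtext('Header/MessageID')
        created = datetime.fromisoformat(root.findtext('Header/Created'))
        if mid is None or not (now - self.window <= created <= now):
            return False        # missing id, stale or future-dated timestamp
        self.seen = {k: v for k, v in self.seen.items() if now - v <= self.window}
        if mid in self.seen:
            return False        # replay across sessions detected
        self.seen[mid] = created
        return True

def simulate():
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    msg = build_soap('urn:uuid:constructed-0001', now)   # constructed sample message
    first, second = TlsSession(), TlsSession()
    tls_first = first.receive(0, msg)         # accepted
    tls_replay_same = first.receive(0, msg)   # duplicate record: rejected
    tls_replay_new = second.receive(0, msg)   # new session: replay goes undetected
    flt = MessageLayerReplayFilter(timedelta(minutes=5))
    ml_first = flt.accept(msg, now)
    ml_replay = flt.accept(msg, now + timedelta(seconds=30))
    ml_stale = flt.accept(build_soap('stale-id', now - timedelta(hours=1)), now)
    return tls_first, tls_replay_same, tls_replay_new, ml_first, ml_replay, ml_stale
```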

3.5.3 Message Content Layer

The message content layer is unique to the analysis by Kearney [2005]. This layer is concerned with the meaning of security mechanisms deployed at lower levels, for example determining whether a digital signature means that the owner of the signing key has signed the message or that an entity with access to the signing key created the message [Kearney, 2005]. Such a consideration is relevant because the plausibility of signing key theft defeats non-repudiation.

This layer deals with security issues whose solutions are currently non-technological [Schwarz et al., 2007]. This layer is not considered further as it is an undeveloped open issue that warrants future work of its own.


3.5.4 Summary

Both transport and message layer security may mitigate the threats identified in section 3.4.3. Transport layer security may meet web services security challenges in a point-to-point environment only. Message layer security can meet these challenges in an end-to-end manner.

It is possible to combine transport and message level security since they are independent. The WS-I Security Challenges, Threats and Countermeasures document [Schwarz et al., 2007] details how to implement such a combination, but this is not considered here because end-to-end security cannot be provided by transport layer security. Combining transport layer security with message layer security does not add any value to the provision of end-to-end web services security.