NIST's Guide to Secure Web Services
Presented by Gaspar Modelo-Howard and Ratsameetip Wita

Secure and Dependable Web Services
• National Institute of Standards and Technology. Special Publication 800-95: Guide to Secure Web Services. Aug 2007.
• Ingham, D., et al. Constructing Dependable Web Services. IEEE Internet Computing, Jan/Feb 2000.
Goals
• Give a broad overview of the field (secure and dependable web services)
• Present challenges and open problems in research

Outline
• Introduction to Web Services
• Web Security Dimensions
• Attacks to Web Services
• Web Service Security Functions
Introduction to Web Services
• WS: a software system designed to support interoperable machine-to-machine interaction over a network [W3C]
• Ex: Web APIs accessed over a network and executed remotely
• Makes a collection of software services accessible via standardized protocols, whose functionality can be automatically discovered and integrated into applications (loosely coupled)
• Allows a WS to dynamically bind to other WSs at run-time, depending on the needs of the user or application
A Few More Acronyms to Your Vocabulary
• OWL-S: Ontology Web Language for Services
• SOA: Service Oriented Architecture
• SOAP: Service Oriented Architecture Protocol
• SAML: Security Assertion Markup Language
• UDDI: Universal Description, Discovery and Integration
• WSDL: Web Services Description Language
• XACML: eXtensible Access Control Markup Language
Introduction to Web Services
• Components of a SOA application
  – Discovery
  – Messaging
    · SOAP (XML)
  – Portals
  – Roles
    · Requester
    · Intermediary
    · Provider
  – Coordination
    · Orchestration
    · Choreography
Outline
• Introduction to Web Services
• Web Security Dimensions
• Attacks to Web Services
• Web Service Security Functions
WS Security Dimensions
• Secure Messaging
  – SOAP was not designed with security in mind
  – Possible approaches: HTTP over SSL, XML Encryption and XML Signature, WS-Security
• Protecting Resources
  – WS are intended to be accessible only to authorized requesters
  – Protection involves more than just access control (disruption, man-in-the-middle, eavesdropping, impersonation)
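The WS-Security approach to secure messaging, as an added example that is not from the NIST guide or these slides: a minimal UsernameToken exchange built with Python's standard library. It constructs the PasswordDigest form defined by the WSS UsernameToken Profile 1.0 (digest = Base64(SHA-1(nonce + created + password))) and, on the provider side, performs the checks that make the digest meaningful: a freshness window on wsu:Created, single use of each nonce (replay), and a constant-time comparison. The namespace URIs are the real WSS 1.0 ones; the user, password, body and clock values are constructed for the demo.

```python
"""Added example (not from the NIST guide or the slides): a minimal
WS-Security UsernameToken exchange using only the standard library."""
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-"
WSSE = WSS + "wssecurity-secext-1.0.xsd"
WSU = WSS + "wssecurity-utility-1.0.xsd"
PW_DIGEST = WSS + "username-token-profile-1.0#PasswordDigest"
B64 = WSS + "soap-message-security-1.0#Base64Binary"
NS = {"soap": SOAP, "wsse": WSSE, "wsu": WSU}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """PasswordDigest as defined by the UsernameToken Profile 1.0."""
    data = nonce + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(data).digest()).decode()


def build_request(user, password, body_xml, now=None, nonce=None):
    """Requester side: SOAP envelope carrying a wsse:Security header."""
    now = now or datetime.now(timezone.utc)
    nonce = nonce or os.urandom(16)          # fresh per message
    created = now.strftime(TS_FMT)
    env = ET.Element(f"{{{SOAP}}}Envelope")
    sec = ET.SubElement(ET.SubElement(env, f"{{{SOAP}}}Header"),
                        f"{{{WSSE}}}Security")
    sec.set(f"{{{SOAP}}}mustUnderstand", "1")
    tok = ET.SubElement(sec, f"{{{WSSE}}}UsernameToken")
    ET.SubElement(tok, f"{{{WSSE}}}Username").text = user
    pw = ET.SubElement(tok, f"{{{WSSE}}}Password", Type=PW_DIGEST)
    pw.text = password_digest(nonce, created, password)
    n = ET.SubElement(tok, f"{{{WSSE}}}Nonce", EncodingType=B64)
    n.text = base64.b64encode(nonce).decode()
    ET.SubElement(tok, f"{{{WSU}}}Created").text = created
    ET.SubElement(env, f"{{{SOAP}}}Body").append(ET.fromstring(body_xml))
    return ET.tostring(env, encoding="unicode")


class UsernameTokenVerifier:
    """Provider side: a demo password store plus the nonce cache that
    turns the digest into a one-time credential inside the window."""

    def __init__(self, passwords, window=timedelta(minutes=5)):
        self.passwords = passwords      # user -> password (constructed store)
        self.window = window
        self.seen = {}                  # nonce -> created, for replay checks

    def verify(self, envelope_xml, now=None):
        now = now or datetime.now(timezone.utc)
        env = ET.fromstring(envelope_xml)
        tok = env.find("soap:Header/wsse:Security/wsse:UsernameToken", NS)
        if tok is None:
            raise ValueError("no UsernameToken in header")
        user = tok.findtext("wsse:Username", namespaces=NS)
        pw = tok.find("wsse:Password", NS)
        nonce_b64 = tok.findtext("wsse:Nonce", namespaces=NS)
        created = tok.findtext("wsu:Created", namespaces=NS)
        if not (user and nonce_b64 and created) or pw is None:
            raise ValueError("incomplete UsernameToken")
        if pw.get("Type") != PW_DIGEST:
            raise ValueError("only PasswordDigest is accepted")
        created_dt = datetime.strptime(created, TS_FMT).replace(tzinfo=timezone.utc)
        if abs(now - created_dt) > self.window:
            raise ValueError("Created outside the freshness window")
        # forget nonces the freshness check would reject anyway
        cutoff = now - self.window
        self.seen = {k: v for k, v in self.seen.items() if v >= cutoff}
        nonce = base64.b64decode(nonce_b64)
        if nonce in self.seen:
            raise ValueError("replayed nonce")
        expected = password_digest(nonce, created, self.passwords.get(user, ""))
        if user not in self.passwords or not hmac.compare_digest(expected, pw.text or ""):
            raise ValueError("bad credentials")
        self.seen[nonce] = created_dt
        return user


if __name__ == "__main__":
    clock = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    req = build_request("alice", "s3cret", "<p:Ping xmlns:p='urn:demo'/>", now=clock)
    svc = UsernameTokenVerifier({"alice": "s3cret"})
    print("first use:", svc.verify(req, now=clock))
    try:
        svc.verify(req, now=clock)
    except ValueError as e:
        print("replay rejected:", e)
```

The digest only authenticates the token, not the body, and the provider must hold the cleartext password to recompute it; that is why the slides list XML Signature and WS-Security message protection alongside it, and why the token is normally carried over HTTPS.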
WS Security Dimensions
• Negotiation of Contracts
  – WS should automatically negotiate and agree upon contracts (ebXML, WSDL)
  – No standards support enforcement of implicit contracts (WSDL)
  – QoP: only some support for negotiating security requirements
• Trust Relationships
  – Currently limited to trust of the service identity
  – Architecture models:
    · Pairwise trust: each WS is provided the security information of all other WSs
    · Brokered trust: uses a TTP; WSs should be designed with this in mind
    · Federated trust: WSs from different organizations can interact
    · Perimeter defense: XML gateways placed between providers and requesters
• Some Pitfalls
  – XML Encryption / XML Signature: no standard for informing recipients how they were applied to a message

Web Services Security Standards
Attacks to Web Services
• Reconnaissance Attacks
• Code Templates
• Forceful Browsing Attack
• Directory Traversal Attack
• WSDL Scanning
• Registry Disclosure Attack
• Privilege Escalation Attack
• Dictionary Attack
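The slide only names the attack classes; what a defender wants next is a way to spot them in the traffic the service already logs. The following is an added example, not part of the slides or the NIST guide: a detector for four of the listed patterns (WSDL scanning, directory traversal, forceful browsing, dictionary attacks) run over constructed web-server access-log lines in Common Log Format. The thresholds, hosts and paths are assumptions chosen for the demo.

```python
"""Added example (not from the slides): detect the reconnaissance and
brute-force patterns the slides name, from constructed access-log lines."""
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Common Log Format: client ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample: one benign client (10.0.0.5) and one client (10.0.0.9)
# that fetches every endpoint's WSDL, walks up the path, guesses folder
# names and hammers one account's password.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:12:00:01 +0000] "POST /ws/Orders HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:12:00:02 +0000] "GET /ws/Orders?wsdl HTTP/1.1" 200 2048
10.0.0.9 - - [01/Jan/2024:12:00:10 +0000] "GET /ws/Orders?wsdl HTTP/1.1" 200 2048
10.0.0.9 - - [01/Jan/2024:12:00:11 +0000] "GET /ws/Billing?WSDL HTTP/1.1" 200 1900
10.0.0.9 - - [01/Jan/2024:12:00:12 +0000] "GET /ws/Admin?wsdl HTTP/1.1" 403 0
10.0.0.9 - - [01/Jan/2024:12:00:13 +0000] "GET /ws/Internal?wsdl HTTP/1.1" 404 0
10.0.0.9 - - [01/Jan/2024:12:00:14 +0000] "GET /ws/..%2F..%2Fconf/app.xml HTTP/1.1" 404 0
10.0.0.9 - - [01/Jan/2024:12:00:15 +0000] "GET /ws/backup/ HTTP/1.1" 404 0
10.0.0.9 - - [01/Jan/2024:12:00:16 +0000] "GET /ws/old/ HTTP/1.1" 404 0
10.0.0.9 - - [01/Jan/2024:12:00:17 +0000] "GET /ws/test/ HTTP/1.1" 403 0
10.0.0.9 - bob [01/Jan/2024:12:00:20 +0000] "POST /ws/Orders HTTP/1.1" 401 0
10.0.0.9 - bob [01/Jan/2024:12:00:21 +0000] "POST /ws/Orders HTTP/1.1" 401 0
10.0.0.9 - bob [01/Jan/2024:12:00:22 +0000] "POST /ws/Orders HTTP/1.1" 401 0
10.0.0.9 - bob [01/Jan/2024:12:00:23 +0000] "POST /ws/Orders HTTP/1.1" 401 0
10.0.0.9 - bob [01/Jan/2024:12:00:24 +0000] "POST /ws/Orders HTTP/1.1" 401 0
"""


def normalize_path(path: str) -> str:
    """Percent-decode twice (catches double encoding) and unify slashes."""
    return unquote(unquote(path)).replace("\\", "/")


def analyze(lines, wsdl_services=3, error_burst=5, auth_failures=5):
    """Return (kind, client, detail) findings for the patterns above.
    The thresholds are demo assumptions; tune them to the real service."""
    findings = []
    wsdl_targets = defaultdict(set)   # client -> services whose WSDL was fetched
    errors = Counter()                # client -> 403/404 responses
    auth_fail = Counter()             # (client, user) -> 401 responses
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        path = normalize_path(rec["path"])
        if "../" in path:
            findings.append(("directory traversal", rec["ip"], rec["path"]))
        base, _, query = path.partition("?")
        if query.lower() == "wsdl":
            wsdl_targets[rec["ip"]].add(base)
        if rec["status"] in ("403", "404"):
            errors[rec["ip"]] += 1
        if rec["status"] == "401" and rec["user"] != "-":
            auth_fail[(rec["ip"], rec["user"])] += 1
    for ip, services in wsdl_targets.items():
        if len(services) >= wsdl_services:
            findings.append(("WSDL scanning", ip, f"{len(services)} services"))
    for ip, n in errors.items():
        if n >= error_burst:
            findings.append(("forceful browsing", ip, f"{n} 403/404 responses"))
    for (ip, user), n in auth_fail.items():
        if n >= auth_failures:
            findings.append(("dictionary attack", ip, f"{n} failed logins as {user}"))
    return findings


if __name__ == "__main__":
    for kind, client, detail in analyze(SAMPLE_LOG.splitlines()):
        print(f"{kind:20} {client:10} {detail}")
```

A single WSDL fetch is normal client behaviour (the benign client does it too); the signal is one source enumerating many services, which is why the rule counts distinct endpoints per client rather than requests.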
Outline
• Introduction to Web Services
• Web Security Dimensions
• Attacks to Web Services
• Web Service Security Functions
• Challenge and Open Problems
Web Service Security Functions
• Service-to-Service Authentication
• Identity Management
• Establishing Trust between Services
• Describing Web Services Policies (WS-Policy)
• Distributed Authorization and Access Management
• Confidentiality and Integrity of Service-to-Service Interchanges
Identity Management
• An Identity Management System (IDMS) is responsible for
  – Verifying the identities of entities
  – Registering them
  – Issuing them digital identifiers
• Three major identity architectures for WS
  – Isolated identity management: credential and identity providers are merged; the service must know all requesters (scalability issue)
  – Federated identity management: a group of providers agrees to recognize user identities from one another
Establishing Trust between Services
• Trust relationships need to be established between remote WSs for SAML or WS-Security to be useful on a large scale
• Trust models like Kerberos have worked well within a single organization
• Pairwise trust circle
  – Each entity that is authorized to communicate with another must share its key information (unscalable)
• Brokered trust model
  – A TTP is used to exchange key information between the services that communicate
• Community trust model
  – Relies on an external PKI for establishing trust
• Practical approaches for federation of trust
  – Liberty Alliance: provides both Web application and WS federation, using SAML to perform trust brokering; suitable for businesses and governments
  – WS-Federation
Describing Web Services Policies (WS-Policy)
• Extension to WSDL that allows expressing the capabilities, requirements and characteristics of a WS
• WSDL is limited to describing what is included in the message itself
• WS-Policy requirement types
  – On the wire (WS-Security encryption, signature)
  – Abstract (QoS, privacy)
• A WS-Policy expression contains a set of policy alternatives, each encompassing a set of assertions
• Policy expressions are external to the metadata stored in UDDI and WSDL, so a distribution mechanism is needed: WS-MetadataExchange or WS-PolicyAttachment
• Specifications defining WS-Policy assertions
  – WS-SecurityPolicy defines assertions to specify integrity, confidentiality, and information about security tokens
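The "alternatives encompassing sets of assertions" structure is easiest to see by normalizing a policy. The following is an added example, not from the slides or the WS-Policy specification: a small normalizer in Python's standard library that expands a policy expression into its alternatives (wsp:All combines, wsp:ExactlyOne chooses, wsp:Optional="true" doubles) and then flags the alternatives a reviewer would question, those with no WS-SecurityPolicy binding or with a binding whose nested policy does not require sp:IncludeTimestamp. The namespace URIs are the real WS-Policy 1.5 and WS-SecurityPolicy 1.2 ones; the policy document itself is constructed for the demo.

```python
"""Added example (not from the slides): normalize a WS-Policy expression
into its alternatives and flag the weak ones."""
import xml.etree.ElementTree as ET

WSP = "http://www.w3.org/ns/ws-policy"
SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
NS = {"wsp": WSP, "sp": SP}
BINDINGS = {"TransportBinding", "SymmetricBinding", "AsymmetricBinding"}

# Constructed policy with three top-level alternatives: HTTPS plus a
# username token; message-level security that forgot the timestamp
# (with an optional WSS 1.0 assertion); and, by mistake, a bare token.
POLICY_XML = f"""<wsp:Policy xmlns:wsp="{WSP}" xmlns:sp="{SP}">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:TransportBinding>
        <wsp:Policy>
          <sp:TransportToken><wsp:Policy><sp:HttpsToken/></wsp:Policy></sp:TransportToken>
          <sp:IncludeTimestamp/>
        </wsp:Policy>
      </sp:TransportBinding>
      <sp:SupportingTokens><wsp:Policy><sp:UsernameToken/></wsp:Policy></sp:SupportingTokens>
    </wsp:All>
    <wsp:All>
      <sp:AsymmetricBinding><wsp:Policy/></sp:AsymmetricBinding>
      <sp:Wss10 wsp:Optional="true"/>
    </wsp:All>
    <sp:SupportingTokens><wsp:Policy><sp:UsernameToken/></wsp:Policy></sp:SupportingTokens>
  </wsp:ExactlyOne>
</wsp:Policy>"""


def load_policy(xml_text=POLICY_XML):
    return ET.fromstring(xml_text)


def local(tag):
    """Strip the namespace from an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]


def alternatives(el):
    """Policy alternatives of `el` as lists of assertion elements,
    following the WS-Policy normalization rules."""
    if el.tag in (f"{{{WSP}}}Policy", f"{{{WSP}}}All"):
        combos = [[]]          # All: cross product of the children's alternatives
        for child in el:
            combos = [a + b for a in combos for b in alternatives(child)]
        return combos
    if el.tag == f"{{{WSP}}}ExactlyOne":
        return [alt for child in el for alt in alternatives(child)]
    # an assertion; Optional="true" means it may be present or absent
    if el.get(f"{{{WSP}}}Optional") == "true":
        return [[el], []]
    return [[el]]


def normal_form(policy_el):
    """Alternatives as lists of assertion names, for display."""
    return [[local(a.tag) for a in alt] for alt in alternatives(policy_el)]


def weak_alternatives(policy_el):
    """(index, reason) for alternatives without a binding, or with a
    binding whose nested policy does not require a timestamp."""
    flagged = []
    for i, alt in enumerate(alternatives(policy_el)):
        bindings = [a for a in alt if local(a.tag) in BINDINGS]
        if not bindings:
            flagged.append((i, "no security binding"))
        for b in bindings:
            if b.find("wsp:Policy/sp:IncludeTimestamp", NS) is None:
                flagged.append((i, f"{local(b.tag)} without IncludeTimestamp"))
    return flagged


if __name__ == "__main__":
    policy = load_policy()
    for i, alt in enumerate(normal_form(policy)):
        print(i, alt)
    for i, reason in weak_alternatives(policy):
        print("alternative", i, "flagged:", reason)
```

Because a requester may pick any alternative, a policy is only as strong as its weakest one; the optional assertion in the second branch silently creates a fourth alternative, which is the kind of thing normalization makes visible.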
Availability of WS
• Availability is intended to ensure that QoS and reliability are maintained even under intentional attempts to compromise WS operation (DoS)
  – Recognize and react to DoS patterns
  – Constrain and isolate the DoS attack
  – Recover and resume secure operation after DoS
• Necessary to include redundancy, error handling capabilities and defensive techniques
• Most common accidental threats
  – Service recursion
  – Service deadlock
• Failover
  – UDDI supports listing multiple URIs for each WS
  – This makes the UDDI registry the point of failure
  – UDDI supports replication
• QoS
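One concrete form of "recognize and react" and "constrain and isolate" at the XML layer, as an added example that is not from the slides or the NIST guide: a pre-parse guard for a SOAP endpoint, written with the standard library's expat parser, that rejects a message before any business logic runs if it is too large, nests too deeply, carries too many elements, or declares a DTD (the vehicle for entity-expansion blow-ups). The limits and the sample messages are assumptions chosen for the demo.

```python
"""Added example (not from the slides): reject resource-exhausting SOAP
messages at the XML layer before they reach the service logic."""
import xml.parsers.expat


class MessageRejected(ValueError):
    """Raised with a short reason when a message breaks a limit."""


def check_soap_limits(data: bytes, max_bytes=64 * 1024, max_depth=32,
                      max_elements=5000):
    """Stream-parse `data` and return (deepest_nesting, element_count) if
    it stays within every limit; raise MessageRejected otherwise."""
    if len(data) > max_bytes:
        raise MessageRejected(f"message of {len(data)} bytes exceeds {max_bytes}")
    state = {"depth": 0, "deepest": 0, "elements": 0}

    def start(name, attrs):
        state["depth"] += 1
        state["elements"] += 1
        state["deepest"] = max(state["deepest"], state["depth"])
        if state["depth"] > max_depth:
            raise MessageRejected(f"nesting deeper than {max_depth} at <{name}>")
        if state["elements"] > max_elements:
            raise MessageRejected(f"more than {max_elements} elements")

    def end(name):
        state["depth"] -= 1

    def doctype(*_):
        # SOAP 1.1 and 1.2 forbid DTDs; a DTD is also where entity bombs live
        raise MessageRejected("DTD not allowed in SOAP messages")

    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.StartDoctypeDeclHandler = doctype
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as e:
        raise MessageRejected(f"malformed XML: {e}") from None
    return state["deepest"], state["elements"]


# Constructed samples: a normal request, a nesting bomb, and an entity bomb.
SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
NORMAL = (f'<s:Envelope xmlns:s="{SOAP_ENV}"><s:Body>'
          '<Order><Item>1</Item><Item>2</Item></Order></s:Body></s:Envelope>').encode()
DEEP = (f'<s:Envelope xmlns:s="{SOAP_ENV}"><s:Body>' + "<a>" * 100 + "x"
        + "</a>" * 100 + "</s:Body></s:Envelope>").encode()
ENTITY = (b'<!DOCTYPE s [<!ENTITY e "eeeeeeee">]>'
          b'<s:Envelope xmlns:s="' + SOAP_ENV.encode()
          + b'"><s:Body>&e;</s:Body></s:Envelope>')


def triage(messages):
    """Return {label: (depth, elements) or rejection reason} per message."""
    out = {}
    for label, msg in messages.items():
        try:
            out[label] = check_soap_limits(msg)
        except MessageRejected as e:
            out[label] = str(e)
    return out


if __name__ == "__main__":
    for label, result in triage({"normal": NORMAL, "deep": DEEP,
                                 "entity": ENTITY}).items():
        print(f"{label:7} -> {result}")
```

The guard is deliberately placed in front of the real parser and of any schema validation: the point is that the cost of rejecting a hostile message must stay bounded, while the cost of fully processing it may not.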
Outline
• Introduction to Web Services
• Web Security Dimensions
• Attacks to Web Services
• Web Service Security Functions
• Challenge and Open Problems
Challenge and Open Problems
• Security remains a major challenge in the presence of dynamic composition and heterogeneity in large, autonomous and untrusted environments
• Service description, automatic service discovery, and QoS
• Make WS simpler? Is it feasible?
• Secure issuance of credentials
• Repudiation of transactions
• Few logging implementations can be used across an entire SOA
• Relationship between contracts and federated identity management
• DoS attacks
  – Protection from DoS attacks that exploit vulnerabilities unique to WS (discovery service)
• Spread of malware
  – Compromised services
• Functional integrity of WS, which requires the establishment of trust between services on a transaction-by-transaction basis