• No results found

A Signing Proxy for Web Services Security. Dr. Ingo Melzer RIC/ED

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "A Signing Proxy for Web Services Security. Dr. Ingo Melzer RIC/ED"

Copied!
24
0
0

Loading.... (view fulltext now)

Download now ( 24 Page )

Full text

(1)
(2)

What is a Web Service?

Web

Infrastructure

(3)

What is a Web Service?

Web Service basic

Web

Infrastructure

Service

(4)

What is a Web Service?

XML

basic Web Service

ASN.1

EDI

ASCII

CDR

JRMP

Content

Web

Infrastructure

Service

(5)

What is a Web Service?

SOAP

basic Web Service

Msg.

XML-RPC

RPC

DCE

RMI

CORBA

Transport

XML

Content

Web

Infrastructure

Service

(6)

What is a Web Service?

WSDL

SCL

NASSL

SDL

IDL

Description

SOAP

basic Web Service Transport

XML

Content

Web

Infrastructure

Service

(7)

What is a Web Service?

UDDI/WSIL

ADS

naming service

DISCO

property service Directory

WSDL

Description

SOAP

basic Web Service Transport

XML

Content

Web

Infrastructure

Service

(8)

What is a Web Service?

Service

Web

XML

WSDL

UDDI/WSIL

Web Service

Directory Description

SOAP

basic Web Service Transport Content Infrastructure

(9)

Properties of Web Services

„ Web Services allow collaboration of different systems „ Integration of existing systems

„ Facade for set of similar systems

„ Web Services offer two styles: RPC and messaging „ Protocol of Web Services: SOAP (XML-based)

„ SOAP mainly used over HTTP(S)

„ Most of the time: Computer to computer communication

(10)

Definition: Web Services

A Web Service is a piece of server-side software that

provides a certain functionality (as a black box) and is

accessible through Internet protocols using XML/SOAP

messages with a described and published interface

(typically by means of WSDL).

Those interface descriptions should be registered in a

(global) registry such as UDDI.

A Web Service is a piece of server-side software that

provides a certain functionality (as a black box) and is

accessible through Internet protocols using XML/SOAP

messages with a described and published interface

(typically by means of WSDL).

Those interface descriptions should be registered in a

(global) registry such as UDDI.

(11)

Common Web Services Scenario

„ Client calls Web Service over the Internet

Internet Transport Protocol (e. g. HTTP)

SOAP

Transport Protocol (e. g. HTTP) SOAP

Trusted Intranet (XML) Digital Signature (XML) Digital Signature

Client Web Service

(12)

Web Services Architecture

„ Web Services Protocol: SOAP (XML based) „ SOAP usually over other protocol

„ SOAP does not deal with security (and does not have to)

SOAP (XML based), ...

Transport Protocol (often HTTP), ...

Ethernet (TCP/IP), ...

(13)

Web Services Architecture + Security

„ Security can be added at each layer

„ No layer completely suitable for securing all services „ XML-layer important for flexibility (intermediaries)

„ XML-Signature, XML-Encryption, WS-Security, SAML

SOAP (XML based), ...

XML-Secu.

Transport Protocol (often HTTP), ...

SSL

IPSec

Ethernet (TCP/IP), ...

(14)

Why SSL (HTTPS) often does not help:

„ SSL is only for point to point connections

„ Only usable for a few protocols (mainly HTTP) „ Only transport of whole document is encrypted „ Header information no longer readable

„ Routing information

„ Intermediaries

„ Calling a set of Web Services?

„ Asynchronous call of Web Services not possible „ Data unprotected upon reaching the server

(15)

Needs and Wishes

„ Security at XML level, e. g. to keep only parts of the message readable „ Transparent for users Æ impossible to forget it

„ Centralized control Æ single point of administration „ Easy integration into existing systems

„ Usable even with external partners Æ no proprietary solutions „ Open Standards like XML-Signature, WS-Security, …

„ Interoperability

„ Framework for exchange and adaptation of security technologies at any

(16)

XML-Signature (Existing Technology)

„ RFC 3275: Digitally sign document and represent in XML „ Result is (still) an XML document

„ XPath to locate and identify parts to be signed „ Multiple signatures can added to one document 1. Choose parts of documents to sign

2. Calculate digest (or hash sum) of each part (after canonization)

3. Build <SignedInfo> element (contains digest, used algorithms, XPath) 4. Calculate digest of SignedInfo and sign it Æ <SignatureValue>

(17)

Signature

„ Security at XML level, e. g. to keep only parts of the message readable ¾ Transparent for users Æ impossible to forget it

¾ Centralized control Æ single point of administration ¾ Easy integration into existing systems

„ Usable even with external partners Æ no proprietary solutions „ Open Standards like XML-Signature, WS-Security, …

„ Interoperability

„ Framework for exchange and adaptation of security technologies at any

(18)

Adding Security Transparently

„ Proxy transparently adds XML-Signature

Transport Protocol (e. g. HTTP) SOAP

Transport Protocol (e. g. HTTP)

Trusted Intranet Internet SOAP

(XML) Digital Signature WS-Client Signing Proxy

(19)

Adding Security Transparently II

„ Proxy authentication for personal XML-Signature

SOAP

Internet SOAP

(XML) Digital Signature

Transport Protocol e. g. HTTP(S) Transport Protocol e. g. HTTP(S) Trusted(?) Intranet

Signing Proxy WS−Client

(20)

Static Set of Partners

„ In a B2B environment, it is possible to keep a list of partners „ Therefore encryption can be done in this way:

1. Determine Partner for outgoing message (e. g. domain of URL) 2. Get public key of partner (database, PKI, …)

3. Encrypt e. g. body of message using the key and XML-Encryption

„ Firewall of receiver can use its private key for decryption

„ Information for a more precise encryption possible with header expansions „ This job could also be done by an intermediary

(21)

Requirements for Bigger Encryption Scenario

„ Public Key of receiver needed for encryption.

Possible Solutions:

„ PKI or public key servers (like for pgp)

„ Expansion for WSDL (where are the public keys)

„ Standard for SOAP header expansion to specify part to be encrypted

„ Further spreading of XML encryption

„ Signature can be ignored, encryption cannot

(22)

Status

„ Two papers accepted:

1. Ingo Melzer, Mario Jeckle:

Using Corporate Firewalls for Web Services Trust,

ICWS-Europe'03, Erfurt, Germany, September 23 to 25, 2003, to appear

2. Ingo Melzer, Mario Jeckle:

A Signing Proxy for Web Services Security,

Berliner XML-Tage 2003, Berlin, Germany, October 13 to 15, 2003, to appear

„ Ongoing Master Theses with University of Ulm (Prof. Dr. Schweiggert) and

the University of Applied Sciences Furtwangen (Prof. Jeckle)

„ Demonstrator for proof of concept

(23)

Summary I

„ SOAP does not deal with security (and does not have to) „ No secure Web Services available yet

„ HTTP is no longer static (or dumb?) Æ Firewalls have to be able to process

SOAP, but

„ Today’s firewall software for Web Services not sufficient „ Other XML-based standards suitable for this job:

XML-Signature, XML-Encryption, SAML, WS-Security, …

„ Idea: Signing Proxy to transparently add signatures

(24)

Summary II (Signing Proxy)

„ Signing Proxy offers single point of administration „ WS developers have to deal much less with security „ Can be part of security infrastructure

„ Offer a service (just like a PKI)

„ Signing Proxy fits perfectly into Service Oriented Architecture „ Encryption easily added in B2B environment

References

Download now ( PDF - 24 Page - 277.46 KB )

Related documents

Crane Beam Design

Step2: Calculate the Horizontal Loads • Transverse Surge load is taken as 10% of the combined. weight of the crab and the

Before the Federal Communications Commission Washington, D.C ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ORDER

complying with the following conditions: (a) provide its Lifeline customers with 911 and enhanced 911 (E911) access regardless of activation status and availability of

Causes of maternal death and impact of treatment:

Late maternal death is defined as a maternal death due to pregnancy (direct or indirect obstetric causes) which occurred more than 42 days but less than one year after the end

Antioxidant activity changes during hot-air drying of Moringa oleifera leaves

ferric reducing antioxidant power (FRAP), DPPH free radical scavenging activity and ABTS radical cation decolourisation, together with the determination of total

Cardiovascular Disease Risk Factors Related to Shift Work among Korean Workers Aged from 30 to 49 Years

Health risk behaviors are associated with demographic and job characteristics such as gender, age group, job, or work type (21,22]. Therefore, we need to consider the

Reputation Management: Experiments on the Robustness of ROCQ

The ROCQ model combines four parameters: Reputation (R) or a peer’s global trust rating, Opinion (O) formed by a peer’s first-hand interactions, Credibility (C) of a reporting peer

A new approach for multi-agent coalition formation and management in the scope of electricity markets

As market players are complex entities, having their very own characteristics and objectives, making their decisions and inter- acting with other players, MASCEM was developed as

Are Neighbors Obligated To Keep Their Dog Quiet

Our apartment in that are neighbors obligated to keep their quiet on our products are bothered by loud, just moved into turning the balcony.. Longer as much is obligated to keep