Secure Systems Research Group - FAU
A Pattern for WS-Security
Presented by Keiko Hashizume

A Pattern for WS-Security

Feb 08, 2016


MICHEAL HOFER

Page 1: A Pattern for WS-Security

Secure Systems Research Group - FAU

A Pattern for WS-Security
Presented by Keiko Hashizume

Page 2: A Pattern for WS-Security

Outline

• Introduction
• A Pattern for WS-Security
• Conclusion

Page 3: A Pattern for WS-Security

Introduction

• Web services standards are confusing, which makes it difficult for vendors to develop products that comply with standards and for users to decide what product to use.
• That is why we need to develop patterns for these standards.
  – Patterns embody the knowledge and experience of software developers about a recurrent problem. A pattern solves a specific problem in a given context and can be tailored to fit different situations.

Page 4: A Pattern for WS-Security

WS-Security Standard

• Originally developed by IBM, Microsoft, VeriSign, and Forum Systems.

• OASIS Specification
• Latest Version: WS-Security 1.1
• Approved in February 2006

Page 5: A Pattern for WS-Security

A Pattern for WS-Security

• The WS-Security Standard describes enhancements to SOAP messaging through
  – Message Confidentiality
  – Message Integrity
  – Message Authentication
  – Non-repudiation
• Context
  – Users of web services send and receive SOAP messages through the Internet.

Page 6: A Pattern for WS-Security

A Pattern for WS-Security

• Problem
  – Forces:
    • We need to prevent unauthorized users from reading data during transit.
    • We need to protect data in transit from being modified by attackers.
    • We need to verify the producer of the message.
    • We need to prevent message replay.

Page 7: A Pattern for WS-Security

A Pattern for WS-Security

• Solution
  – Use a set of mechanisms to improve security by describing how to add security information in the header part of a message.
  – Elements that can be included in the SOAP security header:
    • Security tokens
    • Encryption
    • Digital signature
    • Timestamps

Page 8: A Pattern for WS-Security

– Structure - Class Diagram

Page 9: A Pattern for WS-Security

– Dynamics

Sequence Diagram for the UC: Encrypt an element using Security Tokens

Page 10: A Pattern for WS-Security

– Dynamics

Sequence Diagram for the UC: Sign an element using Security Tokens

A Pattern for WS-Security

Page 11: A Pattern for WS-Security

A Pattern for WS-Security

• Consequences

This pattern presents the following advantages:
– XML Encryption allows information to be hidden from unauthorized users.
– XML Digital Signature is used to verify whether a message was modified in transit.
– The combination of XML Signature and security tokens verifies that the user is who he claims to be.
– We can prevent message replay using timestamps.

The pattern also has some (possible) liabilities:
– This pattern does not describe fixed security protocols.
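
The following Python is an added example, not part of the original presentation. It shows receiver-side checks on the wsse:Security header elements named in the Solution slide: the wsu:Timestamp must be fresh, must be referenced by the ds:Signature, and the signature value must not have been seen before. The function names, the five-minute clock skew and the constructed sample message are assumptions, and signature verification itself is assumed to be done by the WS-Security stack.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/",
      "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
      "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def parse_utc(text):  # wsu:Created / wsu:Expires are UTC xsd:dateTime values ("...Z")
    return datetime.strptime(text.strip(), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_header(xml_text, now, seen, skew=timedelta(minutes=5)):
    """Return a list of problems (empty = accepted); the signature is assumed already verified."""
    sec = ET.fromstring(xml_text).find("soap:Header/wsse:Security", NS)
    if sec is None:
        return ["no wsse:Security header"]
    ts = sec.find("wsu:Timestamp", NS)
    sig = sec.findtext("ds:Signature/ds:SignatureValue", namespaces=NS)
    if ts is None or sig is None:
        return ["wsu:Timestamp or ds:Signature missing"]
    try:
        created = parse_utc(ts.findtext("wsu:Created", namespaces=NS))
        expires = parse_utc(ts.findtext("wsu:Expires", namespaces=NS))
    except (AttributeError, ValueError):
        return ["malformed wsu:Timestamp"]
    problems = []
    if created > now + skew:
        problems.append("Created is in the future")
    if now >= expires:
        problems.append("message expired")
    # An unsigned timestamp can be rewritten in transit, so require a ds:Reference to it.
    refs = {r.get("URI") for r in sec.findall("ds:Signature/ds:SignedInfo/ds:Reference", NS)}
    ts_id = ts.get("{%s}Id" % NS["wsu"])
    if not ts_id or "#" + ts_id not in refs:
        problems.append("timestamp not covered by signature")
    # Inside the validity window, a cache of seen signature values catches replays.
    if not problems:
        if sig.strip() in seen:
            problems.append("replayed message")
        seen.add(sig.strip())
    return problems

def sample(created, expires, ref="#TS-1"):
    # Constructed message for this example; the signature value is a placeholder.
    return ('<soap:Envelope xmlns:soap="{soap}" xmlns:wsse="{wsse}" xmlns:wsu="{wsu}" xmlns:ds="{ds}">'
            '<soap:Header><wsse:Security><wsu:Timestamp wsu:Id="TS-1"><wsu:Created>{c}</wsu:Created>'
            '<wsu:Expires>{e}</wsu:Expires></wsu:Timestamp><ds:Signature><ds:SignedInfo>'
            '<ds:Reference URI="{r}"/></ds:SignedInfo><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>'
            '</ds:Signature></wsse:Security></soap:Header><soap:Body/></soap:Envelope>'
            ).format(c=created, e=expires, r=ref, **NS)
```

Entries in the replay cache only need to be kept until the message's wsu:Expires time, since an expired message is rejected anyway.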

Page 12: A Pattern for WS-Security

A Pattern for WS-Security

• Known Uses

Several vendors have developed products that support WS-Security.
– Xtradyne’s WS-DBC (Web Service Domain Boundary Controller) http://www.xtradyne.com/products/ws-dbc/WSDBCfeatures.htm
– IONA Artix www.iona.com/info/aboutus/collateral/Artix%20and%20Security.pdf
– Forum Sentry™ http://forumsys.com/products_sentry_specs.htm
– Microsoft Trust Bridge http://www.microsoft.com/presspass/press/2002/Jun02/06-06TrustbridgePR.mspx

Page 13: A Pattern for WS-Security

A Pattern for WS-Security

• Related Patterns
  – WS-Security uses XML Signature and XML Encryption
  – Secure Channel contains a set of security protocols that provide identity authentication and secure, private communication through encryption.
  – Strategy

Page 14: A Pattern for WS-Security

Conclusion

• We need to develop related patterns such as XML Encryption and XML Signature.

• We need to develop patterns for the WS – family such as WS-Policy, WS-Privacy, WS-SecureConversation, WS-Federation, and WS-Authorization.