Web Service Security (Part – I) By: Jahanzeb Q Hashmi
Page 1: Web Service Security

1

Web Service Security (Part – I)

By: Jahanzeb Q Hashmi

Page 2: Web Service Security


Index

• Introduction
• Important Concepts
• Common Scenarios
  • Public Web Service
  • Intranet Web Service
  • Internet Business to Business
  • Multiple Internet Web Services

Page 3: Web Service Security


Introduction

To design, develop, and deploy secure Web services, architects and developers must learn new technologies and consider new threats associated with exposing functionality on potentially unsecured networks.

The key design decisions covered are:

• Choosing between message layer security and transport layer security.
• Choosing a client authentication technology, from basic direct authentication to more sophisticated brokered solutions such as X.509 certificates, the Kerberos version 5 protocol, and solutions involving a Security Token Service (STS).
• Protecting the confidentiality of messages.
• Detecting tampered messages.
• Preventing the processing of replayed messages.
• Accessing remote resources and flowing identities across tiers.
• Preventing exceptions from revealing sensitive implementation details.
• Protecting Web services from malformed or malicious messages.

Page 4: Web Service Security


Important Concepts

There are some important concepts you should understand before reviewing the different scenarios. These include:

Brokered authentication. This is a type of authentication where a trusted authority is used to broker authentication services between a client and a service. A broker is useful when the client and the service have no direct trust relationship: the client authenticates to the broker and receives a security token that the service can verify, so the service never has to hold or check the client's credentials itself.

Client. The client accesses the Web service. The client provides credentials for authentication during the request to the Web service.

Credentials. A set of claims used to prove the identity of a client. They contain an identifier for the client and a proof of the client’s identity, such as a password. They may also include information, such as a signature, to indicate that the issuer certifies the claims in the credential.

Direct authentication. A type of authentication where the service validates credentials directly with an identity store, such as a database or directory service.

Impersonation. The act of assuming a different identity on a temporary basis so that a different security context or set of credentials can be used to access a resource.

Page 5: Web Service Security


Important Concepts

Message layer security. Represents an approach where all the information that is related to security is encapsulated in the message. In other words, with message layer security, the credentials are passed in the message. Because the protection travels with the message rather than with the connection, it survives intermediaries and can be applied selectively to parts of a message.

Mutual authentication. This is a form of authentication where the client authenticates the server in addition to the server authenticating the client.

Security token. The form in which a set of claims is carried in a message to prove the identity of a client, for example a UsernameToken, an X.509 certificate, a Kerberos ticket, or a SAML assertion. A token contains an identifier for the client and a proof of the client's identity, such as a password or a signature made with the client's key. It may also include a signature to indicate that the issuer certifies the claims in the token, and most tokens carry additional information that is specific to the authentication broker that issued them.

Service. A Web service that requires authentication.

Transport layer security. Represents an approach where security protection is enforced by lower level network communication protocols, such as SSL/TLS (HTTPS) or IPsec. The protection is point-to-point: it covers the connection between two hops, and any intermediary that terminates the connection sees the message in the clear.

Trusted subsystem. This is a process where a trusted business identity is used to access a resource on behalf of the client. The identity could belong to a service account or it could be the identity of an application account created specifically for access to remote resources.

Page 6: Web Service Security


Common Scenarios

The following four scenarios provide examples of common Web service interactions:

Public Web service. This scenario describes the decision criteria used to choose transport layer confidentiality with HTTPS and UsernameToken support in WSE 3.0 for authentication.

Intranet Web service. This scenario describes the decision criteria used to choose message layer security with the Kerberos protocol for an internal banking solution. It also provides a high-level description of the Kerberos design.

Internet business-to-business. This scenario describes a business-to-business solution that uses message layer security with the Kerberos protocol within the organization and X.509 certificates between businesses.

Multiple Internet Web services. This scenario describes the decision criteria used to choose a Security Token Service (STS) for a travel agency application that is accessible from the Internet. This section also describes how both direct authentication and brokered authentication are used to implement the solution.

Page 7: Web Service Security


Public Web Service Scenario

A large clothing distributor uses Web services to provide catalog information to merchants that provide online shopping services. The merchants access the Web service from their Web applications to display current items available from the distributor.

Distributor Web Service Profile

A distributor Web service has the following requirements:

• The merchant Web application requires direct access to the distributor's Web service.
• Merchants accessing the Web service must be authenticated.
• Data passed between the merchant and distributor contains some information, such as merchant account information, that must be protected.

Page 8: Web Service Security


Public Web Service Finding Solution

Page 9: Web Service Security


Public Web Service Solution

The distributor Web service security solution is implemented in the following way:

The distributor Web service uses a server certificate to establish secure communications with the merchant Web application using HTTPS. The merchant must validate that certificate (chain and host name); a UsernameToken sent over an unverified channel can be captured by anyone in the path.

The merchant Web application passes a UsernameToken to the distributor Web service for authentication.

The UsernameToken information is used to authenticate the merchant Web application.

The distributor Web service uses a trusted subsystem to access catalog data.
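A worked model of the merchant-to-distributor step above, added here as an example (it is not code from the slides or from WSE 3.0): the merchant builds a WS-Security UsernameToken with a PasswordDigest, and the distributor validates it, rejecting stale and replayed tokens before recomputing the digest. The merchant names, passwords, timestamps and the five-minute freshness window are constructed for the demonstration; a real service would check the username against its identity store.

```python
"""WS-Security UsernameToken (PasswordDigest) with replay detection.

Added example, not from the slides or WSE 3.0. Identity store, timestamps and
the freshness window are constructed for the demonstration.
"""
import base64
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

# Constructed identity store on the distributor side. A real service consults a
# directory or database (direct authentication). PasswordDigest can only be
# recomputed from the password itself, so the service must be able to recover
# it; a store of salted password hashes cannot validate this token type.
MERCHANT_PASSWORDS = {"merchant-042": "c0rrect-horse-battery"}

FRESHNESS = timedelta(minutes=5)  # maximum acceptable age of a Created timestamp
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """UsernameToken Profile 1.1: Password_Digest = Base64(SHA-1(nonce + created + password))."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def build_username_token(username: str, password: str, now: datetime) -> dict:
    """Merchant side: the UsernameToken placed in the WS-Security header."""
    nonce = secrets.token_bytes(16)
    created = now.strftime(TS_FORMAT)
    return {
        "Username": username,
        "Nonce": base64.b64encode(nonce).decode("ascii"),
        "Created": created,
        "Password": password_digest(nonce, created, password),
        "Type": "PasswordDigest",
    }


class UsernameTokenValidator:
    """Distributor side: checks freshness, replay and the digest, in that order."""

    def __init__(self, password_store: dict, freshness: timedelta = FRESHNESS):
        self._store = password_store
        self._freshness = freshness
        self._seen = {}  # nonce -> Created time; entries older than the window are pruned

    def validate(self, token: dict, now: datetime) -> tuple:
        try:
            created = datetime.strptime(token["Created"], TS_FORMAT).replace(tzinfo=timezone.utc)
            nonce = base64.b64decode(token["Nonce"], validate=True)
        except (KeyError, ValueError):
            return False, "malformed token"
        # 1. Freshness: a Created value outside the window is rejected even if the digest is right.
        if abs(now - created) > self._freshness:
            return False, "stale timestamp"
        # 2. Replay: the same nonce may not be accepted twice inside the window.
        self._prune(now)
        if token["Nonce"] in self._seen:
            return False, "replayed nonce"
        # 3. Digest: recompute with the stored password and compare in constant time.
        password = self._store.get(token.get("Username"))
        if password is None:
            return False, "unknown user"
        expected = password_digest(nonce, token["Created"], password)
        if not hmac.compare_digest(expected, token.get("Password", "")):
            return False, "bad digest"
        self._seen[token["Nonce"]] = created
        return True, "ok"

    def _prune(self, now: datetime) -> None:
        # Dropping nonces older than the window is safe: step 1 already rejects
        # any token whose Created value is that old.
        cutoff = now - self._freshness
        self._seen = {n: c for n, c in self._seen.items() if c >= cutoff}


def run_scenario() -> list:
    """Accept, replay, wrong password, delayed token, unknown merchant; returns the verdicts."""
    now = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)  # constructed clock
    validator = UsernameTokenValidator(MERCHANT_PASSWORDS)
    good = build_username_token("merchant-042", "c0rrect-horse-battery", now)
    return [
        validator.validate(good, now)[1],                                   # fresh, first use
        validator.validate(good, now + timedelta(seconds=30))[1],           # same token again
        validator.validate(build_username_token("merchant-042", "wrong", now), now)[1],
        validator.validate(build_username_token("merchant-042", "c0rrect-horse-battery", now),
                           now + timedelta(minutes=6))[1],                  # captured, sent later
        validator.validate(build_username_token("merchant-999", "x", now), now)[1],
    ]


if __name__ == "__main__":
    print(run_scenario())
```

The verdict strings are for the distributor's own log. The SOAP fault returned to the merchant should be uniform, so that "unknown user" and "bad digest" cannot be told apart from outside (the introduction's point about exceptions revealing implementation details). The digest only hides the password from someone who reads the header; it protects nothing else in the message, which is why the scenario still requires HTTPS.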

Page 10: Web Service Security


Intranet Web Service Scenario

The banking application is a Windows client that directly accesses a Web service. The Web service accesses a bank account database for information. The following sections provide an overview of the banking application requirements.

Banking Application Profile

The banking application has the following features:

• The banking application is used in bank branches.
• The user of the application is a customer service representative (CSR).
• The CSR must be authenticated as a valid user to use the banking application.
• Banking regulations require that the account activities that the CSR performs must be audited.

Page 11: Web Service Security


Intranet Web Service Finding Solution

Page 12: Web Service Security


Intranet Web Service Solution

The intranet banking security solution is implemented in the following way:

The user's credentials are used to obtain a security token from the Kerberos Key Distribution Center (KDC) implemented in Active Directory.

The security token is used to sign and encrypt messages sent to the service.

The security token is used to obtain additional information about the user from Active Directory.

Impersonation with delegation is used to access the database, so that the CSR's own identity reaches the database and the audit trail records it. The service account should be permitted to delegate only to the database's service principal (Kerberos constrained delegation), not to any service: a server trusted for unconstrained delegation receives the user's forwardable ticket-granting ticket and can act as that user against any service in the domain.

Page 13: Web Service Security


Internet Business-to-Business Scenario

The figure illustrates an operation where the supply chain application interacts with the procurement Web service through an intranet. The procurement Web service accesses an external ordering Web service over the Internet. The following sections provide an overview of the supply chain application requirements.

Supply Chain Management Application Profile

The supply chain management application has the following features:

• The manufacturing company gets parts from a business partner.
• Parts are ordered through an internal line-of-business supply chain management application.
• Factory floor supervisors are the users of the application.
• The application communicates with a procurement Web service that places orders with an ordering Web service hosted by the supplier. This way, only the two Web services have to agree on the external service contract.
• The procurement Web service is one of a few other internal Web services that the supply chain management application uses. Maintaining an SSO user experience is an important requirement.

Page 14: Web Service Security


Internet Business-to-Business Finding Solution

Page 15: Web Service Security


Internet Business-to-Business Solution

The supply chain management security solution is implemented in the following way:

The user's credentials are used to obtain a security token from the Kerberos KDC implemented in Active Directory.

The security token is used to sign and encrypt messages sent to the service.

The supplier's security solution is implemented in the following way:

X.509 certificates are issued and imported into appropriate certificate stores.

X.509 certificates are used to provide mutual authentication, data confidentiality, and data origin authentication for interactions between the procurement Web service and the ordering Web service.

A perimeter service router is used to accept requests from the supply chain application and send them to the ordering Web service.
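The following added example (not from the slides or from WSE 3.0) shows why the B2B solution puts data origin authentication inside the message instead of relying on HTTPS alone, and illustrates the message layer versus transport layer distinction from the Important Concepts section. The perimeter service router terminates the procurement service's connection, so transport protection ends there; a signature carried in the message is checked by the ordering service end to end. The key, the router names and the order are constructed, and an HMAC-SHA256 over the body stands in for the X.509 signature the scenario uses, because the Python standard library has no RSA.

```python
"""Message layer integrity across a perimeter router.

Added example, not from the slides or WSE 3.0. The pre-shared HMAC key is an
assumption standing in for the X.509 certificates of the scenario.
"""
import hashlib
import hmac
import json

# Assumption: both Web services hold this key (the scenario uses certificates).
PROCUREMENT_ORDERING_KEY = b"constructed-b2b-demo-key"


def canonical(body: dict) -> bytes:
    """Deterministic bytes for the Body so signer and verifier hash the same thing
    (WS-Security achieves this with XML canonicalisation)."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_message(body: dict, key: bytes) -> dict:
    """Procurement Web service: put a signature over the Body into the header."""
    signature = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {"Header": {"From": "procurement", "Signature": signature}, "Body": dict(body)}


def perimeter_router(message: dict) -> dict:
    """Perimeter service router. The sender's HTTPS session ends here, so the
    router sees the message in clear. It may add routing headers (those are
    outside the signature) but cannot re-sign the Body without the key."""
    forwarded = {"Header": dict(message["Header"]), "Body": dict(message["Body"])}
    forwarded["Header"]["Via"] = "perimeter-router"
    return forwarded


def compromised_router(message: dict) -> dict:
    """The same hop, but it rewrites the order in transit."""
    forwarded = perimeter_router(message)
    forwarded["Body"]["quantity"] *= 10
    return forwarded


def verify_message(message: dict, key: bytes) -> bool:
    """Ordering Web service: data origin authentication and integrity, checked
    end to end regardless of how many hops the message crossed."""
    expected = hmac.new(key, canonical(message["Body"]), hashlib.sha256).hexdigest()
    presented = message.get("Header", {}).get("Signature", "")
    return hmac.compare_digest(expected, presented)


ORDER = {"po": "PO-2024-0001", "part": "bearing-6203", "quantity": 40}  # constructed order


def run_scenario() -> dict:
    """Honest hop, tampering hop, and a message with no signature at all."""
    signed = sign_message(ORDER, PROCUREMENT_ORDERING_KEY)
    return {
        "honest_hop_accepted": verify_message(perimeter_router(signed), PROCUREMENT_ORDERING_KEY),
        "tampered_hop_accepted": verify_message(compromised_router(signed), PROCUREMENT_ORDERING_KEY),
        "unsigned_accepted": verify_message({"Header": {}, "Body": dict(ORDER)}, PROCUREMENT_ORDERING_KEY),
    }


if __name__ == "__main__":
    print(run_scenario())
```

The signature covers only the Body, so the router can add its Via header without invalidating it; WS-Security likewise signs chosen elements, and a Timestamp should be among them so that a captured order cannot be resubmitted later. The example shows integrity and origin only: the router can still read the order, which is what message layer encryption, the confidentiality requirement in the slide above, adds on top.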

Page 16: Web Service Security


Multiple Internet Web Services Scenario

The travel booking Web application is accessible from the Internet. However, only the Web application can access the Web services that the application calls. Each Web service has an independent data store.

Travel Booking Application Profile

The travel booking application has the following features:

• Travel agents in a travel franchise help customers book tour packages.
• Two Web services are used: a travel packages Web service, and an online booking Web service.
• The travel packages Web service provides travel product catalog information such as tour dates, itineraries, and prices.
• The online booking Web service allows travel agents to book tour packages on behalf of the customers.
• Identity propagation is needed for the online booking Web service because the database needs to keep a record of each travel agent who makes a travel request. Customers can go to any travel agent in the franchise to book a tour.
• During peak travel seasons, user activity is high. This means that performance must be considered.

Page 17: Web Service Security


Multiple Internet Web Services Finding Solution

Page 18: Web Service Security


Multiple Internet Web Services Solution

The Internet travel booking security solution is implemented in the following way:

The STS uses a server certificate to establish secure communications with the travel booking Web application using HTTPS.

The travel booking Web application passes a UsernameToken to the STS for authentication.

The STS returns a security token for interaction with both the travel packages Web service and the online booking Web service.

Encryption is not required when accessing the travel packages Web service (the catalog data it returns is not confidential). However, the STS security token is used to sign the messages to provide authentication and integrity.

The STS security token is used to sign and encrypt messages sent to the online booking Web service.

A trusted subsystem is used to access the product catalog and customer booking database.

Impersonation is not required for auditing. Instead, the agent's ID is retrieved from the security token and passed to the customer booking database as part of the request. The service must take that ID from the verified token, never from an unsigned field that the caller supplies, or the audit record can be forged.
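The flow above, as an added example that is not part of the slides or of WSE 3.0: the STS authenticates the agent directly and issues a signed token naming both Web services as its audience; the online booking Web service verifies the token, takes the agent ID from its claims, and records it on the booking while using its own service account for the database (the trusted subsystem pattern, with identity propagation for the audit). The agent store, the key, the tokens and the table layout are constructed, an HMAC-signed JSON claim set replaces the WSE 3.0 token, and the encryption the scenario requires for booking messages is not shown.

```python
"""STS-brokered authentication plus trusted-subsystem data access with auditing.

Added example, not from the slides or WSE 3.0. The shared HMAC key, agent store
and token format are assumptions made to keep the example stdlib-only.
"""
import base64
import hashlib
import hmac
import json
import sqlite3
from datetime import datetime, timedelta, timezone

STS_SIGNING_KEY = b"constructed-sts-signing-key"             # trust between STS and services
AGENT_PASSWORDS = {"agent-17": "Tr4vel!2024", "agent-23": "Fj0rds#99"}  # constructed STS store
AUDIENCES = ["travel-packages", "online-booking"]             # one token serves both services


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


class SecurityTokenService:
    """Direct authentication of the agent (UsernameToken over HTTPS in the
    slides), then brokered trust: a signed claim set the services accept."""

    def __init__(self, agent_store: dict, key: bytes, lifetime: timedelta = timedelta(minutes=10)):
        self._store, self._key, self._lifetime = agent_store, key, lifetime

    def issue(self, username: str, password: str, now: datetime):
        stored = self._store.get(username, "")
        if not stored or not hmac.compare_digest(stored.encode(), password.encode()):
            return None
        claims = {"sub": username, "aud": AUDIENCES,
                  "iat": now.timestamp(), "exp": (now + self._lifetime).timestamp()}
        payload = json.dumps(claims, sort_keys=True).encode("utf-8")
        signature = hmac.new(self._key, payload, hashlib.sha256).digest()
        return _b64(payload) + "." + _b64(signature)


class OnlineBookingService:
    """Trusted subsystem: the service's own account owns the database
    connection. No impersonation; the agent identity comes from the verified
    token and is written to an audit column on every booking."""

    def __init__(self, key: bytes, audience: str):
        self._key, self._audience = key, audience
        self._db = sqlite3.connect(":memory:")
        self._db.execute("CREATE TABLE bookings (id INTEGER PRIMARY KEY, package TEXT, "
                         "customer TEXT, booked_by TEXT NOT NULL, booked_at TEXT NOT NULL)")

    def _verify(self, token: str, now: datetime):
        try:
            payload_b64, signature_b64 = token.split(".")
            payload = base64.b64decode(payload_b64, validate=True)
            signature = base64.b64decode(signature_b64, validate=True)
        except ValueError:
            return None
        expected = hmac.new(self._key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return None                      # forged or altered claims
        claims = json.loads(payload)
        if self._audience not in claims.get("aud", []) or now.timestamp() >= claims.get("exp", 0):
            return None                      # issued for another service, or expired
        return claims

    def book(self, token: str, package: str, customer: str, now: datetime):
        claims = self._verify(token, now)
        if claims is None:
            return None
        cur = self._db.execute(
            "INSERT INTO bookings (package, customer, booked_by, booked_at) VALUES (?, ?, ?, ?)",
            (package, customer, claims["sub"], now.isoformat()))  # agent ID only from the token
        self._db.commit()
        return cur.lastrowid

    def audit_trail(self) -> list:
        return self._db.execute(
            "SELECT package, customer, booked_by FROM bookings ORDER BY id").fetchall()


def run_scenario() -> dict:
    """Good login, forged token, expired token, and the resulting audit trail."""
    now = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)  # constructed clock
    sts = SecurityTokenService(AGENT_PASSWORDS, STS_SIGNING_KEY)
    booking = OnlineBookingService(STS_SIGNING_KEY, "online-booking")
    token17 = sts.issue("agent-17", "Tr4vel!2024", now)
    token23 = sts.issue("agent-23", "Fj0rds#99", now)
    # Splice agent-23's claims onto agent-17's signature: booking as someone else.
    forged = token23.split(".")[0] + "." + token17.split(".")[1]
    return {
        "bad_password": sts.issue("agent-17", "wrong", now),
        "first_booking": booking.book(token17, "alps-7d", "cust-0091", now),
        "forged_token": booking.book(forged, "alps-7d", "cust-0091", now),
        "expired_token": booking.book(token17, "fjords-5d", "cust-0042", now + timedelta(minutes=11)),
        "second_booking": booking.book(token23, "fjords-5d", "cust-0042", now + timedelta(minutes=5)),
        "audit": booking.audit_trail(),
    }


if __name__ == "__main__":
    print(run_scenario())
```

Because one token names both services in its audience, a token captured on its way to the travel packages Web service could be presented to the booking service; the audience check stops tokens issued for other services, and the short lifetime bounds how long a captured one stays useful. The booking row never carries a caller-supplied agent ID, so the audit column is only as trustworthy as the signature check in front of it.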

Page 19: Web Service Security


Questions