Web Services Security Issues in a Justice Environment
Prepared by the Global Security Working Group August 2003
The opinions, findings, and conclusions or recommendations expressed in this publication are those of the Global Justice Information Sharing Initiative and do not necessarily reflect the views of the U.S. Department of Justice.
This project was supported by Award No. 2000-LD-BX-0003, awarded by the Office of Justice Programs.
Acknowledgements
The Web Services Security Issues in a Justice Environment was developed through a cooperative effort under the direction of the Global Justice Information Sharing Initiative (Global). Global’s mission—the efficient sharing of data among justice entities— is at the very heart of modern public safety and law enforcement, and the efforts of Global have direct impact on the work of more than 1.2 million justice professionals. Global is the foremost voice for justice information sharing.
Global advises the nation's highest-ranking law enforcement officer, the U.S. Attorney General. Global aids its member organizations and the people they serve through a series of important information sharing initiatives. These include the development of technology standards such as the Justice XML Data Dictionary; creation of reports for recommending policies on data sharing issues, such as the National Criminal Intelligence Sharing Plan; and the facilitation of justice information sharing through the Global Web site.
The Global Security Working Group (GSWG) is an example of the various Global working groups. Its focus is on the trusted and secure information exchange among justice agencies. This document is the product of the GSWG and its membership of justice practitioners and industry professionals who volunteer their time and resources to ensure effective information exchange throughout the law enforcement and public safety communities.
Therefore, a special indebtedness is offered to Alan Harbitter, Ph.D., for being the principal author of this document, as well as a special expression of thanks to the following developers for their commitment and expertise.
Lieutenant John Aerts Alan Harbitter, Ph.D. Project Manager Chief Technology Officer Los Angeles County Sheriff’s PEC Solutions, Inc. Department Fairfax, Virginia Norwalk, California Mr. Jim Jolley Mr. Steve Correll Computer Training Specialist Executive Director SEARCH, The National Consortium National Law Enforcement for Justice Information and Statistics Telecommunication System Sacramento, California Phoenix, Arizona Mr. James Pritchett Mr. Fred Cotton Executive Director Training Services Director Southwest Alabama Integrated SEARCH, The National Consortium Criminal Justice System for Justice Information and Statistics Foley, Alabama Sacramento, California Mr. Bob Slaski Mr. Ken Gill Product Development Vice President Technology Advisor Advanced Technology Systems, Inc. Bureau of Justice Assistance McLean, Virginia Office of Justice Programs U.S. Department of Justice Ms. Monique Schmidt Washington, DC Research Associate Institute for Intergovernmental Research Tallahassee, Florida ii
Table of Contents
Scope ...... 1 What Are Web Services? ...... 1 Standards Overview...... 2 The WS-Security Specification—A Step in the Right Direction...... 2 A Roadmap to Security-Conscious Web Services Implementations ...... 3 The Standard Bodies...... 3 An Editorial View of Web Services Standards Efforts...... 4 Considerations...... 4 Confidentiality...... 5 Integrity...... 5 Availability...... 5 Identification and Authentication ...... 5 Workarounds...... 6 Use of SSL...... 6 Application Level Security...... 6 Operational Restrictions on Data or Environment...... 7 Tightening Up Internet Security Policies and Practices...... 8 General Proprietary Solutions...... 8 Best Practices Case Study...... 9 Conclusion...... 10 Glossary...... 11 Resources...... 14
iii
Web Services Security Issues in a Justice Environment
Scope
This document raises information While HTML 1 is the universal security issues that should be language for computers to present considered by justice and public safety multimedia information to people over managers who are deploying justice the World Wide Web, XML is the new XML-based systems for the exchange of universal language for computers to justice and public safety information. exchange information. A host of new These concerns are not meant to protocols has been introduced to ride on discourage continued development of top of XML and enhance the ability of these standards, but rather to assist two or more computer programs to justice managers, technologists, and cooperate in exchanging information. practitioners in understanding and managing risk. Web services are built around a set of well-accepted Internet protocols. One The first sections provide back- important protocol, SOAP,2 defines ground by presenting a working specific fields in an XML message that definition for Web services and an enable multiple programs (“software overview of standards. This discussion objects”) to communicate over the Web. is followed by a summary of security SOAP messages can be exchanged by concerns and approaches to mitigate software objects through the standard those concerns. Finally, we describe Web communications protocol, HTTP. the security practices employed by the HTTP is the same protocol that Web Southwest Alabama Integrated Criminal- sites use to send HTML pages to Web Justice System (SAICS) to provide an browsers. Software objects are operational example. computer programs packaged into “black boxes.” Other programmers or programs can use a software object’s What are Web Services? services (“methods,” in object-speak) without knowing anything about how the “Web services” is a frequently used object is designed or written. Certainly and commonly misunderstood term. this is a useful feature when you have What do we mean when we use the programs that want to exchange term Web services? It all starts with information but are operating on XML. different computers at far reaches of the Internet.
WSDL standard, also XML-based, is While not all Web services used to describe the types of services applications use SOAP, WSDL, and that an online business (or justice UDDI, for the purposes of our organization) might offer. WSDL works definition, we will say that if you are in conjunction with the UDDI standard going to call it “Web services,” that defines an XML-based registry of XML and computer-to-computer services listed in WSDL format. While communications have to be in the not all Web services applications use mix. SOAP, WSDL, and UDDI, for the
1 http://www.w3.org/MarkUp/ 2 http://www.w3.org/TR/2000/NOTE-SOAP -20000508/
1 Web Services Security Issues in a Justice Environment purposes of this document, XML and Standards Overview computer-to-computer communications will be considered a part of Web Engineering security services into services. Web services is a challenge that requires involvement from a variety of Here is a simple generic example of stakeholders, including both product how these protocols and standards manufacturers and standards bodies. might be used. Consider a fictitious A major step forward came on Web site, www.theweather.com, that April 5, 2002, when Microsoft®, IBM®, provides current weather and forecast and VeriSign released the WS-Security information. If you were writing a Web specification, which provides a services program that needed to know foundation for adding security features about the weather in Washington, DC, in to Web services. In addition to the real time, your software object could WS-Security3 specification, Microsoft look in the www.theweather.com Web and IBM published the first version of site’s UDDI directory for the WSDL that Security in a Web Services World: A describes weather services offered by Proposed Architecture and Roadmap4 the site. Then your software object could (“Roadmap”) that looks to the future and use SOAP to retrieve the information outlines the standards and development you need. This Web site would return work that will have to be performed on the weather information in XML. XML the three- to five-year horizon. labels each field in such a way that a software program can read and The WS-Security Specification—A understand text fields that describe weather characteristics. Step in the Right Direction
How might justice organizations use The WS-Security specification Web services? Many own dozens of describes enhancements to SOAP disparate computer systems and messaging to provide message integrity, automated databases. These databases confidentiality, and single message may contain investigative, court, or authentication. These mechanisms can corrections records. Web services offer be used to accommodate a wide variety a standardized way for a database of security models and encryption system to share this information by technologies. WS-Security also provides posting the information that it can a general-purpose mechanism for provide and responding to programmatic associating “security tokens” with requests for that information. These messages. A security token is generally database systems usually reside on an used to maintain the security intranet or some other closed network. procedures and “state” in a multiparty information interchange. No specific As is the case with many new type of security token is required by WS- technologies, there are some challenges Security. It is designed to be extensible associated with Web services. (e.g., support multiple security token Information security is the main formats). challenge. To date, no one has really produced standards-based, packaged The specification describes how to products that provide comprehensive encode binary security tokens—specifi- security for a Web services application. cally, how to encode digital certificates Basic security services, such as identifying who is asking for information, 3 Specification: Web Services Security (WS-Security), Version 1.0, April 5, 2002, http://www-106.ibm.com/ protecting the integrity of information, developerworks/library/ws-secure/ and guarding against unauthorized 4 Security in a Web Services World: A Proposed Architecture and Roadmap, IBM and Microsoft intrusion is just starting to be addressed Corporation, April 7, 2002, http://www-106.ibm.com/ by standards committees. developerworks/webservices/library/ws-secmap/ 2 Web Services Security Issues in a Justice Environment and security authorization tickets—as The Standard Bodies well as how to include cryptographic key information. It also includes extensibility Several organizations are working mechanisms that can be used to further on Web services security standards, describe the characteristics of the including the W3C5 and OASIS.6 credentials that are included with a message. The specification defines the W3C: W3C was created in October use of XML Signature and XML 1994 to develop common Web protocols Encryption in SOAP headers. As one of that promote its evolution and the building blocks for securing SOAP interoperability. W3C has approximately messages, it is intended to be used in 450 member organizations from all over conjunction with other security the world. Before WS-Security, W3C techniques. developed standards for XML digital signature and encryption to provide A Roadmap to Security-Conscious message confidentiality and integrity. Web Services Implementations These cryptographic capabilities provide fundamental XML security features. The Roadmap document proposes a W3C also developed standards for technical strategy whereby the industry XKMS—the protocols for distributing can produce and implement a and registering public keys in standards-based architecture that is conjunction with the XML Signature and comprehensive, yet flexible enough to XML Encryption. WS-Security builds on meet the Web services security needs the W3C encryption and digital of real businesses. It is a proposed plan signature specifications by tailoring for developing a set of specifications them to SOAP. that address how to provide protection for message exchange and an overall OASIS: Members of the OASIS strategy for security within a Web consortium have formed a technical services environment. It defines a committee to facilitate distributed comprehensive WS-security model that systems management over the Internet. supports, integrates, and unifies several The goal of the new OASIS popular security models, mechanisms, Management Protocol Technical and technologies (including both Committee is to enable businesses to symmetric and public key technologies), manage their own Web services and in a way that enables a variety of oversee their interaction with services systems to securely interoperate in a offered by other companies. The OASIS platform- and language-neutral manner. Management Protocol will be designed It also describes a set of specifications to manage desktops, services, and and scenarios that show how these networks across an enterprise or specifications might be used together. Internet environment. OASIS is reviewing a number of Web services The Roadmap presents a broad set standards and operations for use in the of specifications that covers security Management Protocol, including XML, services, including authentication, SOAP, OMI, and the Web Services authorization, privacy, trust, integrity, Distributed Management Technical confidentiality, secure communications Committee’s CIM. The Management channels, federation, delegation, and Protocol joins several Web services auditing across a wide spectrum of standards currently being developed application and business topologies. within OASIS. Other specifications 7 These specifications provide a include UDDI for discovery, ebXML framework that is extensible and flexible and maximizes existing investments in 5 http://www.w3.org security infrastructure. 6 http://www.oasis-open.org/home/index.php 7 http://www.ebxml.org 3 Web Services Security Issues in a Justice Environment for electronic business commerce, security features and still comply WS-Security for secure Web services, with the standard. The downside of WSIA for interactive Web applications, this flexibility is that two products WSRP for remote portals, and others. In that comply with the standards will particular, VeriSign, IBM, and Microsoft not necessarily be able to submitted WS-Security specifications to interoperate. OASIS in June 2002. At the XML Web Services One Conference in Boston, · The scope of the task. Providing a Massachusetts, OASIS and W3C held full range of security services will an all-day forum to determine where to involve attacking complex problems, pool their resources and integrate such as the standardization of security standards efforts. Despite federated identity. extensive efforts to come to agreement on Web security standards, the two Currently, the accepted standards leading standards bodies can say that at cover fundamental security services least a start on moving toward a within the XML and SOAP. While there common set of standards has been are tools available to implement these made. fundamental security services, there are no products that provide a complete, An Editorial View of Web Services standards-based security solution. This Standards Efforts places the responsibility on justice information system software engineers to develop secure Web services applications. Without a comprehensive set of standards and complying products, engineers will, by necessity, end up Considerations developing solutions that use temporary workarounds and have The World Wide Web was proprietary aspects. developed to provide information sharing on a grand scale. The communications protocols behind the Web are geared to maximize There is rapid and substantial information accessibility and exchange. progress being made in developing Web services share this under- standards that will uniformly specify the lying philosophy. Freewheeling and protocols used to secure Web services. widespread information accessibility are However, the effort is complicated by a the antithesis of rigorous information number of factors, including: security. This is the fundamental reason that it will take considerable time on · The number of parties involved. behalf of industry, practitioners, and While it will take close collaboration standards organizations to engineer by a wide variety of industry and comprehensive information security into standards organizations to define Web services. enduring standards, this process, requiring consensus among many In order to understand, at a high parties, takes more time. level, where the Web services security liabilities are and what mechanisms · The desire to provide flexibility within must be added to mitigate these the standards. This point is liabilities, we can look at the three illustrated by the WS-Security fundamental information security areas: standard. There is great flexibility for confidentiality, integrity, and availability, the product developers to implement as well as identification and
4 Web Services Security Issues in a Justice Environment authentication, which are important services is considered to be an security functions. emerging technology.
Confidentiality In addition to digital signature, there are data integrity issues that arise in Confidentiality services support the applying Web services to implement policies governing access to information complex transactions such as those and are designed to ensure that that perform multiple updates on a information is not exposed to distributed database or set f databases. unauthorized parties. Currently, a Most sophisticated transaction systems, common practice providing such as CICS or Tuxedo, include confidentiality service on the Internet is integrity features to make sure data is the use of the standard end-to-end not corrupted by failed transactions encryption protocol, Secure Socket or other anomalies. There are no Layer or “SSL” (also more accurately comparable standardized mechanisms referred to as Transport Level Security that are widely implemented in Web or “TLS”). A key problem with using services. As a result, data integrity in SSL to provide confidentiality in Web a transactional setting is generally services applications is granularity. SSL implemented through proprietary encrypts the entire session between a means. user and a Web server or, in the case of Web services, between two computers. Availability More sophisticated applications of Web services may call for encrypting select Availability services provide fields of an XML message. For example, confidence that information systems will maybe the XML message includes be on the job when needed. A medical information fields that must be significant threat to the availability of encrypted to comply with HIPAA, but all computer systems is a security other fields, for the purposes of wide- attack called “distributed denial of scale use, must be unencrypted. The service”—one of the most difficult WS-Security standard provides this kind attacks to prevent. of granularity, and there are tool-kits now available that allow developers to While Web services do not introduce encrypt specific XML fields. However, substantial new risks with respect to we consider WS-Security-compliant availability, all of the existing availability applications to be an emerging risks associated with Web sites and technology that requires considerable Internet protocols remain. If Web expertise and complex programming to services are being considered for a implement. production-level justice application, the exposure to the kinds of availability risks Integrity that are present in all Internet-based applications must be considered and Integrity services maintain the mitigated. accuracy of information products to prevent unauthorized parties from Identification and Authentication modifying or compromising the integrity of information. One way to provide Identification and Authentication integrity in the XML message is to (I&A) are the first line of defense in digitally sign selected fields or many information systems. I&A embedded documents. This feature is mechanisms provide a basic security also supported by the WS-Security function: they ensure that those wishing standard, and as with the confidentiality to gain access to information resources features, granular integrity in Web are indeed who they represent
5 Web Services Security Issues in a Justice Environment themselves to be. Traditional means of benefits outweigh the risks. As a result, I&A, such as user ID and password or “workarounds” to security limitations other challenge-response techniques, are surfacing as Web services can be applied to Web services. The pilot implementations become more SSL protocol, frequently used to secure common. Some of these workarounds Web information exchanges, includes are summarized in the following the ability to mutually identify and paragraphs. We believe that by using authenticate two parties. It is also a these techniques, it is possible to candidate for I&A in a Web services deploy a Web services -based justice application. information system with an acceptable level of security risk. In a Web services setting, further complexity is introduced into the I&A process by the concept of “federated identity.” Web services offer the These concerns are not meant to possibility of implementing complex discourage continued development transactions involving not just two of these standards but rather parties, but multiple computers spread to assist justice managers, across an enterprise network. In order technologists, and practitioners in for a secure transaction to take place, understanding and managing risk. each participant in the transaction must be uniquely identified (and subsequently authenticated) to the others. An Use of SSL enterprise-wide, unique identification scheme is referred to as federated The lack of “granularity” in using identity. The incorporation of federated SSL to help provide confidentially for a identity into Web services security is an Web services information exchange was emerging technology. As a result, pointed out in the Considerations current implementation will likely use section of this document. SSL will proprietary mechanisms to conduct I&A encrypt all of the data exchanged across the federation. between two communicating hosts. It will not selectively encrypt specific fields The new protocol to augment I&A or documents within a given session. and authorization capabilities of Web However, in some applications, this services is called SAML or Security limitation is acceptable. Assertion Markup Language. SAML is also based on XML and includes SSL can also perform two-way features that identify how a subject is authentication—allowing both the authenticated, what characteristics that information provider and receiver to subject possesses (i.e., which group identify each other. Using SSL for memberships or roles are associated authentication generally requires that with the subject), and what specific both parties exchange public key resources that the subject is or is not certificates that are part of a common, or allowed to access. SAML is an at least mutually compatible, Public Key emerging standard. Infrastructure (PKI).
Application Level Security Workarounds Web services designers will, in some Despite the immaturity of native cases, augment their application to fill in security for Web services, justice security gaps. For example, consider a information systems designers and system in which a user issues a query owners are finding that Web services’ that is resolved by collecting information
6 Web Services Security Issues in a Justice Environment from multiple disparate databases place restrictions on the type and residing on multiple computer systems. amount of data that can be shared This type of query can be implemented through a technology such as Web using Web services. The query services. In states such as application on the originating user’s California, Web services applications personal computer might prompt the designers must consider how user for an ID and password. The Web privacy laws may impact decisions services software application might then to share data. In some cases, while package up the ID and password into an individual sources of information XML message that is transferred to the may not be sensitive, the appropriate Web services server in accumulation and correlation of fulfilling the query. The database data from multiple sources may application at the destination computer change the level of sensitivity. system knows where to look in the XML The correlated data may carry to extract the ID and password. The a higher sensitivity level than authorization profile of the Web services any one of the individual data transaction then adopts the privileges of sources. Even with restrictions the originating user. Note that this XML on the data shared, data integrity exchange should probably be encrypted will still need to be addressed. with SSL in order to protect privacy of The Web services applications the ID and password. developers must consider these potential confidentiality and integrity The example provided in this ramifications and ensure that the workaround implements I&A. However, proper security precautions are other security services can be im- taken. plemented at the application level as well. The limitation, in contrast, to a · Physically control access to standards-compliant approach is lack of computers through which Web interoperability. Every computer system services can be obtained. that participates in the Web services Controlling physical access is a application must be aware of how each traditional “low-tech” approach to security function has been encoded controlling security risk. Of course, and must run software that is capable of with Web services, additional care implementing the customized function. must be taken to assure that physical constraints on accessibility Operational Restrictions on Data are not compromised by the lack of or Environment electronic constraints. In other words, while it may be difficult for an There are several ways to unauthorized individual to gain compensate for the lack of physical access to a computer that comprehensive security services by participates in a Web services placing operational restrictions on how application, it may be easier to gain Web services are used. electronic access through network connectivity. · Limit the data shared through Web services to non-sensitive data. There · Locate the Web services enterprise is a considerable amount of justice on the “private side” of the firewall information that is freely available to (i.e., on an intranet). In fact, most of the public. Limiting the access of the Web services applications that Web services to this type of data are currently being deployed in a reduces the need to implement justice setting reside on an intranet confidentiality controls. In fact, in or perhaps an extranet (an intranet some jurisdictions state laws may that is extended to additional user
7 Web Services Security Issues in a Justice Environment communities through mechanisms messages and can enforce initial access such as virtual private networks or policies. However, these types of “VPNs”). While limiting access is not firewalls are still an emerging in the spirit of Web services (i.e., to technology. Until the technology provide wide-scale information matures, organizations should consider access), it reduces security risk by workarounds, such as establishing controlling the potential user dedicated computer systems for Web community. Of course, if this type of services applications and protecting workaround is to be relied upon, the these computer systems as they would justice organization must be any other production information confident that their intranet is system. Production strength protection adequately protected against may include placement on the private intrusion or other security violations. side of the firewall with a more restrictive access policy and the use of Tightening Up Internet Security intrusion detection monitoring. Policies and Practices General Proprietary Solutions Traditionally, the information placed on Web servers in an enterprise is not Many of the workarounds that have highly protected. Many organizations put been described in this section can be their Web server in the “demilitarized categorized as “proprietary.” In other zone” established by a firewall. Most words, they are not standards-based (at system managers view Web servers as least not industry standards-based) and computer systems that will be frequently will be unique to the organizations that accessed by the public. As a result, implement them. In addition to the there is a tendency to isolate them from workarounds already discussed, there production servers and implement a are commercially available products that more lax access security policy through provide Web services security by the firewall. using standardized approaches, where available, and plugging in vendor- The introduction of Web services proprietary approaches, where neces - applications redefines the role of the sary, to fill the gaps. venerable Web server from a generic information-posting repository to a Any organization that uses productive, mission-essential enterprise proprietary approaches to provide more system. As a result, more rigorous and secure Web services should realize that restrictive policies and protection eventually the security standards and mechanisms are warranted. Further, as products that implement them will a mission-essential application provider, mature. At that point in time, the the Web server’s capacity to handle proprietary approach will rapidly become workload becomes a more important obsolete and be a hindrance to wide- issue. Web services application scale interoperability. Organizations that designers should conduct the adopt proprietary security approaches appropriate analyses and workload tests would be well-advised to plan to migrate to confirm that the capacity of the to standards-based approaches as they impacted servers and communications mature. facilities is sufficient to meet the anticipated traffic. A further limitation of proprietary solutions is the inherent level of A new technology direction in Web assurance. Generally, standards-based services security is to create solutions have had the benefit of “application-aware” firewalls that scrutiny and critique by academic and understand the content of Web services industry experts. From a security
8 Web Services Security Issues in a Justice Environment standpoint, the quality of a proprietary multitude of law enforcement agencies solution is solely dependent upon in eight southwest Alabama counties to the skills of the small team that millions of records, including current and implemented the solution. Historically, historic information such as driver’s standards-based products can provide a records, felony warrants, court generally higher level of assurance than protection orders, and state prison proprietary products. records, from a single query. Law enforcement officers with Internet Best Practices Case Study access and a Web-based browser can now access these state databases to The SAICS project is the realization retrieve information vital to investigation of the vision of Baldwin County District of criminal suspects within seconds Attorney David Whetstone. District through the SAICS Web services. Attorney Whetstone spearheaded the multiagency initiative in southwest The philosophy of the SAICS project Alabama with the help of former has always been to make as much U.S. Representative Sonny Callahan. information available to the appropriate Representative Callahan secured a law enforcement personnel as possible, $10.4 million direct appropriation for the when they need it. In order to facilitate Baldwin, Clarke, Choctaw, Escambia, this and to adhere to recognized Mobile, Monroe, and Washington security practices, SAICS uses counties, which comprise the first a combination of applications-level congressional district. security workarounds and SSL- protected information transfers. In The primary goal of the SAICS particular: project is to create and maintain an accessible and appropriately secured · Users are authenticated centrally information system on individuals and upon accessing any part of SAICS. events for criminal justice users, law In order to grant access to enforcement, and homeland security potentially sensitive information, needs, which supports effective SAICS has designed a central administration of these programs, as repository of users (similar to a well as public policy decisions, in a domain) that serves as the master cost-effective manner throughout the user index for all SAICS functions. southwest Alabama region. As it User permissions are set by local currently exists, SAICS uses Web SAICS administrators but are services to provide information retrieval not centrally authenticated unless capabilities that surpass existing state required by agreement with the criminal justice information resources by owners of other data systems that providing rapid access to multiple are being accessed. In that case, records databases across many SAICS has the capability to pass different state agencies. The project user data off to the data owner of the plans to continue expanding the number specific system. That data owner of databases available to law then sets permissions and access to enforcement and to link jails, judges, the data at the table or element and district attorneys’ offices in level. This gives control to the local southwest Alabama to this information. chief, sheriff, or district attorney. Databases in other regions of Alabama, Access permissions are set other states, and other federal agencies individually, not globally. The central will be linked to SAICS as well. SAICS administrator authenticates agency administrators who, in turn, Phase one of the new project went set permission levels for their online January 7, 2003, and now links a personnel. Declarations concerning the appropriate state and federal 9 Web Services Security Issues in a Justice Environment laws applicable to accessing law being piloted to protect the system enforcement information systems from fraudulent access. are a part of the documentation. Agency chiefs must download a PDF These security mechanisms are file, sign, date, and then mail or fax added to the SAICS Web services to the information. The central SAICS provide identification, authentication, administrator then verifies that access control, and confidentiality. The information, and a verification phone SAICS application does not depend call is made. If this is successful, upon Web services-specific protocols or then access is granted to the local standards to implement security. agency head or his/her designee. They then assume the responsibility for vetting and adding local users. Conclusion
· Individual user access is configurable down to the data element level on each database This places the responsibility for being indexed. Local data owners developing secure Web services set the access guidelines for their applications on justice information data. For example, the sheriff of system software engineers. Without Mobile County has agreed to share a comprehensive set of standards his jail management system data and complying products, engineers with the SAICS system users. He will, by necessity, end up developing has reserved the right to only allow solutions that use temporary official law enforcement personnel from the immediate surrounding workarounds and have proprietary counties to access certain portions aspects.
of the data. From the central repository, a flag is set that allows only those agencies that meet the Web services involve a fundamental criteria to see the information. shift in how justice agencies will manage, access, and share information. · There is a five-tier level of access Within the Web services architecture, from full administrative rights down security is key in justice implemen- to no access. At the local agency tations involving sensitive but level, individual user access to data unclassified information. While address- is further configurable by the local ing Web services security is the first administrator. step, deciding the best way to implement security is obviously more · The use of 128-bit encryption under complex. While there is substantial SSL is required for all access to the progress being made in developing system . The confidentiality of the standards, the effort is complicated XML messages is protected at the by a number of factors, such as session level by the SSL protocol. organizational structure and policies between two justice agencies who wish · Additionally, some elements of to share information, compatibility of access require further levels of standards implementations among encryption. This is handled via a justice organizations, and the necessity VPN at the client level or at the to make Web services as flexible as router level, as appropriate. possible. Web services workarounds are a necessary step until WS-Security · The use of keyboard fingerprint standards mature over the next few scanners at the user level, in years. addition to user ID and password, is 10
Glossary
Authentication A process used to verify the identity of a user, often as a prerequisite to allowing access to resources in a system. Authentication methods can include passwords, hardware tokens, software tokens, Smartcards, software Smartcards, and biometrics devices.
Authorization The granting or denying of appropriate access rights to a user, program, or process.
Common Information A standard for extensible, object-oriented schema for managing Model (CIM) information collected from computers, networking devices, protocols, and applications.
Customer Information An online transaction processing (OLTP) program from IBM Control System that, together with the COBOL programming language, has (CICS) formed over the past several decades the most common set of tools for building customer transaction applications in the world of large enterprise mainframe computing.
Data Integrity Proof that a file or communication has been changed only by authorized parties.
Denial of Service A hacker attack designed to shut down or overwhelm a critical system, such as an authentication server or Web server.
DES Data Encryption Standard.
Digital Certificate A data structure used in a public key infrastructure to bind a particular individual to a particular public key.
Digital Signature The result of a cryptographic transformation of data that, when properly implemented, provides a code that is attached to the message or document that acts as a signature; the signature guarantees the source and integrity of the message. ebXML Electronic business XML.
Encryption The process of cryptographically converting plain text electronic data to a form unintelligible to anyone except the intended recipient.
Extensible Markup The universal language for computers to exchange information Language (XML) with other computers over the World Wide Web.
Firewall Any system or device that strives to allow safe network traffic to pass while restricting or denying unsafe traffic.
11
HIPAA The Health Insurance Portability & Accountability Act of 1996 (August 21), Public Law 104-191, which amends the Internal Revenue Service Code of 1986. Also known as the Kennedy- Kassebaum Act.
HyperText Markup The universal language for computers to present multimedia Language (HTML) information to people over the Web.
HyperText Transfer The set of rules for exchanging files (text, graphic images, Protocol (HTTP) sound, video, and other multimedia files) on the Web.
I&A Identification and Authentication.
Key The secret used to encrypt or decrypt cipher text; the security of encryption depends on keeping the key secret.
OASIS Organization for the Advancement of Structured Information Standards.
OMI Open Model Interface.
Protocol In information technology, a protocol is the special set of rules that end points in a telecommunication connection use when they communicate. Protocols exist at several levels in a telecommunication connection. There are hardware telephone protocols, and there are protocols between each of several functional layers and each corresponding layer at the other end of a communication. Both end points must recognize and observe a protocol.
Public Key One of two keys used in an asymmetric encryption system. The public key is made public, to be used in conjunction with a corresponding private key.
Public Key A collection of people, processes, and computers which are Infrastructure (PKI) used to bind public keys to entities, enable other entities to verify public key bindings, revoke such bindings, and provide other services critical to managing public keys.
SAICS Southwest Alabama Integrated Criminal-Justice System.
Security Assertion An XML security standard for exchanging authentication and Markup Language authorization information. (SAML)
Security Token A device issued to authorized individuals that generates a code used to provide proof of their identity in a two-factor authentication system; can be a hardware or software token. Also called an authenticator.
Simple Object Access A Web protocol that defines specific fields in an XML message Protocol (SOAP) that enables multiple programs to communicate over the Web.
12
Symmetric Encryption An approach that uses the same algorithm and key to both encrypt and decrypt information.
TCP Transmission Control Protocol. The main protocol of the Internet.
Transport Level A protocol that ensures privacy between communicating Security (TLS) applications and their users on the Internet. When a server and client communicate, TLS ensures that no third party may eavesdrop or tamper with any message. TLS is the successor to the Secure Socket Layer (SSL).
Tuxedo Tuxedo (which stands for Transactions for Unix, Enhanced for distributed Operation) is a middleware product that uses a message-based communications system to distribute applications across various operating system platforms and databases.
Universal Description, An XML-based registry of services listed in Web services Discovery, and description language format. Integration (UDDI)
Virtual Private A collection of technologies that creates secure connections Network (VPN) over a public network such as the Internet.
W3C World Wide Web Consortium.
Web Services An XML-based standard that is used to describe the types of Description Language services that an online business (or justice organization) might (WSDL) offer. WDSL works in conjunction with UDDI.
Web Services for OASIS Technical Committee that is working on specifications Interactive for Web services for interactive applications. Applications (WSIA)
Web Services Remote OASIS Technical Committee that is working on specifications Portal (WSRP) for Web services remote portals.
WS-Security Web Services Security is a proposed information technology industry standard that addresses security when data is exchanged as part of a Web service.
XML Key A proposed XML security standard that defines trust issues Management beyond the XML Signature specification. Specification (XKMS)
13
Resources
Information on Glossary definitions: www.whatis.com
Information on XML digital signature: http://www.w3.org/Signature
Information on XML Encryption: http://www.w3.org/Encryption
Information on XKMS: http://www.w3.org/TR/xkms
Information on SAML: http://oasis-open.org/committees/security
Information on XACML: http://www.oasis-open.org/committees/xacml
Information on WS-Security: http://www.oasis -open.org/committees/wss
Information on Web Services Security (WS-Security) Specification: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnglobspec/html/ws-security.asp
“Security in a Web Services World: A Proposed Architecture” (see footnote 4).
14