Global Journal of Computer Science and Technology Network, Web & Security Volume 12 Issue 17 Version 1.0 Year 2012 Type: Double Blind Peer Reviewed International Research Journal Publisher: Global Journals Inc. (USA) Online ISSN: 0975-4172 & Print ISSN: 0975-4350 Secured Web Services Specifications By Sudeep Mukherjee & Dr. Rizwan Beg Integral University Lucknow, India Abstract - The proliferation of XML based web services in the IT industry not only gives rise to opportunities but challenges too. Namely the challenges of security and a standard way of maintaining it across domains and organisational boundaries. OASIS, W3C and other organisations have done some great work in bringing about this synergy. What I look in this paper are some of the more popular standards in vogue today and clubbed under WS-* specification. I will try to give an overview of various frameworks and protocols being used to keep web-services secure. Some of the major protocols looked into are WS-Security, SAML, WS-Federation, WS-Trust, XML-Encryption and Signature. This paper will give you a brief introduction to impact of using WS-* on time complexity due to the extra load of encrypting and certificates. Windows communication foundation (WCF) is one of the best designed toolset for this though WCF is not the topic of discussion in this paper. Keywords : soa; web-service; ws-security; ws-trust; ws-federation; xml; soap. GJCST-E Classification : D.4.6 Secured Web Services Specifications Strictly as per the compliance and regulations of: © 2012. Sudeep Mukherjee & Dr. Rizwan Beg. This is a research/review paper, distributed under the terms of the Creative Commons Attribution-Noncommercial 3.0 Unported License http://creativecommons.org/licenses/by-nc/3.0/), permitting all non-commercial use, distribution, and reproduction inany medium, provided the original work is properly cited. Secured Web Services Specifications Sudeep Mukherjee α & Dr. Rizwan Beg σ Abstract - The proliferation of XML based web services in the option just install a firewall or intrusion detection IT industry not only gives rise to opportunities but challenges software this kept their domain and data safe but as too. Namely the challenges of security and a standard way of mentioned earlier with the new concept of application- maintaining it across domains and organisational boundaries. to-application cross domain communication firewalls OASIS, W3C and other organisations have done some great have become defunct to a large extent. Firewalls isolate work in bringing about this synergy. What I look in this paper are some of the more popular standards in vogue today and an organization’s network system but allow two TCP 2012 clubbed under WS-* specification. I will try to give an overview ports remain open - port 80 for HTTP and port 447 for Year of various frameworks and protocols being used to keep web- HTTPS[2]. services secure. Some of the major protocols looked into are These ports are used for communication to 15 WS-Security, SAML, WS-Federation, WS-Trust, XML- send and receive Web pages. This deadly combination Encryption and Signature. This paper will give you a brief of easy access and human readable data is a goldmine introduction to impact of using WS-* on time complexity due to for attackers. Irrespective of the level of SOA integration the extra load of encrypting and certificates. Windows security should be one of the top priorities of any communication foundation (WCF) is one of the best designed organisation. Every computer based organization must toolset for this though WCF is not the topic of discussion in this paper. revisit their security strategy for facing new security Keywords : soa; web-service; ws-security; ws-trust; ws- challenges posed by Web Services. Some of these federation; xml; soap. issues are • Legacy applications work on the concept that I. INTRODUCTION authentication alone can filter out the unwanted ependable and secure computing intends to attackers unfortunately this assumption in new provide services with a high degree of internet infrastructure is grossly mistaken. These availability(A), reliability, safety, integrity (I), applications do not have the where withals to face D the new age attackers. ) D DD E maintainability, and confidentiality (C)[1]. Old D fashioned Human-to-Machine interaction is a forgotten • Most organisations to save cost have used the ( story on World Wide Web. Increasingly we see that strategy to keep their core application the same and application-to-application interaction is running our expose them to the World Wide Web through a layer internet. Therefore it is not surprising when we humans of web-services, this causes an immediate security interact with the web majority of work is done by these hole and more often than not the business logic is software agents communicating with other computer compromised. systems requesting service and getting the desired • Validation checks are kept on the client-side UI, this result in response. is not the approved way of doing business in a SOA This has radically changed the efficiency as well based architecture as customer satisfaction for online business houses, so • As mentioned earlier firewalls or packet-filters at the much so that many business models have no to minimal network level are incapable of detecting malicious human intervention. As such new technologies, behaviour of XML/SOAP based attackers. protocols and frameworks have flooded the market. Yet Transport Layer Security (TLS), is the most this great leap has a very dark side to it too. The popular tool used to secure web-based data through expansion of application-application messaging authentication and encryption. Unfortunately in the case infrastructure has attracted old and new attackers who of SOA because TLS works between two endpoints it are bent upon destroying or breaking this system for has no way of protecting multiple points or financial gains. intermediaries. SOAP requires protection of its E-commerce application are the favourite messages as it is passed through a chain of Global Journal of Computer Science and Technology Volume XII Issue XVII Version I hunting ground for attackers who would like nothing intermediaries, this is the inherent nature that makes more than to get their hands on the sensitive back end Web-Services most vulnerable. data like, customer profile, cards, addresses etc. In the As security solution on a transport layer, the TLS years gone by most of the companies had an easy couldn’t provide flexibility for message transmitting, such as encrypted different elements of the message by Author α : Department of Computer Science & Engineering, Integral different key, in which recipients could only read parts of University Lucknow, India. E-mail : [email protected] Author σ : HOD Department of Computer Science & Engineering, the message about him.[3] Integral University Lucknow, India. E-mail : [email protected] ©2012 Global Journals Inc. (US) Secured Web Services Specifications Because of their nature (loosely coupled authorization data between entities SAML is a product of connections) and their use of open access (mainly the OASIS Security Services Technical Committee.[6] HTTP), SOA infrastructures implemented by web A SAML specification defines services add a new set of requirements to the security • Assertions: It basically defines the three A’s i.e. landscape. Web services security requirements also Attribute, Authentication and Authorization data. involve credential mediation (exchanging security tokens • Protocol: This defines the main elements taking in a trusted environment), and service capabilities and place in the Web-Service Request/Response constraints (defining what a web service can do, under standard and they help in packaging assertions. what circumstances).[4] • Bindings: Clearly lays out the way to map SAML Let’s look at some of the ways to keep Web- Protocols on all the other messaging and Services secure. This paper tries to enumerate few of communication protocols. 2012 the security tools that have been introduced by the • Profiles: Defines the combination of bindings, industry which make Web Services more secure. The assertions and protocols to support a particular use Year first major aspect that I will look into is Authentication. case. 16 II. AUTHENTICATION Authentication is needed to protect resources and control the access to these resources. If SOA concepts are to be implemented then the authentication procedure should be seamless between different entities and the user should not be asked to login more than once. Service-to-service authentication is possible using variety of methods like HTTP-based to SSL certificate based. If we look into the SOAP message then the new protocols gives us an added option of passing tokens along with the SOAP request. Mostly the Figure 1 : SAML Structure HTTP and SSL based authentication is transparent to ) the Web service while SOAP-based token protocols An assertion contains a packet of security D DD E D ( require interaction between Web services. information Web services that use tokens for authentication <saml:Assertion…> are best served by the OASIS WS-Security standard. … Currently five token types are defined. These are the </saml:Assertion> Username Token, X.509 token, the SAML token, saml:AssertionType Kerberos token, and the Rights Expression Language (REL) token. When a service provider attempts to saml:Issuer access a remote Web service, it has the option to send an authentication token, impersonating the user within a ds:Signature WS-Security message. Assertions saml:Subject 1) Username Token 2) X.509 Certificate Token saml:Condition An X.509 certificate specifies a binding between a public key and a set of attributes that includes (at saml:Advice least) a subject name, issuer name, serial number and validity interval. This binding may be subject to saml:Statement subsequent revocation advertised by mechanisms that include issuance of CRLs, OCSP tokens or mechanisms saml:AuthnStatement that are outside the X.509 framework, such as XKMS.