Web Services Security
Lin Yan
Department of ECE
University of Manitoba
Manitoba, Canada
Web Services Security






Introduction
Technologies for Web Services Security
Credit Card Web Service Architecture
Building a Credit Card Web Service using
SOAP, WSDL and UDDI
Credit Card Web Service Implementation
Comparison and Conclusions
2
Introduction

The Internet





Conceived in the 1960s
ARPANET went online in the 1970s
TCP/IP was created in 1980s
Changed the way business operate
Web Services



Definition
Purpose
Architecture
3
Introduction
Service
Provider
Publish
Bind
Service
Broker
Service
Requester
Find
Web Services Architecture
4
Introduction

Associated Web Services Standards

Extensible Markup Language - XML




A Syntax to define markup language
To structure the document in a standard way and make it
machine-readable
Operating system independent
Simple Object Access Protocol - SOAP


XML based protocol for the exchange of information in a
decentralized, distributed environment
Consists of three parts: envelope, encoding rules and
convention for representing RPCs and responses
5
Introduction

Associated Web Services Standards

Web Services Description Language - WSDL



Creates a standard way for specifying the details of a Web
service
Clients can use Web service even they have no prior
knowledge of the service
Universal Description, Discovery, Integration - UDDI


Directory service where businesses and organizations can
register, deregister and look up Web services
Platform-independent framework for describing services,
discovering businesses, and integrating business services
6
Introduction

Motivations and Objectives

Provide security issues while users access Web
services over the Internet




Confidentiality
Integrity
Non-repudiation
Accountability
7
Technologies for Web Services Security

Public Key Infrastructure

Security through cryptography



Certificates


Encryption key pair
Signing key pair
Contain the basic information detailing a person’s identity
and his/her public key
Certification Authority

A trusted entity that issues the certificates
8
Technologies for Web Services Security

Public Key Infrastructure

Public Key Infrastructure






Enabling trust through a Certification Authority
Certificate retrieval from a certificate repository
Certificate revocation
Key backup and recovery
Automatic update of key pairs and certificates
Non-repudiation
9
Technologies for Web Services Security

XML Signature




A specification for encrypting data and tags within
an XML document
A digital signature expressed in XML
Allows for signing part of an XML document
Example
10
Technologies for Web Services Security
<Signature Id="MyFirstSignature" xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
<Reference URI="http://www.w3.org/TR/2000/REC-xhtml1-20000126/">
<Transforms>
<Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>j6lwx3rvEPO0vKtMup4NbeVu8nk=</DigestValue>
</DigestMethod>
</Reference>
</SignedInfo>
<SignatureValue>MC0CFFrVLtRlk=...</SignatureValue>
<KeyInfo>
<KeyValue>
<DSAKeyValue>
…….
</DSAKeyValue>
</KeyValue>
</KeyInfo>
</Signature>
11
Technologies for Web Services Security

XML Encryption




A specification for encrypting and decrypting digital
content
Encrypted content can be represented in XML
The portions of a document can be selectively
encrypted
Example
12
Technologies for Web Services Security

Encrypting the CreditCard Element
<?xml version='1.0'?>
<PaymentInfo xmlns='http://UM.edu/details'>
<Name>Alice</Name>
<EncryptedData Type='http://www.w3.org/2001/04/xmlenc#Element'
xmlns='http://www.w3.org/2001/04/xmlenc#'>
<CipherData>
<CipherValue>A23B45C56…</CipherValue>
</CipherData>
</EncryptedData>
</PaymentInfo>
13
Technologies for Web Services Security

XML Key Management Specification - XKMS



Outlines protocols for the distribution and registration of
public keys
Supports XML Encryption and XML Signature
Contains two parts:


XML Key Information Service Specification X-KISS
XML Key Registration Service Specification X-KRSS
14
Technologies for Web Services Security

XML Key Information Service Specification

Locates public key




Clients send a locate request to the XKMS service.
The locate service resolves the <ds:KeyInfo> element to
get the public key and its binding information
XKMS sends it back to client
Validates public key

The validate service validates the returned key according
to the policy of the validate service
15
Technologies for Web Services Security

XML Key Registration Service Specification

Register


Reissue



Enables the client to register a public key pair with an
XKMS service.
Allows the previously registered key binding to be issued
again
Revoke
Recover
16
Technologies for Web Services Security

WS-Security



A mechanism for signing and encrypting parts of a
SOAP message
A standard set of SOAP extensions to be used to build
secure Web services
Provides three major mechanism




Message integrity
Message confidentiality
Ability to pass around security tokens as part of a
message
IBM/Microsoft Web Services Security Road Map
17
Credit Card Web Service Architecture

The Client/Server Model




Describes the relationship between two computer
programs
One program, the client, makes a service request to
another program, the server
The server fulfills the request
3-tier Architecture



User interface
Business logic
Databases and programming related to managing it
18
Credit Card Web Service Architecture

3-tier Architecture in a Credit Card Web Service

The presentation layer



Contains the presentation objects responsible for
presenting information to end-users
In our application, Input.jsp, Method.jsp and Result.jsp are
presentation objects to allow the user to input a credit card
number and perform the get limit action and display the
result
The business layer


Contains the business objects, each of which is
responsible for a specific business process
In our application, CreditCardService.java was defined as
a business object which is responsible for validating a
credit card
19
Credit Card Web Service Architecture

3-tier Architecture in Credit Card Web Service

The data layer



Contains the data objects (DO) and the methods used to
handle the different data components
In our application, a card DO contains the information of a
credit card. It can contain attributes such as card number,
card type, expiration date, etc.
A database manager controls an application’s pool of
database connections
20
Credit Card Web Service Architecture

Use Case Analysis


Explore the UML modeling technique to describe the
credit card system development
In our credit card checking scenario, there are four
actors:




The client
Browser
Controller
Database server
21
Credit Card Web Service Architecture

Entrust PKI

Entrust PKI Architecture





Authority
Authority Master Control
Registration Authority
Authority Database
Directory
22
Credit Card Web Service Architecture

Entrust PKI

Entrust PKI User Roles






Master user
Security officer
Administrator
Directory Administrator
Auditor
End user
23
Credit Card Web Service Architecture

Public-Key Cryptographic Standard #7



PKCS #7 is the Cryptographic Message Syntax
standard which describes a general syntax for data that
may have cryptography applied to it
Supports many different content types
PKCS #7 was used in the Credit Card Web Services
application to encrypt and digitally sign the sensitive
information
24
Building Credit Card Web Service using SOAP, WSDL and UDDI

Credit Card Web Service Overview



Provides credit card validation and limit check
business functions
Also a Web Services consumer. It consumes other
Web Services such as update card service, cancel
card service
Credit card validation service example
25
Building Credit Card Web Service using SOAP, WSDL and UDDI

SOAP Message Structure


SOAP request for the getLimit service
The request takes a string parameter, an encrypted
credit card number
<soap:Body>
<m:getLimitRequest xmlns:
m=”http://tempuri.org/um.edu.CreditCardService”>
<cardNo xsi:type=’xsd:string’ >ATKEKDL…</cardNo>
</m:getLimitRequest>
</soap:Body>
26
Building Credit Card Web Service using SOAP, WSDL and UDDI

SOAP Message Structure


SOAP response for the getLimit service
The response returns a float, the limit amount of
the card
<soap:Body>
<m:getLimitResponse xmlns:
m=”http://tempuri.org/um.edu.CreditCardService”>
<Limit>3000.00</Limit>
</m:getLimitResponse>
</soap:Body>
27
Building Credit Card Web Service using SOAP, WSDL and UDDI

SOAP Message Encoding



Provides a standard data encoding scheme
Makes use of types defined in XML schema and
creates the mapping for language-specific type
definition to ensure interoperability
“xsd:string” indicates a mapping from Java type
String t XML Schema type string
28
Building Credit Card Web Service using SOAP, WSDL and UDDI

WSDL


A WSDL document provides the necessary details for a
service requestor to contact and consume a service
Consists of a set of definitions







Definition
Types
Message
PortType
Binding
Port
Service
29
Building Credit Card Web Service using SOAP, WSDL and UDDI

UDDI

UDDI Business Registry


An implementation of the UDDI specification
Public UDDI Business Registry



Operator site
Node operators
Private UDDI Business Registry
30
Building Credit Card Web Service using SOAP, WSDL and UDDI

UDDI

Using UDDI to Register and Find a Service

Register Credit Card Web Service through IBM
UDDI Business Registry




Obtain a user account
Register the business information and get a unique
business ID
Register the Credit Card Web Service to get a unique
service ID and specify the access point
Find a registered business
31
Credit Card Web Service Implementation

Implementation Language

Java 1.5





Portability
Extensibility
Cost effectiveness
Performance
Implementation Tools


Entrust Authority Security Toolkit for Java
IBM Websphere Studio
32
Credit Card Web Service Implementation

Entrust Authority Security Toolkit for Java

Overview



Gives the ability to add trusted security to our application
Gives our application access to the underlying security
structure of a PKI
Architecture


Low-level API resides on top of JCE (Java Cryptography
Extension
High-level API provides classes that implement frequently
used cryptographic tasks
33
Credit Card Web Service Implementation

Entrust Authority Security Toolkit for Java

Credentials



Used to describe a set of data that contains a user’s
critical cryptographic information
In an Entrust PKI, an Entrust Profile is used to contain a
user’s public and private credentials
Identifying a User


The process of logging in involves reading and verifying a
user’s credentials
In our case, we use an Entrust Profile yanlin.epf to
perform the log in task
34
Credit Card Web Service Implementation

IBM Websphere Studio



State-of-art Java IDE
Provides development tools to enable the creation,
development and deployment of Web service
Logic flow of Credit Card Web Service in WSAD
 Create a Credit Card Web Service
 Generate Deployment Descriptor to deploy this Web
Service on the server
 Generated CreditCardServiceProxy to accept the
client requests
 Used SOAP to encode invocation parameters and
results over HTTP
35
Credit Card Web Service Implementation

PKCS #7 Implementation with Entrust Toolkit
 Encode





Instantiate, and log in, a user
Create PKCS7EncodeStream object
Specify the digest and encryption algorithms
Specify the input data and write the encrypted and
signed data to the output stream
Decode



Instantiate, and log in, a user
Create PKCS7DecodeStream object
Read the decrypted and signed data
36
Credit Card Web Service Implementation

Database Design and Implementation




IBM DB2 Universal Database was chosen as the
DBMS system
Established a database with a name CCARD which
stores the information of credit cards and card
holders
Two tables were defined, linked by the card number
attribute
JDBC is used to access the database through the
business layer
37
Comparison with other Web Services Security Solutions

Benefits/Limitations of existing technologies




Security Assertions Markup Language – SAML
Extensible Access Control Markup Language –
XACML
Put web services security technologies together
Benefits/Limitations of the proposed solutions
38
Comparison with other Web Services Security Solutions

SAML

Includes four main components





Assertions, which are declarations of fact about a subject
Request/response protocol to exchange assertions
Bindings to transport SAML assertion messages
Profiles defines constraints and/or extensions of the core
protocols and assertions
Enables cross-domain trust



Single sign-on
Distributed transaction
An authorization service
39
Comparison with other Web Services Security Solutions

XACML







Describes both an access control policy language and a
request/response language
Consistent with and builds on SAML
Reduces the cost of developing an application-specific
access control language
Helps applications interoperate more easily
Extensible
Too complicated, needs too much configuration while
setting up hierarchical resources
Response message is more verbose
40
Comparison with other Web Services Security Solutions

Putting It Together





How Web services security standards work together
The standards are new emerging technologies, not yet
mature
Adding the security information into the SOAP header
increases the overhead, may affect the efficiency
XML encryption and XML signatures are complex
Identity collisions may occur when encrypted contents
generated in one context are dropped in another context
41
Comparison with other Web Services Security Solutions

Benefits of the proposed solutions



Mature technology PKI as our basic underlying security
infrastructure
PKI is the fundamental component of Web services
security architecture
PKI can let the companies to build their own security
system






Act as their own Certificate Authority (CA)
Confidentiality
Authentication
Non-repudiation
Integrity
Automatic key management
42
Comparison with other Web Services Security Solutions

Limitations of the proposed solutions



Discovery and validation of the certification paths is
complex
Cost
Build and manage circles of trust
43
Conclusions




Designed and developed a Credit Card Web
Service using SOAP, WSDL and UDDI
Presented a viable approach for securing the Credit
Card Web service through the use of PKI and
PKCS #7 standard
Increased the security of transferring XML
messages over the Internet
Drew a comparison between this approach and the
new emerging Web services security standards
44
Thanks …...
45