enabling interoperable secure web services

Enabling Interoperable Secure Web Services

Bret Hartman, DataPower TechnologyJuly, 2004

2

THE CONTEXT

Businesses need to innovate at an ever increasing pace Success requires broad interoperability

Within an enterprise

Between business partners

Across a heterogeneous set of platforms, applications and programming languages

Internet technologies are assumed, interoperability is required

3

THE CONTEXT

The shift to Web services is underway

An Internet-native distributed computing model based on XML standards has emerged

Early implementations are solving problems today and generating new requirements

The Web services standards stack is increasing in size and complexity to meet these requirements

The fundamental characteristic of Web services is interoperability

4

WHAT IS NEEDED?

Guidance

A common definition for Web services

Implementation guidance and support for Web services adoption

Interoperability

Across platforms, applications, and languages

Consistent, reliable interoperability between Web services technologies from multiple vendors

A standards integrator to help Web services advance in a structured, coherent manner

5

ABOUT WS-I

An open industry effort chartered to promote Web Services interoperability across platforms, applications and programming languages.

A standards integrator to help Web services advance in a structured, coherent manner

Approximately 150 member organizations

70% vendors, 30% end-user organizations

80% North America with active worldwide membership

6

WS-I GOALS

Achieve Web services interoperability

Integrate specifications

Promote consistent implementations

Provide a visible representation of conformance

Accelerate Web services deployment

Offer implementation guidance and best practices

Deliver tools and sample applications

Provide a implementer’s forum where developers can collaborate

Encourage Web services adoption

Build industry consensus to reduce early adopter risks

Provide a forum for end users to communicate requirements

Raise awareness of customer business requirements

7

WORKING GROUPS

Basic Profile

Addresses the core set of specifications (e.g., SOAP, WSDL, UDDI, attachments, etc.) that provide the foundation for Web services

Basic Security Profile (New!)

Addresses transport security, SOAP messaging security, and other security considerations

Requirements Gathering

Captures business requirements to drive future profile selection

Sample Applications

Illustrate best practices for implementations on multiple vendor platforms

Testing Tools and Materials

Develops self-administered tests to very conformance with WS-I profiles

8

WS-I, STANDARDS AND INDUSTRY

Businesses, Industry Consortia, Developers, End Users

ImplementationGuidance

StandardsSpecifications

Requirements

Requirements

9

MILESTONES

Basic Profile 1.0 Package

Delivered Basic Profile 1.0, and associated sample applications and test tools as Final Material

More than 200 interoperability issues resolved in Basic Profile 1.0

Conventions around messaging, description and discovery

Vendors are incorporating the Basic Profile 1.0 into products and services

End-users are requiring conformance

10

CURRENT WORK: BASIC PROFILES

Basic Profile 1.1

Derived from the Basic Profile 1.0 incorporating any errata to date and separating out requirements related to the serialization of envelopes and their representation in messages

Attachments Profile 1.0

Complements Basic Profile 1.1 to add support for interoperable SOAP messages with attachments

Simple SOAP Binding Profile 1.0

Derived from those Basic Profile 1.0 requirements related to the serialization of the envelope and its representation in the message, incorporating any errata to date

Board Approval Drafts of these profiles were delivered June 3

11

CURRENT WORK: BASIC SECURITY PROFILE

Security Scenarios Identifies security challenges and threats in building interoperable Web

services and countermeasures for these risks Basic Security Profile

Addresses transport security, SOAP messaging security and other security considerations

References existing specifications used to provide security, including the OASIS Web Services Security 1.0 specification

HTTP over TLS

SOAP with Attachments

WS-Security with Username and X.509 token profiles

SAML Token Profile and REL (XRML) Token Profile are being considered

12

SECURITY SCENARIOS WORKING DRAFT

Addresses

Security Challenges

Threats

Security Solutions and Mechanisms

Scenarios

February, 2004 draft for public comment

http://ws-i.org/Profiles/BasicSecurity/2004-02/SecurityScenarios-0.15-WGD.pdf

Final Security Scenarios expected in August, 2004

13

SECURITY CHALLENGES

Peer Identification and Authentication Data Origin Identification and Authentication Data Integrity

Transport Data Integrity

SOAP Message Integrity Data Confidentiality

Transport Data Confidentiality

SOAP Message Confidentiality Message Uniqueness Out of Scope

Credentials Issuance

14

THREATS

Message alteration Attachment alteration Confidentiality Falsified messages Man in the middle Principal spoofing Repudiation Forged claims Replay of message parts Replay Denial of service - amplifier

15

SECURITY SOLUTIONS AND MECHANISMS

Integrity, confidentiality, authentication, attributes Transport layer (HTTP/HTTPS)

HTTP and SSL/TLS mechanisms Message layer

WSS mechanisms

Securing SOAP with Attachments Combinations

Large number of theoretically possible combinations

Identified nine believed to be of practical utility Security considerations

Properties, threats addressed, limitations

16

SCENARIOS

Generic requirements Peer authentication

Integrity

Confidentiality

Origin authentication Scenario descriptions

One-way

Synchronous request / response

Basic callback

Others?

17

WS-I BASIC SECURITY PROFILE (BSP) 1.0

Methodology Reviewed WSS Documents (WSS core, username, X.509)

Comments to WSS TC

Generated potential profiling points (captured as issues)

Reviewed underlying documents

IETF RFCs covering TLS

XML Signature, XML Encryption Identified 90+ potential profiling points by looking for anything

other than MUST (e.g. options in specifications) Many have since been dropped

First public Working Draft published May, 2004 http://ws-i.org/Profiles/BasicSecurityProfile-1.0-2004-05-12.html

Final BSP expected in September, 2004

18

BSP 1.0 QUESTIONS AND ANSWERS

Cover SSL? Yes, mentioned in WS-I Basic Profile 1.0

Address SOAP intermediaries? Yes, must be considered because of security implications

What will document look like? Identify constraints by category, as in Basic Profile

If and how to handle security considerations? Added security considerations section even though it is not testable

One profile or several? BSP 1.0 will be one document Subsequent token profiles can be published separately

How to secure Attachment Profile 1.0? Decided to use WSS and to request OASIS TC to do this work

19

EXAMPLE REQUIREMENT

4. Transport Layer SecurityThis section of the Profile incorporates the following specifications by reference, and defines extensibility points within them: HTTP over TLS

Extensibility points: E0001 - Ciphersuites - Additional ciphersuites may be specified.

4.1 SSL and TLSThe following specifications (or sections thereof) are referred to in this section of the Profile;

HTTP over TLS: Section 2.2.1 SSL and TLS are both used as underlying protocols for HTTP/S. This profile places the following constraints on those protocols:

4.1.1 Use of SSL 2.0

SSL 2.0 has known security issues and all current implementations of HTTP/S support more recent protocols. Therefore this profile prohibits use of SSL 2.0.

R2001 A SENDER MUST NOT use SSL 2.0 as the underlying protocol for HTTP/S

R2002 A RECEIVER MUST NOT use SSL 2.0 as the underlying protocol for HTTP/S

20

OTHER BSP 1.0 DELIVERABLES

usage scenarios sampleapplications

scenarios and

sample

applications

use cases

web services

basic security profile

testingtools

other test materials

testing tools

and materials

profile

21

TESTING AND DEMONSTRATING BSP 1.0

How to test Basic Security Profile 1.0?

Basic Profile 1.0 testing tools used a man in the middle testing strategy

Will this work for BSP 1.0 since one of its objectives is to stop man in the middle attacks?

What level does the testing take place at?

Highest level message syntax?

After parts of the message have been decrypted?

BSP sample applications and usage scenarios

Based on sample application for Basic Profile 1.0 adding security aspects

22

FUTURE WORK PLANS

Additional token profiles

Candidates include Kerberos, REL (XRML), SAML

Depends on progress by OASIS TC

Final material ETA: November, 2004

24

QUESTIONS

Today Later

E-mail bhartman@datapower.com Comments on BSP documents

E-mail wsi_secprofile_comment@lists.ws-i.org Security Scenarios published February, 2004

http://ws-i.org/Profiles/BasicSecurity/2004-02/SecurityScenarios-0.15-WGD.pdf

BSP 1.0 WD published May, 2004 http://ws-i.org/Profiles/BasicSecurityProfile-1.0-2004-05-12.html

Thanks to Paul Cotton, chair of WS-I Basic Security Profile Working Group for much of the material in this presentation!