Enabling Interoperable Secure Web Services - WS-I

Download Report

Transcript Enabling Interoperable Secure Web Services - WS-I 

Enabling Interoperable Secure Web Services
Bret Hartman, DataPower Technology
July, 2004
THE CONTEXT
 Businesses need to innovate at an ever increasing pace
 Success requires broad interoperability
 Within an enterprise
 Between business partners
 Across a heterogeneous set of platforms, applications and programming
languages
 Internet technologies are assumed, interoperability is required
2
THE CONTEXT
 The shift to Web services is underway
 An Internet-native distributed computing model based on XML standards
has emerged
 Early implementations are solving problems today and generating new
requirements
 The Web services standards stack is increasing in size and complexity to
meet these requirements
 The fundamental characteristic of Web services is
interoperability
3
WHAT IS NEEDED?
 Guidance
 A common definition for Web services
 Implementation guidance and support for Web services adoption
 Interoperability
 Across platforms, applications, and languages
 Consistent, reliable interoperability between Web services technologies
from multiple vendors
 A standards integrator to help Web services advance in a structured,
coherent manner
4
ABOUT WS-I
 An open industry effort chartered to promote Web Services
interoperability across platforms, applications and programming
languages.
 A standards integrator to help Web services advance in a
structured, coherent manner
 Approximately 150 member organizations
70% vendors, 30% end-user organizations
80% North America with active worldwide membership
5
WS-I GOALS
Achieve Web services interoperability
 Integrate specifications
 Promote consistent implementations
 Provide a visible representation of conformance
 Accelerate Web services deployment
 Offer implementation guidance and best practices
 Deliver tools and sample applications
 Provide a implementer’s forum where developers can collaborate
 Encourage Web services adoption
 Build industry consensus to reduce early adopter risks
 Provide a forum for end users to communicate requirements
 Raise awareness of customer business requirements
6
WORKING GROUPS
 Basic Profile
 Addresses the core set of specifications (e.g., SOAP, WSDL, UDDI,
attachments, etc.) that provide the foundation for Web services
 Basic Security Profile (New!)
 Addresses transport security, SOAP messaging security, and other
security considerations
 Requirements Gathering
 Captures business requirements to drive future profile selection
 Sample Applications
 Illustrate best practices for implementations on multiple vendor platforms
 Testing Tools and Materials
 Develops self-administered tests to very conformance with WS-I profiles
7
WS-I, STANDARDS AND INDUSTRY
Standards
Specifications
Requirements
Implementation
Guidance
Requirements
Businesses, Industry Consortia, Developers, End Users
8
MILESTONES
 Basic Profile 1.0 Package
Delivered Basic Profile 1.0, and associated sample applications and test
tools as Final Material
More than 200 interoperability issues resolved in Basic Profile 1.0
Conventions around messaging, description and discovery
Vendors are incorporating the Basic Profile 1.0 into products and services
End-users are requiring conformance
9
CURRENT WORK: BASIC PROFILES
 Basic Profile 1.1
Derived from the Basic Profile 1.0 incorporating any errata to date and
separating out requirements related to the serialization of envelopes and
their representation in messages
 Attachments Profile 1.0
Complements Basic Profile 1.1 to add support for interoperable SOAP
messages with attachments
 Simple SOAP Binding Profile 1.0
Derived from those Basic Profile 1.0 requirements related to the serialization
of the envelope and its representation in the message, incorporating any
errata to date
 Board Approval Drafts of these profiles were delivered June 3
10
CURRENT WORK: BASIC SECURITY PROFILE
 Security Scenarios
Identifies security challenges and threats in building interoperable Web
services and countermeasures for these risks
 Basic Security Profile
Addresses transport security, SOAP messaging security and other security
considerations
References existing specifications used to provide security, including the
OASIS Web Services Security 1.0 specification
 HTTP over TLS
 SOAP with Attachments
 WS-Security with Username and X.509 token profiles
 SAML Token Profile and REL (XRML) Token Profile are being
considered
11
SECURITY SCENARIOS WORKING DRAFT
 Addresses
Security Challenges
Threats
Security Solutions and Mechanisms
Scenarios
 February, 2004 draft for public comment
http://ws-i.org/Profiles/BasicSecurity/2004-02/SecurityScenarios-0.15WGD.pdf
 Final Security Scenarios expected in August, 2004
12
SECURITY CHALLENGES
 Peer Identification and Authentication
 Data Origin Identification and Authentication
 Data Integrity
Transport Data Integrity
SOAP Message Integrity
 Data Confidentiality
Transport Data Confidentiality
SOAP Message Confidentiality
 Message Uniqueness
 Out of Scope
Credentials Issuance
13
THREATS











14
Message alteration
Attachment alteration
Confidentiality
Falsified messages
Man in the middle
Principal spoofing
Repudiation
Forged claims
Replay of message parts
Replay
Denial of service - amplifier
SECURITY SOLUTIONS AND MECHANISMS
 Integrity, confidentiality, authentication, attributes
 Transport layer (HTTP/HTTPS)
HTTP and SSL/TLS mechanisms
 Message layer
WSS mechanisms
Securing SOAP with Attachments
 Combinations
Large number of theoretically possible combinations
Identified nine believed to be of practical utility
 Security considerations
Properties, threats addressed, limitations
15
SCENARIOS
 Generic requirements
Peer authentication
Integrity
Confidentiality
Origin authentication
 Scenario descriptions
One-way
Synchronous request / response
Basic callback
Others?
16
WS-I BASIC SECURITY PROFILE (BSP) 1.0
 Methodology
Reviewed WSS Documents (WSS core, username, X.509)
Comments to WSS TC
Generated potential profiling points (captured as issues)
Reviewed underlying documents
IETF RFCs covering TLS
XML Signature, XML Encryption
 Identified 90+ potential profiling points by looking for anything
other than MUST (e.g. options in specifications)
Many have since been dropped
 First public Working Draft published May, 2004
http://ws-i.org/Profiles/BasicSecurityProfile-1.0-2004-05-12.html
 Final BSP expected in September, 2004
17
BSP 1.0 QUESTIONS AND ANSWERS
 Cover SSL?
Yes, mentioned in WS-I Basic Profile 1.0
 Address SOAP intermediaries?
Yes, must be considered because of security implications
 What will document look like?
Identify constraints by category, as in Basic Profile
 If and how to handle security considerations?
Added security considerations section even though it is not testable
 One profile or several?
BSP 1.0 will be one document
Subsequent token profiles can be published separately
 How to secure Attachment Profile 1.0?
Decided to use WSS and to request OASIS TC to do this work
18
EXAMPLE REQUIREMENT
4. Transport Layer Security
This section of the Profile incorporates the following specifications by reference, and
defines extensibility points within them:
 HTTP over TLS
Extensibility points:
 E0001 - Ciphersuites - Additional ciphersuites may be specified.
4.1 SSL and TLS
The following specifications (or sections thereof) are referred to in this section of the
Profile;
HTTP over TLS: Section 2.2.1
SSL and TLS are both used as underlying protocols for HTTP/S. This profile places the
following constraints on those protocols:
4.1.1 Use of SSL 2.0
SSL 2.0 has known security issues and all current implementations of HTTP/S support
more recent protocols. Therefore this profile prohibits use of SSL 2.0.
R2001 A SENDER MUST NOT use SSL 2.0 as the underlying protocol for HTTP/S
R2002 A RECEIVER MUST NOT use SSL 2.0 as the underlying protocol
for HTTP/S
19
OTHER BSP 1.0 DELIVERABLES
scenarios and
sample
use cases
usage scenarios
applications
web services
profile
basic security profile
testing tools
and materials
20
testing
tools
other test
materials
sample
applications
TESTING AND DEMONSTRATING BSP 1.0
 How to test Basic Security Profile 1.0?
Basic Profile 1.0 testing tools used a man in the middle testing strategy
Will this work for BSP 1.0 since one of its objectives is to stop man in the
middle attacks?
What level does the testing take place at?
Highest level message syntax?
After parts of the message have been decrypted?
 BSP sample applications and usage scenarios
Based on sample application for Basic Profile 1.0 adding security aspects
21
FUTURE WORK PLANS
 Additional token profiles
Candidates include Kerberos, REL (XRML), SAML
Depends on progress by OASIS TC
Final material ETA: November, 2004
22
QUESTIONS
 Today
 Later
E-mail [email protected]
 Comments on BSP documents
E-mail [email protected]
 Security Scenarios published February, 2004
http://ws-i.org/Profiles/BasicSecurity/2004-02/SecurityScenarios-0.15WGD.pdf
 BSP 1.0 WD published May, 2004
http://ws-i.org/Profiles/BasicSecurityProfile-1.0-2004-05-12.html
Thanks to Paul Cotton, chair of WS-I Basic Security Profile
Working Group for much of the material in this presentation!
24