
Wolkite University College of Computing and Informatics Department of IT

Chapter Two
Fundamental of IS

Web Services Security (WS Security)

Web Services Security (WS Security) is a specification that defines how security measures are
implemented in web services to protect them from external attacks. It is a set of protocols that
ensure security for SOAP-based messages by implementing the principles of confidentiality,
integrity and authentication.

Security is critical to web services. However, neither XML-RPC nor SOAP specifications make
any explicit security or authentication requirements.

The aim of WS-Security is to ensure that communication between two parties is not intercepted
or read by an unauthorized third party. The receiver needs to be assured that the message
was indeed sent by the sender, and the sender should be assured that the receiver cannot deny
receiving the message. Finally, the data sent during communication should not be altered by an
unauthorized source. All security-related data is added as part of the SOAP header. Therefore,
a considerable overhead is imposed on SOAP message formation when security mechanisms
are activated.

There are three specific security issues with web services:

- Confidentiality
- Authentication
- Network Security

Confidentiality

If a client sends an XML request to a server, can we ensure that the communication remains
confidential?

The answer lies here:

- XML-RPC and SOAP run primarily on top of HTTP.
- HTTP has support for Secure Sockets Layer (SSL).
- Communication can be encrypted via SSL.
- SSL is a proven technology and widely deployed.

A single web service may consist of a chain of applications. For example, one large service
might tie together the services of three other applications. In this case, SSL is not adequate; the
messages need to be encrypted at each node along the service path, and each node represents a
potential weak link in the chain. Currently, there is no agreed-upon solution to this issue, but one
promising solution is the W3C XML Encryption Standard. This standard provides a framework
for encrypting and decrypting entire XML documents or just portions of an XML document.
IAS Chapter 2 Lecture Note Prepared by Abraham A

Authentication

If a client connects to a web service, how do we identify the user? Is the user authorized to use
the service?

The following options can be considered, but there is no clear consensus on a strong
authentication scheme.

- HTTP includes built-in support for Basic and Digest authentication, and services can
therefore be protected in much the same manner as HTML documents are currently
protected.
- SOAP Digital Signature (SOAP-DSIG) leverages public key cryptography to digitally
sign SOAP messages. It enables the client or server to validate the identity of the other
party.
- The Organization for the Advancement of Structured Information Standards (OASIS) is
working on the Security Assertion Markup Language (SAML).

Network Security

There is currently no easy answer to this problem, and it has been the subject of much debate.
For now, if you are truly intent on filtering out SOAP or XML-RPC messages, one possibility is
to filter out all HTTP POST requests that set their content type to text/xml.

Another alternative is to filter on the SOAPAction HTTP header. Firewall vendors are also
currently developing tools explicitly designed to filter web service traffic.
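The two filtering rules described in this section, as an added example that is not part of the lecture note: a small classifier that parses constructed HTTP request heads and flags POST requests whose Content-Type is text/xml or that carry a SOAPAction header. It generalizes slightly by also recognizing the SOAP 1.2 media type application/soap+xml; the sample requests and hostnames are constructed.

```python
# Constructed sample HTTP request heads (bodies omitted); these are not captured traffic.
SAMPLES = {
    "soap11": ("POST /ws/orders HTTP/1.1\r\nHost: example.invalid\r\n"
               "Content-Type: text/xml; charset=utf-8\r\nSOAPAction: \"urn:PlaceOrder\"\r\n\r\n"),
    "soapaction_only": ("POST /ws HTTP/1.1\r\nHost: example.invalid\r\n"
                        "Content-Type: application/octet-stream\r\nSOAPAction: \"\"\r\n\r\n"),
    "soap12": ("POST /ws HTTP/1.1\r\nHost: example.invalid\r\n"
               "Content-Type: application/soap+xml; charset=utf-8\r\n\r\n"),
    "html_page": "GET /index.html HTTP/1.1\r\nHost: example.invalid\r\nAccept: text/html\r\n\r\n",
    "xml_upload": ("POST /upload HTTP/1.1\r\nHost: example.invalid\r\n"
                   "Content-Type: application/xml\r\n\r\n"),
}

def parse_request_head(raw: str) -> tuple:
    # Split the request line from the headers; header names are case-insensitive in HTTP,
    # so they are lower-cased before lookup.
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method.upper(), path, headers

def classify(raw: str) -> tuple:
    # Returns ("block" | "allow", reason). The first two rules are the ones the note
    # describes; the third (SOAP 1.2 media type) is a generalization beyond the text.
    method, _path, headers = parse_request_head(raw)
    # Strip parameters such as "; charset=utf-8" before comparing the media type.
    media_type = headers.get("content-type", "").split(";", 1)[0].strip().lower()
    if method == "POST" and media_type == "text/xml":
        return "block", "POST with Content-Type text/xml (SOAP 1.1 or XML-RPC)"
    if "soapaction" in headers:
        return "block", "SOAPAction header present"
    if method == "POST" and media_type == "application/soap+xml":
        return "block", "POST with SOAP 1.2 media type application/soap+xml"
    return "allow", "no web-service markers"
```

Both markers are set by the client, so this is a coarse traffic control rather than a substitute for authenticating the service itself.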


WS-Security SOAP Header

Security is implemented using a header which consists of a set of key-value pairs, where the
values change according to the underlying security mechanism used. This mechanism helps
to establish the caller's identity. If a digital signature is used, the header contains information
about how the content has been signed and the location of the key used to sign the message.

Information related to encryption is also stored in the SOAP header. The ID attribute is stored as
part of the SOAP header, which simplifies processing. The timestamp is used as an additional
level of protection against attacks on the message integrity. When a message is created, a
timestamp is associated with the message indicating when it was created. Additional timestamps
are used for the expiry of the message and to indicate when the message was received at the
destination node.


WS-Security Authentication Mechanisms

- Username/Password approach: The username and password combination is one of the
basic authentication mechanisms used, and is analogous to HTTP Digest and Basic
authentication. The username token element is used to pass user credentials for
authentication. The password can be transported as plain text or in digest format. When
the digest approach is used, the password digest is produced with the SHA1 hashing
technique.
- X.509 approach: This approach identifies the user by a public key infrastructure which
maps the X.509 certificate to a particular user. More security can be added by using a
public key and a private key to encrypt and decrypt the X.509 certificate. To ensure that
messages are not replayed, a time limit can be set to decline messages which arrive after
a certain elapsed duration.
- Kerberos: The concept of a ticket forms the underlying mechanism of Kerberos. The
client needs to authenticate with a key distribution center (KDC) using a
username/password combination or an X.509 certificate. On successful authentication,
the user is granted a ticket granting ticket (TGT). Using the TGT, the client tries to access
a ticket granting service (TGS). At this step, the first two stages, identification and
authorization, are complete. The client then requests a service ticket (ST) to acquire a
particular resource from the TGS and is granted the ST. The client uses the ST to access
the service.


- Digital Signature: XML signatures are used to protect the message from modification
and interpretation. The signing must be performed by a reliable party or the real sender.
- Encryption: XML encryption is used to protect data from interpretation by making it
unreadable to an unauthorized third party. Both symmetric and asymmetric approaches
can be used.

WS-Security allows existing security mechanisms to be leveraged appropriately, avoiding the
overhead of incorporating new mechanisms.

Convergence

- Security convergence refers to the convergence of two historically distinct security
functions – physical security and information security – within enterprises; both are
integral parts of any coherent risk management program.
- Convergence is the coming together of two different entities, and in the contexts of
computing and technology, is the integration of two or more different technologies in a
single device or system.


- The simple concept of convergence allows multiple tasks to be performed on a single
device, which effectively conserves space and power.

For example, rather than carrying separate devices – like a cell phone, camera and digital
organizer – each technology converges on a single device, or smartphone.

- Another good example is surfing the Internet on a high-definition TV (HDTV).

Network Convergence
Network convergence is the efficient coexistence of telephone, video and data communication
within a single network. The use of multiple communication modes on a single network offers
convenience and flexibility that are not possible with separate infrastructures. Network
convergence is also called media convergence.

Before network convergence, many services used different network infrastructures, hardware and
protocols to connect to servers. Today, consumers, businesses, educational institutions and
government agencies use an expanded collection of media types, including:

- Texting - the act of sending short, alphanumeric communications between
cellphones, pagers or other hand-held devices, as implemented by a wireless carrier.
- Web surfing - exploring a sequence of web sites in a random, unplanned way, or simply
using the web to look for something in a questing way.
- Voice over IP (VoIP) - the transmission of voice and multimedia content over Internet
Protocol (IP) networks.
- Streaming media - video or audio content sent in compressed form over the Internet and
played immediately, rather than being saved to the hard drive.
- Videoconference applications - a live, visual connection between two or more people
residing in separate locations for the purpose of communication.
- Online gaming - the running of specialized applications known as electronic games or
video games on game consoles like Xbox and PlayStation or on personal computers.
- E-commerce - the buying and selling of goods and services, or the transmitting of funds
or data, over an electronic network, primarily the internet.

Assignment 1

Explain in detail:

- Wired/Wireless PKI (Public Key Infrastructure)
- Internet Security
- Internet Protocol version 4 (IPv4) and
- Internet Protocol version 6 (IPv6)
- Enterprise Security Architecture (ESA) and
- Intrusion Detection/Prevention System (IDS/IPS)
