Chapter Two
Fundamentals of IS
Web Services Security (WS Security) is a specification that defines how security measures are
implemented in web services to protect them from external attacks. It is a set of protocols that
ensure security for SOAP-based messages by implementing the principles of confidentiality,
integrity and authentication.
Security is critical to web services. However, neither the XML-RPC nor the SOAP specification
makes any explicit security or authentication requirements.
The aim of WS-Security is to ensure that communication between two parties is not intercepted
or read by an unauthorized third party. The receiver needs to be assured that the message
was indeed sent by the sender, and the sender should be assured that the receiver cannot deny
receiving the message. Finally, the data sent during communication should not be altered by an
unauthorized source. All data related to security is added as part of the SOAP header. Therefore,
a considerable overhead is imposed on the SOAP message formation when security mechanisms
are activated.
The sections below discuss three concerns: Confidentiality, Authentication and Network Security.
Confidentiality
If a client sends an XML request to a server, can we ensure that the communication remains
confidential?
A single web service may consist of a chain of applications. For example, one large service
might tie together the services of three other applications. In this case, SSL is not adequate; the
messages need to be encrypted at each node along the service path, and each node represents a
potential weak link in the chain. Currently, there is no agreed-upon solution to this issue, but one
promising solution is the W3C XML Encryption Standard. This standard provides a framework
for encrypting and decrypting entire XML documents or just portions of an XML document.
IAS Chapter 2 Lecture Note Prepared by Abraham A
Wolkite University College of Computing and Informatics Department of IT
Authentication
If a client connects to a web service, how do we identify the user? Is the user authorized to use
the service?
The following options can be considered but there is no clear consensus on a strong
authentication scheme.
HTTP includes built-in support for Basic and Digest authentication, and services can
therefore be protected in much the same manner as HTML documents are currently
protected.
Network Security
There is currently no easy answer to this problem, and it has been the subject of much debate.
For now, if you are truly intent on filtering out SOAP or XML-RPC messages, one possibility is
to filter out all HTTP POST requests whose content type is set to text/xml.
Another alternative is to filter on the SOAPAction HTTP header. Firewall vendors are also
currently developing tools explicitly designed to filter web service traffic.
Information related to encryption is also stored in the SOAP header. The ID attribute is stored as
part of the SOAP header, which simplifies processing. The timestamp is used as an additional
level of protection against attacks on the message integrity. When a message is created, a
timestamp is associated with the message indicating when it was created. Additional timestamps
are used for the expiry of the message and to indicate when the message was received at the
destination node.
Username/Password approach: The username and password combination is one of the
basic authentication mechanisms used, and is analogous to HTTP Digest and Basic
authentication methods. The username token element is used to pass user credentials for
authentication. The password can be transported as plain text or in digest format. When
the digest approach is used, the password itself is not sent; a SHA1 hash of it is sent
instead.
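The following is an added example (not part of the lecture note) that shows the username-token digest approach together with the timestamp and nonce checks described earlier: the sender hashes nonce + created + password with SHA-1, and the receiver recomputes the digest, rejects stale timestamps and refuses a nonce it has already seen. The user store, the time values and the 5-minute freshness window are constructed assumptions.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

USERS = {"alice": "correct horse battery staple"}  # constructed credential store
FMT = "%Y-%m-%dT%H:%M:%SZ"                          # wsu:Created format (UTC)

def password_digest(nonce: bytes, created: str, password: str) -> str:
    # UsernameToken profile: PasswordDigest = Base64(SHA-1(nonce + created + password))
    data = nonce + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(data).digest()).decode()

def build_username_token(username: str, password: str, now: datetime) -> dict:
    # Values the sender places in <wsse:UsernameToken> inside the SOAP header
    nonce, created = os.urandom(16), now.strftime(FMT)
    return {"Username": username, "Created": created,
            "Nonce": base64.b64encode(nonce).decode(),
            "PasswordDigest": password_digest(nonce, created, password)}

def verify_username_token(token: dict, now: datetime, seen_nonces: set,
                          max_age: timedelta = timedelta(minutes=5)) -> bool:
    # Receiver side: check freshness, reject reused nonces, then recompute the digest
    created = datetime.strptime(token["Created"], FMT).replace(tzinfo=timezone.utc)
    if not (now - max_age <= created <= now + max_age):
        return False  # outside the freshness window: stale or clock-skewed, treat as replay
    if token["Nonce"] in seen_nonces:
        return False  # nonce already consumed inside the window: replay
    password = USERS.get(token["Username"])
    if password is None:
        return False  # unknown user
    expected = password_digest(base64.b64decode(token["Nonce"]), token["Created"], password)
    if not hmac.compare_digest(expected, token["PasswordDigest"]):
        return False  # wrong password (or tampered Created/Nonce)
    seen_nonces.add(token["Nonce"])  # in production, expire entries older than max_age
    return True

def run_demo() -> tuple:
    # Constructed scenario: fresh token accepted; replay, stale token and wrong password rejected
    now = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
    seen = set()
    good = build_username_token("alice", USERS["alice"], now)
    stale = build_username_token("alice", USERS["alice"], now - timedelta(minutes=10))
    bad = build_username_token("alice", "wrong password", now)
    return (verify_username_token(good, now, seen),   # True
            verify_username_token(good, now, seen),   # False: same nonce replayed
            verify_username_token(stale, now, seen),  # False: Created too old
            verify_username_token(bad, now, seen))    # False: digest mismatch
```

Note that the digest only proves knowledge of the password; it does not hide it from brute-force attempts, which is why the profile is normally combined with transport or XML encryption.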
X.509 approach: This approach identifies the user by a public key infrastructure which
maps the X.509 certificate to a particular user. More security can be added by using a
public key and a private key to encrypt and decrypt the X.509 certificate. To ensure that
messages are not replayed, a time limit can be set to decline messages which arrive after
a certain elapsed duration.
Kerberos: The concept of a ticket forms the underlying mechanism of Kerberos. The
client needs to authenticate with a key distribution center (KDC) using a
username/password combination or an X.509 certificate. On successful authentication,
the user is granted a ticket granting ticket (TGT). Using the TGT, the client tries to access
a ticket granting service (TGS). At this step, the first two roles of identification and
authorization are over. The client then requests a service ticket (ST) to acquire a
particular resource from the TGS and is granted the ST. The client uses the ST to access
the service.
Digital Signature: XML signatures are used to protect the message from modification
and interpretation. The signing must be performed by a reliable party or the real sender.
Encryption: XML encryption is used to protect data from interpretation by making it
unreadable to an unauthorized third party. Both symmetric and asymmetric approaches
can be used.
Convergence
Security convergence refers to the convergence of two historically distinct security
functions – physical security and information security – within enterprises; both are
integral parts of any coherent risk management program.
Convergence is the coming together of two different entities, and in the contexts of
computing and technology, is the integration of two or more different technologies in a
single device or system.
For example, rather than carrying separate devices – like a cell phone, camera and digital
organizer – each technology converges on a single device, or smartphone.
Network Convergence
Network convergence is the efficient coexistence of telephone, video and data communication
within a single network. The use of multiple communication modes on a single network offers
convenience and flexibility that are not possible with separate infrastructures. Network
convergence is also called media convergence.
Before network convergence, many services used different network infrastructures, hardware and
protocols to connect to servers. Today, consumers, businesses, educational institutions and
government agencies use an expanded collection of media types, including:
Assignment 1
Explain in detail: