Introduction to Web Secure (Part II)

X.509 Certificate Generator is a tool that allows you to generate digital certificates in PFX (Personal Information Exchange) format, or on a cryptographic smart card.

X.509 digital certificates are commonly used to authenticate clients and servers, to encrypt messages, and to digitally sign messages.

A digital certificate is a part of a public key infrastructure (PKI), which is a system of digital certificates, certificate authorities, and other registration authorities that verify and authenticate the validity of each party involved in an electronic transaction through the use of public key cryptography.

Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography.


Unlike a password, a security token is a physical object. A key fob, for example, is practical and easy to carry, and thus easy for the user to protect. Even if the key fob falls into the wrong hands, however, it can't be used to gain access because the PIN (which only the rightful user knows) is also needed.
In Summary

A Secure Token Service (STS) is a Web service that issues security tokens. It makes assertions based on evidence that it trusts, to whoever trusts it (or to specific recipients).

To communicate trust, a service requires proof, such as a signature, to prove knowledge of a security token or set of security tokens. A typical example of a security token is a username token, in which a user name and password are included as text.

Web services security defines how to encode binary security tokens using methods such as X.509 certificates and Kerberos tickets.
Web Services Architecture

A Web service is a program that can be accessed remotely using different XML-based (eXtensible Markup Language) languages.
The Web services programming stack:

• The network is the foundation layer for the stack. All Web services must be available over some network.

• The XML-based messaging layer facilitates communication between Web services and their clients and encodes messages in XML that both client and server can understand. The messaging layer is based on SOAP, an XML protocol that carries the publish, find and bind operations shown in the Web Service Model.

• WSDL is a specification that describes available Web services to clients. For example, a banking Web service may implement functions to check an account, print a statement, and deposit and withdraw funds. These functions are described in a WSDL file. Simply put, the WSDL file is the key communicative agent between the various entities exchanging service messages and instructions.



The three layers described thus far are required in order to have interoperable Web services. The remaining layers in the programming stack are optional.

UDDI (Universal Description, Discovery and Integration): UDDI is used to register and look up services with a central registry. This layer represents a way to publish and find Web services over the Web. The protocol used to publish a Web service is known as UDDI. The UDDI Business Registry allows anyone to search existing UDDI data and enables you to register your company and its services.

Infrastructure services:

Security, management, and quality-of-service management must be addressed at each layer of the stack.
Web service specifications

There are a variety of specifications associated with Web services. These specifications build on the basic Web services framework established by the first-generation standards WSDL, SOAP and UDDI.
Web Services Security Specifications

Figure. Web Services Security Specifications: the figure shows WS-SecureConversation, WS-Federation and WS-Authorization on top of WS-Policy, WS-Trust and WS-Privacy, all layered on WS-Security over the SOAP Foundation.
WS-Security specification

The Web services WS-Security specification describes enhancements to SOAP messaging to provide quality of protection through message integrity, message confidentiality, and single message authentication. These mechanisms can be used to accommodate a wide variety of security models and encryption technologies.

• A Web service is a self-contained, self-describing modular application that can be published, discovered, and invoked over a network using standard network protocols. Typically, XML is used to tag the data, SOAP is used to transfer the data, WSDL is used for describing the services available, and UDDI is used for listing the services that are available.

• The WS-Security specification is one of several security standards that can be used to secure a Web service. It provides message-level security, which means it is independent of the transport protocol.
Web Services Security Concepts

Securing Web Services

The WS-Security specification provides the following three mechanisms for securing Web services at the message level:

• Authentication: This mechanism uses a security token to validate the user and determine whether a client is valid in a particular context. A client can be an end user, machine, application, or import. Without authentication, an attacker can use spoofing techniques to send a modified SOAP message to the service provider.

• Confidentiality: This mechanism uses message encryption to ensure that no unauthorized party or process can access or disclose the information in the message. When a SOAP message is encrypted, only a service that knows the key for confidentiality can decrypt and read the message. Without confidentiality, an attacker can use eavesdropping techniques to intercept a SOAP message and read the contained information.

• Integrity: This mechanism uses message signing to ensure that information is not changed, altered, or lost in an unauthorized or accidental way. When integrity is implemented, an XML digital signature is generated on the contents of a SOAP message. If the message data changes illegally, the signature is not validated. Without integrity, an attacker can use tampering techniques to intercept a SOAP message between the Web service client and server and then modify it.



Transport-level Security

Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS), are cryptographic protocols designed to provide communication security over the Internet.

SSL is the most widely used transport-level data-communication protocol, providing:

• Authentication (the communication is established between two trusted parties).
• Confidentiality (the data exchanged is encrypted).
• Message integrity (the data is checked for possible corruption).

SSL provides a secure communication channel; however, when the data is not "in transit," the data is not protected. This makes the environment vulnerable to attacks in multi-step transactions, for example at an intermediary that terminates one SSL connection and opens another. (SSL provides point-to-point security, as opposed to end-to-end security.)

Figure. Point-to-point security versus end-to-end security.


Application-level Security

Application-level security complements transport-level security. It is based on XML frameworks defining confidentiality, integrity and authenticity; message structure; and trust management and federation.