Multi-party Authentication in
Web Services
Madhumita Chatterjee
7/17/2016 3:02 PM
1
Overview







Web Services Architecture
Typical Scenario
Security Threats
Challenges and issues
Need for Session Authentication
Maruyama’s Approach
A Proposal
7/17/2016 3:02 PM
2
Demystifying Webservices:



Web services are modular software
components
Wrapped inside a specific set of Internet
communications protocols
Can communicate with other
components automatically without
human intervention.
7/17/2016 3:02 PM
3
Typical Web Services



airline ticket reservation process
real time travel advisory
a restaurant review article
7/17/2016 3:02 PM
4
Web Site/ Web Service
A Web service is designed to
be
accessed by applications.
7/17/2016 3:02 PM
5
Web Service Working



Each new request to a Web service is
automatically spawned as a new thread
in the Web Service process .
A Service could also delegate tasks to
other services.
Dynamic behavior of these short-lived
services, introduce new security
challenges.
7/17/2016 3:02 PM
6
Key roles in the Web services
architecture


3 key roles--------a service provider, a
service registry and a service requestor.
3 operations performed:



Publish--- makes the service description
publicly available.
Find operation discovers the Web service.
Bind operation allows the service to be
used by the person or program requesting
the service.
7/17/2016 3:02 PM
7
Architecture
7/17/2016 3:02 PM
8
Web Service Components


Internet based modular applications
Program to program communication




XML
WSDL
SOAP
UDDI
7/17/2016 3:02 PM
9
Web Services Description Lang


WSDL is the language used to create
service descriptions.
Able to create descriptions about the
location of the service, how to run it,
what business is hosting the service,
the kind of service it is, etc
7/17/2016 3:02 PM
10
Simple Object Access Protocol




SOAP is the means through which the service
provider, service registry and service
requestor communicate.
XML-based technology used to exchange
structured data between network
applications.
SOAP is used to publish the service
description to a service registry.
All other interactions between service registry,
service requestor and service provider are
done via SOAP.
7/17/2016 3:02 PM
11
Universal Description
Discovery & Integration



UDDI is the directory technology used
by service registries that contain the
description of Web services
Allows the directory to be searched for
a particular Web service.
UDDI is in essence a Yellow Pages that
can be used to locate Web services.
7/17/2016 3:02 PM
12
Web Service Architecture
Implementation of Services
(components)
UDDI
Interface
Description with
WSDL
1. Request
Service
requester
7/17/2016 3:02 PM
4. Request
Service
Broker
Web
Server
For SOAP
S
E
R
V
I
C
e
13
Web Service Security-A
concern

Web services are based on message
exchanges on the net with the
possibility of dynamic short-term
relationships.
Authentication: Establishing identity of

Authorization: Establishing what a user

user
is allowed to do.
7/17/2016 3:02 PM
14
Web Service Security……cont


Confidentiality: Ensuring that only the
intended recipient can read the
message, accompanied by encryption.
Integrity: Ensuring that the message
has not been tampered with, generally
accomplished with digital signatures.
7/17/2016 3:02 PM
15
Web Service Workflows




Dynamic composition
Multiple instances
Workflow involves service instances
belonging to different Web services
Multiple parties belong to a flow.
7/17/2016 3:02 PM
16
Typical Web Service Scenario
Financer
F.1
P.2
Provider
F.2
Insurance
P.1
I.1
Buyer
B.1
Govt service
G.1
Shipper
S.1
7/17/2016 3:02 PM
Service
Instance
17
Threats To Web Service Security

Malicious web service threats typically fall into
one of three categories:



Identity threats, such as authentication attacks,
eavesdropping etc.
Content-borne threats, which are attacks with
elements in the actual XML payload, such as XML
viruses.
XML Denial of Service (XdoS), which are new
application-level versions of network level DoS
attacks.
7/17/2016 3:02 PM
18
Identity Threats….

Unauthorized access


Parameter manipulation



Weak authentication and authorization
Unauthorized modification of data
Network eavesdropping
Message replay
7/17/2016 3:02 PM
19
Need for session
Authentication
Flight
TA-1
Hotel
TA-2
Car#1
Car#2
7/17/2016 3:02 PM
20
Maruyama’s protocol


Session Authenticator component
responsible for distributing keys and
authenticating messages
Each instance belonging to a session
gets the shared key
7/17/2016 3:02 PM
21
Maruyama’s protocol….cont

Message authentication protocol


transports authentication information
between session participants
Session management protocol

responsible for starting, running and
ending a particular session.
7/17/2016 3:02 PM
22
Message Authentication

Session Authenticator


Allows service instances to mutually verify
transient membership
Service Authenticator

Protocol for sending Web service to send
MACed SOAP envelope to receiving Web
Service
7/17/2016 3:02 PM
23
Session Authenticator




Sending instance prepares SOAP
envelope
Optionally uses XML encryption
Adds authentication to SOAP header
Using SOAP-DSIG applies MAC to
envelope under session key.
7/17/2016 3:02 PM
24
Session Auth….cont…





Receiver checks for session key.
Else obtains key from session manager.
Validates MAC and accepts SOAP
envelope.
Decrypts encrypted message.
Receiver now has authenticated mesg
and session handle.
7/17/2016 3:02 PM
25
Service Authenticator





Sending service prepares SOAP
envelope.
Adds authentication header.
Uses SOAP-DSIG to digitally sign mesg.
Optionally uses XML encryption.
Receiver decrypts, validates signature,
verifies its own sign and accepts.
7/17/2016 3:02 PM
26
Session Management

Initiator of session could be SA





Assigning session Ids.
Creating session secrets.
Maintaining status information for each
session.
Keeping participants informed of the
status.
Shutting down sessions.
7/17/2016 3:02 PM
27
Online session Management
7/17/2016 3:02 PM
28
Drawbacks ..




SA cannot measure the validity of
service instance
Anyone who has session ID can contact
SA.
An attacker who has compromised an
instance can request to join session
No unique identifier for each instance
7/17/2016 3:02 PM
29
Issues not considered

What if Session Manager is malicious??
7/17/2016 3:02 PM
30
WS-Security specifications



The WS-Security specifications protect
against:
Message alteration—By including
digital signatures for all or parts of the
SOAP body and the SOAP header.
Message disclosure—By supporting
message encryption.
7/17/2016 3:02 PM
31
….Specifications cont


Preserve message integrity through the
use of strong key algorithms.
Authenticate messages through the use
of various token mechanisms such as
Kerberos and X.509.
7/17/2016 3:02 PM
32
Challenges




Dealing with un-trusted clients.
Application internals are exposed.
SOAP messages are not point to point
Challenge is to preserve security of
SOAP message from initial SOAP sender
to ultimate SOAP receiver.
7/17/2016 3:02 PM
33
SSL is inadequate




SSL cannot be used to authenticate
dynamically generated participants
SSL provides point-to-point security
Web Services need end-to-end security
SSL does not support



End-to-end confidentiality
Element wise signing and encryption
Non-repudiation
7/17/2016 3:02 PM
34
A Proposal….Adaptive
approach



Requirements of users may vary.
Is there need for stringent measures
uniformly to every node and transaction
Can we apply as much security as a
particular transaction requires?
7/17/2016 3:02 PM
35
Sophisticated Web Services

E.g order for aircraft engine





Spawns multiple supporting transactions
Orders to individual parts
Orders for shipping containers
Etc
Involves handling huge volumes of
traffic
7/17/2016 3:02 PM
36
Adaptive approach ….cont



For Simple Web services existing
security measures may suffice.
For sophisticated Web Services
involving long transactions trusted third
party model desirable.
Can an adaptive/hybrid approach be
implemented???
7/17/2016 3:02 PM
37
References
1. S. Hada and H. Maruyama, “Session Authentication Protocol for Web Services,”
Proc. 2002 IEEE Symposium on Application and the Internet, pp. 158-165, Jan. 2002.
2. Dacheng Zhang and Jie Xu, “Multi-Party Authentication for Web Services:
Protocols, Implementation and Evaluation,” Proc. 2004 IEEE Symposium on
Object Oriented Real-time Distributed Computing.
3. M.Hondo, N. Nagaratnam, A.Nadalin, “Securing Web Services,” IBM Systems Journal,
Vol 41, No. 2, 2002.
4. David Geer, “Taking Steps to Secure Web Services,” IEEE Computer, Vol 36,
Oct 2003.
5. V Vasudevan, “A Web Services Primer”,
http://www.xml.com/pub/a/2001/04/04/Webservices/, April 2001.
6. Y. Nakamur, S. Hada and R. Neyama, “Towards the Integration of
Web Services Security on Enterprise Environments,” Proc. 2002 Symposium on
Applications and the Internet, pp. 166-177, Jan 2002.
7. W3C NOTE, Simple Object Access Protocol (SOAP) 1.1, http://www.w3.org/TR/SOAP/
7/17/2016 3:02 PM
38
References
8. W3C NOTE, SOAP Security Extensions: Digital Signature,
http://www.w3.org/TR/SOAP-dsig.
9. Web `Services Security(WS-Security),
http://www.ibm/developerworks/library/ws-secure.
10. Web Services Security Threats and Countermeasures,
Microsoft Corporation, Jan 2004.
7/17/2016 3:02 PM
39