Why use WS-Security?

Chris Seary
Chris Seary Computing Ltd
MVP, CISSP, CLAS Consultant

What is WS-Security?

WS-Security applies security functionality (such as integrity, non-repudiation, authentication, confidentiality) to elements within an XML SOAP document. An XML schema, held by OASIS (http://www.oasis-open.org/specs/index.php), describes how the different elements are applied within a document.

Here is the XML from a basic SOAP method, sent within an HTTP POST.

Now, here is a call to the same method, but this time using WS-Security to add authentication credentials.

In this example, you can see the <wsse:UsernameToken> element, which holds the username and password. The advantage of using a standard schema for adding security to a SOAP message is that this is a global format, readable by all compliant systems across the internet. Without a standard format, every web service would have to write custom code to perform these security services. As this is a standard format, components have been written by manufacturers such as Sun and Microsoft to add security elements with a minimum of configuration.

Other options for securing communications

There has been a lot of confusion arising from the way that the newer web security formats are described. As WS-Security emerged, developers would often refer to it as application layer security, while more traditional protocols such as IPSec and SSL were referred to as transport layer security. The TCP/IP stack used for network communications between hosts has a number of layers. As you can see, the protocol stack already has both an application layer and a transport layer! These different layers in the protocol stack offer security for confidentiality, authentication and integrity.

[Figure: the TCP/IP protocol stack, showing where SSL, IPSec and PPP sit]

The two mechanisms traditionally used by developers when architecting secure communications are SSL and IPSec. SSL is usually implemented by configuring the web service in Internet Information Services (IIS).
A certificate, with the subject name matching the web site, is passed to the client. The client then generates a symmetric key, which is sent back to the web server, encrypted with the public key from the certificate. Only the web server, with its private key matching the public key of the certificate, can decrypt this symmetric key. The symmetric key is then used for secure communications during the request. To perform authentication similar to the WS-Security example (shown earlier), the username and password would be passed in the HTTP variables. The web server would authenticate the user against Active Directory.

IPSec uses the Diffie-Hellman key exchange algorithm. Each of the two communicating servers passes key material to contribute to the secure creation of a symmetric key. This key is then used to encrypt specific types of traffic passing between the two servers. Security Associations are created on each server; if there are matching Security Associations on each server, then security is applied.

http://technet2.microsoft.com/windowsserver/en/library/8fbd7659-ca23-4320-a3506890049086bc1033.mspx?mfr=true

Some of the processing power required for IPSec encryption can be offloaded onto specially designed Network Interface Cards.

IPSec and SSL are examples of security provided by networking protocols. WS-Security is sometimes called a wire format, as it is the actual message that is directly secured.

Which to use: IPSec, SSL or WS-Security?

It’s important to match the security functionality provided by these different technologies to requirements. Let’s look at the different security functionality generally required by applications.

Integrity

If it’s necessary to ensure that data has not been tampered with during transit, then cryptography is used to provide integrity. IPSec, SSL and WS-Security all provide this. IPSec uses Authentication Header (AH) mode, which adds a hash of the data to the packet.
SSL securely generates and shares a symmetric key when negotiating the connection, and so no other party can decrypt what is being sent. This means it cannot be altered without the receiving party being aware. WS-Security can be used to digitally sign either a part or the whole of a message.

Confidentiality

All three also provide confidentiality. IPSec uses Encapsulating Security Payload (ESP) mode to encrypt all data sent, using the symmetric key generated during the Diffie-Hellman exchange. SSL, as stated before, securely passes a symmetric key between client and server for every request. This means that each request is encrypted with a unique key. WS-Security can encrypt the entire contents of the <body> or <header> elements, or both. It is also able to encrypt only part of the message, perhaps just one element.

What is the advantage of this? There are an increasing number of networks using Intrusion Detection Systems (IDS). These systems monitor the type, source and destination of packets moving across the network, inspecting their contents. In some circumstances, if an IDS is present, the security architect in charge of the network may not allow traffic to be encrypted by IPSec or SSL, as the traffic cannot be inspected due to encryption. WS-Security gives the benefit of allowing small parts of the data (perhaps name, userid) to be encrypted, leaving the rest of the communication in the clear. This would leave the IDS able to perform its function while still giving the necessary level of confidentiality.

Non-Repudiation

Non-repudiation means that someone cannot deny having done something. In this case, if a message has been sent by one party to another (across a network), it may be necessary to hold the originating party to what they have communicated. This may be the case in a financial transaction. Digital signatures not only provide integrity; they can also provide non-repudiation when PKI certificates are used. Neither SSL nor IPSec offers this service.
However, WS-Security does, allowing you to sign all or just a part of a SOAP message. Anyone who has had to implement digital signatures will appreciate how easy it is to configure this via web service policy.

Authentication

IPSec functions at the network layer of the TCP/IP stack, and so it only authenticates hosts, rather than users. When SSL is used with a web server, credentials can be passed, allowing users to be identified. Credentials can also be passed via WS-Security, authenticating users.

IPSec authenticates computers using either Kerberos, certificates or a pre-shared key (the last is recommended only for testing purposes). SSL has a richer authentication mechanism: username/password, certificates, digest, Passport, Windows. Each of these authenticates against Active Directory. WS-Security has all of the authentication mechanisms available to SSL, but the authentication model is pluggable. Custom providers can be written to handle checking of passwords, for instance.

What’s the advantage of this? When creating a standard .aspx web site, if one wishes to use a database for holding users, Forms authentication is available. The authentication mechanism is thus overridden, substituting a custom SQL database for Active Directory. WS-Security and custom providers add this type of flexibility to web services. WSE and WCF implementations allow the ASP.NET membership providers to be used for authentication. The SQL database that comes with these providers can be quickly and easily integrated into a web service.

Summary

The table below gives an overview of the security functionality provided by each of IPSec, SSL and WS-Security. WS-Security, although it is quite verbose, offers non-repudiation and a customizable security database, which the other two technologies do not. It also allows fine-grained security to be applied to individual sections of the SOAP document.
IPSec
  Integrity: Yes
  Confidentiality: Yes
  Non-repudiation: No
  Authentication: authenticates hosts against Active Directory (certificates, Kerberos, shared key)

SSL
  Integrity: Yes
  Confidentiality: Yes
  Non-repudiation: No
  Authentication: authenticates users against Active Directory (username/password, digest, Passport, certificates, Windows)

WS-Security
  Integrity: Yes
  Confidentiality: Yes, and allows fine-grained encryption of individual elements
  Non-repudiation: Yes, with fine-grained addition of digital signatures to the document
  Authentication: authenticates users against Active Directory or a custom database/schema (username/password, digest, Passport, certificates, Windows)

As stated at the beginning of this piece, to get the most out of these tools it’s best to match security capabilities to requirements. If you need non-repudiation, customizable authentication functionality or fine-grained security, only WS-Security will satisfy your requirements. WS-Security and WS-Trust are fundamental to WS-Federation, allowing Single Sign-On and Identity Management technologies to exist across the internet.