Monday, November 28, 2011
Web Services Security - The Basics
Wikipedia defines Web services as “Application programming interfaces (API) or web APIs that can be accessed over a network, such as the Internet, and executed on a remote system hosting the requested services”. Put more simply, a web service is a function of an application that is made available for other developers to integrate into their own applications.
Say I have a piece of code that precisely calculates the age of any girl based on 5 questions and their answers. Believe me, this is a really difficult piece of code and everyone will wish to have it on their website. Now if I publish this code as a service, you as a developer can simply use this service and integrate it into your application instead of racking your gray cells trying to write one of your own. Since web services can be used to connect to data sources even from outside the enterprise, they are prone to hacker attacks.
Before moving on to basic security concepts, let's first understand the four technologies that form the basis of web services:
Web Services thus aim to deliver interoperability and reusability, helping different business applications talk and transact across multiple platforms. And like any other technology, Web Services do not have security incorporated or enabled by default. Web Services Security can broadly be divided into two categories: interface and implementation security, and message security.
Interface and implementation security includes controls such as Secure Socket Layer (SSL) and Access Control Lists (ACL). These are the basic web-based security implementations.
For message security, XML mechanisms such as WS-Security, the Security Assertion Markup Language (SAML), XML Signature and XML Encryption can sign, encrypt, and authenticate message data. This increases trust in the confidentiality and authenticity of data in transit, giving a greater sense of security. Let us take a quick overview of each.
XML Signature defines XML syntax for digital signatures. Also referred to as XML DSig, it is more flexible than PGP and other forms of digital signature because it operates on the XML Infoset rather than on binary data. (The XML Infoset, in simpler words, describes an XML document as a data model in terms of information items.) It is core to WS-Security, XKMS, and other Web services security standards. It provides integrity and non-repudiation, and can play a vital role in the key-sharing process that XML Encryption needs.
Another important concept is canonicalization. Verifying data integrity in XML is particularly challenging, since differences between platforms and XML parsers can result in logically equivalent documents being physically different. Canonicalization therefore brings the element to be signed into a standard form, eliminating meaningless differences like white space and line endings, so that only the meaningful content is signed.
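As an added example (not code from the original post), the following Python script shows why canonicalization matters for XML Signature: a signature computed over the C14N form of an element verifies for any equivalent serialization of it and fails on tampering. It uses the standard library's C14N 2.0 implementation (Python 3.8+) and an HMAC-SHA256 signature as a stand-in for the RSA signature a real XML DSig deployment would use; the key and the order documents are constructed.

```python
import hashlib
import hmac
from xml.etree import ElementTree as ET

SHARED_KEY = b"constructed-demo-key"  # stand-in for the real signing key

def canonical(xml_text: str) -> bytes:
    """C14N 2.0 form (stdlib): attributes sorted, double quotes, empty
    elements expanded, whitespace-only text stripped."""
    return ET.canonicalize(xml_text, strip_text=True).encode("utf-8")

def sign(xml_text: str) -> dict:
    """Two layers, as in XML DSig: a DigestValue over the canonical document,
    then a SignatureValue over the canonical SignedInfo that carries it."""
    digest = hashlib.sha256(canonical(xml_text)).hexdigest()
    signed_info = ('<SignedInfo><DigestMethod Algorithm="sha256"/>'
                   f'<DigestValue>{digest}</DigestValue></SignedInfo>')
    sig = hmac.new(SHARED_KEY, canonical(signed_info), hashlib.sha256).hexdigest()
    return {"SignedInfo": signed_info, "SignatureValue": sig}

def verify(xml_text: str, signature: dict) -> bool:
    """Check SignedInfo first, then the digest it vouches for; constant-time compares."""
    expected = hmac.new(SHARED_KEY, canonical(signature["SignedInfo"]),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signature["SignatureValue"]):
        return False  # SignedInfo was altered, so its DigestValue cannot be trusted
    claimed = ET.fromstring(signature["SignedInfo"]).findtext("DigestValue") or ""
    actual = hashlib.sha256(canonical(xml_text)).hexdigest()
    return hmac.compare_digest(claimed, actual)

# Constructed messages: identical XML Infoset, different bytes on the wire.
DOC_A = '<Order id="42" currency="USD"><Item sku="A1"/><Total>10.00</Total></Order>'
DOC_B = ("<Order currency='USD'   id=\"42\">\r\n"
         "  <Item sku='A1'></Item>\r\n  <Total>10.00</Total>\r\n</Order>")
DOC_TAMPERED = DOC_B.replace("10.00", "1.00")

if __name__ == "__main__":
    sig = sign(DOC_A)
    print("raw bytes equal:      ", DOC_A == DOC_B)                       # False
    print("canonical forms equal:", canonical(DOC_A) == canonical(DOC_B))  # True
    print("DOC_B verifies:       ", verify(DOC_B, sig))                   # True
    print("tampered verifies:    ", verify(DOC_TAMPERED, sig))            # False
```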
XML Encryption provides end-to-end security for applications that require secure exchange of structured data. XML-based encryption is the best-suited way to handle complex XML security requirements in data interchange applications. TLS/SSL is traditionally used to encrypt the data in transit. However, XML Encryption provides a mechanism for security requirements that SSL does not cover. The following are the two important areas not addressed by SSL:
XML Encryption is divided into two main parts:
XML Encryption applies standard algorithms to data and then stores that encrypted result in XML.
The Security Assertion Markup Language (SAML) is an XML-based standard for exchanging authentication and authorization data between security domains, that is, between an identity provider (a producer of assertions) and a service provider (a consumer of assertions). An assertion is a statement about an individual or entity that is attached to the message. In short, SAML provides a set of rules for obtaining these assertions from trusted third-party services that make authentication and authorization decisions about individuals and entities. After the authority makes its assertion, SAML also provides a way to exchange that information.
The other single most important problem that SAML is trying to solve is the Web Browser Single Sign-On (SSO) problem.
WS-Security deals more with SOAP security and is a member of the WS-* family of web service specifications published by OASIS. The protocol specifies how integrity and confidentiality can be enforced on messages, and it abstracts different security technologies into claims and tokens. Its main focus is the use of XML Signature and XML Encryption to provide end-to-end security.
WS-Security describes three main mechanisms:
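As an added example, not from the original post, here is a defender-side check for one of the tokens WS-Security lets a client attach to a SOAP header: a UsernameToken carrying a PasswordDigest, as defined in the OASIS UsernameToken Profile 1.0 (which the post does not cover). It checks the digest, the freshness of the wsu:Created timestamp and nonce reuse; the credential store, the SOAP request and the timestamps are constructed.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from xml.etree import ElementTree as ET

NS = {  # namespace URIs from the OASIS WS-Security 1.0 specification
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
}
DIGEST_TYPE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
PASSWORDS = {"alice": "constructed-demo-password"}  # constructed credential store
SEEN_NONCES = set()              # replay cache; a real service persists and expires it
MAX_SKEW = timedelta(minutes=5)  # accepted age of the wsu:Created timestamp

def password_digest(nonce_b64: str, created: str, password: str) -> str:
    """PasswordDigest = Base64(SHA-1(nonce + created + password)), as the profile defines."""
    raw = base64.b64decode(nonce_b64) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()

def verify_username_token(envelope_xml: str, now: datetime) -> tuple:
    """Return (ok, reason) after checking the token's freshness, nonce and digest."""
    tok = ET.fromstring(envelope_xml).find("soap:Header/wsse:Security/wsse:UsernameToken", NS)
    names = ("wsse:Username", "wsse:Password", "wsse:Nonce", "wsu:Created")
    user, digest, nonce, created = [tok.findtext(n, namespaces=NS) if tok is not None else None for n in names]
    if None in (user, digest, nonce, created) or user not in PASSWORDS:
        return False, "incomplete token or unknown user"
    stamp = datetime.fromisoformat(created.replace("Z", "+00:00"))
    if not (now - MAX_SKEW <= stamp <= now + MAX_SKEW):
        return False, "Created timestamp outside freshness window"
    if nonce in SEEN_NONCES:
        return False, "nonce replayed"
    if not hmac.compare_digest(digest.encode(), password_digest(nonce, created, PASSWORDS[user]).encode()):
        return False, "password digest mismatch"
    SEEN_NONCES.add(nonce)
    return True, "ok"

CREATED = "2011-11-28T10:00:00Z"  # constructed request below, not a captured message
NONCE = base64.b64encode(b"0123456789abcdef").decode()
DEMO_NOW = datetime(2011, 11, 28, 10, 1, tzinfo=timezone.utc)
ENVELOPE = f"""<soap:Envelope xmlns:soap="{NS['soap']}"><soap:Header><wsse:Security xmlns:wsse="{NS['wsse']}" xmlns:wsu="{NS['wsu']}">
<wsse:UsernameToken><wsse:Username>alice</wsse:Username><wsse:Password Type="{DIGEST_TYPE}">{password_digest(NONCE, CREATED, PASSWORDS['alice'])}</wsse:Password>
<wsse:Nonce>{NONCE}</wsse:Nonce><wsu:Created>{CREATED}</wsu:Created></wsse:UsernameToken>
</wsse:Security></soap:Header><soap:Body><GetAge/></soap:Body></soap:Envelope>"""

def demo() -> list:
    SEEN_NONCES.clear()  # fresh token, the same token replayed, then presented an hour late
    return [verify_username_token(ENVELOPE, t) for t in (DEMO_NOW, DEMO_NOW, DEMO_NOW + timedelta(hours=1))]
```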
Other than the basic controls mentioned above, auditing should also be enabled. This can help detect requests that indicate a break-in attempt. Audit logs can also reveal larger weaknesses that might affect regulatory compliance and even corporate governance. Auditing can basically include the following categories:
Other issues which need to be considered while securing web services include:
Thus we have done a brief walk-through of security concepts and controls that can be implemented in Web Services. Controls for encryption, authentication, authorization, non-repudiation and availability, when implemented correctly, can help protect your web services against the prying eyes of hackers.