Welcome!

SOA & WOA Authors: Liz McMillan, Vincent Brasseur, Elizabeth White, Ignacio M. Llorente, Natalie Lerner

Related Topics: SOA & WOA

SOA & WOA: Article

Who's Master of Your Domain?

Web services security in an unfriendly world

W.C. Fields once said, "The practice of keyhole-listening is usually confined to hotels and boarding houses. It is absolutely indefensible to stoop so low. If the transom is not ajar, remember there are plenty of other rooms in the building." Hackers on the Web can take a similarly cavalier attitude - surfing from site to site until they find one whose "transoms are ajar." The question for you is whether yours are among them.

Information is an increasingly valuable asset in most organizations. Information security is about protecting that asset. Computer security deals with protecting data on corporate systems, network security with protecting data in transit across corporate networks. William Stallings introduced the term internetwork security, combining elements of both computer and network security, to cover tools and techniques for protecting data in today's internetworked world.

Internetwork security is most relevant to Web services because it brings together the mechanisms for protecting clients and servers operating across interconnected networks such as the Internet. Internetwork security involves recognizing and countering attacks that may occur as part of transmitting information between parties across such open networks. The Web services recommendations and standards I cover in this article address three specific types of internetwork attacks:

  • Fabrication: Unauthorized parties masquerading their identities or inserting unauthorized messages.
  • Interception: Unauthorized parties "listening in" on conversations.
  • Modification: Unauthorized parties changing message content.
Web services counter these attacks by weaving together security services specifically designed to detect, prevent, or counter elements of the attacks to create "virtual trust domains" like that shown in Figure 1.

The National Institute of Standards and Technology (NIST) defines a trust domain as "a group that operates under the supervision of a Domain Policy Management Authority, uses consistent policies, and has similar Certification Practice Statements." Domain members enter into mutual trust relationships, either directly or through third parties, as part of any sensitive information exchange. Security policies governing these relationships may be broad, saying that parties can openly "talk" to anyone, or extremely narrow, saying parties must verify each and every aspect of every conversation. The sensitivity of the information, the number of unknown and untrusted parties in the network, and the price of compromise must all enter into the decision about how much security is enough.

When you make services available on the Internet, your security focus must shift from protecting systems and private networks to protecting individual machines, users, and applications (or services). The lack of a single policy management authority and agreed-upon certification practice statements makes creating trust domains in this environment extremely challenging. The Internet is a collection of cooperating internetworks, each potentially with its own security policies and certification authority, therefore Web services crossing domain boundaries must create "virtual trust domains" that are inclusive (contain all the parties to the transaction: the Web services client and server, potentially the UDDI service, and any third-party brokers) and bridge any policy differences. Web services integrate four basic security services to create such virtual trust domains:

  • Authentication: Verifying parties are in fact who they say they are.
  • Authorization: Ensuring parties only have permissions, accesses, and authorities they warrant.
  • Confidentiality: Ensuring intermediaries cannot see data exchanged between parties.
  • Integrity: Verifying intermediaries did not modify data in transit between parties.
Figure 2 shows how three key Web services standards (WS-Policy, WS-Security, and WS-Trust), in conjunction with a number of existing and derivative standards, provide the underlying framework for integrating these security services together. While I'll primarily talk about using security services to create relationships between Web services clients and servers, you can use the same techniques for establishing trust relationships among any of the actors.

WS-Policy
Security begins with a set of security policies. Security policies are rules marrying security tokens, which are representations of sets of security information or claims, to messages (the lingua franca for Web services exchanges). In an exchange, the client is responsible for including the right tokens in the message; the Web services server is responsible for using those tokens to enforce the security policy in place. Enforcement involves verifying the client's claims against the policy in determining whether to honor or deny the request. Verification may be in-band, part of the message flow, or out-of-band, based on a pre-set decision.

WS-Policy and WS-SecurityPolicy make policies discoverable by providing grammars for describing policies as sets of conditions on actions (policy assertions) and for identifying specific elements of a security policy such as:

  • The security tokens a Web service will accept (user-id/password, Kerberos tickets, X.509 certificates, Security Assertion Markup Language [SAML] assertions, etc.)
  • The message digest algorithms a Web service supports
  • The encryption algorithms a Web service supports
  • The message elements or tags that must remain unencrypted
Using these grammars, servers can unambiguously publish their security policies and clients can discover them at runtime, if necessary. A server can publish its policies through either its UDDI entries or some other mechanism known and accessible to its clients.

WS-Security
The policy tells clients "which" security tokens to use; WS-Security tells them "how" to encode those tokens as XML. The standard includes elements for representing user IDs, passwords, Kerberos tickets, and X.509 certificates as part of the SOAP message header, and builds on the XML Encryption and XML Signature standards for providing message confidentiality and integrity. WS-Security also supports SAML because SAML assertions are simply wrappable XML.

WS-Trust
Some security tokens require third-party brokers. WS-Trust provides the request/response model, and syntax for requesting, obtaining, and verifying security tokens from such brokers. WS-SecureConversation extends WS-Trust for establishing security contexts for exchanging multiple messages by defining three types of contexts: those created by a token service, those created by one of the communicating parties, and those created through negotiation. Once parties establish a security context they can exchange multiple messages without having to reestablish claims.

Authentication
The authentication service validates identities as part of creating trust relationships. In direct trust relationships, the client presents unendorsed claims, such as a user ID and password. The server trusts these claims solely on the basis of the client's knowledge or possession of the necessary token. In brokered trust relationships, the server accepts claims that a trusted third party either endorses or presents on the client's behalf. The third-party is a security token service, such as a Certificate Authority (CA), Kerberos Key Distribution Center (KDC), or SAML service. Most consider third-party tokens more secure than simple user ID/password schemes because of the increased sophistication of the attack necessary to compromise them.

WS-Security does not specify a particular authentication method, so you have several options available for implementing authentication services. One option is to build authentication directly around traditional security tokens such as user ids and passwords, Kerberos tickets, or X.509 certificates. WS-Trust describes how to build trust relationships using these tokens following the model shown in Figure 3. IBM and Microsoft first presented this as a general model in their Security Roadmap subsuming more specific models such as identity-based security, access control lists, and capabilities-based security. In this model, if a component does not have the tokens necessary to substantiate claims, it contacts a Token Service it trusts to obtain those tokens.

SAML offers an option combining one or more external authorities and assertions. It defines three types of assertions: authentication for proving user identity, attribute for specifying details about the user, and authorization for describing what the user can do. Figure 4 illustrates the SAML model. In this model, the subject (client) sends its credentials to up to three different authorities to obtain assertion references it can include in the message it sends to the Policy Enforcement Point (PEP) (Web services server) that controls the resources. The PEP uses the references to request the actual assertions (authentication decision) from the issuing authority or Policy Decision Point (PDP).

Regardless of which authentication method you use, or how parties establish context, the parties must agree for it to succeed. From the authentication service's standpoint, it's all about who you trust. A brokered token from an untrusted broker is no better than a direct token from an untrusted client.

Authorization
The authorization, or access control, service maps the user's identity against their permissions for the resources being used or requested. It assumes authentication. Permissions are actions the user can perform. Primitive permissions include atomic activities such as create, read, update, and delete; advanced permissions include more abstract activities such as debit, credit, buy, and sell. In Web services applications, permissions often map to Web services transactions.

The two most prevalent approaches to access control on the Web are:

  • User-based access control (UBAC): User's identity determines their accesses.
  • Role-based access control (RBAC): Roles bring together collections of users and permissions.
The Extensible Access Control Markup Language (XACML) is the rapidly emerging authorization standard. XACML provides a grammar for expressing access control policies as access matrices of authorization rules stated as subjects, actions, objects, and conditions. It includes elements for expressing access control information within XML documents and a request/response language for determining specific access permissions. Figure 5 illustrates the XACML model where the subject (client) wants to take an action (request) on a resource belonging to a PEP (a Web services server). The PEP uses XACML to request the access authorization decision from a PDP that makes a determination based on XACML access policies and returns the decision to the PEP.

SAML and XACML are complementary standards sharing basic concepts and definitions, hence I foresee them becoming the predominant mechanisms once implementing products are widely available.

Confidentiality
The confidentiality service generally uses an encryption function to ensure privacy. Encryption changes the data being protected from plain text into a cipher text that only the sender and receiver can understand. Encryption programs apply an algorithm in combination with an encryption key in order to make that transformation. The key may be a shared secret (a symmetric key that both parties share) or different halves of a public, private key pair (asymmetric algorithms use one of the keys to encrypt the data, the other to decrypt it). The strength of the encryption, how difficult it is to break, is a function of the algorithm and the key length. Encryption ensures confidentiality because while someone may still be able to steal the traffic, they are stealing meaningless bits unless they also know the algorithm and a key.

WS-Security leverages XML Encryption for confidentiality. XML Encryption provides for encrypting individual elements (including the tags), only their content, and complete documents. This flexibility enables end-to-end encryption in a Web services environment while supporting some processing by intermediaries - an advantage over point-to-point solutions such as SSL.

XML Encryption defines elements for carrying cipher text and information about underlying encryption algorithms and encryption keys. XML Encryption supports: Data Encryption Standard (DES) and Advanced Encryption Standard (AES) for block encryption and key wrapping, Rivest-Shamir-Adelman (RSA) for key transport, Diffie-Hellman for key agreement, and Secure Hash Algorithm (SHA) and RIPEMD for message digest. While XML Encryption does not include stream encryption algorithms, it is extensible given that parties agree on the algorithm and its usage. XML Encryption also supports super encryption, i.e., encrypting data multiple times to strengthen the encryption.

Integrity
The integrity service generally uses a digital signature capability to ensure nonrepudiation. WS-Security leverages XML Signature in this area. XML Signature provides for signing both individual elements and entire documents. The standard defines elements for describing: what is signed, the signature itself, the canonicalization method used to deal with different data streams within elements, any transformations applied prior to generating the message digest, and the digest method used to generate the signature.

Digital signature algorithms create signatures in a four-step process. The first step converts the document (or element) into a standard form through the application of a canonicalization, or standard serialization, algorithm. The Exclusive XML Canonicalization recommendation specifies Canonical XML (XML-C14N) as the standard serialization technique for Web services. The second step is to apply one or more transformations to the canonicalized content. The document (or element) in standard form becomes the input to the first transformation. The output of each transformation becomes the input to the subsequent transformation procedure. The output from the final transformation procedure becomes the input to the digest function. Transformation operations include canonicalization, encoding/decoding, compression/inflation, XSLT, XPath, XML Schema validation, and XInclude. The third step is to process the content through a secure hash function to create a message digest (message digest algorithms, such as Message Digest 5 [MD5] and SHA, use a hash function to create a unique code that becomes a digital fingerprint for the document). The final step encrypts the message digest, using the client's private encryption key, to create a digital signature. The digital signature is then appended to the document. The recipient recalculates the message digest and compares it to the sender's to ensure the document was not changed. The recipient uses the sender's public encryption key to verify the digital signature.

Communicating the order of the encryption and signing operations is an important consideration. WS-Security modifies XML Signature to add a decryption transformation. This allows the sender to include decryption order as part of the transformation information for the message. The recipient simply reverses the order to decrypt the correct message parts before recomputing the message digest.

Virtual Trust Domains
Figures 6 and 7 illustrate how these concepts come together in J2EE and .NET environments. In both cases, a client requests services from a Web services server hosted within a trust domain formed by one or more systems in physical trust relationships. The Web services server establishes a dynamic trust relationship with the client thereby creating a virtual trust domain. The client and Web services server then exchange whatever number of messages is relevant to the transaction including the necessary security tokens and signing and encrypting message parts, as appropriate. The security policies in place, in combination with the strength of the security tokens, encryption, and digest algorithms in use, establish the strength of the trust relationship.

Conclusion
The Web services and XML standards I've discussed provide the framework necessary to create security strategies in these environments. In creating your security strategy, you must also consider computer and network security of your systems and the vulnerabilities others' clients may introduce. You may want to leverage additional mechanisms, such as SSL and IPSec, where appropriate to bolster the techniques I've discussed. One size does not fit all. The important thing is that you take a comprehensive approach to ensure you are doing everything necessary in your Web services to protect sensitive information and resources they control. Remember, your services are only as secure as their weakest link. Are you master of your domain, or are your transoms ajar? Don't wait until after an attack to find out.

More Stories By Rickland Hollar

Rickland Hollar is a senior applications architect with the Central Intelligence Agency with over 30 years of experience in the industry. The views expressed in this article are his own and not necessarily those of the Agency. Prior to joining the CIA, he was president of a Virginia-based software development firm.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


@ThingsExpo Stories
Scott Jenson leads a project called The Physical Web within the Chrome team at Google. Project members are working to take the scalability and openness of the web and use it to talk to the exponentially exploding range of smart devices. Nearly every company today working on the IoT comes up with the same basic solution: use my server and you'll be fine. But if we really believe there will be trillions of these devices, that just can't scale. We need a system that is open a scalable and by using the URL as a basic building block, we open this up and get the same resilience that the web enjoys.
The Internet of Things is tied together with a thin strand that is known as time. Coincidentally, at the core of nearly all data analytics is a timestamp. When working with time series data there are a few core principles that everyone should consider, especially across datasets where time is the common boundary. In his session at Internet of @ThingsExpo, Jim Scott, Director of Enterprise Strategy & Architecture at MapR Technologies, discussed single-value, geo-spatial, and log time series data. By focusing on enterprise applications and the data center, he will use OpenTSDB as an example t...
P2P RTC will impact the landscape of communications, shifting from traditional telephony style communications models to OTT (Over-The-Top) cloud assisted & PaaS (Platform as a Service) communication services. The P2P shift will impact many areas of our lives, from mobile communication, human interactive web services, RTC and telephony infrastructure, user federation, security and privacy implications, business costs, and scalability. In his session at @ThingsExpo, Robin Raymond, Chief Architect at Hookflash, will walk through the shifting landscape of traditional telephone and voice services ...
The Domain Name Service (DNS) is one of the most important components in networking infrastructure, enabling users and services to access applications by translating URLs (names) into IP addresses (numbers). Because every icon and URL and all embedded content on a website requires a DNS lookup loading complex sites necessitates hundreds of DNS queries. In addition, as more internet-enabled ‘Things' get connected, people will rely on DNS to name and find their fridges, toasters and toilets. According to a recent IDG Research Services Survey this rate of traffic will only grow. What's driving t...
Enthusiasm for the Internet of Things has reached an all-time high. In 2013 alone, venture capitalists spent more than $1 billion dollars investing in the IoT space. With "smart" appliances and devices, IoT covers wearable smart devices, cloud services to hardware companies. Nest, a Google company, detects temperatures inside homes and automatically adjusts it by tracking its user's habit. These technologies are quickly developing and with it come challenges such as bridging infrastructure gaps, abiding by privacy concerns and making the concept a reality. These challenges can't be addressed w...
Explosive growth in connected devices. Enormous amounts of data for collection and analysis. Critical use of data for split-second decision making and actionable information. All three are factors in making the Internet of Things a reality. Yet, any one factor would have an IT organization pondering its infrastructure strategy. How should your organization enhance its IT framework to enable an Internet of Things implementation? In his session at Internet of @ThingsExpo, James Kirkland, Chief Architect for the Internet of Things and Intelligent Systems at Red Hat, described how to revolutioniz...
Bit6 today issued a challenge to the technology community implementing Web Real Time Communication (WebRTC). To leap beyond WebRTC’s significant limitations and fully leverage its underlying value to accelerate innovation, application developers need to consider the entire communications ecosystem.
The definition of IoT is not new, in fact it’s been around for over a decade. What has changed is the public's awareness that the technology we use on a daily basis has caught up on the vision of an always on, always connected world. If you look into the details of what comprises the IoT, you’ll see that it includes everything from cloud computing, Big Data analytics, “Things,” Web communication, applications, network, storage, etc. It is essentially including everything connected online from hardware to software, or as we like to say, it’s an Internet of many different things. The difference ...
Cloud Expo 2014 TV commercials will feature @ThingsExpo, which was launched in June, 2014 at New York City's Javits Center as the largest 'Internet of Things' event in the world.
SYS-CON Events announced today that Windstream, a leading provider of advanced network and cloud communications, has been named “Silver Sponsor” of SYS-CON's 16th International Cloud Expo®, which will take place on June 9–11, 2015, at the Javits Center in New York, NY. Windstream (Nasdaq: WIN), a FORTUNE 500 and S&P 500 company, is a leading provider of advanced network communications, including cloud computing and managed services, to businesses nationwide. The company also offers broadband, phone and digital TV services to consumers primarily in rural areas.
"There is a natural synchronization between the business models, the IoT is there to support ,” explained Brendan O'Brien, Co-founder and Chief Architect of Aria Systems, in this SYS-CON.tv interview at the 15th International Cloud Expo®, held Nov 4–6, 2014, at the Santa Clara Convention Center in Santa Clara, CA.
The major cloud platforms defy a simple, side-by-side analysis. Each of the major IaaS public-cloud platforms offers their own unique strengths and functionality. Options for on-site private cloud are diverse as well, and must be designed and deployed while taking existing legacy architecture and infrastructure into account. Then the reality is that most enterprises are embarking on a hybrid cloud strategy and programs. In this Power Panel at 15th Cloud Expo (http://www.CloudComputingExpo.com), moderated by Ashar Baig, Research Director, Cloud, at Gigaom Research, Nate Gordon, Director of T...

ARMONK, N.Y., Nov. 20, 2014 /PRNewswire/ --  IBM (NYSE: IBM) today announced that it is bringing a greater level of control, security and flexibility to cloud-based application development and delivery with a single-tenant version of Bluemix, IBM's platform-as-a-service. The new platform enables developers to build ap...

An entirely new security model is needed for the Internet of Things, or is it? Can we save some old and tested controls for this new and different environment? In his session at @ThingsExpo, New York's at the Javits Center, Davi Ottenheimer, EMC Senior Director of Trust, reviewed hands-on lessons with IoT devices and reveal a new risk balance you might not expect. Davi Ottenheimer, EMC Senior Director of Trust, has more than nineteen years' experience managing global security operations and assessments, including a decade of leading incident response and digital forensics. He is co-author of t...
Technology is enabling a new approach to collecting and using data. This approach, commonly referred to as the "Internet of Things" (IoT), enables businesses to use real-time data from all sorts of things including machines, devices and sensors to make better decisions, improve customer service, and lower the risk in the creation of new revenue opportunities. In his General Session at Internet of @ThingsExpo, Dave Wagstaff, Vice President and Chief Architect at BSQUARE Corporation, discuss the real benefits to focus on, how to understand the requirements of a successful solution, the flow of ...
The security devil is always in the details of the attack: the ones you've endured, the ones you prepare yourself to fend off, and the ones that, you fear, will catch you completely unaware and defenseless. The Internet of Things (IoT) is nothing if not an endless proliferation of details. It's the vision of a world in which continuous Internet connectivity and addressability is embedded into a growing range of human artifacts, into the natural world, and even into our smartphones, appliances, and physical persons. In the IoT vision, every new "thing" - sensor, actuator, data source, data con...
"BSQUARE is in the business of selling software solutions for smart connected devices. It's obvious that IoT has moved from being a technology to being a fundamental part of business, and in the last 18 months people have said let's figure out how to do it and let's put some focus on it, " explained Dave Wagstaff, VP & Chief Architect, at BSQUARE Corporation, in this SYS-CON.tv interview at @ThingsExpo, held Nov 4-6, 2014, at the Santa Clara Convention Center in Santa Clara, CA.
Focused on this fast-growing market’s needs, Vitesse Semiconductor Corporation (Nasdaq: VTSS), a leading provider of IC solutions to advance "Ethernet Everywhere" in Carrier, Enterprise and Internet of Things (IoT) networks, introduced its IStaX™ software (VSC6815SDK), a robust protocol stack to simplify deployment and management of Industrial-IoT network applications such as Industrial Ethernet switching, surveillance, video distribution, LCD signage, intelligent sensors, and metering equipment. Leveraging technologies proven in the Carrier and Enterprise markets, IStaX is designed to work ac...
C-Labs LLC, a leading provider of remote and mobile access for the Internet of Things (IoT), announced the appointment of John Traynor to the position of chief operating officer. Previously a strategic advisor to the firm, Mr. Traynor will now oversee sales, marketing, finance, and operations. Mr. Traynor is based out of the C-Labs office in Redmond, Washington. He reports to Chris Muench, Chief Executive Officer. Mr. Traynor brings valuable business leadership and technology industry expertise to C-Labs. With over 30 years' experience in the high-tech sector, John Traynor has held numerous...
The 3rd International @ThingsExpo, co-located with the 16th International Cloud Expo - to be held June 9-11, 2015, at the Javits Center in New York City, NY - announces that it is now accepting Keynote Proposals. The Internet of Things (IoT) is the most profound change in personal and enterprise IT since the creation of the Worldwide Web more than 20 years ago. All major researchers estimate there will be tens of billions devices - computers, smartphones, tablets, and sensors - connected to the Internet by 2020. This number will continue to grow at a rapid pace for the next several decades.