
Strategies for Securing Web Services

Jim Ducharme
Director of Development
Netegrity, Inc.

Session 1372
Overall Presentation Goal

Provide an understanding of the issues around securing Web services and some of the technologies and solutions being developed to help address them

Learning Objectives

• As a result of this presentation, you will be able to:
– Understand some of the key concepts of application security
– Understand how these concepts apply to Web services and what issues arise
– Learn about new technologies and solutions being developed to address these issues
– Understand how these technologies and solutions can be leveraged in a centralized model

Agenda

• What do we mean by security?
• Access Control and identity management
– Authentication techniques
– Hosted identity services
– Sharing user identity information
• Secure content
• Centralized access control model

What Is Security?

• Access control
– Identity management—Who are your users?
– Authentication—verifying user identity
– Authorization—what a user can do
– Auditing—keep track of what a user does
• Secure communication
– Keeping the conversation between
two parties private

Identity Management

Knowing Who Your Users Are

• Profile information
• Authentication information
– Shared secret
– Public key information
– Certificate information
• Authorization entitlements
– Gold card member
– Administrator
• Web services magnify the issue of ‘federated’ identity
Authentication Issues

Proving Who Someone Says They Are

• User credentials need to travel with the message
– Part of message transport (SSL w/ Certs)
– Included in the message itself
• How do you pass credentials with an XML message?
– Part of XML DTD/Schema
– SOAP headers
• How do we keep this information safe?

Authentication Schemes

XML Document-Based Credentials

• Credentials passed in document or SOAP header
• Requires secure transport of the message
• Credentials extracted/removed from message upon arrival

Authentication Schemes (Cont.)

X.509 Client Certificates

• Client certificate passed in SSL connection
• Requires all clients to have certificates
• Works with existing access control products
• Provides identity and secure message transport
• Requires server side to be integrated with PKI—(OCSP, XKMS, Key stores)
• Limited to point-to-point communication

Authentication Schemes (Cont.)

XML Signatures
• Binds a user identity to an XML document
• Proves messages are unaltered since they were signed
– What they signed is what you got…
• Document is signed using the sender’s
private key
• Signature is verified using the sender’s
public key
• Issue: How does the recipient get the
user’s public key?
Sharing User Information

W3C XML Key Management WG

• Based on XKMS 1.0
• Eases integration of PKI solutions
• Specification for registering, transporting, locating, and validating key information
• Can eliminate the need to store and validate keys
• Can eliminate the need to maintain the configuration required to validate keys (list of trusted parties, revocation lists, etc.)

Sharing User Information (Cont.)

SAML
• XML specification based on S2ML
being finalized out of OASIS TC
• Provides ability to pass user profile
information, authentication tokens,
and authorization entitlements
• Based on the concept of assertions
– A trusted authenticating authority
can state facts it knows about a user
– Authentication assertions
– Authorization assertions
How SAML Works

[Figure: purchase-order flow between Widgets, Inc. (Users, SAML Enabled Auth engine) and Pens, Inc. (Partners, SAML Enabled Auth Engine, Web Service). An XML PO with SAML assertions attached is sent by HTTP POST; labels in the diagram: Credentials, XML PO, PO w/ SAML, SAML.]

1. Employee of Widgets, Inc. authenticates with SAML Enabled access control product
2. Employee retrieves a set of SAML assertions and binds it to the XML purchase order (includes Authentication assertion and attribute assertions with spending limits)
3. PO w/ SAML assertions is sent to Pens Inc.
4. Assertion is extracted from PO, verified. Partner is authenticated and employee is authorized
5. If authorized, Web service request is passed on
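Steps 2 to 4 of this flow, together with the signing and verification described on the XML Signatures slide, as an added example in Go that is not part of the original presentation. The Assertion type, the canonical serialization and the Sign/Verify/NewIssuerKey functions are constructed for this example and stand in for real SAML XML and XML Signature processing; the partner is assumed to already hold the issuer's public key through a trusted channel (the question the XML Signatures slide raises), and the check order is signature, validity window, then the spending-limit attribute.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"time"
)

// Assertion is a constructed stand-in for a SAML authentication assertion
// carrying one attribute (the spending limit from the purchase-order flow).
type Assertion struct {
	Subject, Issuer string
	SpendingLimit   int
	NotOnOrAfter    time.Time
}

// NewIssuerKey generates the authenticating authority's RSA key pair (demo convenience).
func NewIssuerKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// canonical gives signer and verifier identical bytes to hash; XML Signature
// relies on canonicalization (C14N) for the same purpose.
func canonical(a Assertion) []byte {
	return []byte(fmt.Sprintf("subject=%s|issuer=%s|limit=%d|exp=%d",
		a.Subject, a.Issuer, a.SpendingLimit, a.NotOnOrAfter.Unix()))
}

// Sign binds the issuer to the assertion: a detached RSA PKCS#1 v1.5 / SHA-256 signature under the issuer's private key.
func Sign(a Assertion, priv *rsa.PrivateKey) ([]byte, error) {
	h := sha256.Sum256(canonical(a))
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
}

// Verify is the receiving partner's check: signature (content unaltered, trusted issuer key), validity window, then the amount.
func Verify(a Assertion, sig []byte, issuerPub *rsa.PublicKey, now time.Time, amount int) error {
	h := sha256.Sum256(canonical(a))
	if rsa.VerifyPKCS1v15(issuerPub, crypto.SHA256, h[:], sig) != nil {
		return fmt.Errorf("signature invalid: assertion altered or not from the trusted issuer")
	}
	if !now.Before(a.NotOnOrAfter) {
		return fmt.Errorf("assertion expired at %s", a.NotOnOrAfter.UTC())
	}
	if amount > a.SpendingLimit {
		return fmt.Errorf("amount %d exceeds asserted spending limit %d", amount, a.SpendingLimit)
	}
	return nil
}
```

A raised spending limit, an expired assertion, or an assertion checked against the wrong issuer key all fail at Verify before any authorization decision is made.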
Hosted Identity Services

• Centralized/federated user identity information
• User authentication
• Single sign-on across supported sites
• Reduces management and infrastructure costs for Web sites and services
• Improves user experience with single point of identity management and authentication

Hosted Identity Services (Cont.)

Microsoft Passport
• Part of Microsoft’s .NET strategy
• Centralized user store and authentication
service
• Reduces identity management and
authentication burden of service providers
• Currently limited to browser-based apps
• Attractive to consumer based services

Hosted Identity Services (Cont.)

Liberty Alliance
• Formed in Sept ’01
– Sun, AOL, etc.
• Developing a solution to support “federated”
user identity
• Common framework to enable single sign-on
and identity sharing
• A lot of muscle behind the effort but no real
solutions available yet

Secure Communication

Keeping the Conversation Private

• SSL
– Secures the message transport
– Limited to point-to-point communication
• XML Encryption
– W3C Working group—v.1.0 recommendation 10/01
– Secures the document itself
– Document may be sent safely over unsecured protocols
– Only intended recipient of message can view message content
– Different portions of document can be encrypted for use by different recipients
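The last two bullets in working code, as an added example that is not from the slides: one element of a document is sealed under a fresh content key, and that key is wrapped separately for each intended recipient, which mirrors the EncryptedData/EncryptedKey structure XML Encryption uses so that different portions can be read by different parties. The EncryptedElement type and the Encrypt/Decrypt/NewRecipientKey functions are constructed for this example and are not an XML Encryption implementation.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// EncryptedElement is a constructed stand-in for one encrypted XML element: EncryptedData plus one EncryptedKey per recipient.
type EncryptedElement struct {
	Name        string
	Nonce, Data []byte
	WrappedKeys map[string][]byte // recipient name -> content key wrapped with that recipient's RSA public key
}

// NewRecipientKey generates one recipient's RSA key pair (demo convenience; real recipients bring their own).
func NewRecipientKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// Encrypt seals one element under a fresh AES-256-GCM content key and wraps that key (RSA-OAEP)
// for each listed recipient; a recipient that is not listed cannot read this element.
func Encrypt(name string, plaintext []byte, recipients map[string]*rsa.PublicKey) (*EncryptedElement, error) {
	buf := make([]byte, 44) // 32-byte content key followed by a 12-byte GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	key, nonce := buf[:32], buf[32:]
	block, err := aes.NewCipher(key) // cannot fail for a 32-byte key
	gcm, _ := cipher.NewGCM(block)   // cannot fail for an AES block
	// The element name is bound as GCM associated data, so this ciphertext cannot be spliced into another element.
	e := &EncryptedElement{name, nonce, gcm.Seal(nil, nonce, plaintext, []byte(name)), map[string][]byte{}}
	for who, pub := range recipients {
		if e.WrappedKeys[who], err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil); err != nil {
			return nil, err
		}
	}
	return e, nil
}

// Decrypt is the recipient's side: unwrap the content key with its private key, then open the element.
func Decrypt(e *EncryptedElement, who string, priv *rsa.PrivateKey) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, e.WrappedKeys[who], nil)
	if err != nil || len(key) != 32 { // no EncryptedKey for this recipient, or it was tampered with
		return nil, rsa.ErrDecryption
	}
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, e.Nonce, e.Data, []byte(e.Name))
}
```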
Pulling It All Together

Centralized Access Control

• Treating security as a shared service to protect applications of all kinds
• Proven successful in large-scale, Web-based applications today
• Significantly reduces cost of deployment and maintenance
• Will evolve to support new technologies and identity models of Web services
• Usable today for securing Web services

How Centralized Access Control Works

[Figure: TransactionMinder deployed between the Internet, the DMZ and the intranet. Labels in the diagram: Delegated Administration and Management; Policy Store; Trading Partner; Partner UDDI Web Service; Web Service; Users; Discover; Consume; Auth/Az; Encryption; Transport; Non-repudiation; Digital Signing; SAML; Discovery.]
Summary

• Security starts with user identity
• New technologies to address unique authentication requirements of Web services
• New technologies target the XML content, not the transport
• User identity is moving outside the enterprise
• Hosted identity services to support federated user identity
• Centralized access control model will continue to evolve to support new technologies and identity models
So Remember…

The model for securing applications does not change for Web services; there are just new technologies to support it. Plan to leverage existing centralized access control products to protect your Web services.

For More Information…

• Securing Web Services Whitepaper:
http://members.netegrity.com/access/files/TransactionMinder.pdf
• SAML:
http://www.oasis-open.org/committees/security
• JSAML Toolkit:
http://www.netegrity.com/products
• JSAML Whitepaper:
http://www.netegrity.com/files/JSAMLwhitepaper.pdf
• XML Sig:
http://www.w3.org/Signature
• XML Encryption:
http://www.w3.org/Encryption/2001
• XKMS:
http://www.w3.org/2001/XKMS
• Microsoft Passport:
http://www.passport.com
• Liberty Alliance project:
http://www.projectliberty.org