Why use WS-Security?

pleasantroll (Security)

16 Feb 2014



Chris Seary
Chris Seary Computing Ltd
MVP CISSP
CLAS Consultant

What is WS-Security?


WS-Security applies security functionality (such as integrity, non-repudiation, authentication and confidentiality) to elements within an XML SOAP document. An XML schema, held by OASIS (http://www.oasis-open.org/specs/index.php), describes how the different elements are applied within a document.


Here is the XML from a basic SOAP method, sent within an HTTP POST.


Now, here is a call to the same method, but this time using WS-Security to add authentication credentials.





In this example, you can see the <wsse:UsernameToken> element, which holds the username and password. The OASIS Username Token Profile allows the password to be carried either in the clear (Type PasswordText, which is only acceptable over an encrypted channel) or as a PasswordDigest: a SHA-1 digest of a nonce, a creation timestamp and the password, so that the password itself never crosses the wire and a captured token cannot simply be resent.
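As an added example (not code from the original article), the following Python builds the kind of message just described, a SOAP envelope whose wsse:Security header carries a UsernameToken in the PasswordDigest form, and shows the receiving side checking it: it recomputes the digest from the stored password, enforces a freshness window on wsu:Created and refuses a replayed nonce. The service name, SOAP body, user store and the five-minute window are assumptions made for this example; the namespace URIs and the digest rule come from the OASIS profile. The lookup function handed to the verifier also stands in for the pluggable credential provider discussed later under Authentication.

```python
"""Added example (not from the original article): a SOAP 1.1 request carrying a
WS-Security UsernameToken in the PasswordDigest form of the OASIS Username Token
Profile, and a receiver that verifies it. Service name, SOAP body, user store and
the 5-minute freshness window are constructed; namespaces and digest rule are the profile's."""
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
B64_TYPE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
for _p, _uri in (("soap", SOAP_NS), ("wsse", WSSE_NS), ("wsu", WSU_NS)):
    ET.register_namespace(_p, _uri)  # so the output uses the conventional prefixes


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Profile rule: Password_Digest = Base64(SHA-1(nonce + created + password))."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def build_request(username: str, password: str, body_xml: str, now=None) -> str:
    """Client side: wrap a SOAP body in an Envelope whose Header carries the token."""
    created = (now or datetime.now(timezone.utc)).strftime(TIME_FMT)
    nonce = os.urandom(16)  # fresh per message, so the server can detect replays
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    sec = ET.SubElement(ET.SubElement(env, f"{{{SOAP_NS}}}Header"), f"{{{WSSE_NS}}}Security")
    sec.set(f"{{{SOAP_NS}}}mustUnderstand", "1")
    tok = ET.SubElement(sec, f"{{{WSSE_NS}}}UsernameToken")
    ET.SubElement(tok, f"{{{WSSE_NS}}}Username").text = username
    # Only the digest travels; the password itself never crosses the wire.
    ET.SubElement(tok, f"{{{WSSE_NS}}}Password", Type=DIGEST_TYPE).text = password_digest(nonce, created, password)
    ET.SubElement(tok, f"{{{WSSE_NS}}}Nonce", EncodingType=B64_TYPE).text = base64.b64encode(nonce).decode("ascii")
    ET.SubElement(tok, f"{{{WSU_NS}}}Created").text = created
    ET.SubElement(env, f"{{{SOAP_NS}}}Body").append(ET.fromstring(body_xml))
    return ET.tostring(env, encoding="unicode")


class UsernameTokenVerifier:
    """Receiver side. lookup_password is the pluggable credential store; it must return
    the plaintext password (or None), since the digest can only be recomputed from it.
    seen_nonces rejects a replayed token inside the freshness window."""

    def __init__(self, lookup_password, max_skew=timedelta(minutes=5)):
        self.lookup_password, self.max_skew, self.seen_nonces = lookup_password, max_skew, set()

    def verify(self, envelope_xml: str, now=None):
        now = now or datetime.now(timezone.utc)
        try:
            tok = ET.fromstring(envelope_xml).find(
                f"{{{SOAP_NS}}}Header/{{{WSSE_NS}}}Security/{{{WSSE_NS}}}UsernameToken")
            if tok is None:
                return False, "no UsernameToken"
            username = tok.findtext(f"{{{WSSE_NS}}}Username") or ""
            pw_el = tok.find(f"{{{WSSE_NS}}}Password")
            created = tok.findtext(f"{{{WSU_NS}}}Created") or ""
            nonce = base64.b64decode(tok.findtext(f"{{{WSSE_NS}}}Nonce") or "", validate=True)
            if pw_el is None or pw_el.get("Type") != DIGEST_TYPE or not nonce:
                return False, "only PasswordDigest tokens with a Nonce are accepted"
            created_dt = datetime.strptime(created, TIME_FMT).replace(tzinfo=timezone.utc)
        except (ET.ParseError, ValueError):
            return False, "malformed token"
        if abs(now - created_dt) > self.max_skew:  # stale or future-dated Created
            return False, "Created outside freshness window"
        if (username, nonce) in self.seen_nonces:
            return False, "nonce replayed"
        stored = self.lookup_password(username)
        if stored is None:
            return False, "unknown user"
        expected = password_digest(nonce, created, stored)
        if not hmac.compare_digest(expected.encode(), (pw_el.text or "").encode()):
            return False, "bad digest"
        self.seen_nonces.add((username, nonce))
        return True, username


# Constructed user store standing in for Active Directory or a SQL membership table.
USERS = {"alice": "correct horse battery staple"}
BODY = '<GetBalance xmlns="urn:example:bank"><Account>42</Account></GetBalance>'


def demo():
    """Verdicts for: a valid token, the same token replayed, a wrong password, a stale Created."""
    verifier = UsernameTokenVerifier(USERS.get)
    good = build_request("alice", USERS["alice"], BODY)
    stale = build_request("alice", USERS["alice"], BODY, now=datetime.now(timezone.utc) - timedelta(hours=1))
    return (verifier.verify(good), verifier.verify(good),
            verifier.verify(build_request("alice", "wrong", BODY)), verifier.verify(stale))


if __name__ == "__main__":
    print(demo())
```

Two points the profile leaves to the implementer are visible here. The digest can only be recomputed by a server that holds the plaintext password (or an equivalent secret), so the user store itself needs protecting, and the nonce cache only has to cover the freshness window, after which a stale Created is rejected anyway. A real deployment would also run this over SSL, because the token authenticates the caller but does nothing to protect the body of the message.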


The advantage of using a standard schema for adding security to a SOAP message is that this is a global format, readable by all compliant systems across the internet. Without a standard format, every web service would have to write custom code to perform these security services.


As this is a standard format, components have been written by vendors such as Sun and Microsoft to add security elements with a minimum of configuration.

Other options for securing communications


There has been a lot of confusion arising from the way that the newer web security formats are described. As WS-Security emerged, developers would often refer to it as application layer security, while more traditional protocols such as IPSec and SSL were referred to as transport layer security.


The TCP/IP stack used for network communications between hosts has a number of layers, and that stack already has both an application layer and a transport layer, so the labels above are easily confused with them. In stack terms, IPSec sits at the network (IP) layer, SSL sits above TCP and below the application protocol (HTTP), and WS-Security lives inside the application payload itself, in the SOAP message. Each of these layers can offer security for confidentiality, authentication and integrity.




The two mechanisms traditionally used by developers when architecting secure communications are SSL and IPSec.


SSL is usually implemented by configuring the web service in Internet Information Services (IIS). A certificate, with the subject name matching the web site, is passed to the client, which checks that it chains to a trusted certificate authority and that the name matches the host it meant to contact. In the RSA key exchange described here, the client then generates a symmetric secret and sends it back to the web server encrypted with the public key from the certificate; only the web server, holding the private key matching that public key, can decrypt it. (Modern TLS deployments instead derive the secret from an ephemeral Diffie-Hellman exchange that the server's certificate signs, which gives forward secrecy; TLS 1.3 removed the RSA key exchange altogether.) Session keys derived from this secret are then used to encrypt and integrity-protect the rest of the session.


To perform authentication similar to the WS-Security example shown earlier, the username and password would be passed in the HTTP request (for example in a Basic authentication header or a form field), protected only by the SSL connection. The web server would then authenticate the user against Active Directory.


IPSec uses the Diffie-Hellman key exchange algorithm, run as part of the Internet Key Exchange (IKE) protocol. Each of the two servers communicating contributes key material to the secure creation of a symmetric key. This key is then used to encrypt specific types of traffic passing between the two servers. Security Associations are created on each server; if there are matching Security Associations on each server, then security is applied.


http://technet2.microsoft.com/windowsserver/en/library/8fbd7659-ca23-4320-a350-6890049086bc1033.mspx?mfr=true


Some of the processing power required for IPSec encryption can be offloaded onto specially designed Network Interface Cards.


IPSec and SSL are examples of security provided by networking protocols. WS-Security is sometimes called a wire format, as it is the actual message that is directly secured, and that protection therefore survives intermediaries (proxies, queues, application routers) that terminate the network connection.


[Figure: layered diagram placing SSL, IPSec and PPP in the protocol stack]



Which to use: IPSec, SSL or WS-Security?


It’s important to match the security functionality provided by these different technologies to requirements. Let’s look at the different security functionality generally required by applications.

Integrity


If it’s necessary to ensure that data has not been tampered with during transit, then cryptography is used to provide integrity. IPSec, SSL and WS-Security all provide this.


IPSec provides integrity with the Authentication Header (AH), which adds a keyed hash (an integrity check value, typically an HMAC) over the packet, including the immutable parts of the IP header. ESP can carry the same integrity check over the payload, and because AH's coverage of the IP header breaks under NAT, ESP with authentication is the usual choice in practice.


SSL negotiates a symmetric key when setting up the connection and uses it to attach a message authentication code (MAC) to every record; a tampered record fails the MAC check, so the receiving party is made aware. Encryption on its own would not give this guarantee, which is why the MAC (or an authenticated-encryption cipher) is required.


WS-Security can be used to digitally sign either a part or the whole of a message.

Confidentiality


All three also provide confidentiality.


IPSec uses Encapsulating Security Payload (ESP) to encrypt the payload of each protected packet with the symmetric key derived from the Diffie-Hellman exchange.


SSL, as stated before, securely establishes a symmetric key between client and server when the connection is negotiated. That key protects every request sent over that connection; a new handshake (or a resumption of the earlier session) establishes the keys for the next connection. Requests are therefore only encrypted under distinct keys when each is sent over a fresh connection.


WS-Security can encrypt the entire contents of the <Body> or <Header> elements, or both. It is also able to encrypt only part of the message, perhaps just one element. What is the advantage of this?


There are an increasing number of networks using Intrusion Detection Systems (IDS). These systems monitor the type, source and destination of packets moving across the network, inspecting their contents. In some circumstances, if an IDS is present, the security architect in charge of the network may not allow traffic to be encrypted by IPSec or SSL, as the traffic cannot be inspected due to encryption.


WS-Security gives the benefit of allowing small parts of the data (perhaps name, userid) to be encrypted, leaving the rest of the communication in the clear. This leaves the IDS able to perform its function while still giving the necessary level of confidentiality. Whatever is left in the clear is of course visible not only to the IDS but to anyone else on the path, and the message should still be signed as a whole, otherwise the unencrypted parts around the protected element can be altered in transit.




Non-Repudiation


Non-repudiation means that someone cannot deny having done something. In this case, if a message has been sent by one party to another (across a network), it may be necessary to hold the originating party to what they have communicated. This may be the case in a financial transaction.


Digital signatures not only provide integrity, they can provide non-repudiation when PKI certificates are used.


Neither SSL nor IPSec offer this service: their integrity protection is a MAC under a symmetric key that both ends share, so either end could have produced it, and the key is discarded when the session ends. WS-Security does, allowing you to sign all or just a part of a SOAP message with the sender's private key, and the signed message can be kept as evidence afterwards.


Anyone who has had to implement digital signatures will appreciate how easy it is to configure this via web service policy.

Authentication


IPSec functions at the network layer of the TCP/IP stack, and so it only authenticates hosts, rather than users. When SSL is used with a web server, credentials can be passed, allowing users to be identified. Credentials can also be passed via WS-Security, authenticating users.


IPSec authenticates computers using either Kerberos, certificates or a shared (pre-shared) key; the last is only recommended for testing purposes, since the same secret sits on every peer.


SSL, in combination with the web server, has a richer set of authentication mechanisms: username/password, certificates, digest, Passport and Windows authentication. In IIS each of these can authenticate against Active Directory. Strictly, SSL itself only authenticates the server (and optionally the client, via a client certificate); the other mechanisms belong to HTTP and IIS and simply ride over the SSL connection.


WS-Security has all of the authentication mechanisms available to SSL, but the authentication model is pluggable. Custom providers can be written to handle checking of passwords, for instance.


What’s the advantage of this? When creating a standard .aspx web site, if one wishes to use a database for holding users, Forms authentication is available. The authentication mechanism is thus overridden, substituting a custom SQL database for Active Directory. WS-Security and custom providers add this type of flexibility to web services.


The WSE and WCF implementations allow the ASP.NET membership providers to be used for authentication. The SQL database that comes with these providers can be quickly and easily integrated into a web service.






Summary


The table below gives an overview of the security functionality provided by each of IPSec, SSL and WS-Security.

WS-Security, although it is quite verbose, offers non-repudiation and a customizable security database, which the other two technologies do not. It also allows fine-grain security to be applied to individual sections of the SOAP document.



                 IPSec                      SSL                         WS-Security
Integrity        Yes                        Yes                         Yes
Confidentiality  Yes                        Yes                         Yes; allows fine-grain encryption
Non-Repudiation  No                         No                          Yes; fine-grain addition of digital signatures to the document
Authentication   Authenticates hosts        Authenticates users         Authenticates users against Active
                 against Active Directory.  against Active Directory.   Directory or a custom database/schema.
                 - Certificates             - Username/password         - Username/password
                 - Kerberos                 - Digest                    - Digest
                 - Shared key               - Passport                  - Passport
                                            - Certificates              - Certificates
                                            - Windows                   - Windows


As stated at the beginning of this piece, to get the most out of these tools it’s best to match security capabilities to requirements. If you need non-repudiation, customizable authentication functionality or fine-grain security, only WS-Security will satisfy your requirements.


WS-Security and WS-Trust are fundamental to WS-Federation, allowing Single Sign On and Identity Management technologies to exist across the internet.