Multiparty Authentication in Web Services

1
Multi-party Authentication in Web
Services

• Madhumita Chatterjee

2
Overview

• Web Services Architecture
• Typical Scenario
• Security Threats
• Challenges and issues
• Need for Session Authentication
• Maruyamas Approach
• A Proposal

3
Demystifying Webservices

• Web services are modular software components
• Wrapped inside a specific set of Internet
  communications protocols
• Can communicate with other components
  automatically without human intervention.

4
Typical Web Services

• airline ticket reservation process
• real time travel advisory
• a restaurant review article

5
Web Site/ Web Service
A Web service is designed to be accessed by
applications.
6
Web Service Working

• Each new request to a Web service is
  automatically spawned as a new thread in the Web
  Service process .
• A Service could also delegate tasks to other
  services.
• Dynamic behavior of these short-lived services,
  introduce new security challenges.

7
Key roles in the Web services architecture

• 3 key roles--------a service provider, a service
  registry and a service requestor.
• 3 operations performed
• Publish--- makes the service description publicly
  available.
• Find operation discovers the Web service.
• Bind operation allows the service to be used by
  the person or program requesting the service.

8
Architecture
9
Web Service Components

• Internet based modular applications
• Program to program communication
• XML
• WSDL
• SOAP
• UDDI

10
Web Services Description Lang

• WSDL is the language used to create service
  descriptions.
• Able to create descriptions about the location of
  the service, how to run it, what business is
  hosting the service, the kind of service it is,
  etc

11
Simple Object Access Protocol

• SOAP is the means through which the service
  provider, service registry and service requestor
  communicate.
• XML-based technology used to exchange structured
  data between network applications.
• SOAP is used to publish the service description
  to a service registry.
• All other interactions between service registry,
  service requestor and service provider are done
  via SOAP.

12
Universal Description Discovery Integration

• UDDI is the directory technology used by
  service registries that contain the description
  of Web services
• Allows the directory to be searched for a
  particular Web service.
• UDDI is in essence a Yellow Pages that can be
  used to locate Web services.

13
Web Service Architecture
Implementation of Services
(components)
UDDI
Interface Description with WSDL
1. Request
4. Request
Service Broker
Web Server For SOAP
Service requester
S E R V I C e
14
Web Service Security-A concern

• Web services are based on message exchanges on
  the net with the possibility of dynamic
  short-term relationships.
• Authentication Establishing identity of user
• Authorization Establishing what a user is
  allowed to do.

15
Web Service Securitycont

• Confidentiality Ensuring that only the intended
  recipient can read the message, accompanied by
  encryption.
• Integrity Ensuring that the message has not been
  tampered with, generally accomplished with
  digital signatures.

16
Web Service Workflows

• Dynamic composition
• Multiple instances
• Workflow involves service instances belonging to
  different Web services
• Multiple parties belong to a flow.

17
Typical Web Service Scenario
18
 Threats To Web Service Security

• Malicious web service threats typically fall into
  one of three categories
• Identity threats, such as authentication attacks,
  eavesdropping etc.
• Content-borne threats, which are attacks with
  elements in the actual XML payload, such as XML
  viruses.
• XML Denial of Service (XdoS), which are new
  application-level versions of network level DoS
  attacks.

19
Identity Threats.

• Unauthorized access
• Weak authentication and authorization
• Parameter manipulation
• Unauthorized modification of data
• Network eavesdropping
• Message replay

20
Need for session Authentication
21
Maruyamas protocol

• Session Authenticator component responsible for
  distributing keys and authenticating messages
• Each instance belonging to a session gets the
  shared key

22
Maruyamas protocol.cont

• Message authentication protocol
• transports authentication information between
  session participants
• Session management protocol
• responsible for starting, running and ending a
  particular session.

23
Message Authentication

• Session Authenticator
• Allows service instances to mutually verify
  transient membership
• Service Authenticator
• Protocol for sending Web service to send MACed
  SOAP envelope to receiving Web Service

24
Session Authenticator

• Sending instance prepares SOAP envelope
• Optionally uses XML encryption
• Adds authentication to SOAP header
• Using SOAP-DSIG applies MAC to envelope under
  session key.

25
Session Auth.cont

• Receiver checks for session key.
• Else obtains key from session manager.
• Validates MAC and accepts SOAP envelope.
• Decrypts encrypted message.
• Receiver now has authenticated mesg and session
  handle.

26
Service Authenticator

• Sending service prepares SOAP envelope.
• Adds authentication header.
• Uses SOAP-DSIG to digitally sign mesg.
• Optionally uses XML encryption.
• Receiver decrypts, validates signature, verifies
  its own sign and accepts.

27
Session Management

• Initiator of session could be SA
• Assigning session Ids.
• Creating session secrets.
• Maintaining status information for each session.
• Keeping participants informed of the status.
• Shutting down sessions.

28
Online session Management
29
Drawbacks ..

• SA cannot measure the validity of service
  instance
• Anyone who has session ID can contact SA.
• An attacker who has compromised an instance can
  request to join session
• No unique identifier for each instance

30
Issues not considered

• What if Session Manager is malicious??

31
WS-Security specifications

• The WS-Security specifications protect against
• Message alterationBy including digital
  signatures for all or parts of the SOAP body and
  the SOAP header.
• Message disclosureBy supporting message
  encryption.

32
.Specifications cont

• Preserve message integrity through the use of
  strong key algorithms.
• Authenticate messages through the use of various
  token mechanisms such as Kerberos and X.509.

33
Challenges

• Dealing with un-trusted clients.
• Application internals are exposed.
• SOAP messages are not point to point
• Challenge is to preserve security of SOAP message
  from initial SOAP sender to ultimate SOAP
  receiver.

34
SSL is inadequate

• SSL cannot be used to authenticate dynamically
  generated participants
• SSL provides point-to-point security
• Web Services need end-to-end security
• SSL does not support
• End-to-end confidentiality
• Element wise signing and encryption
• Non-repudiation

35
A Proposal.Adaptive approach

• Requirements of users may vary.
• Is there need for stringent measures uniformly to
  every node and transaction
• Can we apply as much security as a particular
  transaction requires?

36
Sophisticated Web Services

• E.g order for aircraft engine
• Spawns multiple supporting transactions
• Orders to individual parts
• Orders for shipping containers
• Etc
• Involves handling huge volumes of traffic

37
Adaptive approach .cont

• For Simple Web services existing security
  measures may suffice.
• For sophisticated Web Services involving long
  transactions trusted third party model desirable.
• Can an adaptive/hybrid approach be implemented???

38
References

• 1. S. Hada and H. Maruyama, Session
  Authentication Protocol for Web Services,
• Proc. 2002 IEEE Symposium on Application
  and the Internet, pp. 158-165, Jan. 2002.
• 2. Dacheng Zhang and Jie Xu, Multi-Party
  Authentication for Web Services
• Protocols, Implementation and Evaluation,
  Proc. 2004 IEEE Symposium on
• Object Oriented Real-time Distributed
  Computing.
• 3. M.Hondo, N. Nagaratnam, A.Nadalin, Securing
  Web Services, IBM Systems Journal,
• Vol 41, No. 2, 2002.
• 4. David Geer, Taking Steps to Secure Web
  Services, IEEE Computer, Vol 36,
• Oct 2003.
• 5. V Vasudevan, A Web Services Primer,
  
• http//www.xml.com/pub/a/2001/04/04/Webservic
  es/, April 2001.
• 6. Y. Nakamur, S. Hada and R. Neyama, Towards
  the Integration of
• Web Services Security on Enterprise
  Environments, Proc. 2002 Symposium on
• Applications and the Internet, pp. 166-177,
  Jan 2002.
• 7. W3C NOTE, Simple Object Access Protocol (SOAP)
  1.1, http//www.w3.org/TR/SOAP/

39
References

• 8.  W3C NOTE, SOAP Security Extensions Digital
  Signature,
• http//www.w3.org/TR/SOAP-dsig.
• 9. Web Services Security(WS-Security),
• http//www.ibm/developerworks/library/ws-sec
  ure.
• 10. Web Services Security Threats and
  Countermeasures,
• Microsoft Corporation, Jan 2004.