Find White Papers

Securing Web Services

CA
By : CA
INFORMATION
Published : Mar 01, 2005
Length : 14
Type : White Paper
Overview :

Companies worldwide are actively deploying Web services, both in intranet and extranet environments. While Web services offer many advantages over current alternatives, they still present key challenges, especially in terms of security. 

This document describes CA TransactionMinder in detail and is intended for technical people already familiar with Web services, XML security and CA SiteMinder, the company's market-leading access management software solution.

Browse Related Categories: Corporate Portals, Security, Service Oriented Architecture, Web Service Management, Web Service Security, Web Services, XML

 

Securing Web Services:

Companies worldwide are actively deploying Web services, both in intranet and extranet environments. While Web services offer many advantages over current alternatives, they still present key challenges, especially in terms of security.

Computer Associates International, Inc. (CA) addresses Web services security with an innovative, standards-based solution called eTrust TransactionMinder. This document describes eTrust TransactionMinder in detail.

This document is intended for technical people already familiar with Web services, XML security and eTrust SiteMinder, the company's market-leading access management software solution.

Web Services Security

Web services security relies on authentication (verifying a user's identity based on submitted credentials), authorization (granting access to specific resources based on an authenticated user's entitlements) and accounting or audit (a record of activities).

By and large, companies deploying Web services rely on traditional transport-level security for authentication and application-specific security for authorization and accounting or audit.

Transport-Level Security

Secure Sockets Layer (SSL) is the most widely used transport-level security protocol for data communication. SSL provides authentication (the server, and optionally the client, proves its identity with a certificate, so the session is established between two trusted parties), confidentiality (the data exchanged is encrypted) and message integrity (corruption or tampering of the data while in transit is detected).

SSL secures the channel between two SSL-enabled endpoints only. Data that is not "in transit" on that channel is not encrypted by SSL, and is therefore not protected by it. This matters when a transaction has multiple steps. For example, when an application invokes Web service A for purchasing and Web service B for shipping, two separate SSL sessions are needed: one from the application to A and one from A to B. Between those two sessions, at the intermediary, the documents involved in the transaction are in plaintext, so they are only as secure as that intermediary and can be read or modified there without either SSL session noticing. This is why transport-level security alone is not enough, particularly for multi-step Web services transactions.

Application-Based Authorization and Audit

Most companies provide authorization directly in the back-end application, which creates a "silo" infrastructure in which each application performs its own local authorization. Each application's security must then be managed independently, increasing administration overhead and making updates complex. Likewise, each application often keeps its own accounting and audit information, which must be reconciled with the overall infrastructure to preserve security and consistency across the enterprise. Companies need to be able to validate the content of the message requesting a Web service before that message reaches the Web service, and they need to keep track of who (or what type of application) is trying to access the Web service.

Application-Level Security

Transport-level SSL can be complemented with XML-based, application-level security, including message structure, XML content confidentiality, integrity and authenticity, and fine-grained XML content access control.

Message Structure

- Web Services Security (WS-Security). An XML framework that defines security extensions to the SOAP protocol (described in more detail later in this document).

XML Content Confidentiality, Integrity, and Authenticity

- XML Encryption. Represents the encrypted content of XML data, the information that enables a recipient to decrypt it, and a mechanism for conveying encryption-key information to the recipient.

- XML Signature. Defines the representation of signatures on digital content, and procedures for processing those signatures. XML Signature provides detailed elements supporting data integrity, signature assurance, and nonrepudiation for Web services data.

Trust Management

- Security Assertion Markup Language (SAML). Describes authentication, attributes, and authorization-decision objects (or assertions) that can be exchanged between trusted partners.

Figure 1 shows the various layers involved in securing Web services. As previously mentioned, SSL encrypts the entire byte stream, and so the complete XML document, on its way to a Web service provider. However, in many cases only parts of a document need to be secured, whether it is being sent to another party or stored before being further processed, and the protection must survive beyond a single transport hop. In those cases XML Encryption and XML Signature are used.
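The multi-hop exposure described under Transport-Level Security, and the message-level integrity that XML Signature provides (carried in a WS-Security header), as an added example that is not code from the CA paper or from TransactionMinder: a purchase order's SOAP Body is canonicalised and signed, then relayed through an intermediary (Web service A) that sits between two SSL sessions and rewrites the amount before forwarding to Web service B, whose verification then fails. The namespace and algorithm identifiers are the real SOAP 1.1, WS-Security 1.0 and XML Signature ones, but the signature is simplified: HMAC-SHA256 with a shared key stands in for an X.509/RSA signature, and canonicalisation is Canonical XML 2.0 as implemented by Python's xml.etree (3.8+) rather than the Exclusive C14N 1.0 that WS-Security deployments normally use. The purchase order, the key and the intermediary's behaviour are constructed for the example.

```python
"""Added example: XML-Signature-style integrity for a SOAP Body across a
multi-hop Web services transaction. Not code from the CA paper. HMAC-SHA256
with a shared key stands in for an X.509/RSA signature, and canonicalisation
is C14N 2.0 as implemented by xml.etree (Python 3.8+), not Exclusive C14N."""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Real namespace identifiers from SOAP 1.1, WS-Security 1.0 and XML Signature.
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed purchase order; the wsu:Id lets a ds:Reference point at the Body.
ORDER_ENVELOPE = f"""<soap:Envelope xmlns:soap="{SOAP_NS}" xmlns:wsu="{WSU_NS}">
  <soap:Header/>
  <soap:Body wsu:Id="Body">
    <PurchaseOrder xmlns="urn:example:orders">
      <Item>Widget</Item><Quantity>10</Quantity><Amount>100.00</Amount>
    </PurchaseOrder>
  </soap:Body>
</soap:Envelope>"""


def _c14n(elem):
    """Canonical form of one element: whitespace stripped and namespace prefixes
    rewritten, so sender and receiver serialise the same logical XML identically."""
    raw = ET.tostring(elem, encoding="unicode")
    return ET.canonicalize(xml_data=raw, strip_text=True, rewrite_prefixes=True).encode()


def _b64(data):
    return base64.b64encode(data).decode()


def sign_envelope(envelope_xml, key):
    """Add a wsse:Security header with a ds:Signature whose single Reference
    covers the Body. Two steps, as in XML Signature: digest the referenced
    Body, then sign the canonical SignedInfo that carries that digest."""
    root = ET.fromstring(envelope_xml)
    body_digest = _b64(hashlib.sha256(_c14n(root.find(f"{{{SOAP_NS}}}Body"))).digest())
    signed_info = (
        f'<ds:SignedInfo xmlns:ds="{DS_NS}">'
        f'<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2010/xml-c14n2"/>'
        f'<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"/>'
        f'<ds:Reference URI="#Body">'
        f'<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>'
        f"<ds:DigestValue>{body_digest}</ds:DigestValue>"
        f"</ds:Reference></ds:SignedInfo>"
    )
    sig_value = _b64(hmac.new(key, _c14n(ET.fromstring(signed_info)), hashlib.sha256).digest())
    security = (
        f'<wsse:Security xmlns:wsse="{WSSE_NS}"><ds:Signature xmlns:ds="{DS_NS}">'
        f"{signed_info}<ds:SignatureValue>{sig_value}</ds:SignatureValue>"
        f"</ds:Signature></wsse:Security>"
    )
    return envelope_xml.replace("<soap:Header/>", f"<soap:Header>{security}</soap:Header>", 1)


def verify_envelope(envelope_xml, key):
    """Receiver-side check: the signature must cover SignedInfo, and the
    digest inside SignedInfo must match the Body as actually received."""
    root = ET.fromstring(envelope_xml)
    signed_info = root.find(f".//{{{DS_NS}}}SignedInfo")
    sig_value = root.find(f".//{{{DS_NS}}}SignatureValue")
    body = root.find(f"{{{SOAP_NS}}}Body")
    if signed_info is None or sig_value is None or body is None:
        return False  # unsigned message: the SSL hop says nothing about content
    digest_value = signed_info.find(f".//{{{DS_NS}}}DigestValue")
    if digest_value is None:
        return False
    expected_sig = hmac.new(key, _c14n(signed_info), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, base64.b64decode(sig_value.text or "")):
        return False
    expected_digest = hashlib.sha256(_c14n(body)).digest()
    return hmac.compare_digest(expected_digest, base64.b64decode(digest_value.text or ""))


def intermediary_tampers(envelope_xml):
    """Web service A (purchasing) terminates the sender's SSL session and opens
    a new one to Web service B (shipping). Between the two sessions the message
    is plaintext, so a compromised A can rewrite it before forwarding."""
    return envelope_xml.replace("<Amount>100.00</Amount>", "<Amount>1.00</Amount>", 1)


def run_transaction(key=b"constructed-shared-signing-key"):
    """Simulate sender -> Web service A -> Web service B and report what B accepts."""
    signed = sign_envelope(ORDER_ENVELOPE, key)
    return {
        "forwarded_intact": verify_envelope(signed, key),
        "rewritten_by_intermediary": verify_envelope(intermediary_tampers(signed), key),
        "forwarded_unsigned": verify_envelope(ORDER_ENVELOPE, key),
    }


if __name__ == "__main__":
    print(run_transaction())
```

Only the intact, signed message verifies at Web service B; the copy rewritten at the intermediary fails the Body digest check, and an unsigned copy is rejected outright even though every hop was over SSL. Note that the check is in two parts on purpose: a valid signature over SignedInfo proves who signed, and the Reference digest ties that signature to the Body actually received.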

The SOAP messaging framework is used to send requests to, and receive responses from, a Web service. SOAP is augmented with a security layer defined in the WS-Security specification.

WS-Security specifies how XML Encryption (confidentiality) and XML Signature (message-level integrity and origin authentication) are applied to SOAP messages. WS-Security also defines six security token profiles, in three groups:

- Username token (together with an optional password digest).

- XML tokens: SAML assertions, REL (Rights Expression Language, used for digital rights management) licenses, and XCBF (XML Common Biometric Format) documents.

- Binary tokens: X.509 certificates and Kerberos tickets.
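The Username token profile from the list above, as an added example that is not code from the CA paper or from TransactionMinder: the client builds a wsse:UsernameToken carrying the profile's PasswordDigest (Base64 of SHA-1 over the raw nonce bytes, the Created timestamp and the password), and the receiving side recomputes it, rejecting clear-text PasswordText, stale timestamps and replayed nonces. The namespace, Type and EncodingType identifiers are the real WS-Security 1.0 ones; the user, password, nonces and clock are constructed for the example.

```python
"""Added example: WS-Security UsernameToken with PasswordDigest, built on the
client and checked on the receiving side with freshness and nonce-replay
checks. Not code from the CA paper or from TransactionMinder; the user
database, timestamps and nonces are constructed for the example."""
import base64
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PASSWORD_DIGEST = ("http://docs.oasis-open.org/wss/2004/01/"
                   "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
BASE64_BINARY = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-soap-message-security-1.0#Base64Binary")
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"  # whole seconds; real tokens may carry fractions


def password_digest(nonce, created, password):
    """UsernameToken Profile 1.0: Base64(SHA-1(nonce + created + password)),
    with the raw nonce bytes and the UTF-8 Created string and password."""
    raw = nonce + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()


def build_username_token(username, password, nonce=None, created=None):
    """Client side: fresh random nonce and current UTC time unless supplied."""
    nonce = nonce if nonce is not None else secrets.token_bytes(16)
    created = created or datetime.now(timezone.utc).strftime(TIME_FMT)
    return (
        f'<wsse:UsernameToken xmlns:wsse="{WSSE_NS}" xmlns:wsu="{WSU_NS}">'
        f"<wsse:Username>{username}</wsse:Username>"
        f'<wsse:Password Type="{PASSWORD_DIGEST}">'
        f"{password_digest(nonce, created, password)}</wsse:Password>"
        f'<wsse:Nonce EncodingType="{BASE64_BINARY}">{base64.b64encode(nonce).decode()}</wsse:Nonce>'
        f"<wsu:Created>{created}</wsu:Created></wsse:UsernameToken>"
    )


class UsernameTokenVerifier:
    """Receiving side. The digest is over the clear password, so the verifier
    needs the password (or a reversible equivalent) for each user; that is a
    property of PasswordDigest itself, not a shortcut taken here."""

    def __init__(self, passwords, freshness=timedelta(minutes=5)):
        self._passwords = dict(passwords)  # constructed user store: username -> password
        self._freshness = freshness
        self._seen_nonces = set()  # a real cache expires entries older than `freshness`

    def verify(self, token_xml, now=None):
        now = now or datetime.now(timezone.utc)
        tok = ET.fromstring(token_xml)
        username = tok.findtext(f"{{{WSSE_NS}}}Username")
        password_el = tok.find(f"{{{WSSE_NS}}}Password")
        nonce_b64 = tok.findtext(f"{{{WSSE_NS}}}Nonce")
        created = tok.findtext(f"{{{WSU_NS}}}Created")
        if username is None or password_el is None or nonce_b64 is None or created is None:
            return False, "malformed token"
        if password_el.get("Type") != PASSWORD_DIGEST:
            return False, "only PasswordDigest accepted"  # refuse clear-text PasswordText
        try:
            created_at = datetime.strptime(created, TIME_FMT).replace(tzinfo=timezone.utc)
            nonce = base64.b64decode(nonce_b64, validate=True)
        except ValueError:  # binascii.Error is a ValueError
            return False, "malformed token"
        if abs(now - created_at) > self._freshness:
            return False, "stale Created timestamp"
        if nonce in self._seen_nonces:
            return False, "replayed nonce"
        password = self._passwords.get(username)
        if password is None:
            return False, "unknown user"
        expected = password_digest(nonce, created, password).encode()
        if not hmac.compare_digest(expected, (password_el.text or "").encode()):
            return False, "bad digest"
        self._seen_nonces.add(nonce)
        return True, "ok"


def run_scenarios():
    """Constructed scenarios: a good login, the same token replayed, a stale
    token and a wrong password, all judged against a fixed clock."""
    password = "correct horse battery staple"
    verifier = UsernameTokenVerifier({"alice": password})
    now = datetime(2005, 3, 1, 12, 0, 0, tzinfo=timezone.utc)
    fresh = "2005-03-01T12:00:00Z"
    good = build_username_token("alice", password, nonce=bytes(range(16)), created=fresh)
    stale = build_username_token("alice", password, nonce=b"\x01" * 16, created="2005-03-01T11:00:00Z")
    wrong = build_username_token("alice", "guess", nonce=b"\x02" * 16, created=fresh)
    return {
        "first_use": verifier.verify(good, now=now),
        "replay": verifier.verify(good, now=now),
        "stale": verifier.verify(stale, now=now),
        "wrong_password": verifier.verify(wrong, now=now),
    }


if __name__ == "__main__":
    print(run_scenarios())
```

Two points the token list does not make explicit: the receiver must hold the clear-text password (or an equivalent secret) to recompute the digest, so PasswordDigest protects the password on the wire but not in the verifier's store; and the digest alone is not a replay defence, which is why Created is bounded and the Nonce is remembered. Standard library only, Python 3.8+.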
