
Elektrotehniški vestnik XX(Y): 1-6, YEAR. Electrotechnical Review, Ljubljana, Slovenia

Analysis and Comparison of Web Services Security Standards


Jurij Laznik (1), Matjaž B. Jurič (2), Marjan Heričko (2)

(1) HERMES SoftLab d.d., Zagrebška 104, 2001 Maribor, Slovenia
(2) Fakulteta za elektrotehniko, računalništvo in informatiko, Smetanova 17, 2000 Maribor, Slovenia
E-mail: jurij.laznik@hermes.si, matjaz.juric@uni-mb.si, marjan.hericko@uni-mb.si

Abstract. Web services are one of the most important emerging technologies of the moment; many analysts predict that they will reach their peak in 2005. One of the most important areas still to be covered is security, since web services are intended for open and usually very hostile environments. In this article we survey the current state of web services security. We describe the most important security standards in use today and their alternatives: XML digital signature, XML encryption, SOAP-Sec, WS-Security, SAML, XACML and XKMS. These standards do not provide complete security on their own; they are building blocks that make web services safer to use. The field has lately matured to the point where web service security standards can also serve other technologies, or, put differently, web services can work with other technologies in synergy.

Key words: web services, security standards, XML, SOAP

Analysis and comparison of security standards in web services (Slovenian title and abstract, translated)

Abstract. Web services are one of the most promising technologies today, and many studies predict their breakthrough in 2005. Because web services operate in an open and often very hostile environment, security is a very important area. In this article we describe the current state of security in web services. We describe the currently most important security standards: digital signature, encryption, SOAP-Sec, WS-Security, SAML, XACML and XKMS. We also touch on the alternative security standards that are currently emerging, above all the founding of the new organization WS-I and the tensions arising between that new organization and the W3C and OASIS consortia. We also describe the profiles introduced by WS-I, chiefly the basic and the extended profile. Representatives of the organization advocate paying royalties for the use of standards, while at the same time assuring that standards placed in the extended profile will not be neglected, as their opponents claim. The security standards discussed in this article do not guarantee complete security; they are only building blocks that can enable safer use of web services. The field of web services security has recently advanced so far that web services can help other technologies transfer confidential information.

Key words: web services, security standards, XML, SOAP

1 Introduction

Web services emerged in late 1999 as a new and revolutionary technology. Much has been done since then, but not enough in the area of security, and this has held back some aspects of large-scale use of web services. No organization is happy when sensitive information leaks to its competitors, so in the last few years a lot of effort has gone into improving the security of web services. But let us first describe what a web service actually is. A web service is a service that usually combines some program logic and data and is made available to web clients through an application server. The main advantages of web services are a robust architecture, loose coupling, and independence of programming language and platform. Their main purpose is to provide unified and efficient communication between many parties. Until now almost all business-to-business transactions were made using EDI (Electronic Data Interchange), which is so expensive that many small and mid-size companies could not afford it; moreover, EDI transactions were mostly bilateral (peer-to-peer). Web services give companies of every size the opportunity to conduct business over the web, but those companies have set one condition: before they use web services, the security of the sensitive information being exchanged must be assured. We intend to show that the standards developers have done a good job of providing security standards for web services.

2 Security standards overview

Let us first explore why web service security standards were developed. As mentioned above, most communication used to be peer-to-peer: two parties, protected by SSL (Secure Sockets Layer) [1], TLS (Transport Layer Security) [2] and digital certificates. Modern business is conducted among many parties (companies), that is, end-to-end. The transport-level mechanisms just mentioned do not fit this kind of business, because documents (agreements, invoices and other sensitive information) pass through several servers, and SSL/TLS protects only each hop, not the message as a whole. Since there are a number of points at which sensitive information could be intercepted, additional, message-level security has been provided. Security standards for web services are placed between the transport layer and the session layer, as shown in Fig. 1.

Web services are based on SOAP (Simple Object Access Protocol) [3]. Communication between web services is done by exchanging SOAP messages. SOAP is an XML-based protocol for exchanging structured and typed information in a distributed environment. In the following sections we take a tour through the web service security standards.

Figure 1. Placement of security standards in web services. (Figure not reproduced: it shows a stack with the transport layer, SOAP and the web services architecture at the bottom and the session layer at the top; WS-Security, XML digital signature, XML encryption, SAML and XACML, and XKMS sit between the two.)

2.1 Digital signature of XML documents

The XML-Signature standard [4] was created to provide digital signatures for XML documents. We can sign a whole XML document or just part of it, and in fact any content can be signed: binary images (GIF, JPEG, etc.), textual or binary documents, video, audio, and so on. A digital signature is used when we want to assure the integrity and origin of content delivered to recipients. Several signature algorithms can be used, RSA and DSA among them. Information about the signing key can be put into the XML document (the KeyInfo element) or delivered separately. Because the same XML content can be serialized in many equivalent ways (different attribute order, whitespace or namespace prefixes), the signed content is first canonicalized (C14N) and the digest is computed over the canonical form. A signature can be placed in one of three ways:

- A detached signature resides outside the signed XML document but references it.
- An enveloped signature is included in the signed XML document.
- An enveloping signature contains the signed XML document; we say that the signature envelopes the signed data.

Vendors usually provide a toolkit with APIs for signing XML documents. These APIs can be used in standard applications, Java applets or web services. There are two common ways to produce a signature. With direct signing, the developer writes source code that builds the XML skeleton of the signature and then adds it to the document being signed. The more convenient way is to use templates: the developer provides a template (skeleton) of the signature to the application that does the signing. Maintenance is much easier this way, because when the document requirements change, only someone who knows XML is needed. One caveat for verifiers: a valid signature proves only that the element its Reference points to is untouched, so the verifier must check that the reference covers the element it is about to act on, not merely that some signature in the message verifies. Digital signatures can be used in many areas of everyday life: e-banking, e-government, insurance, health care, and so on.
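An enveloped signature of the kind described in section 2.1, with the verifier checks just mentioned, as an added example that is not code from the paper or from any toolkit it names. It uses only the Python standard library: `xml.etree.ElementTree.canonicalize` (Canonical XML 2.0) for the canonicalization step and HMAC-SHA256 as the SignatureMethod, which XML-DSig defines alongside RSA and DSA (those need a crypto library and are not shown). The element and algorithm identifiers are the standard's; the invoice document, the `Id` value and the shared key are constructed for the example.

```python
"""Enveloped XML signature in the style of XML-Signature [4], with verification.

Added example, not code from the paper. Standard library only: C14N 2.0 via
ElementTree.canonicalize and HMAC-SHA256 as SignatureMethod (RSA/DSA omitted).
The invoice document, the Id value and KEY are constructed for the example.
"""
import base64
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
C14N2 = "http://www.w3.org/2010/10/xml-c14n2"
HMAC_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
ET.register_namespace("ds", DS)

KEY = b"shared-secret-for-the-example"  # constructed; a real deployment uses a per-partner key


def ds(name: str) -> str:
    return f"{{{DS}}}{name}"


def c14n(elem: ET.Element) -> bytes:
    """Canonical form of an element: attribute order, whitespace around text and
    namespace prefixes no longer matter, so equivalent serializations digest alike."""
    return ET.canonicalize(ET.tostring(elem, encoding="unicode"), strip_text=True).encode()


def digest_of(elem: ET.Element) -> str:
    """Base64 SHA-256 digest of the element with any enveloped ds:Signature removed
    (the enveloped-signature transform)."""
    clone = copy.deepcopy(elem)
    for sig in clone.findall(ds("Signature")):
        clone.remove(sig)
    return base64.b64encode(hashlib.sha256(c14n(clone)).digest()).decode()


def sign(doc: ET.Element, key: bytes, ref_id: str) -> ET.Element:
    """Append an enveloped ds:Signature over the element carrying Id=ref_id (here the root)."""
    si = ET.Element(ds("SignedInfo"))
    ET.SubElement(si, ds("CanonicalizationMethod"), Algorithm=C14N2)
    ET.SubElement(si, ds("SignatureMethod"), Algorithm=HMAC_SHA256)
    ref = ET.SubElement(si, ds("Reference"), URI=f"#{ref_id}")
    ET.SubElement(ET.SubElement(ref, ds("Transforms")), ds("Transform"), Algorithm=ENVELOPED)
    ET.SubElement(ref, ds("DigestMethod"), Algorithm=SHA256)
    ET.SubElement(ref, ds("DigestValue")).text = digest_of(doc)
    sig = ET.SubElement(doc, ds("Signature"))
    sig.append(si)
    # The signature value covers the canonical SignedInfo, which carries the digest.
    mac = hmac.new(key, c14n(si), hashlib.sha256).digest()
    ET.SubElement(sig, ds("SignatureValue")).text = base64.b64encode(mac).decode()
    return doc


def verify(xml_bytes: bytes, key: bytes, expected_id: str) -> bool:
    """Verify the signature AND that it covers the element the caller wants to trust."""
    doc = ET.fromstring(xml_bytes)
    sig = doc.find(ds("Signature"))
    si = sig.find(ds("SignedInfo")) if sig is not None else None
    ref = si.find(ds("Reference")) if si is not None else None
    method = si.find(ds("SignatureMethod")) if si is not None else None
    if ref is None or method is None or method.get("Algorithm") != HMAC_SHA256:
        return False  # accept only the algorithm we expect; never let the message choose
    given = base64.b64decode(sig.findtext(ds("SignatureValue"), ""))
    if not hmac.compare_digest(hmac.new(key, c14n(si), hashlib.sha256).digest(), given):
        return False
    # The reference must point at the element we are about to act on (the root
    # with the expected Id), not at some other node the sender chose to sign.
    if ref.get("URI") != f"#{expected_id}" or doc.get("Id") != expected_id:
        return False
    return ref.findtext(ds("DigestValue")) == digest_of(doc)


def build_invoice() -> ET.Element:
    inv = ET.Element("Invoice", Id="invoice1")  # constructed sample document
    ET.SubElement(inv, "Customer").text = "ACME d.o.o."
    ET.SubElement(inv, "Amount", currency="EUR").text = "200"
    return inv


def signed_invoice() -> bytes:
    return ET.tostring(sign(build_invoice(), KEY, "invoice1"))


if __name__ == "__main__":
    signed = signed_invoice()
    print(signed.decode())
    print("intact:", verify(signed, KEY, "invoice1"))
    print("tampered:", verify(signed.replace(b">200<", b">2000<"), KEY, "invoice1"))
```

Changing the amount after signing leaves the SignatureValue valid (SignedInfo is untouched) but breaks the DigestValue, which is why a verifier must recompute the digest of the referenced element and not stop after checking the signature value.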

2.2 Encryption of XML documents

The standard that defines encryption of XML documents [5] is one of the most important building blocks of security. With it we can encrypt part of an XML document or the whole document; the intention is usually to hide the content of the document from everyone except its intended recipient. Comparing XML encryption with SSL, one could conclude that it replaces SSL, but this is not true: XML encryption is only an additional building block for securing communication over networks, and the two can be used together. SSL secures communication between two sides (point-to-point), while XML encryption secures communication among more than two sides: the sender can encrypt different parts of an XML document under different keys, and each recipient can decrypt only those parts for which it holds the proper key. Keys are usually exchanged before the communication begins; for example, two partners exchange public keys before they start exchanging invoices. How keys are exchanged is left to the developer; it can be done by ordinary mail, electronic mail or any other channel. One caveat: the block-cipher modes defined by XML Encryption 1.0 (CBC) provide confidentiality only, not integrity, so encrypted content should also be signed (the later XML Encryption 1.1 added AES-GCM for this reason). XML encryption can be used in a variety of areas, for example for encrypting invoices, prescriptions, PINs, usernames and passwords.
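The multi-recipient case described above, as an added example that is not code from the paper: one prescription document in which the drug is encrypted for the pharmacy and the payment details for the bank, so each recipient decrypts only the part it holds a key for and the other part stays opaque. The `xenc:EncryptedData` structure, the `Type=...#Element` marker and the `ds:KeyInfo/ds:KeyName` reference follow XML Encryption; the cipher does not: the Python standard library has no AES, so a keystream made from HMAC-SHA256 in counter mode stands in for the AES-CBC the standard specifies, and an HMAC tag over the ciphertext is added to supply the integrity check that XML Encryption 1.0's CBC modes lack. Its Algorithm URI is therefore invented, and the document, key names and keys are constructed.

```python
"""Element-level XML Encryption in the style of XML Encryption [5]: parts of one
document encrypted under different keys, decrypted only by the matching recipient.

Added example, not code from the paper. EncryptedData/CipherData/KeyInfo follow
the standard; the cipher is a stand-in (HMAC-SHA256 keystream plus HMAC tag)
because the standard library has no AES, so STAND_IN_ALG is not a real identifier.
The prescription document, key names and keys are constructed.
"""
import base64
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"
DS = "http://www.w3.org/2000/09/xmldsig#"
STAND_IN_ALG = "urn:example:hmac-sha256-ctr-with-tag"  # invented; not an XML Encryption algorithm
ET.register_namespace("xenc", XENC)
ET.register_namespace("ds", DS)

PHARMACY_KEY = b"pharmacy-key-2004"  # constructed per-recipient secrets
BANK_KEY = b"bank-key-2004"


def _subkeys(key: bytes):
    """Separate keystream and tag keys derived from one recipient key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(ek: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(ek, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def encrypt_bytes(key: bytes, plaintext: bytes) -> bytes:
    ek, mk = _subkeys(key)
    nonce = secrets.token_bytes(16)  # fresh per message, like a CBC IV
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(ek, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mk, nonce + ct, hashlib.sha256).digest()


def decrypt_bytes(key: bytes, blob: bytes) -> bytes:
    ek, mk = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mk, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ciphertext has been modified")  # checked before any decryption
    return bytes(c ^ k for c, k in zip(ct, _keystream(ek, nonce, len(ct))))


def encrypt_element(parent: ET.Element, child: ET.Element, key_name: str, key: bytes) -> None:
    """Replace child with an xenc:EncryptedData element that names the key used."""
    enc = ET.Element(f"{{{XENC}}}EncryptedData", Type=XENC + "Element")
    ET.SubElement(enc, f"{{{XENC}}}EncryptionMethod", Algorithm=STAND_IN_ALG)
    ET.SubElement(ET.SubElement(enc, f"{{{DS}}}KeyInfo"), f"{{{DS}}}KeyName").text = key_name
    blob = encrypt_bytes(key, ET.tostring(child))
    cipher_data = ET.SubElement(enc, f"{{{XENC}}}CipherData")
    ET.SubElement(cipher_data, f"{{{XENC}}}CipherValue").text = base64.b64encode(blob).decode()
    index = list(parent).index(child)
    parent.remove(child)
    parent.insert(index, enc)


def decrypt_for(root: ET.Element, keys: dict) -> ET.Element:
    """Decrypt every EncryptedData whose KeyName the recipient holds; leave the rest opaque."""
    targets = [(p, c) for p in root.iter() for c in list(p) if c.tag == f"{{{XENC}}}EncryptedData"]
    for parent, enc in targets:
        key_name = enc.findtext(f"{{{DS}}}KeyInfo/{{{DS}}}KeyName")
        if key_name not in keys:
            continue
        blob = base64.b64decode(enc.findtext(f"{{{XENC}}}CipherData/{{{XENC}}}CipherValue"))
        index = list(parent).index(enc)
        parent.remove(enc)
        parent.insert(index, ET.fromstring(decrypt_bytes(keys[key_name], blob)))
    return root


def encrypted_prescription() -> bytes:
    doc = ET.Element("Prescription")  # constructed sample document
    ET.SubElement(doc, "Patient").text = "Janez Novak"
    ET.SubElement(doc, "Drug").text = "Amoxicillin 500 mg"
    ET.SubElement(ET.SubElement(doc, "Payment"), "CardNumber").text = "4111111111111111"
    encrypt_element(doc, doc.find("Drug"), "pharmacy-2004", PHARMACY_KEY)
    encrypt_element(doc, doc.find("Payment"), "bank-2004", BANK_KEY)
    return ET.tostring(doc)


def view(xml_bytes: bytes, keys: dict) -> dict:
    """What a recipient holding `keys` can read; None where it holds no key."""
    root = decrypt_for(ET.fromstring(xml_bytes), keys)
    return {"patient": root.findtext("Patient"), "drug": root.findtext("Drug"),
            "card": root.findtext("Payment/CardNumber")}


def tamper_detected(xml_bytes: bytes) -> bool:
    """Flip one ciphertext byte of the pharmacy part and try to decrypt it."""
    root = ET.fromstring(xml_bytes)
    cv = root.find(f".//{{{XENC}}}CipherValue")
    blob = bytearray(base64.b64decode(cv.text))
    blob[20] ^= 0x01  # inside the ciphertext, past the 16-byte nonce
    cv.text = base64.b64encode(bytes(blob)).decode()
    try:
        decrypt_for(root, {"pharmacy-2004": PHARMACY_KEY})
        return False
    except ValueError:
        return True
```

The patient's name stays in the clear for both recipients, the pharmacy never sees the card number and the bank never sees the drug, and a single flipped ciphertext byte is rejected before any plaintext is produced, which is the property a plain XML Encryption 1.0 CBC element would not give you without an accompanying signature.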

2.3 Web services security standard

The WS-Security [6] standard arose as an extension of the SOAP-Sec [7] standard. SOAP-Sec was first developed to provide secure exchange of SOAP messages between multiple servers over the Internet. SOAP messages can travel from sender to recipient via multiple SOAP servers (intermediaries), which increases the possibility of information leaking. The SOAP-Sec specification is based on the XML digital signature standard with additional functionality for the SOAP environment, and it covers two main areas: authentication of SOAP messages, i.e. how to recognize the identity of the message sender, and digital signing of SOAP messages, i.e. how the receiver can trust them. We must also be aware that SOAP messages are usually carried over HTTP, so they pass through a firewall wherever the HTTP port is open, which is the case for every company with its own web site. To blindly trust every SOAP message that comes through the firewall would be very wrong.

Now let us get back to WS-Security. This standard includes all the functionality of SOAP-Sec plus additional functionality such as propagation of security tokens and SOAP message integrity and confidentiality. It can be used when the content of SOAP messages must be hidden from everyone but the recipient. The three most common use cases when applying WS-Security in a business environment are:

- digital signature of a SOAP message,
- encryption of a SOAP message,
- exchange of a username and password via a SOAP message (the UsernameToken).

It is worth mentioning that the default way of exchanging the username and password is plain text. Using the default could leak the credentials unless additional protection such as SSL/TLS is used; the alternative is the password digest form, in which only a hash of the password together with a nonce and a creation time is sent. When using WS-Security, developers are advised to use the following mechanisms to increase security:

- Timestamp: a timestamp added to the SOAP message indicates when the message was created.
- Sequence number or nonce: a sequence number that increases with every message, or a random nonce, lets the receiver recognize a message it has already seen and thus defeats replay attacks.
- Expiration: information added to the SOAP message indicates when it expires, so that a captured message cannot be reused indefinitely.

WS-Security can be used in a variety of fields, for example in communication between two companies or within a corporation with units spread around the globe. We have listed only some of the possibilities; the spectrum of usage is much wider.
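The UsernameToken exchange with the timestamp, nonce and expiry checks recommended above, as an added example that is not code from the paper or from any of the toolkits it names. The element names, namespace URIs and the digest rule Password_Digest = Base64(SHA-1(nonce + created + password)) are those of the OASIS WSS 1.0 Username Token Profile (2004); the IBM/Microsoft draft the paper cites used other namespace URIs, so which revision a given server speaks is an assumption here. The user table, the clock value `NOW` and the nonce cache are constructed for the example.

```python
"""WS-Security [6] UsernameToken (password-digest form) with a wsu:Timestamp,
and the receiver checks from section 2.3: expiry, clock skew, replayed nonce.

Added example, not code from the paper. Names follow the OASIS WSS 1.0 Username
Token Profile (an assumption about the server's revision). Users, NOW and the
nonce cache are constructed.
"""
import base64
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PROFILE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
PASSWORD_TEXT, PASSWORD_DIGEST = PROFILE + "#PasswordText", PROFILE + "#PasswordDigest"
for prefix, uri in (("soap", SOAP), ("wsse", WSSE), ("wsu", WSU)):
    ET.register_namespace(prefix, uri)

NOW = datetime(2004, 6, 1, 12, 0, tzinfo=timezone.utc)  # constructed clock


def iso(t: datetime) -> str:
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")


def parse(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_message(user: str, password: str, now: datetime, plaintext: bool = False,
                  ttl: timedelta = timedelta(minutes=5)) -> bytes:
    """Client side: SOAP envelope with a wsu:Timestamp and a wsse:UsernameToken."""
    nonce, created = secrets.token_bytes(16), iso(now)
    env = ET.Element(f"{{{SOAP}}}Envelope")
    sec = ET.SubElement(ET.SubElement(env, f"{{{SOAP}}}Header"), f"{{{WSSE}}}Security")
    ts = ET.SubElement(sec, f"{{{WSU}}}Timestamp")
    ET.SubElement(ts, f"{{{WSU}}}Created").text = created
    ET.SubElement(ts, f"{{{WSU}}}Expires").text = iso(now + ttl)
    tok = ET.SubElement(sec, f"{{{WSSE}}}UsernameToken")
    ET.SubElement(tok, f"{{{WSSE}}}Username").text = user
    if plaintext:  # the profile's default: the password travels in the clear
        ET.SubElement(tok, f"{{{WSSE}}}Password", Type=PASSWORD_TEXT).text = password
    else:
        digest = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
        ET.SubElement(tok, f"{{{WSSE}}}Password", Type=PASSWORD_DIGEST).text = base64.b64encode(digest).decode()
    ET.SubElement(tok, f"{{{WSSE}}}Nonce").text = base64.b64encode(nonce).decode()
    ET.SubElement(tok, f"{{{WSU}}}Created").text = created
    ET.SubElement(ET.SubElement(env, f"{{{SOAP}}}Body"), "GetInvoice", Id="42")
    return ET.tostring(env)


class Receiver:
    """Server side: accepts a message only if it is fresh, un-replayed and correctly digested."""

    def __init__(self, users: dict, skew: timedelta = timedelta(minutes=5)):
        self.users = users  # username -> password; the digest form needs the cleartext
        self.skew = skew    # tolerated clock difference between client and server
        self.seen = set()   # (user, nonce) already accepted; entries older than skew can be pruned

    def check(self, xml_bytes: bytes, now: datetime) -> str:
        env = ET.fromstring(xml_bytes)
        sec = env.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security")
        ts = sec.find(f"{{{WSU}}}Timestamp") if sec is not None else None
        if ts is None:
            return "rejected: no Security/Timestamp header"
        if now >= parse(ts.findtext(f"{{{WSU}}}Expires")):
            return "rejected: message expired"
        tok = sec.find(f"{{{WSSE}}}UsernameToken")
        user = tok.findtext(f"{{{WSSE}}}Username")
        pw = tok.find(f"{{{WSSE}}}Password")
        if pw.get("Type") != PASSWORD_DIGEST:
            return "rejected: only password digests are accepted"
        created = tok.findtext(f"{{{WSU}}}Created")
        nonce = base64.b64decode(tok.findtext(f"{{{WSSE}}}Nonce"))
        if abs(now - parse(created)) > self.skew:
            return "rejected: Created outside the clock-skew window"
        if (user, nonce) in self.seen:
            return "rejected: replayed nonce"
        password = self.users.get(user, "")  # unknown users fail the digest check, same message
        expected = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
        if not hmac.compare_digest(expected, base64.b64decode(pw.text)):
            return "rejected: bad password digest"
        self.seen.add((user, nonce))
        return "accepted"


def demo() -> tuple:
    rx = Receiver({"jurij": "s3cret"})  # constructed user table
    msg = build_message("jurij", "s3cret", NOW)
    return (rx.check(msg, NOW),
            rx.check(msg, NOW + timedelta(seconds=30)),
            rx.check(build_message("jurij", "wrong", NOW), NOW),
            rx.check(build_message("jurij", "s3cret", NOW), NOW + timedelta(minutes=6)),
            rx.check(build_message("jurij", "s3cret", NOW, plaintext=True), NOW))
```

Two practical points follow from the code: the digest form forces the server to hold cleartext passwords (or an equivalent secret), and the nonce cache only has to remember nonces for as long as the clock-skew window, since anything older is rejected on the Created check anyway.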

2.4 SAML and XACML

SAML (Security Assertion Markup Language) [8] and XACML (eXtensible Access Control Markup Language) [9] were introduced because of the need for a standardized way of managing and controlling access to resources. More precisely: SAML is a standardized XML-based language for exchanging authentication and authorization data (assertions about a subject), and XACML is a standardized XML-based language for expressing and exchanging access-control policies for resources. We now describe three situations in which SAML would be used:

- Single sign-on (SSO): the user signs in only once; other, federated web sites reuse the authentication data to sign the user in. A comparable commercial system is Microsoft Passport.
- Distributed transactions: say a customer wants to buy a car and provides the necessary data to the car dealer. When the customer then wants to insure the car, the insurance company can already retrieve the data about the car and the customer.
- Authorization service: an employee of one company can buy certain articles from another company only if she or he has the proper rights, established through SAML assertions.

SAML and XACML are tightly connected, because XACML uses SAML to collect information about subjects: an XACML policy decision point takes the subject's attributes from SAML assertions. XACML is used for managing access rights to web services at a fine-grained level, where the policy author can define which operations each user may execute. Since XACML implementations are still at an early stage, we describe only some of the most interesting use cases:

- Medical records. Electronic medical records are one of the most complex fields of informatics. They contain a wide range of sensitive data which could harm a patient if not handled properly.
- Banking services. Banking data contain a large amount of sensitive information about a client's financial status. Such data should be accessible only to selected people and never to everyone.
- Web servers. With XACML we can specify which web services can be executed by which user; we can even specify which classes a particular user may execute.

We use both standards (SAML and XACML) when we want a centralized way of managing data about resource access rights and about authentication and authorization. Such a centrally driven data store can itself be provided via web services.

2.5 XML Key management specification

XKMS (XML Key Management Specification) [10] is a standard for managing public and private keys. It consists of two parts. The XML Key Information Service Specification (X-KISS) defines an XML-based protocol for retrieving information about public keys over the network, and the XML Key Registration Service Specification (X-KRSS) defines an XML-based protocol for registering public/private key pairs; registered keys can later be looked up with X-KISS. X-KISS is designed on three levels, depending on the needs of the developer and the user:

- The first level is the processing of the RetrievalMethod element in XML documents, which is much the same as processing the KeyInfo of an XML digital signature.
- The next level is the Locate service, which returns key information to the requester. The service is not obliged to return authenticated information about the key.
- The top level is the Validate service. It searches for information about the requested key and sends it to the requester, and it also vouches for the validity and authenticity of the key, which the Locate service does not.

The X-KRSS protocol consists of two separate parts. The first is registration of client-generated keys: the user requests registration and provides the public key to the registration service, which can demand additional proof of ownership (proof of possession of the private key) from the user. The second part standardizes registration of server-generated keys: the server creates both the public and the private key and sends the private key to the user. Sending the private key over the network can open a security hole, since the data could be intercepted, so the private key must be delivered only over an encrypted channel or itself encrypted for the requester. We use XKMS when we want public/private keys to be organized centrally; the scope can be defined at will, from a local installation through small or medium-size organizations to worldwide. XKMS can be an additional building block for technologies already in use, such as PKI or Kerberos, and it can also be used when we want to act as the key authority for some interest group.
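The coupling of SAML and XACML described in section 2.4, as an added example that is not code from the paper: a SAML 1.1 attribute assertion is accepted only inside its validity window and for the intended audience, its attributes become the subject of an access request, and an XACML-style policy decision point evaluates the rules with the deny-overrides combining algorithm, so a manager who is also the author of an invoice may not approve it. The assertion uses SAML 1.x element names; the policy keeps XACML's concepts (Policy, Rule, Effect, Target, Condition, RuleCombiningAlgId) in a compact syntax of this example's own rather than the conformant XACML 1.0 schema, and the condition function identifier is invented. A real assertion carries an XML signature that is verified before any of this; that step is omitted. Issuer, audience, user, policy and times are constructed.

```python
"""A SAML 1.1 attribute assertion feeding an XACML-style policy decision (section 2.4).

Added example, not code from the paper. SAML element names are the standard's;
the policy syntax is a compact stand-in for XACML 1.0 that keeps its semantics;
the condition function id is invented. Signature verification of the assertion
is omitted. Issuer, AUDIENCE, user, POLICY and times are constructed.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
DENY_OVERRIDES = "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides"
AUDIENCE = "https://invoices.example.si"  # constructed: the service this PDP protects

ASSERTION = f"""<Assertion xmlns="{SAML}" Issuer="https://idp.example.si" IssueInstant="2004-06-01T12:00:00Z">
  <Conditions NotBefore="2004-06-01T11:55:00Z" NotOnOrAfter="2004-06-01T12:10:00Z">
    <AudienceRestrictionCondition><Audience>{AUDIENCE}</Audience></AudienceRestrictionCondition>
  </Conditions>
  <AttributeStatement>
    <Subject><NameIdentifier>jurij</NameIdentifier></Subject>
    <Attribute AttributeName="role" AttributeNamespace="urn:example:attributes">
      <AttributeValue>clerk</AttributeValue><AttributeValue>manager</AttributeValue>
    </Attribute>
  </AttributeStatement>
</Assertion>""".encode()

POLICY = f"""<Policy PolicyId="invoice-service" RuleCombiningAlgId="{DENY_OVERRIDES}">
  <Rule RuleId="clerks-read" Effect="Permit">
    <Target><Subject role="clerk"/><Resource>ws:invoice</Resource><Action>read</Action></Target>
  </Rule>
  <Rule RuleId="managers-approve" Effect="Permit">
    <Target><Subject role="manager"/><Resource>ws:invoice</Resource><Action>approve</Action></Target>
  </Rule>
  <Rule RuleId="no-self-approval" Effect="Deny">
    <Target><Resource>ws:invoice</Resource><Action>approve</Action></Target>
    <Condition FunctionId="urn:example:subject-is-resource-owner"/>
  </Rule>
</Policy>"""

# Condition functions by id (invented id); real XACML uses Apply/FunctionId trees.
CONDITIONS = {"urn:example:subject-is-resource-owner": lambda subj, res: subj["name"] == res["owner"]}


def parse(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def subject_from_assertion(xml_bytes: bytes, now: datetime, audience: str) -> dict:
    """Accept the assertion only inside its validity window and for our audience,
    then collect the subject name and its multi-valued attributes."""
    a = ET.fromstring(xml_bytes)
    cond = a.find(f"{{{SAML}}}Conditions")
    if not parse(cond.get("NotBefore")) <= now < parse(cond.get("NotOnOrAfter")):
        raise ValueError("assertion is not valid at this time")
    if audience not in [e.text for e in cond.iter(f"{{{SAML}}}Audience")]:
        raise ValueError("assertion was issued for another audience")
    st = a.find(f"{{{SAML}}}AttributeStatement")
    attrs = {}
    for attr in st.findall(f"{{{SAML}}}Attribute"):
        values = {v.text for v in attr.findall(f"{{{SAML}}}AttributeValue")}
        attrs.setdefault(attr.get("AttributeName"), set()).update(values)
    return {"name": st.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameIdentifier"), "attributes": attrs}


def rule_applies(rule: ET.Element, subject: dict, resource: dict, action: str) -> bool:
    """Target match on subject attributes, resource id and action, then the Condition."""
    target = rule.find("Target")
    subj = target.find("Subject")
    if subj is not None and not all(v in subject["attributes"].get(k, set()) for k, v in subj.attrib.items()):
        return False
    if target.findtext("Resource") not in (None, resource["id"]):
        return False
    if target.findtext("Action") not in (None, action):
        return False
    cond = rule.find("Condition")
    return cond is None or CONDITIONS[cond.get("FunctionId")](subject, resource)


def decide(policy_xml: str, subject: dict, resource: dict, action: str) -> str:
    """Policy decision point: deny-overrides over the rules whose targets match."""
    policy = ET.fromstring(policy_xml)
    if policy.get("RuleCombiningAlgId") != DENY_OVERRIDES:
        raise ValueError("only deny-overrides is implemented here")
    effects = {r.get("Effect") for r in policy.findall("Rule") if rule_applies(r, subject, resource, action)}
    return "Deny" if "Deny" in effects else "Permit" if "Permit" in effects else "NotApplicable"


def assertion_accepted(now_iso: str, audience: str = AUDIENCE) -> bool:
    try:
        subject_from_assertion(ASSERTION, parse(now_iso), audience)
        return True
    except ValueError:
        return False


def demo(now: datetime = datetime(2004, 6, 1, 12, 0, tzinfo=timezone.utc)) -> tuple:
    subject = subject_from_assertion(ASSERTION, now, AUDIENCE)
    own = {"id": "ws:invoice", "owner": "jurij"}  # constructed resources
    other = {"id": "ws:invoice", "owner": "marjan"}
    return (decide(POLICY, subject, own, "read"),        # Permit
            decide(POLICY, subject, other, "approve"),   # Permit
            decide(POLICY, subject, own, "approve"),     # Deny wins over Permit
            decide(POLICY, subject, own, "delete"))      # NotApplicable: no rule matches
```

The third decision is the reason to prefer deny-overrides for this kind of policy: the manager rule permits the approval, but the self-approval rule denies it, and the deny wins. A permit-overrides policy would have let it through.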

3 Web services interoperability

In the last few years a struggle has developed in the field of web services. The developers of standards have divided into two camps. The first group holds that web services are developing too slowly, the second that they are developing at just the right speed. Members of the first group decided to establish a new standardization organization with the goal of bringing fresh wind into the sails of web services development, and so the founders (IBM, Microsoft and others) established the Web Services Interoperability Organization (WS-I) [11]. The goal of WS-I is not to develop new standards but to extract best practices from the existing ones. WS-I would also like to provide a mechanism for validating and certifying implementations. Sun has already announced compliance of the Java WSDP (Java Web Services Developer Pack) [12] with the WS-I basic profile. WS-I has defined a set of profiles corresponding to different needs of working with web services; these profiles are the basic and the extended profile, as shown in Fig. 2.

Figure 2. Security standards proposed by the Web Services Interoperability Organization. (Figure not reproduced: it draws the profiles as a house under the WS-I roof, with the basic profile as the foundation and the extended profile, containing WS-SecureConversation, WS-Federation, WS-Authorization, WS-Trust, WS-Privacy and WS-Policy, as the walls.)

With the introduction of profiles WS-I has caused some anxiety in the web services arena. Some say that the security standards in the basic profile will have an advantage in development over those in the extended profile. Another obstacle some see is the wish of WS-I to license web services standards, which is the opposite of the position defended by the W3C [17] and OASIS [18]. We will not go deeper into the WS-I profiles; basically we can look at them as the house in Fig. 2: the basic profile defines the foundation of the house, and thus of security, the extended profile forms the walls, and both profiles are under the roof of WS-I.

4 Conclusion

In this article we have described the current situation in web services security. We have seen that the field includes a wide range of security standards, from digital signatures to public key infrastructure. We have also noted that some companies are not satisfied with the progress of security standards for web services and have therefore established a new organization to promote them. At the moment there is no product, commercial or open source, that includes all the security standards for web services; instead, the developers of security standards provide toolkits that are integrated with application servers, for instance BEA WebLogic [13], IBM WebSphere [14], Apache Axis [15], JBoss [16] and Microsoft .NET [19], to name some of the most important ones. In any case, web services will remain on the scene for quite some time. The history of distributed computing has shown that the success of a new technology depends largely on reaching a critical mass, the so-called network effect: the more a technology is used and spread, the greater the chance that it will dominate in the future. We can state that web services have already reached, and indeed exceeded, that critical mass, and we predict a bright future for them.

References

[1] Alan O. Freier, Philip Karlton, Paul C. Kocher, The SSL Protocol, Version 3.0, http://wp.netscape.com/eng/ssl3/draft302.txt, November 1996.
[2] Tim Dierks, Eric Rescorla, The TLS Protocol, Version 1.1, http://www.ietf.org/internetdrafts/draft-ietf-tls-rfc2246-bis-05.txt, June 2003.
[3] Don Box, David Ehnebuske, Gopal Kakivaya, Andrew Layman, Noah Mendelsohn, Henrik Frystyk Nielsen, Satish Thatte, Dave Winer, Simple Object Access Protocol (SOAP) 1.1, http://www.w3.org/TR/SOAP/, May 2000.
[4] Mark Bartel, John Boyer, Barb Fox, Brian LaMacchia, Ed Simon, XML-Signature Syntax and Processing, http://www.w3.org/TR/xmldsig-core/, February 2002.
[5] Takeshi Imamura, Blair Dillaway, Ed Simon, XML Encryption Syntax and Processing, http://www.w3.org/TR/xmlenc-core/, December 2002.
[6] Bob Atkinson, Giovanni Della-Libera, Satoshi Hada, Maryann Hondo, Phillip Hallam-Baker, Johannes Klein, Brian LaMacchia, Paul Leach, John Manferdelli, Hiroshi Maruyama, Anthony Nadalin, Nataraj Nagaratnam, Hemma Prafullchandra, John Shewchuk, Dan Simon, Web Services Security (WS-Security), http://www106.ibm.com/developerworks/library/ws-secure/, April 2002.
[7] Allen Brown, Barbara Fox, Satoshi Hada, Brian LaMacchia, Hiroshi Maruyama, SOAP Security Extensions, http://www.w3.org/TR/SOAP-dsig/, February 2001.
[8] Security Assertion Markup Language, OASIS, http://www.oasis-open.org/committees/security/, September 2003.
[9] OASIS eXtensible Access Control Markup Language TC, http://www.oasis-open.org/committees/xacml/, February 2003.
[10] Warwick Ford, Phillip Hallam-Baker, Barbara Fox, Blair Dillaway, Brian LaMacchia, Jeremy Epstein, Joe Lapp, XML Key Management Specification (XKMS), http://www.w3.org/TR/xkms/, March 2001.
[11] Web Services Interoperability Organization, http://www.ws-i.org/.
[12] Qusay H. Mahmoud, What's New in Java Web Services Developer Pack (Java WSDP) 1.2, http://developer.java.sun.com/developer/technicalArticles/WebServices/JWSDP 1.2/, September 2003.
[13] BEA WebLogic Application Server, http://www.bea.com/framework.jsp?CNT=index.htm&FP=/content/products/server, 2003.
[14] IBM WebSphere Application Server, http://www3.ibm.com/software/info1/websphere/index.jsp?tab=products/appserv, 2003.
[15] Apache Web Services - Axis, http://ws.apache.org/axis/, 2003.
[16] JBoss Application Server, http://www.jboss.org/index.html, 2003.
[17] World Wide Web Consortium, http://www.w3c.org/, 2003.
[18] OASIS Consortium, http://www.oasis-open.org/home/index.php, 2003.
[19] Microsoft .NET Homepage, http://www.microsoft.com/net/, 2003.

Mag. Jurij Laznik was born in Hrastnik, Slovenia, in 1975. He received his B.Sc. degree from the University of Maribor in 2001 and his M.Sc. degree from the University of Maribor in 2004. His research interests include web services, security and distributed computing. He is a Ph.D. student at the University of Maribor.

Dr. Matjaž B. Jurič is an Assistant Professor at the University of Maribor. He has been involved in several large-scale object technology projects. In cooperation with the IBM Java Technology Centre he worked on performance analysis and optimization in RMI-IIOP development, an integral part of the Java 2 Platform. Matjaž has authored or co-authored the books Business Process Execution Language for Web Services (Packt Publishing), J2EE Design Patterns Applied, Professional J2EE EAI and Professional EJB (Wrox Press, part of Wiley Publishing), and has published a chapter in More Java Gems (Cambridge University Press) and Technology Supporting Business Solutions (Nova Science Publishers). He has published in journals and magazines such as Web Services Journal, eAI Journal, Java Developer's Journal, Java Report, JavaWorld, ACM journals and Elsevier journals, and has presented at conferences such as OOPSLA, XML Europe, SIGS Java Development, BEA Forums, Wrox Conferences, SCI and others. He is also a reviewer, program committee member and conference co-organizer.

Dr. Marjan Heričko is an Associate Professor and the deputy head of the Institute of Informatics at the Faculty of Electrical Engineering and Computer Science, University of Maribor. His research areas cover all aspects of object technology and component development, with a focus on knowledge management, modern architectures, metrics and software quality. He has presented his experience in many articles at Slovenian and foreign conferences and in journals. He is the technical coordinator of the Center for Object Technology and chairman of the conference OTS (Object Technology in Slovenia). During the last five years he has been a member of 12 project teams in projects related to SPI and OO technologies. He is the author or co-author of more than 290 publications.
