verybody’s talking about Web services. It’s the buzz term of the moment. The promise of application-to-application interactions using remote procedure calls over Web connections has grabbed the attention of many in the IT industry. As is often the case with new technologies, however, what Web services can do is discussed much more often than the security implementations that they require. This year’s RSA Conference in San Francisco devoted an entire track of sessions to secure Web services, indicating that the organizers recognize the importance of security in this burgeoning technology?and developers should also.
Ari Kermaier’s session, “Securing Web Services: XML Security Standards in Practice” gave developers an understanding of how they could implement the maturing XML security standards into their Web services applications. Kermaier, an engineering manager at Phaos Technology, illustrated the use of these standards in an end-to-end solution.
XML and Interoperable Security
Kermaier asserts that “XML is the format of choice for Web services, and a large number of protocols have emerged for XML from standards bodies like the W3C, OASIS, and the Liberty Alliance.” In fact, the number of standards and protocols is so large and comes from so many disparate sources that making sure Web services of all flavors can talk to each other is a major concern.
“I can’t emphasize enough the importance of open standards and interoperability testing to the success of Web services security,” stressed Kermaier. “The promise of Web services relies on common standards for locating and accessing resources (WSDL, UDDI, etc.), and Web service security standards will succeed largely to the degree that vendors and developers prioritize interoperability.”
To that end, Kermaier used three XML security standards in his demonstration that he believes are fairly mature and well suited to implementing Web services security today:
- XML signature ? a standard that supports various digital signature configurations (W3C recommendation)
- XML encryption ? a standard that supports different encryption types (W3C recommendation)
- XML Key Management Specification 2.0 (XKMS) ? a collection of protocols for key management via a Web service (W3C working draft)
XML Security Standards in Action
“Once you’ve chosen good cryptographic algorithms and standards, avoiding errors of implementation and deployment is the most important aspect of achieving real security,” said Kermaier. To help developers avoid such missteps, he outlined the four main aspects of Web services security in which each of the XML standards can be used:
- Data integrity ? Ensuring data wasn’t modified in transit (XML signature and XML encryption)
- Data confidentiality ? Ensuring data is visible only to the intended recipient (symmetric and public key encryption)
- Key management ? Ensuring reliable key distribution (traditional and proprietary PKI schemes)
- Authentication/identity management ? Ensuring users of the service are who they claim to be (SAML, Liberty Alliance, access controls, and user directories)
Data Integrity and Confidentiality
Developers traditionally have relied on SSL to ensure the type of transaction layer security (TLS) that supports data integrity and confidentiality. In the realm of Web services, however, TLS comes up a little short. TLS for a Web service is an all-or-nothing proposition, because it doesn’t allow developers to apply different levels of security to different parts of a document. TLS also doesn’t support secure persistent data nor does it leave an audit trail. Chained services and workflow applications are left out of TLS because of its point-to-point structure.
The solution Kermaier proposes is moving security inside the message document with XML signature and XML encryption, which developers can use to protect non-XML data as well. These standards allow developers to sign and encrypt elements within a document, and Kermaier believes that “developers who are already doing message-level processing, such as SOAP header inspection, should not find adding message-level security conceptually difficult.” He added, “encapsulating the security services in modular components allows changes and updates to be applied with minimal disruption of the code that implements an application’s business logic.”Key Management
Kermaier said, “making sure that your keys are securely stored and accessed, particularly in a distributed service deployment, is crucial. In a similar vein, implementers must carefully consider how sensitive data is stored and retrieved by the Web service.” XKMS is the standard that addresses these imperatives.
XKMS locates signer or recipient public keys, validates public key certificates, and supports core PKI functions such as key pair generation. Because it is Web service-based, XKMS removes all of its functions from the application domain.
As an example of where key management comes into play for the Web service developer, Kermaier offered the following scenario: “a distributed J2EE application using stateful session beans with container-managed state needs to be designed to make sure that secrets and keys are not unexpectedly serialized in ways that expose the data inappropriately. It is these kinds of implementation details that present a challenge to the developer who needs to incorporate strong security into Web services.”
Authentication and Identity Management
Kermaier cited SAML and Project Liberty as solutions for authentication and identity management in the Web services space. SAML offers a flexible, extensible, and abstract framework for businesses and Web services to exchange security information about their users. Project Liberty, which Kermaier calls “a giant step toward achieving interoperability goals in the realm of authentication and identity management,” uses SAML to define several profiles that developers can use to implement single sign-on and federated identity for their users.
Interoperability Is Key
Looking down the road of Web services security development, which developers, standards bodies, and vendors have only just begun to travel, Kermaier places interoperability above all other goals. “The key to successfully applying Web services security protocols will be interoperability. If implementers adhere to the open standards and participate in industry interoperability testing, the higher-level security protocols built on XML signatures and encryption will have a much better chance of reaching maturity and widespread adoption.”