Web Services Security Initiatives

SOAP is simplistic: it allows for basic communication between services through structured data exchange, independent of language or platform. It depends upon underlying transport protocols (e.g., HTTPS and others) for its security. The initial SOAP specification focused primarily on extensibility and made security a second-class citizen.

One principle of Web services is to build on and extend what already exists and implement by merging existing technologies. SOAP is the foundation of the Web services infrastructure and is the focus of emerging security efforts. To create enterprise Web services, security considerations must extend past the SOAP specifications and go deeper into the underlying messaging approach. Many business transactions, such as establishing trust relationships and exchanging confidential information, require building additional security into SOAP.

Some of the XML specifications covered in this chapter are encryption, digital signatures, and key management services. Other standards-based organizations, such as OASIS and WS-I, are working on additional specifications related to SOAP security, including Extensible Access Control Markup Language (XACML) and Security Assertion Markup Language (SAML). The above standards provide the security foundation for SOAP and other XML-based messaging paradigms. This will become crucial for XML messages that pass through intermediaries.

Message Layer Security

Compared to transport-based security schemes such as SSL, incorporating security into the SOAP message provides several important advantages in Web services architecture. First, the interoperable nature of SOAP allows it to use a variety of transport protocols, including HTTP, SMTP, and others. In these scenarios, the message is transported from the originator through one-to-many intermediaries to the ultimate destination. When an intermediary receives a SOAP message, it processes entries contained in the header intended for itself and removes them before sending the message to the next destination.

Design

Privacy for Web services and the sensitivity of the messages over the public Internet could mandate the use of encryption in your architecture. Encryption is the act of taking data (usually referred to as clear text) and a short string (the key) and producing data (cipher text). The resulting cipher text is meaningless to a third party who does not know the key. Decryption is the inverse of encryption: taking cipher text and key and producing clear text.

Password encryption derives an encryption key from a user-supplied password. To make the task of discovering the key from the password more time-consuming, many implementations mix in a random variable, known as a salt, to create the key.

Several industry-standard algorithms can be chosen for a custom encryption mechanism. One of the elements to consider is whether the encrypted data needs to be decrypted once encrypted. Some algorithms are appropriate for one-way encryption, typically used in login and authentication scenarios. One-way encryption prevents the data from being reversed, which is important for credentials. Two-way encryption allows for reversible encryption.

A key agreement is a protocol in which two or more parties establish the same cryptographic keys without exchanging any secret information. Message authentication codes are a way for two parties to check the integrity of information stored in or transmitted over an unreliable medium and are based on a secret key. Typically, both parties have the same key, referred to as a shared secret.

Using Secure Sockets Layer to access your Web service will prevent "man-in-the-middle" attacks and stop data from being read or modified in transit. As previously mentioned, SSL does require additional processing overhead if done in software. This can be alleviated by using SSL accelerator network-interface cards.

XML Digital Signatures

XML Digital Signatures is a standard that allows for specifying the syntax and processing rules for attaching digital signatures to XML documents. An XML digital signature takes data objects, calculates a digest (fixed-length representation of a variable-length stream), and places the result into the signature element.

The standard allows XML to functionally sign itself over an insecure network. XML signatures can be attached to any form of digital content, including XML (data objects). An XML signature can sign more than one type of resource, such as HTML, binary-encoded data (GIFs and JPEGs), or an XML-encoded section of an XML file.

Security Assertions Markup Language

Security Assertions Markup Language (SAML) is an XML-based framework used to exchange security information between business partners over the Internet. The driving force behind the creation of SAML is to enable interoperability between different security service providers. Prior to Web services, security was implemented primarily within a single organization. Now that organizations need to collaborate with business partners electronically, the ability to authenticate a user or service across organizations becomes imperative.

A Web services transaction started by one Web service can be completed at a different Web service and may require security information to be shared across all services involved in the transaction. SAML allows services to exchange authentication, authorization, and attribute information without organizations and their partners having to modify their current security solutions. SAML is designed to work with multiple industry-standard protocols such as HTTP and SMTP and integrates document-exchange protocols such as SOAP, BizTalk, and EbXML.

Extensible Access Control Markup Language

Extensible Access Control Markup Language (XACML) defines standardized security access control using XML to state authorization rules over a public connection. XACML also allows validation and revocation, based on defined authorization rules.

Key Management Specification

XML Key Management Specification (XKMS) is a standard that detail protocols for registration and distribution of public keys, so that the keys can be used in combination with XML digital signatures and encryption. XKMS was created to simplify the integration of digital certificates and public key infrastructure (PKI) with a multitude of applications. Applications that use this specification can easily integrate authentication, digital signature, and encryption services. XKMS includes support for certificate processing and revocation status checking.

Encryption Algorithm Selection

Algorithms can be generically categorized as either symmetric or asymmetric. A symmetric-key algorithm, better known as a shared secret, uses a single key for encryption and decryption. This is suitable when two parties have established a relationship in advance. Table 15.2 shows some of the algorithms that can be used in a symmetric scenario.

Asymmetric algorithms are better known as public/private-key. This encryption is best used between two parties who have no prior knowledge of each other but want to exchange data securely. Unlike symmetric algorithms, asymmetric algorithms use two different cryptographic keys to encrypt and decrypt plain text. The two keys have a mathematical relationship. A message encrypted by the algorithm using one key can be decrypted by the same algorithm using the other key. Some asymmetric algorithms have the property that one key is deducible from the other. These algorithms are typically incorporated into public/private-key algorithms commonly used by certificate providers.

Encryption mechanisms typically use various algorithms for their routines. Listed below are some of the algorithms that can be used to develop your own encryption mechanism, along with their relative strengths and weaknesses. Many other encryption algorithms can be part of your toolkit but are not in widespread usage. If you want to go down this path, we recommend Applied Cryptography, by Bruce Schneier (Wiley, 1996).

Blowfish

Blowfish is a 64-bit block cipher algorithm. This essentially means that data is encrypted in 64-bit chunks. The Blowfish algorithm allows for varying key lengths, from 32 to 448 bits, and uses sixteen iterations of the main algorithm. The number of iterations is exponentially proportional to the time required to find a key using a brute-force attack. As the number of iterations increases, so does the algorithm's security.

SkipJack

SkipJack is 64-bit algorithm that transforms a 64-bit input block into a 64-bit output block. The transformation is parameterized by an 80-bit key and involves performing 32 iterations of a nonlinear complex function. In a key-based algorithm, the number of possible keys is directly related to the length of the key. Since SkipJack uses 80-bit keys, it means that there are 280, or more than one trillion trillion, possible keys.

Twofish

Twofish is a 128-bit block cipher algorithm. This essentially means that data is encrypted in 128-bit chunks. The Twofish algorithm allows for varying key lengths. It also uses sixteen iterations of its main algorithm, to ensure maximum security. This algorithm has been compromised with five iterations but never with sixteen. More than sixteen iterations can be used, but the tradeoff in slower speed is not worth the higher security.

Triple DES

The DES algorithm was invented by IBM around 1970 and was initially designed with a key size of 128 bits. This algorithm has been successfully cracked by a group of Internet users (DESCHALL) using spare computer cycles. Based on current computer technology, this algorithm can be cracked in anywhere from six hours to as little as three minutes. Triple DES uses the DES algorithm but encrypts data with DES three times, using three different keys. It is useful for securing low-security data, such as grade books or diaries.

MD5 and SHA1

A digest, such as MD5 or SHA1, takes an arbitrary-sized byte array and generates a fixed-size output, commonly referred to as a digest or hash. The fundamental requirements of a digest are that it should never reveal anything about the input used to generate it. While two different messages could potentially generate the same hash value, it should be computationally infeasible to do so. These algorithms are typically used for "fingerprinting" or digital signatures.

S/MIME

S/MIME is an emerging standard that uses a 40-bit symmetrical encryption for all messages. The message contains a digital signature the receiving party must receive before decrypting the message.

Ralph Merkle's Puzzle Protocol

A puzzle is a string that takes precisely a known amount of time to decrypt. For example, one way to create a puzzle is to encrypt a message with a symmetric cipher and a very short key of 20 bits. Let us say that no better way exists for attacking the cipher than brute force. Therefore, anyone attempting to crack the puzzle will have to try every possible 20-bit key. Searching the entire key space will take 220 operations. The odds are good that the key will be discovered halfway through, so it is expected to take 219 operations.

Diffie-Hellman

The Diffie-Hellman key agreement protocol, developed in 1996, allows two users to exchange a secret key over an insecure medium without any prior secrets. This protocol depends on a discrete logarithmic problem for its security. It makes the assumption that it is computationally unfeasible to calculate a shared secret key, given two public values that are sufficiently large. This protocol has limitations, in that it does not validate either party.

DSA

The National Institute for Standards and Technology (NIST) published the Digital Signature Algorithm (DSA) as part of the government's Capstone project, which seeks to develop a standard for publicly available cryptography. The Capstone project used 80-bit symmetric keys.

DSA signature generation is significantly faster than signature verification and is therefore not an optimal algorithm compared to RSA. Typically, a message may be signed once but read many times. Therefore, it is advantageous to have faster signature verification.

RSA

The first known asymmetric algorithm was invented by Clifford Cocks but was not public. It was therefore reinvented by Ronald Rivest, Adi Shamir, and Leonard Adelman, (RSA) at MIT during the 1970s. RSA is a public-key cryptographic approach that allows for both encryption and digital signatures. The RSA algorithm relies for its security on factoring very large integers. Encryption and authentication occur without sharing private keys. Each party uses the other's public key or its own private key for operations. Any party can send an encrypted message and/or verify a signed message, but only the party that possesses the correct private key can decrypt or sign a message. RSA has certain weaknesses and is vulnerable to attack by factoring the modulus part of the public key.

Elliptic Curves

Elliptic-curve algorithms, created by Victor Miller and Neal Koblitz in the mid-1980s, are analogs of existing public-key approaches in which elliptic curves replace modular arithmetic operations. An elliptic curve is a mathematical construction from number theory and algebraic geometry and can be defined over any field.

Example: Asymmetric Puzzles

Let us look at the procedure for using Merkle's Puzzle to encrypt legal documents sent between Flute Bank's Loan Officer (Rodney) and a customer (Alicia):

1. Alicia creates a puzzle using the signed contract received from Rodney. Alicia encrypts her signed contract with a very long, randomly chosen key, using a symmetric algorithm such as Blowfish. Since the key is large, Alicia will not wait for Rodney to read the contract, because it will take a long time to be decrypted.

2. Alicia sends the puzzle to Rodney and asks for a return receipt.

3. Alicia receives the return receipt, whereby Rodney asks for a "hint" for the puzzle. Rodney will use this hint to solve the puzzle instead of computing it himself. The hint does not reveal the contract (message).

4. Alicia in turn sends Rodney the first few bits of the key and asks for a return receipt for the hint.

5. When Alicia receives no additional requests for hints, this means that either the mathematical combinations have been reduced to a point where they are easy to calculate or the puzzle has been solved.

When Rodney sends Alicia a return receipt for the puzzle, she knows he possesses enough information to reconstruct the message. Every time she receives a request for a hint from him, she knows how much time is left until he can read the message. Also, because she does not give out hints until Rodney requests them by sending a return receipt, she knows how much of a hint he has.

You may have noticed that asymmetric algorithms are slower than comparably secure symmetric algorithms—sometimes on the order of magnitude of one hundred times slower. Many cryptographic systems use a combination of both approaches, where a receiver's public key encrypts a symmetric-key algorithm used to encrypt a message. This uses the best of both worlds when properly done.

Organizations that operate outside the United States and Canada must be aware of national laws and export regulations. Many of the encryption algorithms that use large keys cannot be exported to certain foreign countries: Afghanistan, Cuba, Iran, Iraq, Libya, North Korea, Serbia, Sudan, Syria, and others. France also has its own unique laws in this regard. For further information on export rules, visit www.bxa.doc.gov.

Many open source activities, such as www.openjce.org, provide additional algorithms that are secure and do not have export restrictions. It is up to you to determine which of the listed algorithms fits your business needs and falls within legal guidelines.