
SP 800-95, NIST SPECIAL PUBLICATION: GUIDE TO SECURE WEB SERVICES (AUG 2007)

The advance of Web services technologies promises to have far-reaching effects on the Internet and enterprise networks. Web services based on the eXtensible Markup Language (XML), SOAP, and related open standards, and deployed in Service Oriented Architectures (SOA), allow data and applications to interact without human intervention through dynamic and ad hoc connections. Web services technology can be implemented in a wide variety of architectures, can co-exist with other technologies and software design approaches, and can be adopted in an evolutionary manner without requiring major transformations to legacy applications and databases.

The security challenges presented by the Web services approach are formidable and unavoidable. Many of the features that make Web services attractive, including greater accessibility of data, dynamic application-to-application connections, and relative autonomy (lack of human intervention), are at odds with traditional security models and controls. The primary purpose of this publication is to inform people about securing Web services. Difficult issues and unsolved problems exist, such as protecting the following:

- Confidentiality and integrity of data that is transmitted via Web services protocols in service-to-service transactions, including data that traverses intermediary services
- Functional integrity of the Web services, which requires the establishment of trust between services on a transaction-by-transaction basis
- Availability in the face of denial of service attacks that exploit vulnerabilities unique to Web service technologies, especially those targeting core services, such as the discovery service, on which other services rely.

Perimeter-based network security technologies (e.g., firewalls) are inadequate to protect SOAs for the following reasons:

- SOAs are dynamic and can seldom be fully constrained to the physical boundaries of a single network.
- SOAP is transmitted over HyperText Transfer Protocol (HTTP), which is allowed to flow without restriction through most firewalls.

Moreover, Transport Layer Security (TLS), which is used to authenticate and encrypt Web-based messages, is inadequate for protecting SOAP messages because it is designed to operate between two endpoints. TLS cannot accommodate Web services' inherent ability to forward messages to multiple other Web services simultaneously. The Web service processing model requires the ability to secure SOAP messages and XML documents as they are forwarded along potentially long and complex chains of consumer, provider, and intermediary services. The nature of Web services processing makes those services subject to unique attacks, as well as variations on familiar attacks targeting Web servers.

Ensuring the security of Web services involves augmenting traditional security mechanisms with security frameworks based on the use of authentication, authorization, confidentiality, and integrity mechanisms. This document describes how to implement those security mechanisms in Web services. It also discusses how to make Web services and portal applications robust against the attacks to which they are subject. The following is a summary of security techniques for Web services:

- Confidentiality of Web service messages using XML Encryption. This is a specification from the World Wide Web Consortium (W3C), and it provides a mechanism to encrypt XML documents.
- Integrity of Web service messages using XML Signature. This is a specification produced jointly by the W3C and the Internet Engineering Task Force (IETF). The power of XML Signature is the ability to selectively sign XML data.
- Web service authentication and authorization using XML Signature, Security Assertion Markup Language (SAML), and eXtensible Access Control Markup Language (XACML), as proposed by the Organization for the Advancement of Structured Information Standards (OASIS). SAML and XACML provide mechanisms for authentication and authorization in a Web services environment.
- Web Services (WS)-Security. This specification, produced by OASIS, defines a set of SOAP header extensions for end-to-end SOAP messaging security. It supports message integrity and confidentiality by allowing communicating partners to exchange signed, encrypted messages in a Web services environment.
- Security for Universal Description, Discovery and Integration (UDDI). Produced by OASIS, UDDI allows Web services to be easily located and subsequently invoked. Security for UDDI enables publishers, inquirers, and subscribers to authenticate themselves and authorize the information published in the directory.

SP-800-95, version 07-2007, 585.61 KB, file SP-800-95_2007
