
18th March 2002


Secure Web services: Overview for developers

As Web Services become more widespread, security issues become more complex. There is a need for new thinking when it comes to security for IT systems, says Hemant Adarkar, as he presents an overview of the latest developments in security from the Web Services perspective.

The latest on security

DEVELOPERS interested in learning more about security and the latest developments in this fascinating area will find useful information at these websites:

  • For a general introduction to security in IT systems visit www.rsa.com.
  • The Kerberos authentication service FAQ is at: web.mit.edu/kerberos/www/
  • Find out more on SAML at xml.coverpages.org/saml.html
  • XML Signature information is at xml.coverpages.org/xmlSig.html
  • For more on XML encryption go to xml.coverpages.org/xmlAndEncryption.html
  • XACML details are at xml.coverpages.org/xacl.html
  • XKMS can be studied in-depth at xml.coverpages.org/xkms.html

As the dust settles after the over-hyped dot com-dot gone era, Web Services are being billed as the next big development in the IT industry. This new technology in the arena of Internet-based applications and transactions enables the various systems connected to a network to describe, locate and use applications programmatically. “Silicon-based life forms can now communicate with each other,” quips James Gosling, the leader of the Sun Microsystems development team that invented Java.

Stable communication between two computers entails reliability and security. The standards for the former have been clearly laid out through the acceptance of XML: today we know how to parse and pass the data around. The next question concerns security, and that is precisely what this article discusses.

Seamless integration of systems and applications over a network is the name of the game, and that is, after all, the ultimate aim of Web Services. But one implication of this grand design is that there is a real probability of sensitive information finding its way to unknown parties.

Current security gaps

Traditional methods of securing e-commerce include authentication through a user ID and a password; OS-based access control lists on documents or files for authorisation; digests for data integrity; and Secure Sockets Layer (SSL) for encryption. Although the traditional non-repudiation techniques such as digital signatures and chronological stamping have been around for a few years, their implementation continues to be non-trivial and expensive.

At the moment, a strong security architecture for Web Services does not exist even at a conceptual level. Microsoft’s Passport is easy to crack if there is no transport layer encryption. SSL is employed by many to cipher the network traffic, but it has many lacunae. SSL loads processors because of the computation its encryption demands, and techniques to speed SSL up are expensive for the time being.

SSL security is fine as long as there are no intermediary systems involved. In other words, SSL does not provide end-to-end security: it protects each hop, not the transaction as a whole. The details of the initiator of the transaction are not necessarily verified at each stage; that is relegated to application logic rather than treated as an architectural consideration. In addition, the data can easily be altered at an intermediate stage, such as a credit verification system, during a payment transaction.

New developments

It’s time to inject fresh ideas into the way we think about security in IT systems. The evolution from client-server to the Web to Web Services must be kept in mind before arriving at new standards in security. The single sign-on of the intranet and the Web transforms into a global sign-on that authenticates one’s access to multiple applications. It is heartening to note that a serious academic project on authentication technology at MIT, Kerberos, has now been accepted by the commercial world. Kerberos uses cryptographic tokens to identify users and is suitable for use in Web Services. Microsoft is using this technology to strengthen its Passport secure single sign-on system. A non-Microsoft consortium called the Liberty Alliance Project is developing a federated, or non-centralised, authentication mechanism. The Liberty Alliance Project (www.projectliberty.org) currently has nearly 40 members including American Express, Hewlett-Packard, Novell, Sabre, Sun Microsystems, Visa International, Verisign, Mastercard International and Cisco Systems. These efforts are still nascent: the Alliance plans to release initial specifications for decentralised user authentication by the middle of this year. It is to be noted that Smart Cards and other traditional techniques will continue to play a role in robust authentication mechanisms.

Synergy is the killer app in the Web Services arena. Its technical manifestation is interoperability. What is more interoperable than XML? The XML front has more interesting developments that will take security beyond SSL. These cover the broad areas of authorisation, authentication, encryption and even management of keys. SAML (Security Assertion Markup Language) is an XML-based mechanism to interchange information on authorisation and authentication. It will provide the global sign-on for Web Services.

The XML community has been able to resolve the issue of canonicalisation, whereby a given input always yields one unique serialised output after parsing, regardless of incidental differences in its textual form. This development enables the XML Signature specification to define digital signatures in XML, because signer and verifier can now hash exactly the same bytes. A document can now be signed as a whole or partially. The XML Encryption standards spell out the specifics of encryption and decryption of documents in their entirety or in sections.
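The canonicalisation and partial-signing ideas above, and the intermediary problem raised under “Current security gaps”, as an added example that is not from the article: the initiator signs only the canonical form of the order fragment, so an intermediary may rewrite the envelope header, but any change to the order itself is detected, which hop-by-hop SSL alone would not catch. It assumes a constructed payment message and a hypothetical shared key, and uses an HMAC over the digest as a stand-in for the public-key signature an XML Signature would carry, since the Python standard library has no RSA.

```python
import hashlib
import hmac
from xml.etree import ElementTree as ET

# Constructed sample: the <Order> fragment is the part of the message the initiator signs.
ORDER_XML = '<Order id="42" currency="INR"><Amount>1500</Amount><Payee>ACME Ltd</Payee></Order>'
# The same fragment, textually different (attribute order, quoting) but semantically identical.
ORDER_XML_VARIANT = "<Order currency='INR'  id='42'><Amount>1500</Amount><Payee>ACME Ltd</Payee></Order>"
DEMO_KEY = b"constructed-demo-key"  # hypothetical shared key, stands in for the signer's private key


def envelope(order_xml: str, header: str = "") -> str:
    """Wrap the order in a minimal SOAP-like envelope; intermediaries may edit the header."""
    return f"<Envelope><Header>{header}</Header><Body>{order_xml}</Body></Envelope>"


def canonical_order(doc: str) -> str:
    """Canonical (C14N 2.0) serialisation of the <Order> element alone, ignoring the rest."""
    root = ET.fromstring(doc)
    order = root.find("./Body/Order")
    if order is None:
        raise ValueError("message carries no Order element")
    # C14N sorts attributes and normalises quoting, so equivalent inputs give identical bytes.
    return ET.canonicalize(ET.tostring(order, encoding="unicode"))


def sign_order(doc: str, key: bytes) -> str:
    """Digest the canonical fragment, then authenticate the digest (HMAC as an RSA stand-in)."""
    digest = hashlib.sha256(canonical_order(doc).encode("utf-8")).digest()
    return hmac.new(key, digest, hashlib.sha256).hexdigest()


def verify_order(doc: str, key: bytes, signature: str) -> bool:
    """True only if the signed fragment is byte-for-byte the same after canonicalisation."""
    try:
        expected = sign_order(doc, key)
    except (ET.ParseError, ValueError):
        return False
    return hmac.compare_digest(expected, signature)


if __name__ == "__main__":
    sig = sign_order(envelope(ORDER_XML), DEMO_KEY)
    # An intermediary that only adds routing data to the header leaves the signature valid.
    routed = envelope(ORDER_XML_VARIANT, header="<Via>credit-check</Via>")
    print("routed copy verifies:", verify_order(routed, DEMO_KEY, sig))      # True
    # An intermediary that changes the amount is caught even though the transport was fine.
    tampered = envelope(ORDER_XML.replace("1500", "9999"))
    print("tampered copy verifies:", verify_order(tampered, DEMO_KEY, sig))  # False
```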

Security policy is an essential ingredient of any robust security infrastructure. XACML (Extensible Access Control Markup Language) is a specification for expressing information access policies over networks. Last but not least, the development of XKMS (XML Key Management Specification) is an important step in defining the registration and distribution of public keys. It also deals with the first-ever handshake problem that arises when two systems have never communicated with each other before.

This article barely touches the tip of the iceberg of the complicated issues involved in Web Services security. Web Services are complex and there are several issues, especially on the server side, including preventing malicious code from executing. Then there are issues of information leakage from organisations through MS-Office documents presented through .Net Web Services without the knowledge of the CIO. What we have covered here is just an introduction to Web Services security for the developer community.

Unfortunately, the discussions on security seem to happen at the CIO/CTO level and the developers carry out the implementation of security policies almost in a “follow the leader” manner. If the developer understands the importance of security, it will reflect in the quality of the application. It will also reduce wastage of time and resources and post-production heartaches. The gospel truth is that security cannot be an add-on.

The author is chief technology officer at Ways India. He can be contacted at hemantadarkar@ways.com


© Copyright 2000: Indian Express Group (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in
Mumbai by The Business Publications Division of the Indian Express Group of Newspapers.