Web Service Security:
Theory and Practice
Andy Gordon (
Microsoft Research
)
Software and Web Engineering in the Microsoft .NET Environment
Microsoft Research Fourth Crash Course for Faculty and PhDs
Saint John's College, Cambridge, March 25–28, 2003
2
What’s a Web Service?

“A web service is a web site intended for use by
computer programs instead of human beings.”
(Barclay et al, MSR-TR-2002-53)

Internet examples: (bye bye, screen-scraping!)

/>
/>




Within intranet: vendor-neutral middleware to
interconnect existing systems

Between intranets: inter-institution workflow (e-
business, e-science); eg Globus OGSA based on WS
3
Example: A Google Client


Create a local proxy class, instantiate, and invoke

The proxy class GoogleSearchService generated from
a WSDL file, an XML-encoded service description
GoogleSearchService s = new GoogleSearchService();
foreach (string q in queries)
{
GoogleSearchResult r = s.doGoogleSearch(myKey, q);
int estResults = r.estimatedTotalResultsCount;
w.WriteLine("\t{0}\t{1}", q, estResults);
}
4
Outline Architecture
SOAP
SOAP
Request
Request
Implementation via
proxy class and
HTTP transport
My Desktop
Windows
Google.com/apis
Unix/Linux?
GoogleSearchService s =
new GoogleSearchService();
foreach (string q in queries)
{… s.doGoogleSearch(myKey, q); …}
Implementation via
WebService classes

in Web Server
SOAP
SOAP
Response
Response
[WebMethod]
… doGoogleSearch(myKey, q) …
Google
database
Vendor-neutral
XML-encoding
over HTTP
The Internet
TCP/IP
5
Web Services: What’s New?

Though their core is roughly SOAP-encoded RPC, what’s
new about web services is the combination of:

Vendor-neutral interoperability

Internet-scale

Toolsets for “mere mortals” (Barclay et al)

Signs of fervour,

Wide support from commercial & OSS suppliers


Weekly news of progress at OASIS and W3C

yet reasons for caution,

Cost of SOAP encoding?

Lack of SOAP security?
6
The 2002 Security Story

The 2002 best practice was to build secure web
services using an SSL (as in https) transport

SSL encrypts all traffic between client and web server,
so opaque to intermediaries:

Messages cannot be monitored by firewalls

Messages cannot be forwarded by routers

Messages not encrypted in files or databases

Moreover, SSL has scalability problems

Party line: security within SOAP envelopes is better:

Avoids problems with SSL

Avoids dependency on HTTP transport


And is the subject of this talk…
7
Parts I-II: The Official Version

Theory: IBM/MS/VeriSign/… WS specs

Security Roadmap, Apr 2002

WS-Security, Apr 2002

Practice: MS WSE (Web Service Enhancements)

RTW Dec 2002, plugin for VS.NET

Product implementing WS-Security, WS-Routing,
and DIME attachments

Signature, encryption based on passwords,
certificates
8
Parts III-V: The Research Version

Theory: MSRC/DePaul Cryptyc type system, etc

Tool for specifying/verifying crypto protocols, such
as the broad family expressible with WS-Security

Practice: MSRC DS V1 (Declarative Security V1)

ACM

XML Security 2002
paper; MSR-TR-2002-108

Research prototype using VS.NET

Declarations for signature, encryption; formal
model of programming abstraction, and verification
of protocol
Part I:
A Bottom-Up View of a
WSE Message
To understand what WSE delivers,
either you read the specs, docs,
samples, etc; or you snoop at what’s
going on the wire…
Fellow snoopers: Karthik Bhargavan
adnd Cédric Fournet, MSRC
10
A Sample SOAP Request
<soap:Envelope xmlns:soap=" /> xmlns:xsi=" /> xmlns:xsd=" /> <soap:Body>
<AddInt xmlns=" /> <a>20</a>
<b>40</b>
</AddInt>
</soap:Body>
</soap:Envelope>

Says: “please compute 20+40”

XML not meant to be read by humans, so we’ll omit
namespace info, and trailing brackets…

11
A Sample SOAP Request
<Envelope>
<Body>
<AddInt>
<a>20</>
<b>40</>

Says: “please compute 20+40”

XML not meant to be read by humans, so we’ll omit
namespace info, and trailing brackets…that’s better
12
A Sample SOAP Response
<Envelope>
<Header>
<Timestamp>
<Created>2003-03-11T23:36:06Z</>
<Expires>2003-03-11T23:41:06Z</>
<Body>
<AddIntResponse>
<AddIntResult>60</>

Unlike the client making the request, the server has
included a timestamp in the optional Header

Next, the client-side architecture in more detail…
A SOAP header; WSE filters
out messages with invalid
timestamps

13
Client Sends a Message…
User Code
WSE Runtime
SOAP
Context
SOAP
Custom filters
DIME
Security
Routing
14
Client Receives a Message…
User Code
WSE Runtime
SOAP
Context
SOAP
Custom filters
DIME
Security
Routing
15
An Aside: WS-Routing

Client requests a service from server A, which in fact routes it
on to server B

Routing determined by a
referral cache

at A

If B needs to be taken offline, we can update the cache to point
at C, transparently to the client

Aside to an aside: DIME enables non-XML, binary attachments
16
An Encrypted Request
<Envelope>
<Header>
<path actor="next">
<action> /> <to>http://
mydomain
/symmetricencryption.asmx</>
<id>uuid:ced7a259…</id>
<Timestamp>
<Created>2003-03-13T18:24:43Z</>
<Expires>2003-03-13T18:25:43Z</>
<Security>
<ReferenceList>
<DataReference URI="#EncryptedContent-90853130…" />
<Body>
<EncryptedData Id="EncryptedContent-90853130…“
<EncryptionMethod Algorithm="tripledes-cbc" />
<KeyInfo><KeyName>WSE Sample Symmetric Key</></>
<CipherData><CipherValue>fnNQgEFqOes5+g…</></>
WS-Routing header
WS-Timestamp header
WS-Security header
ReferenceList element:

list of pointers to
EncryptedData elements
Encrypted SOAP body
17
Processing Security Headers…

Security layer processes each header in order, to
transform and validate the SOAP message

Each EncryptedData element referred to by a
ReferenceList is decrypted in turn

Customisable DecryptionKeyProvider class
invoked with the KeyInfo, to get suitable
decryption key

WSE supports messages encrypted using (1) shared
symmetric keys, or (2) X509-based public-key crypto

WSE supports messages signed using (1), (2), and (3)
keys derived from username/password combos, as in
the next slide
A Signed Request
<Envelope>
<Header>
<path actor="next">
<action> /> <to>http://
mydomain
/usernamesigning.asmx</>
<id>uuid:5ba86b04-3c0f-428b-8dd6-17804286fe40</>

<Timestamp>
<Created>2003-02-04T16:49:45Z</>
<Expires>2003-02-04T16:50:45Z</>
<Security>
<UsernameToken>
<Username>adg</>
<Password>Ouywn2V6ikNNtWYL29gl9R3CPBk=</>
<Nonce>cGxr8w2AnBUzuhLzDYDoVw==</>
<Created>2003-02-04T16:49:45Z</>
<Signature>
<SignedInfo>
<Reference URI="#..."><DigestValue>Ego0...</>
<Reference URI="#..."><DigestValue>5GHl...</>
<Reference URI="#..."><DigestValue>efb0...</>
<Reference URI="#..."><DigestValue>dFGb...</>
<Reference URI="#..."><DigestValue>23io...</>
<Reference URI="#..."><DigestValue>E4G0...</>
<SignatureValue>vSB9JU/Wr8ykpAlaxCx2KdvjZcc=</>
<KeyInfo><SecurityTokenReference><Reference URI="#..."/>
<Body>
<AddInt>
<a>20</>
<b>6</>
Routing and timestamp
headers as before
UsernameToken assumes
both parties know adg’s
secret password
pw
Password digest =

sha1(
nonce
+
time
+
pw
)
proves knowledge of
pw
Nonce to prevent replays;
receiver needs to cache
recently seen nonces
hmacsha1
(
key
, Signature) where
key
=psha1(
pw
+
nonce
+
time
)
Each DigestValue is the
sha1 hash of the URI target
URI arrows implemented
using GUID Id attributes
Hence, signature can
prove this is a fresh

message from adg