Cyber Security

WEB SERVICES SECURITY

Web Services Security (WS-Security) is an OASIS specification that defines how security measures are applied to SOAP messages to protect a web service from attack. It is a set of mechanisms that secures SOAP-based messages by applying the principles of confidentiality, integrity, and authentication at the message level, independently of the transport.

Because web services are independent of any particular hardware or software implementation, WS-Security must be flexible enough to accommodate new security mechanisms and to offer alternatives when one approach is not appropriate. Because SOAP messages may pass through several intermediaries, the security protocol must let the receiver detect spoofed nodes and must prevent intermediaries from reading or altering the protected parts of the message. WS-Security therefore does not mandate one mechanism; it lets developers combine established techniques to address each requirement separately. For example, a developer can choose XML digital signatures for integrity and non-repudiation and Kerberos for authentication.

AIM

The goal of WS-Security is to ensure that communication between two parties is not intercepted or tampered with by an unauthorized third party. The recipient must be confident that the message really came from the claimed sender, and the sender must not be able to deny later that it sent the message (non-repudiation). Finally, the data sent during communication must not be modifiable by unauthorized parties without detection. All security-related data is carried in the SOAP header, so forming a SOAP message with security mechanisms enabled adds considerable overhead in message size and processing.

WS-Security SOAP Header

Developers are free to choose the underlying set of security mechanisms or protocols used to achieve these goals. Security information is carried in a dedicated wsse:Security header block whose child elements vary with the mechanism in use: a username token, a Kerberos ticket, an X.509 certificate, and so on. These tokens identify the caller. If digital signatures are used, the header also contains information about how the content was signed (algorithms and signed elements) and a reference to the key used to sign the message, so that the receiver can locate it.

Encryption information (which parts of the message are encrypted, with which algorithm, and how the receiver can obtain the key) is also stored in the SOAP header. Elements in the header and body carry a wsu:Id attribute so that signatures and encryption references can point at them unambiguously, which simplifies processing. Timestamps add a further layer of protection against replay of a captured message. When a message is created, it is given a wsu:Timestamp whose Created element records when it was made and whose Expires element records the time after which the receiver must reject it; a receiver that also remembers the nonces or identifiers it has already accepted within that window can detect a message being resent.

Security Authentication Mechanisms

  • Username/Password approach: A username and password combination is the most basic authentication mechanism and corresponds to HTTP Basic and Digest authentication. The wsse:UsernameToken element carries the credentials. The password can be sent in plain text (which is acceptable only over TLS) or as a digest: in the digest form the value is Base64(SHA-1(nonce + created + password)), a hash rather than an encryption, so the receiver must know the password in order to recompute it, and the nonce and creation time are what stop a captured token from being replayed.
  • Kerberos: Tickets are the underlying mechanism of Kerberos. The client first authenticates to the Key Distribution Center (KDC) with a username/password combination or an X.509 certificate. On success it is issued a Ticket Granting Ticket (TGT). Using the TGT, the client contacts the Ticket Granting Service (TGS) and requests a service ticket (ST) for the particular service it wants to call; the TGS returns the ST. This completes authentication and authorization, and the client then presents the ST in the WS-Security header to access the service.
  • X.509 approach: This approach identifies a user through a public key infrastructure that binds an X.509 certificate to a particular user. The sender signs the message with the private key corresponding to the certificate, and the receiver validates the signature with the public key in the certificate, checking the certificate's chain and revocation status. The certificate itself is public and is not encrypted. To stop replayed messages, a time limit is set so that messages arriving after a certain elapsed time are rejected.
  • Digital Signature: XML signatures protect messages from modification and provide non-repudiation; any change to a signed element invalidates the signature. The signature must be produced by the actual sender or by a party the receiver trusts.
  • Encryption: XML encryption protects data from interception by preventing unauthorized third parties, including intermediaries, from reading it. Both symmetric and asymmetric approaches can be used, typically a symmetric key for the data and an asymmetric key to transport the symmetric key.
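The following is an added example (not code from the original page or from any WS-Security toolkit) showing how the header described above and the digest form of the username token fit together: the sender builds a wsse:Security header containing a wsu:Timestamp and a UsernameToken with a PasswordDigest, and the receiver checks expiry, freshness, replay of the nonce, and the recomputed digest. It assumes a hypothetical user "alice", an in-memory credential store, a fixed clock passed in by the caller, and whole-second timestamps; the namespace URIs and the digest formula are the ones from WS-Security 1.0 and the UsernameToken Profile 1.0.

```python
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Namespaces from SOAP 1.1 and WS-Security 1.0 (wsse, wsu).
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PW_DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
for prefix, uri in (("soapenv", SOAP), ("wsse", WSSE), ("wsu", WSU)):
    ET.register_namespace(prefix, uri)

def q(ns, tag):
    return "{%s}%s" % (ns, tag)

def iso(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")

def parse_iso(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def password_digest(nonce, created, password):
    """UsernameToken profile: Base64(SHA-1(nonce + created + password)).
    SHA-1 is used as a hash, not encryption: whoever knows the password can recompute it."""
    return base64.b64encode(hashlib.sha1(nonce + created.encode() + password.encode()).digest()).decode()

def build_envelope(user, password, now, ttl=300):
    """Sender side: SOAP envelope with wsse:Security holding a Timestamp and a digest UsernameToken."""
    nonce = os.urandom(16)
    created = iso(now)
    env = ET.Element(q(SOAP, "Envelope"))
    sec = ET.SubElement(ET.SubElement(env, q(SOAP, "Header")), q(WSSE, "Security"),
                        {q(SOAP, "mustUnderstand"): "1"})
    ts = ET.SubElement(sec, q(WSU, "Timestamp"), {q(WSU, "Id"): "TS-1"})
    ET.SubElement(ts, q(WSU, "Created")).text = created
    ET.SubElement(ts, q(WSU, "Expires")).text = iso(now + timedelta(seconds=ttl))
    tok = ET.SubElement(sec, q(WSSE, "UsernameToken"), {q(WSU, "Id"): "UT-1"})
    ET.SubElement(tok, q(WSSE, "Username")).text = user
    ET.SubElement(tok, q(WSSE, "Password"), {"Type": PW_DIGEST}).text = password_digest(nonce, created, password)
    ET.SubElement(tok, q(WSSE, "Nonce")).text = base64.b64encode(nonce).decode()
    ET.SubElement(tok, q(WSU, "Created")).text = created
    ET.SubElement(ET.SubElement(env, q(SOAP, "Body")), "Ping").text = "hello"
    return ET.tostring(env, encoding="unicode")

class Receiver:
    """Receiver side: checks the timestamp, rejects replayed nonces, recomputes the digest."""
    def __init__(self, users, max_age=300, skew=60):
        self.users = users                       # constructed store: username -> password
        self.max_age = timedelta(seconds=max_age)
        self.skew = timedelta(seconds=skew)      # tolerated clock difference between peers
        self.seen = {}                           # nonce -> Created time; replay cache

    def verify(self, xml_text, now):
        root = ET.fromstring(xml_text)
        sec = root.find("%s/%s" % (q(SOAP, "Header"), q(WSSE, "Security")))
        if sec is None:
            return False, "missing wsse:Security header"
        # 1. Timestamp: reject anything past its own Expires (allowing for skew).
        ts = sec.find(q(WSU, "Timestamp"))
        expires = ts.findtext(q(WSU, "Expires")) if ts is not None else None
        if expires is None or now > parse_iso(expires) + self.skew:
            return False, "timestamp missing or expired"
        tok = sec.find(q(WSSE, "UsernameToken"))
        pw = tok.find(q(WSSE, "Password")) if tok is not None else None
        if pw is None or pw.get("Type") != PW_DIGEST:
            return False, "plain-text password refused; use PasswordDigest or TLS"
        user = tok.findtext(q(WSSE, "Username")) or ""
        nonce = base64.b64decode(tok.findtext(q(WSSE, "Nonce")) or "")
        created = tok.findtext(q(WSU, "Created")) or ""
        age = now - parse_iso(created)
        # 2. Freshness: Created must fall inside the window the replay cache remembers.
        if age > self.max_age or age < -self.skew:
            return False, "token too old or from the future"
        # 3. Replay: purge stale entries, then refuse a nonce already accepted in the window.
        self.seen = {n: c for n, c in self.seen.items() if now - c <= self.max_age}
        if nonce in self.seen:
            return False, "replayed nonce"
        # 4. Credentials: recompute the digest from the stored password; constant-time compare.
        expected = password_digest(nonce, created, self.users.get(user, ""))
        if user not in self.users or not hmac.compare_digest(expected, pw.text or ""):
            return False, "bad credentials"
        self.seen[nonce] = parse_iso(created)
        return True, user

def demo():
    """Runs the exchange against a constructed clock and returns the receiver's verdicts."""
    now = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    secret = "correct horse battery staple"
    rx = Receiver({"alice": secret})
    msg = build_envelope("alice", secret, now)
    return [
        rx.verify(msg, now + timedelta(seconds=1)),                          # fresh and correct
        rx.verify(msg, now + timedelta(seconds=2)),                          # same message resent
        Receiver({"alice": secret}).verify(msg, now + timedelta(seconds=700)),  # past Expires
        rx.verify(build_envelope("alice", "wrong", now), now),               # wrong password
    ]

if __name__ == "__main__":
    for ok, detail in demo():
        print("ACCEPT" if ok else "REJECT", detail)
```

Two points the example makes concrete: the receiver must hold the plain password (or an equivalent secret) to recompute the digest, so PasswordDigest protects the password on the wire but is not a substitute for TLS or for a proper password store; and the replay cache only works if it remembers nonces for at least as long as the freshness window it enforces, which is why the two are tied to the same max_age.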

WS-Security allows you to properly use existing security mechanisms and avoid the overhead of integrating new mechanisms.

Cyber security is a huge domain, comparable to an ocean. If you want to start a career in it, online cyber security training in Kochi or any other cyber security platform can be a good choice; choose good ethical hacking training in Kochi to become an expert in cyber security.

Author: STEPS