Securing Web Services with XML aware digital signatures

Sabbir Ahmed and Leisa Armstrong
School of Computer and Information Science, Edith Cowan University
Abstract

The evolution of web services has facilitated the integration of business processes scattered across different geographical locations of the world. Along with the benefits that web services provide for high value online transactions, they also pose some security threats. A new standard of XML aware digital signatures, recommended by W3C, provides authentication, data integrity, and support for non-repudiation. Since web services communicate with each other through XML formatted messages, a solution may be found through the use of XML aware digital signatures in identifying the requester web service, validating message integrity and thereby confirming non-repudiation. This research project aims to form a theoretical framework and prototype a solution that will use XML aware digital signatures to ensure proper security in web services messaging.

Keywords

Web services, XML, digital signatures, machine to machine identity management, non-repudiation
INTRODUCTION

Current trends in performing business-to-business transactions and enterprise application integration (EAI) have been extended to the use of web services. Web services facilitate the incorporation of different business processes belonging to various organisations into one single application (IBM developerWorks, 2003a). This article details the evolution and architecture of web services since the emergence of the object oriented paradigm and assesses what factors influence the deployment of secure web services.

A review of research on web services security suggests that digital signatures may be suitable to mitigate the current security concerns of web services. A research study is currently underway to investigate whether the use of XML aware digital signatures can mitigate these concerns. The study aims to determine whether the security of web services messaging technology can be improved through the introduction of third party applications which use XML digital signatures. The research will firstly determine whether XML digital signatures improve machine to machine identity management, and secondly whether machine to machine identity management methodologies can be successfully integrated to fulfil the security requirement of non-repudiation.
BACKGROUND

The world of application and system development has seen the facilitation of code re-use through the introduction of the Object Oriented (OO) paradigm. Concepts like inheritance, polymorphism and data abstraction presented by OO architecture have provided software developers with an enormous advantage in component based software development (Alhir, 1998). While the OO paradigm has enormous advantages, there are also limitations, and innovative techniques are required to overcome them (Champion, Ferris, Newcomer and Orchard, 2002). The most significant limitation is that all the classes in an Object Oriented based application have to be immediately accessible: by residing within the same project, by having the API downloaded and placed in the class path, or by referencing the compiled DLL (Champion et al., 2002). This forces all components of an application to reside on one machine and therefore fails to integrate business processes of the various organisations into one single solution.

With the rapid growth of enterprises and spread of business opportunities, computing with an organisational perspective requires integration of far-located business processes. The inability of the Object Orientation paradigm to achieve this goal imposes the need for a mechanism which allows fragmented software teams to re-use components existing elsewhere on another network machine. According to IBM developerWorks (2003), the evolution of web services was suitable for facilitating the communication of such components. Though Common Object Request Broker Architecture (CORBA) is also a vendor-neutral and language-agnostic protocol that is capable of performing similar operations, it is limited by its complicated, ad-hoc way of utilizing the flexibility of the Internet. Therefore, web services represent the next step beyond CORBA by leveraging the service-centric distributed nature of the Internet.

The XML based messaging system used in web services can allow subscription-based access to an organisation's online services by other business partners. The adoption of web services as a standard messaging architecture could eliminate the expensive legacy system integration processes of Enterprise Application Integration (EAI), by wrapping the legacy applications with web service component interfaces (IBM developerWorks, 2003a).
THE EMERGENCE OF WEB SERVICES

A recent survey conducted by Evans Data Corporation in the USA concluded that up to 40 percent of web developers surveyed are currently using some form of web services technology (ITworld.com, 2002). Dixit (2002 cited in ITworld.com, 2002) concluded that nearly 82 percent of survey respondents considered using the “wonders of Web services” as a minor component of their existing applications, whereas nearly 18 percent of the developers were thinking of using a fully featured web services implementation in all of their forthcoming applications. There has also been a reported increase in the expenditure on web services, despite the current depressed IT business environment. Lange (2003) has predicted a rise in expenditure on web services in the USA from nearly $1.2 billion in 2003 to a surprising $21 billion by 2007.

IBM developerWorks (2003a) defines web services as programs that accept requests in XML format from other systems across the Internet or Intranet via lightweight and vendor-neutral communications protocols. For a web service to be implemented, the following processes must be completed. The web service application that requires access to the remote program sends a method with its arguments through a Remote Procedure Call (RPC). The lightweight, vendor-neutral protocol that is used for web service method calls is known as Simple Object Access Protocol (SOAP) (Champion, Ferris, Newcomer and Orchard, 2002). Each call is packaged in a SOAP message that makes use of XML document structure to contain all the information necessary to process its content. On receipt of the SOAP message, the remote application begins to process the content of the message and a response is sent back to the caller in XML format (IBM developerWorks, 2003a).
THE SECURITY CRISIS AND RISE OF XML DIGITAL SIGNATURES

While one part of the IT industry is discussing a broader scale implementation of web services, other parts report that major security issues are restricting them from adopting this evolution in distributed computing. Dixit (2002 cited in ITworld.com, 2002) reported that 20 percent of those who participated in their survey had faced some sort of security breach within their organisation when using web services. Schmelzer (2003, cited in Parizo, 2003) asserts that the Secure Socket Layer (SSL), which has gained great popularity in securing E-Commerce sites, merely provides these businesses with communication that is secured during transport; the data is therefore left unprotected on the server side. Simon, Madsen and Adams (2001) suggest it is unlikely that data would be tampered with during transmission; moreover, identity management and non-repudiation issues have been overlooked in the deployed version of SSL. This has been a concerning issue for companies wanting to deploy web services solutions to perform high value business transactions.

As a result of great industry discussion, it has been proposed that there is a need for the development of a standard that provides a means of transforming thoroughly secured digital data. The new standard of digital signatures for XML documents developed by W3C and IETF provides authentication, data integrity, and support for non-repudiation to the data that has been signed. An excellent feature of this standard is the ability to sign a uniquely identified element of the XML tree, rather than the complete document (Simon, Madsen and Adams, 2001). The verification algorithm is designed to indicate the originator of the XML document and thereby reveal the sender’s identity.
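The element-level signing described above, as an added sketch that is not the authors' prototype and is not interoperable W3C XML Signature markup: it digests one canonicalized element selected by its Id, then protects the SignedInfo block that carries that digest. The message, key, element names and helper names are constructed for illustration, and HMAC-SHA256 stands in for the public-key signature so the block runs on the Python standard library alone; a shared-key MAC gives integrity and origin authentication between key holders, not the non-repudiation that a private-key signature supports.

```python
import base64
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed sample SOAP-like message and demo key (not from the paper).
SAMPLE = (
    '<Envelope><Header><Trace>hop-1</Trace></Header><Body>'
    '<Order Id="order-1"><Item>widget</Item><Amount>100</Amount></Order>'
    '<Note>unsigned remark</Note></Body></Envelope>'
)
KEY = b"constructed-demo-key"

def _c14n(elem):
    """Canonical XML (C14N 2.0) bytes of one element subtree."""
    node = copy.copy(elem)
    node.tail = None  # text after the closing tag is not part of the element
    return ET.canonicalize(ET.tostring(node, encoding="unicode")).encode()

def _b64(data):
    return base64.b64encode(data).decode()

def _by_id(root, ref_id):
    """Return the single element whose Id attribute equals ref_id."""
    hits = [e for e in root.iter() if e.get("Id") == ref_id]
    if len(hits) != 1:  # an ambiguous or missing Id cannot be verified
        raise ValueError("Id must match exactly one element")
    return hits[0]

def sign_element(root, ref_id, key):
    """Sign only the element with this Id; put the Signature in the Header."""
    sig = ET.Element("Signature")
    info = ET.SubElement(sig, "SignedInfo")
    ref = ET.SubElement(info, "Reference", URI="#" + ref_id)
    digest = hashlib.sha256(_c14n(_by_id(root, ref_id))).digest()
    ET.SubElement(ref, "DigestValue").text = _b64(digest)
    mac = hmac.new(key, _c14n(info), hashlib.sha256).digest()
    ET.SubElement(sig, "SignatureValue").text = _b64(mac)
    root.find("Header").append(sig)
    return root

def verify(root, key):
    """Check SignatureValue over SignedInfo, then the referenced digest."""
    info = root.find("Header/Signature/SignedInfo")
    value = root.findtext("Header/Signature/SignatureValue", "")
    if info is None:
        return False
    mac = _b64(hmac.new(key, _c14n(info), hashlib.sha256).digest())
    if not hmac.compare_digest(mac.encode(), value.encode()):
        return False
    ref = info.find("Reference")
    try:
        target = _by_id(root, ref.get("URI", "")[1:])
    except (AttributeError, ValueError):
        return False
    digest = _b64(hashlib.sha256(_c14n(target)).digest())
    return hmac.compare_digest(digest.encode(), ref.findtext("DigestValue", "").encode())

def demo(verify_key=KEY):
    """Return verification results for (as sent, Note edited, Amount edited)."""
    signed = sign_element(ET.fromstring(SAMPLE), "order-1", KEY)
    wire = ET.tostring(signed, encoding="unicode")
    note_edit, amount_edit = ET.fromstring(wire), ET.fromstring(wire)
    note_edit.find("Body/Note").text = "changed in transit"
    amount_edit.find("Body/Order/Amount").text = "1"
    docs = (ET.fromstring(wire), note_edit, amount_edit)
    return tuple(verify(d, verify_key) for d in docs)
```

Editing the unsigned Note leaves verification intact, while editing the Amount inside the signed Order fails it; this per-element protection travels with the message rather than with the transport connection.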
IMPROVING WEB SERVICES SECURITY

It is clear that for a successful adoption of web services technology and the facilitation of the application-to-application transaction, improvements are needed in web service security. A review of literature has concluded that there are different means of identity management and non-repudiation for low value consumer-to-application transactions. The existing methodologies are cost-effective and can provide sufficient security only in the case of low value consumer-to-application transactions. The applicability of the new standard of XML digital signatures in application-to-application commercial transactions has immense potential and substantial probabilities. This is because the emerging trend in application-to-application transactions is the usage of web service requests and responses using XML formatted data elements.

The research study currently underway is investigating the technical requirements and methodologies of a third-party application designed to manage the identities of machines and prevent repudiation for machine-to-machine high value commercial transactions. As a result of substantial expansion in the deployment of web services in industry, a number of IT corporations are also researching web service technologies. This study expands on previous research carried out by IBM and is utilizing the IBM security suite as an initial starting point for the development of a prototype tool. All signature algorithms used within the proposed research will be acquired from W3C sites through the use of RPCs, as an alternative to having to implement new algorithms.

The boom of web-based applications and the drive to make information accessible world wide has forced corporations to use a strong and scalable security infrastructure (Stanek, 2004). Nikander (1999) divides the security requirements that form the basis of an ideal corporate security infrastructure into three distinct parts: authentication, integrity and confidentiality. As far as web services are concerned, Stanek (2004) asserts that web services, like web-based applications, also need to meet the basic security requirements of authentication, integrity and confidentiality for their successful uptake by industry.
Organisations like W3C, Organization for the Advancement of Structured Information Standards (OASIS), and the Liberty Alliance have been working to develop protocols for web services messaging (Loeb, 2001). In fact, the number of standards and protocols that have emerged is so large, and they have originated from so many disparate sources, that Kunene (2004) suggests that confirming that web services of all types can communicate with each other is a major concern. To that end, Kermaier (2004 cited in Kunene, 2004) suggested that there are three XML security standards that he believes are fairly mature and well suited to implement web services security today. These standards include XML signature and XML encryption, which are both W3C recommendations, and XML Key Management Specification 2.0 (XKMS), which is currently a W3C working draft. Loeb (2001) asserts that “XML signatures have been designed with the multiple goals of providing integrity, message authentication, and signer authentication services for data of any type, whether located within the XML that includes the signature or elsewhere.” Further investigation by Salz (2003) has presented similar conclusions to Loeb (2001) concerning the goals of XML digital signatures.

The idea of non-repudiation in the case of consumer-to-application transactions is to prevent the merchant, along with the purchaser, from denying the committed operation (Tsai, 2003). In relation to formal technical standards and guidelines, Tsai (2003) concludes that little importance has been given to non-repudiation and that procedures for seamless implementation have not yet been defined. Amongst the techniques that attempt to provide non-repudiation, Tsai (2003) concludes that digital signatures are the most suitable and viable alternative to replace traditional signatures in consumer-to-application data processing.
However, research studies have concluded that such an attempt to achieve non-repudiation with SSL is inadequate for web services messaging (Shin, 2003). Shin (2003) attributes this to SSL being a transport-level security scheme, as opposed to a message-level scheme, and to its inability to provide element-wise signing. In the context of “federated identity management”, Lasance (2003) asserts that enterprises need a mechanism to maintain identity-based policy in this loosely coupled world of web services, where the identity data may need to be shared across organizational boundaries. Chanliau (2004) suggests that the use of security objects or tokens to represent entities may be a possibility. The WS-Security specification, developed by OASIS to ensure proper security of web services, supports various security tokens including X.509 certificates (Chanliau, 2004). Secure propagation of identity information of web services across organisations through such security tokens (X.509) is being investigated in the current research.
Many organisations are currently working on developing tools and techniques which provide some type of security mechanism in support of web service based applications. For example, Westbridge Technology Inc. (Parizo, 2003) has investigated the methodologies of developing rule-based authorization software that would enable a web service to identify a pre-approved web service request. Software corporations such as IBM and Microsoft have released a number of security white papers (IBM developerWorks, 2003b) which have focussed on the issue of web service security concerns. A number of companies such as Netegrity Inc., VeriSign Inc., RSA Security Inc., and Oblix Inc. have already gone a long way to exhibit their commitment to web services security by offering illustrative identity management products (Parizo, 2003).
RESEARCH IN PROGRESS

The current research study has adopted grounded theory as its principal research methodology (Martin and Turner 1986). The study's objective is to form a descriptive and explanatory theory regarding the probabilities of utilising XML aware digital signatures in machine to machine identity management and preventing repudiation of SOAP messages. Other research methodologies have also been described for Information Technology implementation (Ginzberg 1981, Markus 1983); however, these methodologies concentrate on the development part of the software and focus comprehensively on user relations. Since the users of the proposed study would be pre-programmed machines and underlying theory development would be critical as per the probability identification, the traditional view of information technology implementation is considered less applicable.

The research study consists of two distinct parallel phases: prototyping a third party tool and theory formation. The prototyping phase of the study focuses on the analysis, design and construction of a third party tool to generate data, with an aim to attest the validity of the usage of XML aware digital signatures. The prototype tool would reside in multiple machines, be integrated with “dummy” web services and be used to study the maturity of the proposed hypothesis. The tool is independent of the programming language with which the web services are written. Web services used in the research experiments are based on both Java and the .Net framework, depending on the strategic information architecture of the provider. Experiments will be carried out to establish the susceptibilities of web services (dummy representatives) deploying common security measures (SSL, for example). This would form a baseline to gauge what improvements in security the study could achieve.
In order to draw conclusions as to the general suitability of XML aware digital signatures in improving the security of web services, and in particular in recognising the identities of machines along with preventing repudiation, a number of variables have been identified to determine whether the prototype tool has been successful in securing the web service information. Suitability will be assessed based on whether the prototype tool meets the following criteria: verifies the requestor of the messages, verifies the message integrity, verifies the signature's validity, separates the data and signature element, ensures the creator and sender are the same, ensures the sender cannot refuse sent messages, ensures the sender cannot claim sent messages are tampered, confirms the machine identity, repudiation and assures suitability. Each criterion would be measured under two scenarios: firstly, with the dummy web services deploying existing security mechanisms, and secondly, with the web services deploying the prototyped security mechanism. Data generated from these replicated experiments will be used to refine the theory suggesting the appropriate mechanism of securing web services messaging.
CONCLUSIONS

The emergence of web services as a means to facilitate the exchange of business data has a number of benefits, including the ability to support high value transactions. However, it is clear that the IT industry is concerned by the security threats. This article has demonstrated that one possible solution is the use of the new standard of XML aware digital signatures, recommended by W3C. This standard can provide authentication, data integrity, and support for non-repudiation. Since web services communicate with each other through XML formatted messages, a solution may be found through the use of XML aware digital signatures in identifying the requester web service, validating message integrity and thereby confirming non-repudiation. The research currently underway proposes the prototyping of a solution that uses XML aware digital signatures to ensure proper security in web services messaging. The research study described in this article is in progress and will be completed by the end of 2004.
REFERENCES

Alhir, S. S. (1998, October 23). The Object-Oriented Paradigm. Retrieved July 28, 2004, from http://home.earthlink.net/~salhir/TheObjectOrientedParadigm.pdf
Champion, M.; Ferris, C.; Newcomer, E.; & Orchard, D. (2002, November 14). Web Services Architecture. Retrieved July 27, 2004, from http://www.w3.org/TR/2002/WD-ws-arch-20021114/
Chanliau, M. (2004, May 06). Getting a grip on federated identity. Retrieved May 6, 2004, from http://www.computerworld.com/developmenttopics/development/webservices/story/0,10801,92737,00.html
Ginzberg, M. J. (1981, April). Early Diagnosis of MIS Implementation Failure: Promising Results and Unanswered Questions. Management Science, 27(4), 459-478.
IBM developerWorks (2003a). XML Web services fundamentals. Retrieved April 10, 2004, from https://www6.software.ibm.com/developerworks/education/ws-intwsdk51/ws-intwsdk51-2-1.html
IBM developerWorks (2003b). IBM WebSphere SDK for Web Services (WSDK) Version 5.1. Retrieved May 9, 2004, from http://www.106.ibm.com/developerworks/webservices/wsdk/
ITworld.com (2002). Study: Web services, security top developer concerns. Retrieved April 10, 2004, from http://utilitycomputing.itworld.com/4605/020424webservicessecurity/page_1.html
Kunene, G. (2004). XML Standards Provide Web Services Security. Retrieved April 13, 2004, from http://www.devx.com/security/Article/11934/1954?pf=true
Lange, L. (2003). Web Services Security Gets Serious. Retrieved April 15, 2004, from http://www.techweb.com/tech/security/20030129_security
Lasance, M. (2003). Identity Management and Web Services: The need for a more federated approach to identity management. Retrieved May 5, 2004, from http://www.ecominfo.net/arts/899_maxware.htm
Loeb, L. (2001). XML signatures: Behind the curtain. Retrieved May 2, 2004, from http://www106.ibm.com/developerworks/library/s-digsig.html
Markus, M. L. (1983, June). Power, Politics, and MIS Implementation. Communications of the ACM, 26(6), 430-444.
Martin, P. Y. & Turner, B. A. (1986). Grounded Theory and Organizational Research. The Journal of Applied Behavioral Science, 22(2), 141-157.
Nikander, P. (1999, November). IPSEC - Internet Protocol Security. Retrieved May 7, 2004, from http://www.tml.hut.fi/Tutkimus/IPSEC/
Parizo, E. B. (2003). Identity, authentication key to Web services security. Retrieved April 21, 2004, from http://searchwebservices.techtarget.com/originalContent/0,289142,sid26_gci929656,00.html
Salz, R. (2003). Understanding XML Digital Signature. Retrieved May 3, 2004, from http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnwebsrv/html/underxmldigsig.asp
Shin, S. (2003, March 18). Secure Web services. The upcoming Web services security schemes should help drive Web services forward. Retrieved April 12, 2004, from http://www.javaworld.com/javaworld/jw-03-2003/jw-0321wssecurity-tote_p.html
Simon, E.; Madsen, P. & Adams, C. (2001). An Introduction to XML Digital Signatures. Retrieved April 25, 2004, from http://www.xml.com/pub/a/2001/08/08/xmldsig.html
Stanek, R. (2004, April 20). Future of Web Services Expert(s). Retrieved May 8, 2004, from http://searchwebservices.techtarget.com/ateQuestionNResponse/0,289625,sid26_cid582964_tax294589,00.html
Stylus Inc. (2004). Software Development Life Cycle. Retrieved April 28, 2004, from http://stylusinc.com/Common/Concerns/SoftwareDevtPhilosophy.php
Tsai, C. (2003). Non-Repudiation In Practice. Retrieved April 1, 2004, from http://dsns.csie.nctu.edu.tw/iwap/proceedings/proceedings/sessionD/6.pdf
COPYRIGHT

Sabbir Ahmed and Leisa Armstrong © 2004. The author/s assign the We-B Centre & Edith Cowan University a non-exclusive license to use this document for personal use provided that the article is used in full and this copyright statement is reproduced. The authors also grant a non-exclusive license to the We-B Centre & ECU to publish this document in full in the Conference Proceedings. Such documents may be published on the World Wide Web, CD-ROM, in printed form, and on mirror sites on the World Wide Web. Any other usage is prohibited without the express permission of the authors.