Recommandé
Contenu connexe
Tendances
Tendances (20)
Similaire à Web services security
Similaire à Web services security (20)
Dernier
Dernier (20)
Web services security
- 1. Web Services Security BY: NURMEEN RAFIQUE ANIK MALIK FAKHAR-UL-ISLAM
- 2. WS-Security Definition WS-Security (Web Services Security) is a proposed IT industry standard that addresses security when data is exchanged as part of a Web service. Web Service Security Requirements The use of transport security to protect the communication channel between the Web service consumer and Web service provider. Message-level security to ensure confidentiality, integrity and authentication.
- 3. Web services security includes several aspects: Authentication—Verifying that the user is who she claims to be. A user's identity is verified based on the credentials presented by that user, such as: password, biometric information etc. Authorization (or Access Control)—Granting access to specific resources based on an authenticated user's entitlements. Entitlements are defined by one or several attributes. An attribute is the property or characteristic of a user. Confidentiality, privacy—Keeping information secret. Accesses a message, for example a Web service request or an email, as well as the identity of the sending and receiving parties in a confidential manner. Confidentiality and privacy can be achieved by encrypting the content of a message and obfuscating the sending and receiving parties' identities. Integrity, non repudiation—Making sure that a message remains unaltered during transit by having the sender digitally sign the message. A digital signature is used to validate the signature and provides non-repudiation. The timestamp in the signature prevents anyone from replaying this message after the expiration.
- 4. Web Services Security at Transport Level and Message Level Web Services currently revolves around three important protocols: SOAP, WSDL and UDDI. There are two ways with which we can ensure security with Web Services: Transport Level Security Message Level Security
- 5. Transport-level Security It secures the actual transport over which the message passes through from client to a service. Secure Socket Layer (SSL), otherwise known as Transport Layer Security (TLS), is the most widely used transport-level data-communication protocol providing: Authentication (the communication is established between two trusted parties). Confidentiality (the data exchanged is encrypted). Message integrity (the data is checked for possible corruption). Secure key exchange between client and server.
- 8. Message Level Security Message level security is an application layer service and facilitates the protection of message data between applications. It secures the message itself that is being transported from client to a service and vice versa. Application-level security is based on standards available for securing Web Services at XML level. Data confidentiality is implemented by XML Encryption. Data integrity and authenticity are implemented by XML Signature. Message structure and message security are implemented by SOAP and its security extension, WS-Security.
- 10. Differences TLS: In this model, a Web Service client will use SSL to open a secure socket to a Web Service. The client then sends and receives SOAP messages over this secured socket using HTTPS. MLS: In message level security, security information is contained within the SOAP message, which allows security information to travel along with the message.ge level security, security information is contained within the SOAP message, which allows security information to travel along with the message.
- 11. Differences cont’d TRANSPORT LEVEL MESSAGE LEVEL Uses SSL Dose not use SSL Point-to-Point: Protects the "pipe Data Chunks are protected Does not work with Intermediaries Intended to work with Intermediaries Ubiquitous Standards still under development