RubiX ID - SOA Security - Ingrid Cox

SOA Security an Introduction Ingrid Cox www.rubix.nl

Transcript of RubiX ID - SOA Security - Ingrid Cox

Page 1: RubiX ID - SOA Security - Ingrid Cox

www.rubix.nl

SOA Security an Introduction

Ingrid Cox

Page 2: RubiX ID - SOA Security - Ingrid Cox

03-05-2023

Agenda

Why SOA Security?

Fundamental Security Terminology and Concepts

Fundamental Security Mechanisms

Security Industry Standards and Technologies

Common SOA Security Threat Definitions

Service Security Patterns

SOA School / Certified SOA Security Specialist

Page 3: RubiX ID - SOA Security - Ingrid Cox

Why SOA Security?

Page 4: RubiX ID - SOA Security - Ingrid Cox

Why SOA Security?

Services and service compositions can be subject to distinct security threats due to tendencies such as:
• Reliance on open networks
• Openly published technical contracts
• Reuse by and exposure to widely distributed service consumers
• Involvement of service intermediaries and service agents
• Exchange of data as plain text XML messages

Page 5: RubiX ID - SOA Security - Ingrid Cox

Fundamental Security Terminology and Concepts

Page 6: RubiX ID - SOA Security - Ingrid Cox

Fundamental Security Terminology and Concepts

Trust

Claims

Tokens

Integrity

Confidentiality

Authorization

Authentication

Identification

Non-repudiation

Policies

Message Layer Security

Transport Layer Security

Page 7: RubiX ID - SOA Security - Ingrid Cox

CIA Triad (Information Security)

Services

Confidentiality

Availability

Integrity

Page 8: RubiX ID - SOA Security - Ingrid Cox

Confidentiality

“Information is not made available or disclosed to unauthorized individuals, entities, or processes”

Sender Recipient

“Can this document be disclosed to unauthorized parties?”

Page 9: RubiX ID - SOA Security - Ingrid Cox

Integrity

“Maintaining and assuring the accuracy and completeness of data over its entire life-cycle.

This means that data cannot be modified in an unauthorized or undetected manner.”

Sender Recipient

“Has this message been changed since you sent it?”

Page 10: RubiX ID - SOA Security - Ingrid Cox

Availability

“For any information system to serve its purpose, the information must be available when it is needed.”

• The computing systems used to store and process the information
• The security controls used to protect it
• The communication channels used to access it
• But also preventing common security threats

Page 11: RubiX ID - SOA Security - Ingrid Cox

Non-repudiation

In digital security, the cryptologic meaning and application of non-repudiation shifts to mean:
• A service that provides proof of the integrity and origin of data.
• An authentication that can be asserted to be genuine with high assurance.

Sender Recipient

“Is this document actually sent by you?”

Page 12: RubiX ID - SOA Security - Ingrid Cox

Transport Layer Security vs Message Layer Security

Diagram (TLS): Sender -> Intermediary -> Intermediary -> Recipient, with parts of the path labelled "Secure" and parts labelled "Not secure"

Diagram (MLS): Sender -> Intermediary -> Intermediary -> Recipient, labelled "Secure"

Page 13: RubiX ID - SOA Security - Ingrid Cox

Fundamental Security Mechanisms

Page 14: RubiX ID - SOA Security - Ingrid Cox

Security Mechanisms

Hashing

Encryption

Decryption

Digital Signature

Identity & Access Management

Public Key Infrastructure

Digital Certificates

Single Sign-On

Symmetric Encryption

Asymmetric Encryption

Secret Key Cryptography

Public Key Cryptography

Page 15: RubiX ID - SOA Security - Ingrid Cox

Hashing

Diagram: Input (plain text) -> Cryptographic Hash Function -> Digest

Used to verify the integrity of the message

Page 16: RubiX ID - SOA Security - Ingrid Cox

Hashing functions

Input: rubix
MD5 Digest: 32cab8d5115f0c7814994a65257e2014
SHA-256 Digest: D093570cb166eeb9d17a4c8358a2f6ceeccb5679af1c08ccd72b104133b665d1

Input: Rubix
MD5 Digest: D89525d0a4550368ba8085a36a6ddb78
SHA-256 Digest: 97b6ef22acaf52f4dab67ffa5ab7b481d9cb09b1228351bc7ecbf6b308c511dc

Input: Rubix ID
MD5 Digest: 708739c108aab7f15c2e1b8edb72b626
SHA-256 Digest: B5a1c516688ccb7125aa65f800abd5af29b1004de8ebe903f39083793771d733

Input: Rubix ID event
MD5 Digest: 3fe0453a093464a5abafe7e0f6bdadd3
SHA-256 Digest: C6f301b80a4f9a93bfd91af56bb26de8f9d8f27f326ea4eb09b65950c16867c1

Input: Rubix ID event, a very interesting event organized by Rubix ....
MD5 Digest: 5bd80cd151f14dac32476238fe5f5f47
SHA-256 Digest: E376e493a9d3a7ccf3004b1ddfd0bed641369fb9393c0231a4146a4f2c4dd8e6

Page 17: RubiX ID - SOA Security - Ingrid Cox

Encryption / Decryption

Diagram: Plain Text + Key -> Encryption Algorithm -> Cipher Text

Diagram: Cipher Text + Key -> Decryption Algorithm -> Plain Text

Can be used for confidentiality

Page 18: RubiX ID - SOA Security - Ingrid Cox

Symmetric Encryption

• Same key for encryption and decryption
• Key needs to be known by both parties
• Very efficient (100 times faster than asymmetric)
• Challenges:
  • Reliance on a single key (secret key)
  • Not for non-repudiation
• Examples:
  • DES, RC4, RC5, AES

Page 19: RubiX ID - SOA Security - Ingrid Cox

Asymmetric Encryption

• Private key decrypts cipher text encrypted with public key
• Public key decrypts cipher text encrypted with private key
• Public key is public, no security needed
• Private key should stay private
  • Losing it compromises the identity of the owner
• PKI can be used for administration of keys and owners

Page 20: RubiX ID - SOA Security - Ingrid Cox

Asymmetric Encryption: Confidentiality

Page 21: RubiX ID - SOA Security - Ingrid Cox

Asymmetric Encryption: Digital Signature

• A message digest encrypted by a private key
• It proves that the message:
  • Is sent by the intended sender
  • Is not altered
• Can be used for:
  • Authentication
  • Integrity
  • Non-repudiation

Page 22: RubiX ID - SOA Security - Ingrid Cox

Security Industry Standards and Technologies

Page 23: RubiX ID - SOA Security - Ingrid Cox

Security Industry Standards and Technologies

XML encryption

XML signature

Security assertion markup language (SAML)

Decrypt transform for XML signature

Canonical XML

Web service security (WS-Security)

Page 24: RubiX ID - SOA Security - Ingrid Cox

XML Encryption

• Most commonly used to apply encryption for confidentiality to XML data
• It specifies how to encrypt elements within an XML doc
• Plaintext replaced with cipher text -> still well formed
• All or part of the XML doc can be encrypted

Page 25: RubiX ID - SOA Security - Ingrid Cox

XML Signature

• The specific XML syntax used to represent a digital signature over any arbitrary digital content.
• Is generated from a hash over the canonical form of a signature manifest.

Page 26: RubiX ID - SOA Security - Ingrid Cox

Canonical XML

• Two XML documents can be semantically identical but differ syntactically
  • e.g. white spaces, different ordering of attributes.
• XML canonicalization is the process of standardizing the syntax of XML docs to be signed, so that when a digital signature is verified, it produces the same message digest for assessing message integrity
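
The effect of canonicalization on the message digest, as an added example that is not part of the original slides. It assumes Python's standard-library C14N 2.0 implementation as the canonical form; the sample documents are constructed.

```python
import hashlib
from xml.etree.ElementTree import canonicalize

# Constructed samples: A and B carry the same content but differ in attribute
# order, quoting style, spacing inside tags and empty-element syntax.
DOC_A = '<order id="42" currency="EUR"><item sku="A1" qty="2"/></order>'
DOC_B = "<order   currency='EUR'  id='42' ><item qty='2' sku='A1'></item></order>"
# Same content again, but pretty-printed: the indentation is text content.
DOC_INDENTED = '<order id="42" currency="EUR">\n  <item sku="A1" qty="2"/>\n</order>'
# Constructed tampered message: quantity changed from 2 to 20.
DOC_TAMPERED = '<order id="42" currency="EUR"><item sku="A1" qty="20"/></order>'


def raw_digest(xml_text):
    """SHA-256 over the bytes exactly as they arrived."""
    return hashlib.sha256(xml_text.encode("utf-8")).hexdigest()


def canonical_digest(xml_text, **options):
    """SHA-256 over the canonical form; options are passed to canonicalize()."""
    canonical = canonicalize(xml_text, **options)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def same_message(doc_a, doc_b, **options):
    """True when both documents produce the same canonical digest."""
    return canonical_digest(doc_a, **options) == canonical_digest(doc_b, **options)


if __name__ == "__main__":
    print("raw digests equal:      ", raw_digest(DOC_A) == raw_digest(DOC_B))
    print("canonical digests equal:", same_message(DOC_A, DOC_B))
    print("tampered detected:      ", not same_message(DOC_A, DOC_TAMPERED))
    # Whitespace between elements is content, so it changes the digest unless
    # sender and verifier both agree to strip it before hashing.
    print("indented, default:      ", same_message(DOC_A, DOC_INDENTED))
    print("indented, strip_text:   ", same_message(DOC_A, DOC_INDENTED, strip_text=True))
```

Whitespace inside tags is normalized away, but whitespace between elements is only ignored when both sides apply the same stripping rule before the digest is computed.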

Page 27: RubiX ID - SOA Security - Ingrid Cox

Decrypt transform for XML signature

• A message can be encrypted and signed in any order
• For the recipient to correctly verify and decrypt the message, it needs to know in which order the message was signed and encrypted
• Transform elements
  • A transform is an ordered list of actions applied to a document before signing and verification

Page 28: RubiX ID - SOA Security - Ingrid Cox

Web service security (WS-Security)

• Foundational security architecture for web services
• Message layer security
• Encryption, Signature + more (not addressed today)

Page 29: RubiX ID - SOA Security - Ingrid Cox

Common Security Threat Definitions

Page 30: RubiX ID - SOA Security - Ingrid Cox

Common Security Threat Definitions

Buffer Overrun

Information Leakage

XML External Entity Attack

SQL Injection

XPath Injection

Exception Generation

XML Bomb Attack

XML Schema Poisoning Attack

Document Structure Attack

XML Parser Attack

Malicious Intermediary

Page 31: RubiX ID - SOA Security - Ingrid Cox

Information Leakage Attacks (Data oriented)

• Specially crafted request messages cause the service to include more information in its response than intended
• The objective:
  • Get access to confidential information
  • Get information that could be used to access underlying service implementation resources
• Consequences of this attack can ripple beyond a service architecture.

Page 32: RubiX ID - SOA Security - Ingrid Cox

Information Leakage Exception Generation

• Send erroneous request messages to make the service logic trigger an exception
• That may return error or fault data that includes sensitive information
• This could include connection strings, server names, SQL queries, XPath commands, stack traces, and data schemas

Page 33: RubiX ID - SOA Security - Ingrid Cox

SQL Injection

Page 34: RubiX ID - SOA Security - Ingrid Cox

XML Parser Attack (Access oriented)

• Goal: to cause the XML parser to either consume an inordinate amount of resources and crash, or to execute the attacker’s own code.
• Will affect any service composition that depends on this service as well.
• If a single hosting platform is used, all services running on that host could become non-responsive if the runtime is unable to recover from this attack.

Page 35: RubiX ID - SOA Security - Ingrid Cox

XML Parser Attack Document Structure Attack

• A request message with an XML document structure that causes problems for the parser
• Could be achieved by extremely deep nesting of elements, or just an extremely large document

Page 36: RubiX ID - SOA Security - Ingrid Cox

Malicious Intermediary

• A given message can pass through several intermediaries before it reaches its ultimate receiver
• An (active) intermediary can transmit an altered message; the message confidentiality and integrity cannot be guaranteed

Page 37: RubiX ID - SOA Security - Ingrid Cox

Malicious Intermediary

• A (passive) intermediary can log the message when it is not authorized to do so; the confidentiality of the message cannot be guaranteed
• Might need MLS to prevent this from happening

Page 38: RubiX ID - SOA Security - Ingrid Cox

Service Security Patterns

Page 39: RubiX ID - SOA Security - Ingrid Cox

Service Security Patterns

Exception Shielding

Trusted Subsystem

Service Perimeter Guard

Message Screening

Page 40: RubiX ID - SOA Security - Ingrid Cox

Exception Shielding

• Unsafe exception-related data is “sanitized”
• Sanitized exception messages do not contain sensitive data
• Note that unhandled exceptions can be wrapped by another exception. So check nesting!
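
One way to apply Exception Shielding with the nesting check, as an added example that is not part of the original slides. The `ConsumerFault` convention, the `lookup_customer` operation and the fault text are hypothetical; the leaked string is constructed.

```python
import logging
import uuid

log = logging.getLogger("service.faults")  # internal log, never returned


class ConsumerFault(Exception):
    """Assumed convention: service logic raises this with consumer-safe text."""


def exception_chain(exc):
    """Yield exc and every exception nested under it (cause or context)."""
    seen = set()
    while exc is not None and id(exc) not in seen:
        seen.add(id(exc))
        yield exc
        exc = exc.__cause__ or exc.__context__


def shield(exc):
    """Return a sanitized fault; full details go to the internal log only."""
    fault_id = str(uuid.uuid4())
    chain = list(exception_chain(exc))
    log.error("fault %s: %s", fault_id,
              " <- ".join(f"{type(e).__name__}: {e}" for e in chain))
    # A consumer-safe wrapper may have copied text from an unsafe inner
    # exception, so the message is returned only if the whole chain is safe.
    if all(isinstance(e, ConsumerFault) for e in chain):
        return {"fault": str(exc), "id": fault_id}
    return {"fault": "Internal service error", "id": fault_id}


def lookup_customer(customer_id):
    """Constructed operation: the wrapper repeats the inner error text."""
    try:
        raise ConnectionError("cannot reach Server=db01;User=svc (constructed)")
    except ConnectionError as inner:
        raise ConsumerFault(f"lookup failed: {inner}") from inner


def call_shielded(operation, *args):
    """Run an operation and return its result or a sanitized fault."""
    try:
        return {"result": operation(*args)}
    except Exception as exc:
        return shield(exc)
```

The returned `id` lets support staff find the full chain in the internal log without the consumer ever seeing it.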

Page 41: RubiX ID - SOA Security - Ingrid Cox

Message Screening

• Invalid request messages can cause the service or other downstream systems to behave in an undesirable manner
  • Accidentally inserted by a service consumer
  • Intentionally added by an attacker
• Assume that all input data is harmful, until proven otherwise
• Specialized threat screening routines are added to the internal service logic.
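
A screening routine for the Document Structure Attack described earlier (oversized or deeply nested documents), as an added example that is not part of the original slides. The limits are assumed values, and rejecting DTDs is an assumption that this service's messages never need one.

```python
import xml.parsers.expat

MAX_BYTES = 64 * 1024  # assumed size limit for one request message
MAX_DEPTH = 32         # assumed nesting limit for this service's schema


class RejectedMessage(Exception):
    """Raised when a request fails screening; the message is the reason."""


def screen_xml(payload: bytes) -> int:
    """Return the deepest element nesting seen, or raise RejectedMessage."""
    if len(payload) > MAX_BYTES:
        raise RejectedMessage("message too large")
    depth = deepest = 0

    def start(name, attrs):
        nonlocal depth, deepest
        depth += 1
        deepest = max(deepest, depth)
        if depth > MAX_DEPTH:  # stop while parsing, before a tree is built
            raise RejectedMessage("nesting too deep")

    def end(name):
        nonlocal depth
        depth -= 1

    def doctype(name, system_id, public_id, has_internal_subset):
        # Entity-based threats need a DTD; this service never expects one.
        raise RejectedMessage("DTD not allowed")

    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.StartDoctypeDeclHandler = doctype
    try:
        parser.Parse(payload, True)
    except xml.parsers.expat.ExpatError as err:
        raise RejectedMessage("not well-formed") from err
    return deepest


def verdict(payload: bytes) -> str:
    """Screening result as text: 'accepted' or the rejection reason."""
    try:
        screen_xml(payload)
        return "accepted"
    except RejectedMessage as reason:
        return str(reason)
```

Because the check runs on streaming parser events, a rejected message is dropped before any document tree is allocated for it.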

Page 42: RubiX ID - SOA Security - Ingrid Cox

Trusted Subsystem

• When underlying service resources (e.g. databases) can be accessed directly by the service consumers, the security of the resource can be compromised by malicious attackers
• The service is the sole means by which underlying resources can be accessed by service consumer programs
• The service uses its own credentials to access the resource.

Page 43: RubiX ID - SOA Security - Ingrid Cox

Service Perimeter Guard

• External service consumers require access to services in a private network.
• Exposing those services directly to the outside world is too risky
• Intermediate services at the perimeter of the private network (DMZ) as the sole contact point for external service consumers.
• The location and contract of the internal service remain hidden.

Page 44: RubiX ID - SOA Security - Ingrid Cox

Access-Oriented Threats: General Mitigation

One of the best practical techniques for avoiding access-oriented threats is to apply the Service Perimeter Guard pattern in order to position a perimeter service as a buffer between potential attackers and internally protected services. These services can further act as policy enforcement points to establish a strong first layer of defense.

Diagram (Use Perimeter Services): Service Consumer -> Service Perimeter Guard -> Protected services (Service A, Service B)

Service Perimeter Guard:
• Policy Enforcement Point
• Schema validation
• Attack Mitigation

Page 45: RubiX ID - SOA Security - Ingrid Cox

SOA School / Certified SOA Security Specialist

Page 46: RubiX ID - SOA Security - Ingrid Cox

SOA School / Certified SOA Security Specialist

Module 1: Fundamental SOA & Service-Oriented Computing

Module 2: SOA Technology Concepts

Module 3: SOA Design & Architecture

Module 18: Fundamental SOA Security

Module 19: Advanced SOA Security

Module 20: SOA Security Lab

Page 47: RubiX ID - SOA Security - Ingrid Cox

Questions?