Cryptography and Security Services
Latest Publications


TOTAL DOCUMENTS

14
(FIVE YEARS 0)

H-INDEX

1
(FIVE YEARS 0)

Published By IGI Global

9781599048376, 9781599048390

Author(s):  
Manuel Mogollon

A service is an application offered by an organization that can be accessed through a programmable interface. Web services allow computers running on different operating platforms to access and share each other’s databases by using open standards, such as extensible markup language (XML) and simple object access protocol (SOAP). In this chapter, the following Web services mechanisms are discussed: (1) XML encryption, XML signature, and XML key management specification (XKMS); (2) security assertion markup language (SAML); and (3) Web services security (WS-security).


Author(s):  
Manuel Mogollon

In an Internet commercial transaction, the secure Web server and the buyer’s computer authenticate each other and encipher the data transmitted using transport layer security (TLS) or secure sockets layer (SSL) protocols. When a purchase is made online using a credit card, does the customer’s bank need to know what was purchased? Not really. Does the seller need to know the customer’s credit card number? Actually, the answer is no. The responses to these questions were the main premises of the secure electronic transaction (SET). In the late 1990s, SET was approved as the credit card standard, but it failed to be accepted because of its cost and the problems regarding distribution of end-user certificates. However, SET is explained in this chapter as an ideal protocol, from the point of view of certificates, digital signatures, and cryptography for securing credit card transactions over the Internet.


Author(s):  
Manuel Mogollon

Unless a corporation can reliably authenticate its network users, it is not possible to keep unauthorized users out of its networks. Authentication is essential for two parties to be able to trust each other’s identities. Authentication is based on something you know (a password), on something you have (a token card, a digital certificate), or something that is part of you (fingerprints, voiceprint). Strong authentication requires at least two of these factors. The following mechanisms of authentication are described in this chapter: (1) IEEE 802.1X Access Control Protocol; (2) Extensible Authentication Protocol (EAP) and EAP methods; (3) traditional passwords; (4) Remote Authentication Dial-in Service (RADIUS); (5) Kerberos authentication service; and (6) X.509 authentication.


Author(s):  
Manuel Mogollon

In public-key encryption, the secrecy of the public key is not required, but the authenticity of the public key is necessary to guarantee its integrity and to avoid spoofing and playback attacks. A user’s public key can be authenticated (signed) by a certificate authority that verifies that a public key belongs to a specific user. In this chapter, digital certificates, which are used to validate public keys, and certificate authorities are discussed. When public-key cryptography is used, it is necessary to have a comprehensive system that provides public-key encryption and digital signature services to ensure confidentiality, access control, data integrity, authentication, and non-repudiation. That system, public-key infrastructure or PKI, is also discussed in this chapter.


Author(s):  
Manuel Mogollon

In the world of communications, assurance is sought that (1) a message is not accidentally or deliberately modified in transit by replacement, insertion, or deletion; (2) the message is coming from the source from which it claims to come; (3) the message is protected against unauthorized individuals reading information that is supposed to be kept private; and (4) there is protection against an individual denying that the individual sent or received a message. These assurances are provided through the use of security mechanisms. Chapters IV, V, VI, and VII discuss security mechanisms such as confidentiality, integrity, and access authentication that are used to implement the security services listed above. This chapter covers two types of symmetric encryption: stream ciphers and block ciphers. The theory behind using shift registers as stream ciphers, as well as DES and the Advanced Encryption Standard (AES), is also covered in this chapter.


Author(s):  
Manuel Mogollon

Mathematics plays an important role in encryption, public-key cryptography, authentication, and digital signatures. Knowing certain basic math concepts such as counting techniques, permutations, plotting a curve, raising a number to a power, modular arithmetic, and congruence would help the reader understand the material in this book.


Author(s):  
Manuel Mogollon

In previous chapters of this book, crypto systems, security mechanisms, and security services have been discussed and reviewed as separate crypto modules. Chapters 10 to 14 discuss how these crypto modules are used to provide network security. Electronic mail enables users to exchange messages using computer communications facilities, but sending an e-mail message is like sending a postcard that anyone can read as it travels from post office to post office. When an e-mail message travels from one e-mail server to another, the e-mail is first stored in an e-mail server before it is sent to the next e-mail server. A way to protect e-mail is by using writer-to-reader security, in which the message is encrypted at the sender station and deciphered at the receiver station. There are several ways to make e-mail secure. Pretty Good Privacy (PGP) and Secure MIME (S/MIME) are presented in this chapter.


Author(s):  
Manuel Mogollon

For the same level of security that public-key cryptosystems such as RSA have, elliptic curve cryptography (ECC) offers the benefit of smaller key sizes, hence smaller memory and processor requirements. The Diffie-Hellman key exchange, ElGamal encryption, digital signatures, and the Digital Signature Algorithm (DSA) can all be implemented in ECC. This makes ECC a very attractive algorithm for wireless devices such as handhelds and PDAs, which have limited bandwidth and processing power. Running on the same platform, ECC runs more TLS/SSL transactions per second than RSA. This chapter describes the basic concepts and definitions of elliptic curve cryptography.


Author(s):  
Manuel Mogollon

The TCP/IP protocol is becoming the world standard for network and computer communications. The number of TCP/IP applications on the Internet and in corporate networks is continually growing, with a resulting increase in network vulnerability. When data communications security is discussed in this text, it refers to communications security for the TCP/IP protocol and to the security mechanisms implemented at the different layers of the TCP/IP protocol stack. This chapter also describes, in a general way, which security mechanisms are used for specific security services.


Author(s):  
Manuel Mogollon

Wireless is by nature a physically open medium, which makes authentication, access control, and confidentiality necessary in the implementation of a wireless LAN. There are three primary categories of networks: wireless local area network (WLAN), wireless metropolitan-area network (WMAN), and wireless personal area network (WPAN). The security for each of these types of wireless networks is discussed in this chapter.

