
Research On Key Security Techniques In Web Services

Posted on: 2008-12-31
Degree: Doctor
Type: Dissertation
Country: China
Candidate: H B Shen
GTID: 1118360272966836
Subject: Computer software and theory
Abstract/Summary:
With the development of Web services, their merits, such as loose coupling, language neutrality, platform independence, and the ability to link applications within and across organizations over the Internet, are becoming more and more important. At the same time, some weaknesses and limitations are beginning to emerge because of their heterogeneity, dynamism, complexity and the loosely coupled nature of cooperation across organizations. As typical distributed applications, web services face security challenges that include data confidentiality (both transport data confidentiality and SOAP message confidentiality), data integrity (both transport data integrity and SOAP message integrity), non-repudiation, identity authentication, trust, access control, auditing and security management. Industry therefore agrees that security is the key issue that must be addressed before web services become a mainstream technique. Identity authentication, authorization, access control, trust establishment and delegation are the main security issues. In-depth research on the key security techniques in web services therefore has not only academic value but also practical significance.

In a web services environment, accomplishing a task or implementing a function usually requires several enterprises or organizations to cooperate, and each organization may take part in many such cooperations. Because these enterprises or organizations may use different identity authentication mechanisms, web services must accommodate both existing and forthcoming authentication mechanisms and must map identity credentials between the organizations. Furthermore, when a user must invoke many web services to complete a business process, he or she does not want to present an identity credential to every web entity, but wants to authenticate only once and gain access to all federated web sites, i.e. single sign-on (SSO). SAML (Security Assertion Markup Language) and WS-Federation provide technical support for single sign-on. By analyzing how SAML, WS-Federation and XKMS (XML Key Management Specification) achieve single sign-on, we present a security authentication system model for web services portal sites based on SAML and cookies. This system model achieves single sign-on both within a single management domain and in a trust federation spanning different management domains, and has characteristics such as flexibility, extensibility and cross-platform operation.

Traditionally, authorization has been based on the identity of the entity requesting access to a resource, either directly or through roles assigned to the entity. However, in an open environment like web services, resources and their requestors may come from different security domains and often have no preexisting relationship; they may not even know each other. Identity information such as user names and passwords, or identity certificates, is therefore usually inadequate for determining whether a party should be trusted. An attribute-based access control (ABAC) approach has been proposed for this reason. In ABAC systems, authorization decisions are based on attributes of the requestor, the resource and the environment, so ABAC avoids the need to assign permissions to individual requestors before a request is made. In this paper the modeling and extension of ABAC is discussed, and an implementation architecture of ABAC for web services based on XACML is presented. Finally, attribute management throughout the attribute lifecycle is discussed so that ABAC can be used more effectively. ABAC is particularly suitable for authorization and access control in open and distributed systems because of its flexibility and applicability. However, the greater flexibility and applicability of ABAC come with greater complexity in specifying and maintaining policies, and with the problem of sensitive attribute exposure.

Because the attributes needed for an access control decision may come from different security domains, they may be annotated and interpreted with different terminology; that is, their semantics may be completely different. This creates a requirement for semantic interoperability, which can be met using semantic web technologies, especially ontologies. Semantic web technologies can be used to improve security in service-oriented, open, heterogeneous environments, where the semantic interoperability challenge must be met. In this paper a new semantic-aware attribute-based access control approach (called S-ABAC) is presented, based on an extension of the established XACML standard and semantic web technologies, in order to resolve these issues in ABAC.

In a web services environment, resources and their requestors may come from different security domains, resource controllers do not know the identity of a requestor in advance, and requestors usually access resources at random. How to establish a trust relationship between them dynamically is a very important problem. Existing solutions assume that a trusted third-party authority provides the information needed to make an authorization decision, but this is unrealistic in an open, dynamic and ever-changing web services environment. A reasonable method is therefore needed to evaluate whether a third party or collaborator is trustworthy. Automated Trust Negotiation (ATN) is a means of establishing mutual trust between a resource requestor and a resource provider through the exchange of sensitive attribute credentials and access control policies. In heterogeneous and distributed web services environments, delegation is usually also needed to control access to resources. In this paper the trust establishment mechanism in web services is analyzed, and a trust establishment model based on WS-Trust is proposed. An ATN-based access control model for web services is also presented. Finally, a delegation model and framework based on SAML delegation assertions and WS-Trust is proposed.
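As an added illustration of the ABAC decision model described in the abstract (example code written for this page, not the dissertation's own implementation), the following hypothetical evaluator decides purely from requestor, resource and environment attributes; no individual requestor is ever named in the policy. The rule/effect structure and deny-overrides combining loosely mirror XACML but the code is not an XACML engine, and the sample policy and attribute values are constructed.

```python
"""Hypothetical ABAC evaluator: decisions depend only on attributes of the
subject (requestor), the resource and the environment. Rule/effect layout and
deny-overrides combining loosely mirror XACML; this is not an XACML engine."""
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List

Attrs = Dict[str, Any]
Condition = Callable[[Attrs, Attrs, Attrs], bool]

@dataclass
class Rule:
    name: str
    effect: str            # "Permit" or "Deny"
    condition: Condition   # applicability test over (subject, resource, env)

@dataclass
class Policy:
    rules: List[Rule] = field(default_factory=list)

    def evaluate(self, subject: Attrs, resource: Attrs, env: Attrs) -> str:
        """Deny-overrides combining: any applicable Deny wins, otherwise any
        applicable Permit, otherwise NotApplicable (treated as deny)."""
        effects = [r.effect for r in self.rules
                   if r.condition(subject, resource, env)]
        if "Deny" in effects:
            return "Deny"
        if "Permit" in effects:
            return "Permit"
        return "NotApplicable"

# Constructed sample policy: no requestor is named; only attributes are tested.
POLICY = Policy([
    Rule("partner-may-read-shared", "Permit",
         lambda s, r, e: s.get("affiliation") in r.get("shared_with", ())
         and r.get("classification") == "shared"
         and e.get("channel") == "tls"),
    Rule("deny-outside-business-hours", "Deny",
         lambda s, r, e: not 8 <= e.get("hour", -1) < 18),
    Rule("owner-domain-full-access", "Permit",
         lambda s, r, e: s.get("domain") == r.get("owner_domain")),
])

def decide(subject: Attrs, resource: Attrs, env: Attrs) -> bool:
    """True only on an explicit Permit (default deny)."""
    return POLICY.evaluate(subject, resource, env) == "Permit"
```

A requestor from a partner domain that has never been registered with the resource owner is permitted solely because its attributes satisfy a rule, while an environment attribute (off-hours) can still override that permit.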
Keywords/Search Tags: Web Services, Authentication, Single Sign-On (SSO), Attribute-Based Access Control (ABAC), Automated Trust Negotiation (ATN), Delegation