Security
1) Transport Level - Secure connections bewteen consumer and producer. Use SSL. SSL provide authetical, confidentiality and message integrety. Issue if there is an intermediatery in between (eg. router) then it will get the SOAP message in plain text.
2) Message Level - Secure message. Digitally signed and encrypted. For authetication use username, x.509 or SAML tokens.
WS-Security specification has usernameTokenProfile(Sign, Encrypt and propogate). For authetication, we can use
- SAML-Assetion
- X.509 certificates
- Kerberos Tickets
- Userid/Password credentials
- Ws-Security defines how to attach XML signature and XML Encryption headers to SOAP message.
- <wsse:UserNameToken>
SAML framework is for exchanging security information between different partie through XML documents
- Authetication Assertion
- Autherization Assertion
- Attribute Assertion
WS-Security allows SAML assertion to be placed inside a SOAP header. It defines how to insert the information in to SOA envolpe.
Security applied to various levels of the network protocol stack
- Application - Application Specific: Passwords
- Presentation - Software Encryption: Secure Socket Layer (SSL)
- Session - End-to-End Authentication/Encryption
- Transport - Port Filtering
- Network- IP Address Filtering
- Data Link - Snoop Prevention
- Physical - Point-to-Point Hardware Encryption: (Class I & II)
Difference between Hacking and Cranking
Hacking
- Don’t learn to hack…Hack to learn!
- Make things work & Fix
- Modify & Improve
- Find weaknesses & strengthen security
Cracking
- Obtain root access
- Infiltrate
- Damage
- Change
- Control
- Steal
RFC - Request for comment !.
0 comments:
Post a Comment