B Security Threats and Solutions

This appendix describes the security threats that are present in today's Web services environment, and how Oracle Application Server Web Services Security responds to these threats. The descriptions of the security threats are provided by the Web Services Interoperability (WS-I) Organization's document Security Challenges, Threats and Countermeasures Version 1.0. This document identifies the following information:

• the security challenges: these are the goals or features that help you decide specific security scenarios.

• the threats that prevent the fulfillment of each goal.

• the countermeasures you can employ to guard against each threat.

• the possible usage scenarios and the security challenges and threats that might apply to each.

See Also:

For more information on these security mechanisms and threats, see Security Challenges, Threats and Countermeasures Version 1.0 at the following Web site.

http://www.ws-i.org/Profiles/BasicSecurity/SecurityChallenges-1.0.pdf.

This appendix identifies how the functionality in OracleAS Web Services can be used to address the threats described in the Security Challenges document. For example, Table B-1 describes message-level security threats and Table B-2 describes transport-level security threats. These tables also identify possible solutions to the security threats and whether you can implement the solutions with Application Server Control or Oracle JDeveloper. The tables also provide a roadmap to where you can find more information on the solutions in the documentation.

These tables use tags, such as SC1, SA1, and BISP1, to indicate message and transport layer security mechanisms. These tags are briefly described in Table B-3. These tables also use threat IDs, such as T-01 and T-02 to indicate types of security threats. These threats are briefly described in Table B-4.

Table B-1 Message Layer Security Solutions

Solution	Threat Number and Name	Supported Solutions	Application Server Control Support	Oracle JDeveloper Support	Where Documented
Sender Authentication Username with clear text password or digest password with encrypted password/digest (SA1)	T-05: Principal Spoofing	SA1	Inbound configuration: (verifying username token) is supported. Outbound configuration: (username token), Application Server Control does not support encrypting or decrypting the username token.	Inbound configuration: (verifying username token) is supported. Outbound configuration: (username token with clear text/digest password) is supported. Encrypting and decrypting the username token are manual steps	"Encrypting Elements of a SOAP Message" and "Decrypting Elements of a SOAP Message" provides information on encrypting and decrypting the username token. "Assembling a Secure Web Service" provides bottom up and top down examples which use username token.
Sender Authentication Username with clear text password or digest password (SA2)	T-05: Principal Spoofing	SA2	Inbound configuration is supported by the verify-username-token element.	Both inbound and outbound configuration are supported.	"Using a Username Token" .
Message Integrity, Sender Authentication XML Digital Signature (SI1) with: Username with clear text password or digest password (SA2), or X509 Certificate (SA3), or SAML Token (SA5), or REL Token (SA6)	T-01: Message Alteration T-05: Principal Spoofing	SI1, SA2, SA3 and SA5 are supportedSA6 is not supported.	Inbound policy for SI1 (verify signature) is supported through Application Server Control. You must configure an instance/port level keystore with a signature key. Inbound policies for SA2, SA3 and SA5 are supported through Application Server Control. Outbound policies for SA2, SA3 and SA5 are not supported through Application Server Control.	Both Inbound and Outbound policies for SI1, SA2, SA3, SA5 are supported through Oracle JDeveloper. You must configure a key store with a signature key.	Chapter 2, "Configuring Web Service Security" "Assembling Security into a Web Service Bottom Up" describes the bottom up XML Signature and Username token cases.
Message Confidentiality, Sender Authentication XML Encryption (SC1) with: Username token with password or digest with encrypted password (SA1), or Username token with password or digest (SA2), or X509 Token (SA3), or SAML Token (SA5), or REL Token (SA6)	T-02: Message Confidentiality T-05: Principal Spoofing	SC1, SA1, SA2, SA3, and SA5 are supportedSA6 is not supported.	Inbound policy for SC1 is supported through Application Server Control. You must configure an instance/port- level keystore with an encryption key. Inbound policies for SA2, SA3, and SA5 are supported through Application Server Control. Outbound policies for SA2, SA3, SA5, and SC1 are not supported through Application Server Control.	Both Inbound and Outbound policies for SC1, SA2, SA3, and SA5 are supported through Oracle JDeveloper. You must configure an instance/port-level keystore with an encryption key.	Configuring security tokens and encryption are covered in Chapter 3, "Administering Web Services Security" "Assembling Security into a Web Service Bottom Up" describes the bottom up XML Encryption case.
One-Way AnyNode – AnyNode Message Confidentiality, Integrity, Sender Authentication XML Digital Signature (SI1) with: XML Encryption (SC1), or Username token with password or digest with encrypted password (SA1), or Username token with password or digest (SA2), or X509 Token (SA3), or SAML Token (SA5), or REL Token (SA6)	T-01: Message Alteration T-02: Confidentiality T-05: Principal Spoofing T-06: Forged claims	SI1, SC1, SA1, SA2, SA3, and SA5 are supportedSA6 is not supported	Inbound policies for SI1 and SC1 are supported through Application Server Control. Inbound policies for SA2, SA3, and SA5 are supported through Application Server Control. Outbound policies for SC1, SC2, SA2, SA3, and SA5 are not supported through Application Server Control	Both Inbound and Outbound policies for SI1, SC1, SA2, SA3, and SA5 are supported through Oracle JDeveloper. You must configure a keystore with signature and encryption keys.	Configuring security tokens and XML signature are covered in Chapter 3, "Administering Web Services Security"
Two-Way AnyNode – AnyNode Message Confidentiality, Integrity, Sender Authentication XML Digital Signature (SI1) with: XML Encryption (SC1), or Username token with password/digest with encrypted password (SA1), or Username token with password/digest (SA2), or X509 Token (SA3), or SAML Token (SA5), or REL Token (SA6)	T-01: Message Alteration T-02: Message Confidentiality T-05: Principal Spoofing T-06: Forged claims	SI1, SC1, SA1, SA2, SA3, and SA5 are supportedSA6 is not supported	Inbound policies for SI1 and SC1 are supported through Application Server Control. Inbound policies for SA2, SA3, and SA5 are supported through Application Server Control. Outbound policies for SI1, SC1, SA2, SA3, and SA5 are not supported through Application Server Control	Both Inbound and Outbound policies for SI1, SC1, SA2, SA3, SA5 are supported through Oracle JDeveloper.	Configuring security tokens and XML signature are covered in Chapter 3, "Administering Web Services Security"
Hybrid: Transport Integrity and Confidentiality, AnyNode-AnyNode Message Confidentiality, Integrity, Mutual Authentication SSL/TLS (BISP1) with XML Signature (SI1) with: XML Encryption (SC1), or Username token with password/digest with encrypted password (SA1), or Username token with password/digest (SA2), or X509 Token (SA3), or SAML Token (SA5), or REL Token (SA6)	T-01: Message Alteration T-02: Message Confidentiality T-03: Falsified Messages T-04: Man in the Middle T-05: Principal Spoofing T-06: Forged claims T-07: Replay of Message Parts T-08: Replay	BISP, BC1, SI1, SC1, SA1, SA2, SA3, and SA5 are supportedSA6 is not supported	Inbound policies for SI1 and SC1 are supported through Application Server Control.Inbound policies for SA2, SA3, and SA5 are supported through Application Server Control.Outbound policies for SC1, SI1, SA2, SA3, SA5, BISP, and BC1 are not supported through Application Server Control	Both Inbound and Outbound policies for SI1, SC1, SA2, SA3, and SA5 are supported through Oracle JDeveloper.BISP and BC1 are not supported through Oracle JDeveloper.	Configuring security tokens and XML signature are covered in Chapter 3, "Administering Web Services Security" For the manual steps to configure SSL, see the Oracle Containers for J2EE Security Guide
Hybrid: Transport Integrity and Confidentiality, Mutual Authentication AnyNode-AnyNode Message Confidentiality, Integrity, Mutual Authentication SSL/TLS (BISP) with SSL/TLS and client authentication (BC1) with: XML Signature (SI1), or XML Encryption (SC1), or Username token with password/digest with encrypted password (SA1), or Username token with password/digest (SA2), or X509 Token (SA3), or SAML Token (SA5), or REL Token (SA6)	T-01: Message Alteration T-02: Message Confidentiality T-03: Falsified Messages T-04: Man in the Middle T-05: Principal Spoofing T-06: Forged claims T-07: Replay of Message Parts T-08: Replay	BISP, SI1, SC1, SA1, SA2, SA3, and SA5 are supportedSA6 is not supported	Inbound policies for SI1 and SC1 are supported through Application Server Control.Inbound policies for SA2, SA3, and SA5 are supported through Application Server Control.Outbound policies for SI1, SC1, SA2, SA3, SA5, and BISP are not supported through Application Server Control	Both Inbound and Outbound policy for SI1, SC1, SA2, SA3, and SA5 are supported through Oracle JDeveloper. BISP is not supported through Oracle JDeveloper	Manual steps for configuring SSL are described in the Oracle Containers for J2EE Security Guide.

Table B-2 describes the security threats that can impact the transport layer and the possible solutions that can be implemented under OracleAS Web Services Security.

Table B-2 Transport Layer Security Solutions

Solution	Threat Number and Name	Solutions Supported	Application Server Control Support	Oracle JDeveloper Support	Where Documented
Consumer Authentication HTTP Basic Authentication (BC2), or HTTP Digest Authentication (BC3), or HTTP Attributes (BC4)	T-05: Principal Spoofing	Yes	No	No	"Adding Transport-Level Security to a Web Service". See also, the Oracle Containers for J2EE Security Guide.
Transport Integrity, Confidentiality, Provider Authentication SSL/TLS (BISP1)	T-01: Message Alteration T-02: Message Confidentiality	Yes	No	No	"Adding Transport-Level Security to a Web Service". See also the Oracle Containers for J2EE Security Guide.
Transport Integrity, Confidentiality, Mutual Authentication SSL/TLS (BISP1) with SSL/TLS with client authentication (BC1)	T-01: Message Alteration T-02: Message Confidentiality T-03: Falsified Messages T-04: Man in the Middle T-05: Principal Spoofing T-06: Forged claims T-07: Replay of Message Parts T-08: Replay	Yes	No	No	"Adding Transport-Level Security to a Web Service". See also the Oracle Containers for J2EE Security Guide.
Transport Integrity, Confidentiality, Mutual Authentication with Enhanced Consumer Authentication SSL/TLS (BISP1) with HTTP Basic/ HTTP Digest Authentication (BC5)	T-01: Message Alteration T-02: Message Confidentiality T-03: Falsified Messages T-05: Principal Spoofing T-06: Forged claims T-07: Replay of Message Parts T-08: Replay	Yes	No	No	"Adding Transport-Level Security to a Web Service". See also, the Oracle Containers for J2EE Security Guide.

Table B-3 provides a brief description of the tags that represent message- and transport-layer security mechanisms described in Table B-1 and Table B-2.

Table B-3 Unique IDs for Message and Transport Layer Security Mechanisms

Tag	Description
BC1	SSL/TLS with client authentication
BC2	HTTP basic
BC3	HTTP digest
BC4	HTTP attributes
BC5	HTTP basic or HTTP digest
BISP1	SSL/TSL
SA1	XML encryption, username token with either password or digest
SA2	username and either password or digest
SA3	X.509 certificate
SA5	SAML token
SA6	REL token
SC1	XML encryption
SI1	XML digital signature

Table B-4 provides a brief description of the security threat IDs and names used in Table B-1 and Table B-2.

Table B-4 Security Threats Addressed by OracleAS Web Services Security

Threat ID	Threat Name	Description
T-01	Message Alteration	The message information is altered by inserting, removing or otherwise modifying information created by the originator of the information and mistaken by the receiver as being the originators intention.
T-02	Confidentiality	Information within the message is viewable by unintended and unauthorized participants.
T-03	Falsified Messages	Fake messages are constructed and sent to a receiver who believes them to have come from a party other than the sender.
T-04	Man in the Middle	A party poses as the other participant to the real sender and receiver in order to fool both participants (for example, the attacker is able to downgrade the level of cryptography used to secure the message).
T-05	Principal Spoofing	A message is sent which appears to be from another principal.
T-06	Forged claims	A message is sent in which the security claims are forged in an effort to gain access to otherwise unauthorized information (for example, a security token is used which wasn't really issued by the specified authority).
T-07	Replay of Message Parts	A message is sent which includes portions of another message in an effort to gain access to otherwise unauthorized information or to cause the receiver to take some action.
T-08	Replay	A whole message is resent by an attacker.
T-09	Denial of Service	Amplifier Attack: attacker does a small amount of work and forces system under attack to do a large amount of work.