Writing Secure Web Services

Scott

I know this is Ruby-specific, but we plan to implement this system
using Ruby and ActionWebService. We need to create a secure web
service for B2B integration (ick, sounds too Enterprise-y). The
request follows the following path:

Client Web Site -> Our Web Service (ActiveWebService) -> Our Database,
and back.

We'd like to eliminate the overhead of a challenge/response type of
system. We've come up with this:

The client GPG Signs a UUID+Time. This way an interception of the token
is worthless since it's only good for one request. Since the time
portion of tokens is sequential, we don't need to store a lot of them.
We can just provide a 1 minute window around our latest token.

So tokens are only good for one request. We have to store the latest
token. Since the tokens are signed, tokens can't be generated by a
third party without first compromising the client's private key.

Can anyone poke holes in this idea for us? Or do you have any better
ideas?

Thanks!
Scott
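
Added example, not part of Scott's post: a server-side check for the signed UUID+time token described above, assuming an RSA signature from Ruby's OpenSSL bindings in place of GPG. `issue_token`, `TokenVerifier` and the sample timestamps are hypothetical. It records every token UUID seen inside the one-minute window rather than only the latest token, so an out-of-order request is accepted once and a repeat is rejected.

```ruby
require 'openssl'
require 'securerandom'

# Assumption: an RSA signature stands in for the GPG signature in the post;
# the verifier logic is the same either way.
WINDOW = 60 # seconds, the "1 minute window" from the post

# Client side: sign "uuid|unix_time" with the client's private key.
def issue_token(private_key, now = Time.now.to_i)
  payload = "#{SecureRandom.uuid}|#{now}"
  { payload: payload, sig: private_key.sign(OpenSSL::Digest.new('SHA256'), payload) }
end

# Server side (hypothetical class): signature, freshness and replay checks.
class TokenVerifier
  def initialize(public_key)
    @public_key = public_key
    @seen = {} # uuid => token time, only for tokens still inside the window
  end

  def verify(token, now = Time.now.to_i)
    payload, sig = token[:payload], token[:sig]
    return :bad_signature unless @public_key.verify(OpenSSL::Digest.new('SHA256'), sig, payload)
    uuid, time = payload.split('|', 2)
    time = Integer(time, 10)
    return :stale if (now - time).abs > WINDOW
    @seen.delete_if { |_, t| (now - t).abs > WINDOW } # keeps storage bounded
    return :replayed if @seen.key?(uuid)
    @seen[uuid] = time
    :ok
  end
end

# Constructed demo: one client key, five verification attempts.
def demo
  key = OpenSSL::PKey::RSA.new(2048)
  verifier = TokenVerifier.new(key.public_key)
  t0 = 1_000_000 # constructed timestamp
  first  = issue_token(key, t0)
  late   = issue_token(key, t0 - 5) # issued earlier, arrives second
  forged = { payload: "#{SecureRandom.uuid}|#{t0}", sig: first[:sig] }
  [verifier.verify(first, t0),
   verifier.verify(late, t0 + 1),    # out of order but unseen
   verifier.verify(first, t0 + 2),   # same token again inside the window
   verifier.verify(first, t0 + 120), # same token after the window
   verifier.verify(forged, t0)]      # signature does not match the payload
end
```

The token signs only the UUID and time, so it authenticates the caller but not the request contents; those still need transport protection such as HTTPS.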
 
roland.schmitt

Hello Scott,
Another idea is using wss4r with ActiveWebService. You can then encrypt
and/or sign the requests/responses from both client and server. WSS4R
uses certificates for signing and encryption. Another advantage is that
it conforms to some web service specs, so you can use other clients
like Java or .NET.

There is an example ActiveWebService/Rails application that uses
encryption and signing and also clients in Ruby and C#/.NET.


[1] http://www.rubyforge.org/projects/wss4r

Regards,
Roland
 
rcoder

Scotte said:
We'd like to eliminate the overhead of a challenge/response type of
system.

No offense, but "eliminating the overhead" by introducing a full
round-trip through GPG each time is kind of ridiculous. Why not simply
generate SSL client certs and distribute them to your clients? It's no
less secure (or more work for you) than importing GPG/PGP keys, and
re-uses the existing HTTPS security model.

-Lennon
 
Scott

The library looks promising, although I'm having problems with the
given examples. The server runs fine, but when I try to run the client
under the rails folder (examples/rails/simple/client/client.rb), I get
the following error:

c:/ruby/lib/ruby/1.8/i386-mswin32/digest.so: Class is not a module (TypeError)
    from c:/ruby/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:21:in `require'
    from c:/ruby/lib/ruby/gems/1.8/gems/activesupport-1.2.5/lib/active_support/dependencies.rb:214:in `require'
    from c:/ruby/lib/ruby/1.8/pstore.rb:11
    from c:/ruby/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:21:in `require'
    from c:/ruby/lib/ruby/gems/1.8/gems/activesupport-1.2.5/lib/active_support/dependencies.rb:214:in `require'
    from c:/ruby/lib/ruby/1.8/cgi/session/pstore.rb:13
    from c:/ruby/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:21:in `require'
    from c:/ruby/lib/ruby/gems/1.8/gems/activesupport-1.2.5/lib/active_support/dependencies.rb:214:in `require'
    ... 17 levels...
    from c:/ruby/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:21:in `require'
    from c:/ruby/lib/ruby/site_ruby/1.8/wss4r/rpc/wssdriver.rb:4
    from c:/ruby/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:21:in `require'
    from client.rb:2

This is on a Windows XP machine with Ruby 1.8.4. Any ideas?
 
Scott

Yea, I agree. Maybe a little research on Web Service Security would
have been in order before posting this question. I appreciate your
frank response though. It seems that just using SSL w/client
certificates would be the best solution.

Thanks,
Scott
 
roland.schmitt

Hello Scott,
Sorry for the late reply.
I've tested with WinXP and Ruby 1.8.4 too, but I will look into this
problem. Perhaps the openssl-bindings are not working with your
installation?

Kind regards,
Roland
 
