Web Application Overview (1/2)
▣ What is a web application?
• A web application is a software application that is accessible using a web browser or HTTP(S) user agent.
Web Application Overview (2/2)
▣ Typical architecture of a web application (n-tier diagram)
• Web Client —HTTP request (cleartext or SSL)→ Web Server (Apache, IIS, Netscape, etc.) → Web app (Perl, C/C++, JSP, etc.) —DB connector (ADO, ODBC, etc.)→ SQL Database
• The HTTP reply carries HTML, JavaScript, VBScript, etc. back over the transport to the client.
Why Web Application Security Is Needed (3/4)
▣ Application-layer attack (diagram)
• Application layer: Custom Developed Application Code in front of Billing, Human Resources, Directories, Databases, Legacy Systems and Web Services (security holes exist in the application layer)
• Network layer: Web Server, App Server, Hardened OS, Firewall
◈ Defenses at the network layer alone (firewall, SSL, IDS, secure OS, etc.) cannot stop attacks against the application layer.
Why Web Application Security Is Needed (4/4)
◈ Limitations of network-layer security technologies such as firewalls and IDS (diagram)
• Application-layer vulnerabilities: Business Logic, SQL Injection, Parameter Manipulation, Authorization, Cookie Poisoning, Cross-Site Scripting
• Layers shown: Application Server, Web Server, Operating System
• Existing solutions: Host-based IDS, VPN, Firewall, PKI, Network-based IDS
Example Web Service Configuration (diagram)
• Company A: Client → Web App → Web service → Transport → Web App server → Firewall
• Request/Response travel across the Internet
• Company B: Firewall → Web App server → Transport → Web service → Web App
Web Services Security (protocol stack diagram)
• XML Security Frameworks: XML security information exchange (SAML), XML access control (XACML), XML key management (XKMS), Web Services Security (WS-Security)
• Non-XML Frameworks: Simple Object Access Protocol (SOAP); HTTP, FTP, SMTP, JMS, etc.
• Transport-Level Security: Secure Socket Layer (SSL)
• Transmission Control Protocol and Internet Protocol (TCP/IP)
XML Signature (2/2)
▣ Example of an XML-signed message
<?xml version="1.0"?>
<!DOCTYPE Signature SYSTEM "xml/xmldsig.dtd">
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
  <SignedInfo>
    <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2000/CR-xml-c14n-20001026"/>
    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
    <Reference URI="xml/test.xml#jasonlee">
      <Transforms>
        <Transform Algorithm="http://www.w3.org/TR/2000/CR-xml-c14n-20001026#WithComments"/>
      </Transforms>
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <DigestValue>DmKpHJWGGS8y3tdL2a4f19PwYig=</DigestValue>
    </Reference>
  </SignedInfo>
  <SignatureValue>
    MCwCFHNYk1vKdjI1FBR07MYJGw5QV4IYAhQGKKtVEcoaXSYS6tSG8TFFlPhi/g==
  </SignatureValue>
  <KeyInfo>
    <X509Data>
      <X509SubjectName>CN=Jason, OU=ISTD, O=ETRI, L=Yusong, ST=Taejon, C=KR</X509SubjectName>
      <X509Certificate>
        MIIC7zCCAq0CBDqDqyAwCwYHKoZIzjgEAwUAMF0xCzAJBgNVBAYTAktSMQ8w
        DQYDVQQIEwZUYWVqb24xDzANBgNVBAcTBll1c29uZzENMAsGA1UEChMERVRS
        STENMAsGA1UECxMESVNURDEOMAwGA1UEAxMFSmFzb24wHhcNMDEwMjA5MDgz
        ...
      </X509Certificate>
    </X509Data>
  </KeyInfo>
</Signature>
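The two validation steps a verifier performs on a message like the one above (recompute each Reference's DigestValue, then check SignatureValue over the canonicalized SignedInfo), as an added Python example that is not code from the slides or from any XML-DSig library. Assumptions: the XML-DSig HMAC-SHA1 SignatureMethod with a shared key stands in for the DSA key pair and certificate, and Python's C14N 2.0 canonicalize() stands in for the 2000 C14N 1.0 algorithm; the sample order document and Id value are constructed.

```python
import base64, copy, hashlib, hmac
import xml.etree.ElementTree as ET

DSIG = "http://www.w3.org/2000/09/xmldsig#"
C14N = "http://www.w3.org/TR/xml-c14n2"   # assumption: C14N 2.0 instead of the 2000 C14N
SHA1, HMAC_SHA1 = DSIG + "sha1", DSIG + "hmac-sha1"

def c14n(elem):
    # Canonical bytes of one element (tail text stripped so surrounding whitespace is ignored)
    clone = copy.copy(elem); clone.tail = None
    return ET.canonicalize(ET.tostring(clone, encoding="unicode")).encode()

def digest_b64(elem):
    return base64.b64encode(hashlib.sha1(c14n(elem)).digest()).decode()

def sign(doc, ref_id, key):
    """Build a detached <Signature> over the element whose Id attribute equals ref_id."""
    target = doc.find(f".//*[@Id='{ref_id}']")
    sig = ET.Element(f"{{{DSIG}}}Signature")
    si = ET.SubElement(sig, f"{{{DSIG}}}SignedInfo")
    ET.SubElement(si, f"{{{DSIG}}}CanonicalizationMethod", Algorithm=C14N)
    ET.SubElement(si, f"{{{DSIG}}}SignatureMethod", Algorithm=HMAC_SHA1)
    ref = ET.SubElement(si, f"{{{DSIG}}}Reference", URI="#" + ref_id)
    ET.SubElement(ref, f"{{{DSIG}}}DigestMethod", Algorithm=SHA1)
    ET.SubElement(ref, f"{{{DSIG}}}DigestValue").text = digest_b64(target)
    mac = hmac.new(key, c14n(si), hashlib.sha1).digest()   # signature covers SignedInfo only
    ET.SubElement(sig, f"{{{DSIG}}}SignatureValue").text = base64.b64encode(mac).decode()
    return sig

def verify(doc, sig, key):
    si = sig.find(f"{{{DSIG}}}SignedInfo")
    # Step 1: signature validation over canonicalized SignedInfo
    claimed = base64.b64decode(sig.findtext(f"{{{DSIG}}}SignatureValue"))
    if not hmac.compare_digest(claimed, hmac.new(key, c14n(si), hashlib.sha1).digest()):
        return False
    # Step 2: reference validation, recomputing every DigestValue from the live document
    for ref in si.findall(f"{{{DSIG}}}Reference"):
        uri = ref.get("URI", "")
        target = doc.find(f".//*[@Id='{uri[1:]}']") if uri.startswith("#") else None
        if target is None or digest_b64(target) != ref.findtext(f"{{{DSIG}}}DigestValue"):
            return False
    return True

if __name__ == "__main__":
    # Constructed sample document; the <customer> element is the signed part
    order = ET.fromstring("<order><customer Id='c1'><name>Jason</name></customer><amount>10</amount></order>")
    s = sign(order, "c1", b"shared-secret")
    print(verify(order, s, b"shared-secret"))
```

Changing the signed element, or tampering with SignedInfo, makes verify() return False; changing the unsigned sibling does not, which is the partial-coverage property of a Reference.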
XML Encryption
▣ Provides confidentiality for an electronic document or message
◈ Because the encrypted result is itself XML, it fits easily into XML and web-service environments
◈ Supports partial encryption of an XML document
<?xml version="1.0"?>
<!DOCTYPE customer_order SYSTEM "custord.dtd">
<customer_order>
  <items>
    <item>
      <name>Turnip Twaddler</name>
      <qty>3</qty>
      <price>9.95</price>
    </item>
    <item>
      <name>Snipe Curdler</name>
      <qty>1</qty>
      <price>19.95</price>
    </item>
  </items>
  <customer>
    <name>Doug Tidwell</name>
    <street>1234 Main Street</street>
    <city state="NC">Raleigh</city>
    <zip>11111</zip>
  </customer>
  <EncryptedElement algorithm="DES/CBC/PKCS5Padding" contentType="text/xml" encoding="base64" iv="S5Rirg//pNQ=">vJqNpDrQT1vmCVbyGJfIwdIDBYoGXGmutgz6TVGoPuKVG7IxNEN50iKlw8pmtxFixz5hOChOXgTtPqktQhEHO5+vLOLAFgIioDIRQGHHmHng3CLd+8tvrT8wxPBCRSMUpx4d2TGXW2tqSepam0ZxdmwUXwNSAgaR8hmiromD+bh+tDomPv7eFZ4no5ft3JG3t0trLlwVupF/5vaIJimUSmuUkkgyG8x9AcS/kXJxHpmM=peqGzIMf+8A=</EncryptedElement>
</customer_order>
WS-Security (SOAP Message Security) (2/2)
▣ Structure of a protected SOAP message
• SOAP-Envelope
  • SOAP-Header
    • Timestamp
    • Security Header: Security Token, Cipher Data, Signature
  • SOAP-Body
    • Cipher Data
XKMS (XML Key Management Spec) (2/2)
▣ XKMS service model (diagram)
• User (1), holding a key pair and signed and encrypted XML documents, sends SOAP requests carrying a <KeyBinding> to the X-KRSS interface: Register, Reissue, Revocation, Recovery
• User (2) sends SOAP requests to the X-KISS interface: Locate, Validate; the SOAP response carries Result = Valid with <KeyBinding>, <KeyID>, <KeyInfo> (public key)
• The XKMS service is built on a Java Crypto Library, XML Signature, XML Encryption and SOAP Security, and reaches PKI Provider (1) and PKI Provider (2) through a PKI Module Interface
XACML (eXtensible Access Control Markup Language) (2/2)
▣ XACML service model (diagram)
SAML (Security Assertion Markup Language) (2/2)
▣ SAML service model (diagram)
- Slides: 38