Web Services Security Standards Dr. Phillip M. Hallam-Baker C.Eng. FBCS VeriSign Inc.


Objective
Enable ‘Secure’ Interoperable Web Services
– What do we mean by secure?
– Are we willing to wait for interoperability?
– Where do we start?

Why New Security is Needed for Web Services
Theory: this thing has 4-wheel drive, but we only take it to the mall
Practice: in this environment we need 4-wheel drive

Do We Actually Want Standards?
Standards benefits
– Interoperability
– Vendor independence
Proprietary benefits
– Try the scheme in practice before proposing a standard
– No negotiation = shorter time to market
– Additional functionality beyond the core standard
Standards should be enablers, not limiters

Web Services Security Groups
[Figure: map of the groups and specifications in the space: SAML, XACML, XrML, XKMS, XML Encryption, XML Signature, Biometrics, WS-Security, Provisioning, W3C Architecture, OASIS Joint Security]

What Parts of Web Services Security Should Be Infrastructure?
[Figure: from a local call stack (Operating System, Subroutine, Application) to a distributed one (Remote Subroutine, Application): the Web Services revolution]

What Parts of Web Services Security Should Be Infrastructure?
Replicate the security context provided by the O/S
– Protected memory: prevents modification of process state, prevents interception of function calls, prevents disclosure
– Access control: authentication, authorization, auditing

Problem Space
[Figure: three layers]
Infrastructure Security: Confidentiality, Integrity, Access Control, Policy
Infrastructure Services: Conversation, Authentication, Authorization, Attributes, Trust
Applications: Funds Transfer, Payroll, Inventory, Purchasing

Solution Space
[Figure: layered stack, top to bottom]
Applications
Web Services Security: Conversation, Access Control, Rights Management, Privacy, Key Management, Policy
Infrastructure Security
XML & Web Services Foundation: XML Signature, XML Encryption, WSDL Description, SOAP

Part I – XML Infrastructure

XML Signature & Encryption
Operate on the XML InfoSet
– Not just a stream of bits
Allow node-level security enhancements
– Sign parts of a document
– Enveloped signature is inside the signed node
– Detached signature signs referenced content
– Detached encryption data

XML Signature Operates on the InfoSet, not Just Bits
[Figure: Source → XML-encoded bits → XML parser → XML Infoset → application code. A traditional PKCS#7 signature covers the encoded bits; an XML Signature covers the Infoset]
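The InfoSet-versus-bits distinction on the two slides above, as an added example that is not part of the original deck: two byte-different serialisations of the same document hash differently when treated as a PKCS#7-style byte stream but identically after XML canonicalisation, and a single node can be digested and re-checked on its own, which is what a ds:Reference does. It uses the C14N 2.0 canonicaliser in Python's standard library (3.8 or later); the Order document and the digest helpers are constructed for the example.

```python
import hashlib
import xml.etree.ElementTree as ET

# Two serialisations of the same XML infoset (constructed sample data): attribute
# order, quoting, whitespace inside tags and the empty-element form all differ.
DOC_A = '<Order id="42" currency="EUR"><Item sku="A1"/><Total>10.00</Total></Order>'
DOC_B = "<Order currency='EUR'   id=\"42\" ><Item sku='A1'></Item><Total>10.00</Total></Order>"
# Same serialisation as DOC_A, but the amount has been altered in transit.
DOC_TAMPERED = DOC_A.replace("10.00", "99.00")


def byte_digest(xml_text):
    """PKCS#7-style: hash the serialised bytes exactly as transmitted."""
    return hashlib.sha256(xml_text.encode("utf-8")).hexdigest()


def infoset_digest(xml_text):
    """XML Signature-style: canonicalise (C14N 2.0 from the stdlib) first, then hash.
    Any serialisation of the same infoset yields the same digest."""
    canonical = ET.canonicalize(xml_data=xml_text)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def node_digest(xml_text, path):
    """Digest of one node only: the 'sign parts of a document' case."""
    node = ET.fromstring(xml_text).find(path)
    if node is None:
        raise ValueError(f"no element at {path}")
    return infoset_digest(ET.tostring(node, encoding="unicode"))


def verify_reference(xml_text, path, expected_digest):
    """What a ds:Reference check does: recompute the digest of the referenced
    node in the received document and compare it with the signed value."""
    return node_digest(xml_text, path) == expected_digest


if __name__ == "__main__":
    print("raw bytes differ:     ", byte_digest(DOC_A) != byte_digest(DOC_B))
    print("infoset digests equal:", infoset_digest(DOC_A) == infoset_digest(DOC_B))
    ref = node_digest(DOC_A, "Total")          # signer's digest of <Total>
    print("Total intact in DOC_B:", verify_reference(DOC_B, "Total", ref))
    print("Total tampered:       ", not verify_reference(DOC_TAMPERED, "Total", ref))
```

Because the digest is taken over the canonical form, a message can be re-serialised by an intermediary (reformatted, attributes reordered, entities rewritten) without invalidating the signature, whereas a byte-level signature would break; the node-level digest is what lets a signer cover only the parts it vouches for.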

Part II – Web Services Security Infrastructure

Is SSL Enough?
For some applications: yes
As infrastructure: no
– SSL only protects data in transit, not in storage
– SSL does not support multi-party transactions
– SSL is all or nothing: messages are opaque to firewalls
– SSL does not support non-repudiation

WS-Security
SOAP message-level security
– Confidentiality
– Integrity
– Authentication
Builds on XML standards
– XML Signature & Encryption

Ensuring a Secure Conversation
Request / response correlation
– Prevents message substitution attacks: response modification, response replay, request replay, denial of service
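The WS-Security and secure-conversation slides above, as an added example that is not part of the original deck. The sender wraps a SOAP body with a wsu:Timestamp, a nonce in a wsse:UsernameToken, WS-Addressing MessageID/RelatesTo headers and a keyed MAC over all of them; the receiver then rejects modified, stale, replayed and mis-correlated messages, in that order. The pre-shared key, the plain Mac element standing in for a ds:Signature, the 300-second window and the sample Transfer body are all assumptions made for the example.

```python
import calendar
import hashlib
import hmac
import secrets
import time
import xml.etree.ElementTree as ET

# Namespaces: SOAP 1.2, WS-Security (wsse/wsu) and WS-Addressing.
NS = {
    "soap": "http://www.w3.org/2003/05/soap-envelope",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "wsa": "http://www.w3.org/2005/08/addressing",
}
XMLNS = " ".join(f'xmlns:{p}="{u}"' for p, u in NS.items())
SHARED_KEY = b"demo-shared-key"  # assumption: pre-shared key; real WS-Security uses ds:Signature with X.509 keys
MAX_SKEW = 300                    # seconds a wsu:Created may be old (or ahead); bounds the replay window
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def _signed_string(created, nonce, message_id, relates_to, body_xml):
    """Fields the MAC covers, in a fixed order (stand-in for the ds:SignedInfo references)."""
    return f"{created}|{nonce}|{message_id}|{relates_to}|{ET.canonicalize(xml_data=body_xml)}"


def build_message(body_xml, key=SHARED_KEY, message_id=None, relates_to="", now=None):
    """Wrap body_xml in a SOAP envelope carrying Timestamp, nonce, addressing IDs and a MAC over all of them."""
    now = int(time.time()) if now is None else now
    created = time.strftime(TIME_FMT, time.gmtime(now))
    nonce = secrets.token_hex(16)
    message_id = message_id or "urn:uuid:" + secrets.token_hex(16)
    mac = hmac.new(key, _signed_string(created, nonce, message_id, relates_to, body_xml).encode(),
                   hashlib.sha256).hexdigest()
    relates = f"<wsa:RelatesTo>{relates_to}</wsa:RelatesTo>" if relates_to else ""
    return (
        f"<soap:Envelope {XMLNS}><soap:Header>"
        f"<wsa:MessageID>{message_id}</wsa:MessageID>{relates}"
        f"<wsse:Security>"
        f"<wsu:Timestamp><wsu:Created>{created}</wsu:Created></wsu:Timestamp>"
        f"<wsse:UsernameToken><wsse:Username>alice</wsse:Username><wsse:Nonce>{nonce}</wsse:Nonce></wsse:UsernameToken>"
        f"<Mac>{mac}</Mac>"  # stand-in for ds:Signature
        f"</wsse:Security></soap:Header>"
        f"<soap:Body>{body_xml}</soap:Body></soap:Envelope>"
    )


class Receiver:
    """Checks every inbound message: integrity, freshness, replay and (for responses) correlation."""

    def __init__(self, key=SHARED_KEY):
        self.key = key
        self.seen_nonces = set()  # replay cache; in production expire entries older than MAX_SKEW

    def verify(self, envelope, expect_relates_to=None, now=None):
        """Return the soap:Body element, or raise ValueError naming the check that failed."""
        now = int(time.time()) if now is None else now
        root = ET.fromstring(envelope)
        hdr = root.find("soap:Header", NS)
        sec = hdr.find("wsse:Security", NS)
        created = sec.findtext("wsu:Timestamp/wsu:Created", namespaces=NS)
        nonce = sec.findtext("wsse:UsernameToken/wsse:Nonce", namespaces=NS)
        mac = sec.findtext("Mac", default="")
        message_id = hdr.findtext("wsa:MessageID", namespaces=NS)
        relates_to = hdr.findtext("wsa:RelatesTo", default="", namespaces=NS)
        body = root.find("soap:Body", NS)
        body_xml = "".join(ET.tostring(child, encoding="unicode") for child in body)
        # 1. Integrity: a modified body, timestamp, nonce or ID breaks the MAC.
        expected = hmac.new(self.key, _signed_string(created, nonce, message_id, relates_to, body_xml).encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, mac):
            raise ValueError("integrity: MAC mismatch, message was modified")
        # 2. Freshness: limits how long a captured message stays replayable.
        if abs(now - calendar.timegm(time.strptime(created, TIME_FMT))) > MAX_SKEW:
            raise ValueError("freshness: Timestamp outside the allowed window")
        # 3. Replay: the same nonce is never accepted twice inside the window.
        if nonce in self.seen_nonces:
            raise ValueError("replay: nonce already seen")
        # 4. Correlation: a response must relate to the request we actually sent.
        if expect_relates_to is not None and relates_to != expect_relates_to:
            raise ValueError("correlation: response does not relate to our request")
        self.seen_nonces.add(nonce)
        return body


if __name__ == "__main__":
    server, client = Receiver(), Receiver()
    request = build_message('<Transfer amount="10" to="bob"/>', message_id="urn:uuid:req-1")
    print("request body:", server.verify(request).find("Transfer").attrib)
    response = build_message("<Ack/>", relates_to="urn:uuid:req-1")
    print("response correlated:", client.verify(response, expect_relates_to="urn:uuid:req-1").find("Ack") is not None)
```

The checks are ordered deliberately: the MAC is verified before the timestamp is trusted, because an unauthenticated Created value could otherwise be used to push a replayed message back inside the window. The nonce cache is what stops request replay within the window, and RelatesTo is what stops an attacker substituting a captured (validly signed) response to a different request.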

Part III – Web Services Infrastructure Security Applications
Key Management
– XKMS
– Key Agreement (TBA)
Distributed Access Control
– SAML
– XACML
– XrML
– Provisioning (TBA) [SPL]

XML Key Management Specification (XKMS)
Management of public keys
– Registration: Alice registers her signature public key [Alice might later request reissue, revocation or recovery]
– Information: Bob looks up the key for Alice; Bob checks to see if it is valid
Core objective: shield the client from the complexity of PKI
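The lookup-and-validate step on the XKMS slide, as an added example that is not part of the original deck: a client-side check of an XKMS ValidateResult that accepts a key binding only when the service reports it Valid for all four reasons (IssuerTrust, RevocationStatus, ValidityInterval, Signature) for the identity and key usage the client asked about, and treats Indeterminate or partially justified answers as untrusted. The sample responses are constructed in XKMS 2.0 layout with the ds:KeyInfo material omitted, and the code assumes the service's own signature on the result has already been verified against a statically configured service key.

```python
import xml.etree.ElementTree as ET

XKMS = "http://www.w3.org/2002/03/xkms#"
NS = {"xkms": XKMS}
# The checks an XKMS Validate service performs on the client's behalf; a binding is
# only usable when the service vouches for every one of them.
REQUIRED_REASONS = {XKMS + r for r in ("IssuerTrust", "RevocationStatus", "ValidityInterval", "Signature")}


def key_is_trusted(validate_result_xml, identifier, usage="Signature"):
    """Return True only if the service reports Success, some KeyBinding names the
    identity and usage we asked about, its Status is Valid, and all required
    reasons are listed. Indeterminate or partially justified bindings are rejected.
    Assumes the ds:Signature on the ValidateResult was already verified against the
    statically configured key of the XKMS service itself."""
    root = ET.fromstring(validate_result_xml)
    if root.get("ResultMajor") != XKMS + "Success":
        return False
    for binding in root.findall("xkms:KeyBinding", NS):
        identifiers = {u.get("Identifier") for u in binding.findall("xkms:UseKeyWith", NS)}
        usages = {u.text for u in binding.findall("xkms:KeyUsage", NS)}
        status = binding.find("xkms:Status", NS)
        if status is None or status.get("StatusValue") != XKMS + "Valid":
            continue  # Invalid or Indeterminate: never trusted, whatever the reasons say
        reasons = {r.text for r in status.findall("xkms:ValidReason", NS)}
        if identifier in identifiers and usage in usages and REQUIRED_REASONS <= reasons:
            return True
    return False


def sample_result(status, reason_tag, reasons, identifier="alice@example.com"):
    """Constructed ValidateResult in XKMS 2.0 layout (no real service, key material omitted)."""
    reason_xml = "".join(f"<{reason_tag}>{XKMS}{r}</{reason_tag}>" for r in reasons)
    return (
        f'<ValidateResult xmlns="{XKMS}" ResultMajor="{XKMS}Success" RequestId="urn:uuid:req-1">'
        f'<KeyBinding Id="kb-1"><KeyUsage>Signature</KeyUsage>'
        f'<UseKeyWith Application="urn:ietf:rfc:2633" Identifier="{identifier}"/>'
        f'<Status StatusValue="{XKMS}{status}">{reason_xml}</Status></KeyBinding></ValidateResult>'
    )


# Three answers the client might receive for "is this Alice's signing key, and is it good?"
VALID = sample_result("Valid", "ValidReason", ["IssuerTrust", "RevocationStatus", "ValidityInterval", "Signature"])
PARTIAL = sample_result("Valid", "ValidReason", ["IssuerTrust", "ValidityInterval", "Signature"])  # no revocation check
INDETERMINATE = sample_result("Indeterminate", "IndeterminateReason", ["RevocationStatus"])

if __name__ == "__main__":
    for name, result in (("valid", VALID), ("partial", PARTIAL), ("indeterminate", INDETERMINATE)):
        print(f"{name:14s} trusted for alice: {key_is_trusted(result, 'alice@example.com')}")
```

The client never builds a certification path or fetches a CRL; it asks one question and checks one answer. The price is that the binding between client and XKMS service must be trusted by some other means, which is the "turtles all the way down" point in Part IV.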

Distributed Access Control
Authorization decision: may ‘Alice’ access the general ledger?
Authentication: is ‘Alice’ the real Alice?
Attributes: Alice is a Finance department employee
Authorization policy: Finance department employees may access the general ledger

Distributed Access Control
[Figure: the user authenticates to the application with a single mechanism (password, biometric, smartcard, etc.); the application combines the user's attributes with the authorization policy to request an authorization decision, which comes back as permit or deny]

SAML Authentication Statements
[Figure: the user proves "I really am Alice" to the Authentication Authority, which issues an Authentication Assertion; the user presents the assertion to a Member Site to connect as Alice]

SAML Authorization Decision and Attribute Statements
[Figure: the Service asks the Authorization Authority "Should Alice do X?"; the Attribute Authority answers the question "Is Alice creditworthy?"; the decision about X flows back to the Service]

Why Standardize Authorization Policy?
Support a common authorization policy API
Move policy with the controlled object
– Privacy applications: healthcare (HIPAA), EU Privacy Directive
– Digital rights management

eXtensible Access Control Markup Language (XACML)
Allows access control policy to be expressed
– Encode in XML rules such as:
1. A person may read any record for which he or she is the designated patient.
2. A person may read any record for which he or she is the designated parent or guardian, and for which the patient is under 16 years of age.
3. A physician may write any medical element for which he or she is the designated primary care physician, provided an is sent to the patient.
4. An administrator shall not be permitted to read or write medical elements of a patient record.
– Chief standards issue is naming: how to identify ‘patient’, ‘record’, ‘guardian’ etc.
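The four rules on the slide above, as an added example that is not part of the original deck: a small policy decision point in Python that encodes each rule as a function over named subject, resource and action attributes and combines them deny-overrides, so an administrator who is also a child's guardian is still refused the medical elements even though rule 2 would permit the read. The attribute names (patient_id, guardian_of, pcp_of, element) and the notify-patient obligation attached to rule 3 are assumptions; the slide's own wording for what rule 3 requires to be sent is cut off.

```python
from dataclasses import dataclass, field

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"


@dataclass
class Request:
    """Attributes of one access request. These names are the naming problem the
    slide mentions: every party must agree on what 'patient', 'guardian' or
    'medical element' means before the rules can be evaluated at all."""
    subject_id: str
    roles: set
    action: str            # "read" or "write"
    patient_id: str        # designated patient of the record being accessed
    patient_age: int
    element: str           # part of the record, e.g. "medical" or "billing"
    guardian_of: set = field(default_factory=set)  # patients the subject is designated guardian for
    pcp_of: set = field(default_factory=set)       # patients the subject is primary care physician for


@dataclass
class Decision:
    effect: str
    rule: str = ""
    obligations: list = field(default_factory=list)


def rule1_patient_reads_own(r):
    if r.action == "read" and r.subject_id == r.patient_id:
        return Decision(PERMIT, "1")
    return Decision(NOT_APPLICABLE)


def rule2_guardian_reads_minor(r):
    if r.action == "read" and r.patient_id in r.guardian_of and r.patient_age < 16:
        return Decision(PERMIT, "2")
    return Decision(NOT_APPLICABLE)


def rule3_pcp_writes_medical(r):
    if r.action == "write" and r.element == "medical" and r.patient_id in r.pcp_of:
        # Permit with an obligation the enforcement point must discharge; the
        # obligation name is an assumption, the slide's text for it is cut off.
        return Decision(PERMIT, "3", obligations=["notify-patient"])
    return Decision(NOT_APPLICABLE)


def rule4_admin_no_medical(r):
    if "administrator" in r.roles and r.element == "medical" and r.action in ("read", "write"):
        return Decision(DENY, "4")
    return Decision(NOT_APPLICABLE)


RULES = [rule1_patient_reads_own, rule2_guardian_reads_minor, rule3_pcp_writes_medical, rule4_admin_no_medical]


def evaluate(r, rules=RULES):
    """Deny-overrides combining: any Deny wins; otherwise the first Permit (with its
    obligations); otherwise NotApplicable, which the enforcement point must treat as Deny."""
    decisions = [rule(r) for rule in rules]
    for d in decisions:
        if d.effect == DENY:
            return d
    for d in decisions:
        if d.effect == PERMIT:
            return d
    return Decision(NOT_APPLICABLE)


if __name__ == "__main__":
    admin_guardian = Request("adm", {"administrator"}, "read", "kid", 12, "medical", guardian_of={"kid"})
    physician = Request("drx", {"physician"}, "write", "alice", 34, "medical", pcp_of={"alice"})
    print("admin/guardian reads minor's medical element:", evaluate(admin_guardian))
    print("primary care physician writes medical element:", evaluate(physician))
```

The combining algorithm is as much part of the policy as the rules: with permit-overrides instead of deny-overrides the guardian rule would let the administrator through, which is exactly the kind of ambiguity a policy language has to pin down before two organisations can exchange policy with the object it protects.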

XrML
Allows digital rights policy to be expressed
– Encode in XML rules such as:
Consumer can view film 6 times within 6 months
Consumer can view any content in the super subscription plan for 1 month
Consumer can listen to audio track X on the devices P, Q, R
Chief standards issue is naming
– How to identify content, constraints etc.

Part IV – Futures
Support for Direct Trust
WSDL Description of Security Enhancements

Support for Direct Trust
It can’t be turtles all the way down.
[Figure: the application relies on XKMS; the trust in the XKMS service itself must be a static mechanism]

WSDL Description of Security Enhancements
We know what to do
– WSDL description of security enhancements, for example:
I support WS-Security with AES encryption
The authentication key of my service is X
I always authenticate responses with Y
You must perform key agreement with Z
Specification is dependent on:
– WSDL specification
– Web Services Security specifications

Conclusions
Without security and trust, web services are dead on arrival
Considerable progress has already been made
– Industry-wide consensus on the value of standards
– Basic infrastructure is in place or in development
– There is considerable consensus on the roadmap
– Security need not be the show stopper