Web Service Security in HMA-T
HMA-T Final Presentation, 14 December 2009
S. Gianfranceschi, Intecs
ESRIN, 15 December 2009, Slide 1

Presentation transcript:

Slide 2: Agenda
- Introduction
- OGC r
- ATS issues
- ETS issues
- Security library issues
- Final remarks

Slide 4: Introduction
- Issue: the OGC specification has undergone a major update
  - HMA-T OGC specification baseline: OGC r1 version
  - Current OGC specification: OGC r3 version
- Changes involve several aspects, ranging from the authentication interface definition to authorization issues
- ATS, ETS and security library changed accordingly

Slide 6: OGC r3 Authentication
- The authentication interface specification schema has changed: the custom “Assertion” tag defined in the “ namespace has been removed
- The authentication scenarios have been reviewed: authentication through an external IdP simplified
- The structure of the SAML Token has been reviewed:
  - Attributes no longer normative
  - The IdP public certificate no longer inserted in the signature
- The authentication requests assume SOAP version 1.2 as the protocol binding

Slide 7: OGC r3 Authorization
- The service requests are now aligned to WS-Security (Web Services Security: SOAP Message Security 1.1):
  - No custom “ tag in the ws-security tag of the SOAP Header
  - “EncryptedData” directly inserted as a child of the ws-security tag, as foreseen by the specification
- The service requests assume version 1.2 as the reference version of SOAP supported by the service endpoint; SOAP version 1.1 still supported for legacy systems
- Asynchronous authorization still to be better defined

Slide 9: OGC r3 ATS
- ATS has changed according to the OGC specification update
- ATS is still made of three modules:
  - M1 for testing the basic requirements of both the Identity and Service Providers
  - M2 for testing the authentication capabilities of the Identity Provider
  - M3 for testing the authorization capabilities of the Service Provider
- ATS first two modules heavily reviewed:
  - Number of test cases reduced
  - Better specification of the test steps

Slide 10: OGC r3 ATS
ATS Module 1 changes (OGC version 0.0.3 -> current OGC version):
- SOAP version 1.1 -> SOAP version 1.2 (version 1.1 support kept for service requests to legacy services)
- Mandatory GMES list of attributes in SAML token -> list of SAML token attributes not checked
- Encryption and digest method support checked on WSDL -> direct check of the support for the AES-128 encryption method and the SHA-1 digest method on the SAML Token returned by the IdP (precondition: private key of the service known)
- Check on the order of signature and encryption (SAML Token first signed and then encrypted) -> removed since redundant

Slide 11: OGC r3 ATS
ATS Module 2 changes (OGC version 0.0.3 -> current OGC version):
- SOAP version 1.1 -> SOAP version 1.2
- Two test cases for authentication requests with no IdP provided in input (1. test case for local IdP handling; 2. test case for external IdP handling) -> a unique test case for authentication requests with no IdP provided (always interpreted as directed to the local IdP)
ATS Module 3 changes (OGC version 0.0.3 -> current OGC version):
- SOAP version 1.1 -> SOAP version 1.2, or version 1.1 for legacy systems

Slide 13: OGC r3 ETS
- ETS graphical interface:
  - Improved general layout
  - Added the choice between SOAP 1.1 and SOAP 1.2 for service requests
  - Removed the entry for requesting the WSDL of the service (no longer needed)
- ETS modules changed according to the new ATS and the new (completely reviewed) security library
- ETS structure reviewed: simplified management of service requests with either SOAP 1.1 or SOAP 1.2

Slide 15: OGC r3 security library
- Security library reviewed:
  - Renamed in order to match the hma-t security project context
  - Provided with a cleaner structure of packages and classes
  - Updated to match the latest versions of the Apache libraries used
- Signature part modified in order to match the removal of the public certificate from the SAML Token signature:
  - The “checkSignature” method, if the public certificate key is not present in the signature, looks up a local “public_certificates.jks” keystore
  - The “public_certificates.jks” keystore contains all of the public keys of the trusted Identity Providers
  - If no public key in the keystore can be used to verify the signature, the check fails
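Added here as an illustration (not the HMA-T security library's code), a Java sketch of the checkSignature behaviour this slide describes, built on the JDK's javax.xml.crypto.dsig API. Assumed: the caller loads public_certificates.jks into a KeyStore holding only trusted IdP certificate entries and marks the assertion's ID attribute before calling; the rule that a certificate embedded in the signature must itself be present in the trust store is an added hardening the slide does not state.

```java
import java.security.KeyStore;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import javax.xml.crypto.dom.DOMStructure;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.X509Data;
import org.w3c.dom.Element;

public final class SamlTokenSignatureCheck {
    // sigElement: the token's ds:Signature; trustStore: assumed loaded by the caller from public_certificates.jks.
    // The caller must have marked the assertion's ID attribute (Element.setIdAttribute) so Reference URI="#..." resolves.
    public static boolean checkSignature(Element sigElement, KeyStore trustStore) throws Exception {
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        List<PublicKey> candidates = new ArrayList<>();
        X509Certificate embedded = embeddedCertificate(fac, sigElement);
        if (embedded != null) {
            // Added hardening: a certificate carried in ds:KeyInfo is used only if it is itself in
            // the trust store; otherwise any signer could ship its own certificate with the token.
            if (trustStore.getCertificateAlias(embedded) == null) return false;
            candidates.add(embedded.getPublicKey());
        } else { // OGC r3 case: no certificate in the signature, try every trusted IdP public key
            for (Enumeration<String> e = trustStore.aliases(); e.hasMoreElements();) {
                candidates.add(trustStore.getCertificate(e.nextElement()).getPublicKey());
            }
        }
        for (PublicKey key : candidates) {
            DOMValidateContext ctx = new DOMValidateContext(key, sigElement);
            ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE); // reject unsafe transforms/algorithms
            XMLSignature sig = fac.unmarshalXMLSignature(ctx);
            if (sig.validate(ctx)) return true; // SignatureValue and all Reference digests verified
        }
        return false; // no trusted key verifies the signature: the check fails
    }

    // First X509Certificate inside ds:KeyInfo/ds:X509Data, or null when none is embedded.
    private static X509Certificate embeddedCertificate(XMLSignatureFactory fac, Element sigElement) throws Exception {
        XMLSignature sig = fac.unmarshalXMLSignature(new DOMStructure(sigElement));
        if (sig.getKeyInfo() == null) return null;
        for (Object item : sig.getKeyInfo().getContent()) {
            if (!(item instanceof X509Data)) continue;
            for (Object c : ((X509Data) item).getContent()) {
                if (c instanceof X509Certificate) return (X509Certificate) c;
            }
        }
        return null;
    }
}
```

A true result only proves the token was signed by a trusted IdP key; issuer, audience and validity-period checks on the assertion itself still belong in the caller.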

Slide 17: OGC r3 final remarks
- OGC still in course of specification, with foreseen updates and improvements; ATS and ETS are consequently foreseen to undergo significant changes as the specification matures
- Further inputs are expected from the GENESIS project:
  - Authentication and authorization scenarios implemented according to the OGC specification
  - Security issues involve services of different types and not only the EO context