Security Standards (…and Competing Standards … and Implementations … and Interoperability) Marty Humphrey Assistant Professor Computer Science Department.
Security Standards (…and Competing Standards … and Implementations … and Interoperability)
Marty Humphrey, Assistant Professor, Computer Science Department, University of Virginia
UK e-Science Core Programme Town Meeting, Monday 11th April 2005

“Security in a Web Services World” (IBM/MS White Paper, April 2002)
This is a composable architecture: “only use what you need”.
[Figure on the original slide: the roadmap drawn as a layered stack, bottom to top, along a time axis running from “today” forward]
- SOAP Foundation
- WS-Security
- WS-Policy, WS-Trust, WS-Privacy
- WS-SecureConversation, WS-Federation, WS-Authorization

WS Security Roadmap exists, so why do we? (slide from GGF6, Oct 2002)
1. What if boxes never materialize?
2. What if boxes appear too late?
3. What if there are licensing issues with box(es)?
4. What if “their roadmap” has missing pieces?
5. What if Grid Computing != Web Services?
6. The MS-IBM Roadmap is wire-oriented; we need to be wire-oriented AND service-oriented (i.e., portTypes)
How do we make our existing security services “fit” with the OGSA Architecture?

Second Wave Specifications Slide from Felipe Cabrera

Web Services Specifications Process (example: WS-Security; slide from Felipe Cabrera)
- Specification published: April 2002
- Customer and industry feedback gathered: April – August 2002
- Addendum published, dev product delivered: August 2002
- OASIS standardization: September 2002
- WS-I Interoperability Profile: April 2003
Partner involvement grew over this period from three partners to over 30 partners and then over 100 partners.

Today: Status of Specs
- WS-Security (“SOAP Message Security 1.0”): OASIS Standard, 15 Mar 2004
- WS-Policy (Dec 2002): updated Sept 2004 (6 companies); royalty-free; not in a standards body
- WS-SecureConversation (Dec 2002): updated Feb 2005 (13 companies); royalty-free; not in a standards body
- WS-Trust (Dec 2002): updated Feb 2005 (12 companies); royalty-free (?); not in a standards body
- WS-Federation (Jul 2003): no update since July 2003?
- WS-Privacy: ???
- WS-Authorization: ???

WS-I Basic Security Profile (Draft: Jan)
How to use:
- SSL/TLS
- SOAP Message Security
- Username Token Profile
- X.509 Certificate Token Profile
- XML-Signature
- XML-Encryption
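The Username Token Profile listed above is the one piece of this stack a service can verify with nothing but a password store, so it is worth seeing what a receiver must actually check. The following is an added example, not code from the slides, the WS-I profile or any of the projects named here: it builds a constructed SOAP envelope carrying a UsernameToken in PasswordDigest form (Base64(SHA-1(nonce + created + password)), as defined by the OASIS Username Token Profile 1.0) and then verifies it the way a defender should, rejecting clear-text password types, stale Created timestamps and replayed nonces. The namespace URIs and the digest formula are the real ones; the user store, nonces, timestamps and the injected clock are constructed for the demo.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Real namespace URIs from OASIS WS-Security 1.0 and Username Token Profile 1.0.
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PASSWORD_DIGEST = ("http://docs.oasis-open.org/wss/2004/01/"
                   "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")


def password_digest(nonce_b64: str, created: str, password: str) -> str:
    """Password_Digest = Base64(SHA-1(nonce + created + password)); nonce as raw bytes."""
    nonce = base64.b64decode(nonce_b64)
    raw = hashlib.sha1(nonce + created.encode("utf-8") + password.encode("utf-8")).digest()
    return base64.b64encode(raw).decode("ascii")


def build_envelope(username: str, password: str, nonce_b64: str, created: str) -> str:
    """Client side: constructed SOAP envelope with a digest-form UsernameToken header."""
    digest = password_digest(nonce_b64, created, password)
    return f"""<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
    <wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">
      <wsse:UsernameToken>
        <wsse:Username>{username}</wsse:Username>
        <wsse:Password Type="{PASSWORD_DIGEST}">{digest}</wsse:Password>
        <wsse:Nonce>{nonce_b64}</wsse:Nonce>
        <wsu:Created>{created}</wsu:Created>
      </wsse:UsernameToken>
    </wsse:Security>
  </soap:Header>
  <soap:Body/>
</soap:Envelope>"""


class UsernameTokenVerifier:
    """Server side: digest form only, bounded clock skew, each nonce accepted once."""

    def __init__(self, users, now, max_skew=timedelta(minutes=5)):
        self.users = users          # constructed username -> password store
        self.now = now              # injected clock keeps the example deterministic
        self.max_skew = max_skew
        self.seen_nonces = set()    # replay cache; in production bound its age by max_skew

    def verify(self, envelope_xml: str):
        root = ET.fromstring(envelope_xml)
        token = root.find(f".//{{{WSSE}}}UsernameToken")
        if token is None:
            return False, "no UsernameToken"
        username = token.findtext(f"{{{WSSE}}}Username")
        pw_el = token.find(f"{{{WSSE}}}Password")
        nonce_b64 = token.findtext(f"{{{WSSE}}}Nonce")
        created = token.findtext(f"{{{WSU}}}Created")
        if pw_el is None or pw_el.get("Type") != PASSWORD_DIGEST:
            return False, "only PasswordDigest tokens are accepted"
        if not (username and nonce_b64 and created):
            return False, "token incomplete (Username, Nonce and Created are required)"
        try:
            created_dt = datetime.strptime(created, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        except ValueError:
            return False, "Created is not a UTC xsd:dateTime"
        if abs(self.now - created_dt) > self.max_skew:
            return False, "Created outside freshness window"
        if nonce_b64 in self.seen_nonces:
            return False, "nonce replayed"
        # Unknown users are compared against a dummy secret so timing does not reveal names.
        password = self.users.get(username, "\x00unknown")
        expected = password_digest(nonce_b64, created, password)
        if not hmac.compare_digest(expected, pw_el.text or ""):
            return False, "digest mismatch"
        self.seen_nonces.add(nonce_b64)
        return True, "ok"


def demo():
    """Constructed scenario: valid token, replay of that token, wrong password, stale token."""
    users = {"bob": "correct horse battery staple"}
    clock = datetime(2005, 4, 11, 10, 1, 0, tzinfo=timezone.utc)
    verifier = UsernameTokenVerifier(users, now=clock)
    nonce1 = base64.b64encode(b"0123456789abcdef").decode("ascii")
    nonce2 = base64.b64encode(b"fedcba9876543210").decode("ascii")
    nonce3 = base64.b64encode(b"abcdef0123456789").decode("ascii")
    fresh = build_envelope("bob", users["bob"], nonce1, "2005-04-11T10:00:00Z")
    wrong = build_envelope("bob", "guess", nonce2, "2005-04-11T10:00:00Z")
    stale = build_envelope("bob", users["bob"], nonce3, "2005-04-11T08:00:00Z")
    return [verifier.verify(fresh), verifier.verify(fresh),
            verifier.verify(wrong), verifier.verify(stale)]


if __name__ == "__main__":
    for ok, reason in demo():
        print(ok, reason)
```

The digest form protects the password on the wire only to the extent that SHA-1 of a single password is hard to invert, which is why the profile is normally paired with the SSL/TLS item above; the freshness window and nonce cache are what stop a captured token from being presented twice.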

Security Assertion Markup Language (SAML) Framework (OASIS Standard)
- Assertions: Authentication, Attribute, Authorization Decision
- Protocols: e.g., request one or more assertions from a SAML authority
- Bindings: e.g., the SAML SOAP binding
- Profiles: constraints and/or extensions for a particular application (e.g., the Web SSO Profile)
[Figure on the original slide: a Protocol Request and a Protocol Response carrying an Assertion, exchanged over a Binding]

eXtensible Access Control Markup Language (XACML) – OASIS Standard V 2.0, 6 Dec 2004 (142 pages!)
Authors include Sun, BEA, CA, Entrust, Frank Siebenlist, and IBM
Capabilities
- Access control: who can do what, when
- Queries about whether a particular access should be allowed (requests), and the form of the answers to those queries (responses)
XACML and SAML
- An XACML policy specifies what a provider should do when it receives a SAML Assertion
- XACML-based attributes can be expressed in SAML
XACML v3.0 in the works
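The SAML slide lists the assertion types and the XACML slide says a policy decides what a provider does when such an assertion arrives; the following added example (not code from the slides or from either OASIS specification) joins the two. It parses a constructed SAML 2.0 attribute assertion, enforces its Conditions window, and evaluates an XACML-style policy with deny-overrides rule combining over the extracted attributes. The SAML namespace is the real one; the policy is plain Python data rather than XACML XML, and the issuer, subject, attribute names (urn:example:…) and resource/action identifiers are assumptions made up for the demo.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"   # real SAML 2.0 assertion namespace

# Constructed sample attribute assertion; issuer, subject and attribute names are made up.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" Version="2.0" ID="_c1"
    IssueInstant="2005-04-11T09:58:00Z">
  <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
  <saml:Subject><saml:NameID>bob</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2005-04-11T09:58:00Z" NotOnOrAfter="2005-04-11T10:08:00Z"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:example:role">
      <saml:AttributeValue>researcher</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:example:project">
      <saml:AttributeValue>climate</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# XACML-style policy as plain data (an assumption; not XACML's XML syntax).
POLICY = {
    "combining": "deny-overrides",
    "rules": [
        {"id": "submit-if-researcher", "effect": "Permit",
         "target": {"resource": "urn:example:jobs", "action": "submit"},
         "condition": {"attribute": "urn:example:role", "any_of": {"researcher"}}},
        {"id": "deny-suspended", "effect": "Deny",
         "target": {"resource": "urn:example:jobs", "action": "submit"},
         "condition": {"attribute": "urn:example:status", "any_of": {"suspended"}}},
    ],
}

DEMO_NOW = datetime(2005, 4, 11, 10, 0, 0, tzinfo=timezone.utc)


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_assertion(xml_text: str, now: datetime):
    """Return (subject, {attribute name: set of values}); raise if outside Conditions."""
    root = ET.fromstring(xml_text)
    cond = root.find(f"{{{SAML}}}Conditions")
    if cond is not None:
        not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now < _ts(not_before):
            raise ValueError("assertion not yet valid")
        if not_on_or_after and now >= _ts(not_on_or_after):
            raise ValueError("assertion expired")
    subject = root.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
    attrs = {}
    for attr in root.iterfind(f".//{{{SAML}}}Attribute"):
        values = attrs.setdefault(attr.get("Name"), set())
        values.update(v.text for v in attr.iterfind(f"{{{SAML}}}AttributeValue") if v.text)
    return subject, attrs


def evaluate(policy, attrs, resource, action):
    """PDP: apply every rule whose target matches; combine with deny-overrides."""
    effects = []
    for rule in policy["rules"]:
        target = rule["target"]
        if target["resource"] != resource or target["action"] != action:
            continue
        cond = rule["condition"]
        if attrs.get(cond["attribute"], set()) & cond["any_of"]:
            effects.append(rule["effect"])
    if "Deny" in effects:
        return "Deny"
    if "Permit" in effects:
        return "Permit"
    return "NotApplicable"


def decide(assertion_xml, resource, action, now):
    """PEP: only an explicit Permit lets the request through; everything else fails closed."""
    try:
        _subject, attrs = parse_assertion(assertion_xml, now)
    except ValueError as exc:
        return "Deny", f"Indeterminate: {exc}"
    decision = evaluate(POLICY, attrs, resource, action)
    return ("Permit" if decision == "Permit" else "Deny"), decision


def demo():
    """Constructed cases: allowed, no matching rule, deny overrides permit, expired."""
    suspended = SAMPLE_ASSERTION.replace('Name="urn:example:project"', 'Name="urn:example:status"') \
                                .replace("climate", "suspended")
    expired_at = datetime(2005, 4, 11, 10, 30, 0, tzinfo=timezone.utc)
    return [decide(SAMPLE_ASSERTION, "urn:example:jobs", "submit", DEMO_NOW),
            decide(SAMPLE_ASSERTION, "urn:example:jobs", "cancel", DEMO_NOW),
            decide(suspended, "urn:example:jobs", "submit", DEMO_NOW),
            decide(SAMPLE_ASSERTION, "urn:example:jobs", "submit", expired_at)]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The split between `decide` and `evaluate` mirrors the PEP/PDP separation both specifications assume: the PDP may answer NotApplicable or Indeterminate, and it is the enforcement point that turns anything other than Permit into a refusal. Signature verification of the assertion is deliberately out of scope here; in a deployment it happens before `parse_assertion` is trusted at all.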

Liberty Alliance
- Industry consortium defining standards for federated identity (formed Sept 2001); IBM recently joined
- Web Service Framework (ID-WSF)
- Authentication: Identity Federation Framework (ID-FF) uses SAML
- Message protection: e.g., TLS, SAML Assertion in WS-Security
- Service discovery and addressing
- Policy
- “Common data access protocols”: Liberty Data Services Template Specification

Open Issues/Concerns
- Privacy: SAML 2.0 privacy mechanisms?
- XACML and WS-[Security]Policy overlap
- XACML and SAML overlap: both have protocols for requesting security information
- WS-Federation and Liberty Alliance overlap
- WS-* and ID-WSF overlap
- Delegation: service interface (WS-Delegation); protocol (X.509 Proxy Certs, RFC 3820, and SAML Delegation)

WS-Delegation
- Led by Olle Mulmo
- Standalone Web services portType
- Based on WS-Trust (until recently – April 05?)
My group’s contribution: D. Del Vecchio, J. Basney, N. Nagaratnam, and M. Humphrey, “CredEx: User-Centric Credential Selection and Management for Grid and Web Services”
- Long-term or short-term storage and exchange of multiple per-user credentials
- Support for multiple platforms and languages (Java and .NET)
- Multiple token types: initially both password-to-X.509 and X.509-to-password exchanges
- Potential support for more token types through the WS-Security and WS-Trust specifications

CredEx System Overview
[Figure on the original slide, with a CredentialService (Java/Tomcat/Axis) in the middle:]
- A Java client holding an X.509 signature calls exchangeForPassword() on the CredentialService, receives a username/password, and uses it in invokeMethod() against a password-based Web Service (Java/.Net)
- A .Net client holding a username/password calls exchangeForCert() on the CredentialService, receives an X.509 credential, and uses it in invokeMethod() against an X.509-based Grid Service (Java/GT3)

“Extending the Security Assertion Markup Language to Support Delegation for Web Services and Grid Services” (J. Wang, D. Del Vecchio, and M. Humphrey)
- Delegation request as a SAML request
- Delegation response as a SAML response
[Figure on the original slide: a chain of request/response pairs, each request carrying a SAML assertion: “Please schedule my jobs”, “Please run my job”, “Please save my file”, “Please send a disk request for Bob”]

Direct SAML Delegation with Web Service Security: Bob has delegated to Superscheduler
[Figure on the original slide: the SOAP header contains]
- Assertion (SAML Token Profile): Superscheduler’s key; Delegation: Bob; Right: Full; carries Bob’s signature
- Superscheduler’s signature over the message (X509 Token Profile)

Indirect SAML Delegation with Web Service Security: Bob has delegated to Broker through Superscheduler
[Figure on the original slide: the SOAP header contains]
- Assertion (SAML Token Profile): Broker’s key; Delegation: Bob; Right: End Entity; carries Superscheduler’s signature
- Assertion (SAML Token Profile): Superscheduler’s key; Delegation: Bob; Right: Full; carries Bob’s signature
- Broker’s signature over the message (X509 Token Profile)
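The direct and indirect delegation slides above show what the SOAP header carries but not what the receiving service has to check before honouring “Delegation: Bob”. The following added example (not code from the paper, the slides or any project named here) implements that chain verification for both cases: each assertion must be issued by the holder of the previous one, only a holder of the Full right may delegate further, an End Entity right ends the chain, every assertion must name the same original principal, and the message signer must be the holder of the last assertion. HMAC with constructed per-principal secrets stands in for the X.509 signatures of the figures so the logic runs offline; a real verifier would check XML-DSig with each principal’s public key instead. The principal names, the JSON-style assertion layout and the “Archiver” party added for the failure case are assumptions.

```python
import hashlib
import hmac
import json

# Constructed per-principal secrets; HMAC stands in for X.509/XML-DSig signatures.
KEYS = {
    "Bob": b"bob-secret-0001",
    "Superscheduler": b"superscheduler-secret-0002",
    "Broker": b"broker-secret-0003",
    "Archiver": b"archiver-secret-0004",   # extra party used only to show a chain that goes too far
}
RIGHT_RANK = {"End Entity": 1, "Full": 2}   # Full may re-delegate; End Entity may only act


def _canonical(payload: dict) -> bytes:
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode("utf-8")


def _sign(principal: str, payload: dict) -> str:
    return hmac.new(KEYS[principal], _canonical(payload), hashlib.sha256).hexdigest()


def issue_assertion(issuer: str, holder: str, delegation: str, right: str) -> dict:
    """Issuer asserts: the holder's key may act on behalf of `delegation` with `right`."""
    payload = {"issuer": issuer, "holder_key": holder, "delegation": delegation, "right": right}
    return {**payload, "signature": _sign(issuer, payload)}


def sign_message(signer: str, body: str, chain: list) -> dict:
    """The acting party signs body + assertion chain (the X509 Token Profile signature)."""
    return {"body": body, "assertions": chain, "signer": signer,
            "signature": _sign(signer, {"body": body, "assertions": chain})}


def verify_message(msg: dict, original_principal: str):
    """Walk the chain from the original principal to the signer, checking each link."""
    chain = msg["assertions"]
    if not chain:
        return False, "no delegation assertion"
    prev_holder, prev_right = original_principal, "Full"
    for a in chain:
        payload = {k: v for k, v in a.items() if k != "signature"}
        if a["issuer"] != prev_holder:
            return False, f"assertion issued by {a['issuer']}, expected {prev_holder}"
        if prev_right != "Full":
            return False, f"{a['issuer']} holds only End Entity right and cannot delegate"
        if a["right"] not in RIGHT_RANK or RIGHT_RANK[a["right"]] > RIGHT_RANK[prev_right]:
            return False, "unknown or escalated right"
        if a["delegation"] != original_principal:
            return False, "assertion does not delegate the original principal"
        if a["issuer"] not in KEYS or not hmac.compare_digest(_sign(a["issuer"], payload), a["signature"]):
            return False, f"bad signature on assertion from {a['issuer']}"
        prev_holder, prev_right = a["holder_key"], a["right"]
    if msg["signer"] != prev_holder:
        return False, "message signer is not the holder of the last assertion"
    if msg["signer"] not in KEYS or not hmac.compare_digest(
            _sign(msg["signer"], {"body": msg["body"], "assertions": chain}), msg["signature"]):
        return False, "bad message signature"
    return True, f"{msg['signer']} acts for {original_principal} with right {prev_right}"


def demo():
    """Constructed scenario: direct chain, indirect chain, then three ways a chain can fail."""
    direct = [issue_assertion("Bob", "Superscheduler", "Bob", "Full")]
    indirect = direct + [issue_assertion("Superscheduler", "Broker", "Bob", "End Entity")]
    results = [
        verify_message(sign_message("Superscheduler", "Please schedule my jobs", direct), "Bob"),
        verify_message(sign_message("Broker", "Please run my job", indirect), "Bob"),
    ]
    # Broker holds only End Entity right yet tries to pass Bob's authority on to Archiver.
    too_far = indirect + [issue_assertion("Broker", "Archiver", "Bob", "End Entity")]
    results.append(verify_message(sign_message("Archiver", "Please save my file", too_far), "Bob"))
    # Broker rewrites its own assertion to claim Full; Superscheduler's signature no longer matches.
    tampered = [direct[0], {**indirect[1], "right": "Full"}]
    results.append(verify_message(sign_message("Broker", "Please run my job", tampered), "Bob"))
    # Superscheduler signs while presenting the chain whose last holder is Broker.
    results.append(verify_message(sign_message("Superscheduler", "Please run my job", indirect), "Bob"))
    return [ok for ok, _reason in results]


if __name__ == "__main__":
    for ok, reason in [verify_message(sign_message("Superscheduler", "Please schedule my jobs",
                       [issue_assertion("Bob", "Superscheduler", "Bob", "Full")]), "Bob")]:
        print(ok, reason)
```

The order of checks matters: the issuer/holder linkage and the right of the previous holder are tested before any signature, so a structurally invalid chain is rejected without spending a signature verification on it, and the message signature is checked last, once the chain has established who is allowed to be the signer.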

Summary
- April 2002: much optimism with the “IBM/MS Security Roadmap”
- Emergence of standardized boxes slower than expected
- Community appears to be converging, but some aspects not clear: XACML/SAML, XACML/WS-SecurityPolicy, Delegation
- Many challenges
- Interop will not come directly from standards (see WS-I)