XML Security Standards — Overview for the Non-Specialist Hal Lockhart Office of the CTO BEA Systems.


Topics
- Security Introduction
- Preliminary work at W3C
- SAML
- XACML
- Digital Signature Services
- WS-Security
- WS-SecureConversation, WS-Trust & WS-SecurityPolicy
- Interdependencies

Information Security Definition
- Technologies and procedures intended to implement organizational policy in spite of human efforts to the contrary.
- Suggested by Authorization
- Applies to all security services
- Protection against accidents is incidental
- Suggests four areas of attention

Information Security Areas
- Policy determination
  - Expression: code, permissions, ACLs, Language
  - Evaluation: semantics, architecture, performance
- Policy enforcement
  - Maintain integrity of Trusted Computing Base (TCB)
  - Enforce variable policy

Security Services
- Authentication – confirm asserted identity
- Authorization – permit or deny a request
- Integrity – prevent undetected modification of data
- Confidentiality – prevent unauthorized reading of data
- Audit – preserve evidence for accountability
- Administration – control configuration
- Others …


W3C Security Recommendations
- Widespread use of XML – need for integrity & confidentiality
- XML Digital Signature WG (1999 to 2002)
  - Defines rules to sign XML and record parameters and signature value
  - Support all technologies in common use
  - Key problem: Immaterial changes to XML documents
  - Solution: Canonicalization
- XML Encryption WG (2001 and 2002)
  - Defines rules to encrypt XML and record parameters
  - Support all technologies in common use
  - Key problem: Encrypted data not Schema-valid
  - Solution: None


SAML Background
- Web Single Signon
  - Web is stateless – very inconvenient for security
  - Use of Web Server Farms
  - User inconvenience, performance and risk, multiple repositories
- Federated Identity
  - Federation – independent entities maintain user info
  - The alternative is centralization – impractical
  - The way the world works
  - Requires agreed formats and protocols (standards)

SAML Key Ingredients for Standardization
- Web Access Management Vendors
  - Already solved the problem using proprietary methods (multiple times)
  - Broad agreement on requirements and solutions
- Marketplace
  - Large scale projects would require standards
  - Rising tide theory
  - Willingness to standardize
- Random Factors
  - XML becoming fashionable
  - OASIS offered favorable environment (SAML became the first security-related TC at OASIS)

SAML Timeline
- SAML 1.0 – Completed: May 2002; OASIS Standard: November 2002
- Nov 2002: SAML wins PC Magazine Technology Excellence Award
- Liberty 1.1 – Completed: Jan 2003
- SAML 1.1 – Completed: May 2003; OASIS Standard: September 2003
- Shibboleth OpenSAML 1.0 – Completed: June 2003
- Shibboleth OpenSAML 1.1 – Completed: August 2003
- Oct 2003: SSTC receives Digital ID World “Balancing Innovation & Reality” award
- Liberty ID-FF 1.2 – Completed: Oct 2003
- SAML 2.0 – Completed: January 2005; OASIS Standard: March 2005

SAML assertions
- Assertions are declarations of fact, according to someone
- SAML assertions are compounds of one or more of three kinds of “statement” about a “subject” (human or program):
  - Authentication
  - Attribute
  - Authorization decision
- You can extend SAML to make your own kinds of assertions and statements
- Assertions can be digitally signed

SAML protocol for getting assertions

SAML Standards Dependencies
- Uses XML Signature to protect assertions from modification
- Uses XML Encryption to protect privacy when assertions are stored
- Uses SSL and WS-Security to protect assertions on the wire
- Is used by WS-Security to identify users and keys
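The two slides above make the same point from both sides: XML Signature protects an assertion from modification, and it can only do so reliably because the signer and the verifier hash a canonical form rather than the raw bytes, since intermediaries routinely re-serialize XML without changing its meaning. The following is an added illustration, not code from the presentation or from any SAML implementation. It uses Python's standard-library Canonical XML implementation (xml.etree.ElementTree.canonicalize, available from Python 3.8), a constructed SAML-like assertion under a made-up namespace, and a SHA-256 digest standing in for the DigestValue of a signature Reference; no signing key is involved, only the digest step that canonicalization protects.

```python
"""Why XML Signature needs canonicalization: the signer and the verifier must
hash identical bytes even after the XML between them has been re-serialized.
Added illustration; the assertion snippets are constructed, not real traffic."""
import hashlib
import hmac
import xml.etree.ElementTree as ET


def canonical(xml_text: str) -> str:
    """Serialize the document in Canonical XML form: attributes sorted,
    quotes normalized, empty elements spelled out, namespace declarations
    emitted first. Equivalent infosets yield identical strings."""
    return ET.canonicalize(xml_data=xml_text)


def digest(xml_text: str) -> str:
    """SHA-256 over the canonical bytes, the way a <Reference> DigestValue
    is computed over a canonicalized node set."""
    return hashlib.sha256(canonical(xml_text).encode("utf-8")).hexdigest()


# The document as the issuer signed it (constructed, minimal SAML-like
# assertion carrying an authentication statement and an attribute statement).
SIGNED_FORM = (
    '<Assertion xmlns="urn:example:saml" ID="a-1" Version="2.0">'
    '<Subject>alice</Subject>'
    '<AuthnStatement AuthnInstant="2006-11-01T09:00:00Z"/>'
    '<AttributeStatement><Attribute Name="role">auditor</Attribute></AttributeStatement>'
    '</Assertion>'
)

# The same infoset after an intermediary re-serialized it: attribute order
# changed, single quotes, extra whitespace inside the start tag, the empty
# element written with an explicit end tag. None of this alters the meaning,
# yet a byte-for-byte hash of the two strings would differ.
RESERIALIZED_FORM = (
    "<Assertion Version='2.0'   ID='a-1' xmlns='urn:example:saml' >"
    "<Subject>alice</Subject>"
    "<AuthnStatement AuthnInstant='2006-11-01T09:00:00Z'></AuthnStatement>"
    "<AttributeStatement><Attribute Name='role'>auditor</Attribute></AttributeStatement>"
    "</Assertion>"
)

# A material change: the attribute value was tampered with in transit.
TAMPERED_FORM = RESERIALIZED_FORM.replace("auditor", "administrator")


def verify_reference(expected_digest: str, received_xml: str) -> bool:
    """What a verifier does with one <Reference>: canonicalize what it
    received and compare the digest with the one the signer recorded."""
    return hmac.compare_digest(expected_digest, digest(received_xml))


if __name__ == "__main__":
    recorded = digest(SIGNED_FORM)
    print("raw bytes equal:    ", SIGNED_FORM == RESERIALIZED_FORM)
    print("canonical equal:    ", canonical(SIGNED_FORM) == canonical(RESERIALIZED_FORM))
    print("reserialized passes:", verify_reference(recorded, RESERIALIZED_FORM))
    print("tampered passes:    ", verify_reference(recorded, TAMPERED_FORM))
```

The reserialized copy passes and the tampered copy fails, which is exactly the property the slide summarizes as "Key problem: immaterial changes; Solution: canonicalization". Note that canonicalization deliberately does not remove whitespace text nodes between elements, so a re-serializer that adds pretty-printing does change the digest; XML Signature deals with that through transforms, which this example leaves out.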

Current Work
- Sticking with SAML 2.0 to drive adoption
- Profiles reviewed or under review
  - Metadata Extension for Query Requesters
  - Protocol Extensions for Third-Party Requests
  - Attribute Sharing Profile for X.509 Authentication Based Systems
  - XPath Attribute Profile
  - SAML V1.x Metadata Profile
  - Shared Credentials Profiles
  - Text-based Challenge Response
  - HTTP POST “SimpleSign” Binding
- SAML 2.0 -> ITU-T Recommendation X.1141


XACML TC Charter
- Define a core XML schema for representing authorization and entitlement policies
- Target – any object – referenced using XML
- Fine grained control, characteristics – access requestor, protocol, classes of activities, and content introspection
- Consistent with and building upon SAML

XACML TC History
- First Meeting – 21 May 2001
- XACML OASIS Standard – 6 February 2003
- XACML 1.1 – Committee Specification – 7 August 2003
- XACML 2.0 – OASIS Standard – 1 February 2005
- XACML 2.0 – ITU-T Recommendation X.1142

Policy Examples
- “Anyone can view their own 401K information, but nobody else’s”
- “The print formatting service can access printers and temporary storage on behalf of any user with the print attribute”
- “The primary physician can have any of her patients’ medical records sent to a specialist in the same practice.”
- “Anyone can use web servers with the ‘spare’ property between 12:00 AM and 4:00 AM”
- “Salespeople can create orders, but if the total cost is greater than $1M, a supervisor must approve”

XACML Objectives
- Ability to locate policies in distributed environment
- Ability to federate administration of policies about the same resource
- Base decisions on wide range of inputs
  - Multiple subjects, resource properties
- Decision expressions of unlimited complexity
- Ability to do policy-based delegation
- Usable in many different environments
  - Types of Resources, Subjects, Actions
  - Policy location and combination

Novel XACML Features
- Large Scale Environment
  - Subjects, Resources, Attributes, etc. need not exist or be known at Policy Creation time
  - Multiple Administrators – potentially conflicting policy results
  - Combining algorithms
- Request centric
  - Use any information available at access request time
  - Zero, one or more Subjects
  - No invented concepts (privilege, role, etc.)
- Dynamically bound to request
  - Not limited to Resource binding
  - Only tell what policies apply in context of Request
  - Two stage evaluation
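The policy examples and the "Novel XACML Features" slide describe the evaluation model in words: rules written by different administrators are evaluated against the attributes present in a request context, and a combining algorithm resolves conflicting results. The following is an added illustration, not the presentation's material and not XACML's XML syntax. It models rules and requests as plain Python objects (Rule, request, RULES and the combining functions are all hypothetical names), implements three rule-combining algorithms with a simplified ordering of the Indeterminate cases relative to the specification, and encodes two of the slide's policy sentences (own 401K information; spare web servers between 12:00 AM and 4:00 AM) plus a constructed third rule from a second administrator to show a conflict.

```python
"""Toy XACML-style evaluation: rules over a request context, combined by
deny-overrides, permit-overrides and first-applicable. Added illustration
with simplified Indeterminate handling; not XACML's schema or an engine."""
from dataclasses import dataclass
from typing import Callable, Optional

PERMIT, DENY = "Permit", "Deny"
NOT_APPLICABLE, INDETERMINATE = "NotApplicable", "Indeterminate"

# Request context: attribute category -> attribute id -> value.
Request = dict


@dataclass
class Rule:
    rule_id: str
    effect: str                                   # PERMIT or DENY
    target: Callable[[Request], bool]             # cheap applicability test
    condition: Optional[Callable[[Request], bool]] = None  # full predicate

    def evaluate(self, req: Request) -> str:
        try:
            if not self.target(req):
                return NOT_APPLICABLE
            if self.condition is not None and not self.condition(req):
                return NOT_APPLICABLE
            return self.effect
        except KeyError:
            # A referenced attribute is absent from the context. XACML reports
            # Indeterminate instead of guessing; the combiner decides what
            # that means for the overall decision.
            return INDETERMINATE


def deny_overrides(results):
    # One Deny wins regardless of how many Permits exist (simplified:
    # Deny > Indeterminate > Permit > NotApplicable).
    for verdict in (DENY, INDETERMINATE, PERMIT):
        if verdict in results:
            return verdict
    return NOT_APPLICABLE


def permit_overrides(results):
    # Mirror image: one Permit wins over any Deny.
    for verdict in (PERMIT, INDETERMINATE, DENY):
        if verdict in results:
            return verdict
    return NOT_APPLICABLE


def first_applicable(results):
    # Rule order matters: the first rule that says anything decides.
    for verdict in results:
        if verdict != NOT_APPLICABLE:
            return verdict
    return NOT_APPLICABLE


def decide(rules, req: Request, combine) -> str:
    return combine([rule.evaluate(req) for rule in rules])


def is_401k_view(req: Request) -> bool:
    return req["resource"]["type"] == "401k" and req["action"]["id"] == "view"


RULES = [
    # "Anyone can view their own 401K information, but nobody else's"
    Rule("own-401k", PERMIT, is_401k_view,
         lambda r: r["subject"]["id"] == r["resource"]["owner"]),
    Rule("others-401k", DENY, is_401k_view,
         lambda r: r["subject"]["id"] != r["resource"]["owner"]),
    # Constructed rule from a second administrator; conflicts with the one above.
    Rule("auditor-401k", PERMIT, is_401k_view,
         lambda r: r["subject"].get("role") == "auditor"),
    # "Anyone can use web servers with the 'spare' property between 12:00 AM
    # and 4:00 AM": decided on an environment attribute known only at request
    # time. "HH:MM" strings compare correctly as text.
    Rule("spare-web-servers", PERMIT,
         lambda r: r["resource"]["type"] == "webserver"
         and "spare" in r["resource"].get("properties", ()),
         lambda r: "00:00" <= r["environment"]["current-time"] < "04:00"),
]


def request(subject, resource, action, environment=None) -> Request:
    """Build a request context; environment attributes are optional."""
    return {"subject": subject, "resource": resource,
            "action": {"id": action}, "environment": environment or {}}


if __name__ == "__main__":
    auditor_on_bob = request({"id": "carol", "role": "auditor"},
                             {"type": "401k", "owner": "bob"}, "view")
    for combine in (deny_overrides, permit_overrides, first_applicable):
        print(combine.__name__, decide(RULES, auditor_on_bob, combine))
```

The auditor request is the interesting one: the same four rule results (NotApplicable, Deny, Permit, NotApplicable) come out as Deny under deny-overrides, Permit under permit-overrides and Deny under first-applicable, which is why a policy set must name its combining algorithm explicitly. A web-server request that omits the current-time attribute yields Indeterminate rather than a silent Permit or Deny, the behaviour a PEP should treat as a denial.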

Request and Response Context

XACML Profiles
- Digital Signature – Integrity protection of Policies
- Hierarchical Resources – Using XACML to protect files, directory entries, web pages
- Privacy – Determine “purpose” of access
- RBAC – Support ANSI RBAC Profile with XACML
- SAML Integration
  - XACML-based decision request
  - Fetch applicable policies
  - Attribute alignment

XACML Standards Dependencies
- XACML uses SAML assertion structure and protocols to protect and distribute policies, therefore it:
  - Uses XML Signature to protect assertions from modification
  - Uses XML Encryption to protect privacy when assertions are stored
  - Uses SSL and WS-Security to protect assertions on the wire
- XACML is also referenced by a number of other specifications as the access control mechanism

XACML Version 3.0
- Administrative policies – “HR-Admins can create policies concerning the Payroll servers”
- Policy delegation – “Jack can approve expenses while Mary is on vacation”
- Policy provisioning
- Enhanced Obligation processing
- Policy queries
- Revocation


Digital Signature Services (DSS)
- Web Service to create / verify signatures & timestamps on behalf of users
- Complexities & security issues of key management etc. taken away from the user
- Supports range of signature formats including:
  - W3C XML Signatures
  - CMS (RFC 3852) Signatures
  - RFC 3161 Timestamps
- Intended primarily where signatures have lasting significance
  - Electronic Commerce
  - Aligned with legal requirements in various venues

DSS Specifications
- Core – Generic protocol and core features
- Profiles – Selects options from Core and extends if necessary
- Current DSS profiles
  - Time-stamping
  - Asynchronous operation
  - Code signing
  - Entity seal
  - Electronic Post Mark
  - German signature law
  - Advanced electronic signature
  - Signature gateway

DSS Status
- Core at 3rd CD takes into account
  - Interoperability trials
  - Feedback from implementers within & outside group
- Profiles updated to align with 3rd CD
- Currently in public review
- To be followed by OASIS Standard vote


WS-Security Overview
- Basic SOAP Message Protection
  - Signatures, Encryption, Timestamps
- Multiple token types
  - Username, X.509, Kerberos, SAML, REL
- Token References

Web Services Security History
- Submitted to OASIS September 2002
- Interoperability testing began Summer 2003
- OASIS Standard – April 2004
  - Core Specification + Username and X.509 Profiles
- SAML & REL Profiles OASIS Standard – December 2004
- Public Interoperability Demo – April 2005
- WSS 1.1 – OASIS Standard February 2006
  - Includes Attachments & Kerberos
- Formal WSS 1.1 Errata approved November 2006
- Vote to Close TC
- WS-I Basic Security Profile 1.0 & 1.1


WS-SX Overview
- Three new security specifications building on WS-Security
  - WS-Trust – Mechanisms to issue tokens and associated keys
  - WS-SecureConversation – Allows establishment of secure session (think SSL for SOAP)
  - WS-SecurityPolicy – Allows Web Service to express Security Policies

WS-SX TC History
- New TC formed December 2005
- Under new IPR policy (RF-RAND)
- Privately published specifications
  - Substantial interop & review of WS-SC & WS-Trust prior to TC start
  - WS-SP is much less mature

WS-SX Currently
- Charter goal: complete in 18 months
- 2nd F2F Meeting held in April 2006
- Weekly con calls
- Interop testing of WS-SecureConversation & WS-Trust over summer
  - 60 day Public Review complete Dec 2
- Interop of WS-SecurityPolicy underway
  - Public review this winter
- Submission to OASIS for vote as a Standard
- Security Policy Use cases also under development


Security Standards Interdependencies (dependency diagram; the specifications shown, from the foundations upward)
- XML Encryption
- XML Digital Signature
- DSS
- XACML
- SAML
- WSS
- WS-Trust
- WS-SecureConversation
- WS-SecurityPolicy

Questions?