Web Services and the Semantic Web: Open Discussion Session Diana Geangalau Ryan Layfield.

OASIS
- Web Services are a way of implementing service-oriented architecture
- Supposed to be Internet-based
- XML-oriented
- More than just connecting web pages
  - There must be structure behind them
  - Self-contained (i.e. self-describing)
- What was the original intention of it?
- How do they treat the security issues in service-oriented architecture?
- Helps to resolve contradicting standards among multiple needs

OASIS
- WS-Security: enhancements to SOAP messaging to provide message integrity and confidentiality
- Requirements:
  - Multiple security token formats
  - Multiple trust domains
  - Multiple signature formats
  - Multiple encryption technologies
  - End-to-end message content security, not just transport-level security

OASIS
- Concepts
  - Security Tokens
  - Signatures
- Security Concerns
  - Confidentiality: Encryption
  - Integrity: Signature
- Policy Definition Location

OASIS
- Signatures
  - Provide a way for the recipients to verify the integrity of the message
  - Sign the important parts of the message
  - Used to verify whether the policies of a security token apply to the sender

OASIS
- Is the security policy specified only once?
- R: No. The security policy can be targeted at the destination as well as at any intermediary, so it can be present several times in the SOAP message, once for each target (multiple headers).

OASIS
- Can you have multiple signatures attached to a message?
- R: Yes. Multiple signatures can reference different or overlapping parts of the message; the reason is that in distributed applications messages usually go through multiple processing stages (workflow).

OASIS
- Can you see the issues involved with multiple processing stages?
- R: There are issues with signatures over important parts of the message that need to be legitimately altered during the various stages of processing.
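The three signature slides above describe signing selected parts of a SOAP message, attaching more than one signature over different or overlapping parts, and the workflow problem when a signed part is later changed. The following is an added example, not code from the slides or from any OASIS specification; it uses a simplified stand-in for XML-DSig (element re-serialisation instead of C14N canonicalization, HMAC instead of an X.509 signature) so that it runs with the Python standard library alone. The SOAP envelope, the `wsu:Id` values and the keys are constructed for the example.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed sample SOAP envelope (not from the original slides). Elements carry
# wsu:Id attributes so that a signature can reference exactly the parts it covers.
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
ET.register_namespace("soap", SOAP_NS)
ET.register_namespace("wsu", WSU_NS)

SAMPLE_ENVELOPE = f"""<soap:Envelope xmlns:soap="{SOAP_NS}" xmlns:wsu="{WSU_NS}">
  <soap:Header>
    <wsu:Timestamp wsu:Id="ts">
      <wsu:Created>2006-10-01T12:00:00Z</wsu:Created>
    </wsu:Timestamp>
  </soap:Header>
  <soap:Body wsu:Id="body">
    <PlaceOrder><Item>widget</Item><Quantity>3</Quantity></PlaceOrder>
  </soap:Body>
</soap:Envelope>"""

# Constructed shared secrets; real WS-Security uses X.509 keys via XML-DSig.
SENDER_KEY = b"sender-shared-secret"
INTERMEDIARY_KEY = b"intermediary-shared-secret"


def _element_by_id(root, wsu_id):
    for el in root.iter():
        if el.get(f"{{{WSU_NS}}}Id") == wsu_id:
            return el
    raise KeyError(wsu_id)


def _digest(el):
    # Stand-in for XML canonicalization (C14N): re-serialise the element and hash it.
    return hashlib.sha256(ET.tostring(el, encoding="utf-8")).hexdigest()


def sign_parts(root, part_ids, key):
    """Detached signature over the named parts: one digest per referenced part plus an
    HMAC over the list, mirroring XML-DSig's Reference/DigestValue + SignatureValue."""
    refs = {pid: _digest(_element_by_id(root, pid)) for pid in part_ids}
    signed_info = "|".join(f"{pid}={d}" for pid, d in sorted(refs.items()))
    mac = hmac.new(key, signed_info.encode(), hashlib.sha256).hexdigest()
    return {"refs": refs, "mac": mac}


def verify_signature(root, sig, key):
    """Recompute the digests of the referenced parts and check the HMAC. Parts that
    are not referenced may change freely without affecting the result."""
    try:
        refs = {pid: _digest(_element_by_id(root, pid)) for pid in sig["refs"]}
    except KeyError:
        return False  # a referenced part was removed
    signed_info = "|".join(f"{pid}={d}" for pid, d in sorted(refs.items()))
    expected = hmac.new(key, signed_info.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig["mac"])


def workflow_demo():
    """Walk a message through processing stages and report which signatures hold."""
    root = ET.fromstring(SAMPLE_ENVELOPE)
    results = {}

    # Stage 1: the sender signs the body and the timestamp.
    sender_sig = sign_parts(root, ["body", "ts"], SENDER_KEY)

    # Stage 2: an intermediary adds its own routing header (not covered by the
    # sender's signature) and signs an overlapping set: its header plus the body.
    header = root.find(f"{{{SOAP_NS}}}Header")
    routing = ET.SubElement(header, "Routing", {f"{{{WSU_NS}}}Id": "route"})
    routing.text = "warehouse-east"
    intermediary_sig = sign_parts(root, ["route", "body"], INTERMEDIARY_KEY)
    results["sender_sig_after_header_added"] = verify_signature(root, sender_sig, SENDER_KEY)
    results["intermediary_sig"] = verify_signature(root, intermediary_sig, INTERMEDIARY_KEY)

    # Stage 3: a later stage "legitimately" changes the body (the workflow problem
    # the slide raises): every signature that referenced the body now fails.
    qty = root.find(f".//{{{SOAP_NS}}}Body/PlaceOrder/Quantity")
    qty.text = "4"
    results["sender_sig_after_body_change"] = verify_signature(root, sender_sig, SENDER_KEY)
    results["intermediary_sig_after_body_change"] = verify_signature(root, intermediary_sig, INTERMEDIARY_KEY)
    return results


if __name__ == "__main__":
    for name, ok in workflow_demo().items():
        print(f"{name}: {'valid' if ok else 'INVALID'}")
```

The run shows both sides of the slide's point: adding an unsigned header leaves the sender's signature intact, because a signature binds only the parts it references, while any edit to a referenced part invalidates every signature over it, so a workflow that must alter the body has to either leave that part out of the signature or have the altering stage re-sign it.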

OASIS
- Encryption
  - Can encrypt header blocks, body blocks, or parts of them
  - Common symmetric key shared by the sender and the receiver
  - Encrypted symmetric key carried inside the message

OASIS
- Can you have overlapping encryption for parts of a message? Why? In which order should they be encrypted?
- R: Yes, because decryption might be done at different stages of processing. The order has to be predefined by prior agreement.

OASIS
- Can you think what "freshness" of security semantics means?
- R: If security semantics are "old", they might be ignored by the receiver. Time references need to be specified, but the specification does not provide a mechanism for synchronizing time.

OASIS
- Where would you specify the time references?
- R: XML Schema (web services are XML based).
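The two freshness slides say that a receiver may ignore "old" security semantics and that WS-Security gives no way to synchronise clocks. The following added example (not code from the slides or from the specification) shows what a receiver can do about that: accept a `wsu:Created`/`wsu:Expires` pair only within a bounded clock-skew tolerance, treat messages without `Expires` as stale after a fixed age, and keep a nonce cache so that a captured message cannot be accepted twice. The skew and age limits, the nonce cache and the sample timestamps are assumptions chosen for the example.

```python
from datetime import datetime, timedelta, timezone

# Tolerance for unsynchronised clocks (the slide notes WS-Security provides no
# synchronisation mechanism). Assumed values; tune per deployment.
MAX_CLOCK_SKEW = timedelta(minutes=5)
# Messages with no Expires element are treated as stale after this age.
MAX_MESSAGE_AGE = timedelta(minutes=5)


def parse_utc(value):
    """Parse an xsd:dateTime in the UTC 'Z' form used by wsu:Created / wsu:Expires."""
    if not value.endswith("Z"):
        raise ValueError("timestamps must be UTC ('Z') to be comparable")
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


class FreshnessChecker:
    """Receiver-side check: reject stale, future-dated or replayed messages."""

    def __init__(self, now=None):
        self._seen = {}  # nonce -> time after which the entry can be forgotten
        self._now = now or (lambda: datetime.now(timezone.utc))

    def check(self, created, expires=None, nonce=None):
        now = self._now()
        c = parse_utc(created)
        if c > now + MAX_CLOCK_SKEW:
            return False, "Created is in the future beyond the skew tolerance"
        if expires is not None:
            e = parse_utc(expires)
            if e <= c:
                return False, "Expires must be after Created"
            if e < now - MAX_CLOCK_SKEW:
                return False, "message has expired"
            deadline = e
        else:
            if c < now - MAX_MESSAGE_AGE - MAX_CLOCK_SKEW:
                return False, "message is older than the allowed age"
            deadline = c + MAX_MESSAGE_AGE
        if nonce is not None:
            self._purge(now)
            if nonce in self._seen:
                return False, "nonce already seen (replay)"
            # Remember the nonce for as long as the message itself could be accepted.
            self._seen[nonce] = deadline + MAX_CLOCK_SKEW
        return True, "fresh"

    def _purge(self, now):
        # Drop nonces of messages that could no longer be accepted anyway.
        self._seen = {n: d for n, d in self._seen.items() if d >= now}


def demo():
    """Exercise the checker against a fixed receiver clock (constructed inputs)."""
    fixed_now = datetime(2006, 10, 1, 12, 0, 0, tzinfo=timezone.utc)
    checker = FreshnessChecker(now=lambda: fixed_now)
    return {
        "fresh": checker.check("2006-10-01T11:58:00Z", "2006-10-01T12:03:00Z", nonce="n1")[0],
        "replay": checker.check("2006-10-01T11:58:00Z", "2006-10-01T12:03:00Z", nonce="n1")[0],
        "expired": checker.check("2006-10-01T11:00:00Z", "2006-10-01T11:05:00Z", nonce="n2")[0],
        "slight_skew": checker.check("2006-10-01T12:03:00Z", nonce="n3")[0],
        "far_future": checker.check("2006-10-01T12:30:00Z", nonce="n4")[0],
        "stale_no_expires": checker.check("2006-10-01T11:40:00Z", nonce="n5")[0],
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

The skew window is the practical answer to the missing synchronisation mechanism: a sender whose clock is a few minutes ahead is still accepted, one that is half an hour ahead is not, and the nonce cache only has to remember entries for the length of that window plus the message's own lifetime.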

SAML
- Security Assertion Markup Language
- Designed to provide a single point of authorization
- Aims to "solve the web single sign-on" problem
- One identity provider in the group allows access
- Public/private key foundation
- Competitors
  - Microsoft Passport
  - OpenID (VeriSign)
  - Global Login System (open source)

SAML
- Three main components (from tip/1,289483,sid26_gci818643,00.html):
  - Assertions: SAML has three kinds of assertions. Authentication assertions state that the user has proven his identity. Attribute assertions contain specific information about the user, such as his spending limits. Authorization decision assertions identify what the user can do, for example whether he can buy an item.
  - Protocol: defines the way SAML asks for and gets assertions, for example using SOAP over HTTP for now, although other methods may be used in the future.
  - Binding: details exactly how SAML message exchanges are mapped into SOAP exchanges.
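To make the three assertion kinds concrete, here is an added example (not code from the slides or from OpenSAML) that parses a constructed SAML 2.0 assertion carrying an authentication statement, an attribute statement with a spending limit, and an authorization decision statement about buying an item, and then applies the checks a relying party must make before trusting any of them: trusted issuer, validity window, audience. The issuer, entity IDs, attribute names and action namespace are constructed for the example, and the XML-DSig signature check that must precede these checks in a real consumer is deliberately left out.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Constructed sample assertion (not from the slides or any real identity provider).
# The ds:Signature element is omitted: a real consumer verifies it before anything else.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_a1" Version="2.0"
    IssueInstant="2006-10-01T12:00:00Z">
  <saml:Issuer>https://idp.example.edu/saml</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2006-10-01T11:59:00Z" NotOnOrAfter="2006-10-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://shop.example.com/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2006-10-01T11:59:30Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="spendingLimit"><saml:AttributeValue>500</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="role"><saml:AttributeValue>buyer</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
  <saml:AuthzDecisionStatement Resource="https://shop.example.com/items/42" Decision="Permit">
    <saml:Action Namespace="urn:example:shop:actions">Buy</saml:Action>
  </saml:AuthzDecisionStatement>
</saml:Assertion>"""


def _utc(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_assertion(xml_text):
    """Pull the issuer, conditions and the three statement kinds out of an assertion."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        raise ValueError("not a SAML 2.0 Assertion")
    cond = root.find("saml:Conditions", NS)
    cond_attrs = cond.attrib if cond is not None else {}
    return {
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "subject": root.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "not_before": cond_attrs.get("NotBefore"),
        "not_on_or_after": cond_attrs.get("NotOnOrAfter"),
        "audiences": [a.text for a in root.findall(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)],
        # Authentication assertions: when and how the subject authenticated.
        "authn": [s.get("AuthnInstant") for s in root.findall("saml:AuthnStatement", NS)],
        # Attribute assertions: facts about the subject, e.g. the spending limit.
        "attributes": {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
                       for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)},
        # Authorization decision assertions: (resource, decision, actions).
        "authz": [(s.get("Resource"), s.get("Decision"), [x.text for x in s.findall("saml:Action", NS)])
                  for s in root.findall("saml:AuthzDecisionStatement", NS)],
    }


def validate_assertion(parsed, trusted_issuers, my_entity_id, now_utc):
    """Conditions a relying party enforces before trusting any statement.
    now_utc is an xsd:dateTime string so callers can pin the clock."""
    now = _utc(now_utc)
    if parsed["issuer"] not in trusted_issuers:
        return False, "untrusted issuer"
    if parsed["not_before"] and now < _utc(parsed["not_before"]):
        return False, "assertion not yet valid"
    if parsed["not_on_or_after"] and now >= _utc(parsed["not_on_or_after"]):
        return False, "assertion expired"
    if parsed["audiences"] and my_entity_id not in parsed["audiences"]:
        return False, "assertion not intended for this audience"
    if not parsed["authn"]:
        return False, "no authentication statement"
    return True, "ok"


def can_buy(parsed, resource):
    """Consult the authorization decision statements for a Permit covering 'Buy'."""
    return any(res == resource and dec == "Permit" and "Buy" in acts
               for res, dec, acts in parsed["authz"])


if __name__ == "__main__":
    p = parse_assertion(SAMPLE_ASSERTION)
    print(validate_assertion(p, {"https://idp.example.edu/saml"},
                             "https://shop.example.com/sp", "2006-10-01T12:00:00Z"))
    print("spending limit:", p["attributes"]["spendingLimit"], "can buy item 42:",
          can_buy(p, "https://shop.example.com/items/42"))
```

The audience check is the one most often skipped in practice: without it, an assertion issued for one service provider can be replayed to another that trusts the same identity provider.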

SAML
- Do you think SOAP is an efficient platform for security?

SAML
- Are you comfortable knowing that part of your security implementation was written by the community? (Open source)

SAML
- How do you think we should handle multiple system types across a network? Do you think we need a new protocol to address this, or should SAML be expanded? (Federations)

SAML
- How do we deal with older systems that don't support this protocol alongside those that do?

SAML
- Outstanding Issues
  - Performance
    - No caching
    - Text-based transfer
    - Does not specify encryption (policies may be compromised)
    - Binary must be encoded in Base64
    - Must be implemented over HTTP via SOAP
  - Ownership
    - Sun developed a large amount of it (via OpenSAML)
    - Claims it will not assert ownership
    - What happens if they do?
  - Federations
    - Authentication protocols not specified
    - Multiple domains are an issue
    - SAML 2.0 is supposed to address this; will it be at the cost of becoming monolithic?
  - Legacy Applications
    - Very expensive to retro-fit

XACML
- eXtensible Access Control Markup Language
- Highlights (from OASIS):
  - Combines multiple rules into a single policy
  - Permits multiple users to have different roles
  - Provides separation between policy writing and the application environment
  - Ultimately standardizes access control languages

XACML
- Users interact with resources
- Every resource is protected by an entity known as a Policy Enforcement Point (PEP)
  - This is where the language is actually used
  - Does not actually determine access
- The PEP sends its request to a Policy Decision Point (PDP)
  - Policies may or may not actually be stored here
  - Has the final say on access
- The decision is relayed to the PEP, which then grants or denies access
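The two XACML slides describe rules combined into a policy and the PEP/PDP split in which the PEP never decides for itself. The following added example (not code from the slides or from Sun's XACML implementation) models that flow in Python: rules with Permit/Deny effects are combined into a policy by a combining algorithm, a PDP evaluates a request context of subject, resource and action attributes, and a PEP grants access only on an explicit Permit, failing closed on NotApplicable and Indeterminate. The policy, attribute names and requests are constructed for the example; the XML policy syntax is replaced by Python callables so the decision logic can be seen on its own.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = "Permit", "Deny", "NotApplicable", "Indeterminate"

# Request context: {"subject": {...}, "resource": {...}, "action": {...}}
Request = Dict[str, Dict[str, str]]


@dataclass
class Rule:
    rule_id: str
    effect: str                          # PERMIT or DENY
    condition: Callable[[Request], bool]

    def evaluate(self, req: Request) -> str:
        try:
            return self.effect if self.condition(req) else NOT_APPLICABLE
        except (KeyError, TypeError, ValueError):
            return INDETERMINATE         # missing/malformed attribute: report, never guess


@dataclass
class Policy:
    policy_id: str
    target: Callable[[Request], bool]    # which requests this policy applies to
    rules: List[Rule]
    combining: str = "deny-overrides"

    def evaluate(self, req: Request) -> str:
        if not self.target(req):
            return NOT_APPLICABLE
        return combine(self.combining, [r.evaluate(req) for r in self.rules])


def combine(algorithm: str, decisions: List[str]) -> str:
    """Combining algorithms resolve conflicts between rules (or between policies)."""
    if algorithm == "deny-overrides":
        for d in (DENY, INDETERMINATE, PERMIT):
            if d in decisions:
                return d
        return NOT_APPLICABLE
    if algorithm == "permit-overrides":
        for d in (PERMIT, INDETERMINATE, DENY):
            if d in decisions:
                return d
        return NOT_APPLICABLE
    if algorithm == "first-applicable":
        return next((d for d in decisions if d != NOT_APPLICABLE), NOT_APPLICABLE)
    raise ValueError(f"unknown combining algorithm: {algorithm}")


class PolicyDecisionPoint:
    """Holds the policies and has the final say; it does not touch the resource."""

    def __init__(self, policies: List[Policy], combining: str = "deny-overrides"):
        self.policies, self.combining = policies, combining

    def decide(self, req: Request) -> str:
        return combine(self.combining, [p.evaluate(req) for p in self.policies])


class PolicyEnforcementPoint:
    """Guards the resource; it forwards the request and enforces the answer, failing
    closed on anything other than an explicit Permit."""

    def __init__(self, pdp: PolicyDecisionPoint):
        self.pdp = pdp

    def access(self, req: Request) -> bool:
        return self.pdp.decide(req) == PERMIT


def build_pdp() -> PolicyDecisionPoint:
    """Constructed policy for 'order' resources (example data, not a real policy)."""
    orders = Policy("orders", target=lambda r: r["resource"]["type"] == "order", rules=[
        Rule("read-any-staff", PERMIT, lambda r: r["action"]["id"] == "read"
             and r["subject"]["role"] in ("buyer", "manager")),
        Rule("buy-within-limit", PERMIT, lambda r: r["action"]["id"] == "buy"
             and r["subject"]["role"] == "buyer"
             and int(r["resource"]["amount"]) <= int(r["subject"]["spending-limit"])),
        # Conflicts with buy-within-limit for a suspended buyer; deny-overrides wins.
        Rule("deny-suspended", DENY, lambda r: r["subject"].get("status") == "suspended"),
    ])
    return PolicyDecisionPoint([orders])


def make_request(role, action, amount, status="active", spending_limit="500", resource_type="order"):
    subject = {"role": role, "status": status}
    if spending_limit is not None:           # None simulates a missing attribute
        subject["spending-limit"] = spending_limit
    return {"subject": subject, "resource": {"type": resource_type, "amount": str(amount)},
            "action": {"id": action}}


if __name__ == "__main__":
    pep = PolicyEnforcementPoint(build_pdp())
    for label, req in [("buyer buys 200", make_request("buyer", "buy", 200)),
                       ("buyer buys 900", make_request("buyer", "buy", 900)),
                       ("suspended buyer buys 200", make_request("buyer", "buy", 200, status="suspended")),
                       ("buyer without limit attribute", make_request("buyer", "buy", 200, spending_limit=None))]:
        print(f"{label}: {pep.pdp.decide(req)} -> {'granted' if pep.access(req) else 'denied'}")
```

Two details matter for the discussion questions that follow. The PEP grants only on Permit, so a PDP that is unreachable, returns NotApplicable because no policy targets the resource, or returns Indeterminate because an attribute is missing all end in denial. And the combining algorithm is where conflicting rules or cross-referenced policies are reconciled: the suspended buyer matches a Permit rule and a Deny rule at once, and it is the algorithm, not rule order, that decides the outcome.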

XACML
- Do you think a system is more secure or less secure when it is distributed across multiple computers? What about a single system responsible for all?

XACML
- How would you feel if you were using work that a corporation gave on its word alone that it would never assert the rights to it?

XACML
- Should policies be self-contained, or is it OK for them to reference each other? Is cross-PDP communication safe?

XACML
- Outstanding Issues
  - Distributed Responsibility
    - What happens when the PEP is responsible for multiple objects?
    - What happens when we can compromise the PDP or spoof its communication?
    - How do we guarantee that we reference the right object?
    - While the system is distributed, a policy is still in only one location
  - Ownership
    - Contributors like Sun have again done work in this area
    - Same as with SAML
  - Policy Cross-Referencing
    - One policy may access another
    - Typical issues arise, as with inheritance and unions/intersections of related work
    - How do we deal with conflicts?

References
- Sun's XACML Documentation:
- OpenSAML:
- OASIS:
- Wikipedia's Entry on SAML:

Questions?