WS-Security TC Christopher Kaler Kelvin Lawrence.

Presentation transcript:

WS-Security TC Christopher Kaler Kelvin Lawrence

2 Agenda
- Context for WS-Security
- WS-Security Elements and Example
- TC Charter and Deliverables

3 Web Service Security Issues
Getting easier to build web services, but who is sending the messages?
Several approaches:
- SSL with username and password
- SSL with X.509 client certificates
- VPN with Kerberos
- XrML, SAML, ...
Challenges:
- Computational cost
- Inflexibility
- Firewalls
- Distributed management
- Hop-to-hop vs. end-to-end
(Diagram labels: Username/password; Client certificates, Smart Cards, ...; VPN)

4 Security and Web Services
Security in a Web Services World
- Safer: no exposure at intermediaries
- Interoperable: broad vendor support
  - Leverages XML Signature and XML Encryption
- Flexible: builds on web infrastructure
  - Works with HTTP, SMTP, and other transports
  - Works over firewalls, through the DB, ...
- Durable: security is available at the business request / application layer
- Higher performance and scalability
  - Supports both public and symmetric keys
  - Clients exchange security tokens and cache them
- Easier: a simple common approach for manageable authentication, authorization, and permissions

5 A Typical Challenge
(Diagram: Company A, Business Partners, Certification Partner, Web Service)
1. Run Application
2. Request Fails
3. Get Proof of Certification
4. Fax Certification
5. Approve

6 A WS-Security Solution
(Diagram: Company A, Business Partners, Certification Partner, Web Service)
1. Run Application
2. Get Proof of Certification
3. Request Succeeds

7 How Does it Work?
1. Security tokens assert claims
2. Web services have policies
3. A security token service is just a web service that issues security tokens

8 Security Tokens
Token formats: X.509, Kerberos, XrML, SAML, ...
Security tokens assert claims:
- Identity
- Keys
- Privileges, rights, capabilities
- Custom...

9 Policies
(Diagram: Policy; does the request have the correct security tokens?)
- Services have policies
- Policies describe the required claims
- Security tokens assert the claims

10 Security Token Service
(Diagram: Policy, Web Service, Security Token Service)
- A security token service issues security tokens
- It is just a web service
- A solution may require multiple token services

11 Agenda
- Context for WS-Security
- WS-Security Elements and Example
- TC Charter and Deliverables

12 New SOAP Elements
New (WS-Security):
- Header
Existing:
- XML Signature
- XML Encryption
- Token formats (e.g., X.509, Kerberos, XrML, SAML)

13 <Security>
- SOAP:actor is optional
- One header per actor
- All security information together
- Sub-elements are prepended
- Supports multiple signatures...

14 Elements In <Security>
- Including and referencing security tokens
- Signature
- Encryption Manifest
- Encrypted Attachments
- Other...

15 Simple Example
- Requesting a stock quote
- Security token indicates username
- Signature uses key generated from password

16 Simple Example (1 of 2)
(Listing lines (001)-(016); the XML markup was not preserved in the transcript. Surviving values:)
(007) uuid:84b9f5d0-33fb-4a81-b02b-5b760641c1d6
(011) Zoe

17 Simple Example (2 of 2)
(Listing lines (017)-(033); the XML markup was not preserved in the transcript. Surviving values:)
(019) LyLsF0Pi4wPU...
(022) DJbchm5gK...
(032) QQQ

18 Agenda
- Context for WS-Security
- WS-Security Elements and Example
- TC Charter and Deliverables

19 WS-Security TC Charter Continue work on the Web service security foundations published in the WS-Security specification and under the context of the Web Services Security roadmap

20 WS-Security TC Scope
- Using XML Signature to provide SOAP message integrity for Web services
- Using XML Encryption to provide SOAP message confidentiality for Web services
- Attaching and/or referencing security tokens in headers of SOAP messages
- Carrying security information for potentially multiple, designated actors
- Associating signatures with security tokens
- Representing specific forms of binary security tokens as defined in the WS-Security specification

21 WS-Security TC Deliverables
- Accept as input the Web Services Security (WS-Security) specification.
- Produce as output a specification for Web Services Security. This specification will reflect refinements and changes made to the submitted version of WS-Security that are identified by the WSS TC members for additional functionality within the scope of the TC charter.
- Liaise and/or forge relationships with other Web services efforts to assist in leveraging WS-Security as a part of their specifications or solutions.
- Coordinate with the chairs of the other OASIS security related groups via the Security Joint Coordination Committee.
- Oversee ongoing maintenance and errata of the WS-Security specification.

22 Questions