OGSA Security Profile 2.0 (a.k.a. Express Authentication Profile) DUANE MERRILL October 18, 2007.

Presentation transcript:

Presentation Overview
1. Goals & non-goals of the OGSA-SP
2. Motivation
3. Secure Addressing
4. Secure Transport
5. Secure SOAP
6. Questions

OGSA Security Profile 2.0 (a.k.a. Express Authentication Profile)
GOALS
1. Profile how to convey secure-communication requirements within EPRs
2. Define well-known, composable security policies for common security mechanisms
3. Provide minor mechanism clarifications and refinements as security mechanisms are adapted to Grid
4. Establish trustworthiness of EPRs (e.g., tamper-resistance via digital signature)

Intent
IS TO:
- Enable discovery of common security mechanisms
  - Or cleanly identify when interoperability is not possible
- Easily be extended to accommodate new mechanisms, credentials, etc.
IS NOT TO:
- Impose common security mechanisms
- Invent new security mechanisms
- Invent new languages for describing security mechanisms

Motivation
SECURITY: A system's ability to protect its assets
- Disclosure or theft of resources
- Modification (including destruction) of resources
- Resource service interruption
Crucial for OGSA/Grid adoption
- Participants require protection from undue risk
- Participants must meet legal requirements

First Steps: Protocol Interoperability
SOA Philosophy
- Presume nothing regarding service implementation
- Message format and endpoints are public knowledge
Security mechanisms affect message format
- What do I have to do to my messages to communicate?
- Message payloads defined by well-known, static service interfaces
- Diverse (and possibly dynamic) security action requirements for messages

Diverse Security Requirements
Credential requirements
- Users & resources tied to existing credential infrastructures (e.g., Kerberos, X.509 PKI, SAML, etc.)
- No lowest common denominator
- OGSA security model tasked with integration of these trust and security domains
Security action requirements
- Grid applications created via service composition
- Application-specific security requirements imposed on component services
  - E.g., ByteIO resources may have confidentiality requirements in some cases, not others

Why another mechanism for security requirement discovery?
- Attachment of WS-SecurityPolicy requirements to WSDL and UDDI
- WS-I Conformance Claim Attachment Mechanism to WSDL
Issues:
- WSDL not always fine-grained enough
- WSDL not always published
- Non-standardized conventions for locating WSDL
- Scope limited to interface/application

Why another mechanism for security requirement discovery? (Continued)
CaGrid exposes requirements through reflective service operations
- getSecurityMetadata()
- Chicken-before-egg problem
- Extra communication required
Liberty exposes requirements within EPRs
- urn:liberty:security: :ClientTLS:SAMLV2
- Not as expressive as WS-SecurityPolicy
- No means to communicate individual integrity/confidentiality requirements

Why EPRs?
- Grid utility is derived from the composition (often dynamic) of services
- EPRs extensively incorporated into core service interfaces, e.g.:
  - Notification (WS-Eventing)
  - Execution management (BES activity creation)
  - Directory services (RNS)
- EPRs are how services refer to and address each other
- EPRs serve as invocation contexts: everything one needs to know for communication

OGSA SP 2.0 Document Architecture
Multiple documents composed in a hierarchical, extensible fashion.
- OGSA-BSP Secure Addressing
  - Defines the general WS-SecurityPolicy attachment mechanism to EPRs
  - Profile EPR digital signature
- OGSA-SP Secure Transport
  - Defines well-known policies for de-facto transport-level secure communication configurations.
- OGSA-SP Secure SOAP Messaging
  - Defines analogous policies for de-facto message-level security mechanisms

Secure Addressing
- Idea: Apply WS-SecurityPolicy to the extensible portion of the EPR
- WS-SecurityPolicy:
  - Extension to WS-Policy framework
  - New OASIS standard
  - Grammar for asserting token types, cryptographic algorithms and mechanisms, including using transport level security

… urn:soapaction:* …

Secure Addressing (Cont.)
(Optional) Digital signing of EPRs:
- Extend WS-Addressing to profile a element as a child of the document
- Such a signature MUST cover the following elements:

Secure Transport
Defines secure transport bindings to be referenced by name:
- Server-authenticated TLS w/ Server Certificate
- Server-authenticated TLS w/o Server Certificate
- Mutually-authenticated TLS w/ Server Certificate
- Mutually-authenticated TLS w/o Server Certificate
If the Server Certificate is present, the Profile mandates hostname verification as per RFC 2818 – HTTP over TLS
TLS/SSL algorithm suites are restricted to those listed in WS-SecurityPolicy
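The RFC 2818 hostname check that the profile mandates for the "w/ Server Certificate" bindings, sketched as an added example (not code from the presentation or the OGSA documents). The certificate dictionaries are constructed samples in the shape returned by Python's `ssl.SSLSocket.getpeercert()`, and the function names are assumptions.

```python
import ipaddress

def _match_dns(pattern, host):
    """Label-by-label comparison of one certificate name against the host."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or p[1:] != h[1:]:
        return False                      # '*' never spans a dot
    if p[0] == "*":
        # Conservative choice (stricter than RFC 2818 allows): the wildcard
        # must be the whole leftmost label, above at least two fixed labels.
        return len(p) >= 3 and h[0] != ""
    return "*" not in p[0] and p[0] == h[0]

def verify_hostname(cert, host):
    """cert: dict shaped like ssl.SSLSocket.getpeercert() output."""
    san = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal must equal an iPAddress entry; DNS names never match it.
        return any(k == "IP Address" and ipaddress.ip_address(v) == ip
                   for k, v in san)
    dns_names = [v for k, v in san if k == "DNS"]
    if dns_names:
        # dNSName present: it is the identity, the Common Name is ignored.
        return any(_match_dns(n, host) for n in dns_names)
    # No dNSName: fall back to the most specific (last) Common Name.
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn
           if k == "commonName"]
    return bool(cns) and _match_dns(cns[-1], host)

# Constructed sample certificates (not taken from the presentation).
EPR_CERT = {"subject": ((("commonName", "legacy.example.org"),),),
            "subjectAltName": (("DNS", "*.grid.example.org"),
                               ("DNS", "bes.example.org"),
                               ("IP Address", "192.0.2.10"))}
CN_ONLY_CERT = {"subject": ((("commonName", "rns.example.org"),),)}

if __name__ == "__main__":
    for name in ("rns.grid.example.org", "a.b.grid.example.org",
                 "legacy.example.org", "192.0.2.10"):
        print(name, verify_hostname(EPR_CERT, name))
```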

TLS_RSA_WITH_AES_256_CBC_SHA
SSL_RSA_WITH_AES_256_CBC_SHA
Server-authenticated TLS w/o Server Cert Policy
Mutually-authenticated TLS w/o Server Cert Policy

Back to Secure Addressing
EPRs may also need to perform key distribution:
- Extra hostname-verification at the transport-level
- Message-level encryption
Want to embed tokens directly into the EPR, yet WS-SecurityPolicy does not provide for this
- Token assertions may contain a element to indicate the EPR of a location from which to obtain a token
Solution: extend WS-SecPol's token assertions to optionally contain an alternative
- We can put embedded tokens in tags within the document

<wsse:Reference URI='#RecipientTransportIdentity' ValueType=" /> Server-authenticated TLS w/ Server Cert Policy

Secure SOAP
Defines common secure message-level bindings to be referenced by name:
- Username-token (simple)
- Password-digest username-token (digest of password, timestamp, and nonce)
- X.509 Mutual authentication
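The password-digest binding relies on the WS-Security UsernameToken Profile formula Password_Digest = Base64(SHA-1(Nonce + Created + Password)). As an added example (not from the presentation), a receiving service can check such a token as follows; the five-minute freshness window, the in-memory nonce cache and the class and function names are assumptions.

```python
import base64, hashlib, hmac
from datetime import datetime, timedelta, timezone

FRESHNESS = timedelta(minutes=5)   # assumed acceptance window for Created

def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Base64(SHA-1(nonce + created + password)), nonce as decoded bytes."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")

class DigestVerifier:
    def __init__(self, passwords):
        self.passwords = passwords      # user -> shared password
        self.seen = {}                  # (user, nonce) -> Created time

    def verify(self, user, nonce_b64, created, digest_b64, now):
        secret = self.passwords.get(user)
        if secret is None:
            return "unknown-user"
        try:
            nonce = base64.b64decode(nonce_b64, validate=True)
            ts = datetime.strptime(created, "%Y-%m-%dT%H:%M:%SZ")
            ts = ts.replace(tzinfo=timezone.utc)
        except ValueError:
            return "malformed"
        if abs(now - ts) > FRESHNESS:
            return "stale"              # old captures are useless to replay
        # Drop cache entries that the freshness check would reject anyway.
        self.seen = {k: t for k, t in self.seen.items()
                     if abs(now - t) <= FRESHNESS}
        if (user, nonce) in self.seen:
            return "replay"             # same nonce inside the window
        expected = password_digest(nonce, created, secret)
        if not hmac.compare_digest(expected.encode(), digest_b64.encode()):
            return "bad-digest"
        self.seen[(user, nonce)] = ts   # remember only accepted tokens
        return "ok"

if __name__ == "__main__":
    # Constructed token values, not taken from the presentation.
    v = DigestVerifier({"alice": "constructed-password"})
    nonce, created = bytes(range(16)), "2007-10-18T12:00:00Z"
    now = datetime(2007, 10, 18, 12, 1, tzinfo=timezone.utc)
    token = (base64.b64encode(nonce).decode(), created,
             password_digest(nonce, created, "constructed-password"))
    print(v.verify("alice", *token, now), v.verify("alice", *token, now))
```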

<wsp:Policy wsu:Id=PasswordDigest
<wsp:Policy wsu:Id=UsernameToken
Username-Token Policy
Password-Digest Policy

[Policy listing, lines (01)-(22): Mutually-Authenticated X.509 Policy]

[Policy listing, lines (23)-(35), continued: Mutually-Authenticated X.509 Policy; line (29) is <wsse:Reference URI='#RecipientMessageIdentity ValueType="]

[Policy listing, lines (74)-(92), continued: Mutually-Authenticated X.509 Policy]

Specifying Additional Protection Policy...

Questions