Web Services Security Standards Overview for the Non-Specialist Hal Lockhart Office of the CTO BEA Systems.


Topics
- Web Services Security introduction
- Preliminary work at W3C
- WS-Security
- SAML
- WS-Trust
- WS-SecureConversation
- WS-SecurityPolicy
- WS-Federation
- Interdependencies

Information Security Definition
Technologies and procedures intended to implement organizational policy in spite of human efforts to the contrary.
- Suggested by authorization
- Applies to all security services
- Protection against accidents is incidental
- Suggests four areas of attention

Information Security Areas
- Policy determination
  - Expression: code, permissions, ACLs, policy language
  - Evaluation: semantics, architecture, performance
- Policy enforcement
  - Maintain the integrity of the Trusted Computing Base (TCB)
  - Enforce variable policy

Security Services
- Authentication: confirm an asserted identity
- Authorization: permit or deny a request
- Integrity: prevent undetected modification of data
- Confidentiality: prevent unauthorized reading of data
- Audit: preserve evidence for accountability
- Administration: control configuration
- Others ...

Web Services Security
- Standards for interoperability
  - Between systems, not internal behavior
  - Authentication, integrity, confidentiality, key exchange
- Consistent with XML, SOAP, WSDL and WS-Policy
- Authentication methods already exist; the standards carry them, they do not replace them
- Need to support multiple infrastructure types
  - Passwords, X.509, Kerberos, SAML, etc.
- Most of WSS is not about stronger security
  - Better scaling, easier deployment

W3C Security Recommendations
- Widespread use of XML creates a need for integrity and confidentiality at the XML level
- XML Digital Signature WG (1999 to 2002)
  - Defines rules to sign XML and to record the parameters and the signature value
  - Supports all technologies in common use
  - Key problem: immaterial changes to XML documents (whitespace, attribute order, quoting, namespace prefixes) change the bytes without changing the information, so a byte-level signature breaks
  - Solution: canonicalization, so the signature is computed over a normalized form
- XML Encryption WG (2001 to 2002)
  - Defines rules to encrypt XML and to record the parameters
  - Supports all technologies in common use
  - Key problem: encrypted data is not schema-valid, since the EncryptedData element replaces the original content
  - Solution: none
- Follow-on work currently at W3C
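The canonicalization point above, worked through as an added example that is not from the presentation: two serializations that differ only cosmetically hash differently as bytes but identically after canonicalization, while a change to the data still changes the canonical digest. It uses the standard library's C14N 2.0 implementation (Python 3.8 or later); the three sample documents are constructed for the example.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample documents (not from the presentation). DOC_A and DOC_B carry
# the same information; they differ only in attribute order, quote style,
# empty-element syntax and whitespace between elements. DOC_C changes the data.
DOC_A = (
    '<Order xmlns="urn:example:orders" id="42" total="10.00">'
    '<Item sku="A1"/></Order>'
)
DOC_B = (
    "<Order total='10.00' id='42' xmlns='urn:example:orders'>\n"
    '  <Item sku="A1"></Item>\n'
    "</Order>"
)
DOC_C = DOC_A.replace('total="10.00"', 'total="99.00"')


def raw_digest(xml_text: str) -> str:
    """SHA-256 over the bytes as received: any cosmetic edit changes it."""
    return hashlib.sha256(xml_text.encode("utf-8")).hexdigest()


def canonical_form(xml_text: str) -> str:
    """Canonical XML (C14N 2.0 as implemented by the standard library).

    Attribute order, quoting and empty-element syntax are normalized, and
    strip_text=True drops the whitespace-only text nodes between elements.
    """
    return ET.canonicalize(xml_data=xml_text, strip_text=True)


def canonical_digest(xml_text: str) -> str:
    """What an XML Signature Reference digests: the canonical bytes, not the wire bytes."""
    return hashlib.sha256(canonical_form(xml_text).encode("utf-8")).hexdigest()


def compare(a: str, b: str) -> dict:
    """Whether two serializations match byte-for-byte, and whether they match canonically."""
    return {
        "raw_equal": raw_digest(a) == raw_digest(b),
        "canonical_equal": canonical_digest(a) == canonical_digest(b),
    }


if __name__ == "__main__":
    print("A vs B (cosmetic differences):", compare(DOC_A, DOC_B))
    print("A vs C (material difference): ", compare(DOC_A, DOC_C))
    print("canonical A:", canonical_form(DOC_A))
```

The practical consequence is that a verifier must canonicalize with exactly the algorithm named in the signature's CanonicalizationMethod; a different algorithm (inclusive versus exclusive C14N, with or without comments) yields different bytes and a spurious verification failure.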

WS-Security Overview
- Basic SOAP message protection
- Signatures, encryption, timestamps
- Multiple token types
  - Username, X.509, Kerberos, SAML, REL
- Token references

Security Tokens
- An abstraction of the elements common to the information objects that represent identities
  - Claims, key, issuer, validity, etc.
- In some cases tokens can be used without knowledge of the specific token format
- This does not work in all cases
  - Passwords are not the same as keys
- WSS generally uses tokens to indicate keys
- Claims are passed along for authorization

WS-Security General Approach
- A Security element in the SOAP header
- Can contain tokens, token references, a Timestamp, signatures and encryptions
- The physical order of elements determines the processing order of signatures and encryptions: the sender prepends each element as it is added, so the receiver processes the header top to bottom and undoes operations in the reverse order of their application
- Signed and encrypted data can appear anywhere in the envelope
- A toolkit, not a protocol
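As an added example (not from the presentation), the simplest concrete Security header: a Timestamp plus a UsernameToken in digest form, built on the sender side and checked on the receiver side. The namespace URIs and the digest formula Base64(SHA-1(nonce + created + password)) are those of WS-Security 1.0 and its UsernameToken Profile; the user name, password, payload and five-minute acceptance window are assumptions made for the example. Two caveats the profile itself implies: the digest form only keeps the password off the wire, so the receiver must still hold the password in recoverable form; and a captured header stays valid until the Timestamp expires unless the receiver caches nonces, which is what `seen_nonces` does here.

```python
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
               "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
NS = {"soap": SOAP, "wsse": WSSE, "wsu": WSU}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """UsernameToken Profile: Base64(SHA-1(nonce + created + password))."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def build_envelope(username, password, now=None, nonce=None, ttl=timedelta(minutes=5)):
    """Sender: envelope whose Security header holds a Timestamp and a digest UsernameToken."""
    now = now or datetime.now(timezone.utc)
    nonce = nonce or os.urandom(16)
    created = now.strftime(TIME_FMT)
    env = ET.Element(f"{{{SOAP}}}Envelope")
    sec = ET.SubElement(ET.SubElement(env, f"{{{SOAP}}}Header"), f"{{{WSSE}}}Security",
                        {f"{{{SOAP}}}mustUnderstand": "1"})
    ts = ET.SubElement(sec, f"{{{WSU}}}Timestamp", {f"{{{WSU}}}Id": "TS-1"})
    ET.SubElement(ts, f"{{{WSU}}}Created").text = created
    ET.SubElement(ts, f"{{{WSU}}}Expires").text = (now + ttl).strftime(TIME_FMT)
    tok = ET.SubElement(sec, f"{{{WSSE}}}UsernameToken", {f"{{{WSU}}}Id": "UT-1"})
    ET.SubElement(tok, f"{{{WSSE}}}Username").text = username
    ET.SubElement(tok, f"{{{WSSE}}}Password", {"Type": DIGEST_TYPE}).text = \
        password_digest(nonce, created, password)
    ET.SubElement(tok, f"{{{WSSE}}}Nonce").text = base64.b64encode(nonce).decode("ascii")
    ET.SubElement(tok, f"{{{WSU}}}Created").text = created
    body = ET.SubElement(env, f"{{{SOAP}}}Body")
    ET.SubElement(body, "{urn:example:orders}GetOrder").text = "42"  # constructed payload
    return ET.tostring(env, encoding="unicode")


def _parse_time(text):
    return datetime.strptime(text, TIME_FMT).replace(tzinfo=timezone.utc)


def verify_envelope(xml_text, passwords, now=None, seen_nonces=None, skew=timedelta(minutes=5)):
    """Receiver: returns (accepted, reason). `passwords` maps user -> password (the digest
    form needs the password itself); `seen_nonces` is the replay cache."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    ts = root.find("soap:Header/wsse:Security/wsu:Timestamp", NS)
    if ts is None:
        return False, "missing Timestamp"
    created = _parse_time(ts.findtext("wsu:Created", namespaces=NS))
    expires = _parse_time(ts.findtext("wsu:Expires", namespaces=NS))
    if not (created - skew <= now <= expires):
        return False, "Timestamp outside acceptance window"
    tok = root.find("soap:Header/wsse:Security/wsse:UsernameToken", NS)
    if tok is None:
        return False, "missing UsernameToken"
    pw = tok.find("wsse:Password", NS)
    if pw is None or pw.get("Type") != DIGEST_TYPE:
        return False, "only PasswordDigest is accepted"
    username = tok.findtext("wsse:Username", namespaces=NS)
    if username not in passwords:
        return False, "unknown user"
    nonce = base64.b64decode(tok.findtext("wsse:Nonce", namespaces=NS))
    tok_created = tok.findtext("wsu:Created", namespaces=NS)
    if abs(now - _parse_time(tok_created)) > skew:  # bounds the nonce cache lifetime
        return False, "token Created outside acceptance window"
    expected = password_digest(nonce, tok_created, passwords[username])
    if not hmac.compare_digest(expected, pw.text or ""):
        return False, "password digest mismatch"
    if seen_nonces is not None:
        if nonce in seen_nonces:
            return False, "replayed nonce"
        seen_nonces.add(nonce)
    return True, "accepted"


def demo():
    """Constructed run: fresh message, the same message replayed, stale message, wrong password."""
    now = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    passwords = {"alice": "correct horse battery staple"}  # assumed credential store
    cache = set()
    msg = build_envelope("alice", passwords["alice"], now=now)
    fresh = verify_envelope(msg, passwords, now=now, seen_nonces=cache)
    replay = verify_envelope(msg, passwords, now=now, seen_nonces=cache)
    stale = verify_envelope(msg, passwords, now=now + timedelta(hours=1), seen_nonces=set())
    bad = verify_envelope(build_envelope("alice", "guess", now=now), passwords, now=now, seen_nonces=set())
    return fresh, replay, stale, bad
```

Nothing in this header is signed, so it only authenticates the sender of the header, not the Body; binding the Body to the token is what the signature and the WS-SecurityPolicy protection assertions covered later are for.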

SAML in Web Services Security
- SAML provides a very flexible XML token
- Use of the browser profiles is not required
- SAML assertions may or may not contain
  - Keys
  - Real-world names or pseudonyms
  - Attributes
- Viewed as easy and cheap to generate

WS-Trust
- Defines a generic Security Token Service (STS)
- Issue, renew, cancel and validate tokens
- Supports many different configurations and trust relationships
- Only defines generic elements
- Other specifications are intended to extend it and specify the details
  - WS-SecureConversation, WS-Federation

WS-SecureConversation
- Builds on WS-Security and WS-Trust
- Allows establishment of a secure session
- More efficient and more secure than using long-term secrets directly
- Like SSL/TLS, except at the SOAP layer
- Useful in conjunction with reliable messaging
- Adds two new token types
  - Security Context Token (holds session information, including keys)
  - Derived Key Token (enables per-message key derivation from the context secret)
- Two-party and three-party flows
- Also a toolkit, but less so
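The Derived Key Token worked through as an added example that is not from the presentation. WS-SecureConversation specifies P_SHA1, the TLS 1.0 expansion function, over the security context's secret with label + nonce as the seed, taking `Length` bytes from `Offset`; the label used here is the specification's default (client label followed by service label). The context secret, nonce size and the dictionary standing in for the `wsc:DerivedKeyToken` element are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import os

# Default label from WS-SecureConversation: client label + service label.
DEFAULT_LABEL = b"WS-SecureConversation" + b"WS-SecureConversation"


def p_sha1(secret: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.0 P_SHA1: A(0) = seed, A(i) = HMAC-SHA1(secret, A(i-1));
    output = HMAC(secret, A(1) + seed) || HMAC(secret, A(2) + seed) || ..."""
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha1).digest()
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()
    return out[:length]


def derive_key(secret: bytes, nonce: bytes, label: bytes = DEFAULT_LABEL,
               offset: int = 0, length: int = 32) -> bytes:
    """DerivedKeyToken: key = P_SHA1(secret, label + nonce)[offset : offset + length]."""
    return p_sha1(secret, label + nonce, offset + length)[offset:offset + length]


def new_derived_key_token(nonce: bytes, offset: int = 0, length: int = 32,
                          sct_id: str = "sct-1") -> dict:
    """Public parameters a sender puts in <wsc:DerivedKeyToken>; the secret itself is never sent.
    (Dictionary stands in for the XML element; constructed for this example.)"""
    return {"SecurityTokenReference": f"#{sct_id}",
            "Nonce": base64.b64encode(nonce).decode("ascii"),
            "Offset": offset, "Length": length}


def key_from_token(context_secret: bytes, token: dict) -> bytes:
    """Receiver side: recompute the derived key from the shared context secret and the token."""
    return derive_key(context_secret, base64.b64decode(token["Nonce"]),
                      offset=token["Offset"], length=token["Length"])


def exchange(context_secret: bytes) -> dict:
    """Constructed two-party flow: the client derives a request key and sends only the token;
    the service recomputes it, then replies under its own nonce so the response key differs.
    The long-term context secret is never used as a message key."""
    req_nonce = os.urandom(16)
    req_token = new_derived_key_token(req_nonce)
    client_req_key = derive_key(context_secret, req_nonce)
    service_req_key = key_from_token(context_secret, req_token)
    resp_nonce = os.urandom(16)
    resp_token = new_derived_key_token(resp_nonce)
    service_resp_key = derive_key(context_secret, resp_nonce)
    client_resp_key = key_from_token(context_secret, resp_token)
    return {
        "request_keys_match": hmac.compare_digest(client_req_key, service_req_key),
        "response_keys_match": hmac.compare_digest(service_resp_key, client_resp_key),
        "request_equals_response": client_req_key == client_resp_key,
        "request_token": req_token,
    }


if __name__ == "__main__":
    print(exchange(os.urandom(32)))
```

Because the receiver recomputes the key from public parameters, a derived key is only as strong as the context secret; what the derivation buys is that each message (and each direction) uses a different key, so a key exposed by one message's processing does not expose the session.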

Key Agreement Scenarios (figure): Unilateral, Mutual, Third Party

WS-SecurityPolicy
- Allows a Web service to express its security policies
  - What needs to be protected
  - What tokens to use
  - Algorithms, reference types, etc.
- Builds on WS-Policy
  - Uses nested policy to provide scope
- Defines various groups of policy assertions
  - Correspond to features of WSS, WS-SecureConversation, WS-Trust, etc.
- Expressed in WSDL per WS-PolicyAttachment
- Constrains the content and layout of the Security header
- Defines a number of assertion types

WS-SecurityPolicy Assertion Types
- Protection assertions
  - What parts of messages need to be protected: confidentiality, integrity
- Token assertions
  - Types of tokens, in band or out of band
- Binding assertions
  - Transport, Symmetric and Asymmetric bindings
  - Can apply to the response as well as the request
- Supporting token assertions
  - Additional signatures, e.g. endorsements
- Protocol assertions
  - Other properties, e.g. algorithms, timestamps, reference types
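An added example (not from the presentation or from any WS-SecurityPolicy implementation) of what a protection assertion means on the receiving side. The policy, reduced here to a dictionary, requires the Body and the Timestamp to be signed; the receiver therefore checks that the signature's References cover exactly those elements, resolving each part from its policy location rather than from whatever element happens to carry a referenced Id. The envelope is constructed, and its digest and signature values are placeholders, because the cryptographic verification of the signature is a separate step this check does not perform.

```python
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"soap": SOAP, "wsse": WSSE, "wsu": WSU, "ds": DS}

# Constructed policy: the service's SignedParts assertion names the Body and the
# Timestamp. Each part maps to where that element must live in the envelope.
REQUIRED_SIGNED_PARTS = {
    "Body": "soap:Body",
    "Timestamp": "soap:Header/wsse:Security/wsu:Timestamp",
}


def make_message(signed_ids):
    """Constructed envelope (Timestamp wsu:Id TS-1, Body wsu:Id Body-1) whose ds:Signature
    References cover exactly `signed_ids`. Digest and signature values are placeholders."""
    refs = "".join(
        f'<ds:Reference URI="#{i}">'
        '<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>'
        '<ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference>'
        for i in signed_ids
    )
    return f'''<soap:Envelope xmlns:soap="{SOAP}" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" xmlns:ds="{DS}">
  <soap:Header>
    <wsse:Security soap:mustUnderstand="1">
      <wsu:Timestamp wsu:Id="TS-1">
        <wsu:Created>2024-01-01T12:00:00Z</wsu:Created>
        <wsu:Expires>2024-01-01T12:05:00Z</wsu:Expires>
      </wsu:Timestamp>
      <ds:Signature>
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
          {refs}
        </ds:SignedInfo>
        <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
      </ds:Signature>
    </wsse:Security>
  </soap:Header>
  <soap:Body wsu:Id="Body-1"><GetOrder xmlns="urn:example:orders">42</GetOrder></soap:Body>
</soap:Envelope>'''


def signed_ids(root):
    """Ids named by same-document References in the Security header's signature."""
    ids = set()
    path = "soap:Header/wsse:Security/ds:Signature/ds:SignedInfo/ds:Reference"
    for ref in root.iterfind(path, NS):
        uri = ref.get("URI", "")
        if uri.startswith("#"):
            ids.add(uri[1:])
    return ids


def unprotected_parts(xml_text):
    """Names of required parts the signature does not cover. Each part is located by its
    policy path first and its wsu:Id is then looked up among the References, so a Reference
    to some other element in the envelope does not satisfy the assertion."""
    root = ET.fromstring(xml_text)
    covered = signed_ids(root)
    missing = []
    for name, path in REQUIRED_SIGNED_PARTS.items():
        el = root.find(path, NS)
        if el is None or el.get(f"{{{WSU}}}Id") not in covered:
            missing.append(name)
    return missing


if __name__ == "__main__":
    print("full coverage, missing:", unprotected_parts(make_message(["TS-1", "Body-1"])))
    print("Body only, missing:    ", unprotected_parts(make_message(["Body-1"])))
```

In a real endpoint this coverage check runs after the signature itself has verified and before the Body is handed to the application; a message that verifies cryptographically but leaves a required part uncovered must be rejected, since the policy, not the signer, decides what has to be signed.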

WS-Federation
- Builds on WS-Trust
- Web SSO alternative to the SAML profiles
- Uses WS-Trust to issue tokens, including SAML tokens
  - More generic, less access to SAML-specific features
- Federation metadata
- Reference tokens
- Authorization tokens
- Extends WS-SecurityPolicy

Related Standards
- Web single sign-on and sign-off
  - SAML Web Browser profiles
  - WS-Federation (passive requestors)
- Authorization policy: XACML
- Digital Signature Services (DSS)
  - Create and verify signatures, signed timestamps

Key OASIS Technical Committees
- Security Services (2001 to present): SAML
- WS-Security: core specification plus token profiles; now closed
- WS-SX (2006 to present): WS-Trust, WS-SecureConversation, WS-SecurityPolicy
- WS-Federation (2007)
- XACML (2001 to present)
- DSS (closed), DSS-X (2007): Digital Signature Services

Security Standards Interdependencies (diagram, listed from the base layer upward): XML Encryption and XML Digital Signature; DSS, XACML, SAML; WSS; WS-Trust; WS-SecureConversation, WS-SecurityPolicy, WS-Federation

Questions?