OTP-WSS-Token John Linn, RSA Laboratories DRAFT: 24 May 2005.

OTP-WSS-Token

Goal: support OTP-based authentication from claimants to relying parties (RPs) in web service environments
- An XML-encoded object carries OTP-based authenticator data
- Functionally analogous to the OASIS Web Services Security TC's UsernameToken Profile, but tailored to support OTP authentication methods
- Can be applied to support token devices operating in multiple modes, including time-based, challenge-response, and counter-based
  - Challenges may be client-generated or obtained from the verifier through out-of-band means

OTP-WSS-Token: Operational Context

OTP authentication can be integrated with Web Services Security: SOAP Message Security (WSS:SMS) in different ways, such as:
- Directly, using the OTPToken type proposed in this draft
- Indirectly, using a SAML message token with an assertion based on OTP authentication
- At a stream level, as by using OTP to authenticate WS-SecureConversation or SASL
This draft's approach authenticates a single SOAP request, and is particularly suited for stand-alone actions like acquiring login credentials

OTP-WSS-Token: Recent and Potential Changes

Technical changes in the 1-0d2 draft, 8 April 2005
- Namespace now "otps-wst"
- No default algorithm identifier
Potential changes to consider
- Token identifier change from TokID (XML ID type) to the WSS:SMS wsu:Id type, to simplify WSS:SMS integration
- Further treatment of OTPToken placement and referencing in the WSS:SMS environment (see next slide)
  - To identify the OTPToken(s) used for authentication
  - Possibly to identify the OTPToken(s) used to provide key derivation inputs?

Proposals for Referencing OTPTokens in WSS:SMS

Recommended placement: direct descendant of the wsse:Security header, not carried as an Embedded token
- Working assumption: in the usual case, OTPTokens will be carried within the messages they authenticate, not referenced from external sources
- Can reference an OTPToken using its identifier value
  - Can qualify the reference with a ValueType of #OTPToken
- Perhaps use a KeyIdentifier reference to obtain the OTPToken's OTP value as input for key derivation?
  - Q: Define a key derivation algorithm within the document?

OTP-WSS-Token: OTPToken Elements

All elements are optional except the one that carries the value being presented for OTP-based authentication
- Use of the other elements may vary across algorithms and use cases
- A time element carries the time for time-based OTP algorithms and/or acts as a replay countermeasure
- A challenge element carries a challenge, acts as a replay countermeasure, and/or enables use of multiple OTP results within a single time quantum
- A state element carries additional state as needed
  - e.g., the counter for counter-based OTP algorithms
- A PIN element carries the user's PIN data (which then needs confidentiality protection in transit, e.g. XML Encryption or TLS)
- A service element identifies the target service for OTP authentication
  - Q: priority for support within the token vs. externally?
- A linkage element provides in-band linkage to continue multi-step authentication transactions
  - Q: priority for support within the token vs. externally?

OTP-WSS-Token: OTPToken Attributes

- The TokQual attribute group can identify the user's device by user identity (TokUser) and/or serial number (Serial)
  - At least one of the two must be provided to construct a valid OTPToken
- The optional TokID attribute supports linkage to the data object from other message elements
- The optional TokAlg attribute identifies the token device's OTP algorithm
  - A value must be provided unless the algorithm is unambiguous from context
- The optional TokOTPTransform attribute identifies preprocessing performed on the token device's output before its inclusion in the OTP value element

OTP-WSS-Token: Exception Cases

In the WSS:SMS context, authentication failures can be indicated with a SOAP fault carrying the FailedAuthentication value and a Fault/Detail entry
- If a new PIN is needed, the client can contact a separate PIN change service, then generate a new OTP and make a new request
- If an additional OTP is needed for resynchronization, the client can generate a new OTP with the next value and retry the request
- Additional cases and recovery actions can be profiled separately
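The placement rule, the TokQual and TokAlg attribute rules, the replay countermeasure, and the fault handling from the last three slides, put together as a relying-party verifier. This is an added example and not code from the draft or from RSA Laboratories; it assumes a namespace URI for the otps-wst prefix (the slides name only the prefix), assumes element names OTP and State for the OTP value and the counter (the draft's element names are not on this page), uses RFC 4226 HOTP as the counter-based algorithm behind an assumed TokAlg value of "hotp", and keeps the verifier's token database in a dict keyed by Serial. The fault codes and faultstrings are the ones WSS:SMS defines.

```python
import hashlib
import hmac
import struct
import xml.etree.ElementTree as ET

# SOAP 1.1 and WS-Security 1.0 namespace URIs are the real ones; the otps-wst URI
# is an ASSUMPTION, since the slides name only the prefix.
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
OTPS = "urn:example:otps-wst"

LOOKAHEAD = 3  # counters accepted beyond the last one used; larger gaps need resynchronization

# WSS:SMS fault codes and faultstrings used below.
FAULT_STRINGS = {
    "wsse:InvalidSecurity": "An error was discovered processing the <wsse:Security> header",
    "wsse:InvalidSecurityToken": "An invalid security token was provided",
    "wsse:UnsupportedSecurityToken": "An unsupported token was provided",
    "wsse:FailedAuthentication": "The security token could not be authenticated or authorized",
}


def fault(code: str, detail: str) -> dict:
    """SOAP fault as the slide describes it: a wsse fault code plus a Fault/Detail entry."""
    return {"faultcode": code, "faultstring": FAULT_STRINGS[code], "detail": detail}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def build_envelope(serial: str, user: str, otp: str, counter: int) -> str:
    """Constructed claimant request. The OTPToken sits directly under wsse:Security (the
    recommended placement); element names OTP and State are ASSUMED, not from the draft."""
    return (
        f'<S:Envelope xmlns:S="{SOAP}" xmlns:wsse="{WSSE}" xmlns:otps-wst="{OTPS}">'
        "<S:Header><wsse:Security>"
        f'<otps-wst:OTPToken TokID="otp1" TokUser="{user}" Serial="{serial}" TokAlg="hotp">'
        f"<otps-wst:OTP>{otp}</otps-wst:OTP><otps-wst:State>{counter}</otps-wst:State>"
        "</otps-wst:OTPToken></wsse:Security></S:Header>"
        '<S:Body><login xmlns="urn:example:app"/></S:Body></S:Envelope>'
    )


class OTPVerifier:
    """Relying party. `devices` maps Serial -> {"secret": bytes, "counter": last accepted
    counter}; an in-memory stand-in for the verifier's token database."""

    def __init__(self, devices: dict):
        self.devices = devices

    def verify(self, envelope: str) -> dict:
        root = ET.fromstring(envelope)
        security = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security")
        if security is None:
            return fault("wsse:InvalidSecurity", "no wsse:Security header")
        token = security.find(f"{{{OTPS}}}OTPToken")  # direct child only, not Embedded
        if token is None:
            return fault("wsse:InvalidSecurityToken", "no OTPToken directly under wsse:Security")
        user, serial = token.get("TokUser"), token.get("Serial")
        if user is None and serial is None:  # TokQual rule: at least one identifier
            return fault("wsse:InvalidSecurityToken", "OTPToken needs TokUser and/or Serial")
        if token.get("TokAlg") is None:  # nothing in this context implies the algorithm
            return fault("wsse:InvalidSecurityToken", "TokAlg required: algorithm not implied by context")
        if token.get("TokAlg") != "hotp":
            return fault("wsse:UnsupportedSecurityToken", f"TokAlg {token.get('TokAlg')!r} not supported")
        otp = token.findtext(f"{{{OTPS}}}OTP")      # the one mandatory element
        state = token.findtext(f"{{{OTPS}}}State")  # counter for the counter-based mode
        device = self.devices.get(serial)           # this demo keys devices by Serial only
        if otp is None or device is None:
            return fault("wsse:FailedAuthentication", "unknown device or missing OTP value")
        try:
            counter = int(state)
        except (TypeError, ValueError):
            return fault("wsse:FailedAuthentication", "counter-based algorithm needs a State counter")
        last = device["counter"]
        if counter <= last:  # replay countermeasure: never accept a counter twice
            return fault("wsse:FailedAuthentication", f"counter {counter} already used (last accepted {last})")
        if counter > last + LOOKAHEAD:  # the slide's resynchronization case
            return fault("wsse:FailedAuthentication", "counter outside look-ahead window: resynchronization needed, send next OTP")
        if not hmac.compare_digest(hotp(device["secret"], counter).encode(), otp.encode()):
            return fault("wsse:FailedAuthentication", "OTP value does not verify")
        device["counter"] = counter  # advance only after success, so the same message cannot be replayed
        return {"authenticated": True, "user": user, "serial": serial, "counter": counter}


if __name__ == "__main__":
    key = b"12345678901234567890"  # RFC 4226 test-vector secret, constructed device
    rp = OTPVerifier({"SN-0001": {"secret": key, "counter": 0}})
    request = build_envelope("SN-0001", "alice", hotp(key, 1), 1)
    print(rp.verify(request))  # authenticated
    print(rp.verify(request))  # replayed message -> wsse:FailedAuthentication
```

The verifier advances the stored counter only after a successful check, so a captured request replayed later fails on the counter comparison even though its OTP value is correct; this is the replay countermeasure the elements slide attributes to the time, challenge and state elements. A counter too far ahead of the stored one is refused rather than searched for, which is the case the exception slide resolves by having the client send the next OTP.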

OTP-WSS-Token: OTPToken Schema

Type definition for token-based authentication

OTP-WSS-Token: Example OTPToken

Time value: T20:25:42Z
Value (base64): VXUzoS1a4r7kQQ5c/Iua4LqKeq3ciF zEv/MbZhA==

OTP-WSS-Token: Next Steps

- Consensus and stabilization on document content
- Proceed towards a contribution derived from the content, likely to the OASIS WSS TC?