Secure Systems Research Group - FAU Patterns for Web Services Security Standards Presented by Keiko Hashizume.

Presentation transcript:


Outline
– Introduction
– Patterns for Web Services Security Standards
– WS-Security
– Conclusions

Introduction
Web services standards are confusing, which makes it difficult for vendors to develop products that comply with the standards and for users to decide which product to use. That is why we need to develop patterns for these standards.
– Patterns embody the knowledge and experience of software developers about a recurrent problem. A pattern solves a specific problem in a given context and can be tailored to fit different situations.

Existing Patterns for WS Security Standards
– XACML (eXtensible Access Control Markup Language) Policy Language
– XACML Access Control Evaluation
– WSPL (Web Service Policy Language)
– WS-Policy
– SAML (Security Assertion Markup Language)

Web Services Security Standards without Patterns
– SPML (Service Provisioning Markup Language)
– WS-Security
– XML digital signature
– XML encryption
– XKMS (XML Key Management Specification)
– XrML (Extensible Rights Management Language)
– XCBF (XML Common Biometric Format)
– WS-Authorization
– WS-Encryption
– WS-Federation Language
– WS-Federation: Active Requestor Profile
– WS-Federation: Passive Requestor Profile
– WS-Signature
– WS-Privacy
– WS-SecureConversation
– WS-Security Kerberos Binding
– WS-SecurityPolicy
– WS-Trust 1.3

WS-Security Standard
– Originally developed by IBM, Microsoft, VeriSign, and Forum Systems.
– OASIS Specification
– Latest version: WS-Security 1.1, approved in February 2006

WS-Security Standard
Security Header:
– The header block provides a mechanism for attaching security-related message information.

WS-Security Standard
The WS-Security specification provides three main mechanisms:
– The ability to send security tokens as part of a message
– Message integrity, provided by XML Signature
– Message confidentiality, provided by XML Encryption

Security Tokens
WS-Security defines how security tokens are attached to messages. There are different types of security tokens:
– UsernameToken
– Binary Security Tokens
– XML Tokens

UsernameToken Profile
The UsernameToken propagates a username and, optionally, a password.

Binary Security Tokens
WS-Security provides a element that can be included in the header block. The following is an overview of the syntax:
Examples:
– X.509 certificates
– Kerberos tickets

XML Tokens
XML Tokens are offered in two formats:
– Security Assertion Markup Language (SAML)
– Extensible Rights Markup Language (XrML)
Example of a WS-Security header with a SAML assertion token

Signatures
Digital signatures provide message integrity and authentication. WS-Security builds on XML Signature. This specification describes:
– Signing Messages
– Signing Tokens

Signing Messages
To add a signature to a block, a element conforming to the XML Signature specification must be present in the header block.

Signing Tokens
WS-Security allows different tokens to have their own unique reference.

Encryption
WS-Security allows encryption of the body and header blocks by either a common symmetric key shared by the producer and the recipient or a symmetric key carried in the message in an encrypted form. WS-Security leverages the XML Encryption standard. This specification describes how the two elements and can be used within the header block.

Encryption
The element that needs to be encrypted must be replaced by a corresponding.

Encryption
When the encryption involves encrypting element contents within a SOAP envelope with a symmetric key, that is encrypted and embedded in the message, may be used for carrying such an encrypted key.
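
The three mechanisms described in the slides above (tokens, signature, encryption), as an added example that is not part of the original presentation: a small auditor that reads a SOAP 1.1 message and reports which of them its security header actually uses. The element names and namespace URIs are taken from the OASIS WS-Security, XML Signature and XML Encryption specifications rather than from the slides; the sample message, user name and `audit_ws_security` function are constructed for illustration, and only UsernameToken and binary tokens are counted.

```python
import xml.etree.ElementTree as ET

WSS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-"
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": WSS + "wssecurity-secext-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
PASSWORD_TEXT = WSS + "username-token-profile-1.0#PasswordText"

# Constructed sample: clear-text UsernameToken, no signature, unencrypted body.
SAMPLE = f"""<soap:Envelope xmlns:soap="{NS['soap']}" xmlns:wsse="{NS['wsse']}">
  <soap:Header>
    <wsse:Security>
      <wsse:UsernameToken>
        <wsse:Username>alice</wsse:Username>
        <wsse:Password Type="{PASSWORD_TEXT}">example-only</wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>
  </soap:Header>
  <soap:Body><GetQuote xmlns="urn:example:quotes"/></soap:Body>
</soap:Envelope>"""


def audit_ws_security(message: str) -> dict:
    """Report which WS-Security mechanisms a SOAP 1.1 message uses."""
    # Untrusted XML needs a hardened parser such as defusedxml.
    root = ET.fromstring(message)
    report = {"tokens": [], "signed": False, "encrypted_key": False,
              "body_encrypted": False, "findings": []}
    sec = root.find("soap:Header/wsse:Security", NS)
    if sec is None:
        report["findings"].append("no wsse:Security header")
        return report
    for kind in ("UsernameToken", "BinarySecurityToken"):
        report["tokens"] += [kind] * len(sec.findall(f"wsse:{kind}", NS))
    report["signed"] = sec.find("ds:Signature", NS) is not None
    report["encrypted_key"] = sec.find("xenc:EncryptedKey", NS) is not None
    body = root.find("soap:Body", NS)
    report["body_encrypted"] = (
        body is not None and body.find(".//xenc:EncryptedData", NS) is not None)
    for pw in sec.findall("wsse:UsernameToken/wsse:Password", NS):
        # The UsernameToken profile treats a missing Type as PasswordText.
        if pw.get("Type", PASSWORD_TEXT) == PASSWORD_TEXT:
            report["findings"].append("UsernameToken password sent as clear text")
    if report["tokens"] and not report["signed"]:
        report["findings"].append("security token present but message is unsigned")
    return report
```

Presence of a signature element is only a structural check; a receiver still has to validate the signature and confirm which parts of the message it covers.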

Encryption

Class Diagram for WS-Security

Conclusion
– We need to develop more patterns for web services security standards.
– A good catalog of patterns is needed.
– We also need pattern classification and selection approaches, e.g. pattern map, policy to pattern mapping.