Presentation is loading. Please wait.

Presentation is loading. Please wait.

Web Services Security Mike Shaw Architectural Engineer.

Published byDavid Morrison Modified over 8 years ago

Similar presentations

Presentation on theme: "Web Services Security Mike Shaw Architectural Engineer."— Presentation transcript:

1 Web Services Security Mike Shaw mikeshaw@microsoft.com.NET Architectural Engineer

2 Agenda Trust Worthy Computing Trust Worthy Computing What are Web Services? What are Web Services? XML Signatures XML Signatures XML Encryption XML Encryption What is WS-Security? What is WS-Security? Links Links

3 Trustworthy Computing Microsoft is committed to Trustworthy Computing: Microsoft is committed to Trustworthy Computing:  Security  Privacy  Reliability  Business Integrity Trustworthy computing can only be achieved through partnership & teamwork Trustworthy computing can only be achieved through partnership & teamwork Trustworthy Computing is a journey with a long term vision and highlights and obstacles along the road Trustworthy Computing is a journey with a long term vision and highlights and obstacles along the road

4 Trustworthy Computing Security Privacy Reliability Business Integrity Resilient to attack Protects confidentiality, integrity, availability and data Dependable Available when needed Performs at expected levels Individuals control personal data Products and Online Services adhere to fair information principles Vendors provide quality products Product support is appropriate

5 Goals Understand the goals and application of WS-Security Understand the goals and application of WS-Security Provide you a roadmap on how to implement secure Web services Provide you a roadmap on how to implement secure Web services

6 Today: Point to Point Service SSL/TLS

7 C Service A End to End Messaging Service B Any Web service capable application. WS-Security for Encryption and Signing Secure SOAP message using WS-Security Channel doesn’t matter. Could be HTTP, SSL, MIME/SMIME Authentication Message Validation Maybe ISA Server Auditing/logging Confidentialmessageprocessing Encryptedmessage SignedMessage

8 End-to-End Security Cons Cons  Standards are evolving and will be delivered incrementally Pros Pros  Is implemented at the messaging layer  Enables heterogeneous architecture  Supports non-repudiation  Can be independent of transport

9 How is security implemented today? Point-to-Point Point-to-Point  Channel  SSL, IPSec  Entry Point  ACLs and Roles, IP Restriction End-to-End End-to-End  Message Based  Web Services

10 Web Services Industry standards for interoperability Based on Internet standards Based on Internet standards Not wedded to any platform Not wedded to any platform Loosely coupled programming Loosely coupled programming Preserve and connect existing systems Preserve and connect existing systems Integrate inside and outside the firewall Integrate inside and outside the firewall Broad industry support Broad industry support Enable End-to-End messaging systems Enable End-to-End messaging systems

11 What is a Web Service today? Message processor Message processor Standards based Standards based  SOAP 1.1  Language and transport neutral  WSDL 1.1 Predominantly participate in point-to- point scenarios due to lack of additional standards Predominantly participate in point-to- point scenarios due to lack of additional standards Inherently insecure Inherently insecure Web Service SOAP 1.1 WSDL 1.1 Implementation

12 Industry initiative for Web services Industry initiative for Web services  Over 150 members  Facilitates customer adoption  Ensures interoperability Broad alignment around Web services Broad alignment around Web services  First testing tools this year More info: http://www.ws-i.org More info: http://www.ws-i.org

13 WSA Core Services WSA WSA Internet Transports Metadata & DiscoveryMessagingSecurityTransactions SOAP and XML

14 Security Model Policy Services have policies Policies require claims Security tokens assert claims ? Security Engine

15 Enable End-to-End message Security Flexible message-level security Flexible message-level security Maintain core tenets Maintain core tenets  Integrity (XML Digital Signatures)  Confidentiality (XML Encryption)  Authentication Tokens Leverage existing infrastructure and standards Leverage existing infrastructure and standards  Kerberos  PKI  SAML  Custom …  SSL/TLS  XML Signature  XML Encryption  …

16 XML Signature http://www.w3.org/TR/xmldsig-core/ http://www.w3.org/TR/xmldsig-core/  XML syntax used to represent a digital signature over any digital content  Verified whether a message was altered during transit  Enables non-repudiation  Sign specific portions of the XML document or message  One-way transformation via private key  Defined schema

17 XML Signature Schema <Signature> ( ( ( )? ( )? )+ )+ ( )? ( )? ( )* ( )*</Signature> Root Signed Item Location (Enveloped or Detached) Hash Info Signature of Digest Public Key Source Data

18 XML Encryption http://www.w3.org/TR/xmlenc-core/ http://www.w3.org/TR/xmlenc-core/  Encrypt specific portions of the XML document or message  Supports symmetric and asymmetric key algorithms  Defined schema

19 XML Encryption Schema ? ? ? ? ? ? ? ?</EncryptedData> Root Encrypted Info Driven by cryptography type Arjun Mitra X.509

20 How does this materialize in a Web services model? Composition via SOAP Headers Composition via SOAP Headers SOAP headers can be anything so we need a schema to ensure interoperability across all implementations SOAP headers can be anything so we need a schema to ensure interoperability across all implementations WS-Security 1.0 a specification with OASIS WS-Security 1.0 a specification with OASIS  Joint proposal from IBM, VeriSign & Microsoft

21 WS-Security 1.0 Security Model Security Model  Security Token + Digital Signature = Proof of Key Possession Claims Public Key Proof of possession Of Private Key + =

22 WS-Security 1.0 Trust Model Trust Model  Security Token  Unendorsed = Not signed by an authority  Proof-of-Possession = claim that can be mutually verified  Endorsed = Signed by an authority ? Signing Authority

23 WS-Security 1.0 Protection Protection  Integrity = XML Signature + Security Tokens  Confidentiality = XML Encryption + Security Tokens

24 Demo WS-Security Using WS-Security prototype Code Using WS-Security prototype Code  Request a Signed Security Token for authentication (X.509)  Request a Signed Security Token for authorization (X.509)  Call Web service with authorization token Notables Notables  The Certificate Authority in.NET Server is a huge improvement over Windows 2000  I could have used a Kerberos model  Certificate lifetime and management is tough issue that requires planning

25 Non-Goals of WS-Security Establishing a security context that requires multiple exchanges (WS- SecureConversation) Establishing a security context that requires multiple exchanges (WS- SecureConversation) Key exchange and derived keys Key exchange and derived keys How trust is established (WS-Trust) How trust is established (WS-Trust) Policy Definition (WS-Policy) Policy Definition (WS-Policy) Provisioning of certificates (XKMS) Provisioning of certificates (XKMS) Rights (XrML) Rights (XrML) etc etc

26 Security Roadmap SOAP WS-Security WS-PolicyWS-Trust WS-Federation WS-Privacy WS-Authorization WS-Secure Conversation Refer to Security Roadmap – http://msdn.microsoft.com/webservices Today

27 Your tasks at hand… Think big, start small Think big, start small  Understand your security topology  What does the end-to-end messaging path look like for your scenarios? Understand Understand  XML Signature  XML Encryption  WS Security  System.Security.Cryptography namespace Create a threat model for your Web service environment Create a threat model for your Web service environment Blend point-to-point security with end-to-end security Blend point-to-point security with end-to-end security  Leverage the.NET Framework base classes, Windows Crypto API, CAPICOM,.NET Server Certificate Authority

28 Call to action 1. For a copy of this presentation visit: www.microsoft.com/uk/security 2. For regular information subscribe at: register.microsoft.com/subscription/subscribeMe.asp?lcid=1033&id=155 3. For the Microsoft security resource toolkit visit: www.microsoft.com/uk/security

29 Microsoft - Stand 670 Firewall and VPN Firewall and VPN Identity Management Identity Management Securing Windows Securing Windows Windows Server 2003 Security Windows Server 2003 Security Wireless Security Wireless Security

30 Microsoft Security Seminars

31 Questions? Visit the Microsoft stand. We’ll be there for 1 hour after this session. Thank You!

32 Trustworthy Computing Mike Shaw mikeshaw@microsoft.com.NET Architectural Engineer

Download ppt "Web Services Security Mike Shaw Architectural Engineer."

Similar presentations

Securing Wireless LANs A Windows Server 2003 Certificate Services Solution Ian Hellen – Principal Consultant Stirling Goetz – Principal Consultant.

Securing Wireless LANs A Windows Server 2003 Certificate Services Solution Ian Hellen – Principal Consultant Stirling Goetz – Principal Consultant.
Encrypting Wireless Data with VPN Techniques

Encrypting Wireless Data with VPN Techniques
CS651/551 Federated Trust Systems Alfred C. Weaver

CS651/551 Federated Trust Systems Alfred C. Weaver
Web Service Security CS409 Application Services Even Semester 2007.

Web Service Security CS409 Application Services Even Semester 2007.
Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.

Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.
0 Web Service Security JongSu Bae. 1  Introduction 2. Web Service Security 3. Web Service Security Mechanism 4. Tool Support 5. Q&A  Contents.

0 Web Service Security JongSu Bae. 1  Introduction 2. Web Service Security 3. Web Service Security Mechanism 4. Tool Support 5. Q&A  Contents.
1 Pertemuan 12 Authentication, Encryption, Digital Payments, and Digital Money Matakuliah: M0284/Teknologi & Infrastruktur E-Business Tahun: 2005 Versi:

1 Pertemuan 12 Authentication, Encryption, Digital Payments, and Digital Money Matakuliah: M0284/Teknologi & Infrastruktur E-Business Tahun: 2005 Versi:
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Encryption and Firewalls Chapter 7. Learning Objectives Understand the role encryption plays in firewall architecture Know how digital certificates work.

Encryption and Firewalls Chapter 7. Learning Objectives Understand the role encryption plays in firewall architecture Know how digital certificates work.
WS-Security TC Christopher Kaler Kelvin Lawrence.

WS-Security TC Christopher Kaler Kelvin Lawrence.
T-110.5140 Network Application Frameworks and XML Service Federation 30.04.2007 Sasu Tarkoma.

T Network Application Frameworks and XML Service Federation Sasu Tarkoma.
Core Web Service Security Patterns

Core Web Service Security Patterns
Web Services Security Multimedia Information Engineering Lab. Yoon-Sik Yoo.

Web Services Security Multimedia Information Engineering Lab. Yoon-Sik Yoo.
© 2007 Charteris plc20 June 2015 1 1 Extending Web Service Security with WS-* Presented by Chris Seary MVP Charteris plc, 39-40 Bartholomew Close, London.

© 2007 Charteris plc20 June Extending Web Service Security with WS-* Presented by Chris Seary MVP Charteris plc, Bartholomew Close, London.
Web Service Security CSCI5931 Web Security Instructor: Dr. T. Andrew Yang Student: Jue Wang.

Web Service Security CSCI5931 Web Security Instructor: Dr. T. Andrew Yang Student: Jue Wang.
Web services security I

Web services security I
Prashanth Kumar Muthoju

Prashanth Kumar Muthoju
Secure Systems Research Group - FAU Web Services Standards Presented by Keiko Hashizume.

Secure Systems Research Group - FAU Web Services Standards Presented by Keiko Hashizume.
Lecture 12 Electronic Business (MGT-485). Recap – Lecture 11 E-Commerce Security Environment Security Threats in E-commerce Technology Solutions.

Lecture 12 Electronic Business (MGT-485). Recap – Lecture 11 E-Commerce Security Environment Security Threats in E-commerce Technology Solutions.

Similar presentations

Ads by Google