Securing Web Services
Tim Bornholtz, Director of Technology Services, tim@prioritytech.com
©2001 Priority Technologies, Inc. All Rights Reserved
Web Services
Web applications that use programmatic interfaces for application-to-application communication. Most definitions include these technologies:
- XML
- SOAP
- WSDL
- UDDI
Concerns
- Using web services for basic system integration and XML interfaces is relatively stable.
- The largest concern today is securing web services.
Security Requirements
Three capabilities must exist for secure web services:
- Credential transfer
- Message integrity
- Message confidentiality
Why isn't SOAP secure?
- SOAP is simply a standard for sending messages over HTTP using XML.
- The SOAP specification does not address security at all.
- SOAP contains no protocol limitations: it can use HTTP or HTTPS, or just about any known protocol.
Security Standards
The Internet Engineering Task Force (IETF), the Organization for the Advancement of Structured Information Standards (OASIS) and the World Wide Web Consortium (W3C) have worked on at least 13 different web services security standards.
WS-Security
- W3C standards used: XML Encryption, XML Signatures, other extension functions
- Joint effort of many standards bodies and industries: IBM, Microsoft, VeriSign
WS-Security
- Generally considered to be the best bet to emerge as the standard.
- WS-Security interoperability exists for:
  - Web Services Enhancements 1.0 for Microsoft .NET
  - IBM Web Services ToolKit 3.3.2
  - Apache Axis with Apache XML Security
Interoperability
- Interoperability depends on which algorithms are used.
- Common algorithms such as RSA and DSA work fine.
- Each vendor may support algorithms that are not interoperable with other toolkits.
XML Encryption
Encrypt XML documents and use an XML syntax to represent:
- Encrypted content (all encrypted content is still well-formed XML)
- Information that enables the intended recipient to decrypt the data
XML Signatures
- XML syntax for representing the signature of a document
- Procedures for computing and verifying the signature
- XML Encryption and XML Signatures are different standards; the use of one does not necessarily imply the use of the other.
Security Assertion Markup Language (SAML)
- Framework for exchanging security information
- Assertions about subjects (people or computers) that have an identity in the network
- Assertions are issued by SAML authorities: authentication authorities, attribute authorities, and policy decision points.
SAML Assertions
- Authentication: previous authentication acts (assertions should not usually contain passwords)
- Attributes: profile information, preference information
- Authorization: given the attributes, should access be allowed?
Typical Assertion
- Issuer ID and issuance timestamp
- Assertion ID
- Subject: name and security domain
- Conditions under which the assertion is valid:
  - Assertion validity period (NotBefore and NotOnOrAfter)
  - Audience restrictions
  - Target restrictions (intended URLs for the assertion)
  - Application-specific conditions
Meteor Security
All security in Meteor is through the use of industry-standard technologies:
- Centralized registry
- SAML
- XML Signatures
- SSL
Centralized Registry
Meteor uses a centralized LDAP server to contain:
- Public keys of all participants
- Network status information (active, pending, suspended)
- Contact information
SAML Assertions
Meteor SAML assertions contain:
- Authentication statement: timestamp, creator, and locality (machine)
- Attributes: subject (creator), attribute name, attribute namespace, attribute value
Authentication Statement

<saml:AuthenticationStatement AuthenticationInstant=" T03:12:01CDT"
    AuthenticationMethod="nchelp.org/meteor">
  <saml:Subject>
    <saml:NameIdentifier Name="ED.TIM" SecurityDomain="nchelp.org/meteor"/>
  </saml:Subject>
  <saml:AuthenticationLocality DNSAddress="meteor.prioritytech.com" IPAddress=" ">
  </saml:AuthenticationLocality>
</saml:AuthenticationStatement>
Attributes

<saml:AttributeStatement>
  <saml:Subject>
    <saml:NameIdentifier Name="ED.TIM" SecurityDomain="nchelp.org/meteor">
    </saml:NameIdentifier>
  </saml:Subject>
  <saml:Attribute AttributeName="Role" AttributeNamespace="nchelp.org/meteor">
    <saml:AttributeValue>BORROWER</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
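As an added example (not part of the presentation or of Meteor's code), the following Python checks a constructed SAML 1.0-style assertion that wraps the authentication and attribute statements shown on the last two slides in the Conditions listed on the Typical Assertion slide: validity period (NotBefore/NotOnOrAfter), audience restriction, and one consistent subject across statements. The Assertion, Conditions, AudienceRestrictionCondition and Audience element names and all identifiers and timestamps are assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:1.0:assertion"}
# Constructed sample, not Meteor's wire format: the slides' AuthenticationStatement and
# AttributeStatement inside an Assertion carrying the "Typical Assertion" Conditions.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
  AssertionID="example-1" Issuer="nchelp.org/meteor" IssueInstant="2001-09-10T03:12:01Z">
  <saml:Conditions NotBefore="2001-09-10T03:12:01Z" NotOnOrAfter="2001-09-10T03:22:01Z">
    <saml:AudienceRestrictionCondition><saml:Audience>nchelp.org/meteor</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AuthenticationStatement AuthenticationInstant="2001-09-10T03:12:01Z"
    AuthenticationMethod="nchelp.org/meteor">
    <saml:Subject><saml:NameIdentifier Name="ED.TIM" SecurityDomain="nchelp.org/meteor"/></saml:Subject>
  </saml:AuthenticationStatement>
  <saml:AttributeStatement>
    <saml:Subject><saml:NameIdentifier Name="ED.TIM" SecurityDomain="nchelp.org/meteor"/></saml:Subject>
    <saml:Attribute AttributeName="Role" AttributeNamespace="nchelp.org/meteor">
      <saml:AttributeValue>BORROWER</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def _ts(value):
    # xsd:dateTime; the constructed sample uses UTC with a trailing Z.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def evaluate_assertion(xml_text, now_iso, my_audience):
    """Return (accepted, subject-or-reason, attributes) after enforcing the Conditions."""
    root, now = ET.fromstring(xml_text), _ts(now_iso)
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return False, "no Conditions element", {}
    nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    # Validity period: NotBefore is inclusive, NotOnOrAfter is exclusive.
    if nb and now < _ts(nb):
        return False, "assertion not yet valid", {}
    if na and now >= _ts(na):
        return False, "assertion expired", {}
    # Audience restriction: the relying party must be one of the listed audiences.
    audiences = [a.text for a in cond.findall("saml:AudienceRestrictionCondition/saml:Audience", NS)]
    if audiences and my_audience not in audiences:
        return False, "audience mismatch", {}
    # Every statement in the assertion must be about the same subject.
    names = {n.get("Name") for n in root.iterfind(".//saml:Subject/saml:NameIdentifier", NS)}
    if len(names) != 1:
        return False, "statements name different subjects", {}
    attrs = {a.get("AttributeName"): a.findtext("saml:AttributeValue", namespaces=NS)
             for a in root.iterfind("saml:AttributeStatement/saml:Attribute", NS)}
    return True, names.pop(), attrs
```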
Multiple Security Assertions
- One SAML assertion may contain authentication, authorization, and attribute information from several different authorities.
- It is not necessary to have separate assertions for each different SAML authority.
XML Signatures
- The SAML assertion is signed by the entity that created it.
- When signed, all irrelevant white-space is removed.
- Sample: Signed Assertion
- Once signed, the document may not be modified in any way.
- The entire request is not signed.
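Added example, not from the presentation or from Meteor: canonicalising an assertion before signing (Python's built-in C14N with whitespace-only text stripped), then showing that reflowed whitespace still verifies, that any change to the signed content does not, and that the request envelope around the assertion lies outside the signature. An HMAC with a constructed key stands in for the RSA signature XML-DSig would carry, and the Request and Query element names are assumptions.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
ET.register_namespace("saml", SAML_NS)  # keep the saml: prefix when re-serialising
# Constructed demo key. Meteor signs with a key pair whose public key sits in its LDAP
# registry; this HMAC is a stand-in so the example runs without an XML-DSig library.
DEMO_KEY = b"demo-signing-key-not-real"
# Constructed assertion modelled on the slides' AttributeStatement, not Meteor's wire format.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="example-1">
  <saml:AttributeStatement>
    <saml:Subject><saml:NameIdentifier Name="ED.TIM" SecurityDomain="nchelp.org/meteor"/></saml:Subject>
    <saml:Attribute AttributeName="Role" AttributeNamespace="nchelp.org/meteor">
      <saml:AttributeValue>BORROWER</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def canonical_bytes(xml_text):
    """Canonical XML (C14N) with whitespace-only text dropped: the 'irrelevant white-space' removed."""
    return ET.canonicalize(xml_data=xml_text, strip_text=True).encode("utf-8")

def sign_assertion(xml_text, key=DEMO_KEY):
    """Signature over the canonical assertion bytes (HMAC stand-in for the RSA signature)."""
    return hmac.new(key, canonical_bytes(xml_text), hashlib.sha256).hexdigest()

def verify_assertion(xml_text, signature, key=DEMO_KEY):
    return hmac.compare_digest(sign_assertion(xml_text, key), signature)

def build_request(assertion_xml, query):
    """Envelope carrying the assertion; only the assertion is signed, not the whole request."""
    return f"<Request><Query>{query}</Query>{assertion_xml}</Request>"

def extract_assertion(request_xml):
    node = ET.fromstring(request_xml).find(f"{{{SAML_NS}}}Assertion")
    node.tail = None  # drop any trailing text so the subtree serialises on its own
    return ET.tostring(node, encoding="unicode")

def demo():
    sig = sign_assertion(ASSERTION)
    # Re-indenting or collapsing whitespace does not break verification: C14N strips it.
    reflowed = ASSERTION.replace("\n", "").replace("  ", "")
    # Changing one attribute value does break it.
    tampered = ASSERTION.replace("BORROWER", "LENDER")
    # The request around the assertion can change freely: it lies outside the signed bytes.
    request = build_request(ASSERTION, "constructed-query")
    return (verify_assertion(reflowed, sig), verify_assertion(tampered, sig),
            verify_assertion(extract_assertion(request), sig))
```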
Encryption
- Meteor does not use XML Encryption: the specification was not available when we began development.
- Plan to move to it as the technology matures.
- Currently all communication is over SSL.
Meteor Security Requirements
Three capabilities must exist for secure web services:
- Credential transfer: SAML assertions
- Message integrity: XML Signatures and SSL
- Message confidentiality: SSL
Planning an Implementation
When planning your own web services:
- Gain a detailed understanding of the potential risks (viruses, hackers, natural disasters).
- Make a proactive analysis of the consequences and countermeasures in relation to those risks.
- Create an implementation strategy for integrating security measures into your enterprise network.