Web Service Security, JongSu Bae. Contents: 1. Introduction 2. Web Service Security 3. Web Service Security Mechanism 4. Tool Support 5. Q&A


Slide 1: Web Service Security, JongSu Bae

Slide 2: Contents
  1. Introduction
  2. Web Service Security
  3. Web Service Security Mechanism
  4. Tool Support
  5. Q&A

Slide 3: 1. Introduction: Web Service Security concept
  (1) To prevent unexpected external threat or risk
  (2) To secure Web services
  - Provide secure or trusted message communication mechanisms for Web Services
  - Secure Messaging

Slide 4: 1. Introduction: Web Service Security trend
  - Gartner, Web Services Projects Remain a Priority, 2004/4
  - Gartner, Hype Cycle for Web Services, 2004/6

Slide 5: 2. Web Service Security: Web Service Security Threat
  - Message Alteration: affects message integrity; an attacker may modify part of (or the whole) message
  - Confidentiality: unauthorized entities obtain access to information within a message or message parts
  - Man-in-the-middle: an attacker compromises a SOAP intermediary and then intercepts messages between the web service requester and the ultimate receiver
  - Spoofing: an attacker assumes the identity of a trusted entity in order to sabotage the security of the target entity
  - Denial of Service: focuses on preventing legitimate users of a service from being able to use the service
  - Replay Attacks: an intruder intercepts a message and then replays it back to a targeted agent

Slide 6: 2. Web Service Security: Web Service Security Requirement
  - Authentication Mechanisms: verify the identities of the requester and provider agents
  - Authorization: control the requester's access to appropriate system resources
  - Data Integrity and Confidentiality: ensures that the data is only accessible by the intended parties
  - Integrity of Transactions and Communications: ensure that the business process was done properly and the flow of operations was executed in a correct manner
  - End-to-End Integrity and Confidentiality of Messages: integrity and confidentiality of messages must be ensured even in the presence of intermediaries
  - Audit Trails: play the role of an audit guard that can monitor and watch resources and other agents
  - Distributed Enforcement of Security Policies: define a security policy and enforce it across various platforms with varying privileges
  - Non-Repudiation: provide evidence about the occurrence of transactions

Slide 7: 2. Web Service Security: Web Service Security Standard

  Organization | Working Group | Protocol Name | Current State
  W3C | XML Encryption Working Group | XML Signature | Approved
  W3C | XML Encryption Working Group | XML Encryption | Approved
  W3C | XML Key Management Working Group | XKMS 2.0 | Approved
  OASIS | Security Services TC (Technical Committee) | SAML 2.0 | Approved
  OASIS | eXtensible Access Control Markup Language TC | XACML 2.0 | Approved
  OASIS | Web Services Security TC | WS-Security 1.1 | Approved
  WS-I | Basic Security Profile Working Group | WS-I Basic Security Profile | Draft

Slide 8: 3. Web Service Security Mechanism: Web Service Security Methods

  Security method | Technologies | Descriptions
  Transmission Level Security (Point-to-point) | SSL/TLS | Secure sockets layer, transport layer security
  Transmission Level Security (Point-to-point) | XML Firewall/Gateway | Provide network level message validation
  Message Level Security (End-to-End) | XML encryption | Add ciphered text in SOAP Message
  Message Level Security (End-to-End) | XML signature | Add signature in SOAP Message
  Message Level Security (End-to-End) | WS-Security | Enhances the SOAP message to provide integrity and confidentiality by accommodating a wide variety of security models and encryption technologies like SAML, XML Encryption, etc.
  Message Level Security (End-to-End) | SAML | Allows business entities to make assertions
  Message Level Security (End-to-End) | XKMS | XML Key Management
  Message Level Security (End-to-End) | XACML | Defines access control policy
  Message Level Security (End-to-End) | Others | WS-SecureConversation, WS-Federation, WS-Authorization, WS-Policy, WS-Trust, WS-Privacy
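Added example (not part of the original slides): one way a receiver can reject the Replay Attacks threat listed earlier at message level, using the WS-Security UsernameToken, whose PasswordDigest is Base64(SHA-1(nonce + created + password)). The five-minute window, the in-memory nonce cache, the function names and all sample values are assumptions constructed for illustration.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(minutes=5)  # assumed freshness window, not from the slides
_seen_nonces = {}               # nonce -> Created time (assumed in-memory cache)


def password_digest(nonce_b64, created, password):
    """UsernameToken PasswordDigest: Base64(SHA-1(nonce + created + password))."""
    raw = base64.b64decode(nonce_b64) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()


def verify_token(nonce_b64, created, digest_b64, password, now):
    """Classify one token as 'ok', 'stale', 'replay' or 'bad-digest'."""
    created_at = datetime.strptime(created, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    # Drop cached nonces whose Created time has left the window; a replay of
    # those is rejected as stale, so the cache stays bounded.
    for nonce, seen_at in list(_seen_nonces.items()):
        if now - seen_at > MAX_AGE:
            del _seen_nonces[nonce]
    if abs(now - created_at) > MAX_AGE:
        return "stale"
    if nonce_b64 in _seen_nonces:
        return "replay"
    expected = password_digest(nonce_b64, created, password)
    if not hmac.compare_digest(expected, digest_b64):
        return "bad-digest"
    # Record the nonce only after the digest verifies, so a forged token
    # cannot burn a legitimate sender's nonce.
    _seen_nonces[nonce_b64] = created_at
    return "ok"


def demo():
    """Constructed sample: original delivery, immediate replay, late replay."""
    secret = "constructed-secret"
    nonce = base64.b64encode(b"constructed-nonce").decode()
    created = "2004-06-01T12:00:00Z"
    now = datetime(2004, 6, 1, 12, 0, 30, tzinfo=timezone.utc)
    digest = password_digest(nonce, created, secret)
    return (verify_token(nonce, created, digest, secret, now),
            verify_token(nonce, created, digest, secret, now + timedelta(seconds=10)),
            verify_token(nonce, created, digest, secret, now + timedelta(hours=1)))


if __name__ == "__main__":
    print(demo())
```

Because Created is covered by the digest, an interceptor cannot refresh the timestamp of a captured token without knowing the password; the token itself still needs transmission-level or message-level confidentiality, since the digest only protects the password, not the rest of the message.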

Slide 9: 3. Web Service Security Mechanism: Transmission Level Security vs Message Level Security
  [Figure: two diagrams of a message travelling from the original requester through an intermediary to the ultimate receiver. Labels: All Message Encrypt, All Message Decrypt, Message Encrypt, Message Decrypt, http etc., SOAP, Security model.]

Slide 10: 3. Web Service Security Mechanism: Transmission Level Security
  - Provides a point-to-point security mechanism
  - Secures each communication entries
  SSL/TLS
  - Send or receive messages over a secure communication session
  - Works at the transmission and TCP/IP layer
  - Software based
  XML Firewall/Gateway
  - Validates incoming messages against an XML schema
  - Software and hardware based
  [Figure: network diagram showing an XML Firewall/Gateway.]

Slide 11: 3. Web Service Security Mechanism: Message Level Security
  XML signature
  - Enveloping Signature
  - Enveloped Signature
  - Detached Signature
  XML Encryption
  [Example on the slide, markup lost in extraction: Gil-dong,Hong …… s98asd32fl2kjJSD9]

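Slide 12: 4. Tool Support: Security Requirement and Standard
  [Table: matrix of security requirements against standards; the cell marks were lost in extraction.]
  Standards: XML Signature, XML Encryption, WS-Security, XKMS, SAML, XACML, WS-Trust, WS-Policy
  Requirements: Confidentiality, Integrity, Authentication, Authorization, Nonrepudiation, Key Management, Trust Management, Privacy Policies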

Slide 13: 4. Tool Support: Web Service Security support tool
  (Columns on the slide: Vendor, WAS/Development Tool, Support, etc)
  BEA: WebLogic Server 8.1 / WebLogic Workshop 8.1
  - Web Services Security (WS-Security) Version 1.0 (2002/4/5)
  IBM: WebSphere Application Server 5.1 / WebSphere Studio Application Developer 5.1.1
  - Web Services Security (WS-Security) Version 1.0 (2002/4/5)
  - Web Services Security Addendum (2002/8/18)
  - Web Services Security: SOAP Message Security Working Draft 13 (2003/5/13)
  MS: IIS 6.0 / Microsoft Windows Server / Microsoft Visual Studio .NET
  - Web Services Security (WS-Security) Version 1.0 (2002/4/5)
  - Web Services Security Addendum (2002/8/18)
  - WSE (Web Service Enhancement)

Slide 14: 5. Q&A
  Thank you for listening

