1 Web Services Security Standards Overview for the Non-Specialist
Hal Lockhart, Office of the CTO, BEA Systems

2 Topics
- Web Services Security introduction
- Preliminary work at W3C
- WS-Security
- SAML
- WS-Trust
- WS-SecureConversation
- WS-SecurityPolicy
- WS-Federation
- Interdependencies

3 Information Security Definition
Technologies and procedures intended to implement organizational policy in spite of human efforts to the contrary.
- Suggested by authorization
- Applies to all security services
- Protection against accidents is incidental
- Suggests four areas of attention

4 Information Security Areas
- Policy determination
  - Expression: code, permissions, ACLs, language
  - Evaluation: semantics, architecture, performance
- Policy enforcement
  - Maintain integrity of the Trusted Computing Base (TCB)
  - Enforce variable policy

5 Security Services
- Authentication: confirm an asserted identity
- Authorization: permit or deny a request
- Integrity: prevent undetected modification of data
- Confidentiality: prevent unauthorized reading of data
- Audit: preserve evidence for accountability
- Administration: control configuration
- Others ...

6 Web Services Security
- Standards for interoperability
  - Between systems, not internal behavior
  - Authentication, integrity, confidentiality, key exchange
- Consistent with XML, SOAP, WSDL, WS-Policy
- Authentication methods already exist
- Need to support multiple infrastructure types
  - Passwords, X.509, Kerberos, SAML, etc.
- Most of WSS is not about stronger security
- Better scaling, easier deployment

7 W3C Security Recommendations
- Widespread use of XML: need for integrity and confidentiality
- XML Digital Signature WG (1999 to 2002)
  - Defines rules to sign XML and record the parameters and signature value
  - Supports all technologies in common use
  - Key problem: immaterial changes to XML documents (re-serialization that alters bytes but not meaning, such as attribute order, quoting or whitespace inside tags) break a byte-for-byte digest
  - Solution: canonicalization, so the digest is computed over a normalized form
- XML Encryption WG (2001 to 2002)
  - Defines rules to encrypt XML and record the parameters
  - Supports all technologies in common use
  - Key problem: encrypted data is not schema-valid
  - Solution: none
- Follow-on work currently at W3C
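To make the "immaterial changes" problem and the canonicalization fix concrete, here is an added example (not from the presentation) using the Python standard library's Canonical XML 2.0 implementation. The two XML fragments are constructed for the example and differ only cosmetically; the digest is SHA-256 for illustration, independent of any particular ds:DigestMethod a real signature would name.

```python
import hashlib
import xml.etree.ElementTree as ET

# Two constructed fragments with the same XML infoset but different bytes:
# attribute order, quote style, whitespace inside a tag and the empty-element
# form all differ, none of which changes what the document says.
DOC_A = ('<a:Body xmlns:a="http://example.org/ns" id="b1" role="x">'
         '<Item n="1"></Item></a:Body>')
DOC_B = ("<a:Body role='x' id='b1' xmlns:a='http://example.org/ns'>"
         "<Item n = '1' /></a:Body>")
# A third fragment with one materially changed value.
DOC_TAMPERED = DOC_A.replace('n="1"', 'n="2"')


def raw_digest(doc: str) -> str:
    """Hash the bytes as received: any cosmetic re-serialization breaks this."""
    return hashlib.sha256(doc.encode("utf-8")).hexdigest()


def canonicalize(doc: str) -> str:
    """Canonical XML 2.0 via the standard library (Python 3.8+).
    Deployed XML DSig usually names C14N 1.x or Exclusive C14N in
    ds:CanonicalizationMethod; the normalizations exercised here
    (attribute sorting, quoting, empty elements) are common to all of them."""
    return ET.canonicalize(xml_data=doc)


def canonical_digest(doc: str) -> str:
    """What a ds:Reference digest is actually computed over."""
    return hashlib.sha256(canonicalize(doc).encode("utf-8")).hexdigest()


def reference_valid(received: str, expected_digest: str) -> bool:
    """Verifier side: re-canonicalize what arrived and compare digests."""
    return canonical_digest(received) == expected_digest


if __name__ == "__main__":
    print("raw bytes equal:    ", raw_digest(DOC_A) == raw_digest(DOC_B))
    print("canonical equal:    ", canonical_digest(DOC_A) == canonical_digest(DOC_B))
    print("tampered verifies:  ", reference_valid(DOC_TAMPERED, canonical_digest(DOC_A)))
```

Canonicalization does not hide real changes: the tampered fragment still fails, because the changed attribute value survives into the canonical form. It only removes the differences an intermediary's parser and serializer introduce without touching content.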

8 WS-Security Overview
- Basic SOAP message protection
- Signatures, encryption, timestamps
- Multiple token types
  - Username, X.509, Kerberos, SAML, REL
- Token references

9 Security Tokens
- Abstraction of the common elements of information objects which represent identities
  - Claims, key, issuer, validity, etc.
- In some cases, tokens can be utilized without knowledge of the specific token format
- Doesn't work in all cases
  - Passwords are not the same as keys
- Generally WSS uses tokens to indicate keys
- Claims are passed along for authorization

10 WS-Security General Approach
- Security element in the SOAP header
- Can contain tokens, token references, timestamp, signatures, encryptions
- Physical order of elements determines processing order of signatures and encryptions
- Signed and encrypted data can appear anywhere in the envelope
- A toolkit, not a protocol
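The following is an added example, not code from the presentation, of a wsse:Security header that carries a wsu:Timestamp and a wsse:UsernameToken, together with the receiver logic for it. The namespace URIs and the PasswordDigest formula (Base64 of SHA-1 over nonce, created time and password) are taken from the OASIS WS-Security 1.0 and UsernameToken Profile 1.0 specifications; the credential store, the five-minute acceptance window and the sample body are constructed for the example.

```python
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Namespace and type URIs from the OASIS WS-Security 1.0 specifications.
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PW_DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
B64 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"

USERS = {"alice": "correct horse battery staple"}  # constructed credential store
WINDOW = timedelta(minutes=5)                      # acceptance window; an assumption
FMT = "%Y-%m-%dT%H:%M:%SZ"


def password_digest(nonce: bytes, created: str, password: str) -> str:
    # UsernameToken Profile 1.0: Password_Digest = Base64(SHA-1(nonce + created + password))
    raw = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return base64.b64encode(raw).decode()


def build_envelope(user: str, password: str, body: str, now=None, nonce=None) -> str:
    """Sender: Security header with a Timestamp and a digest UsernameToken."""
    now = now or datetime.now(timezone.utc)
    nonce = nonce or os.urandom(16)
    created, expires = now.strftime(FMT), (now + WINDOW).strftime(FMT)
    return f"""<soap:Envelope xmlns:soap="{SOAP}" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">
<soap:Header><wsse:Security soap:mustUnderstand="1">
<wsu:Timestamp wsu:Id="TS-1"><wsu:Created>{created}</wsu:Created><wsu:Expires>{expires}</wsu:Expires></wsu:Timestamp>
<wsse:UsernameToken wsu:Id="UT-1"><wsse:Username>{user}</wsse:Username>
<wsse:Password Type="{PW_DIGEST}">{password_digest(nonce, created, password)}</wsse:Password>
<wsse:Nonce EncodingType="{B64}">{base64.b64encode(nonce).decode()}</wsse:Nonce>
<wsu:Created>{created}</wsu:Created></wsse:UsernameToken>
</wsse:Security></soap:Header><soap:Body>{body}</soap:Body></soap:Envelope>"""


class Receiver:
    def __init__(self):
        self.seen = set()  # nonce replay cache; entries older than WINDOW can be evicted

    def accept(self, envelope: str, now=None) -> str:
        """Return the authenticated username, or raise ValueError."""
        now = now or datetime.now(timezone.utc)
        sec = ET.fromstring(envelope).find(f"{{{SOAP}}}Header/{{{WSSE}}}Security")
        if sec is None:
            raise ValueError("no wsse:Security header")
        user = None
        for el in sec:  # WS-Security: header children are processed in document order
            if el.tag == f"{{{WSU}}}Timestamp":
                created = datetime.strptime(el.findtext(f"{{{WSU}}}Created"), FMT).replace(tzinfo=timezone.utc)
                expires = datetime.strptime(el.findtext(f"{{{WSU}}}Expires"), FMT).replace(tzinfo=timezone.utc)
                if not (created - WINDOW <= now < expires):
                    raise ValueError("timestamp outside acceptance window")
            elif el.tag == f"{{{WSSE}}}UsernameToken":
                name = el.findtext(f"{{{WSSE}}}Username")
                pw = el.find(f"{{{WSSE}}}Password")
                if pw is None or pw.get("Type") != PW_DIGEST:
                    raise ValueError("only PasswordDigest tokens are accepted")
                nonce = base64.b64decode(el.findtext(f"{{{WSSE}}}Nonce"))
                created = el.findtext(f"{{{WSU}}}Created")
                tc = datetime.strptime(created, FMT).replace(tzinfo=timezone.utc)
                if abs(now - tc) > WINDOW:
                    raise ValueError("stale token")
                if nonce in self.seen:
                    raise ValueError("replayed nonce")
                expected = password_digest(nonce, created, USERS.get(name, ""))
                if name not in USERS or not hmac.compare_digest(expected, pw.text or ""):
                    raise ValueError("bad credentials")
                self.seen.add(nonce)
                user = name
        if user is None:
            raise ValueError("no UsernameToken")
        return user

    def rejects(self, envelope: str, now=None) -> bool:
        try:
            self.accept(envelope, now)
            return False
        except ValueError:
            return True


def demo() -> dict:
    """The cases a practitioner should test a receiver against."""
    good = build_envelope("alice", USERS["alice"], "<Ping/>")
    stale = build_envelope("alice", USERS["alice"], "<Ping/>",
                           now=datetime.now(timezone.utc) - timedelta(hours=1))
    r = Receiver()
    return {
        "fresh": r.accept(good),
        "replay": r.rejects(good),
        "wrong_password": Receiver().rejects(build_envelope("alice", "wrong", "<Ping/>")),
        "unknown_user": Receiver().rejects(build_envelope("bob", "x", "<Ping/>")),
        "stale": Receiver().rejects(stale),
        "body_tampered": Receiver().accept(good.replace("<Ping/>", "<Pong/>")),
    }
```

The last case in demo() is the caveat: a UsernameToken proves possession of the password and, with the nonce and timestamp, bounds replay, but it protects nothing else in the envelope. The tampered body is accepted. Integrity of the body needs a signature (or transport protection), which is why the header is a toolkit that combines tokens with signatures rather than a protocol that authenticates on its own.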

11 SAML in Web Services Security
- SAML provides a very flexible XML token
- Use of browser profiles not required
- SAML assertions may or may not contain
  - Keys
  - Real-world names or pseudonyms
  - Attributes
- Viewed as easy and cheap to generate

12 WS-Trust
- Defines a generic Security Token Service (STS)
- Issue, renew, cancel, validate tokens
- Support for many different configurations and trust relationships
- Only defines generic elements
- Other specifications are intended to extend and specify the details
  - WS-SecureConversation, WS-Federation

13 WS-SecureConversation
- Builds on WS-Security and WS-Trust
- Allows establishment of a secure session
- More efficient and secure than using long-term secrets directly
- Like SSL/TLS except at the SOAP layer
- Useful in conjunction with reliable messaging
- Adds two new token types
  - Security Context Token (holds session info, including keys)
  - Derived Key Token (enables key derivation)
- Two-party and three-party flows
- Also a toolkit, but less so
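An added example (not from the presentation) of what the Derived Key Token buys: per-message keys are expanded from the session secret of a Security Context Token, so the long-term or session secret is never used to protect a message directly. The default derivation algorithm WS-SecureConversation names for DerivedKeyToken is the P_SHA1 function from the TLS 1.0/1.1 PRF (RFC 2246), keyed by the secret and seeded with label plus nonce, which is what p_sha1 below implements. Assumptions: the label value, the use of HMAC-SHA256 as the message MAC (a real deployment names its signature algorithm in policy), and the sample secret.

```python
import hashlib
import hmac
import os

# Derivation algorithm URI named in WS-SecureConversation for wsc:DerivedKeyToken.
DK_P_SHA1 = "http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1"
# Label value is an assumption for this example: the spec lets both parties
# contribute a label and defines a default; check yours against the spec text.
LABEL = b"WS-SecureConversation"


def p_sha1(secret: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.0/1.1 P_SHA1 (RFC 2246 section 5): chained HMAC-SHA1 expansion."""
    out = b""
    a = seed                                                     # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha1).digest()           # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]


def derive_key(secret: bytes, nonce: bytes, offset: int, length: int,
               label: bytes = LABEL) -> bytes:
    """Key material for one DerivedKeyToken: P_SHA1(secret, label + nonce),
    windowed to [offset, offset + length). A token may carry wsc:Generation g
    instead of wsc:Offset, which selects offset = g * length."""
    return p_sha1(secret, label + nonce, offset + length)[offset:offset + length]


def sign(session_secret: bytes, payload: bytes, nonce: bytes = None,
         generation: int = 0, length: int = 16) -> dict:
    """Sender: fresh nonce per message, MAC under the derived key. Returns what
    the DerivedKeyToken has to convey so the receiver can re-derive the key."""
    nonce = nonce if nonce is not None else os.urandom(16)
    key = derive_key(session_secret, nonce, generation * length, length)
    return {"nonce": nonce, "generation": generation, "length": length,
            "mac": hmac.new(key, payload, hashlib.sha256).digest()}


def verify(session_secret: bytes, payload: bytes, token: dict) -> bool:
    """Receiver: re-derive from the shared session secret; the secret itself
    never touches the message."""
    key = derive_key(session_secret, token["nonce"],
                     token["generation"] * token["length"], token["length"])
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return hmac.compare_digest(mac, token["mac"])


if __name__ == "__main__":
    secret = os.urandom(32)                      # constructed: what the STS would issue
    tok = sign(secret, b"<Body>order 42</Body>", generation=1)
    print(verify(secret, b"<Body>order 42</Body>", tok))   # True
    print(verify(secret, b"<Body>order 43</Body>", tok))   # False
```

Because the derived key is a window into a keystream determined by (secret, label, nonce), both sides agree on it from the token's parameters alone, and a fresh nonce or a new generation gives a fresh key without another round trip to the STS. Exposure of one derived key does not hand the attacker the session secret, which is the "more secure than using long-term secrets directly" point on the slide.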

14 Key Agreement Scenarios (diagram; the three flows shown are Unilateral, Mutual and Third Party)

15 WS-SecurityPolicy
- Allows a Web service to express security policies
  - What needs to be protected
  - What tokens to use
  - Algorithms, reference types, etc.
- Builds on WS-Policy
  - Uses nested policy to provide scope
- Defines various groups of policy assertions
  - Correspond to features of WSS, SecureConversation, Trust, etc.
- Expressed in WSDL per WS-PolicyAttachment
- Constrains content and layout of the security header
- Defines a number of assertion types

16 WS-SecurityPolicy Assertion Types
- Protection assertions
  - What parts of messages need to be protected: confidentiality, integrity
- Token assertions
  - Types of tokens, in band or out of band
- Binding assertions
  - Transport, Symmetric, Asymmetric bindings
  - Can apply to the response as well as the request
- Supporting token assertions
  - Additional signatures, e.g. endorsements
- Protocol assertions
  - Other properties, e.g. algorithms, timestamps, reference types

17 WS-Federation
- Builds on WS-Trust
- Web SSO alternative to the SAML profiles
- Uses WS-Trust to issue tokens, including SAML
  - More generic, less access to SAML-specific features
- Federation metadata
- Reference tokens
- Authorization tokens
- Extends WS-SecurityPolicy

18 Related Standards
- Web single sign-on and sign-off
  - SAML Web Browser profiles
  - WS-Federation (passive requestors)
- Authorization policy: XACML
- Digital Signature Services (DSS)
  - Create and verify signatures, signed timestamps

19 Key OASIS Technical Committees
- Security Services (2001 to present): SAML
- WS-Security (2003 to 2006): core spec plus token profiles; now closed
- WS-SX (2006 to present): WS-Trust, WS-SecureConversation, WS-SecurityPolicy
- WS-Federation (2007)
- XACML (2001 to present)
- DSS (closed); DSS-X (2007): Digital Signature Services

20 Security Standards Interdependencies (diagram)
Nodes shown: XML Encryption, XML Digital Signature, DSS, XACML, SAML, WSS, WS-Trust, WS-SecureConversation, WS-SecurityPolicy, WS-Federation.
Layering as stated on the preceding slides: WSS applies XML Digital Signature and XML Encryption to SOAP; WS-Trust builds on WSS; WS-SecureConversation builds on WSS and WS-Trust; WS-Federation builds on WS-Trust and extends WS-SecurityPolicy; WS-SecurityPolicy builds on WS-Policy and describes the features of WSS, WS-SecureConversation and WS-Trust.

21 Questions?

