Presentation is loading. Please wait.

Presentation is loading. Please wait.

W3C Web Services Architecture Security Discussion Kick-Off Abbie Barbir, Ph.D. Nortel Networks.

Similar presentations


Presentation on theme: "W3C Web Services Architecture Security Discussion Kick-Off Abbie Barbir, Ph.D. Nortel Networks."— Presentation transcript:

1 W3C Web Services Architecture Security Discussion Kick-Off Abbie Barbir, Ph.D. abbieb@nortelnetworks.com Nortel Networks

2 1 Agenda Web Services Security RequirementsWeb Services Security Requirements Brief Review of Web Services Security WorkBrief Review of Web Services Security Work DiscussionDiscussion Next StepsNext Steps

3 2 Web Services Security Requirements Authentication to verify identity Authorization to access resources Confidentiality such that information is accessible only to intended parties Data integrity of transactions and communications Non-repudiation so that party to a transaction cannot deny the transaction Controlled access to systems and their components Integrate with Enterprise Security policies End-to-end integrity and confidentiality of messages QOS, Reliability, Scalability, and Manageability

4 3 Web Services in a Nutshell Transport (TCP/IP, UDP,…) Transfer (HTTP, SMTP, …. ) XML + Namespaces + Information Set SOAP WS Routing WS Referral WS Security XML SchemaRDF?, DAML?... Subscribe Search Register WSCI BPEL4WS WSDL WS messagingWS descriptionsWS discovery Envelope (MIME, DIME, BEEP, …. ) Canonical XML XML Encryption XML Signature WS Coordination WS Transaction UDDI WS-Inspection SAML WS License

5 4 TLS/SSL Protocol Provides the following properties: Authentication One-way authentication (in general) Privacy Data encryption, Integrity Connection is reliable (Message integrity check) Point to point based, not application specific Can be used behind firewalls Out of band operations Customers Suppliers Sellers Security Context Audit Trail End to End Security SOAP Requires Security in the MessageSOAP Requires Security in the Message SSL

6 5 Web Services Security Resources Security Assertion Markup Language (SAML) An XML based framework for exchanging security information –Enables disparate security services systems to interoperate A set of specifications that define its components: –Assertions and request/response protocols –An assertion is a declaration of fact about a subject user, based on an assertion issuer –SAML has three kinds, all related to security: –Authentication ; Attribute ; Authorization decision –Assertions can be digitally signed

7 6 SAML: Single Sign On (SSO) Authentication Server 1 1 1 1 4 4 4 4 3 3 3 3 Web Services Server 2 2 LDAP Directory 2 2 LDAP Directory Requestor SAML: How It Works 1.User accesses authentication server Authentication server asks for user ID and password 2.End user enters ID and password Authentication server checks with LDAP directory and authenticates user 3.End user requests a resource from destination/Web services server Authentication server opens a session with destination server 4.Authentication server sends uniform resource identifier (URI) to end user End user browser is redirected to URI, that connects him to Web service

8 7 Web Services Security Resources XML Key Management Specification (XKMS) Integrating PKI with Web Services Shield applications from the complexity of PKI –Delegate details of digital certificate processing to a separate Web service. Protocols for distributing and registering public keys XML Key Information Service Specification (X-KISS) –Application delegates, to a service, the processing of Key Information associated with an XML signature, XML encryption, or other public key XML Key Registration Service Specification (X-KRSS) –Protocol for registration of a key pair by a key pair holder, with the intent that the key pair subsequently is usable in conjunction with X-KISS.

9 8 XACML: Communicating Policy Information XML Access Control Markup Language (XACML) Closely related to SAML How policy information related to access control is expressed and transferred Rules that defines what Web services can exercise or what it can access –Privileges for which XML documents For example, a healthcare provider can specify which portions of a patient’s Medical record could be exposed to appropriate parties Web Services Security Resources

10 9 Message Integrity and Confidentiality XML-Signature / XML-Encryption Provide mechanisms for handling whole or partial documents Address varying requirements for access authority, confidentiality and data integrity within one document Need XML Canonical Form Web Services Security Resources

11 10 Some thoughts about SOAP SOAP is an intrinsically complex specification SOAP can easily pass through firewalls Moves security issues and protocol developments into the hands of the software developers –May not have the proper training or background Firewalls may need to do XML parsing to recognize SOAP –Cannot easily do pattern recognition –Example, various ways of encoding binary data Any method could be a read method or a write method –Harder to track actions or do action filtering In Web Services a single URI can be a SOAP endpoint that is used for many resources

12 11 WS-Security Securing SOAPSecuring SOAP Work in progressWork in progress OASIS basedOASIS based Supported by major playersSupported by major players Ensures InteroperabilityEnsures Interoperability Web Services Security Resources XML Encryption Multiple Parties Document parts Confidentiality SOAP Message WS-Security: Signature, Encryption SAML Token: Authentication, Authorization XML Signature: Integrity X.509 Certificate: Encryption, Signature verification XML Schema Validation

13 12 Discussion 1.WSA architecture and WSS 2.Need to see how other requirements such as Reliability, QoS effects security 3.Need to incorporate any requirements on security as a result from WSA work 4.Need to decide how to go about them W3C or OASIS or What


Download ppt "W3C Web Services Architecture Security Discussion Kick-Off Abbie Barbir, Ph.D. Nortel Networks."

Similar presentations


Ads by Google