
Web Service Security



Presentation Transcript


  1. Web Service Security CSCI5931 Web Security Instructor: Dr. T. Andrew Yang Student: Jue Wang

  2. Outline
  • Introduction
  • Web Services Security Model Terminology
  • Web Services Security Specification
  • Relating Web Services Security to Today’s Security Models
  • Scenarios
  • References

  3. Introduction
  • What is web service security? WS-Security is flexible and is designed to be used as the basis for the construction of a wide variety of security models, including PKI, Kerberos, and SSL.
  • What are the goals of web service security? The goal of WS-Security is to enable applications to construct secure SOAP message exchanges.
  • What are the requirements of web service security?
    • Multiple security tokens for authentication or authorization
    • Multiple trust domains
    • Multiple encryption technologies
    • End-to-end message-level security, not just transport-level security

  4. Web Services Security Model Terminology
  • Web service: broadly applicable to a wide variety of network-based application topologies.
  • Security Token: a representation of security-related information (e.g. an X.509 certificate, Kerberos tickets and authenticators, mobile device security from SIM cards, a username, etc.).
  • Signed Security Token: a security token that contains a set of related claims cryptographically endorsed by an issuer.

  5. Web Services Security Model Terminology
  • Claims: a statement about a subject, made either by the subject or by a relying party, that associates the subject with the claim.
  • Subject: the subject of a security token is a principal to which the claims expressed in the security token apply.
  • Proof-of-Possession: information used in the process of proving ownership of a security token or set of claims.

  6. Web Service Security Model Terminology
  • Web Service Endpoint Policy: Web services have complete flexibility in specifying the claims they require in order to process messages.
  • Claim Requirements: may apply to whole messages or to elements of messages, to all actions of a given type, or to actions only under certain circumstances.
  • Intermediaries: perform actions such as routing the message or even modifying the message.
  • Actor: an intermediary or endpoint which is identified by a URI and which processes a SOAP message.
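The terms on slides 3 to 6 (security token, claim, subject, proof-of-possession) are concrete in the WS-Security UsernameToken profile, where the username is the claim and a digest derived from the password is the proof. The following is an added example, not code from the presentation or from any WS-Security implementation: a sender builds a SOAP envelope carrying a wsse:UsernameToken with PasswordDigest, and a receiver verifies it, including the two checks that make the digest form meaningful (timestamp freshness and a nonce replay cache). The namespace URIs and the digest formula are the real ones from the OASIS profile; the credential store, the account value, the GetBalance operation and the 5-minute clock-skew window are constructed assumptions for the example.

```python
import base64
import datetime as dt
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET

# Namespace URIs from the OASIS WS-Security 1.0 specifications (real values).
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
               "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
B64_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
            "oasis-200401-wss-soap-message-security-1.0#Base64Binary")
for _prefix, _uri in (("soap", SOAP), ("wsse", WSSE), ("wsu", WSU)):
    ET.register_namespace(_prefix, _uri)
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Profile formula: Base64(SHA-1(nonce + created + password)).

    The raw nonce bytes are hashed, not their Base64 text. The digest is the
    proof-of-possession for the password claim; the password itself never travels.
    """
    h = hashlib.sha1(nonce + created.encode("utf-8") + password.encode("utf-8"))
    return base64.b64encode(h.digest()).decode("ascii")


def build_request(username: str, password: str, nonce=None, created=None) -> str:
    """Sender side: SOAP envelope with a wsse:UsernameToken in its Security header."""
    nonce = nonce if nonce is not None else os.urandom(16)
    created = created or dt.datetime.now(dt.timezone.utc).strftime(TIME_FMT)
    env = ET.Element(f"{{{SOAP}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP}}}Header")
    sec = ET.SubElement(header, f"{{{WSSE}}}Security", {f"{{{SOAP}}}mustUnderstand": "1"})
    tok = ET.SubElement(sec, f"{{{WSSE}}}UsernameToken")
    ET.SubElement(tok, f"{{{WSSE}}}Username").text = username  # the claim
    ET.SubElement(tok, f"{{{WSSE}}}Password", {"Type": DIGEST_TYPE}).text = \
        password_digest(nonce, created, password)             # the proof
    ET.SubElement(tok, f"{{{WSSE}}}Nonce", {"EncodingType": B64_TYPE}).text = \
        base64.b64encode(nonce).decode("ascii")
    ET.SubElement(tok, f"{{{WSU}}}Created").text = created
    body = ET.SubElement(env, f"{{{SOAP}}}Body")
    ET.SubElement(body, "GetBalance").text = "ACC-001"  # hypothetical operation and account
    return ET.tostring(env, encoding="unicode")


class Receiver:
    """Endpoint side: validates the token before the body is processed."""

    def __init__(self, credentials: dict, max_skew=dt.timedelta(minutes=5)):
        self.credentials = credentials  # username -> password (constructed store)
        self.max_skew = max_skew
        self.seen_nonces = set()        # replay cache; bound it by TTL in production

    def verify(self, xml_text: str, now=None) -> str:
        """Return the username the token proves, or raise ValueError."""
        # Parse with defusedxml in production; ElementTree is used here to stay stdlib-only.
        now = now or dt.datetime.now(dt.timezone.utc)
        root = ET.fromstring(xml_text)
        tok = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security/{{{WSSE}}}UsernameToken")
        if tok is None:
            raise ValueError("no UsernameToken")
        username = tok.findtext(f"{{{WSSE}}}Username") or ""
        pw_el = tok.find(f"{{{WSSE}}}Password")
        if pw_el is None or pw_el.get("Type") != DIGEST_TYPE:
            raise ValueError("only PasswordDigest is accepted")
        nonce = base64.b64decode(tok.findtext(f"{{{WSSE}}}Nonce") or "")
        created = tok.findtext(f"{{{WSU}}}Created") or ""
        created_at = dt.datetime.strptime(created, TIME_FMT).replace(tzinfo=dt.timezone.utc)
        if abs(now - created_at) > self.max_skew:
            raise ValueError("Created timestamp outside freshness window")
        if nonce in self.seen_nonces:
            raise ValueError("replayed nonce")
        password = self.credentials.get(username)
        expected = password_digest(nonce, created, password or "")
        if password is None or not hmac.compare_digest(expected.encode(), (pw_el.text or "").encode()):
            raise ValueError("digest mismatch")
        self.seen_nonces.add(nonce)
        return username


def demo() -> tuple:
    """Constructed run: a good token, a replay of the same token, then a wrong password."""
    created = "2024-05-01T12:00:00Z"
    now = dt.datetime(2024, 5, 1, 12, 0, 30, tzinfo=dt.timezone.utc)
    rx = Receiver({"alice": "correct horse battery staple"})
    good = build_request("alice", "correct horse battery staple", nonce=b"\x01" * 16, created=created)
    results = [rx.verify(good, now=now)]
    for msg in (good, build_request("alice", "wrong", nonce=b"\x02" * 16, created=created)):
        try:
            rx.verify(msg, now=now)
            results.append("accepted")
        except ValueError as err:
            results.append(str(err))
    return tuple(results)  # → ("alice", "replayed nonce", "digest mismatch")
```

The receiver rejects a PasswordText token outright: without the nonce and timestamp the proof is the password itself, and a captured message could be presented again. Note that PasswordDigest still needs the receiver to hold the plaintext password (or an equivalent), which is why real deployments usually prefer signed tokens such as X.509 or Kerberos tokens from the next slides.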

  7. Web Services Security Specifications
  • The combination of security specifications, related activities, and interoperability profiles will enable customers to easily build interoperable secure Web services.
  Figure. Web Services Security Specifications (layered, top to bottom): WS-SecureConversation, WS-Federation, WS-Authorization; WS-Policy, WS-Trust, WS-Privacy; WS-Security (available today); SOAP Foundation.

  8. Relating WS-Security to Today’s Security Models
  • Transport Security: existing technologies can provide simple point-to-point integrity and confidentiality for a message. WS-Security provides end-to-end integrity and confidentiality across multiple transports, intermediaries, and transmission protocols.
  • PKI: the PKI model involves certificate authorities issuing certificates with public asymmetric keys. The WS-Security model supports security token services issuing security tokens using public asymmetric keys.
  • Kerberos: the Kerberos model relies on communication with the Key Distribution Center to broker trust between parties by issuing symmetric keys encrypted for both parties. The Web services model builds upon this core model with security token services brokering trust by issuing security tokens.
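The transport-security bullet is the core argument for message-level security: a TLS hop protects the wire, but an intermediary that terminates TLS sees and can change the plaintext before forwarding it. The following is an added example, not code from the presentation: a sender attaches an integrity tag over the SOAP Body, an intermediary re-parses the message and adds its own routing header (which the tag deliberately does not cover), and the receiver checks the tag. The tag is a simplified stand-in for WS-Security's XML Signature: it uses an HMAC with a pre-shared key and a toy canonical form, both assumptions of this example, where the real specification uses ds:Signature over an exclusive-canonicalised Body with a key established through a security token. The Transfer operation, the routing header and the shared key are constructed values.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
INTEG = "urn:example:integrity"   # hypothetical header namespace standing in for ds:Signature
ROUTE = "urn:example:routing"     # hypothetical header added by the intermediary
for _p, _u in (("soap", SOAP), ("integ", INTEG), ("route", ROUTE)):
    ET.register_namespace(_p, _u)


def canonical(el) -> str:
    """Toy canonical form (sorted attributes, no ignorable whitespace).

    Signing a canonical form lets the receiver verify after an intermediary
    has re-serialised the document; WS-Security uses exc-c14n for this.
    """
    attrs = "".join(f' {k}="{v}"' for k, v in sorted(el.attrib.items()))
    inner = (el.text or "").strip() + "".join(canonical(c) for c in el)
    return f"<{el.tag}{attrs}>{inner}</{el.tag}>"


def body_tag(body, key: bytes) -> str:
    return hmac.new(key, canonical(body).encode("utf-8"), hashlib.sha256).hexdigest()


def sender(key: bytes, amount: str = "100") -> str:
    """Build an envelope whose Body is protected end to end by the integrity tag."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP}}}Header")
    body = ET.SubElement(env, f"{{{SOAP}}}Body")
    transfer = ET.SubElement(body, "Transfer")          # constructed operation
    ET.SubElement(transfer, "Amount").text = amount
    ET.SubElement(transfer, "To").text = "ACC-002"
    ET.SubElement(header, f"{{{INTEG}}}BodyMac", {"alg": "hmac-sha256"}).text = body_tag(body, key)
    return ET.tostring(env, encoding="unicode")


def intermediary(xml_text: str, tamper: bool = False) -> str:
    """A router that terminates the transport hop, so it sees plaintext.

    It legitimately adds a routing header. With tamper=True it also changes the
    Body, which a per-hop transport protection would never detect.
    """
    root = ET.fromstring(xml_text)
    header = root.find(f"{{{SOAP}}}Header")
    ET.SubElement(header, f"{{{ROUTE}}}Via").text = "gateway-1"
    if tamper:
        root.find(f"{{{SOAP}}}Body/Transfer/Amount").text = "999999"
    return ET.tostring(root, encoding="unicode")


def receiver(xml_text: str, key: bytes) -> bool:
    """Accept the message only if the Body still matches the sender's tag."""
    root = ET.fromstring(xml_text)
    body = root.find(f"{{{SOAP}}}Body")
    tag = root.findtext(f"{{{SOAP}}}Header/{{{INTEG}}}BodyMac")
    if body is None or tag is None:
        return False
    return hmac.compare_digest(body_tag(body, key), tag)


def demo() -> tuple:
    """(untouched body accepted, modified body rejected) after passing the intermediary."""
    key = b"constructed-shared-key"  # in WS-Security this comes from a security token exchange
    msg = sender(key)
    return (receiver(intermediary(msg), key),
            receiver(intermediary(msg, tamper=True), key))  # → (True, False)
```

The routing header is added after signing and is still accepted, which is the property the slide describes: the protection is bound to the message content rather than to a connection, so it survives any number of transports and intermediaries, while any change to the covered part is detected at the endpoint.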

  9. Scenarios
  • Scenarios supported by the proposed initial specifications and associated deliverables:
    • Direct Trust using Username/Password and Transport-Level Security
    • Direct Trust using Security Tokens
    • Security Token Acquisition
    • Firewall Processing
    • Issued Security Token
    • Enforcing Business Policy
    • Privacy
    • Web Clients
    • Mobile Clients

  10. Scenarios
  • These scenarios can be built on the current deliverables, like WS-SecureConversation:
    • Enabling Federation
    • Validation Service
    • Supporting Delegation
    • Access Control
    • Auditing

  11. References
  • Web Services Security
  • [Kerberos] J. Kohl and C. Neuman, “The Kerberos Network Authentication Service (V5)”
  • [SOAP] W3C Note, “SOAP: Simple Object Access Protocol 1.1”
  • [WS-Routing] H. Nielsen, S. Thatte, “Web Services Routing Protocol”, Microsoft
  • [X509] S. Santesson et al., “Internet X.509 Public Key Infrastructure Qualified Certificates Profile”
  • [XML-Encrypt] W3C Working Draft, “XML Encryption Syntax and Processing”

  12. Thank You
