1 / 39

XML Security Standards — Overview for the Non-Specialist

XML Security Standards — Overview for the Non-Specialist. Hal Lockhart Office of the CTO BEA Systems. Topics. Security Introduction Preliminary work at W3C SAML XACML Digital Signature Services WS-Security WS-SecureConversation, WS-Trust & WS-SecurityPolicy Interdependencies.

devaki
Download Presentation

XML Security Standards — Overview for the Non-Specialist

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. XML Security Standards — Overview for the Non-Specialist Hal Lockhart Office of the CTO BEA Systems

  2. Topics • Security Introduction • Preliminary work at W3C • SAML • XACML • Digital Signature Services • WS-Security • WS-SecureConversation, WS-Trust & WS-SecurityPolicy • Interdependencies

  3. Information Security Definition Technologies and procedures intended to implement organizational policy in spite of human efforts to the contrary. • Suggested by Authorization • Applies to all security services • Protection against accidents is incidental • Suggests four areas of attention

  4. Information Security Areas • Policy determination • Expression: code, permissions, ACLs, Language • Evaluation: semantics, architecture, performance • Policy enforcement • Maintain integrity of Trusted Computing Base (TCB) • Enforce variable policy

  5. Security Services • Authentication – confirm asserted identity • Authorization – permit or deny a request • Integrity – prevent undetected modification of data • Confidentiality – prevent unauthorized reading of data • Audit – preserve evidence for accountability • Administration – control configuration • Others …

  6. Topics • Security Introduction • Preliminary work at W3C • SAML • XACML • Digital Signature Services • WS-Security • WS-SecureConversation, WS-Trust & WS-SecurityPolicy • Interdependencies

  7. W3C Security Recommendations • Widespread use of XML – need for integrity & confidentiality • XML Digital Signature WG (1999 to 2002) • Defines rules to sign XML and record parameters and signature value • Support all technologies in common use • Key problem: Immaterial changes to XML documents • Solution: Canonicalization • XML Encryption WG (2001 and 2002) • Defines rules to encrypt XML and record parameters • Support all technologies in common use • Key problem: Encrypted data not Schema-valid • Solution: None

  8. Topics • Security Introduction • Preliminary work at W3C • SAML • XACML • Digital Signature Services • WS-Security • WS-SecureConversation, WS-Trust & WS-SecurityPolicy • Interdependencies

  9. SAML Background • Web Single Signon • Web is stateless • Very inconvenient for security • Use of Web Server Farms • User inconvenience, performance and risk, multiple repositories • Federated Identity • Federation – independent entities maintain user info • The alternative is centralization – impractical • The way the world works • Requires agreed formats and protocols (standards)

  10. SAMLKey Ingredients for Standardization • Web Access Management Vendors • Already solved the problem using proprietary methods (multiple times) • Broad agreement on requirements and solutions • Marketplace • Large scale projects would require standards • Rising tide theory • Willingness to standardize • Random Factors • XML becoming fashionable • OASIS offered favorable environment • (SAML became the first security-related TC at OASIS)

  11. Liberty 1.1 Completed: Jan 2003 SAML 1.1 Completed: May 2003 OASIS Standard: September 2003 Shibboleth OpenSAML 1.0 Completed: June 2003 Shibboleth OpenSAML 1.1 Completed: August 2003 Liberty ID-FF 1.2 Completed: Oct 2003 Oct-2003: SSTC receives Digital ID World “Balancing Innovation & Reality" award SAML 2.0 Completed: January 2005 OASIS Standard: March 2005 SAML Timeline SAML 1.0 Completed: May 2002 OASIS Standard: November 2002 Nov-2002: SAML wins PC Magazine Technology Excellence Award

  12. SAML assertions • Assertions are declarations of fact, according to someone • SAML assertions are compounds of one or more of three kinds of “statement” about “subject” (human or program): • Authentication • Attribute • Authorization decision • You can extend SAML to make your own kinds of assertions and statements • Assertions can be digitally signed

  13. SAML protocol for getting assertions

  14. SAML Standards Dependencies • Uses XML Signature to protect assertions from modification • Uses XML Encryption to protect privacy when assertions are stored • Uses SSL and WS-Security to protect assertions on the wire • Is used by WS-Security to identify users and keys

  15. Current Work • Sticking with SAML 2.0 to drive adoption • Profiles reviewed or under review • Metadata Extension for Query Requesters • Protocol Extensions for Third-Party Requests • Attribute Sharing Profile for X.509 Authentication Based Systems • XPath Attribute Profile • SAML V1.x Metadata Profile • Shared Credentials Profiles • Text-based Challenge Response • HTTP POST “SimpleSign” Binding • SAML 2.0 -> ITU-T Recommendation X.1141

  16. Topics • Security Introduction • Preliminary work at W3C • SAML • XACML • Digital Signature Services • WS-Security • WS-SecureConversation, WS-Trust & WS-SecurityPolicy • Interdependencies

  17. XACML TC Charter • Define a core XML schema for representing authorization and entitlement policies • Target - any object - referenced using XML • Fine grained control, characteristics - access requestor, protocol, classes of activities, and content introspection • Consistent with and building upon SAML

  18. XACML TC History • First Meeting – 21 May 2001 • XACML 1.0 - OASIS Standard – 6 February 2003 • XACML 1.1 – Committee Specification – 7 August 2003 • XACML 2.0 – OASIS Standard – 1 February 2005 • XACML 2.0 – ITU/T Recommendation X.1142

  19. Policy Examples • “Anyone view their own 401K information, but nobody else’s” • “The print formatting service can access printers and temporary storage on behalf of any user with the print attribute” • “The primary physician can have any of her patients’ medical records sent to a specialist in the same practice.” • “Anyone can use web servers with the ‘spare’ property between 12:00 AM and 4:00 AM” • “Salespeople can create orders, but if the total cost is greater that $1M, a supervisor must approve”

  20. XACML Objectives • Ability to locate policies in distributed environment • Ability to federate administration of policies about the same resource • Base decisions on wide range of inputs • Multiple subjects, resource properties • Decision expressions of unlimited complexity • Ability to do policy-based delegation • Usable in many different environments • Types of Resources, Subjects, Actions • Policy location and combination

  21. Novel XACML Features • Large Scale Environment • Subjects, Resources, Attributes, etc. not necessarily exist or be known at Policy Creation time • Multiple Administrators - potentially conflicting policy results • Combining algorithms • Request centric • Use any information available at access request time • Zero, one or more Subjects • No invented concepts (privilege, role, etc.) • Dynamically bound to request • Not limited to Resource binding • Only tell what policies apply in context of Request • Two stage evaluation

  22. Request and Response Context

  23. XACML Profiles • Digital Signature • Integrity protection of Policies • Hierarchical Resources • Using XACML to protect files, directory entries, web pages • Privacy • Determine “purpose” of access • RBAC • Support ANSI RBAC Profile with XACML • SAML Integration • XACML-based decision request • Fetch applicable policies • Attribute alignment

  24. XACML Standards Dependencies • XACML uses SAML assertions structure and protocols to protect and distribute policies therefore it: • Uses XML Signature to protect assertions from modification • Uses XML Encryption to protect privacy when assertions are stored • Uses SSL and WS-Security to protect assertions on the wire • XACML is also referenced by a number of other specifications as the access control mechanism

  25. XACML Version 3.0 • Administrative policies • “HR-Admins can create policies concerning the Payroll servers” • Policy delegation • “Jack can approve expenses while Mary is on vacation” • Policy provisioning • Enhanced Obligation processing • Policy queries • Revocation

  26. Topics • Security Introduction • Preliminary work at W3C • SAML • XACML • Digital Signature Services • WS-Security • WS-SecureConversation, WS-Trust & WS-SecurityPolicy • Interdependencies

  27. www.oasis-open.org Digital Signature Services (DSS) • Web Service to create / verify signatures & timestamps on behalf of users • Complexities & security issues of key management etc taken from user • Supports range of signature formats including: • W3C XML Signatures • CMS (RFC 3852) Signatures • RFC 3161 Timestamps • Intended primarily where signatures have lasting significance • Electronic Commerce • Aligned with legal requirements in various venues

  28. DSS Specifications • Core • Generic protocol and core features • Profiles • Selects options from Core and extends if necessary • Current DSS profiles • Time-stamping • Asynchronous operation • Code signing • Entity seal • Electronic Post Mark • German signature law • Advanced electronic signature • Signature gateway

  29. DSS Status • Core at 3rd CD takes into account • Interoperability trials • Feedback from implementers within & outside group • Profiles updated to align with 3rd CD • Currently in public review • To be followed by OASIS Std Vote

  30. Topics • Security Introduction • Preliminary work at W3C • SAML • XACML • Digital Signature Services • WS-Security • WS-SecureConversation, WS-Trust & WS-SecurityPolicy • Interdependencies

  31. WS-Security Overview • Basic SOAP Message Protection • Signatures, Encryption, Timestamps • Multiple token types • Username, X.509, Kerberos, SAML, REL • Token References

  32. Web Services Security History • Submitted to OASIS September 2002 • Interoperability testing began Summer 2003 • OASIS Standard - April 2004 • Core Specification + Username and X.509 Profiles • SAML & REL Profiles OASIS Standard - December 2004 • Public Interoperability Demo – April 2005 • WSS 1.1 – OASIS Standard February 2006 • Includes Attachments & Kerberos • Formal WSS 1.1 Errata approved November 2006 • Vote to Close TC • WS-I Basic Security Profile 1.0 & 1.1

  33. Topics • Security Introduction • Preliminary work at W3C • SAML • XACML • Digital Signature Services • WS-Security • WS-SecureConversation, WS-Trust & WS-SecurityPolicy • Interdependencies

  34. WS-SX Overview • Three new security specifications building on WS-Security • WS-Trust • Mechanisms to issue tokens and associated keys • WS-SecureConversation • Allows establishment of secure session (think SSL for SOAP) • WS-SecurityPolicy • Allows Web Service to express Security Policies

  35. WS-SX TC History • New TC formed December 2005 • Under new IPR policy (RF-RAND) • Privately published specifications • Substantial interop & review of WS-SC & WS-Trust prior to TC start • WS-SP is much less mature

  36. WS-SX Currently • Charter goal: complete in 18 months • 2nd F2F Meeting held in April 2006 • Weekly con calls • Interop testing of WS-SecCon & WS-Trust over summer • 60 day Public Review complete Dec 2 • Interop of WS-SecurityPolicy underway • Public review this winter • Submission to OASIS for vote as a Standard • Security Policy Usecases also under development

  37. Topics • Security Introduction • Preliminary work at W3C • SAML • XACML • Digital Signature Services • WS-Security • WS-SecureConversation, WS-Trust & WS-SecurityPolicy • Interdependencies

  38. Security Standards Interdependencies WS-SecurityPolicy WS-SecureConversation WS-Trust WSS DSS XACML SAML XML Digital Signature XML Encryption

  39. Questions?

More Related