1 / 21

Web Services Security Standards Overview for the Non-Specialist

Web Services Security Standards Overview for the Non-Specialist. Hal Lockhart Office of the CTO BEA Systems. Topics. Web Services Security Introduction Preliminary work at W3C WS-Security SAML WS-Trust WS-SecureConversation WS-SecurityPolicy WS-Federation Interdependencies.

richelle-lucas
Download Presentation

Web Services Security Standards Overview for the Non-Specialist

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Web Services Security StandardsOverview for the Non-Specialist Hal Lockhart Office of the CTO BEA Systems

  2. Topics • Web Services Security Introduction • Preliminary work at W3C • WS-Security • SAML • WS-Trust • WS-SecureConversation • WS-SecurityPolicy • WS-Federation • Interdependencies

  3. Information Security Definition Technologies and procedures intended to implement organizational policy in spite of human efforts to the contrary. • Suggested by Authorization • Applies to all security services • Protection against accidents is incidental • Suggests four areas of attention

  4. Information Security Areas • Policy determination • Expression: code, permissions, ACLs, Language • Evaluation: semantics, architecture, performance • Policy enforcement • Maintain integrity of Trusted Computing Base (TCB) • Enforce variable policy

  5. Security Services • Authentication – confirm asserted identity • Authorization – permit or deny a request • Integrity – prevent undetected modification of data • Confidentiality – prevent unauthorized reading of data • Audit – preserve evidence for accountability • Administration – control configuration • Others …

  6. Web Services Security • Standards for Interoperability • Between systems, not internal behavior • Authentication, Integrity, Confidentiality, Key Exchange • Consistent with XML, SOAP, WSDL, WS-Policy • Authentication methods already exist • Need to support multiple infrastructure types • Passwords, X.509, Kerberos, SAML, etc. • Most of WSS is not about stronger security • Better scaling, easier deployment

  7. W3C Security Recommendations Widespread use of XML – need for integrity & confidentiality XML Digital Signature WG (1999 to 2002) Defines rules to sign XML and record parameters and signature value Support all technologies in common use Key problem: Immaterial changes to XML documents Solution: Canonicalization XML Encryption WG (2001 and 2002) Defines rules to encrypt XML and record parameters Support all technologies in common use Key problem: Encrypted data not Schema-valid Solution: None Follow-on work currently at W3C

  8. WS-Security Overview • Basic SOAP Message Protection • Signatures, Encryption, Timestamps • Multiple token types • Username, X.509, Kerberos, SAML, REL • Token References

  9. Security Tokens • Abstraction of the common elements of information objects which represent identities • Claims, Key, Issuer, Validity etc. • In some cases, Tokens can be utilized w/o knowledge of specific Token format • Doesn’t work in all cases • Passwords are not the same as keys • Generally WSS uses Tokens to indicate keys • Claims are passed along for Authorization

  10. WS-Security General Approach • Security element in SOAP header • Can contain Tokens, Token References, Timestamp, Signatures, Encryptions • Physical order of elements determines processing order of signatures and encryptions • Signed and encrypted data can appear anywhere in envelope • A toolkit, not a protocol

  11. SAML in Web Services Security • SAML provides a very flexible, XML token • Use of browser profiles not required • SAML Assertions may or may not contain • Keys • Real world names or pseudonyms • Attributes • Viewed as easy and cheap to generate

  12. WS-Trust • Defines generic Security Token Service (STS) • Issue, renew, cancel, validate Tokens • Support for many different configurations and trust relationships • Only defines generic elements • Other specifications intended to extend and specify the details, • WS-SecureConversation, WS-Federation

  13. WS-Secure Conversation • Builds on WS-Security and WS-Trust • Allows establishment of secure session • More efficient and secure than using long term secrets directly • Like SSL/TLS except at SOAP layer • Useful in conjunction with reliable messaging • Adds two new Token types • Security Context Token (holds session info, including keys) • Derived Key Token (enables key derivation) • Two party and three party flows • Also a toolkit, but less so

  14. Key Agreement Scenarios Unilateral Mutual Third Party

  15. WS-Security Policy • Allows Web Service to express Security Policies • What needs to be protected • What tokens to use • Algorithms, reference types, etc. • Builds on WS-Policy • Uses nested policy to provide scope • Defines various groups of policy assertions • Correspond to features of WSS, Secure Conversation, Trust, etc. • Expressed in WSDL per WS-PolicyAttachment • Constrains content and layout of security header • Defines a number of Assertion types

  16. WS-SecurityPolicy Assertion Types • Protection assertions • What parts of msgs need to be protected – Confidentiality, Integrity • Token assertions • Types of tokens, in band or out of band • Binding assertions • Transport, Symmetric, Asymmetric Bindings • Can apply to response as well as request • Supporting Token assertions • Additional signatures, e.g. Endorsements • Protocol assertions • Other properties, e.g. Algorithms, Timestamps, Reference types

  17. WS-Federation • Builds on WS-Trust • Web SSO alternative to SAML profiles • Uses WS-Trust to issue tokens, including SAML • More generic, less access to SAML-specific features • Federation Metadata • Reference Tokens • Authorization Tokens • Extends WS-SecurityPolicy

  18. Related Standards • Web Single Signon and Signoff • SAML Web Browser Profiles • WS-Federation (passive requestors) • Authorization Policy – XACML • Digital Signature Services (DSS) • Create & verify signatures, signed timestamps

  19. Key OASIS Technical Committees • Security Services (2001-present) • SAML • WS-Security (2003-2006) • Core spec + Token Profiles • Now Closed • WS-SX (2006-present) • WS-Trust, WS-SecureConversation, WS-SecurityPolicy • WS-Federation (2007) • XACML (2001-present) • DSS (closed) DS-SX (2007) • Digital Signature Services

  20. Security Standards Interdependencies WS-Federation WS-SecurityPolicy WS-SecureConversation WS-Trust WSS DSS XACML SAML XML Digital Signature XML Encryption

  21. Questions?

More Related