Presentation is loading. Please wait.

Presentation is loading. Please wait.

Web Services Security Multimedia Information Engineering Lab. Yoon-Sik Yoo.

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "Web Services Security Multimedia Information Engineering Lab. Yoon-Sik Yoo."— Presentation transcript:

1 Web Services Security Multimedia Information Engineering Lab. Yoon-Sik Yoo

2 Contents Introduction Basic Security for Transmission over HTTP Web Services and Secure Sockets Layer (SSL) XML Signature and XML Encryption XML Key Management Specification (XKMS) Security Assertion Markup Language (SAML) Extensible Access Control Markup Language (XACML) Authentication and Authorization for Web Services Web Services and Network Security

3 Introduction Web services require end-to-end security for transactions that span multiple computers. Interoperability is fundamental to Web services security, because transmissions often occur across multiple platforms and must be secured at all times.

4 Basic Security for Transmission over HTTP Security methods outlined HTTP specification are weak (HTTP provides no process for encryption the body of message). For stronger security, HTTP security should be used with other security technologies, such as SSL and Kerberos.

5 Web Services and Secure Sockets Layer (SSL) SSL is considered the next step beyond basic security for Web services. SSL employs user credential and certificates, which are sometimes too large and disables the ability to record who initiated each step of transaction. Internet Layer Transport Layer SSL Application Layer

6 XML Signature and XML Encryption XML-based applications raise significant security concerns, in part because XML documents are encoded in plan-text, rather than in a binary form. Digital signatures solve this problem by verifying document integrity.

7 XML Signature and XML Encryption Plain-text document

8 XML Signature and XML Encryption XML Signature XML Signature : W3C Recommendation February 2002 … … …

9 XML Signature and XML Encryption XML Encryption XML Encryption : W3C Recommendation 2002.12

10 XML Key Management Specification (XKMS) XKMS is specification for registering and distributing encryption keys for Public Key Infrastructure (PKI) in Web services. XKMS was developed by Microsoft, VeriSign and webMethods, but now is a W3C initiative. XKMS was designed for use with XML Signature and XML Encryption.

11 XML Key Management Specification (XKMS) XKMS is comprised of two specification XML Key Information Service Specification (X-KISS) The set of protocols that process key Information (located in an XML signature ’ s Key-Info element). XML Key Registration Service Specification (X-KRSS) The set of certificate-management protocols that addresses the life of a digital certificate-from registration to revocation and recovery.

12 XML Key Management Specification (XKMS) XML Key Information Service Specification (X-KISS) … QR9432YZ5 Signature Processing Application Key Location Service Key Database X.509 Cert QR9432YZ5 MIICXTCCA.. QR9432YZ5

13 XML Key Management Specification (XKMS) XML Key Registration Service Specification (X-KRSS) Client Pair Generation X-KRSS Service Certificate Repository (HMAC [Name, PublicKey], Proof Of Possession) Registration Result : Success

14 Security Assertion Markup Language (SAML) SAML is an standard for transferring authentication, authorization and permissions information over the Internet. SAML is a form Permissions Management Infrastructure (PMI). The SAML protocol was developed by combining two computing XML security standard Securant Technologies ’ AuthXML Netegrity ’ s Security Services Markup Language (S2ML)

15 Security Assertion Markup Language (SAML) SAML also provides a method for single sign-on authentication and authorization SAML-based applications can provide single sign-on across disparate site and platforms.

16 Security Assertion Markup Language (SAML) Single sign-on example using SAML Login PIP Login Protected Present Login Information Create SAML assertion and token Authentication Previously established trust PEPPDP Enforcement point 1 2 3 4 5 6 BobsAppliances.com JoeFlooring.com

17 Extensible Access Control Markup Language (XACML) Developed by OASIS XACML is a markup language that allows organizations to communicate their policies for accessing online information. XACML defines which clients can access information, what information is available to clients, when clients can access the information and how client can gain access to information.

18 Authentication and Authorization for Web Services Basic authentication and authorization techniques are not sufficient to secure Web services transactions. The latest Web services products use a combination of security mechanisms, including Kerberos and single sign-on. Authentication and authorization systems designed for use with Web services Microsoft ’ s Passport Sun ’ s Liberty Alliance and AOL Time Warner ’ s Screen Name Services

19 Web Services and Network Security Networks typically authenticate users before allowing access to protected resources. However, Web services often are designed to use single sign-on, which allows access to applications on the basis of another source ’ s authentication credentials. Firewalls between Web services and internal resources prevents Web service user from accessing protected information.

20 Web Services and Network Security Web services security is an ongoing process, not a one-time solution. Thus, Administrator using Web services need to stay apprised of all security developments and update their systems regularly.

Download ppt "Web Services Security Multimedia Information Engineering Lab. Yoon-Sik Yoo."

Similar presentations

Chapter 10 Encryption: A Matter of Trust. Awad –Electronic Commerce 1/e © 2002 Prentice Hall 2 OBJECTIVES What is Encryption? Basic Cryptographic Algorithm.

Chapter 10 Encryption: A Matter of Trust. Awad –Electronic Commerce 1/e © 2002 Prentice Hall 2 OBJECTIVES What is Encryption? Basic Cryptographic Algorithm.
Security by Design A Prequel for COMPSCI 702. Perspective “Any fool can know. The point is to understand.” - Albert Einstein “Sometimes it's not enough.

Security by Design A Prequel for COMPSCI 702. Perspective “Any fool can know. The point is to understand.” - Albert Einstein “Sometimes it's not enough.
Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.

Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.
A Public Web Services Security Framework Based on Current and Future Usage Scenarios J.Thelin, Chief Architect PJ.Murray, Product Manager Cape Clear Software.

A Public Web Services Security Framework Based on Current and Future Usage Scenarios J.Thelin, Chief Architect PJ.Murray, Product Manager Cape Clear Software.
0 Web Service Security JongSu Bae. 1  Introduction 2. Web Service Security 3. Web Service Security Mechanism 4. Tool Support 5. Q&A  Contents.

0 Web Service Security JongSu Bae. 1  Introduction 2. Web Service Security 3. Web Service Security Mechanism 4. Tool Support 5. Q&A  Contents.
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 23: Internet Authentication Applications.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 23: Internet Authentication Applications.
Lecture 23 Internet Authentication Applications

Lecture 23 Internet Authentication Applications
Authentication & Kerberos

Authentication & Kerberos
Grid Security. Typical Grid Scenario Users Resources.

Grid Security. Typical Grid Scenario Users Resources.
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Exchange Network Key Management Services A Security Component February 28, 2005 The Exchange Network Node Mentoring Workshop.

Exchange Network Key Management Services A Security Component February 28, 2005 The Exchange Network Node Mentoring Workshop.
Web Services and the Semantic Web: Open Discussion Session Diana Geangalau Ryan Layfield.

Web Services and the Semantic Web: Open Discussion Session Diana Geangalau Ryan Layfield.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
WS-Security TC Christopher Kaler Kelvin Lawrence.

WS-Security TC Christopher Kaler Kelvin Lawrence.
WAP Public Key Infrastructure CSCI 5939.02 – Independent Study Fall 2002 Jaleel Syed Presentation No 5.

WAP Public Key Infrastructure CSCI – Independent Study Fall 2002 Jaleel Syed Presentation No 5.
Core Web Service Security Patterns

Core Web Service Security Patterns
 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.

 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
Dr. Sarbari Gupta Electrosoft Services Tel: (703)757-9096 Security Characteristics of Cryptographic.

Dr. Sarbari Gupta Electrosoft Services Tel: (703) Security Characteristics of Cryptographic.

Similar presentations

Ads by Google