
1 Achieving Data Privacy and Security Using Web Services
Alfred C. Weaver
Professor of Computer Science
University of Virginia
Charlottesville, Virginia, USA
weaver@cs.virginia.edu
http://www.cs.virginia.edu/~acw/security/

2 Outline
- Motivation for data security
- Security architecture
  - Web services
  - Trust
- Components of security
  - Authentication
  - Authorization
  - Federation
- Research issues

3 Data Privacy and Security
[Diagram labels: Plants, Processes, Databases, Desktops, Laptops, PDAs, Cell phones, Global Internet]

4 Virtual Factory

6 Risks
- Access by unauthorized individuals
- Access denied to authorized individuals
- Identity theft and impersonation
- Authentication techniques of varying reliability
- Mobile access devices
- Viruses and worms

7 Risk Mitigation Requirements
- Establish and maintain trust between data requestor and data provider
- Techniques must be applicable to both humans and software
- Trust decisions must be made without human intervention

8 Outline
- Motivation for data security
- Security architecture
  - Web services
  - Trust
- Components of security
  - Authentication
  - Authorization
  - Federation
- Research issues

10 Outline
- Motivation for data security
- Security architecture
  - Web services
  - Trust
- Components of security
  - Authentication
  - Authorization
  - Federation
- Research issues

11 Security Architecture
- Based upon web services
  - useful functionality exposed on the WWW
  - provide fundamental, standardized building blocks to support distributed computing over the internet
  - applications communicate using XML documents that are computer-readable

12 Why Web Services?
- Internet provides a powerful, standardized, ubiquitous infrastructure whose benefits are impossible to ignore
  - provided that access is reliable, dependable, and authentic
- World-wide acceptance
  - preferential way to interconnect applications in a loosely-coupled, language-neutral, platform-independent way

13 Web Services
- Built on four primary technologies
  - eXtensible Markup Language (XML)
    - format to enable machine-readable text
  - Simple Object Access Protocol (SOAP)
    - specifies format and content of messages
  - Web Services Description Language (WSDL)
    - XML document that describes a set of SOAP messages and how they are exchanged
  - Universal Description, Discovery, and Integration (UDDI)
    - searchable "whitepage directory" of web services

14 SOAP Example
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"> Alfred Weaver 22-342439 98-283843 100.00 USD
TransferFunds (from, to, amount)

15 Outline
- Motivation for data security
- Security architecture
  - Web services
  - Trust
- Components of security
  - Authentication
  - Authorization
  - Federation
- Research issues

16 Trust
- Who you are: Authentication
- What you have: Credentials, attributes
- What you can do: Privileges
- {Authentication, Credentials, Privileges}

17 Outline
- Motivation for data security
- Security architecture
  - Web services
  - Trust
- Components of security
  - Authentication
  - Authorization
  - Federation
- Research issues

18 Authentication
- Biometric
  - based upon physical or behavioral characteristics
  - answers “who are you?”
- Digital
  - something you have or know
- Two-factor authentication
  - biometric + digital

19 Identification vs. Verification
- Identification
  - of all humans, which one are you?
- Verification
  - does your biometric (bid sample) match a previously enrolled biometric template?

20 False Acceptance/Rejection
- False acceptance rate (FAR)
  - incorrectly matches a bid sample to an enrolled template
  - this is very bad
  - FAR must be very, very low
- False rejection rate (FRR)
  - fails to match a legitimate bid sample to an enrolled template
  - this can be an annoyance or a denial of service
  - FRR must be low if technique is to be used

21 Fingerprints
- 70 points of differentiation (loops, whirls, deltas, ridges)
- Even identical twins have differing fingerprint patterns
- False acceptance rate < 0.01%
- False rejection rate < 1.4%
- Can distinguish a live finger
- Fast to enroll
- Inexpensive (~$50-100)

22 Fingerprint Scanners
[Image captions: HP IPAQ; Digital Persona U.are.U Pro; IBM Thinkpad T42]

23 Iris Scans
- Iris has 266 degrees of freedom
- Identical twins have different iris patterns
- False acceptance rate < 0.01%
- False rejection rate < 0.01%
- Does take some time and controlled lighting to enroll
- Pattern is stored as a data template, not a picture
- Flash light to detect pupil dilation (prove live eye)

24 Physical Biometrics
- Fingerprint
- Iris
- Retina
- Hand geometry
- Finger geometry
- Face geometry
- Ear shape
- Palm print
- Smell
- Thermal face image
- Hand vein
- Fingernail bed
- DNA

25 Determining a Match
- Enrollment produces a template
  011010101111011110000001...

26 Determining a Match
- Enrollment produces a template
- Bid sample produces another template
  011010101111011110000001...
  011010101100011110000111...

27 Determining a Match
- Enrollment produces a template
- Bid sample produces another template
- Hamming distance between them is the degree of difference
  011010101111011110000001...
  011010101100011110000111...
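
Added example (not from the original slides): the Hamming-distance match of slides 25-27 applied as 1:1 verification, with FAR and FRR from slide 20 measured at several thresholds. The 24-bit templates are the visible prefixes from the slides; the extra bid samples, the identity name and the thresholds are constructed for illustration.

```python
# Enrolled template: the 24 bits visible on slide 25 (real templates are longer).
ENROLLED = {"alice": "011010101111011110000001"}  # "alice" is a hypothetical identity

SLIDE_BID = "011010101100011110000111"  # bid sample shown on slides 26-27

# Constructed trials: (claimed identity, bid template, is the claimant genuine?)
TRIALS = [
    ("alice", SLIDE_BID, True),                    # genuine, 4 bits differ
    ("alice", "011010101111011110000011", True),   # genuine, 1 bit differs
    ("alice", "100110101111011110001110", True),   # genuine but noisy, 8 bits differ
    ("alice", "110001010000100101111010", False),  # impostor, 20 bits differ
    ("alice", "011010100011011110011011", False),  # close impostor, 5 bits differ
]

def hamming(a: str, b: str) -> int:
    """Number of bit positions in which two equal-length templates differ."""
    if len(a) != len(b):
        raise ValueError("templates must be the same length")
    return sum(x != y for x, y in zip(a, b))

def verify(claimed: str, bid: str, threshold: int) -> bool:
    """Verification (1:1): accept when the bid is within `threshold` bits."""
    return hamming(ENROLLED[claimed], bid) <= threshold

def error_rates(trials, threshold: int):
    """Return (FAR, FRR) for the given trials at one decision threshold."""
    false_accepts = false_rejects = genuine = impostors = 0
    for claimed, bid, is_genuine in trials:
        accepted = verify(claimed, bid, threshold)
        if is_genuine:
            genuine += 1
            false_rejects += not accepted
        else:
            impostors += 1
            false_accepts += accepted
    return false_accepts / impostors, false_rejects / genuine

if __name__ == "__main__":
    print("slide templates differ in", hamming(ENROLLED["alice"], SLIDE_BID), "bits")
    for t in (3, 5, 8):
        far, frr = error_rates(TRIALS, t)
        print(f"threshold={t}: FAR={far:.2f} FRR={frr:.2f}")
```

Raising the threshold lowers FRR at the cost of FAR, so the threshold is chosen from the FAR the application can tolerate, not the other way round.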

28 Behavioral Biometrics
- Signature
- Voice
- Keyboard dynamics
[Image: signature "Alfred C. Weaver"]

29 Digital Techniques
- PINs and passwords
- E-tokens
- Smart cards
- RFID
- X.509 certificates

30 eToken
- Stores credentials such as passwords, digital signatures and certificates, and private keys
- Some can support on-board authentication and digital signing

31 Smartcard
- Size of a credit card
- Microprocessor and memory
- All data movements encrypted

32 RFID
- IC with antenna
- Works with a variety of transponders
- No power supply
- Supplies identity information
- Susceptible to theft and replay attacks

33 Authentication Token
2005-09-20T08:30:00.0000000-04:00
2005-09-21T08:30:00.0000000-04:00
385739601
http://cs.virginia.edu/TrustSTS.asmx
http://cs.virginia.edu/TrustAuthority.asmx

34 Authentication Token
2005-09-20T08:30:00.0000000-04:00
2005-09-21T08:30:00.0000000-04:00
385739601
Fingerprint
Digital Persona U.are.U
http://cs.virginia.edu/TrustSTS.asmx
http://cs.virginia.edu/TrustAuthority.asmx

35 X.509 Certificates
- Certificate issued by a trusted Certificate Authority (e.g., VeriSign)
- Contains
  - name
  - serial number
  - expiration dates
  - certificate holder’s public key (used for encrypting/decrypting messages and digital signatures)
  - digital signature of the Certificate Authority (so recipient knows that the certificate is valid)
- Recipient may confirm identity of the sender with the Certificate Authority

36 Outline
- Motivation for data security
- Security architecture
  - Web services
  - Trust
- Components of security
  - Authentication
  - Authorization
  - Federation
- Research issues

37 Security Assertion Markup Language (SAML)
- Interoperable exchange of security information enables
  - web single sign-on
  - distributed authorization services
  - securing electronic transactions
- Transcends the local security domain

38 SAML Assertions
- Assertion is a declaration of facts
- Three types of security assertions
  - authentication
  - attribute
  - authorization decision

39 SAML Conceptual Model

40 Authentication Assertion
- An issuing authority asserts that subject S was authenticated by means M at time T
- Example
  - subject “Alfred C. Weaver” was authenticated by “password” at time “2005-12-14T10:02:00Z”

41 Example Authentication Assertion
AssertionID="128.9.167.32.12345678" Issuer="Robotics Corporation" IssueInstant="2005-12-14T10:02:00Z">
AuthenticationMethod="password" AuthenticationInstant="2005-12-14T10:02:00Z">
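
Added example (not from the original slides): a relying party's checks on the authentication assertion "subject S was authenticated by means M at time T". The XML is a constructed SAML 1.1 assertion carrying the attribute values shown on slide 41; the trusted-issuer set, the accepted-method set and the 8-hour freshness limit are hypothetical policy, and the assertion's XML signature is assumed to have been verified before this code runs.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:1.0:assertion"}

# Constructed assertion; attribute values are those shown on slide 41.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="1" AssertionID="128.9.167.32.12345678"
    Issuer="Robotics Corporation" IssueInstant="2005-12-14T10:02:00Z">
  <saml:AuthenticationStatement AuthenticationMethod="password"
      AuthenticationInstant="2005-12-14T10:02:00Z">
    <saml:Subject><saml:NameIdentifier>Alfred C. Weaver</saml:NameIdentifier></saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>"""

# Hypothetical relying-party policy (not from the slides).
TRUSTED_ISSUERS = {"Robotics Corporation"}
ACCEPTED_METHODS = {"password", "fingerprint"}  # an enumeration of acceptable means
MAX_AGE = timedelta(hours=8)

def parse_instant(value: str) -> datetime:
    """Parse the UTC timestamp format used on the slides."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_authentication(xml_text: str, now: datetime):
    """Return (subject, None) when accepted, otherwise (None, reason).

    Assumes the signature over the assertion has already been verified.
    """
    root = ET.fromstring(xml_text)
    if root.get("Issuer") not in TRUSTED_ISSUERS:
        return None, "untrusted issuer"
    stmt = root.find("saml:AuthenticationStatement", NS)
    if stmt is None:
        return None, "no authentication statement"
    if stmt.get("AuthenticationMethod") not in ACCEPTED_METHODS:
        return None, "authentication method not accepted"
    age = now - parse_instant(stmt.get("AuthenticationInstant"))
    if age < timedelta(0) or age > MAX_AGE:
        return None, "authentication too old or in the future"
    subject = stmt.findtext("saml:Subject/saml:NameIdentifier", namespaces=NS)
    return subject, None

if __name__ == "__main__":
    print(check_authentication(ASSERTION, datetime(2005, 12, 14, 12, 0, tzinfo=timezone.utc)))
```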

42 Attribute Assertion
- An issuing authority asserts that subject S is associated with attributes 1, 2, 3 … with attribute values a, b, c...
- Example: “Alfred C. Weaver” in domain “robotics.com” is associated with attribute “Position” with value “Plant Manager”

43 Example Attribute Assertion
Plant Manager

44 Authorization Decision Assertion
- An issuing authority decides whether to grant the request:
  - by subject S
  - for access type A
  - to resource R
  - given evidence E
- Decision is permit or deny

45 Example Authorization Decision Assertion
Decision="Permit" Resource="http://www.robotics.com/production.html">

46 SAML Conceptual Model

47 Outline
- Motivation for data security
- Security architecture
  - Web services
  - Trust
- Components of security
  - Authentication
  - Authorization
  - Federation
- Research issues

48 Federation
How can identity, once legitimately established in one trust domain, be reliably and securely shared with another trust domain?

49 Federated ATM Network
[Diagram labels: Account Number and PIN; Home Bank Network; Visiting Bank Network; Funds; Network of Trust]

50 Administrative Decision
- Administrator decides on per request basis
[Diagram labels: Requestor; IP/STS; Admin; Resource; Get identity token; Yes; steps 1, 2, 3]

51 Basic Federation
- Direct Trust Token Exchange
[Diagram labels: Requestor; IP/STS; Resource; Trust; Get identity token; Get access token; steps 1, 2, 3]

52 Indirect Trust
- C trusts B which vouches for A who vouches for client
[Diagram labels: Requestor; IP/STS; A; B; C; Resource; Trust; Trust; steps 1, 2, 3]

53 System Design

54 Outline
- Motivation for data security
- Proposed security architecture
  - Web services
  - Trust
- Components of security
  - Authentication
  - Authorization
  - Federation
- Research issues

55 Research Challenges
- Authentication tokens
  - SAML permits enumeration, but not substitution, of acceptable tokens
  - Trustworthiness varies even within a technology, but SAML does not capture this distinction
  - Our TrustLevel concept is just a beginning; trust is more complicated than a number

56 Research Challenges
- Authorization rules
  - Human organizations are complex, and so are their rules
  - Role delegation
  - Human/computer interface

57 Research Challenges
- Federation
  - Currently an infant science
  - Many issues surround trust management
    - establishment
    - representation
    - exchange
    - enforcement
    - storage
    - negotiation

58 Research Challenges
- Tools and techniques
  - how to specify access policies
  - locate policy inconsistencies
  - human/computer interface
- Formalisms
  - need formal methods to structure our thoughts, processes and implementations
  - need proofs of correctness

59 Achieving Data Privacy and Security Using Web Services
Alfred C. Weaver
Professor of Computer Science
University of Virginia
Charlottesville, Virginia, USA
weaver@cs.virginia.edu
http://www.cs.virginia.edu/~acw/security/

