Published by Audra Hood. Modified over 8 years ago.
1 Achieving Data Privacy and Security Using Web Services
Alfred C. Weaver
Professor of Computer Science
University of Virginia
Charlottesville, Virginia, USA
weaver@cs.virginia.edu
http://www.cs.virginia.edu/~acw/security/
2 Outline
- Motivation for data security
- Security architecture
- Web services
- Trust
- Components of security
- Authentication
- Authorization
- Federation
- Research issues
3 Data Privacy and Security
[Diagram labels: Plants; Processes; Databases; Desktops; Laptops; PDAs; Cell phones; Global Internet]
4 Virtual Factory
6 Risks
- Access by unauthorized individuals
- Access denied to authorized individuals
- Identity theft and impersonation
- Authentication techniques of varying reliability
- Mobile access devices
- Viruses and worms
7 Risk Mitigation Requirements
- Establish and maintain trust between data requestor and data provider
- Techniques must be applicable to both humans and software
- Trust decisions must be made without human intervention
11 Security Architecture
- Based upon web services
  - useful functionality exposed on the WWW
  - provide fundamental, standardized building blocks to support distributed computing over the internet
  - applications communicate using XML documents that are computer-readable
12 Why Web Services?
- Internet provides a powerful, standardized, ubiquitous infrastructure whose benefits are impossible to ignore
  - provided that access is reliable, dependable, and authentic
- World-wide acceptance
  - preferential way to interconnect applications in a loosely-coupled, language-neutral, platform-independent way
13 Web Services
Built on four primary technologies:
- eXtensible Markup Language (XML)
  - format to enable machine-readable text
- Simple Object Access Protocol (SOAP)
  - specifies format and content of messages
- Web Services Description Language (WSDL)
  - XML document that describes a set of SOAP messages and how they are exchanged
- Universal Description, Discovery, and Integration (UDDI)
  - searchable "whitepage directory" of web services
14 SOAP Example xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"> Alfred Weaver 22-342439 98-283843 100.00 USD TransferFunds (from, to, amount)
16 Trust
[Diagram labels: Who you are; What you can do; Authentication; Privileges; Credentials, attributes; {Authentication, Credentials, Privileges}; What you have]
18 Authentication
- Biometric
  - based upon physical or behavioral characteristics
  - answers “who are you?”
- Digital
  - something you have or know
- Two-factor authentication
  - biometric + digital
19 Identification vs. Verification
- Identification
  - of all humans, which one are you?
- Verification
  - does your biometric (bid sample) match a previously enrolled biometric template?
20 False Acceptance/Rejection
- False acceptance rate (FAR)
  - incorrectly matches a bid sample to an enrolled template
  - this is very bad
  - FAR must be very, very low
- False rejection rate (FRR)
  - fails to match a legitimate bid sample to an enrolled template
  - this can be an annoyance or a denial of service
  - FRR must be low if technique is to be used
21 Fingerprints
- 70 points of differentiation (loops, whorls, deltas, ridges)
- Even identical twins have differing fingerprint patterns
- False acceptance rate < 0.01%
- False rejection rate < 1.4%
- Can distinguish a live finger
- Fast to enroll
- Inexpensive (~$50-100)
22 Fingerprint Scanners
- HP IPAQ
- Digital Persona U.are.U Pro
- IBM Thinkpad T42
23 Iris Scans
- Iris has 266 degrees of freedom
- Identical twins have different iris patterns
- False acceptance rate < 0.01%
- False rejection rate < 0.01%
- Does take some time and controlled lighting to enroll
- Pattern is stored as a data template, not a picture
- Flash light to detect pupil dilation (prove live eye)
24 Physical Biometrics
- Fingerprint
- Iris
- Retina
- Hand geometry
- Finger geometry
- Face geometry
- Ear shape
- Palm print
- Smell
- Thermal face image
- Hand vein
- Fingernail bed
- DNA
25 Determining a Match
- Enrollment produces a template
  011010101111011110000001...
26 Determining a Match
- Enrollment produces a template
- Bid sample produces another template
  011010101111011110000001...
  011010101100011110000111...
27 Determining a Match
- Enrollment produces a template
- Bid sample produces another template
- Hamming distance between them is the degree of difference
  011010101111011110000001...
  011010101100011110000111...
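
Added example (not part of the original presentation): the template comparison from slides 25-27 and the FAR/FRR trade-off from slide 20, in Python. The two 24-bit strings are the template prefixes shown on the slides; the trial population, the bit-flip ranges and the thresholds are constructed for illustration.

```python
import random

ENROLLED = "011010101111011110000001"   # template prefix shown on the slides
BID = "011010101100011110000111"        # bid-sample prefix shown on the slides

def hamming_distance(a: str, b: str) -> int:
    """Number of bit positions at which two equal-length templates differ."""
    if len(a) != len(b):
        raise ValueError("templates must be the same length")
    return sum(x != y for x, y in zip(a, b))

def is_match(enrolled: str, bid: str, threshold: float) -> bool:
    """Verification: accept when the fraction of differing bits is within threshold."""
    return hamming_distance(enrolled, bid) / len(enrolled) <= threshold

def flip_bits(template: str, count: int, rng: random.Random) -> str:
    """Copy of template with `count` randomly chosen bits inverted (sensor noise model)."""
    bits = list(template)
    for i in rng.sample(range(len(bits)), count):
        bits[i] = "1" if bits[i] == "0" else "0"
    return "".join(bits)

def build_trials(users=200, nbits=256, seed=1):
    """Constructed data: genuine bids differ in 10-80 bits, impostor bids in 60-160."""
    rng = random.Random(seed)
    genuine, impostor = [], []
    for _ in range(users):
        enrolled = "".join(rng.choice("01") for _ in range(nbits))
        genuine.append((enrolled, flip_bits(enrolled, rng.randint(10, 80), rng)))
        impostor.append((enrolled, flip_bits(enrolled, rng.randint(60, 160), rng)))
    return genuine, impostor

def error_rates(genuine, impostor, threshold):
    """FAR = share of impostor bids accepted; FRR = share of genuine bids rejected."""
    far = sum(is_match(e, b, threshold) for e, b in impostor) / len(impostor)
    frr = sum(not is_match(e, b, threshold) for e, b in genuine) / len(genuine)
    return far, frr

def sweep(thresholds=(0.0, 0.1, 0.2, 0.3, 0.4, 1.0)):
    """(threshold, FAR, FRR) rows: loosening the threshold trades FRR for FAR."""
    genuine, impostor = build_trials()
    return [(t, *error_rates(genuine, impostor, t)) for t in thresholds]

if __name__ == "__main__":
    print("slide templates differ in", hamming_distance(ENROLLED, BID), "of 24 bits")
    for t, far, frr in sweep():
        print(f"threshold={t:.2f}  FAR={far:.3f}  FRR={frr:.3f}")
```

Because the constructed genuine and impostor distance ranges overlap between 60 and 80 bits, no threshold in that band drives both error rates to zero.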
28 Behavioral Biometrics
- Signature
- Voice
- Keyboard dynamics
Alfred C. Weaver
29 Digital Techniques
- PINs and passwords
- E-tokens
- Smart cards
- RFID
- X.509 certificates
30 eToken
- Stores credentials such as passwords, digital signatures and certificates, and private keys
- Some can support on-board authentication and digital signing
31 Smartcard
- Size of a credit card
- Microprocessor and memory
- All data movements encrypted
32 RFID
- IC with antenna
- Works with a variety of transponders
- No power supply
- Supplies identity information
- Susceptible to theft and replay attacks
33 Authentication Token
2005-09-20T08:30:00.0000000-04:00
2005-09-21T08:30:00.0000000-04:00
385739601
http://cs.virginia.edu/TrustSTS.asmx
http://cs.virginia.edu/TrustAuthority.asmx
34 Authentication Token
2005-09-20T08:30:00.0000000-04:00
2005-09-21T08:30:00.0000000-04:00
385739601
Fingerprint
Digital Persona U.are.U
http://cs.virginia.edu/TrustSTS.asmx
http://cs.virginia.edu/TrustAuthority.asmx
35 X.509 Certificates
- Certificate issued by a trusted Certificate Authority (e.g., VeriSign)
- Contains
  - name
  - serial number
  - expiration dates
  - certificate holder’s public key (used for encrypting/decrypting messages and digital signatures)
  - digital signature of the Certificate Authority (so recipient knows that the certificate is valid)
- Recipient may confirm identity of the sender with the Certificate Authority
37 Security Assertion Markup Language (SAML)
- Interoperable exchange of security information
  - enables web single sign-on
  - distributed authorization services
  - securing electronic transactions
- Transcends the local security domain
38 SAML Assertions
- Assertion is a declaration of facts
- Three types of security assertions
  - authentication
  - attribute
  - authorization decision
39 SAML Conceptual Model
40 Authentication Assertion
- An issuing authority asserts that
  - subject S
  - was authenticated by means M
  - at time T
- Example
  - subject “Alfred C. Weaver”
  - was authenticated by “password”
  - at time “2005-12-14T10:02:00Z”
41 Example Authentication Assertion
AssertionID="128.9.167.32.12345678" Issuer="Robotics Corporation" IssueInstant="2005-12-14T10:02:00Z">
AuthenticationMethod="password" AuthenticationInstant="2005-12-14T10:02:00Z">
42 Attribute Assertion
- An issuing authority asserts that
  - subject S
  - is associated with attributes 1, 2, 3 …
  - with attribute values a, b, c ...
- Example:
  - “Alfred C. Weaver” in domain “robotics.com”
  - is associated with attribute “Position”
  - with value “Plant Manager”
43 Example Attribute Assertion
Plant Manager
44 Authorization Decision Assertion
- An issuing authority decides whether to grant the request:
  - by subject S
  - for access type A
  - to resource R
  - given evidence E
- Decision is permit or deny
45 Example Authorization Decision Assertion
Decision="Permit" Resource="http://www.robotics.com/production.html">
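
Added example (not part of the original presentation): the authorization decision of slide 44, evaluated in Python over evidence built from the authentication and attribute assertions of slides 40-43. Element and attribute names follow the SAML 1.1 assertion schema; the trust list, policy table, freshness window and evaluation time are assumptions, and the assertion's signature is assumed to have been verified before decide() is called.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:1.0:assertion"}   # SAML 1.x assertion namespace
RESOURCE = "http://www.robotics.com/production.html"      # resource R from slide 45
TRUSTED_ISSUERS = {"Robotics Corporation"}    # assumption: local trust list
MAX_AUTH_AGE = timedelta(hours=8)             # assumption: freshness window
POLICY = {RESOURCE: ("Plant Manager", {"password"})}  # assumption: Position, methods
NOW = datetime(2005, 12, 14, 12, 0, tzinfo=timezone.utc)  # constructed evaluation time

def evidence(method="password", position="Plant Manager", issuer="Robotics Corporation"):
    """Constructed evidence E: one assertion with an authentication and an attribute statement."""
    subj = ('<saml:Subject><saml:NameIdentifier NameQualifier="robotics.com">'
            'Alfred C. Weaver</saml:NameIdentifier></saml:Subject>')
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}" MajorVersion="1" MinorVersion="1"
      AssertionID="128.9.167.32.12345678" Issuer="{issuer}" IssueInstant="2005-12-14T10:02:00Z">
     <saml:AuthenticationStatement AuthenticationMethod="{method}"
       AuthenticationInstant="2005-12-14T10:02:00Z">{subj}</saml:AuthenticationStatement>
     <saml:AttributeStatement>{subj}
      <saml:Attribute AttributeName="Position" AttributeNamespace="http://www.robotics.com">
       <saml:AttributeValue>{position}</saml:AttributeValue></saml:Attribute>
     </saml:AttributeStatement></saml:Assertion>"""

def decide(evidence_xml, subject, resource, now):
    """Authorization decision for subject S on resource R given evidence E: Permit or Deny."""
    try:
        root = ET.fromstring(evidence_xml)
        auth = root.find("saml:AuthenticationStatement", NS)
        when = datetime.strptime(auth.get("AuthenticationInstant"),
                                 "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except (ET.ParseError, AttributeError, TypeError, ValueError):
        return "Deny"                          # malformed or incomplete evidence
    if root.get("Issuer") not in TRUSTED_ISSUERS or resource not in POLICY:
        return "Deny"                          # unknown issuer or no rule: default deny
    position, methods = POLICY[resource]
    if auth.get("AuthenticationMethod") not in methods:
        return "Deny"                          # means M not acceptable for this resource
    if not timedelta(0) <= now - when <= MAX_AUTH_AGE:
        return "Deny"                          # stale or future-dated authentication
    names = [n.text for n in root.iterfind(".//saml:NameIdentifier", NS)]
    if not names or any(n != subject for n in names):
        return "Deny"                          # every statement must be about S
    held = {v.text for v in root.iterfind(
        ".//saml:Attribute[@AttributeName='Position']/saml:AttributeValue", NS)}
    return "Permit" if position in held else "Deny"

if __name__ == "__main__":
    for pos in ("Plant Manager", "Operator"):
        print(pos, "->", decide(evidence(position=pos), "Alfred C. Weaver", RESOURCE, NOW))
```

Every failed check returns Deny, so missing or unparseable evidence can never produce a Permit.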
48 Federation
How can identity, once legitimately established in one trust domain, be reliably and securely shared with another trust domain?
49 Federated ATM Network
[Diagram labels: Account Number and PIN; Home Bank Network; Visiting Bank Network; Funds; Network of Trust]
50 Administrative Decision
Administrator decides on per request basis
[Diagram: Requestor, IP/STS, Admin, Resource; steps 1, 2, 3; labels: Get identity token, Yes]
51 Basic Federation Direct Trust Token Exchange
[Diagram: Requestor, IP/STS, Resource; steps 1, 2, 3; labels: Trust, Get identity token, Get access token]
52 Indirect Trust
C trusts B which vouches for A who vouches for client
[Diagram: Requestor, IP/STS, Resource; parties A, B, C; steps 1, 2, 3; labels: Trust, Trust]
53 System Design
54 Outline
- Motivation for data security
- Proposed security architecture
- Web services
- Trust
- Components of security
- Authentication
- Authorization
- Federation
- Research issues
55 Research Challenges
- Authentication tokens
  - SAML permits enumeration, but not substitution, of acceptable tokens
  - Trustworthiness varies even within a technology, but SAML does not capture this distinction
  - Our TrustLevel concept is just a beginning; trust is more complicated than a number
56 Research Challenges
- Authorization rules
  - Human organizations are complex, and so are their rules
  - Role delegation
  - Human/computer interface
57 Research Challenges
- Federation
  - Currently an infant science
  - Many issues surround trust management
    - establishment
    - representation
    - exchange
    - enforcement
    - storage
    - negotiation
58 Research Challenges
- Tools and techniques
  - how to specify access policies
  - locate policy inconsistencies
  - human/computer interface
- Formalisms
  - need formal methods to structure our thoughts, processes and implementations
  - need proofs of correctness