Presentation is loading. Please wait.

Presentation is loading. Please wait.

Secure Systems Research Group - FAU 1 A Trust Model for Web Services Ph.D Dissertation Progess Report Candidate: Nelly A. Delessy, Advisor: Dr E.B. Fernandez.

Published byJoella Rebecca Casey Modified over 8 years ago

Similar presentations

Presentation on theme: "Secure Systems Research Group - FAU 1 A Trust Model for Web Services Ph.D Dissertation Progess Report Candidate: Nelly A. Delessy, Advisor: Dr E.B. Fernandez."— Presentation transcript:

1 Secure Systems Research Group - FAU 1 A Trust Model for Web Services Ph.D Dissertation Progess Report Candidate: Nelly A. Delessy, Advisor: Dr E.B. Fernandez Department of Computer Science and Engineering Florida Atlantic University, Boca Raton FL

2 Secure Systems Research Group - FAU 2 Introduction Dissertation’s goal: to develop a unified trust model for web services –Will indicate how it can be interfaced to existing access control model for web services –Will include trust management through trust policies, and dynamic aspects such as trust negotiation –Using UML and/or some mathematical formalism

3 Secure Systems Research Group - FAU 3 Agenda Existing Web services Access Control Models: –Patterns for XACML Future work –Patterns for the WS-* Family –Comparison

4 Secure Systems Research Group - FAU 4 Web services Access Control Models: Patterns for XACML The eXtensible Access Control Markup Language (XACML) has been defined by OASIS includes a policy and an access decision language. They define ways to express authorization rules and to enforce these rules The XACML profile for web services, also known as WSPL (Web Services Policy Language), is a language to declare authorization rules for protecting web services endpoints. We describe three patterns : –XACML Policy Language –XACML Access Control Evaluation –WSPL

5 Secure Systems Research Group - FAU 5 XACML Policy Language XACML enables an organization to represent authorization rules in a standard manner. Context: – A complex environment such as a large enterprise with many partners, contractors… Problem: –Resources are usually from various types and the enforcement mechanisms come in various forms –policies are implemented in many locations, using different syntaxes –Security policies in an organization are typically issued by different actors and and the policies they write may concern a wide and overlapping set of resources –  Defining these policies may be complex, and thus error prone.

6 Secure Systems Research Group - FAU 6 XACML Policy Language Problem: –How do we unify the definition of access policies throughout the organization, making the whole system simpler and less error-prone? Forces: –Policies may be expressed in different forms –Policies are constantly changing and they need to be constantly updated –An active entity accessing a resource can be represented in a variety of ways –Some policies can require a set of actions (or obligations) to be performed in conjunction with policy enforcement (auditing, notification…) –The environment in which the access is requested can also affect an access decision. For instance, an access may only be permitted at some hours of the day

7 Secure Systems Research Group - FAU 7 XACML Policy Language Solution: –Write all policies in a common language using a standard format. –This format is generic enough to implement some common high level policies or models (open/closed systems, extended access matrix, RBAC, multilevel). –In addition, define a way to compose policies so that when several policies apply to one access, it is possible to render one unique decision. The policies are defined with an embedded combining algorithm.

8 Secure Systems Research Group - FAU 8 XACML Policy Language

9 Secure Systems Research Group - FAU 9 XACML Policy Language Dynamics: Create a new policy

10 Secure Systems Research Group - FAU 10 XACML Policy Language Implementation: 1.Define semantics for the subject, the resource and the environment’s attributes. 2.Translate existing rules in the XACML format. 3.Define new rules and implement them as XACML rules and policies. 4.Add/Remove policies when needed.

11 Secure Systems Research Group - FAU 11 XACML Policy Language Consequences: –The organization’s policies to control access are easily defined using he constructs of the language. This makes the whole system less complex, and thus more secure. –A variety of policy types can be described, as the policy language includes the resource, the subject and the environment’ attributes. Moreover, these attributes can be from existing standards (LDAP attributes, SAML, …), and are extensible. –Similarly, a variety of subject types can be described. –Policies and rules can be easily combined. –A policy writer can specify complex conditions. –This pattern enables logging or other actions through the obligation concept

12 Secure Systems Research Group - FAU 12 XACML Policy Language Known Uses: –This pattern is used in several commercial products: Xtradyne's WS-DBC (an XML Firewall), DataPower's XS40 XML Security Gateway Parthenon Computing has produced a suite of Policy products based on XACML (Policy Tester, Policy Engine, Policy Server) Sun provides an open source implementation written in Java

13 Secure Systems Research Group - FAU 13 XACML Policy Language Related Patterns: –The policies are structured according the Composite Pattern [Gam95]. –The Role-Based Access Control pattern, a specialization of the authorization pattern, is applicable if the policies’ subjects attributes are defined in terms of roles [Fer01].

14 Secure Systems Research Group - FAU 14 XACML Access Control Evaluation XACML defines a standard request/response syntax for access control decisions. Context: – A complex environment such as a large enterprise with many partners, contractors… –These various actors are accessing the organization’s resources –These accesses are controlled at several enforcement points, according to security policies. Problem: –Resources are usually from various types and the enforcement mechanisms come in various forms  the organization has to write and maintain numerous authorization systems for its networks –How do we enforce the rules defined in the institution policies?

15 Secure Systems Research Group - FAU 15 XACML Access Control Evaluation Forces: –Enforcement points could be implemented in a variety of technologies (part of a Web Server, WAN, …). –Any type of security policy should be enforced. Solution: –Protect each resource by a PolicyEnforcementPoint. – All access requests are submitted to a unique PolicyDecisionPoint in a common format. –This PolicyDecisionPoint returns the access decision, based on the ApplicablePolicy corresponding to the access’s context.

16 Secure Systems Research Group - FAU 16 XACML Access Control Evaluation

17 Secure Systems Research Group - FAU 17 XACML Access Control Evaluation Dynamics: Controlling an access request for a resource

18 Secure Systems Research Group - FAU 18

19 Secure Systems Research Group - FAU 19 XACML Access Control Evaluation Implementation: 1.Implement a ContextHandler for applications that already have a PolicyEnforcementPoint that use another access decision language 2.Implement an XACML PolicyEnforcementPoint for those applications that do not implement access control 3.Add the translated existing authorization rules to the PolicyAdministrationPoint 4.Add the new authorization rules to the PolicyAdministrationPoint

20 Secure Systems Research Group - FAU 20 XACML Access Control Evaluation Consequences: –Advantages: Since the access decisions are requested in a standard format, an access decision becomes independent from its enforcement. A broad variety of enforcement mechanisms could be supported and can evolve separately from the PolicyDecisionPoint. This pattern can support the access matrix, RBAC, multilevel models. –(possible) liabilities: It is intrusive for existing applications that already have security, since they require the implementation of a ContextHandler. It could affect the performance of the protected system as XML is a verbose language.

21 Secure Systems Research Group - FAU 21 XACML Access Control Evaluation Related Patterns: –The Authorization pattern [Fer01] defines the security model for this pattern. – It can also implement the Metadata-based Access control Model [Pri04]. –The Application Firewall pattern [Del04] could be implemented according to the XACML patterns. –The PolicyEnforcementPoint is a special case of a Reference Monitor [Fer01].

22 Secure Systems Research Group - FAU 22 XACML Access Control Evaluation Related Patterns:

23 Secure Systems Research Group - FAU 23 WSPL WSPL enables an organization to represent access control policies to its web services in a standard manner and a web services consumer to express its requirements in a standard manner. Context: –Web services endpoints invoking each other. – Providers have security policies to control access to their web services, –consumers have requirements for a web service invocation

24 Secure Systems Research Group - FAU 24 WSPL Problem: –Web services are self-describing through WSDL and can be automatically discovered using UDDI  using various syntaxes for their policy description would reduce these two properties of a web service. –security policies are typically issued by different actors from its departments and the policies they write may concern a wide and overlapping set of web services. –How do we describe policies to control web services invocations?

25 Secure Systems Research Group - FAU 25 WSPL Solution: –Write web services policies in the XACML language: Bind each WSDL web service component to an XACML component. Besides, define combination rules for such policies.

26 Secure Systems Research Group - FAU 26 WSPL

27 Secure Systems Research Group - FAU 27 WSPL Consequences: –Advantage: Consumers and Providers ‘s policies can be combined to decide how a service invocation should occur. –(possible) liabilities: It is intrusive for existing web services that already implement security, since their require the implementation of a ContextHandler. It could affect the performance of the protected system as XML is a verbose language.

28 Secure Systems Research Group - FAU 28 WSPL Known Uses: –OpenWSPL is an open source implementation of the Web-Service Policy language, written in Java Related Patterns: –This pattern is a specialization of the XACML Policy Language pattern. It can implement the Metadata-based Access control Model [Pri04]. –The XML firewall [Del04] could be implemented using this pattern.

29 Secure Systems Research Group - FAU 29 Future work: Patterns for the WS-* Family

Download ppt "Secure Systems Research Group - FAU 1 A Trust Model for Web Services Ph.D Dissertation Progess Report Candidate: Nelly A. Delessy, Advisor: Dr E.B. Fernandez."

Similar presentations

0 McLean, VA August 8, 2006 SOA, Semantics and Security.

0 McLean, VA August 8, 2006 SOA, Semantics and Security.
Overview of Web Services

Overview of Web Services
NRL Security Architecture: A Web Services-Based Solution

NRL Security Architecture: A Web Services-Based Solution
Tuesday, June 10, 2003 Web Services Brief Overview & Security Assertion Coordinator Pattern by Mohammad Abushadi & Riaz Ahmed for Security Group CSE -

Tuesday, June 10, 2003 Web Services Brief Overview & Security Assertion Coordinator Pattern by Mohammad Abushadi & Riaz Ahmed for Security Group CSE -
Web Services Nasrullah. Motivation about web service There are number of programms over the internet that need to communicate with other programms over.

Web Services Nasrullah. Motivation about web service There are number of programms over the internet that need to communicate with other programms over.
Identity Management Based on P3P Authors: Oliver Berthold and Marit Kohntopp P3P = Platform for Privacy Preferences Project.

Identity Management Based on P3P Authors: Oliver Berthold and Marit Kohntopp P3P = Platform for Privacy Preferences Project.
 Copyright 2005 Digital Enterprise Research Institute. All rights reserved. www.deri.org Workflow utilization in composition of complex applications based.

 Copyright 2005 Digital Enterprise Research Institute. All rights reserved. Workflow utilization in composition of complex applications based.
Secure Systems Research Group - FAU Patterns for access control E.B. Fernandez.

Secure Systems Research Group - FAU Patterns for access control E.B. Fernandez.
XACML 2.0 and Earlier Hal Lockhart, Oracle. What is XACML? n XML language for access control n Coarse or fine-grained n Extremely powerful evaluation.

XACML 2.0 and Earlier Hal Lockhart, Oracle. What is XACML? n XML language for access control n Coarse or fine-grained n Extremely powerful evaluation.
Secure Systems Research Group - FAU Security patterns Eduardo B. Fernandez Dept. of Computer Science and Engineering Florida Atlantic University Boca Raton,

Secure Systems Research Group - FAU Security patterns Eduardo B. Fernandez Dept. of Computer Science and Engineering Florida Atlantic University Boca Raton,
95-804 Applied Cryptography Week 13 SAML 1 95-804 Applied Cryptography SAML and XACML Mike McCarthy Week 13.

Applied Cryptography Week 13 SAML Applied Cryptography SAML and XACML Mike McCarthy Week 13.
Distributed Collaborations Using Network Mobile Agents Anand Tripathi, Tanvir Ahmed, Vineet Kakani and Shremattie Jaman Department of computer science.

Distributed Collaborations Using Network Mobile Agents Anand Tripathi, Tanvir Ahmed, Vineet Kakani and Shremattie Jaman Department of computer science.
Web Service Architecture Part I- Overview and Models (based on W3C Working Group Note Frank.

Web Service Architecture Part I- Overview and Models (based on W3C Working Group Note Frank.
XACML By Ganesh Godavari Craig Peltier. Information Sharing Information Sharing relates to the sharing of information between two or more entities. Entities.

XACML By Ganesh Godavari Craig Peltier. Information Sharing Information Sharing relates to the sharing of information between two or more entities. Entities.
Secure Systems Research Group - FAU Web Services Standards Presented by Keiko Hashizume.

Secure Systems Research Group - FAU Web Services Standards Presented by Keiko Hashizume.
Audumbar. Access control and privacy Who can access what, under what conditions, and for what purpose.

Audumbar. Access control and privacy Who can access what, under what conditions, and for what purpose.
Combining KMIP and XACML. What is XACML? XML language for access control Coarse or fine-grained Extremely powerful evaluation logic Ability to use any.

Combining KMIP and XACML. What is XACML? XML language for access control Coarse or fine-grained Extremely powerful evaluation logic Ability to use any.
XACML Gyanasekaran Radhakrishnan. Raviteja Kadiyam.

XACML Gyanasekaran Radhakrishnan. Raviteja Kadiyam.
1 © Talend 2014 XACML Authorization Training Slides 2014 Jan Bernhardt Zsolt Beothy-Elo

1 © Talend 2014 XACML Authorization Training Slides 2014 Jan Bernhardt Zsolt Beothy-Elo
XACML Briefing for PMRM TC Hal Lockhart July 8, 2014.

XACML Briefing for PMRM TC Hal Lockhart July 8, 2014.

Similar presentations

Ads by Google