OTP-ValidationService John Linn, RSA Laboratories 11 May 2005

OTP-ValidationService (OTP-VS) Overview
- OTP-VS uses XML Schema to define a web service request/response protocol for validating OTP credentials.
- Using OTP-VS, a relying party (RP) can ask an authentication service (AS) whether OTP data it has received successfully authenticates a claimant.
  - OTP-VS uses OTP-WSS-Token to represent OTP data.
  - Supports ancillary OTP-related functions (obtaining challenges, PIN management, resynchronization).
  - Validation transactions can be secured "in band" within the OTP-VS protocol (using XML Signature, XML Encryption), externally (e.g., SSL/TLS, IPsec, WSS:SMS), or by relying on the security properties of the environment.
- The generic service can be profiled to support the needs of particular OTP methods.

OTP-VS Usage Scenario
(Diagram with the parties User, Claimant, RP and AS: the claimant sends the RP an application request carrying an OTP; the RP and the AS exchange OTP-VS messages.)
OTP-VS operates in a web service environment; the claimant-RP protocol can be arbitrary.

OTP-VS Premises and Assumptions
- The RP has prior knowledge of the set of OTP methods that the AS supports.
- Depending on the method and situation, an OTP-VS transaction may span one or more request-response round trips.
  - For example, request and obtain a challenge, then provide an OTPToken based on the challenge to be validated.
  - For another example, change the PIN, then authenticate using the new PIN.
- A SOAP binding is defined; other bindings are possible.

OTP-VS Transaction Identifiers and Sequencing
- RequestID and SessionID identify the transaction to which messages belong.
  - The client generates a new RequestID for the initial request.
  - If the transaction takes more than a single round trip, the server provides a SessionID and the client uses that value in subsequent RequestIDs.
- SequenceID protects the sequence integrity of multi-round transactions.
  - Initialized by the server, incremented for subsequent round trips.

OTP-VS Status Framework
- Outer level: string codes with enumerated values (e.g., "Continue", "Complete", "Abort", "AccessDenied", others).
  - Any value except "Continue" or "Complete" terminates the transaction.
- Inner level: CredentialStatus
  - Generic StatusCodes: "OK", "Unknown", "Failed"
  - A code defined for the method and/or environment
  - A string, typically describing the value
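The three preceding slides (premises, identifiers and sequencing, status framework) describe one multi-round transaction. The following is an added example, not code from the slides or from RSA Laboratories: it models the AS side of the two-round "obtain challenge, then validate OTP" flow, with the SessionID/SequenceID bookkeeping and the outer and inner status codes. The message fields, the challenge-response OTP method (six digits from an HMAC over the challenge), the per-user seeds and the rule that the client echoes the SequenceID the AS last issued are all assumptions made for illustration.

```python
"""Added example: AS-side state machine for OTP-VS identifiers, sequencing
and status codes. Message fields, the OTP method and the user seeds are
constructed for illustration and are not from the OTP-VS specification."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Outer-level status codes named on the slide (the real enumeration has more).
CONTINUE, COMPLETE, ABORT = "Continue", "Complete", "Abort"
# Inner-level generic CredentialStatus codes.
CRED_OK, CRED_UNKNOWN, CRED_FAILED = "OK", "Unknown", "Failed"


@dataclass
class ValidationRequest:
    request_id: str                     # client-generated for the initial request
    user: str                           # assumed: identifies the OTP credential
    session_id: Optional[str] = None    # AS-issued; echoed on later round trips
    sequence_id: Optional[int] = None   # AS-issued; echoed on later round trips
    data_request: Optional[str] = None  # "Challenge" asks the AS for a challenge
    otp: Optional[str] = None           # OTP data (stands in for an OTP-WSS-Token)


@dataclass
class ValidationResponse:
    request_id: str
    status: str
    session_id: Optional[str] = None
    sequence_id: Optional[int] = None
    challenge: Optional[str] = None
    credential_status: Optional[str] = None


class AuthenticationService:
    """AS side: issues challenges, tracks open sessions, validates OTPs."""

    def __init__(self, seeds_by_user):
        self._seeds = seeds_by_user   # constructed per-user token seeds
        self._sessions = {}           # session_id -> {"user", "challenge", "seq"}

    @staticmethod
    def expected_otp(seed: bytes, challenge: str) -> str:
        """Assumed challenge-response OTP: six digits from HMAC-SHA256(seed, challenge)."""
        mac = hmac.new(seed, challenge.encode(), hashlib.sha256).digest()
        return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"

    def handle(self, req: ValidationRequest) -> ValidationResponse:
        return self._initial(req) if req.session_id is None else self._continue(req)

    def _initial(self, req: ValidationRequest) -> ValidationResponse:
        if req.user not in self._seeds:
            # The transaction completes, but the credential is unknown to this AS.
            return ValidationResponse(req.request_id, COMPLETE, credential_status=CRED_UNKNOWN)
        if req.data_request != "Challenge":
            return ValidationResponse(req.request_id, ABORT)
        # A second round trip is needed: the AS mints a SessionID and
        # initialises the SequenceID, and returns both with the challenge.
        sid, challenge = secrets.token_hex(8), secrets.token_hex(4)
        self._sessions[sid] = {"user": req.user, "challenge": challenge, "seq": 1}
        return ValidationResponse(req.request_id, CONTINUE, session_id=sid,
                                  sequence_id=1, challenge=challenge)

    def _continue(self, req: ValidationRequest) -> ValidationResponse:
        # The session is consumed whatever happens next (Complete or Abort),
        # so a replayed continuation can never be validated twice.
        sess = self._sessions.pop(req.session_id, None)
        if sess is None or sess["user"] != req.user:
            return ValidationResponse(req.request_id, ABORT)
        # Sequence integrity (assumed rule): the client must echo the SequenceID
        # the AS last issued; anything else terminates the transaction.
        if req.sequence_id != sess["seq"] or req.otp is None:
            return ValidationResponse(req.request_id, ABORT)
        expected = self.expected_otp(self._seeds[req.user], sess["challenge"])
        ok = hmac.compare_digest(expected, req.otp)
        return ValidationResponse(req.request_id, COMPLETE, session_id=req.session_id,
                                  sequence_id=sess["seq"] + 1,
                                  credential_status=CRED_OK if ok else CRED_FAILED)


def authenticate(service: AuthenticationService, user: str, token) -> ValidationResponse:
    """RP side: round trip 1 obtains a challenge, round trip 2 submits the OTP.
    `token` is a callable computing the claimant's OTP for a given challenge."""
    first = ValidationRequest(request_id=secrets.token_hex(6), user=user, data_request="Challenge")
    r1 = service.handle(first)
    if r1.status != CONTINUE:
        return r1
    # Subsequent RequestIDs carry the AS-issued SessionID, as the slide requires.
    second = ValidationRequest(request_id=f"{r1.session_id}-{r1.sequence_id}", user=user,
                               session_id=r1.session_id, sequence_id=r1.sequence_id,
                               otp=token(r1.challenge))
    return service.handle(second)


USER_SEEDS = {"alice": b"constructed-seed-for-alice"}   # constructed sample data

if __name__ == "__main__":
    svc = AuthenticationService(USER_SEEDS)
    good = authenticate(svc, "alice",
                        lambda c: AuthenticationService.expected_otp(USER_SEEDS["alice"], c))
    print(good.status, good.credential_status)   # Complete OK
```

Two design points carry over to a real deployment: the session is removed before the OTP is checked, so a replayed second-round request gets "Abort" rather than a second chance at the same challenge, and a wrong OTP yields "Complete" with CredentialStatus "Failed" (the transaction finished; the credential did not validate), whereas protocol-level problems such as a bad SequenceID or an unknown SessionID terminate with "Abort".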

OTP-VS Signatures
The Signature element is of type ds:SignatureType from XML Signature and must be present when the optional "native" OTP-ValidationService RP authentication is being used. The URI attribute of the ds:Reference element within the ds:SignedInfo child of the Signature shall reference the complete enclosing element instance by being the null ("") reference; i.e., when present, the signature shall be made over the complete validation request element, excluding the Signature element itself (the enveloped-signature transform defined in XML Signature). Before performing the signature calculation, the RP must canonicalize all elements the signature is made over, in accordance with Exclusive XML Canonicalization. The ds:KeyInfo child of the Signature element SHALL identify the signing key. The AS must verify that the signing key is associated with the identified RP, and must verify the signature, before performing any security-related processing of the request.
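The checks the slide places on the AS (exactly one enveloped signature, the "" reference, a key bound to the identified RP, verification before any other processing) are easy to get wrong in the order they are applied. The following is an added example, not code from the slides or from RSA Laboratories. It assumes a placeholder OTP-VS namespace, RP and RequestID attributes on the request element, a KeyName-based key lookup, and HMAC-SHA256 standing in for the RP's real XML Signature algorithm; Python's ET.canonicalize implements C14N 2.0 and stands in for Exclusive XML Canonicalization 1.0. None of these substitutions change the structure of the checks.

```python
"""Added example: AS-side verification of an enveloped signature over an
OTP-VS ValidationRequest. Namespace, RP/RequestID attributes, the KeyName
lookup and HMAC-SHA256 are assumptions, not from the specification."""
import hashlib
import hmac
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
VS = "urn:example:otps-vs"                                   # assumed placeholder namespace
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
ET.register_namespace("ds", DS)
ET.register_namespace("otps-vs", VS)

# Assumed AS-side registry binding each RP identifier to its signing key.
RP_KEYS = {"rp.example.com": b"constructed-key-rp", "other.example.com": b"constructed-key-other"}


def _signed_bytes(root: ET.Element) -> bytes:
    """Enveloped-signature transform (drop ds:Signature) then canonicalise.
    ET.canonicalize is C14N 2.0, used here in place of Exclusive C14N 1.0."""
    clone = ET.fromstring(ET.tostring(root, encoding="unicode"))
    for sig in clone.findall(f"{{{DS}}}Signature"):
        clone.remove(sig)
    return ET.canonicalize(ET.tostring(clone, encoding="unicode")).encode()


def sign_request(request_xml: str, rp_id: str, key: bytes) -> str:
    """RP side: append a ds:Signature made over the complete request element."""
    root = ET.fromstring(request_xml)
    value = hmac.new(key, _signed_bytes(root), hashlib.sha256).hexdigest()
    sig = ET.SubElement(root, f"{{{DS}}}Signature")
    info = ET.SubElement(sig, f"{{{DS}}}SignedInfo")
    ref = ET.SubElement(info, f"{{{DS}}}Reference", URI="")      # the "" reference
    tr = ET.SubElement(ET.SubElement(ref, f"{{{DS}}}Transforms"), f"{{{DS}}}Transform")
    tr.set("Algorithm", ENVELOPED)
    ET.SubElement(sig, f"{{{DS}}}SignatureValue").text = value
    ET.SubElement(ET.SubElement(sig, f"{{{DS}}}KeyInfo"), f"{{{DS}}}KeyName").text = rp_id
    return ET.tostring(root, encoding="unicode")


def verify_request(signed_xml: str):
    """AS side. Returns (ok, reason); nothing else is processed unless ok."""
    root = ET.fromstring(signed_xml)
    if root.tag != f"{{{VS}}}ValidationRequest":
        return False, "not a ValidationRequest"
    sigs = root.findall(f"{{{DS}}}Signature")
    if len(sigs) != 1:
        return False, "expected exactly one Signature"
    sig = sigs[0]
    refs = sig.findall(f"{{{DS}}}SignedInfo/{{{DS}}}Reference")
    if len(refs) != 1 or refs[0].get("URI") != "":
        return False, 'Reference must be the single "" (whole-element) reference'
    if refs[0].find(f"{{{DS}}}Transforms/{{{DS}}}Transform[@Algorithm='{ENVELOPED}']") is None:
        return False, "enveloped-signature transform missing"
    # Key-to-RP binding: the key named in KeyInfo must belong to the RP the
    # request claims to come from, not merely be some key the AS knows.
    key_name = sig.findtext(f"{{{DS}}}KeyInfo/{{{DS}}}KeyName")
    if key_name is None or key_name != root.get("RP") or key_name not in RP_KEYS:
        return False, "signing key not associated with the identified RP"
    expected = hmac.new(RP_KEYS[key_name], _signed_bytes(root), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig.findtext(f"{{{DS}}}SignatureValue") or ""):
        return False, "signature does not verify"
    return True, "ok"


# Constructed sample request; element names below the root are assumed.
REQUEST = ('<otps-vs:ValidationRequest xmlns:otps-vs="urn:example:otps-vs" '
           'RequestID="req-1" RP="rp.example.com">'
           '<otps-vs:Payload>otp-token-goes-here</otps-vs:Payload>'
           '</otps-vs:ValidationRequest>')

if __name__ == "__main__":
    signed = sign_request(REQUEST, "rp.example.com", RP_KEYS["rp.example.com"])
    print(verify_request(signed))                                                  # (True, 'ok')
    print(verify_request(signed.replace('RequestID="req-1"', 'RequestID="req-2"')))  # tampered
```

The key-binding check is the one most often skipped: a signature that verifies under some key the AS trusts is not the same as a signature from the RP named in the request. Because the signature covers the whole element, the RequestID and other top-level attributes are protected here even though, as the next slide notes, they are not protected by the encryption option.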

OTP-VS Encryption
A validation request or response may optionally be encrypted. In this case, the sender forms an ordinary (i.e., plaintext) validation request or response, encrypts its content using the XML Encryption "Content" type, and then replaces the content of the plaintext request or response with an encrypted-data element that carries the ciphertext in its child element. Reciprocally, a recipient of a validation request or response carrying such an element decrypts that child and replaces the content of the received request or response (i.e., the encrypted-data element itself) with the decrypted data before processing the content of the message.
- When applying both encryption and signature, the signature is applied first (over the plaintext data); the recipient therefore decrypts first and then verifies the signature.
- Note: this encryption approach does not protect the top-level message attributes; the attributes of the outer request/response element remain in the clear.

OTP-VS Selected Basic Types

OTP-VS Status Codes

OTP-VS Payload and DataRequest

OTP-VS NewPIN

OTP-VS ValidationRequest
Message sent to the validation service to initiate or continue validation of OTP credentials.

OTP-VS ValidationResponse
Message sent from the validation service in response to a validation request. Schema excerpt:
<element name="credentialStatus" type="otps-vs:CredentialStatus" minOccurs="0"/>

OTP-VS SOAP Binding Aspects
- OTP-VS requests and responses are carried within SOAP bodies.
  - A single unencoded request or response is carried in a body.
- SOAP faults are generated only for messages that cannot be processed at the OTP-ValidationService layer.
  - Other errors are reported within the OTP-VS status framework.
- A SOAPAction value is defined for optional HTTP header use; other HTTP headers are unconstrained.
  - Cache-Control should be set to disable caching.
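The binding rules above (one unencoded message per Body, SOAPAction, caching disabled, SOAP faults only for messages that never reach the OTP-VS layer) are shown in the following added example, which is not code from the slides or from RSA Laboratories. The OTP-VS namespace URI and the SOAPAction value are placeholders assumed for illustration; the specification defines the real ones. The dispatch function is the part worth copying: it faults on envelope problems and hands everything else to the OTP-VS layer, where bad OTPs and unknown sessions are answered with status codes, not faults.

```python
"""Added example: SOAP 1.1 binding helper for OTP-VS. The OTP-VS namespace
and the SOAPAction URI are assumed placeholders, not from the specification."""
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"   # SOAP 1.1 envelope namespace
VS = "urn:example:otps-vs"                            # assumed placeholder namespace
SOAP_ACTION = "urn:example:otps-vs:validate"          # assumed; the spec defines the real value
ET.register_namespace("soap", SOAP)
ET.register_namespace("otps-vs", VS)


def wrap(vs_message_xml: str) -> str:
    """Carry a single OTP-VS request/response unencoded in a SOAP Body."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    ET.SubElement(env, f"{{{SOAP}}}Body").append(ET.fromstring(vs_message_xml))
    return ET.tostring(env, encoding="unicode")


def http_headers(body: str) -> dict:
    """HTTP headers for the POST; only SOAPAction and no-caching are prescribed."""
    return {
        "Content-Type": "text/xml; charset=utf-8",
        "Content-Length": str(len(body.encode("utf-8"))),
        "SOAPAction": f'"{SOAP_ACTION}"',
        "Cache-Control": "no-store, no-cache",   # never cache OTP traffic
        "Pragma": "no-cache",                    # for HTTP/1.0 intermediaries
    }


def soap_fault(faultstring: str, faultcode: str = "soap:Client") -> str:
    """SOAP 1.1 Fault, used only when the message cannot reach the OTP-VS layer."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    fault = ET.SubElement(ET.SubElement(env, f"{{{SOAP}}}Body"), f"{{{SOAP}}}Fault")
    ET.SubElement(fault, "faultcode").text = faultcode
    ET.SubElement(fault, "faultstring").text = faultstring
    return ET.tostring(env, encoding="unicode")


def unwrap(soap_xml: str):
    """Server side. Returns ("request", element) for a well-formed envelope
    carrying exactly one ValidationRequest, else ("fault", reason). Problems
    inside the request (bad OTP, unknown session, ...) are not faults: they
    are reported through the OTP-VS status framework instead."""
    try:
        env = ET.fromstring(soap_xml)
    except ET.ParseError as exc:
        return "fault", f"malformed XML: {exc}"
    if env.tag != f"{{{SOAP}}}Envelope":
        return "fault", "not a SOAP 1.1 Envelope"
    body = env.find(f"{{{SOAP}}}Body")
    if body is None:
        return "fault", "missing Body"
    children = list(body)
    if len(children) != 1 or children[0].tag != f"{{{VS}}}ValidationRequest":
        return "fault", "Body must carry exactly one OTP-VS ValidationRequest"
    return "request", children[0]


# Constructed sample request; child element names are assumed.
REQUEST = ('<otps-vs:ValidationRequest xmlns:otps-vs="urn:example:otps-vs" RequestID="req-1">'
           '<otps-vs:Payload>otp-token-goes-here</otps-vs:Payload></otps-vs:ValidationRequest>')

if __name__ == "__main__":
    envelope = wrap(REQUEST)
    print(http_headers(envelope)["SOAPAction"], unwrap(envelope)[0])
    print(soap_fault("Body must carry exactly one OTP-VS ValidationRequest"))
```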

OTP-VS Security Service Requirements
- Authentication: generally AS to RP, sometimes RP to AS as well.
- Confidentiality: generally when carrying OTP or PIN values; other needs vary.
- Integrity: generally at the per-message and transaction-sequence levels.
- Non-repudiation: may be needed for some accountability scenarios.

OTP-VS Possible Futures
- Schema changes
  - Adopt the UpperCamelCase naming convention
  - Alignment with OTP-WSS-Token identifiers
  - XML Schema namespace qualification?
- Other methods or extended facilities
  - Profile to carry EAP within an OTP-VS web service transaction?

OTP-VS Next Steps
- Agreement on and stabilization of the document content
- Consideration of added features or new methods
  - Methods can be specified separately from the base document
- Possible future contribution of the document?