W3C Web Services Architecture Security Discussion Kick-Off Abbie Barbir, Ph.D. Nortel Networks.

Presentation transcript:

1 Agenda
Web Services Security Requirements
Brief Review of Web Services Security Work
Discussion
Next Steps

2 Web Services Security Requirements
Authentication to verify identity
Authorization to access resources
Confidentiality such that information is accessible only to intended parties
Data integrity of transactions and communications
Non-repudiation so that a party to a transaction cannot deny the transaction
Controlled access to systems and their components
Integrate with enterprise security policies
End-to-end integrity and confidentiality of messages
QoS, reliability, scalability, and manageability

3 Web Services in a Nutshell (stack diagram; the slide layers it roughly as follows)
Transport (TCP/IP, UDP, …); Transfer (HTTP, SMTP, …); Envelope (MIME, DIME, BEEP, …)
XML + Namespaces + Information Set; XML Schema; Canonical XML; RDF?, DAML?
SOAP; WS Routing; WS Referral; WS Security; XML Encryption; XML Signature; SAML; WS License
WS messaging: WS Coordination, WS Transaction
WS descriptions: WSDL, WSCI, BPEL4WS
WS discovery: UDDI, WS-Inspection (Register, Search, Subscribe)

4 TLS/SSL Protocol
Provides the following properties:
–Authentication: one-way authentication (in general)
–Privacy: data encryption
–Integrity: connection is reliable (message integrity check)
Point to point based, not application specific
Can be used behind firewalls
Out of band operations
(Diagram: Customers, Suppliers and Sellers linked by SSL; labels: Security Context, Audit Trail, End to End Security)
SOAP requires security in the message

5 Web Services Security Resources: Security Assertion Markup Language (SAML)
An XML based framework for exchanging security information
–Enables disparate security services systems to interoperate
A set of specifications that define its components:
–Assertions and request/response protocols
–An assertion is a declaration of fact about a subject (a user), made by an assertion issuer
–SAML has three kinds, all related to security: authentication, attribute, authorization decision
–Assertions can be digitally signed

6 SAML: Single Sign On (SSO)
(Diagram: Requestor, Authentication Server, Web Services Server, LDAP Directory)
SAML: How It Works
1. User accesses authentication server; authentication server asks for user ID and password
2. End user enters ID and password; authentication server checks with LDAP directory and authenticates user
3. End user requests a resource from destination/Web services server; authentication server opens a session with destination server
4. Authentication server sends uniform resource identifier (URI) to end user; end user browser is redirected to URI, which connects him to the Web service

7 Web Services Security Resources: XML Key Management Specification (XKMS)
Integrating PKI with Web Services
Shield applications from the complexity of PKI
–Delegate details of digital certificate processing to a separate Web service
Protocols for distributing and registering public keys
XML Key Information Service Specification (X-KISS)
–Application delegates, to a service, the processing of Key Information associated with an XML signature, XML encryption, or other public key
XML Key Registration Service Specification (X-KRSS)
–Protocol for registration of a key pair by a key pair holder, with the intent that the key pair subsequently is usable in conjunction with X-KISS

8 XACML: Communicating Policy Information (Web Services Security Resources)
XML Access Control Markup Language (XACML)
Closely related to SAML
How policy information related to access control is expressed and transferred
Rules that define what a Web service can exercise or what it can access
–Privileges for which XML documents
For example, a healthcare provider can specify which portions of a patient's medical record could be exposed to appropriate parties

9 Message Integrity and Confidentiality (Web Services Security Resources)
XML-Signature / XML-Encryption
Provide mechanisms for handling whole or partial documents
Address varying requirements for access authority, confidentiality and data integrity within one document
Need XML Canonical Form
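The canonical-form requirement on this slide, as an added example that is not part of the original deck: two byte-different serializations of the same XML hash differently until canonicalized, and a signature over only the SOAP Body survives header changes while catching any change inside the Body. The envelope, the `Route` header and the HMAC (standing in for XML-Signature's signature algorithm) are constructed for this example.

```python
# Added example, not from the slides. Uses xml.etree.ElementTree.canonicalize
# (C14N 2.0, Python 3.8+); an HMAC stands in for the real signature algorithm.
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Two serializations of the same infoset (constructed): attribute order,
# quoting, whitespace inside tags, a comment and a character reference differ.
DOC_A = '<Order id="42" status="new"><Item qty="2">Widget</Item></Order>'
DOC_B = ("<Order status='new'   id=\"42\" ><!-- routing note -->"
         "<Item qty=\"2\">&#x57;idget</Item></Order>")

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
# Constructed envelope; the Route header is illustrative, not a real spec element.
ENVELOPE = f"""<env:Envelope xmlns:env="{SOAP_NS}">
  <env:Header><Route hop="gateway-1"/></env:Header>
  <env:Body><PlaceOrder account="ACME" amount="100"/></env:Body>
</env:Envelope>"""


def raw_digest(xml_text: str) -> str:
    """Digest over the bytes as received: differs for DOC_A and DOC_B."""
    return hashlib.sha256(xml_text.encode("utf-8")).hexdigest()

def canonical_digest(xml_text: str) -> str:
    """Digest over the C14N form, as an XML-Signature <Reference> computes
    it after the canonicalization transform: equal for DOC_A and DOC_B."""
    return hashlib.sha256(ET.canonicalize(xml_text).encode("utf-8")).hexdigest()

def sign_body(envelope: str, key: bytes) -> str:
    """Sign only the SOAP Body (partial-document signing), over its canonical form."""
    body = ET.fromstring(envelope).find(f"{{{SOAP_NS}}}Body")
    body.tail = None  # whitespace after </Body> is not part of the signed element
    canon = ET.canonicalize(ET.tostring(body, encoding="unicode"))
    return hmac.new(key, canon.encode("utf-8"), hashlib.sha256).hexdigest()

def verify_body(envelope: str, key: bytes, sig: str) -> bool:
    return hmac.compare_digest(sign_body(envelope, key), sig)

def header_change_keeps_signature(key: bytes = b"demo-key") -> bool:
    """An intermediary rewriting the header does not invalidate the Body signature."""
    sig = sign_body(ENVELOPE, key)
    return verify_body(ENVELOPE.replace('hop="gateway-1"', 'hop="gateway-2"'), key, sig)

def body_change_breaks_signature(key: bytes = b"demo-key") -> bool:
    """Any change inside the signed element, even one attribute value, is detected."""
    sig = sign_body(ENVELOPE, key)
    return not verify_body(ENVELOPE.replace('amount="100"', 'amount="1000"'), key, sig)
```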

10 Some thoughts about SOAP
SOAP is an intrinsically complex specification
SOAP can easily pass through firewalls
Moves security issues and protocol developments into the hands of the software developers
–Who may not have the proper training or background
Firewalls may need to do XML parsing to recognize SOAP
–Cannot easily do pattern recognition
–Example: the various ways of encoding binary data
Any method could be a read method or a write method
–Harder to track actions or do action filtering
In Web Services a single URI can be a SOAP endpoint that is used for many resources

11 WS-Security (Web Services Security Resources)
Securing SOAP
Work in progress
OASIS based
Supported by major players
Ensures interoperability
(Diagram: a SOAP message secured for multiple parties and for individual document parts)
–WS-Security: signature, encryption
–SAML token: authentication, authorization
–XML Signature: integrity
–XML Encryption: confidentiality
–X.509 certificate: encryption, signature verification
–XML Schema validation

12 Discussion
1. WSA architecture and WSS
2. Need to see how other requirements such as reliability and QoS affect security
3. Need to incorporate any requirements on security that result from WSA work
4. Need to decide how to go about them: W3C or OASIS or what?