Copyright © 2003 Jorgen Thelin / Cape Clear Software 1 A Web Services Security Framework Jorgen Thelin Chief Scientist Cape Clear Software Inc.

Slides:

Advertisements

Similar presentations

Public Key Infrastructure and Applications

Advertisements

0 McLean, VA August 8, 2006 SOA, Semantics and Security.

Copyright © 2003 Jorgen Thelin / Cape Clear Software Identity, Security and XML Web Services Jorgen Thelin Chief Scientist Cape Clear Software Inc.

Web Service Security CS409 Application Services Even Semester 2007.

Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.

A Public Web Services Security Framework Based on Current and Future Usage Scenarios J.Thelin, Chief Architect PJ.Murray, Product Manager Cape Clear Software.

Confidentiality and Privacy Controls

Lecture 2: Security Rachana Ananthakrishnan Argonne National Lab.

Http Web Authentication Web authentication is used to verify a users identity before allowing access to certain web pages On web browsers you get a login.

1 Pertemuan 12 Authentication, Encryption, Digital Payments, and Digital Money Matakuliah: M0284/Teknologi & Infrastruktur E-Business Tahun: 2005 Versi:

Grid Security. Typical Grid Scenario Users Resources.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Web Services and the Semantic Web: Open Discussion Session Diana Geangalau Ryan Layfield.

Core Web Service Security Patterns

© 2007 Charteris plc20 June Extending Web Service Security with WS-* Presented by Chris Seary MVP Charteris plc, Bartholomew Close, London.

Security Jonathan Calazan December 12, 2005.

Security on the Internet Jan Damsgaard Dept. of Informatics Copenhagen Business School

Web services security I

Prashanth Kumar Muthoju

Controller of Certifying Authorities PKI Technology - Role of CCA Assistant Controller (Technology) Controller of Certifying Authorities Ministry of Communications.

Security using Encryption Security Features Message Origin Authentication - verifying that the sender is who he or she says they are Content Integrity.

Digital Certificates Public Key Deception Digital Certificates Certificate Authorities Public Key Infrastructures (PKIs)

31.1 Chapter 31 Network Security Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.

Security COMP6017 Topics on Web Services Dr Nicholas Gibbins –

Lecture 12 Electronic Business (MGT-485). Recap – Lecture 11 E-Commerce Security Environment Security Threats in E-commerce Technology Solutions.

Web Service Standards, Security & Management Chris Peiris

SYSTEM ADMINISTRATION Chapter 13 Security Protocols.

AQA Computing A2 © Nelson Thornes 2009 Section Unit 3 Section 6.4: Internet Security Digital Signatures and Certificates.

Web Services Security. Introduction Developing standards for Web Services security – XML Key Management Specification (XKMS) – XML Signature – XML Encryption.

Web Services Quality Model V2.0 Business Value Quality Group Business Value Quality Cost Suitability Effect Service Measurement Quality Group Service Level.

WS-Security: SOAP Message Security Web-enhanced Information Management (WHIM) Justin R. Wang Professor Kaiser.

Web Services Security Standards Overview for the Non-Specialist Hal Lockhart Office of the CTO BEA Systems.

Chapter 37 Network Security. Aspects of Security data integrity – data received should be same as data sent data availability – data should be accessible.

Cryptography Encryption/Decryption Franci Tajnik CISA Franci Tajnik.

Protecting Internet Communications: Encryption  Encryption: Process of transforming plain text or data into cipher text that cannot be read by anyone.

E-commerce What are the relationships among: – Client (i.e. you) – Server – Bank – Certification authority Other things to consider: – How to set up your.

Security Protocols and E-commerce University of Palestine Eng. Wisam Zaqoot April 2010 ITSS 4201 Internet Insurance and Information Hiding.

SAML CCOW Work Item HL7 Working Group Meeting San Antonio - January 2008 Presented by: David Staggs, JD CISSP VHA Office of Information Standards.

Web Security : Secure Socket Layer Secure Electronic Transaction.

Chapter 21 Distributed System Security Copyright © 2008.

Introduction to Implementing XML web services authentication John Messing Law-on-Line, Inc. Prepared for Maricopa County ICJIS May 17, 2006.

SOA-39: Securing Your SOA Francois Martel Principal Solution Engineer Mitigating Security Risks of a De-coupled Infrastructure.

W3C Web Services Architecture Security Discussion Kick-Off Abbie Barbir, Ph.D. Nortel Networks.

Copyright © 2003 Jorgen Thelin / Cape Clear Software 1 Customization Using Interceptors Using an interceptor-based framework for providing customized client-side.

Privacy versus Authentication Confidentiality (Privacy) –Interceptors cannot read messages Authentication: proving the sender’s identity –The Problem of.

31.1 Chapter 31 Network Security Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.

CS453: Introduction to Information Security for E-Commerce Prof. Tom Horton.

Traditional Security Issues Confidentiality –Prevent unauthorized access or reading of information Integrity –Insure that writing or operations are allowed.

Security fundamentals Topic 5 Using a Public Key Infrastructure.

1 Thuy, Le Huu | Pentalog VN Web Services Security.

Andrew J. Hewatt, Gayatri Swamynathan and Michael T. Wen Department of Computer Science, UC-Santa Barbara A Case Study of the WS-Security Framework.

Web Services Security INFOSYS 290, Section 3 Web Services: Concepts, Design and Implementation Adam Blum

Copyright 2004 MayneStay Consulting Group Ltd. - All Rights Reserved Jan-041 Security using Encryption Security Features Message Origin Authentication.

Lifecycle Metadata for Digital Objects October 9, 2002 Transfer / Authenticity Metadata.

Web Services Security Standards Dr. Phillip M. Hallam-Baker C.Eng. FBCS VeriSign Inc.

Technical Security Issues in Cloud Computing By: Meiko Jensen, Jorg Schwenk, Nils Gruschka, Luigi Lo Lacono Presentation by: Winston Tong 2009 IEEE.

Security in OPC Unified Architecture (UA) Dick Oyen IndustrialSysDev, Inc.

Unit 3 Section 6.4: Internet Security

Computer Communication & Networks

Secure Sockets Layer (SSL)

Pooja programmer,cse department

Technical Approach Chris Louden Enspier

Electronic Payment Security Technologies

Presentation transcript:

Copyright © 2003 Jorgen Thelin / Cape Clear Software 1 A Web Services Security Framework Jorgen Thelin Chief Scientist Cape Clear Software Inc.

Copyright © 2003 Jorgen Thelin / Cape Clear Software 2 4 Main Concerns of a Security Framework Authentication – identity Who is the caller? How do we prove they are who they say they are? Authorization – access control What is the caller authorized to do? Is the caller permitted by perform the operation it is requesting? Confidentiality – encryption How do we prevent snoopers viewing our messages and data? Integrity – tamper-proofing How do we prevent messages being tampered with between sender and receiver?

Copyright © 2003 Jorgen Thelin / Cape Clear Software 3 Non-Repudiation This is ultimately the major business requirement for a security framework Can a trading partner possibly claim that: They didn't send a message They sent a different message from the one you received Requires framework support for: Authentication – we know who sent the message Integrity – the message did not change in transit Audit record storage – we can prove what happened

Copyright © 2003 Jorgen Thelin / Cape Clear Software 4 Security Challenges Confidentiality Can prying eyes see it? Authentication Are you who you say you are? Trust Have I agreed to work with you? Non-repudiation Can you claim that you didn't send or receive it even if you did? Integrity Was it altered before I got it? Authorization Are you allowed to have it? Auditing Can I prove what happened?

Copyright © 2003 Jorgen Thelin / Cape Clear Software 5 Security Technology to Address Challenges Confidentiality Key-based digital encryption and decryption. Authentication Username/password, key-based digital signing and signature verification, challenge-response, biometrics, smart cards, etc. Trust Key-based digital signing and signature verification. Non-repudiation Key-based digital signing and signature verification, message reliability Integrity Message Digest, itself authenticated with a digital signature. Authorization Application of policy, access control, digital rights management. Auditing Various forms of logging, themselves secured to avoid tampering.

Copyright © 2003 Jorgen Thelin / Cape Clear Software 6 Web Service Interaction Levels

Copyright © 2003 Jorgen Thelin / Cape Clear Software 7 Transport Level Security Uses existing Web tier technology such as HTTP and SSL Authentication HTTP authentication schemes – Basic or Digest SSL client side certificates Authorization URL access control policies in the web tier J2EE Servlet declarative security constraints Confidentiality SSL encrypted connections Integrity Point-to-point SSL encryption to avoid data interception

Copyright © 2003 Jorgen Thelin / Cape Clear Software 8 Message level security Security data built in to the XML message text – usually as additional SOAP header fields Authentication SSO (single sign-on) header tokens SAML authentication assertions Authorization SSO session details SAML attribute assertions Confidentiality XML Encryption specification Integrity XML Digital Signatures specification

Copyright © 2003 Jorgen Thelin / Cape Clear Software 9 Application level security A Web Service application handles its own security scheme – for example, UDDI Authentication App specific authentication messages App specific credential headers in other messages App maintains its own security domain Authorization App performs its own access control checks Confidentially App can apply an encryption scheme to some or all data fields Integrity XML Digital Signature can be used for tamper detection App specific integrity data such as MD5 hash can be sent for some or all data fields

Copyright © 2003 Jorgen Thelin / Cape Clear Software 10 Conclusions – Key Issues A Web Services security framework must support existing security products Must be an end-to-end framework to avoid any security gaps New XML security specifications are not yet stabilized or proven Use existing proven Web tier security infrastructure until XML security specifications and infrastructure is validated WS-I Basic Security Profile will deliver a standardized XML security infrastructure over time