Presentation is loading. Please wait.

Presentation is loading. Please wait.

Web Services Security Standards Forum Dr. Phillip M. Hallam-Baker C.Eng. FBCS VeriSign Inc.

Published byTracy Chappell Modified over 9 years ago

Similar presentations

Presentation on theme: "Web Services Security Standards Forum Dr. Phillip M. Hallam-Baker C.Eng. FBCS VeriSign Inc."— Presentation transcript:

1 Web Services Security Standards Forum Dr. Phillip M. Hallam-Baker C.Eng. FBCS VeriSign Inc.

2 Web Services Security Standards For ‘Um For ‘um: Meeting to tell people that everyone agrees on an issue Walk the Walk or just Talk the Talk?

3 VeriSign is For ‘um Provider of Web Services –XKMS Service live over 1 year –Trust Service Integration Kit User of Web Services –Integrate multiple IT infrastructures VeriSign Signio Network Solutions Illuminet HO Systems

4 Why Everyone is For’um Web Services like email Anyone can talk to everyone Not like Power Cord  Different Mains Adapter for Every Device  $600 service fee to repair broken connector

5 And Security? Don’t want our Power Cords [Web Services] to catch Fire

6 Why Are We All For’um? Standards Benefits –Interoperability –Vendor Independence –Clearly Defined Intellectual Property Constraints Standards should be enablers, not limiters –Don’t complain if companies don’t wait for standards to catch up

7 Why Web Services Security is a Challenge Theory: This thing has 4 wheel drive But we only take it to the Mall Practice: In this environment we need 4 wheel drive

8 Why Security Is Needed Without Trust and Security… Web Services are Dead on Arrival

9 Web Services Security Groups SAML XACML XrML XKMS XML Encryption XML Signature BiometricsWS-Security Provisioning W3C Architecture OASIS Joint Security

10 And Don’t Forget… Web Services Institute –Standards are great Interoperability is better Need Profiles, Testing, etc. UDDI –Protocol specification now in OASIS www.XMLTrustCenter.org –Web Services Security Community Internet Engineering Task Force –Mainly focused on lower protocol stack layers

11 What Parts of Web Services Security Should Be Infrastructure? Operating System Subroutine Application Remote Subroutine Application Web Services Revolution

12 What Parts of Web Services Security Should Be Infrastructure? Replicate security context provided by O/S –Protected Memory Prevents modification of process state Prevents interception of function calls Prevent disclosure –Access Control Authentication Authorization Auditing

13 Problem Space Infrastructure Security Infrastructure Services Applications Confidentiality Integrity Access Control Policy Conversation Authentication Authorization Attributes TrustFunds Transfer Payroll Inventory Purchasing

14 Solution Space Applications Web Services Security Infrastructure Security Conversation Access Control Rights Management Privacy Credential Management Policy XML & Web Services Foundation XML Signature XML Encryption WSDL Description SOAP

15 Part I – XML Infrastructure

16 XML Signature & Encryption Allow node level security enhancements –Sign parts of a document –Enveloped signature is inside signed node –Detached signature signs referenced content –Detached encryption data Operate on the XML InfoSet –Not just a stream of bits

17 XML Signature Operates on the InfoSet not Just Bits Source XML Parser Application Code XML Encoded BitsXML Infoset Traditional PKCS#7 XML Signature

18 Part II – Web Services Security Infrastructure

19 Is SSL Enough? For some applications –Yes As Infrastructure –No SSL Only supports data in transit, not in storage SSL does not support multi-party transactions SSL is all or nothing –Messages are opaque to firewalls SSL does not support non-Repudiation

20 WS-Security SOAP Message Level Security –Confidentiality –Integrity –Authentication Builds on XML Standards –XML Signature & Encryption

21 Completing the Picture Request / Response Correlation –Prevent Message Substitution Attacks Response Modification Response Replay Request Replay Denial of Service

22 Part III Web Services Infrastructure Security Applications Key Management –XKMS –Key Agreement TBA Distributed Access Control –SAML –XACML –XrML Ancillary –Provisioning [SPML] –Biometrics [XCBF] –Privacy Profile [P3P]

23 XML Key Management Specification (XKMS) Management of Public Keys –Because all you need to know to communicate securely with anyone is their public key –Registration Alice registers her email signature public key –[Alice might later request reissue, revocation, recovery] –Information Bob looks up the key for alice@somecorp.com Bob checks to see if it is valid Core Objective: –Shield the client from the complexity of PKI

24 Distributed Access Control Authorization Decision –Can ‘Alice’ access the general ledger? Authentication –Is ‘Alice’ the real Alice? Attributes –Alice is a Finance department employee Authorization Policy –Finance department employees may access the general ledger.

25 Distributed Access Control Authentication UserApplication User Attributes Authorization Policy Password Biometric Smartcard etc. Single Mechanism Request Authorization Decision Permit or Deny

26 SAML Authentication UserApplication User Attributes Authorization Policy Password Biometric Smartcard etc. Single Mechanism Request Authorization Decision Permit or Deny

27 SAML Authentication Statements Authentication Authority Member Site I really am Alice Connect as Alice Authentication Assertion

28 SAML Authorization Decision and Attribute Statements Authorization Authority Attribute Authority Service Should Alice Do X? Is Alice Creditworthy ? X

29 Why Standardize Authorization Policy? Support common Authorization Policy API Move policy with controlled object –Privacy Applications Healthcare (HIPPA) EU Privacy Directive –Digital Rights Management

30 XML Access Control Markup Language Allows Access Control Policy to be expressed –Encode in XML rules such as: 1.A person may read any record for which he or she is the designated patient. 2.A person may read any record for which he or she is the designated parent or guardian, and for which the patient is under 16 years of age. 3.A physician may write any medical element for which he or she is the designated primary care physician, provided an email is sent to the patient, 4.An administrator shall not be permitted to read or write medical elements of a patient record. –Chief standards issue is naming How to identify ‘patient’, ‘record’, ‘guardian’ etc.

31 XrML Allows Digital Rights Policy to be expressed at each level in the value chain –Encode in XML rules such as: Consumer can view film 6 times within 6 months Consumer can view any content in super subscription plan for 1 month Consumer can listen to audio track X on the devices P, Q, R. Content Owner can define distributors and their respective rights on the content Chief standards issue is naming –How to identify content, constraints etc.

32 Part IV Futures Proposals on or near the table to address: –Support for Direct Trust –WSDL Description of Security Enhancements Why not now? –Need to standardize dependencies first –Maintain focus, momentum on existing work

33 Support for Direct Trust It can’t be turtles all the way down. XKMS Application Must be a static mechanism

34 WSDL Description of Security Enhancements We know what to do –WSDL description of security enhancements I support WS-Security with AES Encryption The authentication key of my service is X I always authenticate responses with Y You must perform key agreement with Z Specification is dependent on: –WSDL specification –Web Services Security Specifications

35 Conclusions Without Security and Trust: Web Services are Dead On Arrival Considerable progress has already been made –Industry wide consensus on value of standards –Basic Infrastructure is in place or in development –There is considerable consensus on the roadmap –Security need not be the show stopper

36 Web Services Security Standards Time to Say: I’m For ‘um

Download ppt "Web Services Security Standards Forum Dr. Phillip M. Hallam-Baker C.Eng. FBCS VeriSign Inc."

Similar presentations

Using PHINMS and Web-Services for Interoperability The findings and conclusions in this presentation are those of the author and do not necessarily represent.

Using PHINMS and Web-Services for Interoperability The findings and conclusions in this presentation are those of the author and do not necessarily represent.
0 McLean, VA August 8, 2006 SOA, Semantics and Security.

0 McLean, VA August 8, 2006 SOA, Semantics and Security.
Web Services Security Requirements Stephen T. Whitlock Security Architect Boeing.

Web Services Security Requirements Stephen T. Whitlock Security Architect Boeing.
Federated Digital Rights Management Mairéad Martin The University of Tennessee TERENA General Assembly Meeting Prague, CZ October 24, 2002.

Federated Digital Rights Management Mairéad Martin The University of Tennessee TERENA General Assembly Meeting Prague, CZ October 24, 2002.
A Public Web Services Security Framework Based on Current and Future Usage Scenarios J.Thelin, Chief Architect PJ.Murray, Product Manager Cape Clear Software.

A Public Web Services Security Framework Based on Current and Future Usage Scenarios J.Thelin, Chief Architect PJ.Murray, Product Manager Cape Clear Software.
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
Exchange Network Key Management Services A Security Component February 28, 2005 The Exchange Network Node Mentoring Workshop.

Exchange Network Key Management Services A Security Component February 28, 2005 The Exchange Network Node Mentoring Workshop.
XACML 2.0 and Earlier Hal Lockhart, Oracle. What is XACML? n XML language for access control n Coarse or fine-grained n Extremely powerful evaluation.

XACML 2.0 and Earlier Hal Lockhart, Oracle. What is XACML? n XML language for access control n Coarse or fine-grained n Extremely powerful evaluation.
Web Services Security Multimedia Information Engineering Lab. Yoon-Sik Yoo.

Web Services Security Multimedia Information Engineering Lab. Yoon-Sik Yoo.
Secure communications Week 10 – Lecture 2. To summarise yesterday Security is a system issue Technology and security specialists are part of the system.

Secure communications Week 10 – Lecture 2. To summarise yesterday Security is a system issue Technology and security specialists are part of the system.
Using Digital Credentials On The World-Wide Web M. Winslett.

Using Digital Credentials On The World-Wide Web M. Winslett.
95-804 Applied Cryptography Week 13 SAML 1 95-804 Applied Cryptography SAML and XACML Mike McCarthy Week 13.

Applied Cryptography Week 13 SAML Applied Cryptography SAML and XACML Mike McCarthy Week 13.
Securing Web Services Using Semantic Web Technologies Brian Shields PhD Candidate, Department of Information Technology, National University of Ireland,

Securing Web Services Using Semantic Web Technologies Brian Shields PhD Candidate, Department of Information Technology, National University of Ireland,
Applied Cryptography for Network Security

Applied Cryptography for Network Security
Web services security I

Web services security I
Secure Systems Research Group - FAU Web Services Standards Presented by Keiko Hashizume.

Secure Systems Research Group - FAU Web Services Standards Presented by Keiko Hashizume.
XACML Briefing for PMRM TC Hal Lockhart July 8, 2014.

XACML Briefing for PMRM TC Hal Lockhart July 8, 2014.
Wolfgang Schneider NSI: A Client-Server-Model for PKI Services.

Wolfgang Schneider NSI: A Client-Server-Model for PKI Services.
Deploying a Certification Authority for Networks Security Prof. Dr. VICTOR-VALERIU PATRICIU Cdor.Prof. Dr. AUREL SERB Computer Engineering Department Military.

Deploying a Certification Authority for Networks Security Prof. Dr. VICTOR-VALERIU PATRICIU Cdor.Prof. Dr. AUREL SERB Computer Engineering Department Military.

Similar presentations

Ads by Google