Presentation is loading. Please wait.

Presentation is loading. Please wait.

WS-Security TC Christopher Kaler Kelvin Lawrence.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "WS-Security TC Christopher Kaler Kelvin Lawrence."— Presentation transcript:

1 WS-Security TC Christopher Kaler Kelvin Lawrence

2 2 Agenda Context for WS-Security Context for WS-Security WS-Security Elements and Example WS-Security Elements and Example TC Charter and Deliverables TC Charter and Deliverables

3 3 Web Service Security Issues Getting easier to build web services but who is sending the messages? Getting easier to build web services but who is sending the messages? Several approaches Several approaches  SSL with username and password  SSL with X509 client certificates  VPN with Kerberos  XrML, SAML, … Challenges Challenges  Computational cost  Inflexibility  Firewalls  Distributed management  Hop-to-hop vs. end-to-end Username/password Client certificates, Smart Cards, … VPN

4 4 Security and Web Services Security in a Web Services World Safer: no exposure at intermediaries Safer: no exposure at intermediaries Interoperable: broad vendor support Interoperable: broad vendor support  Leverages XML signature and XML encryption Flexible: builds on web infrastructure Flexible: builds on web infrastructure  Works with HTTP, SMTP, and transports  Works over firewall, through the DB, … Durable: security is available at the business request / application layer Durable: security is available at the business request / application layer Higher performance and scalability Higher performance and scalability  Supports both public and symmetric keys  Clients exchange security tokens and cache Easier: a simple common approach for manageable authentication, authorization, and permissions Easier: a simple common approach for manageable authentication, authorization, and permissions

5 5 A Typical Challenge CertificationPartner WebService Business Partners Company A 1. Run Application 3. Get Proof of Certification 2. Request Fails 5. Approve 5. Approve 4. Fax Certification

6 6 A WS-Security Solution CertificationPartner 1. Run Application 3. Request Succeeds 2. Get Proof of Certification WebService Business Partners Company A

7 How Does it Work? 1.Security tokens assert claims 2.Web services have policies 3.A security token service is just a web service that issues security tokens

8 8 Security Tokens X.509, Kerberos, XrML, SAML, … Security tokens assert claims IdentityKeys Privileges, rights, capabilities Custom…

9 9 Policies Policy Services have policies ? Does the request have the correct security tokens? Policies describe the required claims Security tokens assert the claims

10 10 Security Token Service Policy WebService Policy SecurityTokenService A security token service issues security tokens It is just a web service A solution may require multiple token services

11 11 Agenda Context for WS-Security Context for WS-Security WS-Security Elements and Example WS-Security Elements and Example TC Charter and Deliverables TC Charter and Deliverables

12 12 New SOAP Elements WS-Security New New  Header   Existing Existing  XML Signature  XML Encryption  Token formats (e.g., X.509, Kerberos, XrML, SAML)

13 13 <Security> SOAP:actor is optional SOAP:actor is optional One header per actor One header per actor All security information together All security information together Sub-elements are pre-pendend Sub-elements are pre-pendend Supports multiple signatures Supports multiple signatures...

14 14 Elements In Elements In Including and referencing security tokens Including and referencing security tokens   Signature Signature   Encryption Manifest Encryption Manifest   Encrypted Attachments Encrypted Attachments   Other… Other…

15 15 Simple Example Requesting a stock quote Requesting a stock quote Security token indicates username Security token indicates username Signature uses key generated from password Signature uses key generated from password

16 16 Simple Example (1 of 2) (001) (001) (002) (002) (003) (003) (004) (004) (005) http://fabrikam.org/getQuote (005) http://fabrikam.org/getQuote (006) http://fabrikam.org/stocks (006) http://fabrikam.org/stocks (007) uuid:84b9f5d0-33fb-4a81-b02b-5b760641c1d6 (007) uuid:84b9f5d0-33fb-4a81-b02b-5b760641c1d6 (008) (008) (009) (009) (010) (010) (011) Zoe (011) Zoe (012) (012) (013) (013) (014) (014) (015) (015) (016) (016)

17 17 Simple Example (2 of 2) (017) (017) (018) (018) (019) LyLsF0Pi4wPU... (019) LyLsF0Pi4wPU... (020) (020) (021) (021) (022) DJbchm5gK... (022) DJbchm5gK... (023) (023) (024) (024) (025) (025) (026) (026) (027) (027) (028) (028) (029) (029) (030) (030) (031) (031) (032) QQQ (032) QQQ (033) (033)

18 18 Agenda Context for WS-Security Context for WS-Security WS-Security Elements and Example WS-Security Elements and Example TC Charter and Deliverables TC Charter and Deliverables

19 19 WS-Security TC Charter Continue work on the Web service security foundations published in the WS-Security specification and under the context of the Web Services Security roadmap

20 20 WS-Security TC Scope Using XML signature to provide SOAP message integrity for Web services Using XML signature to provide SOAP message integrity for Web services Using XML encryption to provide SOAP message confidentiality for Web services Using XML encryption to provide SOAP message confidentiality for Web services Attaching and/or referencing security tokens in headers of SOAP messages Attaching and/or referencing security tokens in headers of SOAP messages Carrying security information for potentially multiple, designated actors Carrying security information for potentially multiple, designated actors Associating signatures with security tokens Associating signatures with security tokens Representing specific forms of binary security tokens as defined in WS-Security specification. Representing specific forms of binary security tokens as defined in WS-Security specification.

21 21 WS-Security TC Deliverables Accept as input the Web Services Security (WS- Security) Accept as input the Web Services Security (WS- Security) Produce as output a specification for Web Services Security. This specification will reflect refinements and changes made to the submitted version of WS- Security that are identified by the WSS TC members for additional functionality within the scope of the TC charter. Produce as output a specification for Web Services Security. This specification will reflect refinements and changes made to the submitted version of WS- Security that are identified by the WSS TC members for additional functionality within the scope of the TC charter. Liaise and/or forge relationships with other Web services efforts to assist in leveraging WS-Security as a part of their specifications or solutions. Liaise and/or forge relationships with other Web services efforts to assist in leveraging WS-Security as a part of their specifications or solutions. Coordinate with the chairs of the other OASIS security related groups via the Security Joint Coordination Committee. Coordinate with the chairs of the other OASIS security related groups via the Security Joint Coordination Committee. Oversee ongoing maintenance and errata of the WS- Security specification. Oversee ongoing maintenance and errata of the WS- Security specification.

22 22 Questions

Download ppt "WS-Security TC Christopher Kaler Kelvin Lawrence."

Similar presentations

WS – Security Policy Prabath Siriwardena Director, Security Architecture.

WS – Security Policy Prabath Siriwardena Director, Security Architecture.
Web Service Security CS409 Application Services Even Semester 2007.

Web Service Security CS409 Application Services Even Semester 2007.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
T-110.5140 Network Application Frameworks and XML Service Federation 30.04.2007 Sasu Tarkoma.

T Network Application Frameworks and XML Service Federation Sasu Tarkoma.
Core Web Service Security Patterns

Core Web Service Security Patterns
© 2009 The MITRE Corporation. All rights Reserved. April 28, 2009 MITRE Public Release Statement Case Number 09-017 Norman F. Brickman, Roger.

© 2009 The MITRE Corporation. All rights Reserved. April 28, 2009 MITRE Public Release Statement Case Number Norman F. Brickman, Roger.
Making VLAB Secure Javier I. Roman. What is VLAB?  An interdisciplinary consortium dedicated to the development and promotion of the theory of planetary.

Making VLAB Secure Javier I. Roman. What is VLAB?  An interdisciplinary consortium dedicated to the development and promotion of the theory of planetary.
Web Services Security Multimedia Information Engineering Lab. Yoon-Sik Yoo.

Web Services Security Multimedia Information Engineering Lab. Yoon-Sik Yoo.
Web Service Security CSCI5931 Web Security Instructor: Dr. T. Andrew Yang Student: Jue Wang.

Web Service Security CSCI5931 Web Security Instructor: Dr. T. Andrew Yang Student: Jue Wang.
Web services security I

Web services security I
Prashanth Kumar Muthoju

Prashanth Kumar Muthoju
Secure Systems Research Group - FAU Web Services Standards Presented by Keiko Hashizume.

Secure Systems Research Group - FAU Web Services Standards Presented by Keiko Hashizume.
1 Web Services Security XML Encryption, XML Signature and WS-Security.

1 Web Services Security XML Encryption, XML Signature and WS-Security.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Web Service Standards, Security & Management Chris Peiris www.ChrisPeiris.com.

Web Service Standards, Security & Management Chris Peiris
Lecture 23 Internet Authentication Applications modified from slides of Lawrie Brown.

Lecture 23 Internet Authentication Applications modified from slides of Lawrie Brown.
WS-Security: SOAP Message Security Web-enhanced Information Management (WHIM) Justin R. Wang Professor Kaiser.

WS-Security: SOAP Message Security Web-enhanced Information Management (WHIM) Justin R. Wang Professor Kaiser.
Presented at: Demonstrations and Prototypes TIM 7 Presented by: Dominic Timoteo / Shoeb Jafri SWIM Implementation Team May 04, 2011 Federal Aviation Administration.

Presented at: Demonstrations and Prototypes TIM 7 Presented by: Dominic Timoteo / Shoeb Jafri SWIM Implementation Team May 04, 2011 Federal Aviation Administration.
Web Services Security Standards Overview for the Non-Specialist Hal Lockhart Office of the CTO BEA Systems.

Web Services Security Standards Overview for the Non-Specialist Hal Lockhart Office of the CTO BEA Systems.
Dr. Bhavani Thuraisingham October 2006 Trustworthy Semantic Webs Lecture #16: Web Services and Security.

Dr. Bhavani Thuraisingham October 2006 Trustworthy Semantic Webs Lecture #16: Web Services and Security.

Similar presentations

Ads by Google