Web Services Security Multimedia Information Engineering Lab. Yoon-Sik Yoo.

1 Web Services Security Multimedia Information Engineering Lab. Yoon-Sik Yoo

2 Contents
- Introduction
- Basic Security for Transmission over HTTP
- Web Services and Secure Sockets Layer (SSL)
- XML Signature and XML Encryption
- XML Key Management Specification (XKMS)
- Security Assertion Markup Language (SAML)
- Extensible Access Control Markup Language (XACML)
- Authentication and Authorization for Web Services
- Web Services and Network Security

3 Introduction Web services require end-to-end security for transactions that span multiple computers. Interoperability is fundamental to Web services security, because transmissions often occur across multiple platforms and must be secured at all times.

4 Basic Security for Transmission over HTTP The security methods outlined in the HTTP specification are weak (HTTP itself provides no mechanism for encrypting the body of a message). For stronger security, HTTP security should be combined with other security technologies, such as SSL and Kerberos.

5 Web Services and Secure Sockets Layer (SSL) SSL is considered the next step beyond basic security for Web services. SSL employs user credentials and certificates, which are sometimes too large, and it removes the ability to record who initiated each step of a transaction. [Figure: protocol stack with SSL sitting between the Transport Layer and the Application Layer, above the Internet Layer]

6 XML Signature and XML Encryption XML-based applications raise significant security concerns, in part because XML documents are encoded in plain text rather than in a binary form. Digital signatures solve this problem by verifying document integrity.

7 XML Signature and XML Encryption [Figure: plain-text document]

8 XML Signature and XML Encryption: XML Signature (W3C Recommendation, February 2002) …

9 XML Signature and XML Encryption: XML Encryption (W3C Recommendation, December 2002)
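The signature layout the XML Signature slides refer to (a SignedInfo holding a Reference with its DigestValue, and a SignatureValue computed over the canonicalized SignedInfo), as an added Python example that is not from the slides: HMAC-SHA256 stands in for an RSA key so the block runs with the standard library alone, and the shared key, the ds: prefix handling and the sample purchase order are assumptions made here.

```python
import base64, hashlib, hmac
import xml.etree.ElementTree as ET

DSIG = "http://www.w3.org/2000/09/xmldsig#"
HMAC_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
KEY = b"constructed-shared-secret"  # assumption: a pre-shared key, not a real secret
ET.register_namespace("ds", DSIG)   # keep the ds: prefix stable when re-serializing

def c14n(xml_text):
    # Canonicalize (C14N 2.0) before hashing, so attribute order, whitespace in
    # tags and empty-element syntax do not change the digest of the same content.
    return ET.canonicalize(xml_text).encode()

def b64_sha256(data):
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def sign(doc_xml, key=KEY):
    # Reference URI="" means the digest covers the whole referenced document.
    signed_info = (
        f'<ds:SignedInfo xmlns:ds="{DSIG}">'
        f'<ds:SignatureMethod Algorithm="{HMAC_SHA256}"/>'
        f'<ds:Reference URI=""><ds:DigestMethod Algorithm="{SHA256}"/>'
        f'<ds:DigestValue>{b64_sha256(c14n(doc_xml))}</ds:DigestValue>'
        f'</ds:Reference></ds:SignedInfo>'
    )
    mac = hmac.new(key, c14n(signed_info), hashlib.sha256).digest()
    return (f'<ds:Signature xmlns:ds="{DSIG}">{signed_info}<ds:SignatureValue>'
            f'{base64.b64encode(mac).decode()}</ds:SignatureValue></ds:Signature>')

def verify(doc_xml, signature_xml, key=KEY):
    sig = ET.fromstring(signature_xml)
    signed_info = sig.find(f"{{{DSIG}}}SignedInfo")
    sig_value = sig.findtext(f"{{{DSIG}}}SignatureValue")
    digest_value = sig.findtext(
        f"{{{DSIG}}}SignedInfo/{{{DSIG}}}Reference/{{{DSIG}}}DigestValue")
    if signed_info is None or sig_value is None or digest_value is None:
        return False
    # Signature validation: recompute the MAC over the canonical SignedInfo.
    expected = hmac.new(key, c14n(ET.tostring(signed_info, encoding="unicode")),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, base64.b64decode(sig_value)):
        return False
    # Reference validation: the digest carried in SignedInfo must match the document
    # actually received. Both checks are required; the MAC alone only proves that
    # SignedInfo is intact, not that the document it points to is unchanged.
    return hmac.compare_digest(digest_value.encode(), b64_sha256(c14n(doc_xml)).encode())
```

Canonicalization is what lets the same purchase order verify whether its attributes arrive as `id="42" currency="USD"` or the other way round, while any change to the order's content or to SignedInfo fails one of the two checks.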

10 XML Key Management Specification (XKMS) XKMS is a specification for registering and distributing encryption keys for Public Key Infrastructure (PKI) in Web services. XKMS was developed by Microsoft, VeriSign and webMethods, but is now a W3C initiative. XKMS was designed for use with XML Signature and XML Encryption.

11 XML Key Management Specification (XKMS) XKMS consists of two specifications:
- XML Key Information Service Specification (X-KISS): the set of protocols that process key information (located in an XML Signature's KeyInfo element).
- XML Key Registration Service Specification (X-KRSS): the set of certificate-management protocols that addresses the life of a digital certificate, from registration to revocation and recovery.

12 XML Key Management Specification (XKMS) XML Key Information Service Specification (X-KISS) [Figure: X-KISS locate flow. A Signature Processing Application takes the key name QR9432YZ5 from a signature's KeyInfo and sends it to the Key Location Service, which looks the name up in the Key Database and returns the matching X.509 certificate (MIICXTCCA..).]

13 XML Key Management Specification (XKMS) XML Key Registration Service Specification (X-KRSS) [Figure: X-KRSS registration flow. The Client generates a key pair and sends the X-KRSS Service a request containing HMAC[Name, PublicKey] and a Proof of Possession; the service records the key in the Certificate Repository and returns Registration Result: Success.]

14 Security Assertion Markup Language (SAML) SAML is a standard for transferring authentication, authorization and permissions information over the Internet. SAML is a form of Permissions Management Infrastructure (PMI). The SAML protocol was developed by combining two competing XML security standards:
- Securant Technologies' AuthXML
- Netegrity's Security Services Markup Language (S2ML)

15 Security Assertion Markup Language (SAML) SAML also provides a method for single sign-on authentication and authorization. SAML-based applications can provide single sign-on across disparate sites and platforms.

16 Security Assertion Markup Language (SAML) Single sign-on example using SAML [Figure: six numbered steps between JoeFlooring.com and BobsAppliances.com, which share previously established trust. Labels on the diagram: Login, Create SAML assertion and token, Present Login Information, Authentication, PEP/PDP Enforcement point, PIP, Protected.]

17 Extensible Access Control Markup Language (XACML) Developed by OASIS, XACML is a markup language that allows organizations to communicate their policies for accessing online information. XACML defines which clients can access information, what information is available to clients, when clients can access the information and how clients can gain access to it.
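The single sign-on flow from the SAML slide (JoeFlooring.com authenticates a user and issues an assertion, BobsAppliances.com's PEP and PDP decide whether to honour it) together with the XACML notion of a policy stating which clients may reach which information and when, as an added Python example that is not from the slides: dict-based assertions signed with HMAC stand in for SAML XML, and the shared issuer key, site names, roles and policy table are all constructed here.

```python
import hashlib, hmac, json, time

# "Previously established trust": the SP keeps one shared key per trusted issuer.
TRUSTED_ISSUERS = {"JoeFlooring.com": b"constructed-key-joeflooring"}
# Constructed policy at BobsAppliances.com: which roles may reach which resource.
POLICY = {"/orders": {"buyer", "admin"}, "/admin": {"admin"}}

def _mac(key, claims):
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def create_assertion(issuer, key, subject, audience, roles, ttl=300, now=None):
    # IdP step "Create SAML assertion and token": who logged in, for which
    # audience, with which roles, and for how long the statement is valid.
    now = time.time() if now is None else now
    claims = {"id": f"_{int(now)}-{subject}", "issuer": issuer, "subject": subject,
              "audience": audience, "roles": sorted(roles),
              "not_before": now, "not_on_or_after": now + ttl}
    return {"claims": claims, "signature": _mac(key, claims)}

class PolicyDecisionPoint:
    def __init__(self, audience):
        self.audience = audience
        self.seen_ids = set()  # assertion ids are one-time use (replay check)

    def decide(self, assertion, resource, now=None):
        now = time.time() if now is None else now
        c = assertion.get("claims", {})
        key = TRUSTED_ISSUERS.get(c.get("issuer"))
        if key is None:
            return "Deny: untrusted issuer"
        if not hmac.compare_digest(_mac(key, c), assertion.get("signature", "")):
            return "Deny: bad signature"
        if c.get("audience") != self.audience:
            return "Deny: issued for another audience"
        if not c.get("not_before", 0) <= now < c.get("not_on_or_after", 0):
            return "Deny: expired or not yet valid"
        if c["id"] in self.seen_ids:
            return "Deny: assertion replayed"
        self.seen_ids.add(c["id"])
        if not POLICY.get(resource, set()) & set(c.get("roles", [])):
            return "Deny: role not permitted for resource"
        return "Permit"

def enforce(pdp, assertion, resource, now=None):
    # PEP: the only component in front of the resource; it acts on the decision.
    return pdp.decide(assertion, resource, now) == "Permit"
```

The order of the checks matters: issuer trust and signature come before any claim is believed, audience and validity window before the policy lookup, so an assertion issued to another site or replayed later never reaches the role decision.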

18 Authentication and Authorization for Web Services Basic authentication and authorization techniques are not sufficient to secure Web services transactions. The latest Web services products use a combination of security mechanisms, including Kerberos and single sign-on. Authentication and authorization systems designed for use with Web services:
- Microsoft's Passport
- Sun's Liberty Alliance and AOL Time Warner's Screen Name Services

19 Web Services and Network Security Networks typically authenticate users before allowing access to protected resources. However, Web services are often designed to use single sign-on, which allows access to applications on the basis of another source's authentication credentials. Firewalls between Web services and internal resources prevent Web service users from accessing protected information.

20 Web Services and Network Security Web services security is an ongoing process, not a one-time solution. Thus, administrators using Web services need to stay apprised of all security developments and update their systems regularly.
