Presentation is loading. Please wait.

Presentation is loading. Please wait.

W3C Web Services Architecture Security Discussion Kick-Off Abbie Barbir, Ph.D. Nortel Networks.

Published byMarvin Gibson Modified over 8 years ago

Similar presentations

Presentation on theme: "W3C Web Services Architecture Security Discussion Kick-Off Abbie Barbir, Ph.D. Nortel Networks."— Presentation transcript:

1 W3C Web Services Architecture Security Discussion Kick-Off Abbie Barbir, Ph.D. abbieb@nortelnetworks.com Nortel Networks

2 1 Agenda Web Services Security RequirementsWeb Services Security Requirements Brief Review of Web Services Security WorkBrief Review of Web Services Security Work DiscussionDiscussion Next StepsNext Steps

3 2 Web Services Security Requirements Authentication to verify identity Authorization to access resources Confidentiality such that information is accessible only to intended parties Data integrity of transactions and communications Non-repudiation so that party to a transaction cannot deny the transaction Controlled access to systems and their components Integrate with Enterprise Security policies End-to-end integrity and confidentiality of messages QOS, Reliability, Scalability, and Manageability

4 3 Web Services in a Nutshell Transport (TCP/IP, UDP,…) Transfer (HTTP, SMTP, …. ) XML + Namespaces + Information Set SOAP WS Routing WS Referral WS Security XML SchemaRDF?, DAML?... Subscribe Search Register WSCI BPEL4WS WSDL WS messagingWS descriptionsWS discovery Envelope (MIME, DIME, BEEP, …. ) Canonical XML XML Encryption XML Signature WS Coordination WS Transaction UDDI WS-Inspection SAML WS License

5 4 TLS/SSL Protocol Provides the following properties: Authentication One-way authentication (in general) Privacy Data encryption, Integrity Connection is reliable (Message integrity check) Point to point based, not application specific Can be used behind firewalls Out of band operations Customers Suppliers Sellers Security Context Audit Trail End to End Security SOAP Requires Security in the MessageSOAP Requires Security in the Message SSL

6 5 Web Services Security Resources Security Assertion Markup Language (SAML) An XML based framework for exchanging security information –Enables disparate security services systems to interoperate A set of specifications that define its components: –Assertions and request/response protocols –An assertion is a declaration of fact about a subject user, based on an assertion issuer –SAML has three kinds, all related to security: –Authentication ; Attribute ; Authorization decision –Assertions can be digitally signed

7 6 SAML: Single Sign On (SSO) Authentication Server 1 1 1 1 4 4 4 4 3 3 3 3 Web Services Server 2 2 LDAP Directory 2 2 LDAP Directory Requestor SAML: How It Works 1.User accesses authentication server Authentication server asks for user ID and password 2.End user enters ID and password Authentication server checks with LDAP directory and authenticates user 3.End user requests a resource from destination/Web services server Authentication server opens a session with destination server 4.Authentication server sends uniform resource identifier (URI) to end user End user browser is redirected to URI, that connects him to Web service

8 7 Web Services Security Resources XML Key Management Specification (XKMS) Integrating PKI with Web Services Shield applications from the complexity of PKI –Delegate details of digital certificate processing to a separate Web service. Protocols for distributing and registering public keys XML Key Information Service Specification (X-KISS) –Application delegates, to a service, the processing of Key Information associated with an XML signature, XML encryption, or other public key XML Key Registration Service Specification (X-KRSS) –Protocol for registration of a key pair by a key pair holder, with the intent that the key pair subsequently is usable in conjunction with X-KISS.

9 8 XACML: Communicating Policy Information XML Access Control Markup Language (XACML) Closely related to SAML How policy information related to access control is expressed and transferred Rules that defines what Web services can exercise or what it can access –Privileges for which XML documents For example, a healthcare provider can specify which portions of a patient’s Medical record could be exposed to appropriate parties Web Services Security Resources

10 9 Message Integrity and Confidentiality XML-Signature / XML-Encryption Provide mechanisms for handling whole or partial documents Address varying requirements for access authority, confidentiality and data integrity within one document Need XML Canonical Form Web Services Security Resources

11 10 Some thoughts about SOAP SOAP is an intrinsically complex specification SOAP can easily pass through firewalls Moves security issues and protocol developments into the hands of the software developers –May not have the proper training or background Firewalls may need to do XML parsing to recognize SOAP –Cannot easily do pattern recognition –Example, various ways of encoding binary data Any method could be a read method or a write method –Harder to track actions or do action filtering In Web Services a single URI can be a SOAP endpoint that is used for many resources

12 11 WS-Security Securing SOAPSecuring SOAP Work in progressWork in progress OASIS basedOASIS based Supported by major playersSupported by major players Ensures InteroperabilityEnsures Interoperability Web Services Security Resources XML Encryption Multiple Parties Document parts Confidentiality SOAP Message WS-Security: Signature, Encryption SAML Token: Authentication, Authorization XML Signature: Integrity X.509 Certificate: Encryption, Signature verification XML Schema Validation

13 12 Discussion 1.WSA architecture and WSS 2.Need to see how other requirements such as Reliability, QoS effects security 3.Need to incorporate any requirements on security as a result from WSA work 4.Need to decide how to go about them W3C or OASIS or What

Download ppt "W3C Web Services Architecture Security Discussion Kick-Off Abbie Barbir, Ph.D. Nortel Networks."

Similar presentations

Siebel Web Services Siebel Web Services March, From

Siebel Web Services Siebel Web Services March, From
OOI-CI–Ragouzis–2007.10.15 Ocean Observatories Initiative Cyberinfrastructure Component CI Design Workshop 17-19 October 2007.

OOI-CI–Ragouzis– Ocean Observatories Initiative Cyberinfrastructure Component CI Design Workshop October 2007.
Web Service Security CS409 Application Services Even Semester 2007.

Web Service Security CS409 Application Services Even Semester 2007.
0 Web Service Security JongSu Bae. 1  Introduction 2. Web Service Security 3. Web Service Security Mechanism 4. Tool Support 5. Q&A  Contents.

0 Web Service Security JongSu Bae. 1  Introduction 2. Web Service Security 3. Web Service Security Mechanism 4. Tool Support 5. Q&A  Contents.
Lecture 23 Internet Authentication Applications

Lecture 23 Internet Authentication Applications
1 Security Assertion Markup Language (SAML). 2 SAML Goals Create trusted security statements –Example: Bill’s address is and he was authenticated.

1 Security Assertion Markup Language (SAML). 2 SAML Goals Create trusted security statements –Example: Bill’s address is and he was authenticated.
SOA and Web Services. SOA Architecture Explaination Transport protocols - communicate between a service and a requester. Messaging layer - enables the.

SOA and Web Services. SOA Architecture Explaination Transport protocols - communicate between a service and a requester. Messaging layer - enables the.
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Christopher Irish David Orr Sophya Kheim Adam Lange Daniel Palma

Christopher Irish David Orr Sophya Kheim Adam Lange Daniel Palma
Web Services and the Semantic Web: Open Discussion Session Diana Geangalau Ryan Layfield.

Web Services and the Semantic Web: Open Discussion Session Diana Geangalau Ryan Layfield.
Latest techniques and Applications in Interprocess Communication and Coordination Xiaoou Zhang.

Latest techniques and Applications in Interprocess Communication and Coordination Xiaoou Zhang.
Web Services Security Multimedia Information Engineering Lab. Yoon-Sik Yoo.

Web Services Security Multimedia Information Engineering Lab. Yoon-Sik Yoo.
95-804 Applied Cryptography Week 13 SAML 1 95-804 Applied Cryptography SAML and XACML Mike McCarthy Week 13.

Applied Cryptography Week 13 SAML Applied Cryptography SAML and XACML Mike McCarthy Week 13.
Securing Web Services Using Semantic Web Technologies Brian Shields PhD Candidate, Department of Information Technology, National University of Ireland,

Securing Web Services Using Semantic Web Technologies Brian Shields PhD Candidate, Department of Information Technology, National University of Ireland,
CS 522 WebServices -Sujeeth Narayan -Ankur Patwa.

CS 522 WebServices -Sujeeth Narayan -Ankur Patwa.
Web Service Security CSCI5931 Web Security Instructor: Dr. T. Andrew Yang Student: Jue Wang.

Web Service Security CSCI5931 Web Security Instructor: Dr. T. Andrew Yang Student: Jue Wang.
Web services security I

Web services security I
Prashanth Kumar Muthoju

Prashanth Kumar Muthoju
Secure Systems Research Group - FAU Web Services Standards Presented by Keiko Hashizume.

Secure Systems Research Group - FAU Web Services Standards Presented by Keiko Hashizume.

Similar presentations

Ads by Google