Presentation is loading. Please wait.

Presentation is loading. Please wait.

Copyright © 2003 Jorgen Thelin / Cape Clear Software 1 A Web Services Security Framework Jorgen Thelin Chief Scientist Cape Clear Software Inc.

Published byEverett Adams Modified over 8 years ago

Similar presentations

Presentation on theme: "Copyright © 2003 Jorgen Thelin / Cape Clear Software 1 A Web Services Security Framework Jorgen Thelin Chief Scientist Cape Clear Software Inc."— Presentation transcript:

1 Copyright © 2003 Jorgen Thelin / Cape Clear Software 1 A Web Services Security Framework Jorgen Thelin Chief Scientist Cape Clear Software Inc.

2 Copyright © 2003 Jorgen Thelin / Cape Clear Software 2 4 Main Concerns of a Security Framework Authentication – identity Who is the caller? How do we prove they are who they say they are? Authorization – access control What is the caller authorized to do? Is the caller permitted by perform the operation it is requesting? Confidentiality – encryption How do we prevent snoopers viewing our messages and data? Integrity – tamper-proofing How do we prevent messages being tampered with between sender and receiver?

3 Copyright © 2003 Jorgen Thelin / Cape Clear Software 3 Non-Repudiation This is ultimately the major business requirement for a security framework Can a trading partner possibly claim that: They didn't send a message They sent a different message from the one you received Requires framework support for: Authentication – we know who sent the message Integrity – the message did not change in transit Audit record storage – we can prove what happened

4 Copyright © 2003 Jorgen Thelin / Cape Clear Software 4 Security Challenges Confidentiality Can prying eyes see it? Authentication Are you who you say you are? Trust Have I agreed to work with you? Non-repudiation Can you claim that you didn't send or receive it even if you did? Integrity Was it altered before I got it? Authorization Are you allowed to have it? Auditing Can I prove what happened?

5 Copyright © 2003 Jorgen Thelin / Cape Clear Software 5 Security Technology to Address Challenges Confidentiality Key-based digital encryption and decryption. Authentication Username/password, key-based digital signing and signature verification, challenge-response, biometrics, smart cards, etc. Trust Key-based digital signing and signature verification. Non-repudiation Key-based digital signing and signature verification, message reliability Integrity Message Digest, itself authenticated with a digital signature. Authorization Application of policy, access control, digital rights management. Auditing Various forms of logging, themselves secured to avoid tampering.

6 Copyright © 2003 Jorgen Thelin / Cape Clear Software 6 Web Service Interaction Levels

7 Copyright © 2003 Jorgen Thelin / Cape Clear Software 7 Transport Level Security Uses existing Web tier technology such as HTTP and SSL Authentication HTTP authentication schemes – Basic or Digest SSL client side certificates Authorization URL access control policies in the web tier J2EE Servlet declarative security constraints Confidentiality SSL encrypted connections Integrity Point-to-point SSL encryption to avoid data interception

8 Copyright © 2003 Jorgen Thelin / Cape Clear Software 8 Message level security Security data built in to the XML message text – usually as additional SOAP header fields Authentication SSO (single sign-on) header tokens SAML authentication assertions Authorization SSO session details SAML attribute assertions Confidentiality XML Encryption specification Integrity XML Digital Signatures specification

9 Copyright © 2003 Jorgen Thelin / Cape Clear Software 9 Application level security A Web Service application handles its own security scheme – for example, UDDI Authentication App specific authentication messages App specific credential headers in other messages App maintains its own security domain Authorization App performs its own access control checks Confidentially App can apply an encryption scheme to some or all data fields Integrity XML Digital Signature can be used for tamper detection App specific integrity data such as MD5 hash can be sent for some or all data fields

10 Copyright © 2003 Jorgen Thelin / Cape Clear Software 10 Conclusions – Key Issues A Web Services security framework must support existing security products Must be an end-to-end framework to avoid any security gaps New XML security specifications are not yet stabilized or proven Use existing proven Web tier security infrastructure until XML security specifications and infrastructure is validated WS-I Basic Security Profile will deliver a standardized XML security infrastructure over time

Download ppt "Copyright © 2003 Jorgen Thelin / Cape Clear Software 1 A Web Services Security Framework Jorgen Thelin Chief Scientist Cape Clear Software Inc."

Similar presentations

Public Key Infrastructure and Applications

Public Key Infrastructure and Applications
0 McLean, VA August 8, 2006 SOA, Semantics and Security.

0 McLean, VA August 8, 2006 SOA, Semantics and Security.
Copyright © 2003 Jorgen Thelin / Cape Clear Software Identity, Security and XML Web Services Jorgen Thelin Chief Scientist Cape Clear Software Inc. E-mail:

Copyright © 2003 Jorgen Thelin / Cape Clear Software Identity, Security and XML Web Services Jorgen Thelin Chief Scientist Cape Clear Software Inc.
Web Service Security CS409 Application Services Even Semester 2007.

Web Service Security CS409 Application Services Even Semester 2007.
Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.

Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.
A Public Web Services Security Framework Based on Current and Future Usage Scenarios J.Thelin, Chief Architect PJ.Murray, Product Manager Cape Clear Software.

A Public Web Services Security Framework Based on Current and Future Usage Scenarios J.Thelin, Chief Architect PJ.Murray, Product Manager Cape Clear Software.
Confidentiality and Privacy Controls

Confidentiality and Privacy Controls
Lecture 2: Security Rachana Ananthakrishnan Argonne National Lab.

Lecture 2: Security Rachana Ananthakrishnan Argonne National Lab.
Http Web Authentication Web authentication is used to verify a users identity before allowing access to certain web pages On web browsers you get a login.

Http Web Authentication Web authentication is used to verify a users identity before allowing access to certain web pages On web browsers you get a login.
1 Pertemuan 12 Authentication, Encryption, Digital Payments, and Digital Money Matakuliah: M0284/Teknologi & Infrastruktur E-Business Tahun: 2005 Versi:

1 Pertemuan 12 Authentication, Encryption, Digital Payments, and Digital Money Matakuliah: M0284/Teknologi & Infrastruktur E-Business Tahun: 2005 Versi:
Grid Security. Typical Grid Scenario Users Resources.

Grid Security. Typical Grid Scenario Users Resources.
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Web Services and the Semantic Web: Open Discussion Session Diana Geangalau Ryan Layfield.

Web Services and the Semantic Web: Open Discussion Session Diana Geangalau Ryan Layfield.
Core Web Service Security Patterns

Core Web Service Security Patterns
© 2007 Charteris plc20 June 2015 1 1 Extending Web Service Security with WS-* Presented by Chris Seary MVP Charteris plc, 39-40 Bartholomew Close, London.

© 2007 Charteris plc20 June Extending Web Service Security with WS-* Presented by Chris Seary MVP Charteris plc, Bartholomew Close, London.
Email Security Jonathan Calazan December 12, 2005.

Security Jonathan Calazan December 12, 2005.
Security on the Internet Jan Damsgaard Dept. of Informatics Copenhagen Business School

Security on the Internet Jan Damsgaard Dept. of Informatics Copenhagen Business School
Web services security I

Web services security I
Prashanth Kumar Muthoju

Prashanth Kumar Muthoju

Similar presentations

Ads by Google