
1 Andrew J. Hewatt, Gayatri Swamynathan and Michael T. Wen Department of Computer Science, UC-Santa Barbara A Case Study of the WS-Security Framework

2 (06.03.2005) Why talk about security?
- Security in the web services industry is of great importance and a deciding factor for many corporations when moving to a web services software architecture.
- The WS-Framework was created by a collection of industry leaders to be the solution to this.
- Our case study focuses on the security of the WS-Framework and its extensions to determine if they are indeed adequate.

Outline: Introduction; WS-Framework; Loan Bidding Scenario; Security Requirements; WS-Security; WS-Policy; WS-Trust; WS-Secure Conversation; Conclusions

3 WS-Framework Defined
- The framework and its extensions were meant to enable two parties to communicate securely via SOAP messaging.
- There are currently six extensions that reside on top of WS-Security and SOAP. Two of these have been defined but are not yet published.
- We chose to focus on the WS-Security, WS-Trust, WS-Policy and WS-SecureConversation modules, which we feel encompass most of the security areas within our scenario.

4 WS-Framework Overview (layered diagram, bottom to top)
- Foundation: SOAP, XML Encryption, XML Digital Signature
- Security extensions: WS-Security (alongside XKMS, SAML, XACML and SPML)
- On top of WS-Security: WS-Policy, WS-Trust, WS-Privacy
- On top of those: WS-SecureConversation, WS-Federation, WS-Authorization

5 Defining The Scenario
- A single client will send a request with a loan amount and time period to a loan bidding website.
- The website will then iterate this query to all selected banks, who will then formulate a response.
- The website will gather all responses and display the corresponding interest rates to the user.

6 Module Interactions (diagram)
Entities shown: Client; Loan Website; Bank A, Bank Y, Bank Z (the flow of slide 5); on the bank side, Loan Services, Commodity Trading and Risk Management modules behind a Partner Interface, with NYSE Trading Services and Partners A, B and C as external parties.

7 Security Interactions (diagram)
The same entities as slide 6, with a Security Module added on the bank side between the service modules and the Partner Interface.

8 Security Requirements
- Identity Management: each entity must be able to identify itself to the party it wants to communicate with.
- Policy Management: each entity enforces policies with other entities, e.g. message format, who has access to what, what one needs to process.
- Secure Messaging: authentication, confidentiality, integrity, non-repudiation.

9 WS-Security
- Goal: provide message-level security which addresses confidentiality, integrity, and single-message authentication.
- Non-goals:
  - Establishing a security context that requires multiple exchanges
  - Key exchange and derived keys
  - How trust is established or determined
- Two main parts, both carried in the wsse:Security SOAP header: the encrypted message (XML Encryption) and the signature (XML Digital Signature), each bound to a security token.

10 Security Message (annotated SOAP example; the XML itself did not survive extraction)
Callouts on the message: the security token with ID="MyToken"; the key used for the signature; the key used to encrypt the message; the Signature element, which contains the signature algorithm, key info, and signature value.
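The slide's message shows where the token, the signature and the encryption key live inside the wsse:Security header. What it does not show is what a receiver has to check about that structure before handing the Body to the loan service. The following is an added example, not code from the presentation or its authors: a constructed sample envelope (placeholder digest and signature values, truncated certificate, assumed receive time) and the structural checks a practitioner runs in front of the cryptographic XML-Signature verification, including the XML signature wrapping case where an attacker moves the signed Body into the Header and substitutes a new one.

```python
# Added example (not from the slides): structural checks a WS-Security receiver should
# run before trusting a signed SOAP Body. Cryptographic verification of the XML Signature
# (canonicalisation, digests, signature value) is assumed to happen in a library afterwards;
# these checks cover what a resolve-Reference-by-Id library does not.
import datetime as dt
import xml.etree.ElementTree as ET

NS = {
    "s": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
WSU_ID = "{%s}Id" % NS["wsu"]
MUST_UNDERSTAND = "{%s}mustUnderstand" % NS["s"]
NOW = dt.datetime(2005, 3, 6, 10, 1, tzinfo=dt.timezone.utc)   # assumed receive time

# Constructed sample for the loan scenario. Digest/signature values are placeholders and the
# certificate is truncated: the structural checks below never look at those bytes.
SAMPLE = """<s:Envelope xmlns:s="%(s)s" xmlns:wsse="%(wsse)s" xmlns:wsu="%(wsu)s" xmlns:ds="%(ds)s">
 <s:Header>
  <wsse:Security s:mustUnderstand="1">
   <wsu:Timestamp wsu:Id="TS-1">
    <wsu:Created>2005-03-06T10:00:00Z</wsu:Created><wsu:Expires>2005-03-06T10:05:00Z</wsu:Expires>
   </wsu:Timestamp>
   <wsse:BinarySecurityToken wsu:Id="MyToken"
     ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
     EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">MIIB...</wsse:BinarySecurityToken>
   <ds:Signature>
    <ds:SignedInfo>
     <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
     <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
     <ds:Reference URI="#TS-1"><ds:DigestValue>cGxhY2Vob2xkZXI=</ds:DigestValue></ds:Reference>
     <ds:Reference URI="#Body-1"><ds:DigestValue>cGxhY2Vob2xkZXI=</ds:DigestValue></ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue>
    <ds:KeyInfo><wsse:SecurityTokenReference><wsse:Reference URI="#MyToken"/></wsse:SecurityTokenReference></ds:KeyInfo>
   </ds:Signature>
  </wsse:Security>
 </s:Header>
 <s:Body wsu:Id="Body-1"><LoanRequest><Amount>10000</Amount><Months>36</Months></LoanRequest></s:Body>
</s:Envelope>""" % NS


def _parse_utc(text):
    return dt.datetime.strptime(text.strip(), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


def check_envelope(xml_text, now):
    """Return a list of problems found; an empty list means every structural check passed."""
    problems = []
    root = ET.fromstring(xml_text)
    header, body = root.find("s:Header", NS), root.find("s:Body", NS)
    if header is None or body is None:
        return ["missing s:Header or s:Body"]
    # 1. Exactly one Security header, marked mustUnderstand so it cannot be skipped silently.
    secs = header.findall("wsse:Security", NS)
    if len(secs) != 1:
        return ["expected one wsse:Security header, found %d" % len(secs)]
    sec = secs[0]
    if sec.get(MUST_UNDERSTAND) not in ("1", "true"):
        problems.append("wsse:Security is not marked mustUnderstand")
    # 2. Index every wsu:Id. A duplicate means one element's digest is being passed off for another.
    by_id = {}
    for el in root.iter():
        if el.get(WSU_ID) is not None:
            by_id.setdefault(el.get(WSU_ID), []).append(el)
    problems += ["duplicate wsu:Id %s" % i for i, els in by_id.items() if len(els) > 1]
    # 3. Freshness: the receive time must fall inside [Created, Expires].
    ts = sec.find("wsu:Timestamp", NS)
    created = ts.findtext("wsu:Created", namespaces=NS) if ts is not None else None
    expires = ts.findtext("wsu:Expires", namespaces=NS) if ts is not None else None
    if created is None or expires is None:
        problems.append("missing or incomplete wsu:Timestamp")
    elif not (_parse_utc(created) <= now <= _parse_utc(expires)):
        problems.append("message outside its Created/Expires window")
    # 4. Resolve each Reference by Id, then insist the *actual* Body and Timestamp are covered.
    sig = sec.find("ds:Signature", NS)
    if sig is None:
        return problems + ["no ds:Signature in wsse:Security"]
    signed = set()
    for ref in sig.findall("ds:SignedInfo/ds:Reference", NS):
        uri = ref.get("URI", "")
        if not uri.startswith("#"):
            problems.append("non-local reference %r" % uri)
        signed.update(id(el) for el in by_id.get(uri[1:], []))
    if id(body) not in signed:
        problems.append("the s:Body element itself is not covered by the signature")
    if ts is not None and id(ts) not in signed:
        problems.append("the wsu:Timestamp is not covered by the signature")
    # 5. The signing key must be a token carried in this same header.
    kref = sig.find("ds:KeyInfo/wsse:SecurityTokenReference/wsse:Reference", NS)
    tokens = {t.get(WSU_ID) for t in sec.findall("wsse:BinarySecurityToken", NS)}
    if kref is None or kref.get("URI", "")[1:] not in tokens:
        problems.append("signature key does not reference a token in the Security header")
    return problems


def wrapping_attack(xml_text):
    """Constructed attacker transform (XML signature wrapping): park the signed Body under a
    wrapper in the Header, where its digest still verifies, and put an unsigned Body with
    different content in its place."""
    root = ET.fromstring(xml_text)
    header, body = root.find("s:Header", NS), root.find("s:Body", NS)
    root.remove(body)
    ET.SubElement(header, "Wrapper").append(body)
    fake = ET.SubElement(root, "{%s}Body" % NS["s"])
    ET.SubElement(ET.SubElement(fake, "LoanRequest"), "Amount").text = "1000000"
    return ET.tostring(root, encoding="unicode")


def id_collision_attack(xml_text):
    """Same, but the fake Body reuses wsu:Id="Body-1", so resolving the Reference by Id finds
    a 'signed' Body; only the duplicate-Id check catches this variant."""
    root = ET.fromstring(wrapping_attack(xml_text))
    root.find("s:Body", NS).set(WSU_ID, "Body-1")
    return ET.tostring(root, encoding="unicode")
```

The check that matters most is step 4: it is not enough that some element with the referenced Id was signed; the element the application will read (the child of s:Envelope named s:Body) must be the one the digest covers. Step 2 closes the remaining gap where the attacker simply reuses the Id.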

11 A Bad Example
- WS-Security alone is not enough to address the security issues.
- Scenario: an eavesdropper listens to the message traffic between two parties. Because WS-Security protects each message on its own, the same symmetric key is reused for the whole exchange; the attacker collects ciphertext under that one key for as long as it stays in use, and once the key is compromised every message, past and future, is exposed and the traffic can be hijacked.
- Solution: this is handled by WS-SecureConversation, which establishes a security context and derives fresh keys from it.

12 WS-Policy
- A policy is comprised of a collection of policy alternatives.
- Each policy alternative is a collection of policy assertions that represent an individual requirement, capability or other property of a behavior.
- Example: assertions under "exactlyOne": Kerberosv5TGT or X509v3.
- Policy intersection (involves domain-specific processing!)
- Assertions should be digitally signed.
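The slide's two operations, turning a policy into its alternatives and intersecting two parties' policies, are mechanical enough to show in code. The block below is an added example and not the presentation's or the WS-Policy authors' code. It uses the W3C WS-Policy 1.5 namespace and operators (wsp:Policy, wsp:All, wsp:ExactlyOne, wsp:Optional); the sp: assertion names are borrowed from WS-SecurityPolicy but used as flat, parameterless assertions, which is an assumption for illustration. Compatibility is decided by vocabulary only (same set of assertion types), which is where the domain-specific part the slide warns about would plug in.

```python
# Added example (not from the slides): WS-Policy normal form and strict intersection.
import itertools
import xml.etree.ElementTree as ET

WSP = "http://www.w3.org/ns/ws-policy"                                  # WS-Policy 1.5
SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"       # assumed assertion vocabulary


def wsp(name):
    return "{%s}%s" % (WSP, name)


X509 = "{%s}X509Token" % SP
KERBEROS = "{%s}KerberosToken" % SP
TIMESTAMP = "{%s}IncludeTimestamp" % SP
ENCRYPT_SIG = "{%s}EncryptSignature" % SP

# Constructed policies for the scenario: the website accepts either token type, always
# wants a timestamp and can optionally encrypt the signature; Bank A wants X.509 plus a
# timestamp; Bank B only speaks Kerberos and says nothing about timestamps.
WEBSITE_POLICY = """<wsp:Policy xmlns:wsp="%s" xmlns:sp="%s">
  <sp:IncludeTimestamp/>
  <wsp:ExactlyOne>
    <sp:X509Token/>
    <sp:KerberosToken/>
  </wsp:ExactlyOne>
  <sp:EncryptSignature wsp:Optional="true"/>
</wsp:Policy>""" % (WSP, SP)
BANK_A_POLICY = """<wsp:Policy xmlns:wsp="%s" xmlns:sp="%s">
  <wsp:All><sp:X509Token/><sp:IncludeTimestamp/></wsp:All>
</wsp:Policy>""" % (WSP, SP)
BANK_B_POLICY = """<wsp:Policy xmlns:wsp="%s" xmlns:sp="%s"><sp:KerberosToken/></wsp:Policy>""" % (WSP, SP)


def normalize(el):
    """Return the alternatives of a policy element as a list of frozensets of assertion QNames.
    Policy/All is a conjunction (cross product of the children's alternatives),
    ExactlyOne a disjunction (concatenation), and wsp:Optional="true" on an assertion is
    shorthand for ExactlyOne(All(assertion), All())."""
    if el.tag in (wsp("Policy"), wsp("All")):
        alts = [frozenset()]
        for child in el:
            alts = [a | b for a, b in itertools.product(alts, normalize(child))]
        return alts
    if el.tag == wsp("ExactlyOne"):
        return [alt for child in el for alt in normalize(child)]
    alts = [frozenset([el.tag])]          # a domain assertion; nested policy not modelled here
    if el.get(wsp("Optional")) == "true":
        alts.append(frozenset())
    return alts


def policy_alternatives(xml_text):
    return normalize(ET.fromstring(xml_text))


def intersect_policies(a_xml, b_xml):
    """Strict-mode intersection: an alternative of A and one of B are compatible when their
    vocabularies are equal; the result keeps every compatible pair. Comparing assertion
    parameters or nested policies is the domain-specific step left out here."""
    a_alts, b_alts = policy_alternatives(a_xml), policy_alternatives(b_xml)
    return [a | b for a, b in itertools.product(a_alts, b_alts) if a == b]


def local_names(alternative):
    """Human-readable view of one alternative."""
    return sorted(tag.split("}")[1] for tag in alternative)
```

An empty intersection (the website with Bank B) means no message can satisfy both sides and the bank should be left out of the bidding round rather than contacted with a best guess.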

13 WS-Trust
- Enables the issuance and dissemination of credentials within different trust domains.
- If a message arrives without having the required proof of claims, the service should ignore or reject the message.
(Diagram: Loan Website and Bank A)

14 Security Token Service
- Token issuance
- Token renewal
- Token cancellation
- Token validation

Exchange shown between the Loan Website and Bank A (diagram):
1. Loan Request
2. wst:RequestSecurityToken
3. wst:RequestSecurityTokenResponse with embedded challenge
4. wst:RequestSecurityTokenResponse with answer to the challenge
5. wst:RequestSecurityTokenResponse with issued security token
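Steps 2 to 5 above are a challenge/response issuance, and slide 13's rule that a message without proof of claims is rejected is the relying party's half of it. The following added example, not code from the presentation or its authors, runs both sides in one process: an STS assumed to sit in Bank A's trust domain, the Loan Website as requester, and Bank A's loan service as relying party. Messages are dicts keyed by the wst element names (RequestSecurityToken, RequestSecurityTokenResponse, SignChallenge, SignChallengeResponse, RequestedSecurityToken); the shared secret used to answer the challenge, the HMAC-signed JSON token standing in for an XML token, and the host names are all assumptions.

```python
# Added example (not from the slides): WS-Trust challenge/response issuance, both sides.
import hashlib
import hmac
import json
import secrets


def _sign(key, claims):
    """HMAC-SHA256 over a canonical JSON encoding of the claims (stand-in for an XML signature)."""
    data = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def _rstr(context, **body):
    """Build a wst:RequestSecurityTokenResponse carrying the given context and child elements."""
    return {"RequestSecurityTokenResponse": dict(Context=context, **body)}


class SecurityTokenService:
    """STS in Bank A's trust domain (assumed). issuer_key signs issued tokens; requester_secrets
    maps each known requester to the secret it uses to answer challenges."""

    def __init__(self, issuer_key, requester_secrets, lifetime=300):
        self.issuer_key, self.requester_secrets, self.lifetime = issuer_key, requester_secrets, lifetime
        self._pending = {}   # context -> (requester, applies_to, nonce)

    def request_security_token(self, rst):
        """Step 2 -> 3: answer wst:RequestSecurityToken with a wst:SignChallenge."""
        context = secrets.token_hex(8)
        if rst["Requester"] not in self.requester_secrets:
            return _rstr(context, Fault="unknown requester")
        nonce = secrets.token_hex(16)
        self._pending[context] = (rst["Requester"], rst["AppliesTo"], nonce)
        return _rstr(context, SignChallenge={"Challenge": nonce})

    def challenge_answer(self, rstr, now):
        """Step 4 -> 5: check the wst:SignChallengeResponse, then issue the token."""
        body = rstr["RequestSecurityTokenResponse"]
        pending = self._pending.pop(body["Context"], None)   # one-shot: a replayed answer finds nothing
        if pending is None:
            return _rstr(body["Context"], Fault="unknown or already used context")
        requester, applies_to, nonce = pending
        expected = hmac.new(self.requester_secrets[requester], nonce.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, body["SignChallengeResponse"]["Challenge"]):
            return _rstr(body["Context"], Fault="challenge failed")
        claims = {"Issuer": "sts.bank-a.example", "Subject": requester, "Audience": applies_to,
                  "Created": now, "Expires": now + self.lifetime}
        token = {"Claims": claims, "Signature": _sign(self.issuer_key, claims)}
        return _rstr(body["Context"], RequestedSecurityToken=token)


def answer_challenge(rstr, secret):
    """Requester side (step 4): prove possession of the secret by keying the nonce with it."""
    body = rstr["RequestSecurityTokenResponse"]
    answer = hmac.new(secret, body["SignChallenge"]["Challenge"].encode(), hashlib.sha256).hexdigest()
    return _rstr(body["Context"], SignChallengeResponse={"Challenge": answer})


def obtain_token(sts, requester, secret, applies_to, now):
    """Steps 2-5 end to end from the Loan Website's side; None on any fault."""
    challenge = sts.request_security_token({"Requester": requester, "AppliesTo": applies_to})
    if "SignChallenge" not in challenge["RequestSecurityTokenResponse"]:
        return None
    final = sts.challenge_answer(answer_challenge(challenge, secret), now)
    return final["RequestSecurityTokenResponse"].get("RequestedSecurityToken")


def relying_party_accepts(token, issuer_key, audience, now):
    """Bank A's loan service (slide 13): no token, or no valid proof of claims, means reject."""
    if token is None:
        return False
    claims = token["Claims"]
    return (hmac.compare_digest(token["Signature"], _sign(issuer_key, claims))
            and claims["Audience"] == audience
            and claims["Created"] <= now < claims["Expires"])
```

Two details carry the security of the exchange: the challenge context is consumed on first use, so an answer captured on the wire cannot be replayed for a second token, and the relying party checks audience and expiry as well as the signature, so a token issued for Bank A cannot be presented to Bank Z.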

15 WS-SecureConversation
- The WS-SecureConversation extension defines two main additions, namely a security context and derived keys.
- Establishing a security context is more beneficial for a series of messages between two parties because it is shared for the lifetime of the conversation.
- Derived keys allow the involved parties to keep security fresh during the interaction instead of relying on just one secret.
- Possible need for further extensions...
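The derived-keys point is the answer to slide 11's eavesdropper, and it is concrete enough to run. The block below is an added example, not code from the presentation or the WS-SecureConversation authors. The key expansion is TLS P_SHA1 (the function wsc:DerivedKeyToken specifies, seeded with label || nonce and read at an offset and length); the label string, the key length and the use of HMAC-SHA256 as the per-message protection are assumptions made for this example.

```python
# Added example (not from the slides): per-message keys derived from a security context.
import hashlib
import hmac
import os


def p_sha1(secret, seed, length):
    """TLS P_SHA1 expansion: A(0) = seed, A(i) = HMAC(secret, A(i-1)),
    output = HMAC(secret, A(1) + seed) || HMAC(secret, A(2) + seed) || ... truncated to length."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha1).digest()
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()
    return out[:length]


def derive_key(context_secret, label, nonce, offset, length):
    """wsc:DerivedKeyToken: key = P_SHA1(secret, label || nonce)[offset : offset + length]."""
    return p_sha1(context_secret, label + nonce, offset + length)[offset:]


def derive_key_by_generation(context_secret, label, nonce, generation, length):
    """wsc:Generation form: generation n reads the n-th block of `length` bytes of the stream."""
    return derive_key(context_secret, label, nonce, generation * length, length)


class ConversationSide:
    """One party holding the secret of a security context token (SCT) it shares with its peer.
    The secret itself never goes on the wire; each message carries only the derivation
    parameters (nonce, offset, length) plus the MAC computed under the derived key."""
    LABEL = b"WS-SecureConversation"   # assumed label value

    def __init__(self, context_secret, key_len=32):
        self.secret, self.key_len = context_secret, key_len

    def protect(self, message):
        nonce = os.urandom(16)         # fresh nonce -> fresh key for every message
        key = derive_key(self.secret, self.LABEL, nonce, 0, self.key_len)
        return {"Nonce": nonce, "Offset": 0, "Length": self.key_len,
                "MAC": hmac.new(key, message, hashlib.sha256).digest()}

    def verify(self, message, dkt):
        key = derive_key(self.secret, self.LABEL, dkt["Nonce"], dkt["Offset"], dkt["Length"])
        return hmac.compare_digest(dkt["MAC"], hmac.new(key, message, hashlib.sha256).digest())
```

Because the derivation is one-way, an attacker who recovers one per-message key learns neither the context secret nor any other message's key, which is the property slide 11's single long-lived key lacks.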

16 Conclusions
- The WS-Framework is adequate for our scenario but may be too flexible.
- We feel the WS-Security framework should be more rigid, enforcing further rules that govern which parts of each extension are to be used with one another.
- The WS-Security framework satisfies Identity Management, Policy Management, and Secure Messaging but may need extra extensions.
