6/28/2015 Bringing Semantic Security to Semantic Web Services, B. Ramamurthy
Post on 21-Dec-2015
![Page 1: 6/28/20151 Bringing Semantic Security to Semantic Web Services B. Ramamurthy](https://reader035.vdocuments.site/reader035/viewer/2022062714/56649d645503460f94a46bdc/html5/thumbnails/1.jpg)
04/18/23 1
Bringing Semantic Security to Semantic Web Services
B. Ramamurthy
Introduction
Humans can read web pages and understand them, but their inherent meaning is not expressed in a way that allows interpretation by a computer (program).
One way to enable machine-to-machine exchange and automated processing is to provide the information in such a way that computers can understand it.
This is precisely the objective of the semantic web. The next generation of the Web will combine existing Web technologies with knowledge representation formalisms.
Semantic Web Services
[Figure: diagram placing WWW, Web Services, Semantic Web and Semantic Web Services relative to each other along a static-to-dynamic axis.]
RDF, OWL, WSDL-S
RDF is a standard for creating descriptions of information. RDF is for simple semantics.
OWL provides a language for defining structured web-based ontologies which allows a richer integration and interoperability of data among communities and domains.
WSDL-S establishes a mapping between WSDL descriptions and ontological concepts.
WSDL-S Example
Semantics can be added to operations, messages, preconditions and effects.
<interface name="StudentmanagmentUMA"
           xmlns:sm="http://dme.uma.pt/jcardoso/StudentMng.owl#">
  <operation name="RegisterStudent">
    <action element="sm:RegisterStudent"/>
    ..
    <input messageLabel="ID" element="sm:studentID"/>
    <output messageLabel="student" element="sm:StudentInfo"/>
    ..
  </operation>
</interface>
Authoring Tool for WSDL-S
WSDL4J can be used to create, represent, and manipulate WSDL-S documents.
WSDL4J provides Java APIs for WSDL parsing and generation.
WSDL4J supports extensibility elements, which provide an easy mechanism for adding new extensions.
Web Services Security Background
Standards have been proposed or accepted for authentication, encryption, and identity management: RSA encryption, XML Signature, and SAML (Security Assertion Markup Language).
There are five fundamental areas to consider: message level protection, message privacy, parameter checking, authentication, and authorization.
This is application layer security (not network layer security).
Application of RSA
Let's say a person in Atlanta wants to send a message M to a person in Buffalo:
Atlanta encrypts the message using Buffalo's public key B: E(M,B)
Only Buffalo can read it, using its private key b: E(b, E(M,B)) = M
In other words, for any public/private key pair determined as previously shown, the encrypting function has two properties: E(p, E(M,P)) = M and E(P, E(M,p)) = M
How can you authenticate the "sender"?
In real life you use signatures; we look at the concept of digital signatures next.
Instead of sending just the plain message, Atlanta sends a message signed with Atlanta's private key a and then encrypted with Buffalo's public key B: E(B, E(M,a))
Buffalo first decrypts using its private key b and then uses Atlanta's public key A to recover the signed message: E(b, E(B, E(M,a))) = E(M,a), and E(A, E(M,a)) = M
Digital Signatures
Strong digital signatures are essential requirements of a secure system. They are needed to verify that a document is:
Authentic: it comes from the claimed source
Not forged: it is not fake
Non-repudiable: the signer cannot credibly deny that the document was signed by them.
Digest Functions
Digest functions are functions used to produce signatures; they are also called secure hash functions.
The digest is message dependent. Only the digest is encrypted using the private key.
Alice's bank account certificate
1. Certificate type: Account number
2. Name: Alice
3. Account: 6262626
4. Certifying authority: Bob's Bank
5. Signature: {Digest(field 2 + field 3)}KBpriv
Digital signatures with public keys
[Figure: Signing: h = H(M); the signer computes {h}Kpri = E(Kpri, h) (h is 128 bits in the figure); the signed doc is M together with {h}Kpri. Verifying: h' = D(Kpub, {h}Kpri); h = H(doc); check h = h'?]
Message Privacy
Deals with the confidentiality of messages. The message header carries a token and a signature.
Typically web services are chained together to form a complex service. In this situation we need end-to-end encryption schemes; a scheme such as SSL will not suffice, because it protects only the transport between two directly connected parties and not the message as it passes through intermediaries.
Solution: XML Encryption allows for encryption of any combination of the message body, header, attachments, and sub-structures.
XML Signature
The service requestor encrypts the message and the signature information in the header; it may specify in the header that it used the provider's public key.
The provider's private key is then used to decrypt the XML request.
XML Encryption allows multiple keys to be used for encrypting different sections, thus allowing intermediaries to access only the parts of the message meant for them.
Message Level Protection
Message level protection has to do with message integrity. How do you assure that the message has not been modified?
This is done by creating a message digest. A digest is a cryptographic checksum of an octet stream, created using an algorithm such as SHA-1.
The provider gets the message, its digest (as the signature) and the type of algorithm used to create the digest. It recreates the digest, compares it with the one from the sender, and so verifies the integrity of the message.
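Added example (written for this transcript, not the author's code): the algebra of slides 8 to 13 in the slide's own notation E(K, X), with the digest-then-sign step of slides 11 to 13 and the digest comparison of slide 16. It uses textbook RSA with deterministic toy keys (a fixed seed, 448-bit and 512-bit moduli) and SHA-256 in place of the SHA-1 named on slide 16; the function and key names are this example's own, and a real service would use a vetted library with padding and larger keys.

```python
import hashlib
import random

# Textbook RSA in the slide's notation E(K, X) = X^K mod n, with a fixed seed
# so the sample keys are reproducible. Illustration only: real services use a
# vetted library with OAEP/PSS padding and keys of at least 2048 bits.
_rng = random.Random(2015)  # fixed seed: sample keys, not for real use


def _is_probable_prime(n, rounds=16):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    """Random odd integer of exactly `bits` bits, retried until probably prime."""
    while True:
        candidate = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


def generate_keypair(bits):
    """Return (public key, private key); each key is an (exponent, modulus) pair."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            break
    return (e, p * q), (pow(e, -1, phi), p * q)


def E(key, x):
    """The slide's E(K, X): apply key K = (exponent, n) to an integer X < n."""
    exponent, n = key
    if not 0 <= x < n:
        raise ValueError("value must be smaller than the key modulus")
    return pow(x, exponent, n)


def H(message):
    """Digest function H(M) as an integer. SHA-256 is used here because SHA-1,
    the algorithm named on slide 16, is no longer acceptable for signatures."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


# Slides 8-9: Atlanta holds (A, a), Buffalo holds (B, b). Atlanta's modulus is
# deliberately smaller so that E(M, a), which is below n_A, always fits under
# n_B: nesting raw RSA as on slide 9 needs that ordering, one reason practice
# signs a digest and encrypts the message separately instead.
ATLANTA_PUB, ATLANTA_PRIV = generate_keypair(448)
BUFFALO_PUB, BUFFALO_PRIV = generate_keypair(512)


def atlanta_send(message):
    """Slide 9: E(B, E(M, a)), sign with a, then encrypt with B."""
    return E(BUFFALO_PUB, E(ATLANTA_PRIV, int.from_bytes(message, "big")))


def buffalo_receive(ciphertext):
    """Slide 9: E(b, ...) recovers E(M, a); E(A, ...) recovers M."""
    m = E(ATLANTA_PUB, E(BUFFALO_PRIV, ciphertext))
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def sign(message, private_key):
    """Slides 11-13: only the digest h = H(M) is encrypted with the private key."""
    return E(private_key, H(message))


def verify(message, signature, public_key):
    """Slides 13 and 16: h' = D(Kpub, {h}Kpri); recompute h = H(doc); h == h'?"""
    return E(public_key, signature) == H(message)


if __name__ == "__main__":
    ct = atlanta_send(b"hello Buffalo")
    print(buffalo_receive(ct))
    sig = sign(b"pay Alice 100", ATLANTA_PRIV)
    print(verify(b"pay Alice 100", sig, ATLANTA_PUB),
          verify(b"pay Alice 101", sig, ATLANTA_PUB))
```

The two properties on slide 8 are what make `buffalo_receive` undo `atlanta_send`: decrypting with b removes the B layer, and applying A removes the a layer. Signing the digest rather than M itself is what the figure on slide 13 shows, and it is also what keeps the signed value under the modulus regardless of how long M is.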
Message validity
Message validity is ensuring that the contents of a message are appropriate to the service and that they are well formed.
You check that the types used and the operations used are valid.
SQL injection is a common attack. A typical identification method is to look for a ";" (semicolon), which allows further SQL commands to follow.
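Added example (not from the slides, and not WSDL4J; Python rather than Java): it parses a WSDL-S interface like the one on slide 5, resolves the sm: prefix to the full ontology URI so the operation-to-concept mapping of slide 4 is explicit, and then applies the message validity check of slide 17 to an incoming request: is the operation declared, is every input label declared, is nothing required missing, and is every value well formed for its concept type. The lookup itself binds the value as a SQL parameter, which is the control a practitioner relies on rather than scanning for semicolons. The TYPE_RULES table, the request shape and the student table are assumptions constructed for this example.

```python
import io
import re
import sqlite3
import xml.etree.ElementTree as ET

# Constructed WSDL-S fragment modelled on slide 5 (made well-formed); the sm:
# prefix resolves to the StudentMng ontology shown there.
WSDLS_INTERFACE = """
<interface name="StudentmanagmentUMA"
           xmlns:sm="http://dme.uma.pt/jcardoso/StudentMng.owl#">
  <operation name="RegisterStudent">
    <action element="sm:RegisterStudent"/>
    <input messageLabel="ID" element="sm:studentID"/>
    <output messageLabel="student" element="sm:StudentInfo"/>
  </operation>
</interface>
"""

# Hypothetical well-formedness rule per ontology concept (an assumption for
# this example; the slides define no such table). Concepts without a rule are
# rejected, so the check fails closed.
TYPE_RULES = {
    "http://dme.uma.pt/jcardoso/StudentMng.owl#studentID": re.compile(r"\d{6,9}"),
}


def _resolve(qname, namespaces):
    """Turn a prefixed name such as sm:studentID into the full concept URI."""
    prefix, _, local = qname.partition(":")
    if prefix not in namespaces:
        raise ValueError(f"undeclared namespace prefix in {qname!r}")
    return namespaces[prefix] + local


def parse_interface(xml_text):
    """Return {operation: {"action": concept URI, "inputs": {label: concept URI}}}."""
    # ElementTree does not keep xmlns attributes on elements, so collect the
    # prefix declarations from the parser's start-ns events first.
    namespaces = {}
    source = io.BytesIO(xml_text.encode())
    for _, (prefix, uri) in ET.iterparse(source, events=("start-ns",)):
        namespaces[prefix] = uri
    root = ET.fromstring(xml_text)
    operations = {}
    for op in root.findall("operation"):
        operations[op.get("name")] = {
            "action": _resolve(op.find("action").get("element"), namespaces),
            "inputs": {i.get("messageLabel"): _resolve(i.get("element"), namespaces)
                       for i in op.findall("input")},
        }
    return operations


def validate_request(interface, operation, inputs):
    """Slide 17: the operation must be declared, every input label declared,
    nothing required missing, and every value well formed for its concept.
    Returns the list of problems found; an empty list means the request is valid."""
    spec = interface.get(operation)
    if spec is None:
        return [f"unknown operation {operation!r}"]
    problems = []
    for label, value in inputs.items():
        concept = spec["inputs"].get(label)
        if concept is None:
            problems.append(f"undeclared input {label!r}")
            continue
        rule = TYPE_RULES.get(concept)
        if rule is None or not rule.fullmatch(value):
            problems.append(f"malformed value for {label!r}")
    for label in spec["inputs"]:
        if label not in inputs:
            problems.append(f"missing input {label!r}")
    return problems


def build_sample_db():
    """Constructed in-memory student table for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (id TEXT PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO students VALUES (?, ?)",
                     [("6262626", "Alice"), ("1234567", "Bob")])
    return conn


def lookup_student(conn, student_id):
    """Bound parameter: the value reaches SQLite as data and is never parsed as
    SQL, whatever characters (semicolons or quotes included) it contains."""
    row = conn.execute("SELECT name FROM students WHERE id = ?", (student_id,)).fetchone()
    return row[0] if row else None


def register_student(conn, interface, request):
    """Handle one request dict {"operation": ..., "inputs": {...}}: validate
    against the interface first, then perform the parameterized lookup."""
    problems = validate_request(interface, request["operation"], request["inputs"])
    if problems:
        return {"ok": False, "problems": problems}
    return {"ok": True, "student": lookup_student(conn, request["inputs"]["ID"])}
```

Two layers do the work: `validate_request` rejects anything the interface did not declare or whose value does not match the concept's shape, and `lookup_student` keeps the value out of the SQL text entirely, so an ID containing a semicolon that somehow passed validation would still only fail to match a row.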
Authentication
Authentication is verifying that the requester is who he/she claims to be.
In a typical closed environment: user name / password.
If the sender is previously unknown: send a credential to verify oneself.
Trusted authorities issue certificates that can be used as credentials (e.g., "Verified by Verisign").
Authorization
In any organization, data may have different levels of sensitivity. Example: grades and student personal information in a university (Infosource at UB).
Authorization is the granting of rights, which includes the granting of access based on access rights.
This typically takes place after authentication. The three most common access control implementations are the access matrix, the access control list (ACL), and role based access control (RBAC).
Access Matrix
A general model of access control as exercised by a file or database management system is that of an access matrix.
The basic elements of the model are:
Subject: an entity capable of accessing objects. The concept of subject equates to that of a process.
Object: anything to which access is controlled. Examples: files, programs, segments of memory.
Access right: the way in which an object is accessed by the subject. Examples: read, write, and execute.
Access Matrix (contd.)
[Figure: access matrix with subjects userA, userB and userC as rows and objects File 1, File 2, File 3, File 4, Acct1, Acct2 and Printer1 as columns; cells hold rights such as Own, R, W, Inquiry, Credit, Debit and P.]
Access Matrix Details
The row index corresponds to subjects and the column index to objects.
The entries in each cell represent the access privileges/rights.
In practice, the access matrix is quite sparse and is implemented as either access control lists (ACLs) or capability tickets.
ACLs
The access matrix can be decomposed by columns, yielding access control lists.
For each object, the access control list lists the users and their permitted access rights.
The access control list may also have a default or public entry to cover subjects that are not explicitly listed.
Elements of the list may include individual users as well as groups of users.
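Added example (constructed for this transcript, not from the slides): an access matrix in the style of slide 21 decomposed both ways, into per-object access control lists (slide 23) and per-subject capability lists (slide 22), with an ACL lookup that honours group entries and a default/public entry as slide 23 describes, and a measure of how sparse the matrix is. The subjects, objects and rights are a sample I made up in the spirit of slide 21, not a transcription of its figure; the staff group and the default entries are likewise assumptions.

```python
# Sparse access matrix: subject -> object -> set of rights. Cells that are
# absent are empty, which is why the matrix is normally stored decomposed.
# Sample data constructed in the style of slide 21, not copied from it; the
# "staff" row is a group, which slide 23 allows as an ACL element.
ACCESS_MATRIX = {
    "userA": {"File 1": {"Own", "R", "W"}, "File 3": {"Own", "R", "W"},
              "Acct1": {"Inquiry", "Credit"}},
    "userB": {"File 1": {"R"}, "File 2": {"Own", "R", "W"}, "File 3": {"W"},
              "Acct2": {"Inquiry", "Debit"}},
    "userC": {"File 1": {"R", "W"}, "File 4": {"Own", "R", "W"},
              "Printer1": {"P"}},
    "staff": {"File 2": {"R"}},
}
GROUPS = {"staff": {"userA", "userB"}}   # group -> members (assumption)
DEFAULT_ENTRIES = {"Printer1": {"P"}}    # per-object public entry (assumption)


def to_acls(matrix):
    """Decompose by columns (slide 23): object -> {subject or group: rights}."""
    acls = {}
    for subject, row in matrix.items():
        for obj, rights in row.items():
            acls.setdefault(obj, {})[subject] = set(rights)
    return acls


def to_capabilities(matrix):
    """Decompose by rows (the capability tickets of slide 22):
    subject -> {object: rights}."""
    return {subject: {obj: set(rights) for obj, rights in row.items()}
            for subject, row in matrix.items()}


def rights_for(acls, obj, subject, groups=GROUPS, defaults=DEFAULT_ENTRIES):
    """Rights a subject holds on an object under the ACL form: its own entry
    plus the entries of any group it belongs to; if none of those match, the
    object's default/public entry applies."""
    acl = acls.get(obj, {})
    granted, matched = set(), False
    if subject in acl:
        granted |= acl[subject]
        matched = True
    for group, members in groups.items():
        if subject in members and group in acl:
            granted |= acl[group]
            matched = True
    if not matched:
        granted |= defaults.get(obj, set())
    return granted


def check_access(acls, subject, obj, right):
    """The access decision: is `right` among the subject's rights on `obj`?"""
    return right in rights_for(acls, obj, subject)


def sparsity(matrix):
    """Fraction of empty cells, the reason slide 22 gives for not storing the
    full matrix."""
    objects = {obj for row in matrix.values() for obj in row}
    filled = sum(len(row) for row in matrix.values())
    return 1 - filled / (len(matrix) * len(objects))
```

The two decompositions carry the same information; which one to store depends on the question asked most often (who may touch this object, or what may this subject touch). Note that the default entry only applies when no explicit or group entry matched, so an explicit entry can grant fewer rights than the public default.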
WS Security
Access control scheme: name/password; an access token associated with each process (object) indicating the privileges associated with the user; a security descriptor for each object; the access token's identifiers are compared with the access control list of the object.
Access Token (per user/subject)
Security ID (SID)
Group SIDs
Privileges
Default Owner
Default ACL
Security Descriptor (per Object)
Flags
Owner
System Access Control List (SACL)
Discretionary Access Control List (DACL)
Access Control List
ACL Header
ACE 1: ACE Header, Access Mask, SID
ACE 2: ACE Header, Access Mask, SID
... (further ACEs)
Access Mask
Generic Access Types: Generic All, Generic Execute, Generic Write, Generic Read
Access System Security
Maximum Allowed
Standard Access Types: Delete, Read Control, Write DAC, Write Owner, Synchronize
Specific Access Types
Access Control Using ACLs
When a process attempts to access an object, the object manager in the security executive reads the SID and group SIDs from the access token and scans down the object's DACL.
If a matching SID is found, the corresponding ACE access mask provides the access rights available to the process.
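Added example (not from the slides): the structures of slides 25 to 28 as data (access token with SID and group SIDs, security descriptor with owner and DACL, ACEs with a type, access mask and SID) and the DACL scan of slide 29, including the two details the scan needs in practice: generic bits in a mask are translated into the object's specific rights before comparison, and a deny ACE that covers a still-wanted right stops the scan. The numeric mask values are the ones from the Windows winnt.h header and the owner's implicit rights are a Windows rule, both assumptions beyond what the slides show; the specific access types, generic mapping and SIDs are constructed placeholders.

```python
from dataclasses import dataclass

# Access mask bits in the layout of slide 28. The numeric values are those of
# the Windows winnt.h header (an assumption beyond the slide, which shows only
# the layout); the specific access types are made up for a file-like object.
DELETE, READ_CONTROL, WRITE_DAC = 0x00010000, 0x00020000, 0x00040000
WRITE_OWNER, SYNCHRONIZE = 0x00080000, 0x00100000
ACCESS_SYSTEM_SECURITY, MAXIMUM_ALLOWED = 0x01000000, 0x02000000
GENERIC_ALL, GENERIC_EXECUTE = 0x10000000, 0x20000000
GENERIC_WRITE, GENERIC_READ = 0x40000000, 0x80000000
FILE_READ_DATA, FILE_WRITE_DATA, FILE_EXECUTE = 0x0001, 0x0002, 0x0020

# Generic mapping for this object type: what each generic bit stands for.
GENERIC_MAPPING = {
    GENERIC_READ: FILE_READ_DATA | READ_CONTROL | SYNCHRONIZE,
    GENERIC_WRITE: FILE_WRITE_DATA | READ_CONTROL | SYNCHRONIZE,
    GENERIC_EXECUTE: FILE_EXECUTE | READ_CONTROL | SYNCHRONIZE,
}
GENERIC_MAPPING[GENERIC_ALL] = (GENERIC_MAPPING[GENERIC_READ]
                                | GENERIC_MAPPING[GENERIC_WRITE]
                                | GENERIC_MAPPING[GENERIC_EXECUTE]
                                | DELETE | WRITE_DAC | WRITE_OWNER)


@dataclass
class AccessToken:          # slide 25: SID and group SIDs (privileges omitted)
    sid: str
    group_sids: frozenset

    def sids(self):
        return {self.sid} | set(self.group_sids)


@dataclass
class ACE:                  # slide 27: ACE header (type), access mask, SID
    ace_type: str           # "allow" or "deny"
    mask: int
    sid: str


@dataclass
class SecurityDescriptor:   # slide 26: owner and DACL (flags and SACL omitted)
    owner: str
    dacl: list              # ACEs in order; denies are listed first by convention


def map_generic(mask):
    """Replace generic bits in a mask by the object-specific rights they stand for."""
    for generic, specific in GENERIC_MAPPING.items():
        if mask & generic:
            mask = (mask & ~generic) | specific
    return mask


def access_check(token, descriptor, desired):
    """Slide 29's scan: walk the DACL in order, match each ACE's SID against the
    token's SID and group SIDs, accumulate allowed bits, and stop on a deny ACE
    that covers a still-wanted bit. Returns the granted mask, or None if the
    request is refused. MAXIMUM_ALLOWED asks for everything not denied."""
    want_max = bool(desired & MAXIMUM_ALLOWED)
    desired = map_generic(desired & ~MAXIMUM_ALLOWED)
    sids = token.sids()
    granted, denied = 0, 0
    if descriptor.owner in sids:             # the owner always holds these two
        granted |= READ_CONTROL | WRITE_DAC  # (Windows rule, beyond the slide)
    for ace in descriptor.dacl:
        if ace.sid not in sids:
            continue                         # slide 29: no SID match, skip ACE
        mask = map_generic(ace.mask)
        if ace.ace_type == "deny":
            if want_max:
                denied |= mask
            elif mask & desired & ~granted:
                return None                  # a wanted right is explicitly denied
        else:
            granted |= mask & ~denied
    if want_max:
        return granted
    return desired if desired & ~granted == 0 else None


# Constructed sample: the SIDs below are placeholders, not real accounts.
SAMPLE_TOKEN = AccessToken("S-1-5-21-EXAMPLE-1000", frozenset({"S-1-5-21-EXAMPLE-513"}))
SAMPLE_DESCRIPTOR = SecurityDescriptor(
    owner="S-1-5-21-EXAMPLE-1001",
    dacl=[
        ACE("deny", FILE_WRITE_DATA, "S-1-5-21-EXAMPLE-1000"),  # this user may not write
        ACE("allow", GENERIC_READ, "S-1-5-21-EXAMPLE-513"),     # the group may read
        ACE("allow", GENERIC_WRITE, "S-1-5-21-EXAMPLE-513"),    # the group may write
    ],
)
```

The sample DACL shows why ACE order matters: the user's explicit deny precedes the group's allow, so a write request from this token is refused even though the group it belongs to is allowed to write, while a read request succeeds through the group entry.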
RBAC
In 2004 the National Institute of Standards and Technology (NIST) published a standard for defining the features of the Role Based Access Control (RBAC).
Two parts: (i) Reference model and (ii) System and Administrative functions.
Reference model: objects, operations, permissions, roles and users (in-band artifacts)
Administrative model: system functionality, administrative operations and reviews.
RBAC Details
RBAC starts with permission sets. A permission expresses a privilege to access a resource. Examples of permissions: "create a file", "access grades information" (UBlearns).
The next step is defining roles and assigning permissions to roles. Examples of roles: "Physician", "Reviewer".
A scenario-driven approach is typically used to connect roles to permissions.
The upper-level ontology in SWS should map users, roles, groups, etc. to the ontology.
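Added example (not from the slides): the NIST RBAC reference model of slide 30 as data, following the order slide 31 gives (permissions first, then roles with permissions assigned to them, then users assigned to roles), with a role hierarchy, an access check through a session that activates only some of a user's roles, two review functions of the kind the standard's administrative part calls for, and a hook that maps a role name into an ontology namespace as the last bullet of slide 31 asks. The sample roles and permissions are constructed in the spirit of slide 31, and the ontology URI is a placeholder.

```python
from collections import defaultdict

ONTOLOGY = "http://example.invalid/sws-security.owl#"  # placeholder namespace


class RBAC:
    """Core RBAC: permissions, roles, users, the two assignment relations and
    a role hierarchy (senior roles inherit the permissions of junior roles)."""

    def __init__(self):
        self.permissions = {}                     # name -> (operation, object)
        self.role_permissions = defaultdict(set)  # role -> permission names
        self.user_roles = defaultdict(set)        # user -> assigned roles
        self.juniors = defaultdict(set)           # senior role -> inherited roles

    # administrative functions (slide 30, part ii)
    def add_permission(self, name, operation, obj):
        self.permissions[name] = (operation, obj)

    def assign_permission(self, role, name):
        if name not in self.permissions:
            raise KeyError(f"no such permission: {name}")
        self.role_permissions[role].add(name)

    def assign_user(self, user, role):
        self.user_roles[user].add(role)

    def add_inheritance(self, senior, junior):
        """senior inherits every permission of junior."""
        self.juniors[senior].add(junior)

    # supporting system functions
    def effective_roles(self, roles):
        """Close a set of roles under the hierarchy."""
        seen, stack = set(), list(roles)
        while stack:
            role = stack.pop()
            if role not in seen:
                seen.add(role)
                stack.extend(self.juniors[role])
        return seen

    def check(self, user, operation, obj, active_roles=None):
        """Access decision. A session activates a subset of the user's assigned
        roles (least privilege); by default every assigned role is active."""
        assigned = self.user_roles[user]
        active = assigned if active_roles is None else set(active_roles) & assigned
        for role in self.effective_roles(active):
            for name in self.role_permissions[role]:
                if self.permissions[name] == (operation, obj):
                    return True
        return False

    # review functions
    def user_permissions(self, user):
        return {name for role in self.effective_roles(self.user_roles[user])
                for name in self.role_permissions[role]}

    def users_with_permission(self, name):
        return {user for user in list(self.user_roles)
                if name in self.user_permissions(user)}

    def role_uri(self, role):
        """Slide 31: map a role name into the upper-level ontology."""
        return ONTOLOGY + role


def build_sample():
    """Constructed university scenario in the spirit of slide 31."""
    rbac = RBAC()
    rbac.add_permission("read grades", "read", "grades")
    rbac.add_permission("write grades", "write", "grades")
    rbac.add_permission("create file", "create", "file")
    rbac.assign_permission("Reviewer", "read grades")
    rbac.assign_permission("Instructor", "write grades")
    rbac.assign_permission("Instructor", "create file")
    rbac.add_inheritance("Instructor", "Reviewer")  # instructors can do what reviewers can
    rbac.assign_user("alice", "Instructor")
    rbac.assign_user("alice", "Reviewer")
    rbac.assign_user("bob", "Reviewer")
    return rbac
```

The session argument of `check` is what turns the model into least privilege in practice: a user who holds a powerful role can run a routine task with only a junior role active, and the review functions let an administrator answer "who can write grades?" without reading every assignment by hand.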