![Page 1: Web Services Security Standards Overview for the Non-Specialist Hal Lockhart Office of the CTO BEA Systems](https://reader034.vdocuments.site/reader034/viewer/2022051820/56649e9e5503460f94b9f77c/html5/thumbnails/1.jpg)
Web Services Security Standards
Overview for the Non-Specialist
Hal Lockhart, Office of the CTO, BEA Systems
Topics
- Web Services Security Introduction
- Preliminary work at W3C
- WS-Security
- SAML
- WS-Trust
- WS-SecureConversation
- WS-SecurityPolicy
- WS-Federation
- Interdependencies
Information Security Definition
Technologies and procedures intended to implement organizational policy in spite of human efforts to the contrary.

- Suggested by Authorization
- Applies to all security services
- Protection against accidents is incidental
- Suggests four areas of attention
Information Security Areas
- Policy determination
  - Expression: code, permissions, ACLs, language
  - Evaluation: semantics, architecture, performance
- Policy enforcement
  - Maintain integrity of the Trusted Computing Base (TCB)
  - Enforce variable policy
Security Services
- Authentication – confirm asserted identity
- Authorization – permit or deny a request
- Integrity – prevent undetected modification of data
- Confidentiality – prevent unauthorized reading of data
- Audit – preserve evidence for accountability
- Administration – control configuration
- Others …
Web Services Security Standards for Interoperability
- Between systems, not internal behavior
- Authentication, Integrity, Confidentiality, Key Exchange
- Consistent with XML, SOAP, WSDL, WS-Policy
- Authentication methods already exist
  - Need to support multiple infrastructure types
  - Passwords, X.509, Kerberos, SAML, etc.
- Most of WSS is not about stronger security
  - Better scaling, easier deployment
W3C Security Recommendations

- Widespread use of XML: need for integrity and confidentiality
- XML Digital Signature WG (1999 to 2002)
  - Defines rules to sign XML and record parameters and signature value
  - Supports all technologies in common use
  - Key problem: immaterial changes to XML documents (attribute order, quoting, whitespace inside tags, namespace prefixes) change the bytes without changing the meaning, so a byte-level signature breaks
  - Solution: Canonicalization, a deterministic serialization that both signer and verifier digest instead of the raw bytes
- XML Encryption WG (2001 to 2002)
  - Defines rules to encrypt XML and record parameters
  - Supports all technologies in common use
  - Key problem: encrypted data is not Schema-valid
  - Solution: None
- Follow-on work currently at W3C
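The canonicalization point is easiest to see by digesting the same order document serialized two ways. The following is an added example, not code from the deck or from BEA: it uses Python's built-in `xml.etree.ElementTree.canonicalize` (a C14N 2.0 implementation) as the canonicalization step and a SHA-256 digest as the stand-in for the `DigestValue` of an XML-DSig `<Reference>`; the `Order` documents and the `urn:example:orders` namespace are constructed for the illustration.

```python
import hashlib
import hmac
from xml.etree.ElementTree import canonicalize

# Constructed sample documents. ORDER_A and ORDER_B carry the same XML infoset:
# only attribute order, quote style and whitespace inside the start tag differ,
# which is exactly the kind of "immaterial change" an intermediary may introduce.
ORDER_A = '<Order xmlns="urn:example:orders" id="1" ccy="USD"><Amount>100</Amount></Order>'
ORDER_B = "<Order   ccy='USD'\n       id='1' xmlns='urn:example:orders'><Amount>100</Amount></Order>"
# ORDER_TAMPERED changes the signed content itself and must be detected.
ORDER_TAMPERED = '<Order xmlns="urn:example:orders" id="1" ccy="USD"><Amount>1000</Amount></Order>'


def raw_digest(xml_text: str) -> str:
    """Digest over the bytes as transmitted. Any re-serialization breaks it."""
    return hashlib.sha256(xml_text.encode("utf-8")).hexdigest()


def c14n_digest(xml_text: str) -> str:
    """Digest over the canonical form, which is what an XML-DSig <Reference> with a
    canonicalization transform actually commits to. Python's canonicalize() implements
    C14N 2.0; XML-DSig deployments mostly use (Exclusive) C14N 1.0, same principle."""
    canonical = canonicalize(xml_text)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def reference_valid(expected_digest: str, received_xml: str) -> bool:
    """Verifier side: recompute the digest over the canonical form of what was received
    and compare it, in constant time, to the DigestValue the signer committed to."""
    return hmac.compare_digest(expected_digest, c14n_digest(received_xml))
```

`raw_digest` differs between `ORDER_A` and `ORDER_B`, `c14n_digest` does not, and the tampered amount is still caught; in a real signature the `<Reference>` names the canonicalization algorithm so the verifier applies the same transform.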
WS-Security Overview
- Basic SOAP message protection
  - Signatures, Encryption, Timestamps
- Multiple token types
  - Username, X.509, Kerberos, SAML, REL
- Token References
Security Tokens
- Abstraction of the common elements of information objects which represent identities
  - Claims, Key, Issuer, Validity, etc.
- In some cases, Tokens can be utilized without knowledge of the specific Token format
  - Doesn't work in all cases
  - Passwords are not the same as keys
- Generally WSS uses Tokens to indicate keys
- Claims are passed along for Authorization
WS-Security General Approach
- Security element in SOAP header
  - Can contain Tokens, Token References, Timestamp, Signatures, Encryptions
- Physical order of elements determines processing order of signatures and encryptions
- Signed and encrypted data can appear anywhere in the envelope
- A toolkit, not a protocol
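A concrete instance of the approach described above: a `wsse:Security` header carrying a `wsu:Timestamp` and a `UsernameToken` in the digest form defined by the WSS Username Token Profile, together with the checks a receiver has to perform (expiry, password type, nonce replay, clock skew, digest comparison). This is an added example, not code from the deck or from BEA. The namespace and type URIs are those of the 2004 WS-Security 1.0 specifications; the user `alice`, her password, the nonce, the clock value and the `GetBalance` body are constructed for the illustration. It also shows the earlier point that passwords are not keys: the digest proves possession of the password but yields no key with which the body could be signed or encrypted.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Namespace and type URIs from the OASIS WS-Security 1.0 (2004) specifications.
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PASSWORD_DIGEST = ("http://docs.oasis-open.org/wss/2004/01/"
                   "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
BASE64_BINARY = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-soap-message-security-1.0#Base64Binary")
NS = {"soap": SOAP, "wsse": WSSE, "wsu": WSU}
for _prefix, _uri in (("soapenv", SOAP), ("wsse", WSSE), ("wsu", WSU)):
    ET.register_namespace(_prefix, _uri)

DEMO_NOW = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)  # constructed receiver clock
DEMO_NONCE = bytes(range(16))                                      # constructed; real code uses os.urandom(16)


def _ts(t: datetime) -> str:
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")


def _parse(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Username Token Profile: Password_Digest = Base64(SHA-1(nonce + created + password)),
    over the raw nonce bytes and the exact wsu:Created string. SHA-1 is what the profile mandates."""
    h = hashlib.sha1(nonce + created.encode("utf-8") + password.encode("utf-8")).digest()
    return base64.b64encode(h).decode("ascii")


def build_envelope(username: str, password: str, nonce: bytes, created: datetime,
                   lifetime: timedelta = timedelta(minutes=5)) -> str:
    """Sender side: SOAP 1.1 envelope whose wsse:Security header holds a wsu:Timestamp
    followed by a digest-form UsernameToken; the body is a constructed example payload."""
    created_s = _ts(created)
    env = ET.Element(f"{{{SOAP}}}Envelope")
    sec = ET.SubElement(ET.SubElement(env, f"{{{SOAP}}}Header"), f"{{{WSSE}}}Security",
                        {f"{{{SOAP}}}mustUnderstand": "1"})
    ts = ET.SubElement(sec, f"{{{WSU}}}Timestamp")
    ET.SubElement(ts, f"{{{WSU}}}Created").text = created_s
    ET.SubElement(ts, f"{{{WSU}}}Expires").text = _ts(created + lifetime)
    tok = ET.SubElement(sec, f"{{{WSSE}}}UsernameToken")
    ET.SubElement(tok, f"{{{WSSE}}}Username").text = username
    pw = ET.SubElement(tok, f"{{{WSSE}}}Password", {"Type": PASSWORD_DIGEST})
    pw.text = password_digest(nonce, created_s, password)
    nonce_el = ET.SubElement(tok, f"{{{WSSE}}}Nonce", {"EncodingType": BASE64_BINARY})
    nonce_el.text = base64.b64encode(nonce).decode("ascii")
    ET.SubElement(tok, f"{{{WSU}}}Created").text = created_s
    body = ET.SubElement(env, f"{{{SOAP}}}Body")
    ET.SubElement(body, "{urn:example:bank}GetBalance")  # constructed application request
    return ET.tostring(env, encoding="unicode")


def verify_envelope(xml_text: str, password_for_user, now: datetime, seen_nonces: set,
                    max_skew: timedelta = timedelta(minutes=5)) -> str:
    """Receiver side: returns "ok" or the first reason for rejection. seen_nonces is the
    caller's replay cache and must persist across messages (a plain set here)."""
    sec = ET.fromstring(xml_text).find("soap:Header/wsse:Security", NS)
    if sec is None:
        return "no-security-header"
    expires_s = sec.findtext("wsu:Timestamp/wsu:Expires", default="", namespaces=NS)
    if not expires_s or now > _parse(expires_s):
        return "expired-timestamp"
    tok = sec.find("wsse:UsernameToken", NS)
    pw = None if tok is None else tok.find("wsse:Password", NS)
    if pw is None or pw.get("Type") != PASSWORD_DIGEST:
        return "missing-or-unsupported-password"  # never accept cleartext PasswordText
    nonce_b64 = tok.findtext("wsse:Nonce", default="", namespaces=NS)
    created_s = tok.findtext("wsu:Created", default="", namespaces=NS)
    if not nonce_b64 or not created_s:
        return "missing-nonce-or-created"
    if nonce_b64 in seen_nonces:
        return "replayed-nonce"
    if abs(now - _parse(created_s)) > max_skew:
        return "stale-created"
    password = password_for_user(tok.findtext("wsse:Username", default="", namespaces=NS))
    if password is None:
        return "unknown-user"
    expected = password_digest(base64.b64decode(nonce_b64), created_s, password)
    if not hmac.compare_digest(expected, pw.text or ""):
        return "bad-digest"
    seen_nonces.add(nonce_b64)  # record only on success so failed attempts cannot poison the cache
    return "ok"


def demo() -> dict:
    """Happy path plus the three failure modes a receiver must catch."""
    users = {"alice": "correct horse battery staple"}
    env = build_envelope("alice", users["alice"], DEMO_NONCE, DEMO_NOW)
    cache = set()
    return {
        "fresh": verify_envelope(env, users.get, DEMO_NOW, cache),
        "replay": verify_envelope(env, users.get, DEMO_NOW, cache),
        "wrong_password": verify_envelope(env, {"alice": "wrong"}.get, DEMO_NOW, set()),
        "late": verify_envelope(env, users.get, DEMO_NOW + timedelta(hours=1), set()),
    }
```

Calling `demo()` returns `ok`, `replayed-nonce`, `bad-digest` and `expired-timestamp` for the four cases. The receiver side is where the toolkit nature of WS-Security bites: nothing in the header format forces the nonce cache, the skew window or the rejection of `PasswordText`, so each deployment has to supply them.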
SAML in Web Services Security
- SAML provides a very flexible XML token
- Use of browser profiles not required
- SAML Assertions may or may not contain
  - Keys
  - Real world names or pseudonyms
  - Attributes
- Viewed as easy and cheap to generate
WS-Trust
- Defines a generic Security Token Service (STS)
  - Issue, renew, cancel, validate Tokens
- Support for many different configurations and trust relationships
- Only defines generic elements
- Other specifications intended to extend and specify the details: WS-SecureConversation, WS-Federation
WS-SecureConversation

- Builds on WS-Security and WS-Trust
- Allows establishment of a secure session
  - More efficient and secure than using long term secrets directly
  - Like SSL/TLS except at the SOAP layer
  - Useful in conjunction with reliable messaging
- Adds two new Token types
  - Security Context Token (holds session info, including keys)
  - Derived Key Token (enables key derivation)
- Two party and three party flows
- Also a toolkit, but less so
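The Derived Key Token is what makes the session "more efficient and secure than using long term secrets directly": both parties expand the Security Context Token's shared secret with the TLS P_SHA1 function, seeded with a label and a fresh nonce, and sign or encrypt with the result, so the context secret itself never protects a message directly. This added example (not code from the deck or from BEA) implements that derivation as WS-SecureConversation 1.3 specifies it, in both the `wsc:Offset`/`wsc:Length` and the `wsc:Generation` forms. The secret and nonces are constructed values, and assigning generation 0 to signing and 1 to encryption is a convention chosen for this example, not something the specification fixes.

```python
import hashlib
import hmac
import os

# Identifiers from WS-SecureConversation 1.3 (OASIS WS-SX), derived-key section.
P_SHA1_ALGORITHM = "http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/dk/p_sha1"
# Default wsc:Label: the client label and the service label, each "WS-SecureConversation", concatenated.
DEFAULT_LABEL = b"WS-SecureConversation" + b"WS-SecureConversation"
DEFAULT_LENGTH = 32  # bytes of key material per DerivedKeyToken when wsc:Length is absent

# Constructed demo values. The secret would really be the Security Context Token's secret
# negotiated through WS-Trust; the nonces would be fresh output of new_nonce().
DEMO_SECRET = bytes.fromhex("603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4")
DEMO_NONCE_INITIATOR = b"initiator-nonce!"   # 16 bytes
DEMO_NONCE_RECIPIENT = b"recipient-nonce!"   # 16 bytes


def new_nonce() -> bytes:
    """The spec recommends nonces of at least 16 bytes; every DerivedKeyToken gets a fresh one."""
    return os.urandom(16)


def p_sha1(secret: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.0 P_SHA1 expansion (RFC 2246, section 5), which WS-SecureConversation reuses:
    A(0) = seed, A(i) = HMAC_SHA1(secret, A(i-1)),
    output = HMAC_SHA1(secret, A(1) + seed) || HMAC_SHA1(secret, A(2) + seed) || ..., truncated."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha1).digest()
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()
    return out[:length]


def derive_key(secret: bytes, nonce: bytes, offset: int = 0, length: int = DEFAULT_LENGTH,
               label: bytes = DEFAULT_LABEL) -> bytes:
    """Key material for one wsc:DerivedKeyToken: P_SHA1(secret, label + nonce),
    'length' bytes starting at 'offset' (the token's wsc:Offset and wsc:Length)."""
    if len(nonce) < 16:  # this example enforces the spec's recommendation as a hard rule
        raise ValueError("nonce shorter than 16 bytes")
    return p_sha1(secret, label + nonce, offset + length)[offset:offset + length]


def derive_generation(secret: bytes, nonce: bytes, generation: int,
                      length: int = DEFAULT_LENGTH, label: bytes = DEFAULT_LABEL) -> bytes:
    """wsc:Generation form of the same token: generation g is the g-th block, i.e. offset = g * length."""
    return derive_key(secret, nonce, generation * length, length, label)


def session_keys(secret: bytes, initiator_nonce: bytes, recipient_nonce: bytes) -> dict:
    """Both parties compute this from the shared context secret, so only nonces and offsets
    ever appear on the wire. Generation 0 for signing and 1 for encryption, per direction,
    is a constructed convention for this example."""
    return {
        "initiator_sign": derive_generation(secret, initiator_nonce, 0),
        "initiator_encrypt": derive_generation(secret, initiator_nonce, 1),
        "recipient_sign": derive_generation(secret, recipient_nonce, 0),
        "recipient_encrypt": derive_generation(secret, recipient_nonce, 1),
    }
```

`session_keys(DEMO_SECRET, DEMO_NONCE_INITIATOR, DEMO_NONCE_RECIPIENT)` gives four distinct 32-byte keys; compromise of any one of them exposes neither the others nor the context secret, which is the property a long-term key used directly would lack.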
Key Agreement Scenarios
- Unilateral
- Mutual
- Third Party
WS-SecurityPolicy

- Allows a Web Service to express Security Policies
  - What needs to be protected
  - What tokens to use
  - Algorithms, reference types, etc.
- Builds on WS-Policy
  - Uses nested policy to provide scope
- Defines various groups of policy assertions
  - Correspond to features of WSS, SecureConversation, Trust, etc.
- Expressed in WSDL per WS-PolicyAttachment
- Constrains content and layout of the security header
- Defines a number of Assertion types
WS-SecurityPolicy Assertion Types

- Protection assertions
  - What parts of messages need to be protected: Confidentiality, Integrity
- Token assertions
  - Types of tokens, in band or out of band
- Binding assertions
  - Transport, Symmetric, Asymmetric Bindings
  - Can apply to response as well as request
- Supporting Token assertions
  - Additional signatures, e.g. Endorsements
- Protocol assertions
  - Other properties, e.g. Algorithms, Timestamps, Reference types
WS-Federation
- Builds on WS-Trust
- Web SSO alternative to SAML profiles
- Uses WS-Trust to issue tokens, including SAML
  - More generic, less access to SAML-specific features
- Federation Metadata
- Reference Tokens
- Authorization Tokens
- Extends WS-SecurityPolicy
Related Standards
- Web Single Sign-on and Sign-off
  - SAML Web Browser Profiles
  - WS-Federation (passive requestors)
- Authorization Policy: XACML
- Digital Signature Services (DSS)
  - Create and verify signatures, signed timestamps
Key OASIS Technical Committees

- Security Services (2001-present): SAML
- WS-Security (2003-2006): core spec + Token Profiles; now closed
- WS-SX (2006-present): WS-Trust, WS-SecureConversation, WS-SecurityPolicy
- WS-Federation (2007)
- XACML (2001-present)
- DSS (closed); DSS-X (2007): Digital Signature Services
Security Standards Interdependencies
Dependency diagram, from the underlying W3C specifications to the specifications that build on them:

- XML Encryption, XML Digital Signature
- DSS, XACML
- SAML
- WSS
- WS-Trust
- WS-SecureConversation
- WS-SecurityPolicy, WS-Federation
Questions?