WS TRUST - PowerPoint PPT Presentation

Description: Requesting and obtaining security token. Managing trusts and establishing trust relationships ... Requesting and obtaining security tokens, Deriving Keys ...
Slides: 24
Provided by: one124
1
WS - TRUST
  • by Bugrahan AKCAY

2
Goals
  • Enable applications to construct trusted message
    exchanges
  • Provide a flexible set of mechanisms that can be
    used to support a range of security protocols

3
Requirements
  • Requesting and obtaining security tokens
  • Managing trusts and establishing trust
    relationships
  • Establishing and assessing trust relationships
  • From Web Service Trust Language Version 1.1 May
    2004

4
WS-Trust
  • WS-Trust defines standard interfaces for
      • Security token creation, management and exchange
      • Dissemination of credentials within different
        trust domains
  • Specifically, WS-Trust builds upon WS-Security to
    provide
      • Methods for issuing and exchanging security
        tokens
      • Ways to establish and assess the presence of
        trust relationships
  • Defined using WSDL

5
WS-Trust
  • Requesting and obtaining security tokens,
    Deriving Keys
  • The current specification defines three possible
    actions: issue a new token, renew a token, or
    validate a token
  • Managing trusts and establishing trust
    relationships

6
The position of WS-Trust
  (diagram: the WS-Security roadmap stack)
  Top layer:    WS-Secure Conversation, WS-Federation, WS-Authorization
  Middle layer: WS-Policy, WS-Trust, WS-Privacy
  Base:         WS-Security, over the SOAP Foundation
  Legend: in progress / proposed / promised

7
Terms
  • Trust - Trust is the characteristic that one
    entity is willing to rely upon a second entity to
    execute a set of actions.
  • Direct Trust - Direct trust is when a relying
    party accepts as true all (or some subset of) the
    claims in the token sent by the requestor.
  • Direct Brokered Trust - Direct brokered trust is
    when one party trusts a second party, who, in
    turn, trusts or vouches for, a third party.
  • Indirect Brokered Trust - Indirect brokered trust
    is a variation on direct brokered trust where the
    second party negotiates with the third party, or
    additional parties, to assess the trust of the
    third party.

8
Trust Model
  • Messages MAY be required to prove a set of
    claims (e.g., name, key, permission, capability,
    etc.).
  • Messages without the required proof of claims
    SHOULD be ignored/rejected.
  • The requester MAY contact an appropriate authority
    (Security Token Service), which may require its
    own set of claims.
  • Security token services form the basis of trust.
  • A challenge-response protocol MAY be required for
    freshness and proof-of-possession.

9
Trust Model Diagram
10
Security Token Issuance, Validation and Exchange
  • Requesting a Security Token
      • Basic elements for requesting specific token
        types
      • Scope Requirements
      • Key and Encryption Requirements
      • Delegation, Forwarding, and Proxy Requirements
      • Lifetime and Renewal Requirements
      • Policies
  • Returning Tokens
      • Basic element to determine the specific token
        type returned
      • Scope Requirements
      • Key and Encryption Requirements

11
Some Token Characteristics
  • WS-Trust allows various characteristics of the
    requested token to be specified in the request
  • A validity period or lifetime for a token can be
    specified as can information concerning key
    length, key types and token issuer information
    amongst other things.

12
Management of Trust Models
  • Fixed trust roots - Simple fixed set of trust
    relationships between requestor and recipient.
  • Trust hierarchies - Builds on fixed trust roots
    but allows hierarchies of trust between requestor
    and recipient.
  • Authentication service - Essentially a fixed
    trust root where the recipient only trusts the
    authentication service.

13
Basic Trust Structure
  • I want to have secure communication with you
  • I ask the trust service for a token to allow me
    to talk to you
  • The trust service sends two copies of a secret
    key
  • One encrypted for me (proof token)
  • One encrypted for you (requested token)

14
Trust Engine/Security Token Service
  • A security token service is also depicted, from
    which the sender Web service will request a
    security token to be used for its interaction
    with the receiver Web service.

15
Request Structure
  • Request Header
      • Defines the type of security token requested
      • The action that is being requested
      • References tokens that are used to validate the
        authenticity of a request
      • References the supporting tokens used to
        authorize the request

  <RequestSecurityToken>
    <TokenType>...</TokenType>
    <RequestType>...</RequestType>
    <Base>...</Base>
    <Supporting>...</Supporting>
  </RequestSecurityToken>

16
Request Example
17
Response Structure
  • Response Header
      • Defines the type of security token requested
      • Specifies the type of key used in the token
      • Specifies the size of the key returned
      • Specifies the scope to which this security token
        applies
  • Requested security token
  • Proof-of-possession token

  <RequestSecurityTokenResponse>
    <TokenType>...</TokenType>
    <KeyType>...</KeyType>
    <KeySize>...</KeySize>
    <wsp:AppliesTo>...</wsp:AppliesTo>
    <RequestedSecurityToken>...</RequestedSecurityToken>
    <RequestedProofToken>...</RequestedProofToken>
  </RequestSecurityTokenResponse>

The proof token contains information that the
receiver needs in order to prove it is able to
use the returned token.
18
Response Example
19
Example
  (diagram: Security Token and Proof token)

20
Brokered Example
  • Service and STS exchange a shared secret.
  • Client makes an RST and signs it according to STS
    policy.
  • STS enforces policy
      • Creates the token and encrypts it with the
        client's encryption key
      • Creates the proof token and encrypts it with the
        shared secret
      • Signs and returns the RSTR
  • Client decrypts the token
  • Client propagates the proof token to the service
  • Service decrypts the proof token

  (diagram: STS (Security Token Service), Client, Service)

21
Challenges
  • In some cases, a security token service may
    choose to challenge the requestor of a security
    token.
  • This may occur if the security token service does
    not trust the nonce and timestamp (for example,
    the freshness) in the message.
  • The security token service may challenge the
    signature within the message.
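
The issue exchange from slides 13, 15, 17, 20 and 21, as an added Python example (not code from the presentation or from any WS-Trust implementation): the client builds an RST, the STS answers with an RSTR that carries the secret key once for the service and once for the client, and the service checks freshness and proof of possession before accepting a message. Assumptions: element names follow the slides without namespaces, hex encoding stands in for encrypting each key copy to its recipient, and an HMAC-SHA256 over a nonce, timestamp and body stands in for the message signature.

```python
import hashlib, hmac, secrets
import xml.etree.ElementTree as ET


def build_rst(token_type, request_type, applies_to):
    """Client: build a RequestSecurityToken with the slide-15 elements (no namespaces)."""
    if request_type not in {"Issue", "Renew", "Validate"}:  # the three actions on slide 5
        raise ValueError(f"unsupported RequestType: {request_type}")
    rst = ET.Element("RequestSecurityToken")
    ET.SubElement(rst, "TokenType").text = token_type
    ET.SubElement(rst, "RequestType").text = request_type
    ET.SubElement(rst, "AppliesTo").text = applies_to
    return ET.tostring(rst, encoding="unicode")


def sts_issue(rst_xml, key_bits=256):
    """STS: answer an Issue request with an RSTR carrying a fresh key twice (slide 13)."""
    rst = ET.fromstring(rst_xml)
    if rst.findtext("RequestType") != "Issue":
        raise ValueError("this STS only implements Issue")
    key = secrets.token_bytes(key_bits // 8)
    rstr = ET.Element("RequestSecurityTokenResponse")
    ET.SubElement(rstr, "TokenType").text = rst.findtext("TokenType")
    ET.SubElement(rstr, "KeyType").text = "SymmetricKey"
    ET.SubElement(rstr, "KeySize").text = str(key_bits)
    ET.SubElement(rstr, "AppliesTo").text = rst.findtext("AppliesTo")
    ET.SubElement(rstr, "RequestedSecurityToken").text = key.hex()  # service's copy; hex stands in for encryption (assumption)
    ET.SubElement(rstr, "RequestedProofToken").text = key.hex()     # client's copy, same assumption
    return ET.tostring(rstr, encoding="unicode")


def service_token(rstr_xml):
    return ET.fromstring(rstr_xml).findtext("RequestedSecurityToken")  # the copy the service receives


def _mac(key, nonce, created, body):
    return hmac.new(key, f"{nonce}|{created}|{body}".encode(), hashlib.sha256).hexdigest()


def client_sign(rstr_xml, nonce, created, body):
    """Client: prove possession by signing with the key from the proof token."""
    rstr = ET.fromstring(rstr_xml)
    key = bytes.fromhex(rstr.findtext("RequestedProofToken"))
    if len(key) * 8 != int(rstr.findtext("KeySize")):
        raise ValueError("KeySize does not match the proof token")
    return _mac(key, nonce, created, body)


def service_verify(token_hex, nonce, created, body, sig, seen, now, max_age=300):
    """Service: reject stale or replayed messages (slide 21), then check the MAC."""
    fresh = now - created <= max_age and nonce not in seen
    if fresh and hmac.compare_digest(_mac(bytes.fromhex(token_hex), nonce, created, body), sig):
        seen.add(nonce)
        return True
    return False
```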

22
Challenges
  • Allows extensible/custom challenges and responses

23
Summary
  • Using these extensions, applications can engage
    in secure communication designed to work with
      • the general Web Services framework, including
        WSDL
      • UDDI businessServices
      • bindingTemplates
      • SOAP messages
  • The Web Services Enhancements Toolkit Version 2.0
    implements the latest version of the WS-Trust
    specification (according to Microsoft; it requires
    the .NET environment).