Web Services Security - PowerPoint PPT Presentation
Transcript and Presenter's Notes

1
Web Services Security
  • Chen Yang
  • imchy_at_is.pku.edu.cn
  • 21 October 2005

2
Web Services Security
  • Customers, industry analysts, and the press
    identify a key area that needs to be addressed as
    Web services become more mainstream: security.
  • IBM and Microsoft, Security in a Web Services
    World: A Proposed Architecture and Roadmap, April
    7, 2002
  • This document proposes a technical strategy and
    roadmap whereby the industry can produce and
    implement a standards-based architecture that is
    comprehensive yet flexible enough to meet the Web
    services security needs of real businesses.

3
Web Services Security
  • Web Services Security Model Principles
  • Point-to-point configuration

4
Web Services Security
  • Web Services Security Model Principles
  • End-to-end configuration

5
Web Services Security
  • The Web service security model enables us to
    achieve these goals by a process in which
  • A Web service can require that an incoming
    message prove a set of claims (e.g., name, key,
    permission, capability, etc.). We refer to the
    set of required claims and related information as
    policy.
  • A requester can send messages with proof of the
    required claims by associating security tokens
    with the messages.
  • When a requester does not have the required
    claims, the requester or someone on its behalf
    can try to obtain the necessary claims by
    contacting other Web services. These other Web
    services, which we refer to as security token
    services, may in turn require their own set of
    claims.

6
Web Services Security
  • Web Services Security Model Principles
  • Security Token Service Model

7
Web Services Security
  • Web Services Security Specifications

8
Web Services Security
  • Initial Specifications
  • WS-Security
  • WS-Policy
  • WS-Trust
  • WS-Privacy
  • Follow-On Specifications
  • WS-SecureConversation
  • WS-Federation
  • WS-Authorization

9
Web Services Security
  • WS-Security
  • describes enhancements to SOAP messaging to
    provide quality of protection through message
    integrity and message confidentiality
  • defines how to attach and include security tokens
    within SOAP messages
  • a mechanism is provided for specifying binary
    encoded security tokens (e.g. X.509 certificates)
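As an added example (not from the slides or the OASIS specification), the following Python parses a constructed SOAP 1.1 message whose wsse:Security header attaches a UsernameToken and a base64-encoded binary (X.509) token, using the OASIS WS-Security 2004 namespaces. The certificate bytes are a placeholder; extracting a token only locates the claims, and the receiver still has to verify the signature or digest that proves possession of them.

```python
import base64
import xml.etree.ElementTree as ET

# Namespaces from SOAP 1.1 and the OASIS WS-Security 2004 (200401) standard
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
X509V3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
B64 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"

# Constructed sample message; the "certificate" is placeholder bytes, not real DER.
FAKE_CERT = base64.b64encode(b"placeholder-DER-certificate-bytes").decode()
SAMPLE = f"""<soap:Envelope xmlns:soap="{SOAP}">
  <soap:Header>
    <wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" soap:mustUnderstand="1">
      <wsse:UsernameToken wsu:Id="UT-1">
        <wsse:Username>alice</wsse:Username>
      </wsse:UsernameToken>
      <wsse:BinarySecurityToken wsu:Id="X509-1" ValueType="{X509V3}"
          EncodingType="{B64}">{FAKE_CERT}</wsse:BinarySecurityToken>
    </wsse:Security>
  </soap:Header>
  <soap:Body><GetRate xmlns="urn:example:currency"/></soap:Body>
</soap:Envelope>"""


def extract_tokens(envelope_xml):
    """Return the security tokens carried in the wsse:Security header.

    A message with no Security header carries no claims at all, so the
    service's policy cannot be satisfied and the caller is told so.
    """
    root = ET.fromstring(envelope_xml)
    header = root.find(f"{{{SOAP}}}Header")
    security = header.find(f"{{{WSSE}}}Security") if header is not None else None
    if security is None:
        raise ValueError("no wsse:Security header: message carries no claims")
    tokens = []
    for ut in security.findall(f"{{{WSSE}}}UsernameToken"):
        tokens.append({"type": "UsernameToken",
                       "id": ut.get(f"{{{WSU}}}Id"),
                       "username": ut.findtext(f"{{{WSSE}}}Username")})
    for bst in security.findall(f"{{{WSSE}}}BinarySecurityToken"):
        tokens.append({"type": "BinarySecurityToken",
                       "id": bst.get(f"{{{WSU}}}Id"),
                       "value_type": bst.get("ValueType"),
                       "raw": base64.b64decode(bst.text.strip())})
    return tokens
```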

10
Web Services Security
  • WS-Policy
  • will describe how senders and receivers can
    specify their requirements and capabilities
  • will define a generic SOAP policy format, which
    can support more than just security policies
  • will also define a mechanism for attaching or
    associating service policies with SOAP messages

11
Web Services Security
  • WS-Trust
  • will describe the model for establishing both
    direct and brokered trust relationships
    (including third parties and intermediaries)
  • will describe how existing direct trust
    relationships may be used as the basis for
    brokering trust through the creation of security
    token issuance services
  • will describe how several existing trust
    mechanisms may be used in conjunction with this
    trust model
  • will explicitly allow for, but will not mandate,
    delegation and impersonation

12
Web Services Security
  • WS-Privacy
  • will describe a model for how a privacy language
    may be embedded into WS-Policy descriptions and
    how WS-Security may be used to associate privacy
    claims with a message
  • will describe how WS-Trust mechanisms can be used
    to evaluate these privacy claims for both user
    preferences and organizational practice claims

13
Web Services Security
  • WS-SecureConversation
  • will describe how a Web service can authenticate
    requester messages, how requesters can
    authenticate services, and how to establish
    mutually authenticated security contexts
  • will describe how to establish session keys,
    derived keys, and per-message keys
  • will describe how a service can securely exchange
    context (collections of claims about security
    attributes and related data)

14
Web Services Security
  • WS-Federation
  • will define how to construct federated trust
    scenarios using the WS-Security, WS-Policy,
    WS-Trust, and WS-SecureConversation
    specifications (e.g., how to federate Kerberos
    and PKI infrastructures)
  • a trust policy is introduced to indicate,
    constrain and identify the type of trust that is
    being brokered
  • will define mechanisms for managing the trust
    relationships

15
Web Services Security
  • WS-Authorization
  • will describe how access policies for a Web
    service are specified and managed
  • In particular it will describe how claims may be
    specified within security tokens and how these
    claims will be interpreted at the endpoint.
  • will be designed to be flexible and extensible
    with respect to both authorization format and
    authorization language

16
Web Services Security
  • Relating Web Services Security to Today's
    Security Models
  • Transport Security: existing technologies such
    as secure sockets (SSL/TLS) can provide simple
    point-to-point integrity and confidentiality for
    a message.
  • PKI: Public Key Infrastructure
  • Kerberos: the Kerberos model relies on
    communication with the Key Distribution Center
    (KDC) to broker trust between parties.

17
Web Services Security
  • Scenarios
  • Direct Trust using Username/Password and
    Transport-Level Security
  • use WS-Security, can use WS-Policy

18
Web Services Security
  • Scenarios
  • Direct Trust using Security Tokens
  • use WS-Security and WS-Trust, can use WS-Policy

19
Web Services Security
  • Scenarios
  • Security Token Acquisition
  • use WS-Security and WS-Trust, can use WS-Policy

20
Web Services Security
  • Scenarios
  • Firewall Processing
  • use WS-Security and WS-Trust, can use WS-Policy

21
Web Services Security
  • Scenarios
  • Issued Security Token
  • use WS-Security, WS-Trust, WS-Policy and
    WS-SecureConversation, can use WS-Federation

22
Web Services Security
  • Scenarios
  • Enforcing Business Policy
  • use WS-Security, WS-Trust, WS-Policy and
    WS-SecureConversation, can use WS-Federation and
    WS-Authorization

23
Web Services Security
  • Scenarios
  • Privacy
  • use WS-Security, WS-Policy and WS-Privacy

24
Web Services Security
  • Scenarios
  • Web Clients
  • use WS-Security and security token format which
    supports delegation

25
Web Services Security
  • Scenarios
  • Mobile Clients

26
Web Services Security
  • Scenarios
  • Enabling Federation
  • Alice at Adventure456 wants to use the Currency
    Web service at Business456. The Currency service
    will only process requests with a security token
    issued by Business456. Alice only has a security
    token with identity claims (i.e. an identity
    security token) issued by Adventure456.
  • use WS-Security, WS-Trust, WS-Policy and
    WS-Federation, may use WS-SecureConversation
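As an added example (not from the slides), the claims/policy/security-token-service model of slide 5 applied to this federation scenario: the Currency service's policy demands a Business456-issued token, Alice holds only an Adventure456 identity token, and Business456's token service, which trusts Adventure456, exchanges it. HMAC signatures stand in for the PKI or Kerberos proofs the slides describe; all names, claims and keys are constructed.

```python
import hashlib
import hmac
import json

# Constructed secrets: each issuer proves the tokens it issues with its own key.
ISSUER_KEYS = {"Adventure456": b"adventure-secret", "Business456": b"business-secret"}


def issue_token(issuer, claims):
    """A security token: a set of claims plus the issuer's proof over them."""
    body = json.dumps({"issuer": issuer, "claims": claims}, sort_keys=True).encode()
    mac = hmac.new(ISSUER_KEYS[issuer], body, hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}


def verify_token(token, trusted_issuers):
    """Return the parsed token if a trusted issuer's proof checks out, else None."""
    parsed = json.loads(token["body"])
    issuer = parsed["issuer"]
    if issuer not in trusted_issuers:      # untrusted or unknown issuer: no claims accepted
        return None
    expected = hmac.new(ISSUER_KEYS[issuer], token["body"], hashlib.sha256).hexdigest()
    return parsed if hmac.compare_digest(expected, token["mac"]) else None


def business456_sts(incoming_token):
    """Business456's security token service. It federates with Adventure456, so it
    exchanges a valid Adventure456 identity token for a Business456-issued token.
    The STS has its own policy: it needs an identity (name) claim to issue anything."""
    parsed = verify_token(incoming_token, trusted_issuers={"Adventure456"})
    if parsed is None or "name" not in parsed["claims"]:
        return None
    return issue_token("Business456", {"name": parsed["claims"]["name"], "role": "partner"})


# The Currency service's policy: required issuer and required claims.
CURRENCY_POLICY = {"issuer": "Business456", "required_claims": {"name", "role"}}


def currency_service(token):
    """Only processes requests carrying a Business456 token with the required claims."""
    parsed = verify_token(token, trusted_issuers={CURRENCY_POLICY["issuer"]})
    if parsed is None or not CURRENCY_POLICY["required_claims"] <= set(parsed["claims"]):
        return "rejected"
    return f"rate for {parsed['claims']['name']}"


def alice_requests_rate():
    """Alice tries her Adventure456 token directly (rejected: wrong issuer), then
    obtains the required claims from Business456's STS and retries."""
    alice_token = issue_token("Adventure456", {"name": "alice"})
    first = currency_service(alice_token)
    exchanged = business456_sts(alice_token)
    second = currency_service(exchanged) if exchanged else "rejected"
    return first, second
```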

27
Web Services Security
  • Scenarios
  • Enabling Federation
  • Federation Using Security Token Exchange

28
Web Services Security
  • Scenarios
  • Enabling Federation
  • Federation Using Trust Chaining

29
Web Services Security
  • Scenarios
  • Enabling Federation
  • Federation Using Security Token Exchange (PKI →
    Kerberos)

30
Web Services Security
  • Scenarios
  • Enabling Federation
  • Federation Using Security Token Exchange
    (Kerberos → Security Token Service)

31
Web Services Security
  • Scenarios
  • Enabling Federation
  • Federation Using Credential Exchange (Kerberos →
    Kerberos)

32
Web Services Security
  • Scenarios
  • Validation Service
  • use WS-Security, WS-Trust and WS-Federation, can
    use WS-Policy and WS-SecureConversation

33
Web Services Security
  • Scenarios
  • Supporting Delegation
  • use WS-Security, WS-Trust, WS-SecureConversation,
    WS-Federation, WS-Privacy and security token
    which supports delegation, can use WS-Policy

34
Web Services Security
  • Scenarios
  • Supporting Delegation

35
Web Services Security
  • Scenarios
  • Access Control

36
Web Services Security
  • Scenarios
  • Auditing
  • use WS-Security, Secure Communication and
    WS-Trust, can use WS-Federation

37
Web Services Security
  • The Web Services Security model is shaping up
    quite significantly. A new series of
    specifications explain how Web services security
    can be implemented in a platform-independent and
    loosely-coupled manner in terms of establishing
    secured communications, defining policies for how
    services interact, and defining rules of trust
    between domains of services.
  • IBM, Web Services Security - Moving up the stack,
    Dec 1, 2002

38
Web Services Security
  • The evolving WS-Security Roadmap

39
Web Services Security
  • WS-Policy has been further refined
  • A Policy Framework (WS-Policy) document that
    defines a grammar for expressing Web services
    policies.
  • A Policy Attachment (WS-Policy-Attachment)
    document that defines how to attach these
    policies to Web services.
  • A set of general policy assertions
    (WS-Policy-Assertions).
  • A set of security policy assertions
    (WS-SecurityPolicy).

40
Web Services Security
  • Web Services Security (WS-Security)
  • IBM, MS and VeriSign, April 5, 2002, 1.0
  • OASIS, Web Services Security SOAP Message
    Security 1.0 (WS-Security 2004), OASIS Standard
    200401, March 2004

41
Web Services Security
42
Web Services Security
43
Web Services Security
  • IBM and Microsoft, December 18, 2002, 1.0
  • Web Services Policy Framework (WS-Policy)
  • Web Services Policy Attachment
    (WS-PolicyAttachment)
  • Web Services Policy Assertions Language
    (WS-PolicyAssertions)
  • Web Services Security Policy Language
    (WS-SecurityPolicy)
  • Web Services Secure Conversation Language
    (WS-SecureConversation)
  • Web Services Trust Language (WS-Trust)

44
Web Services Security
  • May 28, 2003, 1.1
  • Web Services Policy Assertions Language
    (WS-PolicyAssertions)
  • September 2004, 1.1
  • Web Services Policy Framework (WS-Policy)
  • Web Services Policy Attachment
    (WS-PolicyAttachment)
  • February 2005
  • Web Services Secure Conversation Language
    (WS-SecureConversation)
  • Web Services Trust Language (WS-Trust)
  • July 2005, 1.1
  • Web Services Security Policy Language
    (WS-SecurityPolicy)

45
Web Services Security
  • WS-Policy

46
Web Services Security
  • WS-PolicyAttachment
  • Policy Attachment Mechanisms
  • XML Element Attachment
  • External Policy Attachment
  • Attaching Policies
  • Using WSDL 1.1
  • Using UDDI

47
Web Services Security
  • WS-PolicyAssertions

48
Web Services Security
  • WS-SecurityPolicy

49
Web Services Security
  • WS-Trust
  • Web Services Trust Model

50
Web Services Security
  • WS-Trust

51
Web Services Security
  • WS-SecureConversation

52
Web Services Security
  • WS-SecureConversation

53
Web Services Security
  • References
  • IBM and Microsoft, Security in a Web Services
    World: A Proposed Architecture and Roadmap, April
    7, 2002
  • IBM, Web Services Security - Moving up the stack,
    2002
  • IBM, MS and VeriSign, Web Services Security
    (WS-Security), April 5, 2002
  • OASIS, Web Services Security - SOAP Message
    Security 1.0 (WS-Security 2004), 2004

54
Web Services Security
  • References
  • IBM etc., Web Services Policy Framework
    (WS-Policy), 2004
  • IBM etc., Web Services Policy Attachment
    (WS-PolicyAttachment), 2004
  • IBM etc., Web Services Policy Assertions Language
    (WS-PolicyAssertions), 2003
  • IBM etc., Web Services Security Policy Language
    (WS-SecurityPolicy), 2005

55
Web Services Security
  • References
  • IBM etc., Web Services Trust Language (WS-Trust),
    2005
  • IBM etc., Web Services Secure Conversation
    Language (WS-SecureConversation), 2005
  • Sun, Securing Web Services: Concepts,
    Standards, and Requirements, White Paper, 2003

56
Web Services Security
  • References
  • W3C Note, Simple Object Access Protocol (SOAP)
    1.1, May 8, 2000
  • W3C Note, SOAP Messages with Attachments, Dec.
    11, 2000
  • W3C Note, SOAP Security Extensions - Digital
    Signature, Feb. 6, 2001
  • W3C Recommendation, SOAP Version 1.2 Part 0 -
    Primer, June 24, 2003
  • W3C Recommendation, SOAP Version 1.2 Part 1 -
    Messaging Framework, June 24, 2003