Web Services Security - PowerPoint PPT Presentation

1 / 56
About This Presentation
Title:

Web Services Security

Description:

will define a generic SOAP policy format, which can support more than just security policies ... The Currency service will only process requests with a security ... – PowerPoint PPT presentation

Number of Views:34
Avg rating:3.0/5.0
Slides: 57
Provided by: sun114
Category:

less

Transcript and Presenter's Notes

Title: Web Services Security


1
Web Services Security
  • Chen Yang
  • imchy_at_is.pku.edu.cn
  • 2005?10?21?

2
Web Services Security
  • Customers, industry analysts, and the press
    identify a key area that needs to be addressed as
    Web services become more mainstream security.
  • IBM and Microsoft, Security in a Web Services
    World A Proposed Architecture and Roadmap, April
    7, 2002
  • This document proposes a technical strategy and
    roadmap whereby the industry can produce and
    implement a standards-based architecture that is
    comprehensive yet flexible enough to meet the Web
    services security needs of real businesses.

3
Web Services Security
  • Web Services Security Model Principles
  • Point-to-point configuration

4
Web Services Security
  • Web Services Security Model Principles
  • End-to-end configuration

5
Web Services Security
  • The Web service security model enables us to
    achieve these goals by a process in which
  • A Web service can require that an incoming
    message prove a set of claims (e.g., name, key,
    permission, capability, etc.). We refer to the
    set of required claims and related information as
    policy.
  • A requester can send messages with proof of the
    required claims by associating security tokens
    with the messages.
  • When a requester does not have the required
    claims, the requester or someone on its behalf
    can try to obtain the necessary claims by
    contacting other Web services. These other Web
    services, which we refer to as security token
    services, may in turn require their own set of
    claims.

6
Web Services Security
  • Web Services Security Model Principles
  • Security Token Service Model

7
Web Services Security
  • Web Services Security Specifications

8
Web Services Security
  • Initial Specifications
  • WS-Security
  • WS-Policy
  • WS-Trust
  • WS-Privacy
  • Follow-On Specifications
  • WS-SecureConversation
  • WS-Federation
  • WS-Authorization

9
Web Services Security
  • WS-Security
  • describes enhancements to SOAP messaging to
    provide quality of protection through message
    integrity and message confidentiality
  • defines how to attach and include security tokens
    within SOAP messages
  • a mechanism is provided for specifying binary
    encoded security tokens (e.g. X.509 certificates)

10
Web Services Security
  • WS-Policy
  • will describe how senders and receivers can
    specify their requirements and capabilities
  • will define a generic SOAP policy format, which
    can support more than just security policies
  • will also define a mechanism for attaching or
    associating service policies with SOAP messages

11
Web Services Security
  • WS-Trust
  • will describe the model for establishing both
    direct and brokered trust relationships
    (including third parties and intermediaries)
  • will describe how existing direct trust
    relationships may be used as the basis for
    brokering trust through the creation of security
    token issuance services
  • will describe how several existing trust
    mechanisms may be used in conjunction with this
    trust model
  • explicitly allow for, but will not mandate,
    delegation and impersonation

12
Web Services Security
  • WS-Privacy
  • will describe a model for how a privacy language
    may be embedded into WS-Policy descriptions and
    how WS-Security may be used to associate privacy
    claims with a message
  • will describe how WS-Trust mechanisms can be used
    to evaluate these privacy claims for both user
    preferences and organizational practice claims

13
Web Services Security
  • WS-SecureConversation
  • will describe how a Web service can authenticate
    requester messages, how requesters can
    authenticate services, and how to establish
    mutually authenticated security contexts
  • will describe how to establish session keys,
    derived keys, and per-message keys
  • will describe how a service can securely exchange
    context (collections of claims about security
    attributes and related data)

14
Web Services Security
  • WS-Federation
  • will define how to construct federated trust
    scenarios using the WS-Security, WS-Policy,
    WS-Trust, and WS-SecureConversation
    specifications (e.g., how to federate Kerberos
    and PKI infrastructures)
  • a trust policy is introduced to indicate and
    constrain and identify the type of trust that is
    being brokered
  • will define mechanisms for managing the trust
    relationships

15
Web Services Security
  • WS-Authorization
  • will describe how access policies for a Web
    service are specified and managed
  • In particular it will describe how claims may be
    specified within security tokens and how these
    claims will be interpreted at the endpoint.
  • will be designed to be flexible and extensible
    with respect to both authorization format and
    authorization language

16
Web Services Security
  • Relating Web Services Security to Today's
    Security Models
  • Transport Security Existing technologies such
    as secure sockets (SSL/TLS) can provide simple
    point-to-point integrity and confidentiality for
    a message.
  • PKI Public Key Infrastructure
  • Kerberos The Kerberos model relies on
    communication with the Key Distribution Center
    (KDC) to broker trust between parties.

17
Web Services Security
  • Scenarios
  • Direct Trust using Username/Password and
    Transport-Level Security
  • use WS-Security, can use WS-Policy

18
Web Services Security
  • Scenarios
  • Direct Trust using Security Tokens
  • use WS-Security and WS-Trust , can use WS-Policy

19
Web Services Security
  • Scenarios
  • Security Token Acquisition
  • use WS-Security and WS-Trust , can use WS-Policy

20
Web Services Security
  • Scenarios
  • Firewall Processing
  • use WS-Security and WS-Trust , can use WS-Policy

21
Web Services Security
  • Scenarios
  • Issued Security Token
  • use WS-Security, WS-Trust, WS-Policy and
    WS-SecureConversation , can use WS-Federation

22
Web Services Security
  • Scenarios
  • Enforcing Business Policy
  • use WS-Security, WS-Trust, WS-Policy and
    WS-SecureConversation , can use WS-Federation and
    WS-Authorization

23
Web Services Security
  • Scenarios
  • Privacy
  • use WS-Security, WS-Policy and WS-Privacy

24
Web Services Security
  • Scenarios
  • Web Clients
  • use WS-Security and security token format which
    supports delegation

25
Web Services Security
  • Scenarios
  • Mobile Clients

26
Web Services Security
  • Scenarios
  • Enabling Federation
  • Alice at Adventure456 wants to use the Currency
    Web service at Business456. The Currency service
    will only process requests with a security token
    issued by Business456. Alice only has a security
    token with identity claims (i.e. an identity
    security token) issued by Adventure456.
  • use WS-Security, WS-Trust, WS-Policy and
    WS-Federation, may use WS-SecureConversation

27
Web Services Security
  • Scenarios
  • Enabling Federation
  • Federation Using Security Token Exchange

28
Web Services Security
  • Scenarios
  • Enabling Federation
  • Federation Using Trust Chaining

29
Web Services Security
  • Scenarios
  • Enabling Federation
  • Federation Using Security Token Exchange (PKI ?
    Kerberos)

30
Web Services Security
  • Scenarios
  • Enabling Federation
  • Federation Using Security Token Exchange
    (Kerberos ? Security Token Service)

31
Web Services Security
  • Scenarios
  • Enabling Federation
  • Federation Using Credential Exchange (Kerberos ?
    Kerberos)

32
Web Services Security
  • Scenarios
  • Validation Service
  • use WS-Security, WS-Trust and WS-Federation , can
    use WS-Policy and WS-SecureConversation

33
Web Services Security
  • Scenarios
  • Supporting Delegation
  • use WS-Security, WS-Trust, WS-SecureConversation,
    WS-Federation, WS-Privacy and security token
    which supports delegation, can use WS-Policy

34
Web Services Security
  • Scenarios
  • Supporting Delegation

35
Web Services Security
  • Scenarios
  • Access Control

36
Web Services Security
  • Scenarios
  • Auditing
  • use WS-Security, Secure Communication and
    WS-Trust , can use WS-Federation

37
Web Services Security
  • The Web Services Security model is shaping up
    quite significantly. A new series of
    specifications explain how Web services security
    can be implemented in a platform-independent and
    loosely-coupled manner in terms of establishing
    secured communications, defining policies for how
    services interact, and defining rules of trust
    between domains of services.
  • IBM, Web Services Security Moving up the stack ,
    Dec 1, 2002

38
Web Services Security
  • The evolving WS-Security Roadmap

39
Web Services Security
  • WS-Policy has been further refined
  • A Policy Framework (WS-Policy) document that
    defines a grammar for expressing Web services
    policies.
  • A Policy Attachment (WS-Policy-Attachment)
    document that defines how to attach these
    policies to Web services.
  • A set of general policy assertions
    (WS-Policy-Assertions).
  • A set of security policy assertions (WS-Security
    Policy) .

40
Web Services Security
  • Web Services Security (WS-Security)
  • IBM, MS and VeriSign, April 5, 2002, 1.0
  • OASIS, Web Services Security SOAP Message
    Security 1.0 (WS-Security 2004), OASIS Standard
    200401, March 2004

41
Web Services Security
42
Web Services Security
43
Web Services Security
  • IBM and Microsoft, December 18, 2002, 1.0
  • Web Services Policy Framework (WS-Policy)
  • Web Services Policy Attachment (WS-PolicyAttachmen
    t)
  • Web Services Policy Assertions Language
    (WS-PolicyAssertions)
  • Web Services Security Policy Language
    (WS-SecurityPolicy)
  • Web Services Secure Conversation Language
    (WS-SecureConversation)
  • Web Services Trust Language (WS-Trust)

44
Web Services Security
  • May 28, 2003, 1.1
  • Web Services Policy Assertions Language
    (WS-PolicyAssertions)
  • September 2004, 1.1
  • Web Services Policy Framework (WS-Policy)
  • Web Services Policy Attachment (WS-PolicyAttachmen
    t)
  • February 2005
  • Web Services Secure Conversation Language
    (WS-SecureConversation)
  • Web Services Trust Language (WS-Trust)
  • July 2005, 1.1
  • Web Services Security Policy Language
    (WS-SecurityPolicy)

45
Web Services Security
  • WS-Policy

46
Web Services Security
  • WS-PolicyAttachment
  • Policy Attachment Mechanisms
  • XML Element Attachment
  • External Policy Attachment
  • Attaching Policies
  • Using WSDL 1.1
  • Using UDDI

47
Web Services Security
  • WS-PolicyAssertions

48
Web Services Security
  • WS-SecurityPolicy

49
Web Services Security
  • WS-Trust
  • Web Services Trust Model

50
Web Services Security
  • WS-Trust

51
Web Services Security
  • WS-SecureConversation

52
Web Services Security
  • WS-SecureConversation

53
Web Services Security
  • References
  • IBM and Microsoft, Security in a Web Services
    World A Proposed Architecture and Roadmap, April
    7, 2002
  • IBM, Web Services Security - Moving up the stack,
    2002
  • IBM, MS and VeriSign, Web Services Security
    (WS-Security), April 5, 2002
  • OASIS, Web Services Security - SOAP Message
    Security 1.0 (WS-Security 2004), 2004

54
Web Services Security
  • References
  • IBM etc., Web Services Policy Framework
    (WS-Policy), 2004
  • IBM etc., Web Services Policy Attachment
    (WS-PolicyAttachment), 2004
  • IBM etc., Web Services Policy Assertions Language
    (WS-PolicyAssertions), 2003
  • IBM etc., Web Services Security Policy Language
    (WS-SecurityPolicy), 2005

55
Web Services Security
  • References
  • IBM etc., Web Services Trust Language (WS-Trust),
    2005
  • IBM etc., Web Services Secure Conversation
    Language (WS-SecureConversation), 2005
  • Sun., Securing Web Services Concepts,
    Standards, and Requirements, White Paper, 2003

56
Web Services Security
  • References
  • W3C Note, Simple Object Access Protocol (SOAP)
    1.1, May 8, 2000
  • W3C Note, SOAP Messages with Attachments, Dec.
    11, 2000
  • W3C Note, SOAP Security Extensions - Digital
    Signature, Feb. 6, 2001
  • W3C Recommendation, SOAP Version 1.2 Part 0 -
    Primer, June 24, 2003
  • W3C Recommendation, SOAP Version 1.2 Part 1 -
    Messaging Framework, June 24, 2003
Write a Comment
User Comments (0)
About PowerShow.com