Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Web Design

Web Service Security

advertisement 
Web Service Security
CSCI5931 Web Security
Instructor: Dr. T. Andrew Yang
Student: Jue Wang
Outline






Introduction
Web Services Security Model Terminology
Web Services Security Specification
Relating Web Services Security to Today’s Security Models
Scenarios
References
Introduction

What is web service security?
WS- Security is flexible and is designed to be used as the basis for the construction of a
wide variety of security models including PKI, Kerberos, and SSL.

What are the goals of web service security?
The goal of WS-Security is to enable applications to construct secure SOAP message
exchange.

What are the requirements of web service security?
•
•
•
•
Multiple security tokens for authentication or authorization
Multiple trust domains
Multiple encryption technologies
End-to-end message-level security and not just transport-level security
Web Services Security Model Terminology

Web service
Broadly applicable to a wide variety of network based application topologies.

Security Token
Define a security token as a representation of security-related information
(e.g.X.509 certificate, Kerberos tickes and authenticators, mobile device
security from SIM cards, username, etc.)

Signed Security Token
It contains a set of related claims cryptographically endorsed by an issuer.
Web Services Security Model Terminology

Claims
A statement about a subject either by the subject or by an relying party that
associates the subject with the claim.

Subject
The subject of the security token is a principal about which the claims
expressed in the security token apply.

Proof-of-Possession
To be information used in the process of proving ownership of a security tiken
or set of claims.
Web Service Security Model Terminology

Web Service Endpoint Policy
Web services have complete flexibility in specifying the claims they require in
order to process messages.

Claim Requirements
Whole messages or elements of messages,to all actions of a given type or to
actions only under certain circumstances.

Intermediaries
It perform actions such as routing the message or even modifying the message.

Actor
An intermediary or endpoint which is identified by a URI and which processes a
SOAP message.
Web Services Security Specifications

Today
The combination of security specifications, related activities, and
interoperability profiles will enable customers to easily build
interoperable secure Web services.
Figure. Web Services Security Specifications
WS-SecureConveration
WS-Federation
WS-Authorizatioon
WS-Policy
WS-Trust
WS-Privacy
WS-Security
SOAP Foundation
Relating WS-Security to Today’s Security Models

Transport Security
Existing technologies can provide simple point-to-point integrity and
confidentiality for a message.WS-Security to provide end-to-end integrity and
confidentiality in multiple transports, intermediaries, transmission protocols.

PKI
The PKI model involves certificate authorities issuing certificates with public
asymmetric keys. The WS-Security model supports security token services
issuing security tokens using public asymmetric keys.

Kerberos
The Kerberos model relies on communication with the Key Distribution
Center to broker trust between parties by issuing symmetric keys encrypted for
both parties. The web services model , builds upon the core model with
security token services brokering trust by issuing security tokens.
Scenarios

Scenarios supported by the proposed initial specifications
and associated deliverables:









Direct Trust using Username/Password and Transport-Level Security
Direct Trust using Security Tokens
Security Token Acquisition
Firewall Processing
Issued Security Token
Enforcing Business Policy
Privacy
Web Clients
Mobile Clients
Scenarios

These scenarios can be built on the current deliverables,
like WS-SecureConversation.
 Enabling Federation
 Validation Service
 Supporting Delegation
 Access Control
 Auditing
References
o
o
o
o
o
o
Web Services Security
[Kerberos] – J.Kohl and C. Neuman, “The Kerberos Network
Authentication Service(v5)”
[SOAP]-W3C Note, “SOAP: Simple Object Access Protocol 1.1”
[WS-Routing]-H. Nielsen, S. Thatte, “Web Services Routing Protocol”,
Microsoft
[X509]-S. Santesson, et al, “Internet X.509 public Key Infrastructure
Qualified Certificates Profile,”
[XML-Encrypt]-W3C Working Draft, “XML Encrypt Syntax and
Processing,”
Related documents
MANAGING YOUR CLASSROOM USING A TOKEN ECONOMY
MANAGING YOUR CLASSROOM USING A TOKEN ECONOMY
here
here
cpt
cpt
Introduction to Web Secure (Part II)
Introduction to Web Secure (Part II)
Evolution of IdM Architecture
Evolution of IdM Architecture
Incremental inference
Incremental inference
Behavior Change Sequence – Fact Sheet
Behavior Change Sequence – Fact Sheet
Token economy programme
Token economy programme
Fast Webpage classification using URL features
Fast Webpage classification using URL features
Lecture Note 2
Lecture Note 2
Data Link Layer
Data Link Layer
RSA SecureID Token FAQ - Indiana State University
RSA SecureID Token FAQ - Indiana State University
Kerberos Token Translator User Guide
Kerberos Token Translator User Guide
[#OPENAM-4784] OpenID Connect support for RS256 in
[#OPENAM-4784] OpenID Connect support for RS256 in
Document13135753 13135753
Document13135753 13135753
here
here
here
here
SEC-2015-0571-TR - FTP
SEC-2015-0571-TR - FTP
Improvement of DSG method
Improvement of DSG method
SDFS Report
SDFS Report
PPT - oasis pki
PPT - oasis pki
Document: DJ Secure: Using OTP and PKI Token for Mac
Document: DJ Secure: Using OTP and PKI Token for Mac
Download
advertisement