Security Standards (…and Competing Standards … and Implementations … and Interoperability)

Marty Humphrey
Assistant Professor
Computer Science Department
University of Virginia
UK e-Science Core Programme Town Meeting
Monday 11th April 2005
“Security in a Web Services World”
IBM/MS White Paper, April 2002
[Figure: the WS-* security stack, layered over time. Foundation: SOAP. Today: WS-Security. Above it: WS-Policy, WS-Trust, WS-Privacy. On top: WS-SecureConversation, WS-Federation, WS-Authorization. “This is a composable architecture”: “only use what you need”.]
WS Security Roadmap exists, so why do we?
(slide from GGF6, Oct 2002)
1. What if boxes never materialize?
2. What if boxes appear too late?
3. What if there are licensing issues with box(es)?
4. What if “their roadmap” has missing pieces?
5. What if Grid Computing != Web Services?
6. MS-IBM Roadmap is wire-oriented; we need to be wire-oriented AND service-oriented (i.e., portTypes)
How do we make our existing security services “fit” with the OGSA Architecture?
www.ggf.org
Second Wave Specifications
Slide from Felipe Cabrera
Web Services
Specifications Process
Slide from Felipe Cabrera
Example: WS-Security
[Figure: timeline of the WS-Security specification process]
• Specification published: April 2002
• Customer and industry feedback gathered: April - August 2002
• Addendum published, dev product delivered: August 2002
• OASIS standardization: September 2002
• WS-I Interoperability Profile: April 2003
• Participation grew from three partners to over 30 partners and then over 100 partners
Today: Status of Specs
• WS-Security (“SOAP Message Security 1.0”)
  • OASIS Standard 15 Mar 2004
• WS-Policy (Dec 2002):
  • Updated Sept 2004 (6 companies) – royalty-free – not in standards body
• WS-SecureConversation (Dec 2002):
  • Updated Feb 2005 (13 companies) – royalty-free – not in standards body
• WS-Trust (Dec 2002):
  • Updated Feb 2005 (12 companies) – royalty-free (?) – not in standards body
• WS-Federation (Jul 2003):
  • No update since July 2003?
• WS-Privacy: ???
• WS-Authorization: ???
WS-I Basic Security Profile
• Draft: Jan 20 2005
• How to use:
  • SSL/TLS
  • SOAP Message Security
  • Username Token Profile
  • X.509 Certificate Token Profile
  • XML-Signature
  • XML-Encryption
Security Assertion Markup Language (SAML)
Framework — OASIS Standard
• Assertions: Authentication, Attribute, Authorization Decision
• Protocols: e.g., request from a SAML authority one or more assertions
• Bindings: e.g., SAML SOAP binding
• Profiles: constraints and/or extensions for a particular application (e.g., Web SSO Profile)
[Figure: a SAML assertion carried over a binding as a protocol request and protocol response]
eXtensible Access Control Markup Language (XACML) – OASIS Standard
• V 2.0, 6 Dec 2004 (142 pages!)
• Authors include Sun, BEA, CA, Entrust, Frank Siebenlist, and IBM
• Capabilities
  • Access Control: who can do what when
  • Queries about whether a particular access should be allowed (requests) and describes answers to those queries (responses)
• XACML and SAML
  • XACML policy specifies what a provider should do when it receives a SAML Assertion
  • XACML-based attributes can be expressed in SAML
• XACML v3.0 in the works
Liberty Alliance
• Industry consortium defining standards for federated identity (formed Sept 2001)
• IBM recently joined
• Web Service Framework (ID-WSF)
  • Authentication: Identity Federation Framework (ID-FF) uses SAML
  • Message protection: e.g., TLS, SAML Assertion in WS-Security
  • Service discovery and addressing
  • Policy
  • “Common data access protocols”: Liberty Data Services Template Specification
Open Issues/Concerns
• Privacy: SAML 2.0 Privacy Mechanisms?
• XACML and WS-[Security]Policy overlap
• XACML and SAML overlap
  • Both have protocols for requesting security information
• WS-Federation and Liberty Alliance overlap
  • WS-* and ID-WSF overlap
• Delegation
  • Service interface (WS-Delegation)
  • Protocol (X.509 Proxy Certs RFC 3820 and SAML Delegation)
WS-Delegation
• Led by Olle Mulmo
• Standalone Web services portType
• Based on WS-Trust (until recently – April 05?)
• My group’s contribution
  • D. Del Vecchio, J. Basney, N. Nagaratnam, and M. Humphrey. “CredEx: User-Centric Credential Selection and Management for Grid and Web Services”
  • Long-term or short-term multiple per-user credential storage and exchange
  • Support for multiple platforms and languages (Java and .NET)
  • Multiple token types
    • Initially support for both password-to-X.509 and X.509-to-password exchanges
    • Potential support for more token types through WS-Security and WS-Trust specifications
CredEx System Overview
[Figure: the CredentialService (Java/Tomcat/Axis) sits between two kinds of clients and two kinds of services.
• A Java Client (Java/GT3) holding an X.509 credential calls exchangeForUsername/Password(X.509 Signature) on the CredentialService, receives a Username/Password, and then calls invokeMethod() on a Password-based Web Service (Java/.Net).
• A .Net Client holding a Username/Password calls exchangeForCert(Username/Password) on the CredentialService, receives an X.509 Credential, and then calls invokeMethod() on an X.509-based Grid Service.]
“Extending the Security Assertion Markup Language to Support Delegation for Web Services and Grid Services” (J. Wang, D. Del Vecchio, and M. Humphrey)
[Figure: Bob asks the Superscheduler “Please schedule my jobs”; the delegation request is sent as a SAML request and the delegation response returned as a SAML response. The Superscheduler then presents the SAML assertion with “Please run my job” and with “Please save my file”, and sends “Please send a disk request for Bob” as a request/response exchange on Bob’s behalf.]
Direct SAML Delegation with Web Service Security: Bob has Delegated to Superscheduler
[Figure: SOAP header]
• Assertion (SAML Token Profile): Superscheduler’s Key; Delegation: Bob; Right: Full; Bob’s Signature
• Superscheduler’s Signature (X509 Token Profile)
Indirect SAML Delegation with Web Service Security: Bob has Delegated to Broker through Superscheduler
[Figure: SOAP header]
• Assertion (SAML Token Profile): Broker’s Key; Delegation: Bob; Right: End Entity; Superscheduler’s Signature
• Assertion (SAML Token Profile): Superscheduler’s Key; Delegation: Bob; Right: Full; Bob’s Signature
• Broker’s Signature (X509 Token Profile)
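The checks a receiving service would run over the assertions in these two SOAP headers, as an added example that is not from the slides or the CredEx/SAML delegation work: each assertion must be signed by the party that held the right before it, a “Full” right may be delegated onward while “End Entity” may not, and the message signer must be the final delegatee. The HMAC-based signing, the party names and the secrets are constructed stand-ins for XML Signature with X.509 keys.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed per-party secrets standing in for the X.509 signing keys in the
# figures; a real deployment verifies XML Signatures over the SAML assertions.
KEYS = {"Bob": b"bob-secret", "Superscheduler": b"ss-secret", "Broker": b"broker-secret"}

# "Full" lets the holder delegate onward; "End Entity" only lets it act for Bob.
RIGHTS = {"Full": 2, "End Entity": 1}


@dataclass
class Assertion:
    subject: str     # whose key the assertion binds (e.g. "Superscheduler's Key")
    delegator: str   # original principal ("Delegation: Bob")
    right: str       # "Full" or "End Entity"
    issuer: str      # party whose signature covers the assertion
    signature: bytes


def _sign(subject, delegator, right, issuer):
    msg = f"{subject}|{delegator}|{right}|{issuer}".encode()
    return hmac.new(KEYS[issuer], msg, hashlib.sha256).digest()


def issue(issuer, subject, delegator, right):
    """issuer signs an assertion granting `right` over `delegator` to subject."""
    return Assertion(subject, delegator, right, issuer, _sign(subject, delegator, right, issuer))


def validate_chain(principal, chain, message_signer):
    """Check the assertions carried in one SOAP header. Returns (ok, reason)."""
    if not chain:
        return False, "no delegation assertion in header"
    expected_issuer, ceiling = principal, RIGHTS["Full"]
    for a in chain:
        if a.issuer != expected_issuer or a.issuer not in KEYS:
            return False, f"assertion for {a.subject} not signed by {expected_issuer}"
        if a.delegator != principal:
            return False, "assertion names a different original principal"
        if ceiling < RIGHTS["Full"]:
            return False, f"{a.issuer} holds End Entity right only; cannot delegate"
        if RIGHTS.get(a.right, 0) > ceiling:
            return False, f"right {a.right!r} exceeds what {a.issuer} holds"
        if not hmac.compare_digest(a.signature, _sign(a.subject, a.delegator, a.right, a.issuer)):
            return False, f"bad signature on assertion for {a.subject}"
        expected_issuer, ceiling = a.subject, RIGHTS[a.right]
    if message_signer != expected_issuer:
        return False, f"message signed by {message_signer}, not delegatee {expected_issuer}"
    return True, "ok"
```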
Summary
• April 2002: Much optimism with “IBM/MS Security Roadmap”
• Emergence of standardized boxes slower than expected
• Community appears to be converging, but some aspects not clear
  • XACML/SAML, XACML/WS-SecurityPolicy, Delegation
• Many challenges
  • Interop will not come directly from standards (see WS-I)