Web Services and the
Open Discussion Session
Web Services are a way of implementing service-
Supposed to be Internet-based
More than just connecting web pages
• There must be structure behind them
• Self-contained (i.e. self-describing)
What was the original intention of it?
How do they treat the security issues in service-
Helps to resolve contradicting standards among
WS-Security as enhancements to SOAP
messaging to provide message integrity and
Multiple security token formats
Multiple trust domains
Multiple signature formats
Multiple encryption technologies
End-to-end message content security and not
just transport-level security
Policy Definition Location
Provide a way for the recipients to verify
the integrity of the message
Sign the important parts of the message
To verify if the policies of a security token
apply to the sender
Is the security policy specified only once?
R: No. A security policy can be targeted at
the final destination as well as at any
intermediary, so it can appear several
times in the SOAP message, once for
each target (multiple headers).
Can you have multiple signatures attached
to a message?
R: Yes. Multiple signatures can reference
different or overlapping parts of the
message; the reason is that in distributed
applications messages usually go through
multiple processing stages (workflow).
Can you see the issues involved with
multiple processing stages?
R: There are issues with the signatures
for important parts of the message that
need to be legitimately altered during
the various stages of processing.
Can encrypt header blocks, body blocks,
or part of them
Common symmetric key shared by the
sender and the receiver
Encrypted symmetric key inside the
Can you have overlapping encryption
for parts of message? Why? In which
order should they be encrypted?
R: Yes. Because the decryption might
be done at different stages of
processing. The order has to be
predefined by prior agreement.
Can you think what “freshness” of
security semantics means?
R: If security semantics are "old", they
might be ignored by the receiver. Time
references need to be specified, but the
specification does not provide a
mechanism for synchronizing time.
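The two discussion points above, multiple signatures over different parts of a message that intermediaries legitimately alter, and the freshness of a message's security semantics, can be seen together in a small model. This is an added example and not code from the slides or from any WS-Security implementation: real WS-Security uses XML Signature with canonicalisation and X.509 or SAML tokens, whereas here an HMAC-SHA256 over each referenced element's serialised bytes stands in for the signature (an assumption for illustration only); the envelope, the wsu:Id values and the keys are constructed sample data.

```python
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSU_NS = ("http://docs.oasis-open.org/wss/2004/01/"
          "oasis-200401-wss-wssecurity-utility-1.0.xsd")
ET.register_namespace("soap", SOAP_NS)
ET.register_namespace("wsu", WSU_NS)
WSU_ID = f"{{{WSU_NS}}}Id"


def build_message(created, expires):
    """Constructed sample envelope: an order body, a routing header that an
    intermediary is expected to rewrite, and a wsu:Timestamp for freshness."""
    return f"""<soap:Envelope xmlns:soap="{SOAP_NS}" xmlns:wsu="{WSU_NS}">
  <soap:Header>
    <wsu:Timestamp wsu:Id="ts">
      <wsu:Created>{created.isoformat()}</wsu:Created>
      <wsu:Expires>{expires.isoformat()}</wsu:Expires>
    </wsu:Timestamp>
    <Routing wsu:Id="route">stage-1</Routing>
  </soap:Header>
  <soap:Body>
    <Order wsu:Id="order"><Item>widget</Item><Qty>10</Qty></Order>
  </soap:Body>
</soap:Envelope>"""


def find_by_id(root, wsu_id):
    """Locate the element carrying a given wsu:Id anywhere in the envelope."""
    for el in root.iter():
        if el.get(WSU_ID) == wsu_id:
            return el
    raise KeyError(wsu_id)


def digest_part(root, wsu_id):
    """Digest of one referenced part; serialisation stands in for C14N here."""
    part = copy.deepcopy(find_by_id(root, wsu_id))
    part.tail = None  # trailing whitespace is not part of the element
    return hashlib.sha256(ET.tostring(part, encoding="utf-8")).hexdigest()


def sign_parts(root, key, ids):
    """One signature covering the listed parts, like a ds:SignedInfo holding one
    ds:Reference per part. Several such signatures can coexist on a message."""
    signed_info = "|".join(f"{i}:{digest_part(root, i)}" for i in ids)
    mac = hmac.new(key, signed_info.encode(), hashlib.sha256).hexdigest()
    return {"refs": list(ids), "mac": mac}


def verify_signature(root, key, sig):
    """Recompute the digests of the referenced parts and compare the MAC."""
    signed_info = "|".join(f"{i}:{digest_part(root, i)}" for i in sig["refs"])
    expected = hmac.new(key, signed_info.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig["mac"])


def is_fresh(root, now, skew=timedelta(seconds=60)):
    """Reject stale or not-yet-valid timestamps, tolerating a little clock
    skew because the specification does not synchronise clocks for you."""
    ts = find_by_id(root, "ts")
    created = datetime.fromisoformat(ts.find("wsu:Created", {"wsu": WSU_NS}).text)
    expires = datetime.fromisoformat(ts.find("wsu:Expires", {"wsu": WSU_NS}).text)
    return created - skew <= now < expires + skew


def demo():
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    root = ET.fromstring(build_message(t0, t0 + timedelta(minutes=5)))
    sender_key, hop_key = b"sender-secret", b"intermediary-secret"  # constructed
    # The sender signs only what must stay intact end to end...
    sig_sender = sign_parts(root, sender_key, ["order", "ts"])
    # ...whereas a signature that also covers the routing header will break
    # as soon as an intermediary legitimately rewrites that header.
    sig_greedy = sign_parts(root, sender_key, ["order", "ts", "route"])
    # Intermediary stage: rewrite routing and add its own signature over it.
    find_by_id(root, "route").text = "stage-2"
    sig_hop = sign_parts(root, hop_key, ["route"])
    results = {
        "sender_ok_after_rewrite": verify_signature(root, sender_key, sig_sender),
        "greedy_ok_after_rewrite": verify_signature(root, sender_key, sig_greedy),
        "hop_ok": verify_signature(root, hop_key, sig_hop),
        "fresh_at_t0+1m": is_fresh(root, t0 + timedelta(minutes=1)),
        "fresh_at_t0+10m": is_fresh(root, t0 + timedelta(minutes=10)),
    }
    # Tampering with the body breaks the sender's signature.
    find_by_id(root, "order").find("Qty").text = "10000"
    results["sender_ok_after_tamper"] = verify_signature(root, sender_key, sig_sender)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The sender's narrow signature survives the intermediary's rewrite, the greedy one does not, and the intermediary's own signature over the routing header is verified with the intermediary's key, which is what "multiple trust domains" means in practice. The freshness check fails at ten minutes even though nothing in the message changed.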
Where would you specify the time
R: XML Schema (web services are
Security Assertion Markup Language
Designed to provide a single point of
Aims to 'solve the web single sign-on' problem
One identity provider in group allows access
Public/Private Key Foundation
Global Login System (Open Source)
Three main components (from
Assertions: SAML has three kinds of assertions.
Authentication assertions are those in which the user has
proven his identity. Attribute assertions contain specific
information about the user, such as his spending limits.
Authorization decision assertions identify what the user can
do, for example, whether he can buy an item.
Protocol: This defines the way that SAML asks for and
gets assertions, for example using SOAP over HTTP for
now, although other methods may be used in the future.
Binding: This details exactly how SAML message
exchanges are mapped into SOAP exchanges.
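The three kinds of assertion listed above can be seen in a relying party that parses one SAML 2.0 assertion and pulls out its authentication, attribute and authorization-decision statements, then checks the validity window and audience before trusting any of them. This is an added example, not code from the slides or from OpenSAML; the assertion document, the issuer, the subject "alice" and the audience and resource URLs are constructed sample values, and the signature that a real relying party would verify first is not modelled.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}

# Constructed sample assertion carrying one statement of each kind.
ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" ID="_a1" Version="2.0"
    IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z"
                   NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://shop.example.test</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2024-01-01T11:59:30Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="spendingLimit">
      <saml:AttributeValue>500</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
  <saml:AuthzDecisionStatement Resource="https://shop.example.test/buy"
                               Decision="Permit">
    <saml:Action Namespace="urn:oasis:names:tc:SAML:1.0:action:rwedc">Write</saml:Action>
  </saml:AuthzDecisionStatement>
</saml:Assertion>"""


def parse_time(value):
    """SAML uses xsd:dateTime in UTC with a trailing Z, which older versions
    of fromisoformat() do not accept."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_assertion(xml_text):
    """Split an assertion into its conditions and its three statement kinds."""
    a = ET.fromstring(xml_text)
    cond = a.find("saml:Conditions", NS)
    parsed = {
        "issuer": a.findtext("saml:Issuer", namespaces=NS),
        "subject": a.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "not_before": parse_time(cond.get("NotBefore")),
        "not_on_or_after": parse_time(cond.get("NotOnOrAfter")),
        "audiences": [e.text for e in
                      cond.iterfind("saml:AudienceRestriction/saml:Audience", NS)],
        "authn": [], "attributes": {}, "authz": [],
    }
    # Authentication assertions: the user proved an identity, when and how.
    for s in a.iterfind("saml:AuthnStatement", NS):
        parsed["authn"].append({
            "instant": parse_time(s.get("AuthnInstant")),
            "context": s.findtext("saml:AuthnContext/saml:AuthnContextClassRef",
                                  namespaces=NS),
        })
    # Attribute assertions: facts about the user, such as a spending limit.
    for attr in a.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        parsed["attributes"][attr.get("Name")] = [
            v.text for v in attr.iterfind("saml:AttributeValue", NS)]
    # Authorization decision assertions: what the user may do to a resource.
    for d in a.iterfind("saml:AuthzDecisionStatement", NS):
        parsed["authz"].append({
            "resource": d.get("Resource"), "decision": d.get("Decision"),
            "actions": [act.text for act in d.iterfind("saml:Action", NS)],
        })
    return parsed


def conditions_hold(parsed, now, audience):
    """Validity window (NotOnOrAfter is exclusive) and audience check that a
    relying party performs before acting on any statement."""
    return (parsed["not_before"] <= now < parsed["not_on_or_after"]
            and audience in parsed["audiences"])


def authz_decision(parsed, resource, action):
    """Decision the issuer asserted for (resource, action), or None."""
    for d in parsed["authz"]:
        if d["resource"] == resource and action in d["actions"]:
            return d["decision"]
    return None


def demo():
    p = parse_assertion(ASSERTION)
    shop = "https://shop.example.test"
    return {
        "subject": p["subject"],
        "spending_limit": p["attributes"]["spendingLimit"][0],
        "authn_context": p["authn"][0]["context"].rsplit(":", 1)[-1],
        "buy_write": authz_decision(p, shop + "/buy", "Write"),
        "buy_delete": authz_decision(p, shop + "/buy", "Delete"),
        "valid_at_start": conditions_hold(p, p["not_before"], shop),
        "valid_at_end": conditions_hold(p, p["not_on_or_after"], shop),
        "valid_other_audience": conditions_hold(p, p["not_before"],
                                                "https://other.example.test"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

An action the assertion says nothing about yields no decision rather than a denial, which is the relying party's cue to fall back on its own policy, and an assertion addressed to a different audience is rejected even inside its validity window.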
Do you think SOAP is an
efficient platform for security?
Are you comfortable knowing
that part of your security
implementation was written by
the community? (Open-source)
How do you think we should
handle multiple system types
across a network? Do you think
we need a new protocol to
address this, or should SAML
be expanded? (Federations)
How do we deal with older
systems that don't support this
protocol with those that do?
• No Caching
• Text-based transfer
• Does not specify encryption (policies may be compromisable)
• Binary must be encoded in Base64
• Must be implemented over HTTP protocol via SOAP
• Sun developed large amount of it (via OpenSAML)
• Claims it will not assert ownership
• What happens if they do?
• Authentication protocols not specified
• Multiple domains are an issue
• SAML 2.0 supposed to address this; will it be at the cost of becoming
• Very expensive to retro-fit
eXtensible Access Control Markup
Highlights (from OASIS):
Combines multiple rules into a single policy
Permit multiple users to have different roles
Provide separation between policy writing and
Ultimately standardizes access control
Users interact with resources
Every resource is protected by an entity
known as a Policy Enforcement Point (PEP)
This is where the language is actually used
Does not actually determine access
PEP sends its request to a Policy Decision
Policies may or may not be actually stored here
Makes the final say on access
Decision is relayed to PEP, which then
grants or denies access
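The PEP/PDP flow just described, together with the "combines multiple rules into a single policy" highlight, is easiest to follow in code: a PEP guards one resource and forwards each request to a PDP, which evaluates the rules of its policies and resolves conflicts with a rule-combining algorithm, and the PEP enforces the answer. This is an added example and not code from the slides, from the OASIS XACML specification or from Sun's implementation; it models XACML's Permit/Deny/NotApplicable decisions and three of its combining algorithms in plain Python instead of XACML's XML policy language, and the invoice resource, the roles and the amount limit are constructed sample values.

```python
from dataclasses import dataclass
from typing import Callable, List

# Decisions as XACML names them.
PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"


@dataclass
class Rule:
    rule_id: str
    effect: str                               # PERMIT or DENY
    target: Callable[[dict], bool]            # which requests the rule covers
    condition: Callable[[dict], bool] = lambda req: True


@dataclass
class Policy:
    policy_id: str
    combining: str                            # rule-combining algorithm
    rules: List[Rule]


def evaluate_rule(rule, req):
    """A rule yields its effect only when both target and condition hold."""
    if rule.target(req) and rule.condition(req):
        return rule.effect
    return NOT_APPLICABLE


def combine(decisions, algorithm):
    """Three of XACML's combining algorithms; this is where a single policy
    resolves conflicts between rules that both apply to a request."""
    if algorithm == "deny-overrides":
        if DENY in decisions:
            return DENY
        return PERMIT if PERMIT in decisions else NOT_APPLICABLE
    if algorithm == "permit-overrides":
        if PERMIT in decisions:
            return PERMIT
        return DENY if DENY in decisions else NOT_APPLICABLE
    if algorithm == "first-applicable":
        return next((d for d in decisions if d != NOT_APPLICABLE), NOT_APPLICABLE)
    raise ValueError(f"unknown combining algorithm: {algorithm}")


def evaluate_policy(policy, req):
    return combine([evaluate_rule(r, req) for r in policy.rules], policy.combining)


class PolicyDecisionPoint:
    """Holds the policies and has the final say; it never touches a resource."""
    def __init__(self, policies, combining="deny-overrides"):
        self.policies = policies
        self.combining = combining

    def decide(self, req):
        return combine([evaluate_policy(p, req) for p in self.policies], self.combining)


class PolicyEnforcementPoint:
    """Sits in front of one resource, asks the PDP and enforces the answer.
    Anything other than an explicit Permit is treated as a denial."""
    def __init__(self, resource_id, pdp):
        self.resource_id = resource_id
        self.pdp = pdp

    def access(self, subject, action, **extra):
        req = {"resource": self.resource_id, "action": action, **subject, **extra}
        return self.pdp.decide(req) == PERMIT


def build_pdp(combining="deny-overrides"):
    """Constructed sample policy: role-based rules for an invoice resource plus
    an amount limit that conflicts with the read rule for large invoices."""
    is_invoice = lambda r: r["resource"] == "invoice"
    invoice_policy = Policy("invoice-policy", combining, [
        Rule("staff-may-read", PERMIT,
             target=lambda r: is_invoice(r) and r["action"] == "read",
             condition=lambda r: r.get("role") in {"clerk", "manager"}),
        Rule("manager-may-approve", PERMIT,
             target=lambda r: is_invoice(r) and r["action"] == "approve",
             condition=lambda r: r.get("role") == "manager"),
        Rule("large-invoices-managers-only", DENY,
             target=is_invoice,
             condition=lambda r: r.get("amount", 0) > 10000
             and r.get("role") != "manager"),
    ])
    return PolicyDecisionPoint([invoice_policy])


def run_demo(combining="deny-overrides"):
    """Same requests, different combining algorithm: only the conflicting
    case (a clerk reading a large invoice) changes its outcome."""
    pep = PolicyEnforcementPoint("invoice", build_pdp(combining))
    clerk, manager = {"role": "clerk"}, {"role": "manager"}
    return {
        "clerk_read_small": pep.access(clerk, "read", amount=500),
        "clerk_approve": pep.access(clerk, "approve", amount=500),
        "manager_approve_large": pep.access(manager, "approve", amount=20000),
        "clerk_read_large": pep.access(clerk, "read", amount=20000),
    }


if __name__ == "__main__":
    for algorithm in ("deny-overrides", "permit-overrides", "first-applicable"):
        print(algorithm, run_demo(algorithm))
```

The PDP returns NotApplicable for the clerk's approve request because no rule covers it, and the PEP turns that into a denial; which of the two applicable rules wins for a clerk reading a large invoice depends entirely on the combining algorithm, which is the concrete form of the "how do we deal with conflicts?" question further down.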
Do you think a system is more secure
or less secure when it is distributed
across multiple computers? What
about a single system responsible for
How would you feel if you were using
work that a corporation gave on its
word alone that it would never
assert the rights to it?
Should policies be self-contained, or is
it OK for them to reference each other?
Is cross-PDP communication safe?
• What happens when the PEP is responsible for multiple objects?
• What happens when we can compromise the PDP or spoof its
• How do we guarantee that we reference the right object?
• While the system is distributed, a policy is still in only one location
• Contributors like Sun have again done work in this area
• Same as with SAML
• One policy may access another
• Typical issues arise as with inheritance and unions/intersections of
• How do we deal with conflicts?
Sun's XACML Documentation:
Wikipedia's Entry on SAML: