Web Services Security Standards Overview for the Non-Specialist
Hal Lockhart, Office of the CTO, BEA Systems

Topics
- Web Services Security Introduction
- Preliminary work at W3C
- WS-Security
- SAML
- WS-Trust
- WS-SecureConversation
- WS-SecurityPolicy
- WS-Federation
- Interdependencies

Information Security Definition
- Technologies and procedures intended to implement organizational policy in spite of human efforts to the contrary.
- Suggested by Authorization
- Applies to all security services
- Protection against accidents is incidental
- Suggests four areas of attention

Information Security Areas
- Policy determination
  - Expression: code, permissions, ACLs, Language
  - Evaluation: semantics, architecture, performance
- Policy enforcement
  - Maintain integrity of Trusted Computing Base (TCB)
  - Enforce variable policy

Security Services
- Authentication – confirm asserted identity
- Authorization – permit or deny a request
- Integrity – prevent undetected modification of data
- Confidentiality – prevent unauthorized reading of data
- Audit – preserve evidence for accountability
- Administration – control configuration
- Others …

Web Services Security
- Standards for Interoperability
  - Between systems, not internal behavior
  - Authentication, Integrity, Confidentiality, Key Exchange
  - Consistent with XML, SOAP, WSDL, WS-Policy
- Authentication methods already exist
  - Need to support multiple infrastructure types
  - Passwords, X.509, Kerberos, SAML, etc.
- Most of WSS is not about stronger security
  - Better scaling, easier deployment

W3C Security Recommendations
- Widespread use of XML – need for integrity & confidentiality
- XML Digital Signature WG (1999 to 2002)
  - Defines rules to sign XML and record parameters and signature value
  - Supports all technologies in common use
  - Key problem: immaterial changes to XML documents (whitespace, attribute order) alter the bytes a signature covers
  - Solution: Canonicalization
- XML Encryption WG (2001 and 2002)
  - Defines rules to encrypt XML and record parameters
  - Supports all technologies in common use
  - Key problem: Encrypted data not Schema-valid
  - Solution: None
- Follow-on work currently at W3C

WS-Security Overview
- Basic SOAP Message Protection
  - Signatures, Encryption, Timestamps
- Multiple token types
  - Username, X.509, Kerberos, SAML, REL
- Token References

Security Tokens
- Abstraction of the common elements of information objects which represent identities
  - Claims, Key, Issuer, Validity, etc.
- In some cases, Tokens can be utilized without knowledge of the specific Token format
- Doesn't work in all cases
  - Passwords are not the same as keys
- Generally WSS uses Tokens to indicate keys
- Claims are passed along for Authorization

WS-Security General Approach
- Security element in SOAP header
- Can contain Tokens, Token References, Timestamp, Signatures, Encryptions
- Physical order of elements determines processing order of signatures and encryptions
- Signed and encrypted data can appear anywhere in envelope
- A toolkit, not a protocol

SAML in Web Services Security
- SAML provides a very flexible XML token
- Use of browser profiles not required
- SAML Assertions may or may not contain Keys
- Real world names or pseudonyms
- Attributes
- Viewed as easy and cheap to generate

WS-Trust
- Defines generic Security Token Service (STS)
- Issue, renew, cancel, validate Tokens
- Support for many different configurations and trust relationships
- Only defines generic elements
- Other specifications intended to extend and specify the details: WS-SecureConversation, WS-Federation

WS-SecureConversation
- Builds on WS-Security and WS-Trust
- Allows establishment of secure session
- More efficient and secure than using long term secrets directly
- Like SSL/TLS except at SOAP layer
- Useful in conjunction with reliable messaging
- Adds two new Token types
  - Security Context Token (holds session info, including keys)
  - Derived Key Token (enables key derivation)
- Two party and three party flows
- Also a toolkit, but less so

Key Agreement Scenarios
- Unilateral
- Mutual
- Third Party

WS-SecurityPolicy
- Allows Web Service to express Security Policies
  - What needs to be protected
  - What tokens to use
  - Algorithms, reference types, etc.
- Builds on WS-Policy
- Uses nested policy to provide scope
- Defines various groups of policy assertions
  - Correspond to features of WSS, Secure Conversation, Trust, etc.
- Expressed in WSDL per WS-PolicyAttachment
- Constrains content and layout of security header
- Defines a number of Assertion types

WS-SecurityPolicy Assertion Types
- Protection assertions
  - What parts of messages need to be protected – Confidentiality, Integrity
- Token assertions
  - Types of tokens, in band or out of band
- Binding assertions
  - Transport, Symmetric, Asymmetric Bindings
  - Can apply to response as well as request
- Supporting Token assertions
  - Additional signatures, e.g. Endorsements
- Protocol assertions
  - Other properties, e.g. Algorithms, Timestamps, Reference types

WS-Federation
- Builds on WS-Trust
- Web SSO alternative to SAML profiles
- Uses WS-Trust to issue tokens, including SAML
- More generic, less access to SAML-specific features
- Federation Metadata
- Reference Tokens
- Authorization Tokens
- Extends WS-SecurityPolicy

Related Standards
- Web Single Signon and Signoff
  - SAML Web Browser Profiles
  - WS-Federation (passive requestors)
- Authorization Policy – XACML
- Digital Signature Services (DSS)
  - Create & verify signatures, signed timestamps

Key OASIS Technical Committees
- Security Services (2001-present): SAML
- WS-Security (2003-2006): Core spec + Token Profiles; now closed
- WS-SX (2006-present): WS-Trust, WS-SecureConversation, WS-SecurityPolicy
- WS-Federation (2007)
- XACML (2001-present)
- DSS (closed)
- DSS-X (2007): Digital Signature Services

Security Standards Interdependencies
[Dependency diagram: WS-Federation, WS-SecurityPolicy, WS-SecureConversation, WS-Trust, WSS, DSS, XACML, SAML, XML Digital Signature, XML Encryption]

Questions?
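The XML Digital Signature slide names canonicalization as the fix for "immaterial changes" to XML. The following is an added example (not from the slides and not BEA's code) that shows the problem and the fix concretely: three byte-for-byte different serializations of the same constructed purchase order produce three different raw digests but one canonical digest. It uses the W3C C14N 2.0 implementation in Python's standard library; the namespace `urn:example:orders` and the element names are invented for the example.

```python
"""Why XML Signature needs canonicalization (added example, not from the slides).

Two XML documents that any XML parser treats as identical can differ byte for
byte: attribute order, quote style, whitespace inside tags, empty-element
syntax, comments. A signature over raw bytes breaks on such immaterial changes;
a signature over the canonical form (here W3C C14N 2.0 as implemented by
xml.etree.ElementTree.canonicalize) does not.
"""
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample: one purchase order serialised three different ways.
# The namespace and element names are invented for this example.
ORDER_VARIANTS = [
    '<Order id="42" xmlns="urn:example:orders"><Item sku="A1"/>'
    '<Total>10</Total></Order>',
    # attribute order swapped, single quotes, extra whitespace inside the tag,
    # empty element written as an explicit start/end pair
    "<Order xmlns='urn:example:orders'   id='42' ><Item sku=\"A1\"></Item>"
    "<Total>10</Total></Order>",
    # a comment added after the fact; C14N drops comments by default
    '<Order id="42" xmlns="urn:example:orders"><!-- reviewed -->'
    '<Item sku="A1"/><Total>10</Total></Order>',
]


def raw_digest(xml_text: str) -> str:
    """SHA-256 over the bytes as received: changes with every cosmetic edit."""
    return hashlib.sha256(xml_text.encode("utf-8")).hexdigest()


def canonical_form(xml_text: str) -> str:
    """W3C C14N 2.0 serialisation from the standard library (comments excluded)."""
    return ET.canonicalize(xml_data=xml_text)


def canonical_digest(xml_text: str) -> str:
    """Digest over the canonical form: what an XML Signature Reference actually covers."""
    return hashlib.sha256(canonical_form(xml_text).encode("utf-8")).hexdigest()


def all_equivalent(variants) -> bool:
    """True when every variant canonicalises to exactly the same string."""
    return len({canonical_form(v) for v in variants}) == 1


if __name__ == "__main__":
    for doc in ORDER_VARIANTS:
        print("raw      :", raw_digest(doc))
        print("canonical:", canonical_digest(doc))
    print("all variants equivalent after C14N:", all_equivalent(ORDER_VARIANTS))
```

The same mechanism is what lets a signed SOAP message survive transit through intermediaries that re-serialize the XML; a verifier recomputes the digest over the canonical form, so only changes that alter the parsed content break the signature.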
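The WS-Security Overview and General Approach slides place a Security element carrying Timestamps and tokens in the SOAP header. As an added example (not from the slides and not BEA's code), the block below constructs a minimal SOAP 1.1 envelope with a wsse:Security header holding a wsu:Timestamp and a UsernameToken, then performs the receiver-side freshness check that precedes any signature or token processing: Created must not be in the future, Expires must not be in the past, and the lifetime must not exceed a local limit, so that a captured message cannot be replayed indefinitely. The wsse/wsu namespace URIs are the WS-Security 1.0 ones; the service body (`GetQuote`), the 5-minute limit and the 30-second skew are assumptions for the example, and the clock is injected so the check is deterministic.

```python
"""Receiver-side freshness check of the wsu:Timestamp in a WS-Security header.

Added example, not from the slides. The envelope builder is only here to
produce a realistic input; the point is check_timestamp().
"""
from datetime import datetime, timedelta, timezone
from typing import Tuple
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"

MAX_TTL = timedelta(minutes=5)   # longest Created..Expires window accepted (assumed local policy)
SKEW = timedelta(seconds=30)     # tolerated clock difference between sender and receiver (assumed)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"    # xsd:dateTime in UTC, as WSS timestamps are commonly written


def build_envelope(created: datetime, expires: datetime, username: str) -> str:
    """Constructed SOAP 1.1 envelope: Security header with a Timestamp and a UsernameToken (no password)."""
    return f"""<soap:Envelope xmlns:soap="{SOAP_NS}">
  <soap:Header>
    <wsse:Security soap:mustUnderstand="1" xmlns:wsse="{WSSE_NS}" xmlns:wsu="{WSU_NS}">
      <wsu:Timestamp wsu:Id="TS-1">
        <wsu:Created>{created.strftime(TS_FMT)}</wsu:Created>
        <wsu:Expires>{expires.strftime(TS_FMT)}</wsu:Expires>
      </wsu:Timestamp>
      <wsse:UsernameToken wsu:Id="UT-1">
        <wsse:Username>{username}</wsse:Username>
      </wsse:UsernameToken>
    </wsse:Security>
  </soap:Header>
  <soap:Body><GetQuote xmlns="urn:example:quotes"><Symbol>BEAS</Symbol></GetQuote></soap:Body>
</soap:Envelope>"""


def _parse_utc(text: str) -> datetime:
    """Parse a UTC xsd:dateTime with 'Z' suffix into an aware datetime."""
    return datetime.strptime(text, TS_FMT).replace(tzinfo=timezone.utc)


def check_timestamp(envelope: str, now: datetime) -> Tuple[bool, str]:
    """Return (accepted, reason). Rejects missing, malformed, future, expired or over-long timestamps."""
    root = ET.fromstring(envelope)
    ts = root.find(f"{{{SOAP_NS}}}Header/{{{WSSE_NS}}}Security/{{{WSU_NS}}}Timestamp")
    if ts is None:
        return False, "no wsu:Timestamp in wsse:Security header"
    created_el = ts.find(f"{{{WSU_NS}}}Created")
    expires_el = ts.find(f"{{{WSU_NS}}}Expires")
    if created_el is None or expires_el is None:
        return False, "Timestamp must carry both Created and Expires (local policy)"
    try:
        created = _parse_utc(created_el.text or "")
        expires = _parse_utc(expires_el.text or "")
    except ValueError:
        return False, "timestamp not in UTC xsd:dateTime form"
    if expires <= created:
        return False, "Expires is not after Created"
    if expires - created > MAX_TTL:
        return False, "timestamp lifetime exceeds local limit"
    if created > now + SKEW:
        return False, "Created is in the future"
    if expires < now - SKEW:
        return False, "message has expired (possible replay)"
    return True, "timestamp fresh"


if __name__ == "__main__":
    now = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)  # fixed clock for the demo
    fresh = build_envelope(now - timedelta(minutes=1), now + timedelta(minutes=2), "alice")
    stale = build_envelope(now - timedelta(minutes=20), now - timedelta(minutes=15), "alice")
    print(check_timestamp(fresh, now))
    print(check_timestamp(stale, now))
```

In a real deployment the Timestamp is also covered by the message signature, so a replayer cannot simply refresh it; the freshness window above bounds how long a replay cache has to remember message identifiers.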
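The WS-SecureConversation slide says a secure session is "more efficient and secure than using long term secrets directly" and introduces the Derived Key Token. The following is an added example (not from the slides and not BEA's code) of what that derivation looks like: per-direction keys are derived from the session secret held in the Security Context Token with the TLS-style P_SHA1 pseudo-random function over label + nonce, selecting bytes by offset and length, so the session secret itself is never used as a message key. P_SHA1 is the derivation WS-SecureConversation defines as its default; the label string used below is an assumption taken from common implementations, and the secret, nonces and lengths are constructed for the example.

```python
"""Derived keys for a WS-SecureConversation session (added example, not from the slides).

key = bytes [offset, offset+length) of P_SHA1(session_secret, label + nonce)
P_SHA1 is the TLS 1.0/1.1 PRF building block:
    A(0) = seed, A(i) = HMAC-SHA1(secret, A(i-1))
    P_SHA1(secret, seed) = HMAC-SHA1(secret, A(1) + seed) || HMAC-SHA1(secret, A(2) + seed) || ...
"""
import hashlib
import hmac
import os

# Assumed default label (client label + service label); spec-defined value not reproduced here.
DEFAULT_LABEL = b"WS-SecureConversationWS-SecureConversation"


def p_sha1(secret: bytes, seed: bytes, length: int) -> bytes:
    """Expand secret+seed into `length` pseudo-random bytes with the HMAC-SHA1 chain above."""
    out = b""
    a = seed  # A(0)
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha1).digest()            # A(i)
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()  # block i of the key stream
    return out[:length]


def derive_key(session_secret: bytes, nonce: bytes, offset: int = 0,
               length: int = 16, label: bytes = DEFAULT_LABEL) -> bytes:
    """Key as referenced by a DerivedKeyToken: a window of the P_SHA1 stream for label + nonce."""
    if offset < 0 or length <= 0:
        raise ValueError("offset must be >= 0 and length > 0")
    stream = p_sha1(session_secret, label + nonce, offset + length)
    return stream[offset:offset + length]


def keys_for_exchange(session_secret: bytes, request_nonce: bytes, response_nonce: bytes):
    """Distinct request and response keys: different nonces give unrelated outputs from one secret."""
    return derive_key(session_secret, request_nonce), derive_key(session_secret, response_nonce)


if __name__ == "__main__":
    secret = os.urandom(32)  # in practice carried by the STS-issued Security Context Token
    k_req, k_resp = keys_for_exchange(secret, os.urandom(16), os.urandom(16))
    print("request key :", k_req.hex())
    print("response key:", k_resp.hex())
```

Because each message key is a one-way function of the session secret and a fresh nonce, compromising a single derived key exposes neither the session secret nor the other direction's key, and rotating nonces bounds how much traffic any one key protects.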