
Web Services Security



  1. Web Services Security Multimedia Information Engineering Lab. Yoon-Sik Yoo

  2. Contents • Introduction • Basic Security for Transmission over HTTP • Web Services and Secure Sockets Layer (SSL) • XML Signature and XML Encryption • XML Key Management Specification (XKMS) • Security Assertion Markup Language (SAML) • Extensible Access Control Markup Language (XACML) • Authentication and Authorization for Web Services • Web Services and Network Security

  3. Introduction • Web services require end-to-end security for transactions that span multiple computers. • Interoperability is fundamental to Web services security, because transmissions often occur across multiple platforms and must be secured at all times.

  4. Basic Security for Transmission over HTTP • The security methods outlined in the HTTP specification are weak: HTTP itself provides no mechanism for encrypting the message body, and HTTP Basic authentication only Base64-encodes the credentials it sends, so anyone on the path can read them. • For stronger security, HTTP must be combined with other security technologies, such as SSL (TLS) and Kerberos.

  5. Web Services and Secure Sockets Layer (SSL) [Figure: protocol stack with SSL placed between the Application Layer and the Transport Layer, above the Internet Layer] • SSL is considered the next step beyond basic security for Web services. • SSL secures only the connection between two endpoints (point-to-point rather than end-to-end). It relies on user credentials and certificates, which are sometimes too large for the client, and because protection ends where the SSL connection ends, a multi-hop transaction loses the ability to record who initiated each step.

  6. XML Signature and XML Encryption • XML-based applications raise significant security concerns, in part because XML documents are encoded as plain text rather than in a binary form, so their contents can be read and altered by anyone who handles them in transit. • XML Signature addresses integrity and origin: a receiver can verify that a signed document (or a signed part of it) was not altered and who signed it. XML Encryption addresses confidentiality by encrypting selected elements or the whole document.

  7. XML Signature and XML Encryption [Figure: plain-text document]

  8. XML Signature and XML Encryption • XML Signature: W3C Recommendation, February 2002 [Figure: a signed XML document; the fragment shown is <?xml?> … <Personal> … … </Personal> …]

  9. XML Signature and XML Encryption • XML Encryption: W3C Recommendation, December 2002

  10. XML Key Management Specification (XKMS) • XKMS is a specification for registering and distributing public keys for a Public Key Infrastructure (PKI) in Web services. • XKMS was developed by Microsoft, VeriSign and webMethods, and is now a W3C initiative. • XKMS was designed for use with XML Signature and XML Encryption: it lets an application resolve the key information carried in a signature or an encrypted document without implementing PKI client logic itself.

  11. XML Key Management Specification (XKMS) • XKMS comprises two specifications: • XML Key Information Service Specification (X-KISS): the set of protocols that process key information (located in an XML signature's <KeyInfo> element), for example resolving a key name into a certificate and validating it. • XML Key Registration Service Specification (X-KRSS): the set of certificate-management protocols that addresses the life of a digital certificate, from registration to revocation and recovery.

  12. XML Key Management Specification (XKMS) XML Key Information Service Specification (X-KISS) [Figure: X-KISS key location. A signature arrives carrying only a name in its key information: <Signature> … <KeyInfo> <KeyName> QR9432YZ5 </KeyName> </KeyInfo> </Signature>. The Signature Processing Application sends <KeyName> QR9432YZ5 </KeyName> to the Key Location Service, which looks up the X.509 Cert for QR9432YZ5 in its Key Database and returns it as <X509Data> <X509Certificate> MIICXTCCA.. </X509Certificate> </X509Data>.]
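The X-KISS key location shown above and the XML Signature slides before it, as one added example that is not part of the original presentation: a detached XML Signature whose <KeyInfo> carries only a <KeyName>, which the verifier resolves through a stand-in for the X-KISS Locate service before checking the signature and each Reference digest. Assumptions: Python's standard library only, so the SignatureMethod is HMAC-SHA256 with a secret returned by the lookup rather than an X.509 certificate; the key database, the key name QR9432YZ5 and the sample <Order> document are constructed; canonicalization uses the C14N 2.0 implementation in xml.etree (Python 3.8 or later).

```python
"""Simplified XML Signature with X-KISS-style key location (stdlib only)."""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"ds": DSIG_NS}
ET.register_namespace("ds", DSIG_NS)  # same prefix on signer and verifier side

# Constructed key database behind the X-KISS Locate service. A real service
# answers with <X509Data>; here a KeyName maps to an HMAC secret (assumption).
KEY_DATABASE = {"QR9432YZ5": b"constructed-demo-secret-not-for-production"}

# Constructed sample document; only the element with Id="item-1" is signed.
SAMPLE_XML = (
    '<Order xmlns="urn:example:orders">'
    '<Item Id="item-1"><Sku>ABC-123</Sku><Qty>2</Qty></Item>'
    '<Note>unsigned free text</Note></Order>'
)


def xkiss_locate(key_name):
    """Stand-in for an X-KISS LocateRequest: KeyName -> key material."""
    if key_name not in KEY_DATABASE:
        raise LookupError("X-KISS Locate: unknown KeyName %r" % key_name)
    return KEY_DATABASE[key_name]


def c14n(element):
    """Canonical (C14N 2.0) bytes of an element, so whitespace and attribute
    order cannot make signer and verifier compute different digests."""
    text = ET.tostring(element, encoding="unicode")
    return ET.canonicalize(text, strip_text=True).encode("utf-8")


def _tag(local):
    return "{%s}%s" % (DSIG_NS, local)


def sign_document(xml_text, element_id, key_name, key):
    """Build a detached <ds:Signature> over the element whose Id is element_id
    and return it as XML text, ready to travel beside the document."""
    document = ET.fromstring(xml_text)
    target = document.find(".//*[@Id='%s']" % element_id)
    if target is None:
        raise ValueError("no element with Id=%r to sign" % element_id)

    signed_info = ET.Element(_tag("SignedInfo"))
    ET.SubElement(signed_info, _tag("SignatureMethod"),
                  Algorithm="http://www.w3.org/2001/04/xmldsig-more#hmac-sha256")
    reference = ET.SubElement(signed_info, _tag("Reference"), URI="#" + element_id)
    ET.SubElement(reference, _tag("DigestMethod"),
                  Algorithm="http://www.w3.org/2001/04/xmlenc#sha256")
    digest = hashlib.sha256(c14n(target)).digest()
    ET.SubElement(reference, _tag("DigestValue")).text = base64.b64encode(digest).decode()

    # SignatureValue covers SignedInfo, which in turn carries the digests.
    mac = hmac.new(key, c14n(signed_info), hashlib.sha256).digest()
    signature = ET.Element(_tag("Signature"))
    signature.append(signed_info)
    ET.SubElement(signature, _tag("SignatureValue")).text = base64.b64encode(mac).decode()
    key_info = ET.SubElement(signature, _tag("KeyInfo"))
    ET.SubElement(key_info, _tag("KeyName")).text = key_name  # name only, no key bytes
    return ET.tostring(signature, encoding="unicode")


def verify_document(xml_text, signature_text):
    """Verify a detached signature. Returns the list of element Ids the
    signature covers, or None if any check fails. Callers must trust only the
    elements in that list, never the whole document."""
    document = ET.fromstring(xml_text)
    signature = ET.fromstring(signature_text)
    try:
        key = xkiss_locate(signature.findtext("ds:KeyInfo/ds:KeyName", namespaces=NS))
    except LookupError:
        return None
    signed_info = signature.find("ds:SignedInfo", NS)
    if signed_info is None:
        return None
    expected = hmac.new(key, c14n(signed_info), hashlib.sha256).digest()
    stated = base64.b64decode(signature.findtext("ds:SignatureValue", default="", namespaces=NS))
    if not hmac.compare_digest(expected, stated):
        return None

    covered = []
    for reference in signed_info.findall("ds:Reference", NS):
        uri = reference.get("URI", "")
        target = document.find(".//*[@Id='%s']" % uri[1:]) if uri.startswith("#") else None
        if target is None:
            return None
        digest = hashlib.sha256(c14n(target)).digest()
        stated = base64.b64decode(reference.findtext("ds:DigestValue", default="", namespaces=NS))
        if not hmac.compare_digest(digest, stated):
            return None
        covered.append(uri[1:])
    return covered


if __name__ == "__main__":
    sig = sign_document(SAMPLE_XML, "item-1", "QR9432YZ5", KEY_DATABASE["QR9432YZ5"])
    print(verify_document(SAMPLE_XML, sig))                                  # ['item-1']
    print(verify_document(SAMPLE_XML.replace("<Qty>2<", "<Qty>200<"), sig))  # None
    print(verify_document(SAMPLE_XML.replace("free text", "changed"), sig))  # ['item-1']
```

The verifier reports which Ids the signature actually covers rather than a bare true/false: a document can carry both signed and unsigned parts, and the digest check is per Reference, so an application must consume only the elements named in that list. Changing the unsigned <Note> still verifies; changing the signed <Qty> does not; a <KeyName> the locate service does not know is rejected before any cryptography runs.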

  13. XML Key Management Specification (XKMS) XML Key Registration Service Specification (X-KRSS) [Figure: X-KRSS registration. The Client performs Pair Generation, then sends a Registration request to the X-KRSS Service containing (HMAC [Name, PublicKey], Proof Of Possession); the service returns Result: Success and records the key in the Certificate Repository.]

  14. Security Assertion Markup Language (SAML) • SAML is a standard for transferring authentication, authorization and permissions information over the Internet. • SAML is a form of Permissions Management Infrastructure (PMI). • The SAML protocol was developed, within OASIS, by combining two competing XML security standards: • Securant Technologies' AuthXML • Netegrity's Security Services Markup Language (S2ML)

  15. Security Assertion Markup Language (SAML) • SAML also provides a method for single sign-on authentication and authorization. • SAML-based applications can provide single sign-on across disparate sites and platforms: a user authenticated by one site carries a SAML assertion to another, which accepts it instead of asking the user to log in again.

  16. Security Assertion Markup Language (SAML) Single sign-on example using SAML [Figure, six numbered steps: the user logs in at JoeFlooring.com, whose enforcement point (PEP) passes the login to the policy decision point (PDP) and policy information point (PIP) for authentication; JoeFlooring.com creates a SAML assertion and token; the user presents the login information to BobsAppliances.com, which accepts it on the basis of previously established trust with JoeFlooring.com and grants access to its protected resource.]
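The single sign-on exchange in the figure, as an added example that is not part of the original presentation: JoeFlooring.com (identity provider) issues a SAML 2.0-style assertion for the logged-in user, and BobsAppliances.com (service provider) accepts it only after the checks a consumer must make, namely issuer trust, signature, validity window, audience and one-time use. Assumptions: Python standard library only; the "previously established trust" is modelled as a per-issuer shared HMAC key, and that HMAC over the assertion bytes stands in for the XML Signature a real SAML assertion carries; the user name, clock and site names are constructed.

```python
"""SAML-style assertion issue and consume for single sign-on (stdlib only)."""
import datetime as dt
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}
ET.register_namespace("saml", SAML)

# Constructed trust store of the service provider: issuer -> signing key
# (assumption standing in for the issuer's signing certificate).
TRUSTED_ISSUERS = {"JoeFlooring.com": b"constructed-joeflooring-key"}
CLOCK_SKEW = dt.timedelta(seconds=60)    # tolerated drift between the two sites
NOW = dt.datetime(2024, 5, 1, 12, 0, 0)  # constructed UTC clock for the demo


def _iso(t):
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")


def _parse(text):
    return dt.datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def issue_assertion(issuer, subject, audience, now, lifetime=dt.timedelta(minutes=5)):
    """Identity-provider side: build an assertion bound to one audience and a
    short validity window, then sign it. Returns (assertion_xml, signature)."""
    tag = lambda local: "{%s}%s" % (SAML, local)
    a = ET.Element(tag("Assertion"), ID="_" + secrets.token_hex(16),
                   Version="2.0", IssueInstant=_iso(now))
    ET.SubElement(a, tag("Issuer")).text = issuer
    ET.SubElement(ET.SubElement(a, tag("Subject")), tag("NameID")).text = subject
    cond = ET.SubElement(a, tag("Conditions"), NotBefore=_iso(now),
                         NotOnOrAfter=_iso(now + lifetime))
    ET.SubElement(ET.SubElement(cond, tag("AudienceRestriction")),
                  tag("Audience")).text = audience
    ET.SubElement(a, tag("AuthnStatement"), AuthnInstant=_iso(now))
    xml = ET.tostring(a, encoding="unicode")
    sig = hmac.new(TRUSTED_ISSUERS[issuer], xml.encode(), hashlib.sha256).hexdigest()
    return xml, sig


class ServiceProvider:
    """Relying party (BobsAppliances.com). consume() returns ("ok", subject)
    or ("rejected", reason); the enforcement point grants access only on "ok"."""

    def __init__(self, entity_id):
        self.entity_id = entity_id
        self.seen_ids = set()  # replay cache; purge entries once NotOnOrAfter has passed

    def consume(self, xml, sig, now):
        a = ET.fromstring(xml)
        key = TRUSTED_ISSUERS.get(a.findtext("saml:Issuer", namespaces=NS))
        if key is None:
            return ("rejected", "untrusted issuer")
        # Signature first: nothing else in the assertion is trustworthy until then.
        expected = hmac.new(key, xml.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return ("rejected", "bad signature")
        cond = a.find("saml:Conditions", NS)
        if now + CLOCK_SKEW < _parse(cond.get("NotBefore")):
            return ("rejected", "not yet valid")
        if now - CLOCK_SKEW >= _parse(cond.get("NotOnOrAfter")):
            return ("rejected", "expired")
        audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if self.entity_id not in audiences:
            return ("rejected", "assertion was issued for another site")
        if a.get("ID") in self.seen_ids:
            return ("rejected", "replayed assertion")
        self.seen_ids.add(a.get("ID"))
        return ("ok", a.findtext("saml:Subject/saml:NameID", namespaces=NS))


def demo():
    """Run the SSO scenario and return the outcomes in order."""
    bobs = ServiceProvider("BobsAppliances.com")
    xml, sig = issue_assertion("JoeFlooring.com", "alice", "BobsAppliances.com", NOW)
    return [
        bobs.consume(xml, sig, NOW),                                  # ok, alice
        bobs.consume(xml, sig, NOW),                                  # replayed
        ServiceProvider("OtherShop.example").consume(xml, sig, NOW),  # wrong audience
        bobs.consume(xml, sig, NOW + dt.timedelta(minutes=10)),       # expired
        bobs.consume(xml.replace("alice", "mallory"), sig, NOW),      # bad signature
    ]
```

The order of checks matters: the signature is verified before any field is read as data, the audience restriction stops an assertion minted for BobsAppliances.com from being replayed at a third site, and the ID cache stops it from being presented twice at the same site.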

  17. Extensible Access Control Markup Language (XACML) • Developed by OASIS. • XACML is a markup language that allows organizations to express and communicate their policies for accessing online information. • XACML defines which clients can access information, what information is available to clients, when clients can access the information and how clients can gain access to it.
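The four questions above (which clients, what information, when, and how), as an added example that is not part of the original presentation: a small policy decision point in the XACML style, with rules made of an effect, a target and a condition, and a deny-overrides combining algorithm. Assumption: this is a simplified model of XACML's concepts written in Python, not XACML's XML syntax; the policy, attribute names and requests are constructed.

```python
"""XACML-style policy decision point and enforcement point (simplified model)."""
import datetime as dt
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Rule:
    effect: str                            # "Permit" or "Deny"
    target: dict                           # attribute -> set of acceptable values
    condition: Optional[Callable] = None   # extra predicate over the request
    description: str = ""


def target_matches(target, request):
    """A rule applies only if every targeted attribute has an acceptable value."""
    return all(request.get(attr) in values for attr, values in target.items())


def business_hours(request):
    return 8 <= request["time"].hour < 18  # KeyError if "time" is absent -> Indeterminate


# Constructed policy for an online product catalogue and price list.
POLICY = [
    Rule("Permit", {"role": {"customer", "partner", "admin"}, "resource": {"catalog"}, "action": {"read"}},
         description="anyone authenticated may read the catalogue"),
    Rule("Permit", {"role": {"partner", "admin"}, "resource": {"price-list"}, "action": {"read"}},
         condition=business_hours, description="partners read prices during business hours"),
    Rule("Permit", {"role": {"admin"}, "resource": {"price-list"}, "action": {"write"}},
         condition=lambda r: r.get("authn") == "x509",
         description="admins edit prices only after certificate login"),
    Rule("Deny", {"resource": {"price-list"}, "action": {"write"}},
         condition=lambda r: r.get("authn") != "x509",
         description="no price edits over weak authentication"),
]


def evaluate(policy, request, algorithm="deny-overrides"):
    """PDP: returns one of XACML's four outcomes. A rule whose condition cannot
    be evaluated (missing attribute) makes the whole decision Indeterminate."""
    effects = []
    for rule in policy:
        if not target_matches(rule.target, request):
            continue
        try:
            if rule.condition is not None and not rule.condition(request):
                continue
        except (KeyError, AttributeError, TypeError):
            return "Indeterminate"
        effects.append(rule.effect)
    if not effects:
        return "NotApplicable"
    if algorithm == "deny-overrides":
        return "Deny" if "Deny" in effects else "Permit"
    if algorithm == "permit-overrides":
        return "Permit" if "Permit" in effects else "Deny"
    raise ValueError("unknown combining algorithm %r" % algorithm)


def pep_allows(decision):
    """PEP: fail closed. Only an explicit Permit opens the door; NotApplicable
    and Indeterminate are treated exactly like Deny."""
    return decision == "Permit"


NOON = dt.datetime(2024, 5, 1, 12, 0)    # constructed request times
NIGHT = dt.datetime(2024, 5, 1, 22, 0)


def demo():
    """Evaluate constructed requests against POLICY; returns name -> decision."""
    cases = {
        "customer reads catalogue at night":
            {"role": "customer", "resource": "catalog", "action": "read", "time": NIGHT},
        "partner reads prices at noon":
            {"role": "partner", "resource": "price-list", "action": "read", "time": NOON},
        "partner reads prices at night":
            {"role": "partner", "resource": "price-list", "action": "read", "time": NIGHT},
        "admin writes prices after password login":
            {"role": "admin", "resource": "price-list", "action": "write", "authn": "password", "time": NOON},
        "admin writes prices after certificate login":
            {"role": "admin", "resource": "price-list", "action": "write", "authn": "x509", "time": NOON},
        "partner reads prices, no time attribute":
            {"role": "partner", "resource": "price-list", "action": "read"},
    }
    return {name: evaluate(POLICY, req) for name, req in cases.items()}
```

The rules answer the four questions in turn: the target's role set says which clients, the resource says what information, the business-hours condition says when, and the authentication-method condition says how access must be gained. The PEP treats NotApplicable and Indeterminate as denials, which is what keeps a missing attribute or an unforeseen request from turning into access.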

  18. Authentication and Authorization for Web Services • Basic authentication and authorization techniques are not sufficient to secure Web services transactions. • The latest Web services products use a combination of security mechanisms, including Kerberos and single sign-on. • Authentication and authorization systems designed for use with Web services: • Microsoft's Passport • Sun's Liberty Alliance • AOL Time Warner's Screen Name Service

  19. Web Services and Network Security • Networks typically authenticate users before allowing access to protected resources. • However, Web services are often designed to use single sign-on, which grants access to applications on the basis of another source's authentication credentials, so the network itself never sees the user authenticate. • Firewalls placed between Web services and internal resources prevent Web service users from reaching protected information directly.

  20. Web Services and Network Security • Web services security is an ongoing process, not a one-time solution. • Thus administrators using Web services need to stay apprised of security developments and update their systems regularly.
