1 / 16

WS-Security and its use for AA(AA) services Overview and issues for discussion

WS-Security and its use for AA(AA) services Overview and issues for discussion. 1 st TF-AACE Meeting, Limerick June 2, 2002 Yuri Demchenko <demch@terena.nl>. Outlines. XML Web Services - concept Web Services Security Architecture WS-Security specification Issues to discuss.

hsalmons
Download Presentation

WS-Security and its use for AA(AA) services Overview and issues for discussion

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. WS-Security and its use for AA(AA) services Overview and issues for discussion 1st TF-AACE Meeting, LimerickJune 2, 2002 Yuri Demchenko <demch@terena.nl>

  2. Outlines • XML Web Services - concept • Web Services Security Architecture • WS-Security specification • Issues to discuss WS-Security: Overview and AA(AA) issues

  3. XML Web Services - concept • Web services define • Technique for describingsoftware components to be accessed • Methods for accessing these components and binding of service descriptions to interoperable network protocols • Discovery methods that enable the identification of relevant service providers • Programming language-, programming model-, and system software-neutral • Standard based: XML/SOAP foundation, - by W3C, OASIS, industry associations • SOAP, WSDL, and WS-Inspection - initial basis for the Web Services • Industry initiatives (and development platforms) • Microsoft .NET (Visual Studio .NET) • IBM Dynamic e-Business (AlphaWorks) • Sun SunONE/J2EE (SunONE Studio) WS-Security: Overview and AA(AA) issues

  4. WS-SecureConversation WS-Federation WS-Authorisation WS-Policy WS-Trust WS-Privacy WS Security SOAP Foundation Web Services Security Architecture • WS-Security: describes how to attach signature and encryption headers to SOAP messages. In addition, it describes how to attach security tokens, including binary security tokens such as X.509 certificates and Kerberos tickets, to messages • http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnwssecur/html/securitywhitepaper.asp WS-Security: Overview and AA(AA) issues

  5. Web Service Security – others specifications • WS-Policy: will describe the capabilities and constraints of the security (and other business) policies on intermediaries and endpoints (e.g. required security tokens, supported encryption algorithms, privacy rules) • WS-Trust: will describe a framework for trust models that enables Web services to securely interoperate • WS-Privacy: will describe a model for how Web services and requesters state privacy preferences and organizational privacy practice statements • WS-SecureConversation: will describe how to manage and authenticate message exchanges between parties including security context exchange and establishing and deriving session keys • WS-Federation: will describe how to manage and broker the trust relationships in a heterogeneous federated environment including support for federated identities • WS-Authorization: will describe how to manage authorization data and authorization policies WS-Security: Overview and AA(AA) issues

  6. Web Services Security Model - General • Point-to-point (host-to-host) security • SSL/TLS, IPSec • Authentication, data integrity, data confidentiality • End-to-end security • Multihop topology with intermediaries • Firewall/DMZ traversal WS-Security: Overview and AA(AA) issues

  7. Web Services Security Model • end2end process requirements • A Web service can require that an incoming message prove a set of claims (e.g., name, key, permission, capability, etc.). If a message arrives without having the required claims, the service may ignore or reject the message. • Set of required claims and related information is referred as a Policy. • A requester can send messages with proof of the required claims by associating security tokens with the messages. Messages both demand a specific action and prove that their sender has the claim to demand the action. • When a requester does not have the required claims, the requester or someone on its behalf can try to obtain the necessary claims by contacting other Web services. These other Web services, which are referred as security token services, may in turn require their own set of claims. • Security token services broker trust between different trust domains by issuing security tokens. WS-Security: Overview and AA(AA) issues

  8. Web Services Security Model WS-Security: Overview and AA(AA) issues

  9. Security token Unsigned Security Token - Username • Signed Security Token • X.509 Certificates • Kerberos tickets Security Tokens and other definitions • There many useful definitions in WS Security documents (at higher platform independent abstraction level) • Security token, signed security token • Claim, claim requirements • Proof-of -possession • Intermediaries WS-Security: Overview and AA(AA) issues

  10. WS Security Scenarios • All are built on SOAP based security tokens exchange • Direct Trust using username/password (using SSL/TLS) • Direct Trust using security token • Security token acquisition • Issued security token • Enforcing business policy • Web clients • Mobile clients (gateway services) • Enabling Federations • Using trust chaining, security token exchange, credentials exchange • Supporting delegation • Access control • Auditing WS-Security: Overview and AA(AA) issues

  11. Web Services Security (WS-Security) Specification • WS-Security describes enhancement to SOAP to provide quality of protection through message integrity, message confidentiality and single message authentication • Provides a general purpose mechanism for associating security tokens with messages • Describes how to encode binary security tokens • Build upon SOAP foundation (extensibility, messaging) • http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnglobspec/html/ws-security.asp WS-Security: Overview and AA(AA) issues

  12. WS Security Language - requirements • WSSL must support a wide variety of security models. • Key driving requirements for the specification: • Multiple security tokens for authentication or authorization • Multiple trust domains • Multiple encryption technologies • End-to-end message-level security and not just transport-level security WS-Security: Overview and AA(AA) issues

  13. WSSL Message Security Model • Describe abstract message security model in terms of security tokens combined with digital signatures as proof of possession of the security token (key). • Security token asserts claims and signatures provide mechanism for proving the sender’s knowledge of key • A claim can be either endorsed or unendorsed by a trusted authority • An X.509 Cert, claiming the binding between one’s identity and public key, is an example of a endorsed/signed security token • An unendorsed claim can be trusted if there is trust relations between the sender and the receiver (usually based on historical relations/communications context) • Proof-of-Possession (e.g. username/password) – special type of unendorsed claim WS-Security: Overview and AA(AA) issues

  14. WSSL message protection • Primary security concerns • Protection against interception – confidentiality • XML Encryption • Protection against illegal modification – integrity • XML Signature WS-Security: Overview and AA(AA) issues

  15. SOAP Header SOAP Routing Security token Digital signature DigSignature description:Normalisaqtion Signed elements Reference to dsign value DigSignature value Ref to Dsign Sec token SOAP Message payload WSSL extended SOAP message structure • URI: http://schemas.xmlsoap.org/ws/2002/04/secext • Namespaces used in WSSL: • SOAP S http://www.w3.org/2001/12/soap-envelope • XML Digital Sign ds http://www.w3.org/2000/09/xmldsig# • XML Encryption xenc http://www.w3.org/2001/04/xmlenc# • XML/SOAP Routing m http://schemas.xmlsoap.org/rp • WSSL wsse • http://schemas.xmlsoap.org/ws/2002/04/secext • Security element • Header block targets specific receiver SOAP Actor • Multiple header blocks are allowed targeted at different Actors • New header block are added/appended to existing ones WS-Security: Overview and AA(AA) issues

  16. WS-Security issues to discuss • WS-Security is built on SOAP foundation and SOAP messaging environment targeting end-to-end message security • What’s the benefit comparing to SSL/TLS or IPSec? • What additional SW/services should be enabled in current/traditional network infrastructure? • WS-Security in context of OGSA and Grid technologies • WS-Security vs GTK GSI/TLS • WS-Security vs PAPI WS-Security: Overview and AA(AA) issues

More Related