
WS-Security TC






Presentation Transcript


  1. WS-Security TC Christopher Kaler Kelvin Lawrence

  2. Agenda • Context for WS-Security • WS-Security Elements and Example • TC Charter and Deliverables

  3. Getting easier to build web services, but who is sending the messages? Several approaches: • SSL with username and password • SSL with X.509 client certificates • VPN with Kerberos • XrML, SAML, … Challenges: • Computational cost • Inflexibility • Firewalls • Distributed management • Hop-to-hop vs. end-to-end (Diagram: Web Service Security Issues: username/password; client certificates, smart cards, …; VPN)

  4. Security and Web Services: Security in a Web Services World • Safer: no exposure at intermediaries • Interoperable: broad vendor support • Leverages XML Signature and XML Encryption • Flexible: builds on web infrastructure • Works with HTTP, SMTP, and other transports • Works over firewalls, through the DB, … • Durable: security is available at the business request / application layer • Higher performance and scalability • Supports both public and symmetric keys • Clients exchange security tokens and cache them • Easier: a simple common approach for manageable authentication, authorization, and permissions

  5. A Typical Challenge (Diagram: Business Partners, Certification Partner, Company A Web Service) • 1. Run Application • 2. Request Fails • 3. Get Proof of Certification • 4. Fax Certification • 5. Approve

  6. A WS-Security Solution (Diagram: Business Partners, Certification Partner, Company A Web Service) • 1. Run Application • 2. Get Proof of Certification • 3. Request Succeeds

  7. How Does it Work? • Security tokens assert claims • Web services have policies • A security token service is just a web service that issues security tokens

  8. Security Tokens • Security tokens assert claims • Formats: X.509, Kerberos, XrML, SAML, … • Claims: identity, keys, privileges, rights, capabilities, custom …

  9. Policies • Services have policies • Policies describe the required claims • Security tokens assert the claims (Diagram: Policy: does the request have the correct security tokens?)

  10. Security Token Service • A security token service issues security tokens • It is just a web service • A solution may require multiple token services (Diagram: Security Token Service with its Policy; Web Service with its Policy)

  11. Agenda • Context for WS-Security • WS-Security Elements and Example • TC Charter and Deliverables

  12. New SOAP Elements (WS-Security) • New: <Security> header, <UsernameToken>, <SecurityTokenReference>, <BinarySecurityToken> • Existing: XML Signature, XML Encryption, token formats (e.g., X.509, Kerberos, XrML, SAML)

  13. <Security> <Security SOAP:actor="..."> ... </Security> • SOAP:actor is optional • One header per actor • All security information together • Sub-elements are prepended (the newest element goes first, so a receiver can process the header top to bottom without forward references) • Supports multiple signatures

  14. Elements In <Security> • Including and referencing security tokens • <UsernameToken> • <BinarySecurityToken> • <SecurityTokenReference> • <ds:KeyInfo> • <xenc:EncryptedKey> • Signature • <ds:Signature> • Encryption Manifest • <xenc:ReferenceList> • Encrypted Attachments • <xenc:EncryptedData> • Other…

  15. Simple Example • Requesting a stock quote • Security token indicates username • Signature uses key generated from password

  16. Simple Example (1 of 2)

  <?xml version="1.0" encoding="utf-8"?>
  <S:Envelope xmlns:S=".../soap-envelope" xmlns:ds=".../xmldsig#">
    <S:Header>
      <m:path xmlns:m="http://schemas.xmlsoap.org/rp/">
        <m:action>http://fabrikam.org/getQuote</m:action>
        <m:to>http://fabrikam.org/stocks</m:to>
        <m:id>uuid:84b9f5d0-33fb-4a81-b02b-5b760641c1d6</m:id>
      </m:path>
      <wsse:Security xmlns:wsse=".../secext">
        <wsse:UsernameToken Id="MyID">
          <wsse:Username>Zoe</wsse:Username>
        </wsse:UsernameToken>
        <ds:Signature>
          <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm=".../xml-exc-c14n#"/>
            <ds:SignatureMethod Algorithm=".../xmldsig#hmac-sha1"/>

  17. Simple Example (2 of 2)

            <ds:Reference URI="#MsgBody">
              <ds:DigestMethod Algorithm="http://.../xmldsig#sha1"/>
              <ds:DigestValue>LyLsF0Pi4wPU...</ds:DigestValue>
            </ds:Reference>
          </ds:SignedInfo>
          <ds:SignatureValue>DJbchm5gK...</ds:SignatureValue>
          <ds:KeyInfo>
            <wsse:SecurityTokenReference>
              <wsse:Reference URI="#MyID"/>
            </wsse:SecurityTokenReference>
          </ds:KeyInfo>
        </ds:Signature>
      </wsse:Security>
    </S:Header>
    <S:Body Id="MsgBody">
      <tru:StockSymbol xmlns:tru="...">QQQ</tru:StockSymbol>
    </S:Body>
  </S:Envelope>
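The message on slides 16 and 17, worked end to end as an added example (this is editor-written code, not code from the slides, the presenters, or the WS-Security TC). The producer builds the same <Security> header: a <UsernameToken>, an HMAC-SHA1 <ds:Signature> over the <Body>, and a <ds:KeyInfo> whose <SecurityTokenReference> points back at the token. The consumer then does what slides 9 and 10 describe: resolves the token reference, checks every <Reference> digest and the signature value, and applies a policy ("is the Body covered by the signature?") before accepting the request. Assumptions: the namespace URIs the slide elides with "..." are filled with values chosen for this example; derive_key is a placeholder for the "key generated from password" of slide 15, not the derivation any profile defines; ElementTree's C14N 2.0 (Python 3.8+) stands in for Exclusive C14N, which is fine here because only determinism between the two sides matters; the <m:path> routing header is omitted since nothing signs it.

```python
"""Producer and consumer for the slide's UsernameToken + HMAC-SHA1 request (added example)."""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Namespace URIs: the slide elides most of them ("..."), so these values are assumptions.
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
DS = "http://www.w3.org/2000/09/xmldsig#"
WSSE = "http://schemas.xmlsoap.org/ws/2002/04/secext"
TRU = "http://fabrikam.org/stocks"
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
HMAC_SHA1, SHA1 = DS + "hmac-sha1", DS + "sha1"
for _p, _u in (("S", SOAP), ("ds", DS), ("wsse", WSSE), ("tru", TRU)):
    ET.register_namespace(_p, _u)
b64 = lambda data: base64.b64encode(data).decode("ascii")

def q(ns, local):
    return "{%s}%s" % (ns, local)  # Clark-notation tag name, as ElementTree expects

def c14n(elem):
    """Canonical bytes of a subtree: ElementTree's C14N 2.0 stands in for exc-c14n (assumption)."""
    return ET.canonicalize(ET.tostring(elem, encoding="unicode")).encode("utf-8")

def derive_key(password):
    """Placeholder for the password-derived key of slide 15 (assumption, not the spec's function)."""
    return hashlib.sha1(password.encode("utf-8")).digest()

def find_by_id(scope, ident):
    return next((el for el in scope.iter() if el.get("Id") == ident), None)

def build_signed_request(username, password, symbol):
    """Producer: <Security> holding a UsernameToken and an HMAC-SHA1 Signature over <Body>."""
    env = ET.Element(q(SOAP, "Envelope"))
    sec = ET.SubElement(ET.SubElement(env, q(SOAP, "Header")), q(WSSE, "Security"))
    tok = ET.SubElement(sec, q(WSSE, "UsernameToken"), Id="MyID")
    ET.SubElement(tok, q(WSSE, "Username")).text = username
    body = ET.SubElement(env, q(SOAP, "Body"), Id="MsgBody")
    ET.SubElement(body, q(TRU, "StockSymbol")).text = symbol
    sig = ET.SubElement(sec, q(DS, "Signature"))
    si = ET.SubElement(sig, q(DS, "SignedInfo"))
    ET.SubElement(si, q(DS, "CanonicalizationMethod"), Algorithm=EXC_C14N)
    ET.SubElement(si, q(DS, "SignatureMethod"), Algorithm=HMAC_SHA1)
    ref = ET.SubElement(si, q(DS, "Reference"), URI="#MsgBody")
    ET.SubElement(ref, q(DS, "DigestMethod"), Algorithm=SHA1)
    ET.SubElement(ref, q(DS, "DigestValue")).text = b64(hashlib.sha1(c14n(body)).digest())
    mac = hmac.new(derive_key(password), c14n(si), hashlib.sha1).digest()
    ET.SubElement(sig, q(DS, "SignatureValue")).text = b64(mac)
    str_el = ET.SubElement(ET.SubElement(sig, q(DS, "KeyInfo")), q(WSSE, "SecurityTokenReference"))
    ET.SubElement(str_el, q(WSSE, "Reference"), URI="#MyID")  # points back at the UsernameToken
    return ET.tostring(env, encoding="unicode")

def verify_request(envelope_xml, lookup_password, require_signed=("MsgBody",)):
    """Consumer. Returns (ok, detail); require_signed is the slide-9 policy: Ids the signature must cover."""
    root = ET.fromstring(envelope_xml)
    sec = root.find("%s/%s" % (q(SOAP, "Header"), q(WSSE, "Security")))
    sig = sec.find(q(DS, "Signature")) if sec is not None else None
    si = sig.find(q(DS, "SignedInfo")) if sig is not None else None
    if si is None:
        return False, "no <Security>/<Signature>/<SignedInfo>"
    if si.find(q(DS, "SignatureMethod")).get("Algorithm") != HMAC_SHA1:
        return False, "unexpected SignatureMethod"  # algorithms are pinned by policy, not read from the message
    path = "%s/%s/%s" % (q(DS, "KeyInfo"), q(WSSE, "SecurityTokenReference"), q(WSSE, "Reference"))
    str_ref = sig.find(path)
    tok = find_by_id(sec, str_ref.get("URI")[1:]) if str_ref is not None else None
    if tok is None or tok.tag != q(WSSE, "UsernameToken"):
        return False, "SecurityTokenReference does not resolve to a UsernameToken in this header"
    username = tok.findtext(q(WSSE, "Username"))
    password = lookup_password(username)
    if password is None:
        return False, "unknown user %r" % username
    signed = set()
    for ref in si.findall(q(DS, "Reference")):  # every digest is checked before anything is trusted
        if ref.find(q(DS, "DigestMethod")).get("Algorithm") != SHA1:
            return False, "unexpected DigestMethod"
        target = find_by_id(root, ref.get("URI")[1:])
        if target is None:
            return False, "dangling reference %s" % ref.get("URI")
        digest = b64(hashlib.sha1(c14n(target)).digest())
        if not hmac.compare_digest(digest.encode(), (ref.findtext(q(DS, "DigestValue")) or "").encode()):
            return False, "digest mismatch on %s" % ref.get("URI")
        signed.add(ref.get("URI")[1:])
    mac = hmac.new(derive_key(password), c14n(si), hashlib.sha1).digest()  # HMAC over canonical SignedInfo
    if not hmac.compare_digest(b64(mac).encode(), (sig.findtext(q(DS, "SignatureValue")) or "").encode()):
        return False, "signature mismatch"
    missing = [i for i in require_signed if i not in signed]
    if missing:
        return False, "policy: required parts not signed: %s" % missing
    return True, username

USERS = {"Zoe": "zoe-demo-password"}  # constructed sample user directory, not from the slides

if __name__ == "__main__":
    msg = build_signed_request("Zoe", USERS["Zoe"], "QQQ")
    print(verify_request(msg, USERS.get))                             # (True, 'Zoe')
    print(verify_request(msg.replace(">QQQ<", ">MSFT<"), USERS.get))  # digest mismatch
```

Two things to notice about what the consumer pins and what the slide's message lacks. The verifier never takes the algorithm identifiers or the key from the message: SignatureMethod and DigestMethod must match local policy, and the key is looked up by the username the SecurityTokenReference resolves to, within the same <Security> header. Editing the body, swapping the algorithm, or signing with a different password all fail closed, and a signature that covers something other than the Body fails the policy check even when it is mathematically valid. What the message on the slides does not carry is any nonce or timestamp, so a captured request verifies again if it is replayed; the later OASIS UsernameToken profile added <wsse:Nonce> and <wsu:Created> for exactly that reason, and a production verifier would require them and keep a nonce cache. With several SOAP actors (slide 13) there is one <Security> header per actor, so the consumer would first select the header whose SOAP:actor names it before running the checks above.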

  18. Agenda • Context for WS-Security • WS-Security Elements and Example • TC Charter and Deliverables

  19. WS-Security TC Charter Continue work on the Web service security foundations published in the WS-Security specification and under the context of the Web Services Security roadmap

  20. WS-Security TC Scope • Using XML signature to provide SOAP message integrity for Web services • Using XML encryption to provide SOAP message confidentiality for Web services • Attaching and/or referencing security tokens in headers of SOAP messages • Carrying security information for potentially multiple, designated actors • Associating signatures with security tokens • Representing specific forms of binary security tokens as defined in WS-Security specification.

  21. WS-Security TC Deliverables • Accept as input the Web Services Security (WS-Security) • Produce as output a specification for Web Services Security. This specification will reflect refinements and changes made to the submitted version of WS-Security that are identified by the WSS TC members for additional functionality within the scope of the TC charter. • Liaise and/or forge relationships with other Web services efforts to assist in leveraging WS-Security as a part of their specifications or solutions. • Coordinate with the chairs of the other OASIS security related groups via the Security Joint Coordination Committee. • Oversee ongoing maintenance and errata of the WS-Security specification.

  22. Questions
