WS Security Roadmap
Dave Tran
CSCI5931 Web Security
WS Security Roadmap Proposed by IBM and Microsoft
What is a Web Service?
“… application components whose functionality and interfaces are exposed to potential users through the application of existing and emerging Web technology standards including XML, SOAP, WSDL, and HTTP.”
Why?
  Loosely-coupled
  Language-neutral
  Platform-independent
Bottlenecks?
  Security
SSL/TLS not enough?
  Point-to-point (2 parties involved)
  WS is end-to-end (more than 3 parties involved)
Initial Specifications
Provide the foundation to establish secure interoperable Web services across trust domains.
Message Layer
  WS-Security - message security model
Policy Layer
  WS-Policy - Web service endpoint policy
  WS-Trust - a trust model
  WS-Privacy - privacy model
Follow-on Specifications
Federation Layer
  WS-SecureConversation – secure conversations
  WS-Federation – federated trust
  WS-Authorization – authorization
WS-Security
Enhances SOAP messaging by providing quality of protection through message integrity and message confidentiality.
Authentication with security tokens – usernames and passwords, Kerberos tickets, X.509 certificates
Message integrity – XML Signature with security tokens
Message confidentiality – XML Encryption with security tokens
WS-Policy
Defines the policy rules on how services interact
Includes 4 specs
  A Policy Framework (WS-Policy) - defines a grammar for expressing WS policies
  A Policy Attachment (WS-Policy-Attachment) - defines how to attach these policies to WS
  A set of general policy assertions (WS-Policy-Assertions)
  A set of security policy assertions (WS-Security Policy)
WS-Trust
The trust between a service requester and a service provider is established through the exchange of information between the two parties in an expected and understood manner
WS-Security already defines the basic mechanisms to securely exchange messages using security tokens
Builds on top of WS-Security and defines how the security tokens are issued and exchanged
Defines a set of interfaces that a secure token service may provide for the issuance, exchange, and validation of security tokens
WS-Privacy
Defines how privacy of information is maintained
WS-SecureConversation
Builds on the concept of trust based on security tokens
Defines how to establish a secured session between services for exchanging data using the rules defined in WS-Policy, WS-Trust, and WS-Privacy
Defines how to create a context for a particular conversation with a Web Service and how to create keys that can be used in that context
WS-Federation
Describes how to manage and broker trust relationships (trust of identities, attributes, and authentication) in a heterogeneous federated environment (among Web Services), leading to Single Sign-On.
Comprises the following:
  WS-Federation: Active Requestor Profile - defines mechanisms for requesting, exchanging, and issuing security tokens within the context of active requestors (an application capable of issuing WS messages).
  WS-Federation (Language) - defines how federation works in the WS-Security stack.
  WS-Federation: Passive Requestor Profile (HTTP browser) - defines a system for passive mechanisms to work seamlessly with a single or simplified sign-on to the WS-Federation system.
WS-Authorization
Describes how access policies for a Web Service are specified and managed.
Describes how claims may be specified within security tokens and how these claims will be interpreted at the endpoint.
July 2003
  VeriSign/IBM/Microsoft/RSA/BEA WS-Federation Specification
  VeriSign/IBM/Microsoft/RSA/BEA WS-Federation Active Client Profile
  VeriSign/IBM/Microsoft/RSA/BEA WS-Federation Passive Client Profile
December 2002
  VeriSign/IBM/Microsoft/RSA WS-SecurityPolicy Specification
  VeriSign/IBM/Microsoft/RSA WS-Trust Specification
  VeriSign/IBM/Microsoft/RSA WS-SecureConversation Specification
Related Specifications
  IBM/Microsoft/BEA/SAP WS-Policy
  IBM/Microsoft/BEA/SAP WS-PolicyAttachment
  IBM/Microsoft/BEA/SAP WS-PolicyAssertions
August 2002
  VeriSign/IBM/Microsoft WS-Security Addendum
April 2002
  VeriSign/IBM/Microsoft WS-Security Specification
  IBM-Microsoft Web Services Roadmap
References
www.verisign.com/wss
http://www-106.ibm.com/developerworks/library/ws-secmap/
http://www-106.ibm.com/developerworks/library/ws-secroad/