XML Security Standards Overview for the Non-Specialist

1
XML Security Standards Overview for the
Non-Specialist
  • Hal Lockhart
  • Office of the CTO
  • BEA Systems

2
Topics
  • Security Introduction
  • Preliminary work at W3C
  • SAML
  • XACML
  • Digital Signature Services
  • WS-Security
  • WS-SecureConversation, WS-Trust and
    WS-SecurityPolicy
  • Interdependencies

3
Information Security Definition
  • Technologies and procedures intended to implement
    organizational policy in spite of human efforts
    to the contrary.
  • Suggested by Authorization
  • Applies to all security services
  • Protection against accidents is incidental
  • Suggests four areas of attention

4
Information Security Areas
  • Policy determination
  • Expression: code, permissions, ACLs, language
  • Evaluation: semantics, architecture, performance
  • Policy enforcement
  • Maintain integrity of Trusted Computing Base
    (TCB)
  • Enforce variable policy

5
Security Services
  • Authentication: confirm asserted identity
  • Authorization: permit or deny a request
  • Integrity: prevent undetected modification of
    data
  • Confidentiality: prevent unauthorized reading of
    data
  • Audit: preserve evidence for accountability
  • Administration: control configuration
  • Others

7
W3C Security Recommendations
  • Widespread use of XML: need for integrity and
    confidentiality
  • XML Digital Signature WG (1999 to 2002)
  • Defines rules to sign XML and record parameters
    and signature value
  • Support all technologies in common use
  • Key problem: immaterial changes to XML documents
  • Solution: canonicalization
  • XML Encryption WG (2001 and 2002)
  • Defines rules to encrypt XML and record
    parameters
  • Support all technologies in common use
  • Key problem: encrypted data not Schema-valid
  • Solution: none
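
The canonicalization point on this slide, as an added example that is not part of the original presentation: two serializations that differ only immaterially hash differently as raw bytes but identically once canonicalized, while a material change still alters the digest. It uses Python's standard-library C14N 2.0 implementation as a stand-in for whichever canonicalization method a signature names; the sample documents and function names are constructed for illustration.

```python
import hashlib
from xml.etree.ElementTree import canonicalize  # C14N 2.0, Python 3.8+

# Constructed sample documents. A and B differ only in attribute order, quote
# style, whitespace inside tags and empty-element syntax. C changes the amount.
DOC_A = '<order id="42" currency="USD"><amount>100</amount><note/></order>'
DOC_B = "<order  currency='USD'   id='42' ><amount>100</amount><note></note></order>"
DOC_C = '<order id="42" currency="USD"><amount>900</amount><note/></order>'


def canonical_form(xml_text: str) -> str:
    """Return the canonical serialization that would be digested and signed."""
    return canonicalize(xml_data=xml_text)


def raw_digest(xml_text: str) -> str:
    """Digest of the bytes exactly as received (what a naive signer would hash)."""
    return hashlib.sha256(xml_text.encode("utf-8")).hexdigest()


def canonical_digest(xml_text: str) -> str:
    """Digest of the canonical form, computed the same way by signer and verifier."""
    return hashlib.sha256(canonical_form(xml_text).encode("utf-8")).hexdigest()


def compare(left: str, right: str) -> dict:
    """Report whether two documents match as raw bytes and as canonical XML."""
    return {
        "raw_equal": raw_digest(left) == raw_digest(right),
        "canonical_equal": canonical_digest(left) == canonical_digest(right),
    }


if __name__ == "__main__":
    print("canonical form of B:", canonical_form(DOC_B))
    print("A vs B (immaterial change):", compare(DOC_A, DOC_B))
    print("A vs C (material change):  ", compare(DOC_A, DOC_C))
```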

9
SAML Background
  • Web Single Signon
  • Web is stateless
  • Very inconvenient for security
  • Use of Web Server Farms
  • User inconvenience, performance and risk,
    multiple repositories
  • Federated Identity
  • Federation: independent entities maintain user
    info
  • The alternative is centralization: impractical
  • The way the world works
  • Requires agreed formats and protocols (standards)

10
SAML: Key Ingredients for Standardization
  • Web Access Management Vendors
  • Already solved the problem using proprietary
    methods (multiple times)
  • Broad agreement on requirements and solutions
  • Marketplace
  • Large scale projects would require standards
  • Rising tide theory
  • Willingness to standardize
  • Random Factors
  • XML becoming fashionable
  • OASIS offered favorable environment
  • (SAML became the first security-related TC at
    OASIS)

11
SAML Timeline
  • SAML 1.0 completed May 2002; OASIS Standard
    November 2002
  • November 2002: SAML wins PC Magazine Technology
    Excellence Award

12
SAML assertions
  • Assertions are declarations of fact, according to
    someone
  • SAML assertions are compounds of one or more of
    three kinds of statement about subject (human
    or program)
  • Authentication
  • Attribute
  • Authorization decision
  • You can extend SAML to make your own kinds of
    assertions and statements
  • Assertions can be digitally signed

13
SAML protocol for getting assertions

14
SAML Standards Dependencies
  • Uses XML Signature to protect assertions from
    modification
  • Uses XML Encryption to protect privacy when
    assertions are stored
  • Uses SSL and WS-Security to protect assertions on
    the wire
  • Is used by WS-Security to identify users and keys

15
Current Work
  • Sticking with SAML 2.0 to drive adoption
  • Profiles reviewed or under review
  • Metadata Extension for Query Requesters
  • Protocol Extensions for Third-Party Requests
  • Attribute Sharing Profile for X.509
    Authentication Based Systems
  • XPath Attribute Profile
  • SAML V1.x Metadata Profile
  • Shared Credentials Profiles
  • Text-based Challenge Response
  • HTTP POST SimpleSign Binding
  • SAML 2.0 -> ITU-T Recommendation X.1141

17
XACML TC Charter
  • Define a core XML schema for representing
    authorization and entitlement policies
  • Target - any object - referenced using XML
  • Fine grained control, characteristics - access
    requestor, protocol, classes of activities, and
    content introspection
  • Consistent with and building upon SAML

18
XACML TC History
  • First Meeting - 21 May 2001
  • XACML 1.0 - OASIS Standard 6 February 2003
  • XACML 1.1 - Committee Specification 7 August
    2003
  • XACML 2.0 - OASIS Standard 1 February 2005
  • XACML 2.0 - ITU-T Recommendation X.1142

19
Policy Examples
  • Anyone can view their own 401K information, but
    nobody else's
  • The print formatting service can access printers
    and temporary storage on behalf of any user with
    the print attribute
  • The primary physician can have any of her
    patients' medical records sent to a specialist in
    the same practice.
  • Anyone can use web servers with the spare
    property between 12:00 AM and 4:00 AM
  • Salespeople can create orders, but if the total
    cost is greater than 1M, a supervisor must
    approve

20
XACML Objectives
  • Ability to locate policies in distributed
    environment
  • Ability to federate administration of policies
    about the same resource
  • Base decisions on wide range of inputs
  • Multiple subjects, resource properties
  • Decision expressions of unlimited complexity
  • Ability to do policy-based delegation
  • Usable in many different environments
  • Types of Resources, Subjects, Actions
  • Policy location and combination

21
Novel XACML Features
  • Large Scale Environment
  • Subjects, Resources, Attributes, etc. need not
    necessarily exist or be known at Policy Creation
    time
  • Multiple Administrators - potentially
    conflicting policy results
  • Combining algorithms
  • Request centric
  • Use any information available at access request
    time
  • Zero, one or more Subjects
  • No invented concepts (privilege, role, etc.)
  • Dynamically bound to request
  • Not limited to Resource binding
  • Only tell what policies apply in context of
    Request
  • Two stage evaluation
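
The combining-algorithm idea from this slide, applied to the salesperson policy example given earlier, as an added sketch that is not part of the original presentation and is not XACML syntax. Two rules from different administrators give conflicting results for a large unapproved order, and the chosen combining algorithm settles the outcome. The rule names, attribute names and requests are constructed, "1M" is read as 1,000,000, and the Indeterminate result of real XACML is left out.

```python
from dataclasses import dataclass
from typing import Callable, List

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"

@dataclass
class Rule:
    name: str
    target: Callable[[dict], bool]     # does the rule apply to this request?
    condition: Callable[[dict], bool]  # checked only when the target matches
    effect: str

    def evaluate(self, request: dict) -> str:
        if self.target(request) and self.condition(request):
            return self.effect
        return NOT_APPLICABLE

def creates_order(r: dict) -> bool:
    return r.get("action") == "create" and r.get("resource") == "order"

# Two rules written by different administrators about the same resource.
RULES = [
    Rule("sales-may-create-orders", creates_order,
         lambda r: r.get("role") == "salesperson", PERMIT),
    Rule("large-orders-need-supervisor", creates_order,
         lambda r: r.get("total", 0) > 1_000_000 and not r.get("supervisor_approved"), DENY),
]

def deny_overrides(decisions: List[str]) -> str:
    return DENY if DENY in decisions else PERMIT if PERMIT in decisions else NOT_APPLICABLE

def permit_overrides(decisions: List[str]) -> str:
    return PERMIT if PERMIT in decisions else DENY if DENY in decisions else NOT_APPLICABLE

def first_applicable(decisions: List[str]) -> str:
    return next((d for d in decisions if d != NOT_APPLICABLE), NOT_APPLICABLE)

def decide(request: dict, combine: Callable[[List[str]], str]) -> str:
    return combine([rule.evaluate(request) for rule in RULES])

# Constructed requests: every attribute is supplied at access-request time.
SMALL = {"role": "salesperson", "action": "create", "resource": "order", "total": 5_000}
LARGE = {**SMALL, "total": 2_500_000}
APPROVED = {**LARGE, "supervisor_approved": True}
CLERK_READ = {"role": "clerk", "action": "read", "resource": "order"}

if __name__ == "__main__":
    for name, req in [("small", SMALL), ("large", LARGE), ("approved", APPROVED), ("read", CLERK_READ)]:
        print(name, {c.__name__: decide(req, c) for c in (deny_overrides, permit_overrides, first_applicable)})
```

Only deny-overrides enforces the supervisor requirement here. Under permit-overrides or first-applicable with this rule order, the salesperson rule wins and the large unapproved order is permitted.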

22
Request and Response Context

23
XACML Profiles
  • Digital Signature
  • Integrity protection of Policies
  • Hierarchical Resources
  • Using XACML to protect files, directory entries,
    web pages
  • Privacy
  • Determine purpose of access
  • RBAC
  • Support ANSI RBAC Profile with XACML
  • SAML Integration
  • XACML-based decision request
  • Fetch applicable policies
  • Attribute alignment

24
XACML Standards Dependencies
  • XACML uses SAML assertions structure and
    protocols to protect and distribute policies
  • Therefore it:
  • Uses XML Signature to protect assertions from
    modification
  • Uses XML Encryption to protect privacy when
    assertions are stored
  • Uses SSL and WS-Security to protect assertions on
    the wire
  • XACML is also referenced by a number of other
    specifications as the access control mechanism

25
XACML Version 3.0
  • Administrative policies
  • HR-Admins can create policies concerning the
    Payroll servers
  • Policy delegation
  • Jack can approve expenses while Mary is on
    vacation
  • Policy provisioning
  • Enhanced Obligation processing
  • Policy queries
  • Revocation

27
Digital Signature Services (DSS)
www.oasis-open.org
  • Web Service to create / verify signatures and
    timestamps on behalf of users
  • Complexities and security issues of key
    management etc. taken from user
  • Supports range of signature formats including:
  • W3C XML Signatures
  • CMS (RFC 3852) Signatures
  • RFC 3161 Timestamps
  • Intended primarily where signatures have lasting
    significance
  • Electronic Commerce
  • Aligned with legal requirements in various venues

28
DSS Specifications
  • Core
  • Generic protocol and core features
  • Profiles
  • Selects options from Core and extends if
    necessary
  • Current DSS profiles
  • Time-stamping
  • Asynchronous operation
  • Code signing
  • Entity seal
  • Electronic Post Mark
  • German signature law
  • Advanced electronic signature
  • Signature gateway

29
DSS Status
  • Core at 3rd CD, takes into account:
  • Interoperability trials
  • Feedback from implementers within and outside
    group
  • Profiles updated to align with 3rd CD
  • Currently in public review
  • To be followed by OASIS Std Vote

31
WS-Security Overview
  • Basic SOAP Message Protection
  • Signatures, Encryption, Timestamps
  • Multiple token types
  • Username, X.509, Kerberos, SAML, REL
  • Token References

32
Web Services Security History
  • Submitted to OASIS September 2002
  • Interoperability testing began Summer 2003
  • OASIS Standard - April 2004
  • Core Specification, Username and X.509 Profiles
  • SAML and REL Profiles: OASIS Standard - December
    2004
  • Public Interoperability Demo - April 2005
  • WSS 1.1 OASIS Standard - February 2006
  • Includes Attachments and Kerberos
  • Formal WSS 1.1 Errata approved November 2006
  • Vote to Close TC
  • WS-I Basic Security Profile 1.0 and 1.1

34
WS-SX Overview
  • Three new security specifications building on
    WS-Security
  • WS-Trust
  • Mechanisms to issue tokens and associated keys
  • WS-SecureConversation
  • Allows establishment of secure session (think SSL
    for SOAP)
  • WS-SecurityPolicy
  • Allows Web Service to express Security Policies

35
WS-SX TC History
  • New TC formed December 2005
  • Under new IPR policy (RF-RAND)
  • Privately published specifications
  • Substantial interop review of WS-SC and WS-Trust
    prior to TC start
  • WS-SP is much less mature

36
WS-SX Currently
  • Charter goal: complete in 18 months
  • 2nd F2F Meeting held in April 2006
  • Weekly con calls
  • Interop testing of WS-SecCon and WS-Trust over
    summer
  • 60 day Public Review complete Dec 2
  • Interop of WS-SecurityPolicy underway
  • Public review this winter
  • Submission to OASIS for vote as a Standard
  • Security Policy Usecases also under development

38
Security Standards Interdependencies
WS-SecurityPolicy
WS-SecureConversation
WS-Trust
WSS
DSS
XACML
SAML
XML Encryption
XML Digital Signature

39
Questions?