Patterns for Web Services Security Standards - PowerPoint PPT Presentation

Provided by: Kei37
Learn more at: https://www.cse.fau.edu

Transcript and Presenter's Notes

1
Patterns for Web Services Security Standards
  • Presented by Keiko Hashizume

2
Outline
  • Introduction
  • Patterns for Web Services Security Standards
  • WS-Security
  • Conclusions

3
Introduction
  • Web services standards are confusing, which makes
    it difficult for vendors to develop products that
    comply with the standards and for users to decide
    which product to use.
  • That is why we need to develop patterns for these
    standards.
  • Patterns embody the knowledge and experience of
    software developers about a recurrent problem. A
    pattern solves a specific problem in a given
    context and can be tailored to fit different
    situations.

4
Existing Patterns for WS Security Standards
  • XACML (eXtensible Access Control Markup Language)
    Policy Language
  • XACML Access Control Evaluation
  • WSPL (Web Service Policy Language)
  • WS-Policy
  • SAML (Security Assertion Markup Language)

5
Web Services Security Standards without Patterns
  • WS-Authorization
  • WS-Encryption
  • WS-Federation Language
  • WS-Federation Active Requestor Profile
  • WS-Federation Passive Requestor Profile
  • WS-Signature
  • WS-Privacy
  • WS-SecureConversation
  • WS-Security Kerberos Binding
  • WS-SecurityPolicy
  • WS-Trust 1.3
  • SPML (Service Provisioning Markup Language)
  • WS-Security
  • XML digital signature
  • XML encryption
  • XKMS (XML Key Management Specification)
  • XrML (Extensible Rights Management Language)
  • XCBF (XML Common Biometric Format)

6
WS-Security Standard
  • Originally developed by IBM, Microsoft, VeriSign,
    and Forum Systems.
  • OASIS Specification
  • Latest Version: WS-Security 1.1
  • Approved in February 2006

7
WS-Security Standard
  • Security Header
  • The <wsse:Security> header block provides a
    mechanism for attaching security-related message
    information.

8
WS-Security Standard
  • The WS-Security specification provides three main
    mechanisms:
  • The ability to send security tokens as part of a
    message
  • Message integrity is provided by XML Signature
  • Message confidentiality is provided by XML
    Encryption

9
Security Tokens
  • WS-Security defines how security tokens are
    attached to messages.
  • There are different types of security tokens:
  • UsernameToken
  • Binary Security Tokens
  • XML Tokens

10
UsernameToken Profile
  • The UsernameToken propagates a username and,
    optionally, a password.

11
Binary Security Tokens
  • WS-Security provides a <wsse:BinarySecurityToken>
    element that can be included in the
    <wsse:Security> header block.
  • The following is an overview of the syntax
  • Examples
  • X.509 certificates
  • Kerberos tickets

12
XML Tokens
  • XML Tokens are offered in two formats:
  • Security Assertion Markup Language (SAML)
  • Extensible rights Markup Language (XrML)
  • Example of WS-Security with a SAML assertion
    token

13
Signatures
  • Digital signatures provide message integrity and
    authentication.
  • WS-Security builds on XML Signature.
  • This specification describes:
  • Signing Messages
  • Signing Tokens

14
Signing Messages
  • To add a signature to a <wsse:Security> block, a
    <ds:Signature> element conforming to the XML
    Signature specification must be present in the
    header block.

15
Signing Tokens
  • WS-Security allows different tokens to have their
    own unique reference.

16
Encryption
  • WS-Security allows encryption of the body and
    header blocks by either a common symmetric key
    shared by the producer and the recipient or a
    symmetric key carried in the message in an
    encrypted form.
  • WS-Security leverages the XML Encryption
    standard.
  • This specification describes how the two elements
    <xenc:ReferenceList> and <xenc:EncryptedKey> can
    be used within the <wsse:Security> header block.

17
Encryption
  • The element that needs to be encrypted must be
    replaced by a corresponding <xenc:EncryptedData>.

18
Encryption
  • When the encryption involves encrypting element
    contents within a SOAP envelope with a symmetric
    key that is itself encrypted and embedded in the
    message, <xenc:EncryptedKey> may be used for
    carrying such an encrypted key.
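
Added example, not part of the original presentation: Python that parses a constructed SOAP 1.1 envelope and reports which tokens the <wsse:Security> header carries, which elements the signature references, and whether the body was replaced by <xenc:EncryptedData>. The sample message, its Id values and the inventory function name are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
WSU_ID = "{%s}Id" % NS["wsu"]

# Constructed sample: real element names, placeholder values, crypto details omitted.
SAMPLE = """<soap:Envelope xmlns:soap="{soap}" xmlns:wsse="{wsse}" xmlns:wsu="{wsu}"
    xmlns:ds="{ds}" xmlns:xenc="{xenc}">
 <soap:Header><wsse:Security>
  <wsse:BinarySecurityToken wsu:Id="X509Token">PLACEHOLDER</wsse:BinarySecurityToken>
  <xenc:EncryptedKey><xenc:ReferenceList>
    <xenc:DataReference URI="#EncBody"/></xenc:ReferenceList></xenc:EncryptedKey>
  <ds:Signature><ds:SignedInfo>
    <ds:Reference URI="#Body"/><ds:Reference URI="#X509Token"/>
  </ds:SignedInfo></ds:Signature>
 </wsse:Security></soap:Header>
 <soap:Body wsu:Id="Body"><xenc:EncryptedData Id="EncBody"/></soap:Body>
</soap:Envelope>""".format(**NS)

def inventory(xml_text):
    """Summarise what a wsse:Security header carries and what it protects."""
    root = ET.fromstring(xml_text)
    sec = root.find("soap:Header/wsse:Security", NS)
    if sec is None:
        return None  # no security header: nothing is attached or protected
    body = root.find("soap:Body", NS)
    # Index every wsu:Id / Id so that "#fragment" references can be resolved.
    ids = {}
    for el in root.iter():
        for key in (WSU_ID, "Id"):
            if el.get(key):
                ids[el.get(key)] = el
    def refs(path):  # strip the leading "#" from each same-document URI
        return [r.get("URI", "")[1:] for r in sec.findall(path, NS)]
    signed = refs("ds:Signature/ds:SignedInfo/ds:Reference")
    encrypted = refs(".//xenc:DataReference")
    wsse_prefix = "{%s}" % NS["wsse"]
    return {
        "tokens": [e.tag[len(wsse_prefix):] for e in sec if e.tag.startswith(wsse_prefix)],
        "signed": signed,
        "unresolved": [i for i in signed + encrypted if i not in ids],
        "body_signed": body is not None and body.get(WSU_ID) in signed,
        "body_encrypted": body is not None and any(
            i in ids and ids[i] in list(body) for i in encrypted),
    }
```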

19
Encryption

20
Class Diagram for WS-Security

21
Conclusion
  • We need to develop more patterns for web services
    security standards.
  • A good catalog of patterns is needed.
  • We also need pattern classification and selection
    approaches, e.g. pattern map, policy to pattern
    mapping.