Tải bản đầy đủ

[Tài liệu cũ] XML Web Services Security

XML Web Services Security
March 27, 2003
IIDS Group, Vrije Universiteit
Yuri Demchenko, NLnet Labs
<demch@NLnetLabs.nl>
March 27, 2003
. Vrije Univer
siteit, Amster
dam
XML Web Services Secu
rity
Slide2_2
Outlines

Historical

XML Security

Web Services Security

OGSA Security


XML Web Services technology for IIDS - Discussion
March 27, 2003
. Vrije Univer
siteit, Amster
dam
XML Web Services Secu
rity
Slide2_3
Historical: How all this started (quoting Tim Berners-Lee)

Initial idea to create resource description language

Existing technologies: SGML + WAIS, Gopher + Library Catalogues

Problems: hyperlinks reference and semantic meaning binding

Past steps:

WWW and HTML

RDF and Metadata

XML and XML Signature

Next step: Semantic Web

Ongoing development:
Computer Grids -> Information Grids -> Semantic Grids
March 27, 2003
. Vrije Univer
siteit, Amster
dam
XML Web Services Secu
rity
Slide2_4
XML Basics: DTD, Schema, XML Protocol, etc.
DTD is document-oriented

Like HTML


Schema is data-oriented

XML Signature

SAML
Basic XML Protocol(s)

XML-RPC

SOAP
XForms, XLink, XML Query, XPath, XPointer, XSL and XSLT, Legal XML
March 27, 2003
. Vrije Univer
siteit, Amster
dam
XML Web Services Secu
rity
Slide2_5
XML Security vs Traditional (Network) security
Traditional Security:

Host-to-host or point-to-point security

Client/server oriented

Connection or connectionless oriented

Generically single/common trust domain/association
XML Security

Document oriented approach

Security tokens/assertions and policies can be associated with the document or its
parts

Intended to be cross-domain

Potentially for virtual and dynamic trust domains (security associations)
March 27, 2003
. Vrije Univer
siteit, Amster
dam
XML Web Services Secu
rity
Slide2_6
XML Security - Components

XML Signature

XML Encryption

Security Assertion

SAML (Security Assertion Mark-up Language)

XrML (XML Right Mark-up Language)

XACML (XML Access Control Mark-up Language)

XKMS (XML Key Management Specification)
March 27, 2003
. Vrije Univer
siteit, Amster
dam
XML Web Services Secu
rity
Slide2_7
XML Signature: Features
Fundamental feature: the ability to sign only specific portions of the XML tree
rather than the whole document.

XML document may have a long history when different component are authored
by different parties at different times

Different parties may want to sign only those elements relevant to them

Important when keeping integrity of certain parts of an XML document is
essential while leaving the possibility for other parts to be changed

Allows carrying security tokens/assertions on document/data rather than on
user/client

Provides security features for XML based protocols

Provides basic functionality for state assertions
March 27, 2003
. Vrije Univer
siteit, Amster
dam
XML Web Services Secu
rity
Slide2_8
XML Signature structure
<Signature ID?>
<SignedInfo>
<CanonicalizationMethod/>
<SignatureMethod/>
(<Reference URI? >
(<Transforms>)?
<DigestMethod>
<DigestValue>
</Reference>)+
</SignedInfo>
<SignatureValue>
(<KeyInfo>)?
(<Object ID?>)*
</Signature>
March 27, 2003
. Vrije Univer
siteit, Amster
dam
XML Web Services Secu
rity
Slide2_9
XML Web Services
A Web Service is a software system identified by URI, whose public interfaces and
bindings are defied and described by XML. Other software systems may discover
and interact with the Web Service in a manner prescribed by its definition, using
XML based messages conveyed by Internet protocols.

Service oriented architecture for application-to-application interaction

Describing Web services – WSDL

Exchanging messages – SOAP extensions

Publishing and Discovering WS descriptions - UDDI

Programming language-, programming model-, and system software-neutral

Standard based: XML/SOAP foundation

Industry initiatives (and development platforms)

Sun SunONE/J2EE (SunONE Studio)

Microsoft .NET (Visual Studio .NET)

IBM Dynamic e-Business (AlphaWorks)

XML Spy by Altova
March 27, 2003
. Vrije Univer
siteit, Amster
dam
XML Web Services Secu
rity
Slide2_10
XML WS - Service Oriented Architecture
• WSDL based Service
Description
• SOAP based messaging
over HTTP, SMTP,
TCP, etc.
• UDDI based
Publishing/Discovery
March 27, 2003
. Vrije Univer
siteit, Amster
dam
XML Web Services Secu
rity
Slide2_11
Web services features – three stacks
March 27, 2003
. Vrije Univer
siteit, Amster
dam
XML Web Services Secu
rity
Slide2_12
Web Service Description Language (WSDL)

WSDL is an XML document format
for describing Web service as a set of
endpoints operating on messages
containing either document-oriented
or procedure-oriented (RPC)
messages.

The operations and messages are
described abstractly and then bound to
a concrete network protocol and
message format to define an endpoint
March 27, 2003
. Vrije Univer
siteit, Amster
dam
XML Web Services Secu
rity
Slide2_13
WSDL Example – TimeService.wsdl
http://www.Nanonull.com/TimeService/
http://www.Nanonull.com/TimeService/#message(getUTCTimeSoapIn)
March 27, 2003
. Vrije Univer
siteit, Amster
dam
XML Web Services Secu
rity
Slide2_14
Web Services Security Model
WS-Security model provides end-to-end security (as contrary to point-to-point)
allowing intermediaries

A Web service can require that an incoming message prove a set of claims (e.g.,
name, key, permission, capability, etc.).

Set of required claims and related information is referred as a Policy.

A requester can send messages with proof of the required claims by associating
security tokens with the messages.

Messages both demand a specific action and prove that their sender has the claim to
demand the action.

When a requester does not have the required claims, the requester or someone on
its behalf can try to obtain the necessary claims by contacting other Web
services.

Security token services broker trust between different trust domains by issuing
security tokens.
March 27, 2003
. Vrije Univer
siteit, Amster
dam
XML Web Services Secu
rity
Slide2_15
Web Services Security Model
Security token types

Username/password

X.509 PKC

SAML

XrML

XCBF
March 27, 2003
. Vrije Univer
siteit, Amster
dam
XML Web Services Secu
rity
Slide2_16
WS Security Scenarios
All are built on SOAP based security tokens exchange

Direct Trust using username/password (using SSL/TLS)

Direct Trust using security token

Security token acquisition

Issued security token

Enforcing business policy

Web clients

Mobile clients (gateway services)

Enabling Federations

Using trust chaining, security token exchange, credentials exchange

Supporting delegation

Access control

Auditing
March 27, 2003
. Vrije Univer
siteit, Amster
dam
XML Web Services Secu
rity
Slide2_17
Web Services Security Architecture
WS-Security: describes how to attach signature and encryption headers to SOAP messages. In
addition, it describes how to attach security tokens, including binary security tokens such as
X.509 certificates, SAML, Kerberos tickets and others, to messages.
Core Specification - Web Services Security: SOAP Message Security
http://www.oasis-open.org/committees/download.php/1043/WSS-SOAPMessageSecurity-11-0303.pdf
WS-Policy
SOAP Foundation
WS Security
WS-
SecureConversation
WS-Trust WS-Privacy
WS-AuthorisationWS-Federation

Tài liệu bạn tìm kiếm đã sẵn sàng tải về

Tải bản đầy đủ ngay

×