1. Trang chủ
  2. » Giáo án - Bài giảng

[Tài liệu cũ] XML Web Services Security

44 546 4
Tài liệu đã được kiểm tra trùng lặp

Đang tải... (xem toàn văn)

Tài liệu hạn chế xem trước, để xem đầy đủ mời bạn chọn Tải xuống

THÔNG TIN TÀI LIỆU

Thông tin cơ bản

Định dạng
Số trang 44
Dung lượng 343 KB

Nội dung

XML Web Services Security March 27, 2003 IIDS Group, Vrije Universiteit Yuri Demchenko, NLnet Labs <demch@NLnetLabs.nl> March 27, 2003 . Vrije Univer siteit, Amster dam XML Web Services Secu rity Slide2_2 Outlines • Historical • XML SecurityWeb Services Security • OGSA SecurityXML Web Services technology for IIDS - Discussion March 27, 2003 . Vrije Univer siteit, Amster dam XML Web Services Secu rity Slide2_3 Historical: How all this started (quoting Tim Berners-Lee) • Initial idea to create resource description language ◆ Existing technologies: SGML + WAIS, Gopher + Library Catalogues ◆ Problems: hyperlinks reference and semantic meaning binding • Past steps: ◆ WWW and HTML ◆ RDF and Metadata ◆ XML and XML Signature • Next step: Semantic Web • Ongoing development: Computer Grids -> Information Grids -> Semantic Grids March 27, 2003 . Vrije Univer siteit, Amster dam XML Web Services Secu rity Slide2_4 XML Basics: DTD, Schema, XML Protocol, etc. DTD is document-oriented • Like HTML Schema is data-oriented • XML Signature • SAML Basic XML Protocol(s) • XML-RPC • SOAP XForms, XLink, XML Query, XPath, XPointer, XSL and XSLT, Legal XML March 27, 2003 . Vrije Univer siteit, Amster dam XML Web Services Secu rity Slide2_5 XML Security vs Traditional (Network) security Traditional Security: • Host-to-host or point-to-point security • Client/server oriented • Connection or connectionless oriented • Generically single/common trust domain/association XML Security • Document oriented approach ◆ Security tokens/assertions and policies can be associated with the document or its parts • Intended to be cross-domain • Potentially for virtual and dynamic trust domains (security associations) March 27, 2003 . Vrije Univer siteit, Amster dam XML Web Services Secu rity Slide2_6 XML Security - Components • XML Signature • XML Encryption • Security Assertion ◆ SAML (Security Assertion Mark-up Language) ◆ XrML (XML Right Mark-up Language) ◆ XACML (XML Access Control Mark-up Language) • XKMS (XML Key Management Specification) March 27, 2003 . Vrije Univer siteit, Amster dam XML Web Services Secu rity Slide2_7 XML Signature: Features Fundamental feature: the ability to sign only specific portions of the XML tree rather than the whole document. • XML document may have a long history when different component are authored by different parties at different times • Different parties may want to sign only those elements relevant to them • Important when keeping integrity of certain parts of an XML document is essential while leaving the possibility for other parts to be changed • Allows carrying security tokens/assertions on document/data rather than on user/client • Provides security features for XML based protocols ◆ Provides basic functionality for state assertions March 27, 2003 . Vrije Univer siteit, Amster dam XML Web Services Secu rity Slide2_8 XML Signature structure <Signature ID?> <SignedInfo> <CanonicalizationMethod/> <SignatureMethod/> (<Reference URI? > (<Transforms>)? <DigestMethod> <DigestValue> </Reference>)+ </SignedInfo> <SignatureValue> (<KeyInfo>)? (<Object ID?>)* </Signature> March 27, 2003 . Vrije Univer siteit, Amster dam XML Web Services Secu rity Slide2_9 XML Web Services A Web Service is a software system identified by URI, whose public interfaces and bindings are defied and described by XML. Other software systems may discover and interact with the Web Service in a manner prescribed by its definition, using XML based messages conveyed by Internet protocols. • Service oriented architecture for application-to-application interaction ◆ Describing Web services – WSDL ◆ Exchanging messages – SOAP extensions ◆ Publishing and Discovering WS descriptions - UDDI • Programming language-, programming model-, and system software-neutral • Standard based: XML/SOAP foundation • Industry initiatives (and development platforms) ◆ Sun SunONE/J2EE (SunONE Studio) ◆ Microsoft .NET (Visual Studio .NET) ◆ IBM Dynamic e-Business (AlphaWorks) ◆ XML Spy by Altova March 27, 2003 . Vrije Univer siteit, Amster dam XML Web Services Secu rity Slide2_10 XML WS - Service Oriented Architecture • WSDL based Service Description • SOAP based messaging over HTTP, SMTP, TCP, etc. • UDDI based Publishing/Discovery [...]... 27, 2003 XML Web Services Secu Slide2_14 Web Services Security Model Security token types •Username/password •X.509 PKC •SAML •XrML •XCBF March 27, 2003 XML Web Services Secu Slide2_15 WS Security Scenarios All are built on SOAP based security tokens exchange • • • • • • • • Direct Trust using username/password (using SSL/TLS) Direct Trust using security token Security token acquisition Issued security. .. format to define an endpoint XML Web Services Secu Slide2_12 WSDL Example – TimeService.wsdl http://www.Nanonull.com/TimeService/ http://www.Nanonull.com/TimeService/#message(getUTCTimeSoapIn) March 27, 2003 XML Web Services Secu Slide2_13 Web Services Security Model WS -Security model provides end-to-end security (as contrary to point-to-point) allowing intermediaries • A Web service can require that... addition, it describes how to attach security tokens, including binary security tokens such as X.509 certificates, SAML, Kerberos tickets and others, to messages Core Specification - Web Services Security: SOAP Message Security http://www.oasis-open.org/committees/download.php/1043/WSS-SOAPMessageSecurity-11-0303.pdf March 27, 2003 XML Web Services Secu Slide2_17 Web Service Security – others specifications... business policy Web clients Mobile clients (gateway services) Enabling Federations x x Using trust chaining, security token exchange, credentials exchange Supporting delegation • Access control • Auditing March 27, 2003 XML Web Services Secu Slide2_16 Web Services Security Architecture WSSecureConversation WS-Federation WS-Authorisation WS-Policy WS-Trust WS-Privacy WS Security SOAP Foundation WS -Security: ... modification – integrity x XML Signature • Security consideration – Auditing x x Timestamping and message expiration Sequence number and Messages correlation March 27, 2003 XML Web Services Secu Slide2_19 SOAP Message Security Model Describe abstract message security model in terms of security tokens combined with digital signatures as proof of possession of the security token (key) • Security token asserts... • Open Grid Services Architecture was boosted by developing XML Web Services – 2002 • Commercial Grids are starting March 27, 2003 XML Web Services Secu Slide2_23 Open Grid Services Architecture (OGSA) • WSDL extensions to describe specifics of Grid Services x x x x Defines new portType - GridService Provides mechanism to create Virtual Organisation Provides mechanism to create transient services -... Systems March 27, 2003 XML Web Services Secu Slide2_29 OGSA Security Built upon WS Security March 27, 2003 XML Web Services Secu Slide2_30 OGSA Security Roadmap - Specifications (1) Naming • • • • OGSA Identity Specification OGSA Target/Action Naming Specification OGSA Attribute and Group Naming Specification Transient Service Identity Acquisition Specification Translating between Security Realms • •... http://www.w3.org/2001/12/soapenvelope XML Digital Sign ds http://www.w3.org/2000/09/xmldsig# XML Encryption xenc http://www.w3.org/2001/04/xmlenc# XML/ SOAP Routing m http://schemas.xmlsoap.org/rp WSSL wsse http://schemas.xmlsoap.org/ws/2002/04/secext Security token Digital signature DigSignature description: Normalisation Transformation Signed elements DigSignature value Ref to DSign Sec token SOAP Message payload March 27, 2003 Security. .. New header block are added/appended to existing ones XML Web Services Secu Slide2_21 SecurityTokenReference Model Usage and processing models for the element • Local Reference – A security token, that is included in the message in the header, is associated with an XML Signature • Remote Reference – A security token, that is not included in the message but.. .Web services features – three stacks March 27, 2003 XML Web Services Secu Slide2_11 Web Service Description Language (WSDL) • • March 27, 2003 WSDL is an XML document format for describing Web service as a set of endpoints operating on messages containing either document-oriented or procedure-oriented . siteit, Amster dam XML Web Services Secu rity Slide2_2 Outlines • Historical • XML Security • Web Services Security • OGSA Security • XML Web Services technology. Amster dam XML Web Services Secu rity Slide2_11 Web services features – three stacks March 27, 2003 . Vrije Univer siteit, Amster dam XML Web Services Secu

Ngày đăng: 08/07/2013, 01:27

TỪ KHÓA LIÊN QUAN

w