Title: WEB SERVICE SECURITY
WEB SERVICE SECURITY
- Lecturer: Trần Thị Qu? Nguyệt
- Students:
  - Trần Trúc Giang
  - Nguyễn Thị Hòa Bình
Outline
- Web Service Introduction
- XACML
- SAML
- Shibboleth
Web Service Introduction
- Service-Oriented Architecture (SOA)
- Web service definition
- Web Service Description Language (WSDL)
- Simple Object Access Protocol (SOAP)
- Universal Description, Discovery and Integration (UDDI)
Service-Oriented Architecture (SOA)
- Source: W3Schools.com
- SOA is a mechanism that enables organizations to facilitate communication between systems running on multiple platforms.
- SOA is a collection of well-defined services; each individual service can be modified independently of the other services, which helps a business respond to ever-evolving market conditions.
- SOA presents the big picture of what you can do with web services.
SOA Components
What are Web Services?
- W3C's definition: a software system designed to support interoperable machine-to-machine interaction over a network.
- Web services:
  - are application components
  - communicate using open protocols
  - are self-contained and self-describing
  - can be discovered using UDDI
  - can be used by other applications
- XML is the basis for Web services.
Web services platform elements
- SOAP (Simple Object Access Protocol)
- UDDI (Universal Description, Discovery and Integration)
- WSDL (Web Services Description Language)
SOAP (Simple Object Access Protocol)
- SOAP is an XML-based protocol that lets applications exchange information over HTTP.
- Put more simply, SOAP is a protocol for accessing a Web Service.
WSDL (Web Services Description Language)
- WSDL is an XML-based language for locating and describing Web services.
- Skeleton of a WSDL file (the "....." marks namespace declarations elided on the slide):

  <?xml version="1.0" encoding="utf-8" ?>
  <definitions xmlns:s="http://www.w3.org/2001/XMLSchema" ..... xmlns="http://schemas.xmlsoap.org/wsdl/">
    <types/>
    <message name="addSoapIn"/>
    <message name="addSoapOut"/>
    <portType name="TestWSSoap"/>
    <binding name="TestWSSoap" type="TestWSSoap"/>
    <service name="TestWS"/>
  </definitions>
UDDI (Universal Description, Discovery and Integration)
- UDDI is a directory service where companies can register and search for Web services.
Security Requirements for SOAP-based Web Services
XML Security for Web Services
- The XML Signature specification is a joint effort of W3C and IETF. It aims to provide data integrity and authentication (both message and signer authentication) features, wrapped inside XML format.
- W3C's XML Encryption specification addresses the issue of data confidentiality using encryption techniques. Encrypted data is wrapped inside XML tags defined by the XML Encryption specification.
- WS-Security from OASIS defines the mechanism for including integrity, confidentiality, and single-message authentication features within a SOAP message. WS-Security makes use of the XML Signature and XML Encryption specifications and defines how to include digital signatures, message digests, and encrypted data in a SOAP message.
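The following is an added example, not code from the slides or from any WS-Security implementation. It shows in Python the integrity part of what the slide describes: the SOAP Body is canonicalised and digested, the digest is carried in a ds:SignedInfo block inside a wsse:Security header, and the SignedInfo is signed. Two simplifications are assumptions of this demo: HMAC-SHA256 under a shared key stands in for an asymmetric XML Signature, and no Transforms are applied. The namespace URIs and element names are the real WS-Security and XML-DSig ones; the key, the message body and the helper names are constructed.

```python
"""Added example: simplified WS-Security style integrity protection of a SOAP
Body, standard library only.  HMAC-SHA256 with a shared key replaces an
asymmetric XML Signature (assumption of this demo)."""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")
DS = "http://www.w3.org/2000/09/xmldsig#"
C14N2 = "http://www.w3.org/2010/xml-c14n2"      # the canonicalisation ET.canonicalize implements
HMAC_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"

for _prefix, _uri in (("soap", SOAP), ("wsse", WSSE), ("wsu", WSU), ("ds", DS)):
    ET.register_namespace(_prefix, _uri)

SHARED_KEY = b"constructed-demo-key"                                  # constructed, not a real secret
SAMPLE_BODY = "<GetBalance><Account>ACCT-42</Account></GetBalance>"   # constructed payload


def c14n(elem: ET.Element) -> bytes:
    """Canonical bytes of one element, so signer and verifier hash identical input."""
    return ET.canonicalize(ET.tostring(elem, encoding="unicode"), strip_text=True).encode()


def b64_digest(data: bytes) -> str:
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


def build_signed_envelope(body_xml: str, key: bytes) -> str:
    """Wrap body_xml in a SOAP Envelope whose wsse:Security header signs the Body."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP}}}Header")
    body = ET.SubElement(env, f"{{{SOAP}}}Body", {f"{{{WSU}}}Id": "Body"})
    body.append(ET.fromstring(body_xml))

    security = ET.SubElement(header, f"{{{WSSE}}}Security")
    signature = ET.SubElement(security, f"{{{DS}}}Signature")
    signed_info = ET.SubElement(signature, f"{{{DS}}}SignedInfo")
    ET.SubElement(signed_info, f"{{{DS}}}CanonicalizationMethod", Algorithm=C14N2)
    ET.SubElement(signed_info, f"{{{DS}}}SignatureMethod", Algorithm=HMAC_SHA256)
    reference = ET.SubElement(signed_info, f"{{{DS}}}Reference", URI="#Body")
    ET.SubElement(reference, f"{{{DS}}}DigestMethod", Algorithm=SHA256)
    ET.SubElement(reference, f"{{{DS}}}DigestValue").text = b64_digest(c14n(body))

    # The MAC covers SignedInfo, and SignedInfo pins the Body digest.
    mac = hmac.new(key, c14n(signed_info), hashlib.sha256).digest()
    ET.SubElement(signature, f"{{{DS}}}SignatureValue").text = base64.b64encode(mac).decode()
    return ET.tostring(env, encoding="unicode")


def verify_envelope(envelope_xml: str, key: bytes) -> bool:
    """Return True only if the Body present is the one the Security header signed."""
    env = ET.fromstring(envelope_xml)
    body = env.find(f"{{{SOAP}}}Body")
    signature = env.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security/{{{DS}}}Signature")
    if body is None or signature is None:
        return False
    signed_info = signature.find(f"{{{DS}}}SignedInfo")
    reference = signed_info.find(f"{{{DS}}}Reference") if signed_info is not None else None
    # The Reference must point at the Body actually in the message, not some other element.
    if reference is None or reference.get("URI") != "#" + str(body.get(f"{{{WSU}}}Id")):
        return False
    if not hmac.compare_digest(reference.findtext(f"{{{DS}}}DigestValue", ""), b64_digest(c14n(body))):
        return False
    expected = hmac.new(key, c14n(signed_info), hashlib.sha256).digest()
    try:
        actual = base64.b64decode(signature.findtext(f"{{{DS}}}SignatureValue", ""))
    except ValueError:
        return False
    return hmac.compare_digest(actual, expected)


def demo() -> dict:
    """Sign a constructed message, then verify the intact copy, a tampered copy and a wrong key."""
    envelope = build_signed_envelope(SAMPLE_BODY, SHARED_KEY)
    return {
        "intact": verify_envelope(envelope, SHARED_KEY),
        "tampered_body": verify_envelope(envelope.replace("ACCT-42", "ACCT-99"), SHARED_KEY),
        "wrong_key": verify_envelope(envelope, b"some-other-key"),
    }


if __name__ == "__main__":
    print(demo())   # {'intact': True, 'tampered_body': False, 'wrong_key': False}
```

The verifier checks the Reference URI against the Body's own wsu:Id before recomputing the digest; without that check a message could carry a valid signature over some other element while the Body is unsigned, which is the class of wrapping problem real WS-Security verifiers must also guard against.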
XML Security for Web Services
- Security Assertion Markup Language (SAML)
- eXtensible Access Control Markup Language (XACML)
The eXtensible Access Control Markup Language (XACML)
XACML
- The eXtensible Access Control Markup Language (XACML) is an XML vocabulary for expressing access control policies.
- Access control consists of deciding whether a requested resource access should be allowed and enforcing that decision.
- Access control policies are the criteria for making access control decisions.
- The XACML core specification defines the syntax of the language and the rules for evaluating policies.
Preferred terms
- Resource: data, service or system component.
- Subject: an actor whose attributes may be referenced by a predicate.
- Action: an operation on a resource. Four kinds of actions: read, write, create, and delete.
- Environment: the set of attributes that are relevant to an authorization decision and are independent of a particular subject, resource or action.
- Attribute: a characteristic of a subject, resource, action or environment that may be referenced in a predicate or target.
- Context: the canonical representation of a decision request and an authorization decision.
- Context handler: the system entity that converts decision requests in the native request format to the XACML canonical form and converts authorization decisions in the XACML canonical form to the native response format.
Data-flow diagram
XACML - Advantages
- According to Sun, XACML has a number of advantages over other access-control policy languages:
  - One standard access control policy language can replace dozens of application-specific languages.
  - Administrators save time and money because they don't need to rewrite their policies in many different languages.
  - Developers save time and money because they don't have to invent new policy languages and write code to support them. They can reuse existing code.
  - Good tools for writing and managing XACML policies will be developed, since they can be used with many applications.
  - XACML is flexible enough to accommodate most access control policy needs and extensible so that new requirements can be supported.
  - One XACML policy can cover many resources. This helps avoid inconsistent policies on different resources.
  - XACML allows one policy to refer to another. This is important for large organizations. For instance, a site-specific policy may refer to a company-wide policy and a country-specific policy.
XACML - Limitations
- XACML is verbose and complex in some ways.
- Interactions involving PAP, PIP, etc., are not standardized.
- Policy administration, policy versioning, etc., are not standardized.
SAML
- Security Assertion Markup Language
Single Sign-on (SSO)
- SSO is a property of access control of multiple related, but independent, software systems.
- With this property a user:
  - logs in once
  - gains access to all systems without being prompted to log in again at each of them.
Why choose single sign-on?
- Users need to remember multiple usernames and passwords to access different applications on a network.
- This poses a huge cost for the administration and support departments.
- Authentication is a horizontal requirement across multiple applications, platforms, and infrastructures.
- The objectives of SSO:
  - Allow users access to all applications from one logon.
  - Provide a unified mechanism to manage the authentication of users and implement business rules determining user access to applications and data.
- Benefits include the following:
  - Improved user productivity.
  - Improved developer productivity.
  - Simplified administration.
Implementing SSO requires
- Identity Provider (IdP): the system, or administrative domain, that asserts information about a subject.
- Service Provider (SP): the system, or administrative domain, that relies on information supplied to it by the Identity Provider. It is up to the Service Provider whether it trusts the assertions provided to it.
- Exchanges of authentication and authorization data between an IdP and an SP are effected by means of an XML standard called the Security Assertion Markup Language (SAML).
SAML - Introduction
- The Security Assertion Markup Language (SAML) standard defines a framework for exchanging security information between online business partners.
- As stated in the SSTC charter, the purpose of the Technical Committee is:
  - to define, enhance, and maintain a standard XML-based framework
  - for creating and exchanging authentication and authorization information.
SAML Use Cases
- There are four drivers behind the creation of the SAML standard:
  - Limitations of browser cookies
  - SSO interoperability
  - Web services
  - Federation
Single Sign-On Use Case
Federation Use Case
SAML Components
- Assertions: SAML allows one party to assert characteristics and attributes of an entity.
- Protocols: SAML defines a number of request/response protocols. The protocol is encoded in an XML schema as a set of request-response pairs.
- Bindings: these detail exactly how the SAML protocol maps onto transport protocols. For instance, the SAML specification provides a binding describing how SAML requests/responses are carried in SOAP exchange messages.
- Profiles: the core of the SAML specification defines how SAML requests and responses are transported; however, a number of use cases have been developed that require the formulation of Profiles, which define how the SAML assertions, protocols and bindings are combined.
SAML - Structure
- Assertions: an assertion consists of one or more statements.
- For SSO, a SAML assertion will typically contain:
  - a single authentication statement
  - a single attribute statement.
- SOAP over HTTP Binding: in environments where the two communicating end points are SOAP enabled, the SOAP over HTTP binding can be used to exchange SAML request/query and response protocol messages.
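As an added example, not taken from the slides or from any SAML product, the Python below shows the checks a Service Provider makes before it decides to trust an assertion for SSO (the earlier slide leaves that decision to the SP). The assertion is a constructed SAML 2.0 sample with exactly the two statements just described: one AuthnStatement and one AttributeStatement. The issuer and SP entity IDs, the user, the attribute names and the clock values are all constructed. The XML Signature check that a real SP performs on the assertion is assumed to have already happened before this function runs.

```python
"""Added example: what an SP checks before accepting a SAML 2.0 assertion.
Entity IDs, user and timestamps are constructed; signature verification is
assumed to have been done beforehand."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}

SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Version="2.0" ID="_constructed-id-1" IssueInstant="2024-05-01T09:00:00Z">
  <saml:Issuer>https://idp.example.edu/idp</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T09:00:00Z" NotOnOrAfter="2024-05-01T09:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.org/shibboleth</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2024-05-01T08:59:50Z"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="eduPersonAffiliation">
      <saml:AttributeValue>staff</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="mail">
      <saml:AttributeValue>alice@example.edu</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""   # constructed sample

TRUSTED_ISSUERS = {"https://idp.example.edu/idp"}    # constructed: the SP's trusted IdP list
MY_ENTITY_ID = "https://sp.example.org/shibboleth"    # constructed: this SP's identifier


def parse_instant(value: str) -> datetime:
    """SAML dateTime values are UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def accept_assertion(xml_text: str, now: datetime, trusted_issuers=TRUSTED_ISSUERS,
                     entity_id: str = MY_ENTITY_ID) -> tuple:
    """Return (True, extracted_info) or (False, reason).  The IdP asserting
    something is not the same as this SP trusting it; each check is the SP's."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML}}}Assertion":
        return False, "not a SAML 2.0 assertion"
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer not in trusted_issuers:
        return False, f"untrusted issuer {issuer!r}"
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return False, "no Conditions element"
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now < parse_instant(not_before):
        return False, "assertion not yet valid"
    if not_on_or_after and now >= parse_instant(not_on_or_after):
        return False, "assertion expired"
    audiences = [a.text.strip() for a in cond.iterfind("saml:AudienceRestriction/saml:Audience", NS)]
    if entity_id not in audiences:
        return False, "assertion was issued for a different audience"
    authn = root.find("saml:AuthnStatement", NS)
    if authn is None:
        return False, "no authentication statement; cannot be used for SSO"
    attributes = {}
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        attributes[attr.get("Name")] = [v.text for v in attr.iterfind("saml:AttributeValue", NS)]
    return True, {
        "subject": root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS),
        "authn_instant": authn.get("AuthnInstant"),
        "attributes": attributes,
    }


if __name__ == "__main__":
    for clock in ("2024-05-01T09:02:00Z", "2024-05-01T09:10:00Z"):
        print(clock, accept_assertion(SAMPLE_ASSERTION, parse_instant(clock)))
```

The audience check is the one most often skipped in home-grown SP code: without it an assertion minted for one SP can be replayed to another that trusts the same IdP.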
Use of SAML in other Frameworks - XACML
- SAML Assertions provide a means to distribute security-related information that may be used for a number of purposes. One of the most important of these purposes is as input to access control decisions.
- The eXtensible Access Control Markup Language (XACML) is an OASIS Standard that defines the syntax and semantics of a language for expressing and evaluating access control policies.
- The work to define XACML was started slightly after SAML began.
Use of SAML in other Frameworks - XACML
- Using SAML and XACML in combination would typically involve the following steps:
  1. An XACML Policy Enforcement Point (PEP) receives a request to access some resource.
  2. The PEP obtains SAML Assertions containing information about the parties to the request, such as the requester, the receiver (if different) or intermediaries. These Assertions might accompany the request or be obtained directly from a SAML Authority, depending on the SAML profile used.
  3. The PEP obtains other information relevant to the request, such as time, date, location, and properties of the resource.
  4. The PEP presents all the information to a Policy Decision Point (PDP) to decide if the access should be allowed.
  5. The PDP obtains all the policies relevant to the request and evaluates them, combining conflicting results if necessary.
  6. The PDP informs the PEP of the decision result.
  7. The PEP enforces the decision, by either allowing the requested access or indicating that access is not allowed.
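The seven steps above, worked through as an added Python example that is not from the slides or from any XACML implementation. Policies are written as Python callables rather than XACML XML; the subject attributes passed to the PEP stand in for what it would read from a SAML assertion; the resource paths, roles, business hours and policy contents are constructed. It uses the deny-overrides combining algorithm for both rules and policies, and combines a site-specific policy with a company-wide one, the arrangement the XACML advantages slide describes.

```python
"""Added example: a miniature XACML-style PEP and PDP.  Policies, roles and
paths are constructed; the subject attributes play the part of SAML assertion
contents."""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"


@dataclass
class Request:
    """The decision context: attributes of subject, resource, action and environment."""
    subject: Dict[str, str]
    resource: Dict[str, str]
    action: Dict[str, str]
    environment: Dict[str, str]


@dataclass
class Rule:
    rule_id: str
    effect: str                          # PERMIT or DENY
    applies: Callable[[Request], bool]   # the rule's target/condition


@dataclass
class Policy:
    policy_id: str
    applies: Callable[[Request], bool]   # the policy's target
    rules: List[Rule]


def deny_overrides(decisions: Iterable[str]) -> str:
    """Any Deny wins; otherwise Permit if anything permitted; otherwise NotApplicable."""
    decisions = list(decisions)
    if DENY in decisions:
        return DENY
    if PERMIT in decisions:
        return PERMIT
    return NOT_APPLICABLE


def evaluate_policy(policy: Policy, req: Request) -> str:
    if not policy.applies(req):
        return NOT_APPLICABLE
    return deny_overrides(r.effect for r in policy.rules if r.applies(req))


def pdp_decide(policies: List[Policy], req: Request) -> str:
    """Step 5: evaluate every relevant policy and combine the results."""
    return deny_overrides(evaluate_policy(p, req) for p in policies)


# Constructed policies: a site policy for the HR area plus a company-wide policy.
HR_SITE_POLICY = Policy(
    "hr-site", lambda r: r.resource["path"].startswith("/hr/"),
    [
        Rule("hr-staff-may-read", PERMIT,
             lambda r: r.subject.get("role") == "hr-staff" and r.action["id"] == "read"),
        Rule("no-contractors-in-hr", DENY,
             lambda r: r.subject.get("employment") == "contractor"),
    ],
)
COMPANY_POLICY = Policy(
    "company-wide", lambda r: True,
    [
        Rule("no-changes-out-of-hours", DENY,
             lambda r: r.action["id"] in {"write", "create", "delete"}
             and not 8 <= int(r.environment["hour"]) < 18),
    ],
)
POLICIES = [HR_SITE_POLICY, COMPANY_POLICY]


def pep_authorize(saml_attributes: Dict[str, str], path: str, action: str, hour: int,
                  policies: List[Policy] = POLICIES) -> bool:
    """Steps 1-4, 6 and 7: build the context from the assertion's attributes and
    the environment, ask the PDP, and enforce.  Only an explicit Permit opens
    the door; Deny and NotApplicable are both refused."""
    req = Request(subject=dict(saml_attributes), resource={"path": path},
                  action={"id": action}, environment={"hour": str(hour)})
    return pdp_decide(policies, req) == PERMIT


if __name__ == "__main__":
    staff = {"role": "hr-staff", "employment": "employee"}
    contractor = {"role": "hr-staff", "employment": "contractor"}
    print(pep_authorize(staff, "/hr/payroll.csv", "read", 10))        # True
    print(pep_authorize(contractor, "/hr/payroll.csv", "read", 10))   # False: Deny overrides the Permit
    print(pep_authorize(staff, "/hr/payroll.csv", "write", 22))       # False: company policy denies
    print(pep_authorize(staff, "/eng/design.md", "read", 10))         # False: NotApplicable
```

Treating NotApplicable as a refusal at the PEP is the fail-closed choice; a PEP that only refuses on an explicit Deny would let through every request no policy happens to cover.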
SHIBBOLETH
Introduction (diagram): many resources, many people and many locations make access to resources hard to manage; federations and federated identity; Identity Providers authenticate users and provide user attributes; Service Providers; SSO systems form federations.
Definition
- Shibboleth is an Internet2 Middleware Initiative project that has created an architecture and open-source implementation for a federated identity-based authentication and authorization infrastructure based on the Security Assertion Markup Language (SAML). Federated identity allows information about users in one security domain to be provided to other organizations in a federation.
- This allows for cross-domain SSO and removes the need for content providers to maintain usernames and passwords.
- Identity providers (IdPs) supply user information; service providers (SPs) consume this information and get access to secure content.
How it works
- Interrealm attribute-based authorization for Web services.
- An initiative to develop:
  - an architecture
  - a policy framework
  - practical technologies to support inter-institutional sharing of resources
- Based on a federated administration trust framework.
- Provides the secure exchange of interoperable attributes in access control decisions.
- Controlled dissemination of attribute information, based on administrative defaults and user preferences.
- Shifts the model from passive privacy towards active privacy.
- Developed with vendor participation (IBM/Tivoli).
- Standards alignment (OASIS/SAML).
- Open solution.
Federation
- A group of institutions that agree on a set of policies, practices and standards for:
  - authentication
  - security of components / exchange use
  - population of user attributes
- A trust model to work between institutions.
- SPs will accept attributes from any IdP in the Federation.
Federated Administration
- Leverages local authentication mechanisms.
- Browser user:
  - needs to know the name of the user's origin domain
  - creates specific attribute release policies
- Origin site:
  - must have joined the AC
  - creates a default ARP
  - identification and registration of users
  - managing attributes
  - authenticating users prior to resource access
- Target resource manager:
  - must have joined the appropriate communities
  - manages policies governing access to the resource
Technical Components
Components
1. In a web browser, the user attempts to access a resource protected by the SP.
2. The user is not authenticated, so the user is redirected to the WAYF service.
3. The WAYF service asks the user to choose an institution (IdP) to authenticate at.
4. The user chooses an institution (IdP).
5. The user is redirected to the Handle Service of the chosen IdP.
6. The Handle Service works with the local SSO system to ask the user to authenticate.
7. The user supplies credentials to authenticate (e.g. username and password).
8. If the credentials are valid, the Handle Service generates a handle for the user and supplies it to the ACS of the SP.
9. The ACS validates the handle, creates a session and transfers the handle to the AR.
10. The AR requests attributes from the AA of the IdP using the handle.
11. The AA supplies attributes to the AR in the form of assertions.
12. The attributes are used by the SP to determine whether to permit access to the resource.
13. If permission has been granted, the user is able to access the resource.
Components (diagram): Browser, WAYF, Origin Site (Web Login Server, HS), Target Site (Target Web Server, Attribute Server). First Access - Unauthenticated: Redirect User to Campus for Authn, Authentication Phase. Second Access - Authenticated: Ask For Privileges, Pass Privileges for Authz Decision, Authorization Phase, Pass content if user is allowed, Success!
Identity Provider (IdP)
- The IdP allows the user to authenticate and stores information about the user as attributes.
- When a user authenticates, the IdP creates a privacy-preserving handle for the user which can be used by service providers to request user attributes.
Service Provider (diagram): acts as a guardian of a Web resource (Y/N decision).
Indexical Reference Establisher (SHIRE)
- The SP component responsible for context/session establishment.
- Session establishment will commonly rely on traditional techniques.
- With no session in place, the SHIRE knows nothing about the user, so it must:
  - ask directly (SHIRE = WAYF), or
  - redirect the user to a location that will ask on its behalf (SHIRE != WAYF).
- The SHIRE accepts and validates an assertion from a HS.
- Associates the incoming handle with the session it creates.
- Passes control to the SHAR.
Where are You From?
- The WAYF service provides the user with a list of institutions (IdPs) and allows them to choose at which one they wish to authenticate.
- Then, the WAYF redirects the user to the chosen IdP.
Handle Server
- Works with the AA and the local Web ISO system (authentication) to associate a query handle with an authenticated browser user and generate a signed assertion.
- Performs its work in response to an Attribute Query HR.
- Triggers the local campus authentication system.
- Generates a Handle.
- Remembers the mapping from Handle to specific user.
- Sends an Assertion with the Handle to the SHIRE.
Attribute Requester
- Attribute authenticate stores information about the user.
- A SHAR makes attribute requests using the handle given to it by the SHIRE.
- Upon receiving a response (AQR):
  - authenticates the response (the attribute assertion contains the name of the origin site)
  - extracts the attributes
  - checks attribute acceptance.
Attribute Authority
- Receives Attribute Query Messages (AQM) from the SHAR and returns an Attribute Response Message (ARM).
- Finds ARPs matching the target.
- Determines which attributes and values to release.
- Provides a UI for specification and management of Attribute Release Policies (ARPs).
- Works with institutional directories and databases to aggregate and export attributes in a controlled fashion.
Management of Attribute Release Policies (ARP)
- The AA provides ARP management tools/interfaces.
- Different ARPs for different targets.
- Each ARP specifies attributes and values.
- Institutional ARPs (default):
  - administrative default policies / attributes
  - site can force include and exclude.
- User ARPs managed via the MyAA web interface.
- Release set determined by combining the Default / User ARP for the specified resource.
Resource Manager
- Accepts attributes from the SHAR.
- Compares supplied attributes against the policy associated with the requested resource.
- Grants/denies access.
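An added Python simulation, not from the slides or from the Shibboleth project, tying together the Components flow, the Attribute Authority, the ARP management slide and the Resource Manager. The IdP's Handle Service authenticates a user and mints an opaque handle; the SP's attribute requester queries the IdP's Attribute Authority with that handle; the AA releases only what the institutional (default) ARP and the user's own ARP allow for that target; the SP's Resource Manager compares the released attributes with the resource's policy. The users, passwords, attribute names, SP identifiers, ARPs and resource policies are all constructed, and message signing and transport are left out.

```python
"""Added example: Shibboleth-style handle issuance, ARP-filtered attribute
release and resource policy check.  All users, SPs and policies are
constructed; signing and transport are omitted."""
import hmac
import secrets
from typing import Dict, Optional, Set

# --- Origin site (IdP) ---------------------------------------------------------
USER_DIRECTORY = {   # constructed; a real IdP would store password hashes in a directory
    "alice": {"password": "correct horse battery",
              "attributes": {"eduPersonAffiliation": "staff",
                             "employeeNumber": "E-1001",
                             "mail": "alice@example.edu"}},
}
# Institutional (default) ARPs: which attributes each target SP may receive.
DEFAULT_ARP: Dict[str, Set[str]] = {
    "library-sp": {"eduPersonAffiliation"},
    "payroll-sp": {"eduPersonAffiliation", "employeeNumber", "mail"},
}
# User ARPs (the MyAA interface): attributes a user withholds from a given target.
USER_ARP: Dict[str, Dict[str, Set[str]]] = {
    "alice": {"payroll-sp": {"mail"}},
}


class IdentityProvider:
    def __init__(self):
        self._handles: Dict[str, str] = {}   # Handle Service memory: handle -> user

    def handle_service_login(self, username: str, password: str) -> Optional[str]:
        """Authenticate locally and mint a privacy-preserving handle for the SP."""
        user = USER_DIRECTORY.get(username)
        if user is None or not hmac.compare_digest(user["password"].encode(), password.encode()):
            return None
        handle = secrets.token_urlsafe(16)   # opaque: carries no identity information
        self._handles[handle] = username
        return handle

    def attribute_authority(self, handle: str, target_sp: str) -> Dict[str, str]:
        """Answer an attribute query: start from the default ARP for the target,
        remove what the user's own ARP withholds, release only the remainder."""
        username = self._handles.get(handle)
        if username is None:
            return {}                         # unknown handle: nothing is released
        release = set(DEFAULT_ARP.get(target_sp, set()))
        release -= USER_ARP.get(username, {}).get(target_sp, set())
        attrs = USER_DIRECTORY[username]["attributes"]
        return {name: attrs[name] for name in release if name in attrs}


# --- Target site (SP) ----------------------------------------------------------
RESOURCE_POLICY = {   # constructed Resource Manager policies, keyed by resource
    "/journals": lambda a: a.get("eduPersonAffiliation") in {"staff", "faculty", "student"},
    "/payslips": lambda a: "employeeNumber" in a,
}


def resource_manager(sp_id: str, idp: IdentityProvider, handle: str, resource: str) -> bool:
    """The SHAR asks the AA for attributes; the Resource Manager compares them with policy."""
    released = idp.attribute_authority(handle, sp_id)
    policy = RESOURCE_POLICY.get(resource)
    return bool(policy and policy(released))


def demo() -> dict:
    """Run the whole flow for alice and report what each SP received and was granted."""
    idp = IdentityProvider()
    handle = idp.handle_service_login("alice", "correct horse battery")
    return {
        "bad_password": idp.handle_service_login("alice", "wrong") is None,
        "handle_is_opaque": handle is not None and "alice" not in handle,
        "library_sees": idp.attribute_authority(handle, "library-sp"),
        "payroll_sees": idp.attribute_authority(handle, "payroll-sp"),
        "library_journals": resource_manager("library-sp", idp, handle, "/journals"),
        "library_payslips": resource_manager("library-sp", idp, handle, "/payslips"),
        "payroll_payslips": resource_manager("payroll-sp", idp, handle, "/payslips"),
        "bogus_handle": resource_manager("payroll-sp", idp, "not-a-handle", "/payslips"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The library SP never learns alice's employee number or mail address, and the payroll SP is denied her mail by her own ARP, even though both attributes exist in the directory: the AA, not the SP, decides what leaves the origin site.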
Advantages
- End user authentication: unified authentication mechanism, more scalable, less integration work.
- Access control: ability to implement fine-grained access control by attributes, control usage costs.
- Leading edge: ability to market yourself as being at the forefront of compelling new technology adoption.
- ROI - Vendor: the incremental cost of adding new customers is relatively minimal.
- ROI - Customer: supports inter-institutional applications, leveraging something already in place. A matter of managing attributes; the installation is relatively easy.
- Joint procurement: opportunity to offer joint procurement services, providing economies of scale.
References
- http://www.w3schools.com/
- http://www.xml.com/pub/a/ws/2003/03/04/security.html?page=2
- http://xml.coverpages.org/xacml.html
- http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml (INTEROPS)
- http://sunxacml.sourceforge.net/
- http://en.wikipedia.org/wiki/Security_Assertion_Markup_Language
- http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=wss
- http://www.oasis-open.org/committees/download.php/3412/sstc-saml-diff-1.1-draft-01.pdf
- http://www.oasis-open.org/committees/security
- http://projects.staffs.ac.uk/suniwe/project/shibboleth.html
- http://middleware.internet2.edu/shibboleth
- http://www.internet2.edu/members/html/intellectualproperty.html
Q&A