
Marty Humphrey Assistant Professor Computer Science Department University of Virginia

Security Standards (…and Competing Standards … and Implementations … and Interoperability). Marty Humphrey Assistant Professor Computer Science Department University of Virginia. UK e-Science Core Programme Town Meeting Monday 11th April 2005.





Presentation Transcript


  1. Security Standards(…and Competing Standards … and Implementations… and Interoperability) Marty Humphrey Assistant Professor Computer Science Department University of Virginia UK e-Science Core Programme Town Meeting Monday 11th April 2005

  2. “Security in a Web Services World” (IBM/MS White Paper, April 2002)
  This is a composable architecture: “only use what you need”.
  [Diagram: the roadmap stack along a time axis. SOAP Foundation at the bottom; WS-Security on top of it (“today”); above that WS-Policy, WS-Trust and WS-Privacy; at the top WS-SecureConversation, WS-Federation and WS-Authorization.]

  3. WS Security Roadmap exists, so why do we? (slide from GGF6, Oct 2002)
  • What if boxes never materialize?
  • What if boxes appear too late?
  • What if there are licensing issues with box(es)?
  • What if “their roadmap” has missing pieces?
  • What if Grid Computing != Web Services?
  • MS-IBM Roadmap is wire-oriented; we need to be wire-oriented AND service-oriented (i.e., portTypes)
  How do we make our existing security services “fit” with the OGSA Architecture?

  4. Second Wave Specifications (slide from Felipe Cabrera)

  5. Web Services Specifications Process (slide from Felipe Cabrera)
  Example: WS-Security
  • April 2002: Specification Published
  • April – August 2002: Customer and Industry Feedback Gathered
  • August 2002: Publish Addendum, Deliver Dev Product
  • September 2002: OASIS Standardization
  • April 2003: WS-I Interoperability Profile
  Partner involvement grew over the process from three partners to over 30 partners and then to over 100 partners.

  6. Today: Status of Specs
  • WS-Security (“SOAP Message Security 1.0”): OASIS Standard 15 Mar 2004
  • WS-Policy (Dec 2002): Updated Sept 2004 (6 companies) – royalty-free – not in standards body
  • WS-SecureConversation (Dec 2002): Updated Feb 2005 (13 companies) – royalty-free – not in standards body
  • WS-Trust (Dec 2002): Updated Feb 2005 (12 companies) – royalty-free (?) – not in standards body
  • WS-Federation (Jul 2003): No update since July 2003?
  • WS-Privacy: ???
  • WS-Authorization: ???

  7. WS-I Basic Security Profile
  • Draft: Jan 20 2005
  • How to use:
    • SSL/TLS
    • SOAP Message Security
    • Username Token Profile
    • X.509 Certificate Token Profile
    • XML-Signature
    • XML-Encryption

  8. Security Assertion Markup Language (SAML) Framework — OASIS Standard
  • Assertions: Authentication, Attribute, Authorization Decision
  • Protocols: e.g., request from a SAML authority one or more assertions
  • Bindings: e.g., SAML SOAP binding
  • Profiles: constraints and/or extensions for a particular application (e.g., Web SSO Profile)
  [Diagram: a Request and a Response exchanged between Mary and Alice. The Response carries an Assertion; the request/response pair is a SAML Protocol, carried over a Binding.]

  9. eXtensible Access Control Markup Language (XACML) – OASIS Standard
  • V 2.0, 6 Dec 2004 (142 pages!)
  • Authors include Sun, BEA, CA, Entrust, Frank Siebenlist, and IBM
  • Capabilities
    • Access Control: who can do what, when
    • Queries about whether a particular access should be allowed (requests) and descriptions of the answers to those queries (responses)
  • XACML and SAML
    • An XACML policy specifies what a provider should do when it receives a SAML Assertion
    • XACML-based attributes can be expressed in SAML
  • XACML v3.0 in the works

  10. Liberty Alliance
  • Industry consortium defining standards for federated identity (formed Sept 2001)
  • IBM recently joined
  • Web Service Framework (ID-WSF)
    • Authentication: Identity Federation Framework (ID-FF) uses SAML
    • Message protection: e.g., TLS, SAML Assertion in WS-Security
    • Service discovery and addressing
    • Policy
    • “Common data access protocols”: Liberty Data Services Template Specification

  11. Open Issues/Concerns
  • Privacy: SAML 2.0 Privacy Mechanisms?
  • XACML and WS-[Security]Policy overlap
  • XACML and SAML overlap
    • Both have protocols for requesting security information
  • WS-Federation and Liberty Alliance overlap
    • WS-* and ID-WSF overlap
  • Delegation
    • Service interface (WS-Delegation)
    • Protocol (X.509 Proxy Certs RFC 3820 and SAML Delegation)

  12. WS-Delegation
  • Led by Olle Mulmo
  • Standalone Web services portType
  • Based on WS-Trust (until recently – April 05?)
  • My group’s contribution
    • D. Del Vecchio, J. Basney, N. Nagaratnam, and M. Humphrey. “CredEx: User-Centric Credential Selection and Management for Grid and Web Services”
    • Long-term or short-term multiple per-user credential storage and exchange
    • Support for multiple platforms and languages (Java and .NET)
    • Multiple token types
      • Initially support for both password-to-X.509 and X.509-to-password exchanges
      • Potential support for more token types through WS-Security and WS-Trust specifications

  13. CredEx System Overview
  [Diagram: a CredentialService (Java/Tomcat/Axis) sits between the clients and the services. A Java Client presents a Username/Password to exchangeForCert(), receives an X.509 Credential, and uses it to invokeMethod() on an X.509-based Grid Service (Java/GT3). A .Net Client presents an X.509 Signature to exchangeForPassword(), receives a Username/Password, and uses it to invokeMethod() on a Password-based Web Service (Java/.Net).]

  14. “Extending the Security Assertion Markup Language to Support Delegation for Web Services and Grid Services” (J. Wang, D. Del Vecchio, and M. Humphrey)
  [Diagram: Bob, Superscheduler and Broker. Bob sends the Superscheduler a delegation request as a SAML request (“Please schedule my jobs”) and receives a delegation response as a SAML response. The downstream calls made on Bob’s behalf (“Please run my job”, “Please send a disk request for Bob”, “Please save my file”) each carry the SAML assertion.]

  15. Direct SAML Delegation with Web Service Security: Bob has Delegated to Superscheduler
  [Diagram of the SOAP header: one assertion under the SAML Token Profile carrying the Superscheduler’s Key, Delegation: Bob, Right: Full, covered by Bob’s Signature. The message itself carries the Superscheduler’s Signature under the X.509 Token Profile.]

  16. Indirect SAML Delegation with Web Service Security: Bob has Delegated to Broker through Superscheduler
  [Diagram of the SOAP header: two assertions under the SAML Token Profile. The first carries the Superscheduler’s Key, Delegation: Bob, Right: Full, covered by Bob’s Signature. The second carries the Broker’s Key, Delegation: Bob, Right: End Entity, covered by the Superscheduler’s Signature. The message itself carries the Broker’s Signature under the X.509 Token Profile.]
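The delegation chains in slides 14 to 16 are easier to reason about as a verifier: the service receiving “Please save my file” has to walk the assertions in the header, check that each one was signed by the holder of the previous one, that only a holder granted the Full right was allowed to delegate onward, and that the message itself is signed by the last holder. The following Python is an added example and not code from the slides or from the CredEx/SAML delegation papers. It models signatures as HMAC over canonical JSON against a key-id registry (KEYS), standing in for XML-Signature with X.509 keys under the SAML and X.509 Token Profiles; the function names, the Bob/Superscheduler/Broker secrets and the JSON field names are constructed for the illustration.

```python
"""Verification of a SAML-style delegation chain (direct and indirect case).

Added example, not code from the slides or papers. Signatures are modelled
with HMAC over canonical JSON and a key-id registry; a real deployment uses
XML-Signature with X.509 keys (assumption made for this illustration only).
"""
import hashlib
import hmac
import json
import time

# Constructed key registry: key id -> signing secret. The key id plays the role
# of the holder's X.509 certificate in the real token profiles.
KEYS = {
    "bob": b"bob-secret-0001",
    "superscheduler": b"superscheduler-secret-0002",
    "broker": b"broker-secret-0003",
}

FULL = "Full"              # holder may delegate onward
END_ENTITY = "End Entity"  # holder may only invoke, not delegate further


def _canonical(obj):
    # Deterministic serialisation so signatures are stable (stand-in for XML c14n).
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _sign(key_id, payload):
    return hmac.new(KEYS[key_id], _canonical(payload), hashlib.sha256).hexdigest()


def _verify(key_id, payload, signature):
    if key_id not in KEYS:
        return False
    return hmac.compare_digest(_sign(key_id, payload), signature)


def make_assertion(signer, holder_key, delegation, right, lifetime_s=600, now=None):
    """Delegation assertion: 'delegation' names the original principal,
    'holder_key' the party now allowed to act, 'right' whether it may delegate."""
    now = time.time() if now is None else now
    body = {
        "issuer": signer,
        "holder_key": holder_key,
        "delegation": delegation,
        "right": right,
        "not_before": now,
        "not_on_or_after": now + lifetime_s,
    }
    return {"body": body, "signature": _sign(signer, body)}


def make_request(signer, action, chain):
    # The final holder signs the action together with the header assertions,
    # so an attacker cannot swap in a different chain under the same signature.
    body = {"action": action, "assertions": [a["body"] for a in chain]}
    return {"body": body, "assertions": chain, "signature": _sign(signer, body)}


def verify_delegated_request(request, now=None):
    """Return the principal on whose behalf the request is made, or raise ValueError.

    Chain rules taken from the direct/indirect delegation pictures:
      1. The first assertion is signed by the principal it names in 'delegation'.
      2. Each later assertion is signed by the holder of the previous one.
      3. Every assertion names the same principal.
      4. Only a holder granted 'Full' may issue a further assertion.
      5. The request is signed by the last holder, inside every validity window.
    """
    now = time.time() if now is None else now
    chain = request["assertions"]
    if not chain:
        raise ValueError("no delegation assertion in header")
    principal = chain[0]["body"]["delegation"]
    expected_signer = principal
    for i, assertion in enumerate(chain):
        b = assertion["body"]
        if not (b["not_before"] <= now < b["not_on_or_after"]):
            raise ValueError(f"assertion {i} outside validity window")
        if b["delegation"] != principal:
            raise ValueError(f"assertion {i} names a different principal")
        if b["issuer"] != expected_signer or not _verify(b["issuer"], b, assertion["signature"]):
            raise ValueError(f"assertion {i} not signed by {expected_signer}")
        if i < len(chain) - 1 and b["right"] != FULL:
            raise ValueError(f"assertion {i} holder may not delegate further")
        expected_signer = b["holder_key"]
    if request["body"]["assertions"] != [a["body"] for a in chain]:
        raise ValueError("signed assertions do not match header")
    if not _verify(expected_signer, request["body"], request["signature"]):
        raise ValueError(f"request not signed by final holder {expected_signer}")
    return principal


def rejection_reason(request, now=None):
    """The reason a request is rejected, or None if it is accepted."""
    try:
        verify_delegated_request(request, now=now)
    except ValueError as e:
        return str(e)
    return None


if __name__ == "__main__":
    a1 = make_assertion("bob", "superscheduler", "bob", FULL)          # slide 15
    a2 = make_assertion("superscheduler", "broker", "bob", END_ENTITY)  # slide 16
    print(verify_delegated_request(make_request("superscheduler", "run my job", [a1])))
    print(verify_delegated_request(make_request("broker", "save my file", [a1, a2])))
```

The End Entity right is what stops the chain growing without the principal’s consent: a third assertion issued by the Broker is rejected because the assertion that empowered the Broker did not grant Full. Binding the header assertions into what the final holder signs closes the other obvious hole, a chain lifted from one message and replayed under a different action.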

  17. Summary
  • April 2002: Much optimism with “IBM/MS Security Roadmap”
  • Emergence of standardized boxes slower than expected
  • Community appears to be converging, but some aspects not clear
    • XACML/SAML, XACML/WS-SecurityPolicy, Delegation
  • Many challenges
    • Interop will not come directly from standards (see WS-I)
