Security Standards (…and Competing Standards … and Implementations … and Interoperability). Marty Humphrey, Assistant Professor, Computer Science Department, University of Virginia. UK e-Science Core Programme Town Meeting, Monday 11th April 2005. (Presentation transcript)
![Page 1: Marty Humphrey Assistant Professor Computer Science Department University of Virginia](https://reader036.vdocuments.mx/reader036/viewer/2022062321/56813afd550346895da392fa/html5/thumbnails/1.jpg)
Security Standards (…and Competing Standards … and Implementations … and Interoperability)
Marty Humphrey, Assistant Professor
Computer Science Department, University of Virginia
UK e-Science Core Programme Town Meeting, Monday 11th April 2005
![Page 2: Marty Humphrey Assistant Professor Computer Science Department University of Virginia](https://reader036.vdocuments.mx/reader036/viewer/2022062321/56813afd550346895da392fa/html5/thumbnails/2.jpg)
“Security in a Web Services World” IBM/MS White Paper, April 2002
This is a composable architecture: “only use what you need”
Layered figure (bottom to top, along a time axis with “today” marked):
• SOAP Foundation
• WS-Security
• WS-Policy, WS-Trust, WS-Privacy
• WS-SecureConversation, WS-Federation, WS-Authorization
![Page 3: Marty Humphrey Assistant Professor Computer Science Department University of Virginia](https://reader036.vdocuments.mx/reader036/viewer/2022062321/56813afd550346895da392fa/html5/thumbnails/3.jpg)
www.ggf.org
WS Security Roadmap exists, so why do we? (slide from GGF6, Oct 2002)
1. What if boxes never materialize?
2. What if boxes appear too late?
3. What if there are licensing issues with box(es)?
4. What if “their roadmap” has missing pieces?
5. What if Grid Computing != Web Services?
6. MS-IBM Roadmap is wire-oriented; we need to be wire-oriented AND service-oriented (i.e., portTypes)
How do we make our existing security services “fit” with OGSA Architecture?
![Page 4: Marty Humphrey Assistant Professor Computer Science Department University of Virginia](https://reader036.vdocuments.mx/reader036/viewer/2022062321/56813afd550346895da392fa/html5/thumbnails/4.jpg)
Second Wave Specifications: Historical Timeline of Specifications (timeline figure; slide from Felipe Cabrera)
Dates on the axis: November 2001, April 2002, June 2002, August 2002, December 2002, March 2003, April 2003, June 2003, July 2003
Specifications plotted: WS-Inspection, WS-Security Profile for Tokens, WS-Attachments, Security Roadmap, WS-Security, WS-Security Addendum, WS-Coordination, WS-Transaction, WS-Policy, WS-PolicyAssertions, WS-PolicyAttachment, WS-Trust, WS-SecureConversation, WS-SecurityPolicy, WS-ReliableMessaging, WS-Addressing, Reliable Message Roadmap, WS-Policy v1.1, WS-PolicyAssertions v1.1, WS-PolicyAttachment v1.1, Infoset Addendum to SOAP Messages With Attachments, WS-Federation, Federation Whitepaper
![Page 5: Marty Humphrey Assistant Professor Computer Science Department University of Virginia](https://reader036.vdocuments.mx/reader036/viewer/2022062321/56813afd550346895da392fa/html5/thumbnails/5.jpg)
Web Services Specifications Process. Example: WS-Security (slide from Felipe Cabrera)
1. Specification Published (April 2002)
2. Customer and Industry Feedback Gathered (April – August 2002)
3. Publish Addendum, Deliver Dev Product (August 2002)
4. OASIS Standardization (September 2002)
5. WS-I Interoperability Profile (April 2003)
Partner involvement shown growing across these stages: three partners, over 30 partners, over 100 partners.
![Page 6: Marty Humphrey Assistant Professor Computer Science Department University of Virginia](https://reader036.vdocuments.mx/reader036/viewer/2022062321/56813afd550346895da392fa/html5/thumbnails/6.jpg)
Today: Status of Specs
• WS-Security (“SOAP Message Security 1.0”)
  • OASIS Standard 15 Mar 2004
• WS-Policy (Dec 2002):
  • Updated Sept 2004 (6 companies) – royalty-free – not in standards body
• WS-SecureConversation (Dec 2002):
  • Updated Feb 2005 (13 companies) – royalty-free – not in standards body
• WS-Trust (Dec 2002):
  • Updated Feb 2005 (12 companies) – royalty-free (?) – not in standards body
• WS-Federation (Jul 2003):
  • No update since July 2003?
• WS-Privacy: ???
• WS-Authorization: ???
![Page 7: Marty Humphrey Assistant Professor Computer Science Department University of Virginia](https://reader036.vdocuments.mx/reader036/viewer/2022062321/56813afd550346895da392fa/html5/thumbnails/7.jpg)
WS-I Basic Security Profile
• Draft: Jan 20 2005
• How to use:
  • SSL/TLS
  • SOAP Message Security
  • Username Token Profile
  • X.509 Certificate Token Profile
  • XML-Signature
  • XML-Encryption
![Page 8: Marty Humphrey Assistant Professor Computer Science Department University of Virginia](https://reader036.vdocuments.mx/reader036/viewer/2022062321/56813afd550346895da392fa/html5/thumbnails/8.jpg)
Security Assertion Markup Language (SAML) Framework — OASIS Standard
• Assertions: Authentication, Attribute, Authorization Decision
• Protocols: e.g., request from a SAML authority one or more assertions
• Bindings: e.g., SAML SOAP binding
• Profiles: constraints and/or extensions for a particular application (e.g., Web SSO Profile)
(Figure: an Assertion is carried inside a Protocol Request / Protocol Response, which is transported over a Binding)
![Page 9: Marty Humphrey Assistant Professor Computer Science Department University of Virginia](https://reader036.vdocuments.mx/reader036/viewer/2022062321/56813afd550346895da392fa/html5/thumbnails/9.jpg)
eXtensible Access Control Markup Language (XACML) – OASIS Standard
• V 2.0, 6 Dec 2004 (142 pages!)
• Authors include Sun, BEA, CA, Entrust, Frank Siebenlist, and IBM
• Capabilities
  • Access Control: who can do what when
  • Queries about whether a particular access should be allowed (requests) and describes answers to those queries (responses)
• XACML and SAML
  • XACML policy specifies what a provider should do when it receives a SAML Assertion
  • XACML-based attributes can be expressed in SAML
• XACML v3.0 in the works
![Page 10: Marty Humphrey Assistant Professor Computer Science Department University of Virginia](https://reader036.vdocuments.mx/reader036/viewer/2022062321/56813afd550346895da392fa/html5/thumbnails/10.jpg)
Liberty Alliance
• Industry consortium defining standards for federated identity (formed Sept 2001)
  • IBM recently joined
• Web Service Framework (ID-WSF)
  • Authentication: Identity Federation Framework (ID-FF) uses SAML
  • Message protection: e.g., TLS, SAML Assertion in WS-Security
  • Service discovery and addressing
  • Policy
  • “Common data access protocols”: Liberty Data Services Template Specification
![Page 11: Marty Humphrey Assistant Professor Computer Science Department University of Virginia](https://reader036.vdocuments.mx/reader036/viewer/2022062321/56813afd550346895da392fa/html5/thumbnails/11.jpg)
Open Issues/Concerns
• Privacy: SAML 2.0 Privacy Mechanisms?
• XACML and WS-[Security]Policy overlap
• XACML and SAML overlap
  • Both have protocols for requesting security information
• WS-Federation and Liberty Alliance overlap
  • WS-* and ID-WSF overlap
• Delegation
  • Service interface (WS-Delegation)
  • Protocol (X.509 Proxy Certs RFC 3820 and SAML Delegation)
![Page 12: Marty Humphrey Assistant Professor Computer Science Department University of Virginia](https://reader036.vdocuments.mx/reader036/viewer/2022062321/56813afd550346895da392fa/html5/thumbnails/12.jpg)
WS-Delegation
• Led by Olle Mulmo
• Standalone Web services portType
• Based on WS-Trust (until recently – April 05?)
• My group’s contribution
  • D. Del Vecchio, J. Basney, N. Nagaratnam, and M. Humphrey. “CredEx: User-Centric Credential Selection and Management for Grid and Web Services”
  • Long-term or short-term multiple per-user credential storage and exchange
  • Support for multiple platforms and languages (Java and .NET)
  • Multiple token types
    • Initially support for both password-to-X.509 and X.509-to-password exchanges
    • Potential support for more token types through WS-Security and WS-Trust specifications
![Page 13: Marty Humphrey Assistant Professor Computer Science Department University of Virginia](https://reader036.vdocuments.mx/reader036/viewer/2022062321/56813afd550346895da392fa/html5/thumbnails/13.jpg)
CredEx System Overview (figure)
• CredentialService (Java/Tomcat/Axis) performs the credential exchanges
• Java Client: calls exchangeForPassword() authenticated with an X.509 Signature, receives a Username/Password, then calls invokeMethod() with the Username/Password on a Password-based Web Service (Java/.Net)
• .Net Client: calls exchangeForCert() authenticated with a Username/Password, receives an X.509 Credential, then calls invokeMethod() with the X.509 Credential on an X.509-based Grid Service (Java/GT3)
![Page 14: Marty Humphrey Assistant Professor Computer Science Department University of Virginia](https://reader036.vdocuments.mx/reader036/viewer/2022062321/56813afd550346895da392fa/html5/thumbnails/14.jpg)
“Extending the Security Assertion Markup Language to Support Delegation for Web Services and Grid Services” (J. Wang, D. Del Vecchio, and M. Humphrey)
• Delegation request as a SAML request
• Delegation response as a SAML response
(Figure: a Request/Response exchange, then a chain of requests each carrying a SAML assertion: “Please schedule my jobs” → “Please run my job” → “Please save my file” → “Please send a disk request for Bob”)
![Page 15: Marty Humphrey Assistant Professor Computer Science Department University of Virginia](https://reader036.vdocuments.mx/reader036/viewer/2022062321/56813afd550346895da392fa/html5/thumbnails/15.jpg)
Direct SAML Delegation with Web Service Security: Bob has Delegated to Superscheduler (figure)
• SOAP header carries one Assertion (SAML Token Profile): Superscheduler’s Key, Delegation: Bob, Right: Full, signed with Bob’s Signature
• The message itself carries Superscheduler’s Signature (X509 Token Profile)
![Page 16: Marty Humphrey Assistant Professor Computer Science Department University of Virginia](https://reader036.vdocuments.mx/reader036/viewer/2022062321/56813afd550346895da392fa/html5/thumbnails/16.jpg)
Indirect SAML Delegation with Web Service Security: Bob has Delegated to Broker through Superscheduler (figure)
• SOAP Header carries two Assertions (SAML Token Profile):
  • Assertion: Broker’s Key, Delegation: Bob, Right: End Entity, signed with Superscheduler’s Signature
  • Assertion: Superscheduler’s Key, Delegation: Bob, Right: Full, signed with Bob’s Signature
• The message itself carries Broker’s Signature (X509 Token Profile)
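The two header layouts above (direct delegation to Superscheduler, indirect delegation to Broker through Superscheduler) describe a chain that the receiving service has to validate end to end. The Go program below is an added example written for this page; it is not code from the author, from CredEx, or from the cited paper. It models each assertion as a signed record (Ed25519 keys stand in for X.509 certificates, JSON for the SAML XML, and the field names are assumptions), builds the Bob → Superscheduler → Broker chain with freshly generated keys, and verifies it the way the service should: the first assertion must be signed by a key the service already trusts for the named principal, each later link must be signed by the previous delegatee, an End Entity right cannot be delegated onward, and the body must be signed by the last delegatee. The direct case is the same check run on a one-link chain.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Right is the "Right:" field on the slides; only a Full right may be delegated onward.
type Right string

const RightEndEntity Right = "End Entity"
const RightFull Right = "Full"

// Assertion stands in for the SAML delegation assertion in the SOAP header (field set assumed here).
// The issuer is implied by position: the principal signs the first assertion, each delegatee the next.
type Assertion struct {
	Subject    string            `json:"subject"`    // party receiving the right
	SubjectKey ed25519.PublicKey `json:"subjectKey"` // delegatee's key (Ed25519 stands in for X.509)
	Delegation string            `json:"delegation"` // original principal, e.g. "Bob"
	Right      Right             `json:"right"`
	Signature  []byte            `json:"signature,omitempty"`
}

type Message struct {
	Chain     []Assertion // the SAML Token Profile part of the header
	Body      []byte
	Signature []byte // the sender's X509 Token Profile signature over Body
}

func genKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// signingBytes is the canonical form covered by an assertion's signature.
func signingBytes(a Assertion) []byte {
	a.Signature = nil
	b, _ := json.Marshal(a) // plain data, cannot fail
	return b
}

// verifyWith rejects a malformed or missing key instead of letting ed25519.Verify panic on it.
func verifyWith(key ed25519.PublicKey, data, sig []byte) bool {
	return len(key) == ed25519.PublicKeySize && ed25519.Verify(key, data, sig)
}

// Delegate is the delegator's step: sign an assertion handing right to subject.
func Delegate(issuerKey ed25519.PrivateKey, subject string, subjectKey ed25519.PublicKey, delegation string, right Right) Assertion {
	a := Assertion{Subject: subject, SubjectKey: subjectKey, Delegation: delegation, Right: right}
	a.Signature = ed25519.Sign(issuerKey, signingBytes(a))
	return a
}

// SignBody adds the sender's own signature on the request.
func SignBody(m *Message, key ed25519.PrivateKey) {
	m.Signature = ed25519.Sign(key, m.Body)
}

// Verify is the receiving service's check; trusted holds the principal keys it already knows.
func Verify(m Message, trusted map[string]ed25519.PublicKey) (actor, principal string, right Right, err error) {
	if len(m.Chain) == 0 || !verifyWith(trusted[m.Chain[0].Delegation], signingBytes(m.Chain[0]), m.Chain[0].Signature) {
		return "", "", "", fmt.Errorf("header lacks an assertion signed by a known principal")
	}
	prev, principal := m.Chain[0], m.Chain[0].Delegation
	for i, a := range m.Chain[1:] {
		switch {
		case a.Delegation != principal:
			return "", "", "", fmt.Errorf("link %d is for %q, not %q", i+1, a.Delegation, principal)
		case prev.Right != RightFull:
			return "", "", "", fmt.Errorf("%q holds an end-entity right and cannot delegate", prev.Subject)
		case !verifyWith(prev.SubjectKey, signingBytes(a), a.Signature):
			return "", "", "", fmt.Errorf("link %d is not signed by %q", i+1, prev.Subject)
		}
		prev = a
	}
	if !verifyWith(prev.SubjectKey, m.Body, m.Signature) {
		return "", "", "", fmt.Errorf("body is not signed by final delegatee %q", prev.Subject)
	}
	return prev.Subject, principal, prev.Right, nil
}

// BuildScenario is the indirect-delegation message with fresh keys: Bob -> Superscheduler (Full) -> Broker (End Entity).
func BuildScenario() (Message, map[string]ed25519.PublicKey, map[string]ed25519.PrivateKey) {
	bobPub, bobPriv := genKey()
	ssPub, ssPriv := genKey()
	brokerPub, brokerPriv := genKey()
	msg := Message{Body: []byte("Please run my job"), Chain: []Assertion{
		Delegate(bobPriv, "Superscheduler", ssPub, "Bob", RightFull),
		Delegate(ssPriv, "Broker", brokerPub, "Bob", RightEndEntity),
	}}
	SignBody(&msg, brokerPriv)
	trusted := map[string]ed25519.PublicKey{"Bob": bobPub} // the service knows only Bob's own key
	return msg, trusted, map[string]ed25519.PrivateKey{"Superscheduler": ssPriv, "Broker": brokerPriv}
}
```

Verify returns the acting party, the principal it acts for, and the right it holds, so the service can log and authorize on those three values. Any change to an assertion after signing (for instance raising Broker's right to Full) invalidates that assertion's signature, an End Entity holder cannot extend the chain, and a body signed by anyone other than the last link is refused; the trust anchor is only the principal's own key, everything else is derived from the chain.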
![Page 17: Marty Humphrey Assistant Professor Computer Science Department University of Virginia](https://reader036.vdocuments.mx/reader036/viewer/2022062321/56813afd550346895da392fa/html5/thumbnails/17.jpg)
Summary
• April 2002: Much optimism with “IBM/MS Security Roadmap”
• Emergence of standardized boxes slower than expected
• Community appears to be converging, but some aspects not clear
  • XACML/SAML, XACML/WS-SecurityPolicy, Delegation
• Many challenges
  • Interop will not come directly from standards (see WS-I)