WS-Security.ppt

WS-Security Anders Smestad The Web Services Why Web Services? loosley-coupled language-neutral platform-independent Really: PR It is so easy! (Want a demo?) It can run on port 80 But it isn’t secure… Transport Layer Security (TLS) can provide point-to-point security, but not end-to-end, problem with proxies Want: Message integrity Message confidentiality The WS-Security solution ~ two years after Web Services was introduced, IBM, Microsoft and VeriSign addressed the security issue. In April 2002 they released the proposed specification for WS-Security From SOAP-Security, WS-Security, WS-License April 2004: The standard was released as WS-Security 1.0 by Oasis-Open February 2006: Oasis-Open released “Web Services Security: SOAP Message Security 1.1 (WS-Security 2004)” or WS-Security Core Specification 1.1 WS-Security 1.1 From the spec: Enhancements to SOAP to provide integrity and confidentiality “Web Services Security: SOAP Message Security” or “WSS: SOAP Message Security” Accommodates a wide variety of security models and encryption technologies Provides a mechanism for associating security tokens with message content Of course extensible: Supports multiple security token formats, can define different formats for different parts of the message Disclaimer Provides flexible set of mechanisms to construct a range of security protocols Does not describe explicit fixed security protocols This means: It is up to you to design your non-vulnerable protocol Goals of the specification Multiple security token formats Multiple trust domains Multiple signature formats Multiple encryption technologies End-to-end message content security (Terminology) Confidentiality – the property that data is not made available to unauthorized individuals, entities, or processes (encryption) Integrity – the property that data has not been modified (signature) Claim – a declaration made by an entity (e.g. name, identity, key, group, privilege, capability, etc). Claim Confirmation – the proc