2. Web service security standards
- XML Digital Signature (IETF and W3C)
- XML Encryption (W3C)
- SAML (Security Assertion Markup Language) (OASIS)
- WS-Security (Web Services Security) (OASIS)
- WS-SecureConversation
- WS-Federation
- WS-Policy
- WS-Trust
- WS-Privacy
- XACML (eXtensible Access Control Markup Language) (OASIS)
3. XML Encryption
When an XML element or its content is encrypted, the EncryptedData element replaces that element (or that content, respectively) in the encrypted version of the XML document:
  <EncryptedData Id? Type? MimeType? Encoding?>
    <EncryptionMethod/>?
    <ds:KeyInfo>?
      <EncryptedKey>?
      <AgreementMethod>?
      <ds:KeyName>?
      <ds:RetrievalMethod>?
      <ds:*>?
    </ds:KeyInfo>
    <CipherData>
      <CipherValue>?
      <CipherReference URI?>?
    </CipherData>
    <EncryptionProperties>?
  </EncryptedData>
CipherData carries the ciphertext either inline (CipherValue) or by reference (CipherReference); EncryptionMethod names the algorithm; KeyInfo tells the recipient which key decrypts the data, for example an EncryptedKey wrapped for that recipient.
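As an added illustration of the element replacement described above (Go written for this page, not code from the slides or from any WSIT sample), the following encrypts a serialized element with AES-128-GCM, emits the EncryptedData that takes its place, and decrypts it again. It assumes a pre-shared 16-byte key on both sides, so KeyInfo is omitted; the CreditCard element and the key value are constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/xml"
	"errors"
	"fmt"
)

// Identifiers from XML Encryption 1.0 (Type) and 1.1 (the AES-GCM algorithm URI).
const (
	typeElement = "http://www.w3.org/2001/04/xmlenc#Element"
	aes128GCM   = "http://www.w3.org/2009/xmlenc11#aes128-gcm"
)

// EncryptedData mirrors the skeleton above (EncryptionMethod, CipherData/
// CipherValue). KeyInfo is omitted: the example assumes a pre-shared 16-byte key.
type EncryptedData struct {
	XMLName          xml.Name `xml:"http://www.w3.org/2001/04/xmlenc# EncryptedData"`
	Type             string   `xml:"Type,attr"`
	EncryptionMethod struct {
		Algorithm string `xml:"Algorithm,attr"`
	} `xml:"EncryptionMethod"`
	CipherData struct {
		CipherValue string `xml:"CipherValue"`
	} `xml:"CipherData"`
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 16 {
		return nil, errors.New("aes128-gcm needs a 16-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptElement encrypts the serialized element and returns the
// <EncryptedData> that replaces it. As xmlenc11 specifies for AES-GCM, the
// 96-bit IV is prepended to the ciphertext and the 128-bit tag follows it.
func EncryptElement(key, element []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	var ed EncryptedData
	ed.Type = typeElement
	ed.EncryptionMethod.Algorithm = aes128GCM
	ed.CipherData.CipherValue = base64.StdEncoding.EncodeToString(gcm.Seal(iv, iv, element, nil))
	return xml.Marshal(ed)
}

// DecryptElement reverses EncryptElement. It insists on the algorithm it
// expects instead of honouring whatever EncryptionMethod the document names:
// letting the sender choose an unauthenticated CBC mode is what turns an XML
// Encryption decryptor into a chosen-ciphertext oracle.
func DecryptElement(key, encryptedData []byte) ([]byte, error) {
	var ed EncryptedData
	if err := xml.Unmarshal(encryptedData, &ed); err != nil {
		return nil, err
	}
	if ed.EncryptionMethod.Algorithm != aes128GCM {
		return nil, fmt.Errorf("refusing EncryptionMethod %q", ed.EncryptionMethod.Algorithm)
	}
	raw, err := base64.StdEncoding.DecodeString(ed.CipherData.CipherValue)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(raw) < n+gcm.Overhead() {
		return nil, errors.New("CipherValue too short")
	}
	return gcm.Open(nil, raw[:n], raw[n:], nil) // any modified bit fails authentication
}

func main() {
	key := []byte("0123456789abcdef") // constructed demo key only
	element := []byte(`<CreditCard><Number>4111111111111111</Number></CreditCard>`)
	enc, _ := EncryptElement(key, element)
	fmt.Println(string(enc))
	dec, err := DecryptElement(key, enc)
	fmt.Printf("%s %v\n", dec, err)
}
```

Decryption deliberately refuses any EncryptionMethod other than the one the recipient expects: the CBC modes XML Encryption 1.0 permits are unauthenticated, and a decryptor that honours whatever algorithm the sender names can be driven as a chosen-ciphertext oracle. With GCM, an altered CipherValue fails authentication instead of yielding garbage plaintext that downstream code might act on.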
5. XML Signature
- Provides data integrity and authenticity
- Binds the signer's identity (the "signing entity") to an XML document
- Signatures can be verified with asymmetric keys (for example RSA, where only the signer holds the private key) or with symmetric keys (HMAC, where signer and verifier share the key)
- Can provide non-repudiation of the signing entity when an asymmetric key is used; with a shared HMAC key the verifier could have produced the signature itself, so non-repudiation does not follow
- Proves that the signed content has not been altered since it was signed
6. Signature Element
XML digital signatures are represented by the Signature element:
  <Signature ID?>
    <SignedInfo>
      <CanonicalizationMethod/>
      <SignatureMethod/>
      (<Reference URI?>
        <Transforms>?
        <DigestMethod>
        <DigestValue>
      </Reference>)+
    </SignedInfo>
    <SignatureValue>
    <KeyInfo>?
    <Object ID?>*
  </Signature>
Each Reference carries the digest of one signed item; SignatureValue is computed over the canonicalized SignedInfo, so it covers those digests rather than the data directly. A verifier therefore checks two things: that each Reference digest still matches the current content, and that SignatureValue is valid over SignedInfo under a key the verifier already trusts, not one taken unchecked from KeyInfo.
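The following Go example (added here; it is not code from the slides or from WSIT) builds and verifies the Signature element above with RSA-SHA256 over a single Reference. Canonicalization is not implemented: the signed element is assumed to be supplied already in canonical form, and re-serializing the SignedInfo struct with xml.Marshal stands in for exclusive C14N. Both are assumptions of the example, as are the Order element, the "#order" URI and the throwaway key.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/xml"
	"fmt"
)

// Algorithm URIs: exclusive C14N, RSA-SHA256 and the SHA-256 digest method.
const (
	c14nExcl     = "http://www.w3.org/2001/10/xml-exc-c14n#"
	rsaSHA256    = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
	digestSHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
)

// Structs follow the skeleton above (Transforms, KeyInfo and Object omitted);
// every *Method element carries only an Algorithm attribute.
type Method struct {
	Algorithm string `xml:"Algorithm,attr"`
}
type Reference struct {
	URI          string `xml:"URI,attr"`
	DigestMethod Method
	DigestValue  string
}
type SignedInfo struct {
	XMLName                xml.Name `xml:"http://www.w3.org/2000/09/xmldsig# SignedInfo"`
	CanonicalizationMethod Method
	SignatureMethod        Method
	Reference              []Reference
}
type Signature struct {
	XMLName        xml.Name `xml:"http://www.w3.org/2000/09/xmldsig# Signature"`
	SignedInfo     SignedInfo
	SignatureValue string
}
func b64sha256(b []byte) string {
	sum := sha256.Sum256(b)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// Sign signs element (assumed already canonical), referenced as uri, e.g. "#order".
// xml.Marshal of SignedInfo stands in for C14N: an assumption of this example.
func Sign(priv *rsa.PrivateKey, uri string, element []byte) ([]byte, error) {
	sig := Signature{SignedInfo: SignedInfo{
		CanonicalizationMethod: Method{Algorithm: c14nExcl},
		SignatureMethod:        Method{Algorithm: rsaSHA256},
		Reference: []Reference{{URI: uri, DigestMethod: Method{Algorithm: digestSHA256},
			DigestValue: b64sha256(element)}},
	}}
	si, _ := xml.Marshal(sig.SignedInfo) // cannot fail for these plain structs
	h := sha256.Sum256(si)
	sv, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	if err != nil {
		return nil, err
	}
	sig.SignatureValue = base64.StdEncoding.EncodeToString(sv)
	return xml.Marshal(sig)
}

// Verify uses a key the caller already trusts (not one from KeyInfo), requires
// the single Reference to name the element the application will act on (a valid
// signature over some other element is the signature-wrapping mistake), then
// checks the digest and the SignatureValue.
func Verify(pub *rsa.PublicKey, sigXML []byte, wantURI string, element []byte) error {
	var sig Signature
	if err := xml.Unmarshal(sigXML, &sig); err != nil {
		return err
	}
	if sig.SignedInfo.SignatureMethod.Algorithm != rsaSHA256 {
		return fmt.Errorf("unsupported SignatureMethod %q", sig.SignedInfo.SignatureMethod.Algorithm)
	}
	refs := sig.SignedInfo.Reference
	if len(refs) != 1 || refs[0].URI != wantURI {
		return fmt.Errorf("signature does not reference %s", wantURI)
	}
	if refs[0].DigestMethod.Algorithm != digestSHA256 || refs[0].DigestValue != b64sha256(element) {
		return fmt.Errorf("digest mismatch: element altered after signing")
	}
	sv, err := base64.StdEncoding.DecodeString(sig.SignatureValue)
	if err != nil {
		return err
	}
	si, _ := xml.Marshal(sig.SignedInfo)
	h := sha256.Sum256(si)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sv)
}

// demoKey makes a throwaway signing key for the demo and tests.
func demoKey() *rsa.PrivateKey {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return priv
}

func main() {
	priv := demoKey()
	order := []byte(`<Order Id="order"><Total>100.00</Total></Order>`)
	sig, _ := Sign(priv, "#order", order)
	fmt.Println(string(sig), "\nintact:", Verify(&priv.PublicKey, sig, "#order", order))
}
```

Verify is written the way a relying party should consume a signature: the public key comes from the caller's trust store; the Reference URI must name the element the application is about to act on, otherwise a signature that is valid over some other element in the same document would pass; and the digest is recomputed over the actual content before the SignatureValue is checked.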
8. SAML
- Developed by OASIS
- An XML framework for exchanging authentication and authorization information
- SAML assertions (an assertion is a declaration of a fact) carry three kinds of statement: authentication, attribute, and authorization decision
- SAML is used for single sign-on (SSO), distributed transactions, and authorization services
9. Authentication statement
Used for SSO. An issuing authority asserts that subject S was authenticated by means M at time T:
  <saml:Assertion …>
    <saml:AuthenticationStatement AuthenticationMethod="password" AuthenticationInstant="2010-02-03T10:00:00Z">
      <saml:Subject>
        <saml:NameIdentifier SecurityDomain="myCompany.com" Name="ABCD"/>
        <saml:SubjectConfirmation>
          <saml:ConfirmationMethod>http://…</saml:ConfirmationMethod>
        </saml:SubjectConfirmation>
      </saml:Subject>
    </saml:AuthenticationStatement>
  </saml:Assertion>
AuthenticationInstant is an xs:dateTime, so it carries a time of day, not just a date, and ConfirmationMethod sits inside SubjectConfirmation.
10. Attribute statement
Used for distributed transactions. An issuing authority asserts that subject S is associated with attributes A, B, … having values a, b, …:
  <saml:Assertion …>
    <saml:AttributeStatement>
      <saml:Subject>..Sang..</saml:Subject>
      <saml:Attribute AttributeName="PaymentStatus" AttributeNamespace="http://myshop.com">
        <saml:AttributeValue>PaidUp</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute AttributeName="CreditLimit" AttributeNamespace="http://myshop.com">
        <saml:AttributeValue>500.00</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
11. Authorization statement
Used for an authorization service. An issuing authority decides whether to grant the request by subject S for access type A to resource R, given evidence E:
  <saml:Assertion …>
    <saml:AuthorizationDecisionStatement Decision="Permit" Resource="http://mycompany.com/empdetails">
      <saml:Subject>…</saml:Subject>
      <saml:Action Namespace="http://…">Read</saml:Action>
    </saml:AuthorizationDecisionStatement>
  </saml:Assertion>
In SAML 1.x the element is AuthorizationDecisionStatement, the Decision attribute takes the values Permit, Deny or Indeterminate, and each Action element carries a Namespace attribute.
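As an added example (Go written for this page, not part of the slides) of what a relying party does with the statements on slides 9 and 10, this parses a constructed assertion in SAML 1.x form, with a Conditions element added, and enforces issuer, validity window with clock skew, and audience. The issuer URL, audience, timestamps, and the choice to reject an assertion that has no validity window are assumptions of the example; the XML Signature over the assertion is assumed to have been verified before Validate runs.

```go
package main

import (
	"encoding/xml"
	"errors"
	"fmt"
	"time"
)

// Constructed sample in the SAML 1.x form of the slides, plus the Conditions
// element (validity window, audience) that the relying party must enforce.
const sampleAssertion = `<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" Issuer="https://idp.mycompany.com">
  <saml:Conditions NotBefore="2010-02-03T10:00:00Z" NotOnOrAfter="2010-02-03T10:05:00Z">
    <saml:AudienceRestrictionCondition><saml:Audience>https://myshop.com</saml:Audience></saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AuthenticationStatement AuthenticationMethod="password" AuthenticationInstant="2010-02-03T10:00:00Z">
    <saml:Subject><saml:NameIdentifier SecurityDomain="myCompany.com" Name="ABCD"/></saml:Subject>
  </saml:AuthenticationStatement>
  <saml:AttributeStatement>
    <saml:Subject><saml:NameIdentifier SecurityDomain="myCompany.com" Name="ABCD"/></saml:Subject>
    <saml:Attribute AttributeName="PaymentStatus" AttributeNamespace="http://myshop.com"><saml:AttributeValue>PaidUp</saml:AttributeValue></saml:Attribute>
    <saml:Attribute AttributeName="CreditLimit" AttributeNamespace="http://myshop.com"><saml:AttributeValue>500.00</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>`

type Subject struct {
	NameID struct {
		SecurityDomain string `xml:"SecurityDomain,attr"`
		Name           string `xml:"Name,attr"`
	} `xml:"NameIdentifier"`
}

type Attribute struct {
	Name      string `xml:"AttributeName,attr"`
	Namespace string `xml:"AttributeNamespace,attr"`
	Value     string `xml:"AttributeValue"`
}

type Assertion struct {
	Issuer     string `xml:"Issuer,attr"`
	Conditions struct {
		NotBefore    string   `xml:"NotBefore,attr"`
		NotOnOrAfter string   `xml:"NotOnOrAfter,attr"`
		Audiences    []string `xml:"AudienceRestrictionCondition>Audience"`
	} `xml:"Conditions"`
	Authn struct {
		Method  string  `xml:"AuthenticationMethod,attr"`
		Instant string  `xml:"AuthenticationInstant,attr"`
		Subject Subject `xml:"Subject"`
	} `xml:"AuthenticationStatement"`
	Attrs struct {
		Subject    Subject     `xml:"Subject"`
		Attributes []Attribute `xml:"Attribute"`
	} `xml:"AttributeStatement"`
}

func ParseAssertion(raw []byte) (*Assertion, error) {
	var a Assertion
	if err := xml.Unmarshal(raw, &a); err != nil {
		return nil, err
	}
	return &a, nil
}

// Validate applies the relying-party checks on the assertion's own claims:
// trusted issuer, validity window with clock skew, and audience. The XML
// Signature over the assertion must have been verified before this runs; an
// unsigned assertion is just a document anyone could have written.
func Validate(a *Assertion, trustedIssuer, audience string, now time.Time, skew time.Duration) error {
	if a.Issuer != trustedIssuer {
		return fmt.Errorf("untrusted issuer %q", a.Issuer)
	}
	notBefore, err1 := time.Parse(time.RFC3339, a.Conditions.NotBefore)
	notOnOrAfter, err2 := time.Parse(time.RFC3339, a.Conditions.NotOnOrAfter)
	if err1 != nil || err2 != nil { // this example refuses assertions without a validity window
		return errors.New("Conditions must carry NotBefore and NotOnOrAfter")
	}
	if now.Add(skew).Before(notBefore) {
		return errors.New("assertion not yet valid")
	}
	if !now.Add(-skew).Before(notOnOrAfter) {
		return errors.New("assertion expired")
	}
	for _, aud := range a.Conditions.Audiences {
		if aud == audience {
			return nil
		}
	}
	return errors.New("assertion not issued for this audience")
}

func main() {
	a, _ := ParseAssertion([]byte(sampleAssertion))
	at := time.Date(2010, 2, 3, 10, 2, 0, 0, time.UTC)
	fmt.Println("at 10:02:", Validate(a, "https://idp.mycompany.com", "https://myshop.com", at, 30*time.Second))
	fmt.Println("at 10:06:", Validate(a, "https://idp.mycompany.com", "https://myshop.com", at.Add(4*time.Minute), 30*time.Second))
	fmt.Println(a.Authn.Subject.NameID.Name, "authenticated by", a.Authn.Method, "at", a.Authn.Instant, a.Attrs.Attributes)
}
```

The audience check is what stops an assertion issued for one service from being replayed to another; the window check is what limits how long a captured assertion stays useful, and a small skew allowance keeps slightly drifted clocks from rejecting fresh assertions.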
12. WS-Security
- An extension to SOAP for applying security to Web services
- Defines how to attach XML Signature and XML Encryption, and the security tokens they rely on, to SOAP messages in the wsse:Security header
- The WS-Security specification allows these token types: X.509 certificates, Kerberos tickets, UserID/password credentials (UsernameToken), SAML assertions, and custom-defined tokens
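Added example in Go (not from the slides or the WSIT runtime) of the UserID/password token type: a client builds a UsernameToken with a PasswordDigest for the wsse:Security header, and the service verifies it with a freshness window and a nonce replay check. The user store, password, window and the header skeleton printed by main are constructed for the demo.

```go
package main

import (
	"crypto/rand"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base64"
	"encoding/xml"
	"errors"
	"fmt"
	"time"
)

// wsse namespace and PasswordDigest type URI from WS-Security 1.0 / UsernameToken Profile 1.0.
const (
	wsseNS       = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
	pwDigestType = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
)

// UsernameToken as carried inside <wsse:Security> in the SOAP Header (Created is in the wsu namespace).
type UsernameToken struct {
	XMLName  xml.Name `xml:"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd UsernameToken"`
	Username string   `xml:"Username"`
	Password struct {
		Type  string `xml:"Type,attr"`
		Value string `xml:",chardata"`
	} `xml:"Password"`
	Nonce   string `xml:"Nonce"`
	Created string `xml:"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd Created"`
}

// Password_Digest = Base64(SHA-1(nonce + created + password)), nonce as raw bytes.
func passwordDigest(nonce []byte, created, password string) string {
	h := sha1.New()
	h.Write(nonce)
	h.Write([]byte(created))
	h.Write([]byte(password))
	return base64.StdEncoding.EncodeToString(h.Sum(nil))
}

// NewUsernameToken is the client side: fresh nonce, timestamp, digest.
func NewUsernameToken(user, password string, now time.Time) (*UsernameToken, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	t := &UsernameToken{Username: user, Nonce: base64.StdEncoding.EncodeToString(nonce),
		Created: now.UTC().Format(time.RFC3339)}
	t.Password.Type = pwDigestType
	t.Password.Value = passwordDigest(nonce, t.Created, password)
	return t, nil
}

// Verifier is the service side: recompute the digest from the stored password,
// bound Created to a freshness window, and refuse a nonce already seen.
type Verifier struct {
	Passwords map[string]string // constructed user store for the example
	Window    time.Duration
	seen      map[string]time.Time // nonce -> Created of its first use
}

func (v *Verifier) Verify(t *UsernameToken, now time.Time) error {
	if t.Password.Type != pwDigestType {
		return errors.New("only PasswordDigest tokens are accepted")
	}
	password, ok := v.Passwords[t.Username]
	if !ok {
		return errors.New("unknown user")
	}
	created, err := time.Parse(time.RFC3339, t.Created)
	if err != nil {
		return err
	}
	if age := now.Sub(created); age < -v.Window || age > v.Window {
		return errors.New("Created outside the freshness window")
	}
	nonce, err := base64.StdEncoding.DecodeString(t.Nonce)
	if err != nil {
		return err
	}
	if v.seen == nil {
		v.seen = map[string]time.Time{}
	}
	if _, dup := v.seen[t.Nonce]; dup {
		return errors.New("replayed nonce")
	}
	if subtle.ConstantTimeCompare([]byte(passwordDigest(nonce, t.Created, password)), []byte(t.Password.Value)) != 1 {
		return errors.New("password digest mismatch")
	}
	v.seen[t.Nonce] = created
	return nil
}

func main() {
	tok, _ := NewUsernameToken("alice", "s3cret", time.Now())
	body, _ := xml.MarshalIndent(tok, "    ", "  ")
	fmt.Printf("<soap:Header>\n  <Security xmlns=%q>\n%s\n  </Security>\n</soap:Header>\n", wsseNS, body)
	v := &Verifier{Passwords: map[string]string{"alice": "s3cret"}, Window: 5 * time.Minute}
	fmt.Println("first use:", v.Verify(tok, time.Now()), "| replay:", v.Verify(tok, time.Now()))
}
```

The seen map is never pruned here; a real service evicts nonces whose Created is older than Window, since those tokens fail the window check anyway. Rejecting PasswordText outright is a policy choice of the example: the profile also allows the plaintext form, which is only acceptable over a transport that already protects confidentiality.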
14. WS-Trust
A framework for:
- issuing, renewing, and validating security tokens
- brokering trust relationships across different trust domains
15. WS-Trust: Security Token Service
1. The WSIT client runtime requests security metadata from the service provider (transparent to the application)
2. The service indicates that the client needs a security token from a particular STS
3. The client requests security metadata from the STS
4. The STS responds with the type of security token to be used for further communication
5. The client requests a security token from the STS
6. The client receives the security token issued by the STS
7. The client invokes the service using the issued token
8. The service provider verifies the token and performs the service
16. WS-SecureConversation
- Defines the creation and sharing of security contexts between communicating parties
- The <SecurityContextToken> (SCT) element represents such a security context
- An SCT involves a shared secret that is used to sign and/or encrypt messages
- Derived keys, rather than the shared secret itself, are used for signing and encrypting the messages associated with the security context
- WS-SecureConversation defines how derived keys are computed (from the shared secret, a label and a nonce) and how they are passed (in a <DerivedKeyToken>)
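Added example (Go written for this page, not text or code from the slides) of how both parties turn the SCT's shared secret into message keys: the TLS 1.0 P_SHA1 function applied to label + nonce, with Offset and Length selecting the key bytes, which are the parameters a DerivedKeyToken conveys. The secret, the nonce and the 256-byte cap on what a peer may request are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/hex"
	"errors"
	"fmt"
)

// pSHA1 is the TLS 1.0 PRF building block P_SHA1 (RFC 2246, section 5):
//   A(0) = seed, A(i) = HMAC_SHA1(secret, A(i-1))
//   P_SHA1 = HMAC_SHA1(secret, A(1)+seed) + HMAC_SHA1(secret, A(2)+seed) + ...
func pSHA1(secret, seed []byte, n int) []byte {
	out := make([]byte, 0, n+sha1.Size)
	a := seed
	for len(out) < n {
		m := hmac.New(sha1.New, secret)
		m.Write(a)
		a = m.Sum(nil)
		m = hmac.New(sha1.New, secret)
		m.Write(a)
		m.Write(seed)
		out = m.Sum(out)
	}
	return out[:n]
}

// DerivedKeyToken holds the derivation parameters a <wsc:DerivedKeyToken>
// carries: Label and Nonce form the PRF seed, Offset and Length select which
// bytes of the PRF output become the key. The SCT secret to start from is
// identified by the token's SecurityTokenReference and passed here as secret.
type DerivedKeyToken struct {
	Label  string // empty means the default label
	Nonce  []byte
	Offset int
	Length int
}

const (
	defaultLabel = "WS-SecureConversation"
	maxDerived   = 256 // cap on Offset+Length accepted from a peer (example policy, not from the spec)
)

// DeriveKey computes P_SHA1(secret, label + nonce) and returns the requested
// window of it. Both parties run this with the same parameters; the SCT secret
// itself never goes on the wire and is never used directly as a message key.
func DeriveKey(secret []byte, dk DerivedKeyToken) ([]byte, error) {
	if len(secret) == 0 || len(dk.Nonce) == 0 {
		return nil, errors.New("secret and nonce are required")
	}
	if dk.Offset < 0 || dk.Length <= 0 || dk.Offset+dk.Length > maxDerived {
		return nil, errors.New("unreasonable Offset/Length")
	}
	label := dk.Label
	if label == "" {
		label = defaultLabel
	}
	seed := append([]byte(label), dk.Nonce...)
	return pSHA1(secret, seed, dk.Offset+dk.Length)[dk.Offset:], nil
}

func main() {
	secret := []byte("shared-secret-established-with-the-SCT") // constructed
	nonce := []byte("0123456789abcdef")                       // random per token in practice
	sign, _ := DeriveKey(secret, DerivedKeyToken{Nonce: nonce, Offset: 0, Length: 16})
	enc, _ := DeriveKey(secret, DerivedKeyToken{Nonce: nonce, Offset: 16, Length: 16})
	fmt.Println("signing key:   ", hex.EncodeToString(sign))
	fmt.Println("encryption key:", hex.EncodeToString(enc))
}
```

Because Offset and Length arrive from the peer, a receiver should bound them before deriving; otherwise a single token can demand a very large PRF computation. Deriving the signing and encryption keys from different windows (or different nonces) of the same PRF stream is what lets one SCT secret serve both purposes without key reuse.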
17. XACML
XACML is a declarative access control policy language implemented in XML, together with a processing model that describes how to interpret the policies. Policies are defined as a collection of rules.
Access control rule: allow access to resources with attribute WebService if the subject is an Employee and the action is read or write.
Administration control rule: allow delegation of access control rule #1 to subjects with attribute Consultant. Conditions: the delegation must expire within 6 months, and the resource must not have attribute StrictlyInternal.
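As an added example of the processing model (Go written for this page; a minimal evaluator, not XACML's XML syntax or a real PDP), this encodes the access control rule above, a constructed deny rule for StrictlyInternal resources, and the deny-overrides rule-combining algorithm. The attribute names role, type and classification are assumptions of the example.

```go
package main

import "fmt"

// Decision is the PDP's answer. NotApplicable means no rule matched.
type Decision int

const (
	NotApplicable Decision = iota
	Permit
	Deny
)

func (d Decision) String() string { return [...]string{"NotApplicable", "Permit", "Deny"}[d] }

// Request is what the PEP sends to the PDP: attribute bags for the subject and
// the resource, plus the action. The attribute names are constructed for the example.
type Request struct {
	Subject  map[string]string
	Resource map[string]string
	Action   string
}

// Rule matches when every listed subject/resource attribute has one of the
// allowed values and (if Actions is set) the action is listed; Effect then applies.
type Rule struct {
	ID       string
	Subject  map[string][]string
	Resource map[string][]string
	Actions  []string
	Effect   Decision
}

func contains(list []string, v string) bool {
	for _, x := range list {
		if x == v {
			return true
		}
	}
	return false
}

func matches(have map[string]string, want map[string][]string) bool {
	for attr, allowed := range want {
		if v, ok := have[attr]; !ok || !contains(allowed, v) {
			return false
		}
	}
	return true
}

func (r Rule) Evaluate(q Request) Decision {
	if !matches(q.Subject, r.Subject) || !matches(q.Resource, r.Resource) {
		return NotApplicable
	}
	if len(r.Actions) > 0 && !contains(r.Actions, q.Action) {
		return NotApplicable
	}
	return r.Effect
}

// Policy combines its rules with deny-overrides: any Deny wins, otherwise any
// Permit, otherwise NotApplicable.
type Policy struct{ Rules []Rule }

func (p Policy) Evaluate(q Request) Decision {
	result := NotApplicable
	for _, r := range p.Rules {
		switch r.Evaluate(q) {
		case Deny:
			return Deny
		case Permit:
			result = Permit
		}
	}
	return result
}

// Authorize is the PEP: only an explicit Permit grants access, so a request
// that no rule covers is refused rather than silently allowed.
func Authorize(p Policy, q Request) bool { return p.Evaluate(q) == Permit }

// SamplePolicy holds rule #1 from the slide plus a constructed deny rule for
// StrictlyInternal resources, which deny-overrides lets beat the permit.
var SamplePolicy = Policy{Rules: []Rule{
	{ID: "rule1", Subject: map[string][]string{"role": {"Employee"}},
		Resource: map[string][]string{"type": {"WebService"}},
		Actions:  []string{"read", "write"}, Effect: Permit},
	{ID: "rule2", Resource: map[string][]string{"classification": {"StrictlyInternal"}}, Effect: Deny},
}}

func main() {
	q := Request{Subject: map[string]string{"role": "Employee"}, Resource: map[string]string{"type": "WebService"}, Action: "read"}
	fmt.Println("employee read WebService:", SamplePolicy.Evaluate(q))
	q.Action = "delete"
	fmt.Println("employee delete WebService:", SamplePolicy.Evaluate(q), "authorized:", Authorize(SamplePolicy, q))
	q.Resource["classification"], q.Action = "StrictlyInternal", "read"
	fmt.Println("employee read StrictlyInternal:", SamplePolicy.Evaluate(q))
}
```

Authorize treats NotApplicable as a refusal: a PEP that only looks for an explicit Deny would let through every request that no rule mentions, which is the opposite of what a default-deny policy intends.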
18. XACML benefits
- One standard access control policy language can replace dozens of application-specific languages. Administrators save time and money because they don't need to rewrite their policies in many different languages.
- XACML is flexible enough to accommodate most access control policy needs and extensible so that new requirements can be supported.
- One XACML policy can cover many resources. This helps avoid inconsistent policies on different resources.
- XACML allows one policy to refer to another. This is important for large organizations. For instance, a site-specific policy may refer to a company-wide policy and a country-specific policy.