Security Standards (…and Competing Standards and Implementations … and Interoperability) Marty Humphrey Assistant Professor Computer Science Department University of Virginia UK e-Science Core Programme Town Meeting Monday 11th April 2005


Page 1: Marty Humphrey Assistant Professor Computer Science Department University of Virginia

Security Standards (…and Competing Standards … and Implementations … and Interoperability)

Marty Humphrey, Assistant Professor
Computer Science Department, University of Virginia

UK e-Science Core Programme Town Meeting, Monday 11th April 2005

Page 2

“Security in a Web Services World”, IBM/MS White Paper, April 2002

This is a composable architecture: “only use what you need”.

Layers shown in the roadmap figure, bottom to top:

  • SOAP Foundation
  • WS-Security
  • WS-Policy, WS-Trust, WS-Privacy
  • WS-SecureConversation, WS-Federation, WS-Authorization

(The figure's horizontal axis is time, with a marker for “today”.)

Page 3

www.ggf.org

WS Security Roadmap exists, so why do we? (slide from GGF6, Oct 2002)

1. What if boxes never materialize?
2. What if boxes appear too late?
3. What if there are licensing issues with box(es)?
4. What if “their roadmap” has missing pieces?
5. What if Grid Computing != Web Services?
6. MS-IBM Roadmap is wire-oriented; we need to be wire-oriented AND service-oriented (i.e., portTypes)

How do we make our existing security services “fit” with the OGSA Architecture?

Page 4

Second Wave Specifications: Historical Timeline of Specifications (slide from Felipe Cabrera)

(Timeline figure; the dates and the specifications it places are listed below.)

Dates on the timeline: November 2001, April 2002, June 2002, August 2002, December 2002, March 2003, April 2003, June 2003, July 2003.

Specifications on the timeline: Security Roadmap, WS-Security, WS-Security Addendum, WS-Security Profile for Tokens, WS-Inspection, WS-Attachments, WS-Coordination, WS-Transaction, WS-Policy, WS-PolicyAssertions, WS-PolicyAttachment, WS-Trust, WS-SecureConversation, WS-SecurityPolicy, WS-ReliableMessaging, Reliable Message Roadmap, WS-Addressing, Infoset Addendum to SOAP Messages With Attachments, WS-Policy v1.1, WS-PolicyAssertions v1.1, WS-PolicyAttachment v1.1, Federation Whitepaper, WS-Federation.

Page 5

Web Services Specifications Process. Example: WS-Security (slide from Felipe Cabrera)

1. Specification Published: April 2002
2. Customer and Industry Feedback Gathered: April - August 2002
3. Publish Addendum, Deliver Dev Product: August 2002
4. OASIS Standardization: September 2002
5. WS-I Interoperability Profile: April 2003

Participation grows along the way: three partners, then over 30 partners, then over 100 partners.

Page 6

Today: Status of Specs

  • WS-Security (“SOAP Message Security 1.0”): OASIS Standard, 15 Mar 2004
  • WS-Policy (Dec 2002): updated Sept 2004 (6 companies); royalty-free; not in a standards body
  • WS-SecureConversation (Dec 2002): updated Feb 2005 (13 companies); royalty-free; not in a standards body
  • WS-Trust (Dec 2002): updated Feb 2005 (12 companies); royalty-free (?); not in a standards body
  • WS-Federation (Jul 2003): no update since July 2003?
  • WS-Privacy: ???
  • WS-Authorization: ???

Page 7

WS-I Basic Security Profile

  • Draft: Jan 20 2005
  • How to use:
    • SSL/TLS
    • SOAP Message Security
    • Username Token Profile
    • X.509 Certificate Token Profile
    • XML-Signature
    • XML-Encryption

Page 8

Security Assertion Markup Language (SAML) Framework — OASIS Standard

  • Assertions: Authentication, Attribute, Authorization Decision
  • Protocols: e.g., request from a SAML authority one or more assertions
  • Bindings: e.g., SAML SOAP binding
  • Profiles: constraints and/or extensions for a particular application (e.g., Web SSO Profile)

(Figure: an Assertion is carried inside a Protocol Request / Protocol Response, which is transported over a Binding.)

Page 9

eXtensible Access Control Markup Language (XACML) – OASIS Standard

  • V 2.0, 6 Dec 2004 (142 pages!)
  • Authors include Sun, BEA, CA, Entrust, Frank Siebenlist, and IBM
  • Capabilities
    • Access Control: who can do what when
    • Queries about whether a particular access should be allowed (requests) and describes answers to those queries (responses)
  • XACML and SAML
    • XACML policy specifies what a provider should do when it receives a SAML Assertion
    • XACML-based attributes can be expressed in SAML
  • XACML v3.0 in the works

Page 10

Liberty Alliance

  • Industry consortium defining standards for federated identity (formed Sept 2001)
  • IBM recently joined
  • Web Service Framework (ID-WSF)
    • Authentication: Identity Federation Framework (ID-FF) uses SAML
    • Message protection: e.g., TLS, SAML Assertion in WS-Security
    • Service discovery and addressing
    • Policy
    • “Common data access protocols”: Liberty Data Services Template Specification

Page 11

Open Issues/Concerns

  • Privacy: SAML 2.0 Privacy Mechanisms?
  • XACML and WS-[Security]Policy overlap
  • XACML and SAML overlap
    • Both have protocols for requesting security information
  • WS-Federation and Liberty Alliance overlap
  • WS-* and ID-WSF overlap
  • Delegation
    • Service interface (WS-Delegation)
    • Protocol (X.509 Proxy Certs RFC 3820 and SAML Delegation)

Page 12

WS-Delegation

  • Led by Olle Mulmo
  • Standalone Web services portType
  • Based on WS-Trust (until recently – April 05?)
  • My group’s contribution
    • D. Del Vecchio, J. Basney, N. Nagaratnam, and M. Humphrey. “CredEx: User-Centric Credential Selection and Management for Grid and Web Services”
    • Long-term or short-term multiple per-user credential storage and exchange
    • Support for multiple platforms and languages (Java and .NET)
    • Multiple token types
      • Initially support for both password-to-X.509 and X.509-to-password exchanges
      • Potential support for more token types through the WS-Security and WS-Trust specifications

Page 13

CredEx System Overview

(Figure: the two exchange paths through the CredentialService, recovered from the diagram labels.)

  • Java Client: calls exchangeForPassword() on the CredentialService (Java/Tomcat/Axis) with an X.509 Signature, receives a Username/Password, then calls invokeMethod() on a Password-based Web Service (Java/.Net) with that Username/Password.
  • .Net Client: calls exchangeForCert() on the CredentialService with a Username/Password, receives an X.509 Credential, then calls invokeMethod() on an X.509-based Grid Service (Java/GT3) with that credential.

Page 14

“Extending the Security Assertion Markup Language to Support Delegation for Web Services and Grid Services” (J. Wang, D. Del Vecchio, and M. Humphrey)

  • Delegation request as a SAML request
  • Delegation response as a SAML response

(Figure: after the Request/Response exchange, the SAML assertion travels with each call down the chain: “Please schedule my jobs” → “Please run my job” → “Please save my file” → “Please send a disk request for Bob”.)

Page 15

Direct SAML Delegation with Web Service Security: Bob has Delegated to Superscheduler

SOAP header contents:

  • Assertion (SAML Token Profile)
    • Superscheduler’s Key
    • Delegation: Bob
    • Right: Full
    • Bob’s Signature
  • Superscheduler’s Signature (X509 Token Profile)

Page 16

Indirect SAML Delegation with Web Service Security: Bob has Delegated to Broker through Superscheduler

SOAP header contents:

  • Assertion (SAML Token Profile)
    • Broker’s Key
    • Delegation: Bob
    • Right: End Entity
    • Superscheduler’s Signature
  • Assertion (SAML Token Profile)
    • Superscheduler’s Key
    • Delegation: Bob
    • Right: Full
    • Bob’s Signature
  • Broker’s Signature (X509 Token Profile)
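The direct and indirect delegation layouts on this slide and the previous one, as an added Python example that is not from the talk or the SAML-delegation paper: it walks a chain of delegation assertions from the principal outward and checks that each link is issued by the previous key holder, that only a holder with the Full right delegates onward, and that the message itself is signed by the last holder. HMAC over constructed per-party secrets stands in for XML-Signature with X.509 keys; the party names and the Full / End Entity rights are taken from the slides.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed per-party secrets standing in for signing keys (an assumption of this
# example: real assertions carry XML-Signatures made with each party's X.509 key).
KEYS = {"Bob": b"bob-secret", "Superscheduler": b"ss-secret", "Broker": b"broker-secret"}


@dataclass(frozen=True)
class DelegationAssertion:
    holder: str       # party whose key the assertion binds ("Superscheduler's Key")
    delegator: str    # principal the rights are exercised for ("Delegation: Bob")
    right: str        # "Full" (may delegate onward) or "End Entity" (may only act)
    signer: str       # party that issued the assertion ("Bob's Signature")
    signature: bytes


def _sign(holder, delegator, right, signer_key):
    msg = f"{holder}|{delegator}|{right}".encode()
    return hmac.new(signer_key, msg, hashlib.sha256).digest()


def issue(signer, holder, delegator, right):
    return DelegationAssertion(holder, delegator, right, signer,
                               _sign(holder, delegator, right, KEYS[signer]))


def verify_chain(chain, principal, message_signer):
    """True if the chain (principal's assertion first) lets message_signer act for principal."""
    expected_signer = principal
    for i, a in enumerate(chain):
        key = KEYS.get(a.signer)
        # every link must name the same principal and be issued by the previous holder
        if a.delegator != principal or a.signer != expected_signer or key is None:
            return False
        if not hmac.compare_digest(a.signature, _sign(a.holder, a.delegator, a.right, key)):
            return False
        # only a holder with Full right may issue a further link; End Entity ends the chain
        if a.right not in ("Full", "End Entity") or (a.right != "Full" and i < len(chain) - 1):
            return False
        expected_signer = a.holder
    # the SOAP message itself must be signed (X509 Token Profile) by the last holder
    return bool(chain) and expected_signer == message_signer


# Slide 15: Bob delegates the Full right directly to the Superscheduler.
DIRECT = [issue("Bob", "Superscheduler", "Bob", "Full")]
# Slide 16: the Superscheduler passes an End Entity right for Bob on to the Broker.
INDIRECT = DIRECT + [issue("Superscheduler", "Broker", "Bob", "End Entity")]
```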

Page 17

Summary

  • April 2002: Much optimism with “IBM/MS Security Roadmap”
  • Emergence of standardized boxes slower than expected
  • Community appears to be converging, but some aspects not clear
    • XACML/SAML, XACML/WS-SecurityPolicy, Delegation
  • Many challenges
    • Interop will not come directly from standards (see WS-I)