Академический Документы
Профессиональный Документы
Культура Документы
Security Survey
Lili Sun
sun@usq.edu.au
Outline
• Introduction
• What is security?
• XML-based Web services security
standards
XML signatures,
XML encryption,
XML Key Management Specification,
Extensible Access Control Markup Language,
Security Assertion Markup Language,
WS-Security.
• How they work together
• Conclusion
20/06/09 2
Introduction
• Meeting security requirements for privacy, confidentiality
and integrity is essential in order to move business
online.
• XML has been widely used in e-services, M-services.
• XML has emerged as a prevalent standard for document
representation and exchange on the Web.
• The following example shows a credit card message
from a bank in XML document that can be accessed by
anyone if there is no protective security.
<?xml version="1.0" encoding="ISO-8859-1"?>
<PaymentInfo xmlns=“http://example.org/paymentv2>
<name>John Smith</name>
<CreditCard Limit=‘$5000’>
<Number>1234 5678 9012</Number>
<Issuer> Bank </Issuer>
<Expiration>11/07</Expiration>
</CreditCard>
< /PaymentInfo>
20/06/09 3
• Current security technologies provide several
specifications for web service applications. Such
as SSL, TLS
20/06/09 4
What is Security
Concrete Forms of Security:
• Confidentiality: can prying eyes see it?
• Authentication: are you who you say you are?
• Trust: have I agreed to work with you?
• Non-repudiation: can you claim you didn’t send
it even if you really did?
• Integrity: was it changed before I got it?
• Authorization: are you allowed to have it?
20/06/09 5
Issues with Current Web Security
Schemes
SSL/TLS/HTTPS
20/06/09 6
New opportunities
20/06/09 7
XML &Web Services Security
Standards
XML Digital Signature
XML Encryption
XKMS( XML Key Management Specification)
XACML (eXtensible Access Control Markup
Language)
SAML (Security Assertion Markup Language)
WS-Security
20/06/09 8
Standards Framework
20/06/09 9
XML Signature
• Digital signatures are an important
element in electronic security because
they can be used to ensure the integrity,
authentication, and non-repudiation of
data.
- XML syntax for representing signature of web
20/06/09 11
XML Signature Types
There are three types of XML Signature:
Enveloped: The XML Signature is included in the XML document. It is
a child element of the XML document.
For example, <document>
<signature> ….</signature>
</document>
Signed Document
Signature
SignedInfo
Reference
20/06/09 12
XML Signature Types
SignedInfo
Reference
Object
Signed Data
20/06/09 13
XML Signature Types
Detached: The XML Signature is included in a separate document
from the signed document.
For example, <signature>…</signature>
Signed Data
Signature
SignedInfo
Reference
Reference
20/06/09 15
Example XML Signature
20/06/09 16
XML Encryption
What is XML Encryption
The XML Encryption Syntax and Processing specification
defines an XML vocabulary and processing rules for
protecting confidentiality of XML document.
Defines:
– XML syntax for encrypted data
– Encrypting/decrypting such data
– Can encrypt only certain parts of document
20/06/09 17
XML Encryption and SSL
– SSL encrypts all the data transmitted
through an SSL channel
– XML Encryption can encrypt the portions
of data selectively
for example: A specific element within an XML
document
20/06/09 18
XML Encryption Structure
<EncryptedData> Encryption Element
<EncryptionMethod> Encryption algorithm
20/06/09 19
Example of Encryption
In this example only encrypts the elements of <CreditCard> element
20/06/09 20
XKMS(XML Key Management
Specification)
What is XKMS?
– XKMS defines protocol between XKMS client and XKMS
server for performing public-key infrastructure (PKI)
operations.
public key registration
public key validation
public key discovery
public key revocation
– XKMS server provides trust service in the form of a Web
service
– Used along with XML digital signing and encryption
20/06/09 21
Why XKMS?
20/06/09 22
XKMS Specifications
20/06/09 23
XACML (eXtensible Access Control
Markup Language)
• XACML is an XML specification for
expressing fine-grained information
access policies in XML documents or any
other electronic resources
• Access control lists in XACML are 4-
tuples: subjects, target objects, permitted
action, provision
20/06/09 24
Why XACML?
Standardize access control language in
XML
- Extensible language with flexible semantics
Lower costs
- No need to write policy in several languages
Simpler
- Admins only need to understand one language
Policy composition
- Policies written by different parties can be combined
20/06/09 25
XACML Use Case
2. A patient has patient record including mental
problem notes.
3. The patient grants access right to mental
problem notes only to primary care doctor.
4. The primary care doctor grants access to
patient record to associate doctor with
access restriction so that associate doctor
has no access to mental problem notes.
20/06/09 26
SAML (Security Assertion Markup
Language)
What SAML?
- SAML defines an XML framework for exchanging
authentication and authorization information.
20/06/09 27
Why SAML?
20/06/09 28
SAML Use case
20/06/09 29
WS-Security
WS-Security Specification
• Defines new SOAP extensions to provide
pre-message authentication, as well as
end-to-end message confidentiality using
XML Encryption and end-to-end message
integrity using XML Digital Signature in a
Web services environment.
20/06/09 30
How they work together
SAML and Other Standards
• SAML and XML digital signature
– XML Digital signature is used to sign and canonical SAML
assertions
• SAML and XML Encryption
– XML Encryption is used for encrypting and decrypting SAML
assertions
• SAML AND XKMS
– SAML could be secured by XKMS-based PKI
20/06/09 31
SAML and Other Standards
• SAML and XACML
– XACML could be used to define access control /policy as a basis for
handling SAML assertion request
20/06/09 32
Conclusion
• This topic has presented a brief introduction to
XML and Web services security standards and
how they work together.
20/06/09 33