Web Service Security
CSCI5931 Web Security
Instructor: Dr. T. Andrew Yang
Student: Jue Wang
Outline
Introduction
Web Services Security Model Terminology
Web Services Security Specification
Relating Web Services Security to Today’s Security Models
Scenarios
References
Introduction
What is web service security?
WS-Security is flexible and is designed to be used as the basis for the construction of a
wide variety of security models, including PKI, Kerberos, and SSL.
What are the goals of web service security?
The goal of WS-Security is to enable applications to construct secure SOAP message
exchange.
What are the requirements of web service security?
• Multiple security tokens for authentication or authorization
• Multiple trust domains
• Multiple encryption technologies
• End-to-end message-level security and not just transport-level security
Web Services Security Model Terminology
Web service
The term is broadly applicable to a wide variety of network-based application topologies.
Security Token
A security token is a representation of security-related information
(e.g. an X.509 certificate, Kerberos tickets and authenticators, mobile device
security from SIM cards, a username, etc.).
Signed Security Token
It contains a set of related claims cryptographically endorsed by an issuer.
Web Services Security Model Terminology
Claims
A claim is a statement about a subject, made either by the subject or by a relying party, that
associates the subject with the claim.
Subject
The subject of the security token is a principal about which the claims
expressed in the security token apply.
Proof-of-Possession
Information used in the process of proving ownership of a security token
or set of claims.
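The three terms above (security token, claims, proof-of-possession) come together in the simplest WS-Security token, the UsernameToken. The added example below is not from the slides or from the WS-Security specification; it implements the PasswordDigest form of the token as later standardised in the OASIS WSS UsernameToken Profile, whose namespace and type URIs are used here. The username is the claim, the token carries it, and the digest Base64(SHA-1(nonce + created + password)) is the proof-of-possession: the service can confirm the sender knows the password without the password ever being placed in the message. The service side also shows the checks a verifier needs (digest-only tokens, a freshness window on Created, and a nonce cache against replay). The user store, keys, timestamps and XML body are constructed sample values.

```python
"""UsernameToken with PasswordDigest: a security token whose digest proves
possession of the password without sending the password itself."""
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Callable, Optional, Set, Tuple

# Namespaces and type URIs from the OASIS WSS 1.0 UsernameToken Profile
# (the later standardised form of the WS-Security draft the slides describe).
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PROFILE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
DIGEST_TYPE = PROFILE + "#PasswordDigest"
TEXT_TYPE = PROFILE + "#PasswordText"
B64_TYPE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Base64(SHA-1(nonce + created + password)), as the profile defines it."""
    raw = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return base64.b64encode(raw).decode()


def build_envelope(username: str, password: str, body_xml: str,
                   nonce: Optional[bytes] = None, created: Optional[str] = None) -> str:
    """Client side: wrap body_xml in a SOAP envelope carrying a digest UsernameToken."""
    nonce = os.urandom(16) if nonce is None else nonce
    created = created or datetime.now(timezone.utc).strftime(TIME_FMT)
    digest = password_digest(nonce, created, password)
    return (
        f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Header>'
        f'<wsse:Security xmlns:wsse="{WSSE_NS}" xmlns:wsu="{WSU_NS}"><wsse:UsernameToken>'
        f'<wsse:Username>{username}</wsse:Username>'
        f'<wsse:Password Type="{DIGEST_TYPE}">{digest}</wsse:Password>'
        f'<wsse:Nonce EncodingType="{B64_TYPE}">{base64.b64encode(nonce).decode()}</wsse:Nonce>'
        f'<wsu:Created>{created}</wsu:Created>'
        f'</wsse:UsernameToken></wsse:Security></soap:Header>'
        f'<soap:Body>{body_xml}</soap:Body></soap:Envelope>'
    )


def verify_envelope(envelope_xml: str, password_for: Callable[[str], Optional[str]],
                    seen_nonces: Set[bytes], now: Optional[str] = None,
                    max_age_seconds: int = 300) -> Tuple[bool, str]:
    """Service side: check the token and return (accepted, username-or-reason).

    seen_nonces is the caller's replay cache; a nonce is added only after
    the digest has verified, so a forger cannot poison the cache."""
    tok = ET.fromstring(envelope_xml).find(f".//{{{WSSE_NS}}}UsernameToken")
    if tok is None:
        return False, "no UsernameToken"
    username = tok.findtext(f"{{{WSSE_NS}}}Username")
    pw_el = tok.find(f"{{{WSSE_NS}}}Password")
    nonce_el = tok.find(f"{{{WSSE_NS}}}Nonce")
    created = tok.findtext(f"{{{WSU_NS}}}Created")
    if username is None or pw_el is None or nonce_el is None or created is None:
        return False, "incomplete token"
    if pw_el.get("Type") != DIGEST_TYPE:
        # A PasswordText token would carry the secret itself; this service only accepts digests.
        return False, "cleartext password rejected"
    nonce = base64.b64decode(nonce_el.text or "")
    created_dt = datetime.strptime(created, TIME_FMT).replace(tzinfo=timezone.utc)
    now_dt = (datetime.strptime(now, TIME_FMT).replace(tzinfo=timezone.utc)
              if now else datetime.now(timezone.utc))
    if abs((now_dt - created_dt).total_seconds()) > max_age_seconds:
        return False, "stale Created timestamp"
    if nonce in seen_nonces:
        return False, "replayed nonce"
    password = password_for(username)
    if password is None:
        return False, "unknown user"
    expected = password_digest(nonce, created, password)
    if not hmac.compare_digest(expected, (pw_el.text or "").strip()):
        return False, "bad digest"
    seen_nonces.add(nonce)
    return True, username


if __name__ == "__main__":
    users = {"alice": "correct horse battery staple"}  # constructed sample credential store
    cache: Set[bytes] = set()
    env = build_envelope("alice", users["alice"], '<GetQuote symbol="EX"/>')
    print(verify_envelope(env, users.get, cache))  # (True, 'alice')
    print(verify_envelope(env, users.get, cache))  # (False, 'replayed nonce')
```

Two design points worth noting: the digest is only a proof of possession, not a signature, so it binds nothing in the SOAP body; and SHA-1 with a short nonce offers no protection if the password itself is weak, which is why the profile is normally combined with transport confidentiality or a signed token.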
Web Service Security Model Terminology
Web Service Endpoint Policy
Web services have complete flexibility in specifying the claims they require in
order to process messages.
Claim Requirements
Claim requirements can apply to whole messages or to elements of messages, to all actions of
a given type, or only to actions under certain circumstances.
Intermediaries
Intermediaries perform actions such as routing the message or even modifying it.
Actor
An intermediary or endpoint which is identified by a URI and which processes a
SOAP message.
Web Services Security Specifications
The combination of security specifications, related activities, and
interoperability profiles will enable customers to easily build
interoperable secure Web services.
Figure. Web Services Security Specifications (layered roadmap, listed bottom to top):
• SOAP Foundation
• WS-Security
• WS-Policy, WS-Trust, WS-Privacy
• WS-SecureConversation, WS-Federation, WS-Authorization
(The label "Today" in the figure marks the SOAP Foundation and WS-Security layers.)
Relating WS-Security to Today’s Security Models
Transport Security
Existing transport technologies can provide simple point-to-point integrity and
confidentiality for a message. WS-Security is designed to provide end-to-end integrity and
confidentiality across multiple transports, intermediaries, and transmission protocols.
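The difference between point-to-point and end-to-end protection, stated as a requirement in the introduction and again here, is easiest to see with an intermediary in the path. The added example below is not from the slides or from any WS-Security implementation; it simulates both models on a small SOAP-like message. Transport protection is modelled as one HMAC per hop (a stand-in for SSL on each link), which the intermediary must terminate and re-apply, so a modified body is re-protected and the receiver cannot tell. Message-level protection is modelled as an HMAC over the body under the sender's own key (a stand-in for an XML Signature verified against the sender's X.509 token), which the intermediary does not hold, so it can add routing headers but any change to the body is detected at the receiver. Keys, the purchase-order body and the intermediary's name are constructed sample values.

```python
"""Point-to-point (transport) protection vs end-to-end (message-level) protection
when a SOAP message passes through an intermediary."""
import hashlib
import hmac
import json
from copy import deepcopy

# Constructed sample keys: one per transport hop, plus the sender's own signing key.
HOP_KEY_SENDER_TO_INTERMEDIARY = b"hop-key-A"
HOP_KEY_INTERMEDIARY_TO_RECEIVER = b"hop-key-B"
SENDER_KEY = b"sender-signing-key"   # the intermediary never holds this one

# Constructed sample SOAP body.
ORDER_BODY = "<PurchaseOrder><Item>widget</Item><Quantity>100</Quantity></PurchaseOrder>"


def mac(key: bytes, data: str) -> str:
    return hmac.new(key, data.encode(), hashlib.sha256).hexdigest()


def envelope_bytes(msg: dict) -> str:
    """Deterministic serialisation of headers+body, standing in for XML canonicalisation."""
    return json.dumps({"headers": msg["headers"], "body": msg["body"]}, sort_keys=True)


# --- transport-level protection: each hop protects only its own link -------------
def transport_send(msg: dict, hop_key: bytes) -> dict:
    wire = deepcopy(msg)
    wire["hop_mac"] = mac(hop_key, envelope_bytes(msg))
    return wire


def transport_receive(wire: dict, hop_key: bytes) -> dict:
    if not hmac.compare_digest(mac(hop_key, envelope_bytes(wire)), wire["hop_mac"]):
        raise ValueError("link integrity check failed")
    return {"headers": wire["headers"], "body": wire["body"]}


# --- message-level protection: the sender signs the body, whoever forwards it ----
def message_sign(msg: dict, sender_key: bytes) -> dict:
    signed = deepcopy(msg)
    signed["headers"].append(
        {"Security": {"Reference": "Body", "SignatureValue": mac(sender_key, msg["body"])}})
    return signed


def message_verify(msg: dict, sender_key: bytes) -> bool:
    for header in msg["headers"]:
        if "Security" in header:
            expected = mac(sender_key, msg["body"])
            return hmac.compare_digest(expected, header["Security"]["SignatureValue"])
    return False  # unsigned message: nothing to trust


def intermediary(msg: dict, tamper: bool) -> dict:
    """A legitimate actor adds a routing header; a compromised one also edits the body."""
    out = deepcopy(msg)
    out["headers"].append({"Routing": {"via": "intermediary.example"}})
    if tamper:
        out["body"] = out["body"].replace("<Quantity>100<", "<Quantity>1000<")
    return out


def transport_scenario(tamper: bool) -> dict:
    """Sender -> intermediary -> receiver with per-hop protection only."""
    msg = {"headers": [], "body": ORDER_BODY}
    hop1 = transport_send(msg, HOP_KEY_SENDER_TO_INTERMEDIARY)
    at_intermediary = transport_receive(hop1, HOP_KEY_SENDER_TO_INTERMEDIARY)  # link terminated here
    forwarded = intermediary(at_intermediary, tamper)
    hop2 = transport_send(forwarded, HOP_KEY_INTERMEDIARY_TO_RECEIVER)         # re-protected by the middle
    try:
        at_receiver = transport_receive(hop2, HOP_KEY_INTERMEDIARY_TO_RECEIVER)
    except ValueError:
        return {"accepted": False, "body_intact": False}
    return {"accepted": True, "body_intact": at_receiver["body"] == ORDER_BODY}


def message_level_scenario(tamper: bool) -> dict:
    """Same path, but the body carries the sender's signature end to end."""
    signed = message_sign({"headers": [], "body": ORDER_BODY}, SENDER_KEY)
    forwarded = intermediary(signed, tamper)
    return {"accepted": message_verify(forwarded, SENDER_KEY),
            "body_intact": forwarded["body"] == ORDER_BODY}


if __name__ == "__main__":
    print("transport, honest middle:   ", transport_scenario(False))      # accepted, intact
    print("transport, tampering middle:", transport_scenario(True))       # accepted, NOT intact
    print("message-level, honest:      ", message_level_scenario(False))  # accepted, intact
    print("message-level, tampering:   ", message_level_scenario(True))   # rejected
```

The transport run with a tampering intermediary is the case the slide is about: every link check passes, yet the receiver holds a body the sender never wrote. In the message-level run the intermediary can still do its job (the routing header it adds is outside the signed reference), which is what lets WS-Security work across intermediaries at all. Real deployments typically use both, transport protection for confidentiality on each link and message-level signatures for end-to-end integrity.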
PKI
The PKI model involves certificate authorities issuing certificates with public
asymmetric keys. The WS-Security model supports security token services
issuing security tokens using public asymmetric keys.
Kerberos
The Kerberos model relies on communication with the Key Distribution
Center to broker trust between parties by issuing symmetric keys encrypted for
both parties. The web services model builds upon this core model, with
security token services brokering trust by issuing security tokens.
Scenarios
Scenarios supported by the proposed initial specifications
and associated deliverables:
Direct Trust using Username/Password and Transport-Level Security
Direct Trust using Security Tokens
Security Token Acquisition
Firewall Processing
Issued Security Token
Enforcing Business Policy
Privacy
Web Clients
Mobile Clients
Scenarios
These scenarios can be built on the current deliverables,
like WS-SecureConversation.
Enabling Federation
Validation Service
Supporting Delegation
Access Control
Auditing
References
• Web Services Security
• [Kerberos] J. Kohl and C. Neuman, “The Kerberos Network Authentication Service (V5)”
• [SOAP] W3C Note, “SOAP: Simple Object Access Protocol 1.1”
• [WS-Routing] H. Nielsen, S. Thatte, “Web Services Routing Protocol”, Microsoft
• [X509] S. Santesson, et al., “Internet X.509 Public Key Infrastructure Qualified Certificates Profile”
• [XML-Encrypt] W3C Working Draft, “XML Encryption Syntax and Processing”