web services security, identity management and liberty
TRANSCRIPT
-
8/14/2019 Web Services Security, Identity Management and Liberty
1/56
Web Services Security
Sang Shin, [email protected]
www.javapassion.com/webservices
Java Technology Evangelist, Sun Microsystems, Inc.
Disclaimer & Acknowledgments

Even though Sang Shin is a full-time employee of Sun Microsystems, the contents here are created as his own personal endeavor and thus do not reflect any official stance of Sun Microsystems. Sun Microsystems is not responsible for any inaccuracies in the contents.

Acknowledgments
- Some slides are borrowed from Eve Maler (Sun)
- Some slides are borrowed from Rima Patel (Sun)

Revision History
- 02/01/2004: created (Sang Shin)

Things to do
- Speaker notes need to be added
- Contents need some polishing

03/29/2004
Why More Stringent Security for Web Services?
- Point of interaction is more over the internet (as opposed to within an intranet)
- Interaction between partners with no previously established relationship
- Program to program interaction (as opposed to human to program interaction)
- More dynamic interaction (as opposed to static interaction)
- Larger number of service providers and users
Issues with Current Web Security Schemes: SSL/TLS/HTTPS
- Transport level security (as opposed to message level security)
- Point-to-point security only; does not handle end-to-end multi-hopped messaging security
- Security only when data is on the wire; does not secure data off the wire
- HTTPS does not support non-repudiation
- HTTP might not be the only transport used
- No element-wise signing and encryption

Can today's web security model handle web services?
- The practical maximum is HTTPS using SSL
  - Transient point-to-point encrypted communication with known trusted parties: authentication of the parties and confidentiality of the data in motion
- Web services can and do use this, but it's insufficient in several ways
  - Not granular enough: it encrypts everything
  - Inflexible about routing; it's just point-to-point
  - No chance for auditing what's going on
  - Can't avoid repudiation; it's not signing the data

Web Services Security Requirements
Granularity, extensibility, and transparency in SOAP

[Figure: a SOAP message travelling from the Requester through Intermediary 1 and Intermediary 2 to the Responder. The SOAP body is carried end to end on every hop, while the individual headers (Header A, B, C, D) are added, consumed or forwarded by the intermediaries along the way.]
Simple scenario: applying for a business loan

[Figure: three parties, a business in need of cash, a credit report company and a bank, exchange these messages:
1. request credit score (business to credit report company)
2. send credit score (credit report company to business)
3. collect inventory data as collateral
4. aggregate data and send loan request (business to bank)
5. log and timestamp loan request (bank)
6. send response to loan request (bank to business)]
Requirements in this scenario
- The business needs to prove its identity to the credit report company and the bank (authentication)
- The credit report company needs to know that their paying customer won't back out maliciously after sending the request (non-repudiation)
- The credit report company needs to prove it supplied the credit score itself (authentication)
- All the message content needs to reach its various destinations unchanged (integrity) and be safe from competitors' eyes (confidentiality)
- The bank needs to record the receipt of the application (auditing)
Matching requirements to technologies

Requirement      | Technologies
-----------------|------------------------------------------------------------------------
Auditing         | Various forms of logging, themselves secured to avoid tampering
Authorization    | Application of policy, access control, digital rights management
Integrity        | Message digest, itself authenticated with a digital signature
Non-repudiation  | Key-based digital signing and signature verification, message reliability
Trust            | Key-based digital signing and signature verification
Authentication   | Username/password, key-based digital signing and signature verification, challenge-response, biometrics, smart cards, etc.
Confidentiality  | Key-based digital encryption and decryption
New challenges
- Inter-enterprise web services are dealing with incompletely trusted clients
  - RPC-style services have special needs: is the caller authorized to ask for this computer action?
- End-to-end isn't just point-to-point
  - SOAP intermediaries: the original author wrote the payload, but many intermediate senders may touch the message afterwards
  - Long-running choreographed conversations with multiple requests, responses, and forks

New opportunities
- The pace of application and service creation is increasing
  - How can we make it easier for developers to add high-quality security features?
- The web services security infrastructure can take advantage of XML's granularity
  - Encrypting or signing selected portions
  - Acting on and rewriting individual headers
  - Hardware appliances could accelerate these functions
- Security-related applications can themselves become web services
  - Providers of security, identity, and provisioning solutions can interoperate better

Web Services Security Frameworks
WUST security infrastructure standards

[Figure: layered stack of standards. SOAP and SwA at the base; WS-Security above them, built on XML Signature and XML Encryption and carrying SAML, Kerberos and X.509 tokens, with XrML and QOP(?) alongside; WSDL descriptions of endpoint security requirements; WS-Coordination and WS-Transaction(?) at the top. Result: authenticated, confidentiality-protected web service messages with the potential to be authorized.]
Where these technologies are applied in our scenario

[Figure: the business-loan scenario again (business in need of cash, credit report company, bank; steps 1 request credit score, 2 send credit score, 3 collect inventory data as collateral, 4 aggregate data and send loan request, 5 log and timestamp loan request, 6 send response to loan request), annotated with where each security technology applies.]
Quick reference

Standard        | Venue      | Status
----------------|------------|------------------------------------------------------------
XrML            | OASIS      | Working draft stages; previous private spec; IPR issues
SAML            | OASIS      | 1.0 in OASIS Standard balloting; expected to pass
X.509           | ITU, IETF  | Well established authentication technology using public/private keys
Kerberos        | IETF       | Well established authentication technology using symmetric keys
WS-Security     | OASIS      | Working drafts; previous private specs; may ultimately include Quality of Protection (QOP) work on top of WSDL
XML Encryption  | W3C        | Recommendation, Candidate Rec stages
XML Signature   | W3C, IETF  | Recommendation stage

XML & Web Services Security Standards
The standards ecosystem

[Figure: standards plotted by stability (Early Draft, Mature Draft, V1 Complete) against venue (W3C, OASIS, Liberty, Private): WSPL, WS-Policy, WSS, XCBF, XKMS, XML Enc, XML Sig, C14N, SAML, XACML, ID-FF 1.1, ID-FF 1.2, ID-WSF 1.0.]
XML & Web Services Security Schemes
- XML Digital Signature
- XML Encryption
- XKMS (XML Key Management Specification)
- XACML (eXtensible Access Control Markup Language)
- SAML (Security Assertion Markup Language)
- WS-Security
- Identity Management & Liberty Project

XML Signature
What is XML Digital Signature?
- Authentication, data integrity (tamper-proofing), non-repudiation
- Joint W3C/IETF effort
  - XML syntax for representing signatures of web resources and portions thereof
  - Procedures for computing and verifying such signatures
  - Canonicalization of XML data
  - Trust in the key is out of scope
- Specs: W3C Recommendation, RFC 3075
- JSR-105

Why XML Digital Signature?
- Very flexible, thus can support a diverse set of internet transaction models
  - Can sign individual items of an XML document
  - Can sign multiple items
  - Can sign both local and remote objects
    - Allows detached signatures that apply to remote, URI-referenced content
  - Can sign both XML and non-XML content
  - Allows multiple levels of signing (different signing semantics) on the same content
    - Sign, co-sign, witness, notarize, etc.
XML Signature: Types of XML Signature

XML Signature Forms
- Enveloped
- Enveloping
- Detached

XML Signature: Enveloped
<doc Id="myID">
  <myElement>...</myElement>
  <Signature>
    ...
    <Reference URI="#myID"/>
    ...
  </Signature>
</doc>
The signature is enveloped within the content being signed.

XML Signature: Enveloping
<Signature>
  ...
  <Reference URI="#myRefObjectID"/>
  ...
  <Object Id="myRefObjectID">
    <doc>
      <myElement>...</myElement>
      ...
    </doc>
  </Object>
</Signature>
The signature envelopes the contents to be signed.
XML Signature: Detached
<Signature>
  ...
  <Reference URI="http://www.buy.com/books/purchaseWS"/>
  ...
</Signature>
The signature is external to the content that is signed.

XML Signature: Structure of XML Signature

XML Signature Structure
<Signature>                      <- Signature element
  <SignedInfo>                   <- signed and digested
    <CanonicalizationMethod/>
    <SignatureMethod/>
    <Reference>                  <- applied to referenced content
      <Transforms>
        <Transform/>
        <Transform/>
      </Transforms>
      <DigestMethod/>
      <DigestValue/>
    </Reference>
  </SignedInfo>
  <SignatureValue/>
  <KeyInfo/>                     <- key related information
</Signature>
Example of Signed Purchase Order

[Slide: a signed purchase order; its XML markup was lost in extraction and only these values survive: a digest value qZk+nkcGcWq6piVxeFdcbJzQ2JO=, a (truncated) signature value IWijxQjUrcXBYc0ei4QxjWo9Kg8Dep9tlWoT4SdeRT87GH03dgh, and the X.509 subject name CN=Alice Smith, STREET=742 Park Avenue, L=New York, ST=NY, C=US.]

<Signature> element
- Parent element of the XML Signature structure
- Contains <SignedInfo>, <SignatureValue> and <KeyInfo>

<SignedInfo> element
- Consists of the specification of the information that is signed
- Contains <CanonicalizationMethod>, <SignatureMethod> and <Reference> (one or more)

<CanonicalizationMethod> element
- Specifies the algorithm (identified through a URI) used for canonicalization of XML
<SignatureMethod> element
- Specifies the algorithm (identified through a URI) used for generation and validation of signatures
- For example, http://www.w3.org/2000/09/xmldsig#dsa-sha1 specifies the DSA (Digital Signature Algorithm)

<Reference> element
- References the actual data stream (through a URI) that would be signed
- This data stream would be hashed (digested) after applying appropriate transformations (if any)
- Contains <Transforms>, <DigestMethod> and <DigestValue>

<Transforms> element
- Specifies all the transformations that would be applied to the to-be-signed content
- The input to the first transformation is the result of dereferencing the URI attribute of the <Reference> element
- The output of the last transformation is then digested
- Contains a list of <Transform> elements
- Transformation examples: Base64 encoding (MIME), Canonicalization (XML-C14N), XSLT
<Transform> element
- Specifies the transformation algorithm in use
- Content: parameters for the given algorithm, if any
  - For example, some transformations may require an explicit MIME type or charset (IANA, for instance) or other such information concerning the data they receive from an earlier <Transform>
- Application-specific transformation algorithms are also allowed
  - For example, a compression routine implemented as a Java class, specified by a base64-encoded content parameter

<SignatureValue> element
- Contains the base64-encoded value of the digital signature

<KeyInfo> element
- Optional element
- Allows specifying trust information either
  - explicitly, by specifying a raw public key or an X.509 certificate, or
  - implicitly, by specifying the URI of a remotely located public key via the <RetrievalMethod> element
<KeyInfo> element (contd.)
- Very important element
- Leveraged by the rest of the security specifications, i.e. XML Encryption, XML Key Management Services, Security Assertion Markup Language
- Contains
  - <KeyName>: a text identifier
  - <KeyValue>: RSA or DSA public key, in base64
  - <RetrievalMethod>: remotely references the public key via a URI
  - <X509Data>: X.509 certificate related data
  - <PGPData>: PGP related data
  - <SPKIData>: SPKI certificate related data
  - Key negotiation algorithm related parameters, such as Diffie-Hellman

A note on <KeyInfo>
- The following are out of scope of XML Signature:
  - Trust in the key information specified by <KeyInfo>
  - Verification of the key information specified by <KeyInfo>
- Although this can be delegated to an XKMS Trust Service, as we will see later
Canonicalization
- Canonicalization presents a method for testing logical equivalence of XML documents
- It generates a physical form, a.k.a. canonical form, of an XML document such that if two XML documents can be reduced to the same canonical form, they are considered logically equivalent within the given context

Canonicalization (contd.)
- Proving logical equivalence is important for application areas such as checksums and digital signatures
- Consider the XML fragments below:
    <Reservation Type="Hotel" Id="12345">
    <Reservation Id="12345" Type="Hotel">
  They are logically equivalent, but will fail an equivalence test in byte comparison.

Canonicalization and XML Signature
- Digital signature over the canonical form of an XML document or document subset
- Allows the signature digest to be oblivious to changes in the original document's physical representation
- Provided the changes are defined to be logically equivalent by XML 1.0 or Namespaces in XML

Canonical XML
- Defines an algorithm that generates the canonical form of a given XML document or document subset
- Effort hosted by the XML Signature Working Group of W3C
- Started in 1999
- http://www.ietf.org/rfc/rfc3076.txt
Example of Canonical XML
<?xml version="1.0"?>
<?xml-stylesheet href="doc.xsl" type="text/xsl"?>
<!DOCTYPE doc SYSTEM "doc.dtd">
<doc>Hello, world!<!-- Comment 1 --></doc>
<?pi-without-data?>
<!-- Comment 2 -->
<!-- Comment 3 -->

Example of Canonical XML (contd.)
- The canonical form of the given XML would
  - lose the XML declaration
  - lose the DTD
  - lose the whitespace between a PI target and its data
  - have the comments removed, in the uncommented canonical form

Example of Canonical XML (contd.)
Canonical form with all the comments removed:
<?xml-stylesheet href="doc.xsl" type="text/xsl"?>
<doc>Hello, world!</doc>
<?pi-without-data?>

Canonical form with all the comments:
<?xml-stylesheet href="doc.xsl" type="text/xsl"?>
<doc>Hello, world!<!-- Comment 1 --></doc>
<?pi-without-data?>
<!-- Comment 2 -->
<!-- Comment 3 -->

Process of signing
- Generate references by
  - Applying transforms (<Transforms>) to the data to be signed, if needed
  - Calculating the digest (<DigestValue>)
- Generate the signature by
  - Placing the <Reference> element(s) into <SignedInfo>
  - Calculating <SignatureValue> over <SignedInfo>
  - Placing <SignatureValue> into <Signature>
Process of Validation
- Validate references by
  - Applying the transforms to the data source
  - Calculating the digest and then comparing it to <DigestValue>
- Validate the signature by
  - Retrieving the key from <KeyInfo> or another source of key information
  - Validating <SignatureValue>
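Canonicalization, the process of signing and the process of validation from the slides above, carried through as one runnable added example (standard-library Python, not code from the deck or from JSR 105): it signs the deck's PaymentInfo document with an enveloped XML Signature, then validates it unchanged, after an intermediary re-serializes it (canonicalization absorbs the byte differences), after tampering (reference validation fails) and with the wrong key (signature validation fails). Assumptions: the HMAC key, the KeyName, and the input document are constructed; hmac-sha1 stands in for RSA/DSA and Canonical XML 2.0 for Canonical XML 1.0 so that no third-party library is needed.

```python
"""Enveloped XML Signature generated and validated as the slides describe:
Reference -> Transforms -> DigestValue, then SignatureValue over the canonical
SignedInfo. Standard library only: SignatureMethod is XMLDSig's hmac-sha1 (a
required algorithm of the spec), so no RSA/DSA library is needed, and C14N is
xml.etree.ElementTree.canonicalize (Canonical XML 2.0, Python 3.8+) rather than
the Canonical XML 1.0 the slides cite. Added example, not code from the deck."""
import base64
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
C14N2 = "http://www.w3.org/2010/xml-c14n2"  # Canonical XML 2.0 identifier
ENVELOPED, SHA1, HMAC_SHA1 = DS + "enveloped-signature", DS + "sha1", DS + "hmac-sha1"
ET.register_namespace("ds", DS)

# Constructed input modelled on the deck's PaymentInfo example document.
PAYMENT_INFO = (
    "<PaymentInfo xmlns='http://example.org/paymentv2'><Name>John Smith</Name>"
    "<CreditCard Limit='5,000' Currency='USD'><Number>4019 2445 0277 5567</Number>"
    "<Issuer>Example Bank</Issuer><Expiration>04/02</Expiration></CreditCard>"
    "</PaymentInfo>"
)
KEY = b"demo-shared-hmac-key"  # constructed; with HMAC both parties hold it


def _c14n(elem) -> bytes:
    """Canonical octets of a subtree. rewrite_prefixes makes the result
    independent of which namespace prefixes a serializer happened to pick."""
    return ET.canonicalize(ET.tostring(elem, encoding="unicode"),
                           rewrite_prefixes=True).encode("utf-8")


def _reference_digest(root) -> str:
    """Reference processing for URI="": dereference the whole document, apply the
    enveloped-signature transform (drop ds:Signature), canonicalize, SHA-1."""
    work = copy.deepcopy(root)
    for sig in work.findall(f"{{{DS}}}Signature"):
        work.remove(sig)
    return base64.b64encode(hashlib.sha1(_c14n(work)).digest()).decode()


def sign_enveloped(xml_text: str, key: bytes) -> str:
    """Generation: build Reference and SignedInfo, compute SignatureValue over the
    canonical SignedInfo, then envelope ds:Signature inside the signed root."""
    root = ET.fromstring(xml_text)
    signed_info = ET.fromstring(
        f'<ds:SignedInfo xmlns:ds="{DS}">'
        f'<ds:CanonicalizationMethod Algorithm="{C14N2}"/>'
        f'<ds:SignatureMethod Algorithm="{HMAC_SHA1}"/>'
        '<ds:Reference URI="">'
        f'<ds:Transforms><ds:Transform Algorithm="{ENVELOPED}"/></ds:Transforms>'
        f'<ds:DigestMethod Algorithm="{SHA1}"/>'
        f"<ds:DigestValue>{_reference_digest(root)}</ds:DigestValue>"
        "</ds:Reference></ds:SignedInfo>"
    )
    mac = hmac.new(key, _c14n(signed_info), hashlib.sha1).digest()
    signature = ET.SubElement(root, f"{{{DS}}}Signature")
    signature.append(signed_info)
    ET.SubElement(signature, f"{{{DS}}}SignatureValue").text = base64.b64encode(mac).decode()
    key_info = ET.SubElement(signature, f"{{{DS}}}KeyInfo")
    ET.SubElement(key_info, f"{{{DS}}}KeyName").text = "demo-hmac-key"  # constructed name
    return ET.tostring(root, encoding="unicode")


def validate_enveloped(signed_xml: str, key: bytes) -> dict:
    """Core validation as on the slides: (1) recompute the Reference DigestValue;
    (2) recompute SignatureValue over canonical SignedInfo. Both must pass."""
    root = ET.fromstring(signed_xml)
    sig = root.find(f"{{{DS}}}Signature")
    signed_info = sig.find(f"{{{DS}}}SignedInfo")
    stored_digest = signed_info.findtext(f"{{{DS}}}Reference/{{{DS}}}DigestValue")
    reference_ok = hmac.compare_digest(stored_digest, _reference_digest(root))
    stored_mac = base64.b64decode(sig.findtext(f"{{{DS}}}SignatureValue"))
    expected_mac = hmac.new(key, _c14n(signed_info), hashlib.sha1).digest()
    signature_ok = hmac.compare_digest(stored_mac, expected_mac)
    return {"reference": reference_ok, "signature": signature_ok,
            "core_valid": reference_ok and signature_ok}


def reserialize(signed_xml: str) -> str:
    """An intermediary re-serializes the message: attribute order and quoting
    change, so the bytes differ but the logical content does not."""
    return signed_xml.replace('Limit="5,000" Currency="USD"',
                              "Currency='USD'   Limit='5,000'")


def tamper(signed_xml: str) -> str:
    """Change signed content without touching the Signature element."""
    return signed_xml.replace("4019 2445 0277 5567", "4019 2445 0277 0000")


if __name__ == "__main__":
    signed = sign_enveloped(PAYMENT_INFO, KEY)
    print(validate_enveloped(signed, KEY))               # all True
    print(validate_enveloped(reserialize(signed), KEY))  # still all True (C14N)
    print(validate_enveloped(tamper(signed), KEY))       # reference False
    print(validate_enveloped(signed, b"wrong-key"))      # signature False
```

Note that after tampering the signature over SignedInfo still verifies; only the reference check catches the change, which is why core validity requires both steps.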
XML Signature: JSR 105

JSR 105 XML Signatures in Java
- Important JSR 105 APIs
  - XMLSignatureFactory
    - Abstract factory used to create XML Signatures from scratch
    - Implementations support a specific XML mechanism (ex: DOM)
  - XMLSignature
    - Contains methods for signing and validating
  - XMLSignContext
  - XMLValidateContext

JSR 105 XML Signatures in Java
Example of Enveloped Signature Generation (1)

// Assumes javax.xml.crypto.dsig.*, javax.xml.crypto.dsig.keyinfo.*, javax.xml.crypto.dsig.spec.* and java.util.Collections are imported
// First, create a DOM XMLSignatureFactory
XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
// Specify the algorithms for various things such as canonicalization (final JSR 105 constant names;
// the public-review draft shown in the deck called them SHA1_URI, WITH_COMMENTS_URI, RSA_SHA1_URI and ENVELOPED_URI)
DigestMethod dm = fac.newDigestMethod(DigestMethod.SHA1, null);
CanonicalizationMethod cm = fac.newCanonicalizationMethod(CanonicalizationMethod.INCLUSIVE_WITH_COMMENTS, (C14NMethodParameterSpec) null);
SignatureMethod sm = fac.newSignatureMethod(SignatureMethod.RSA_SHA1, null);
Transform tm = fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null);
// Create a Reference pointing to the document to be signed; URI "" denotes the whole document,
// and the enveloped transform excludes the Signature element itself from the digest
Reference ref = fac.newReference("", dm, Collections.singletonList(tm), null, null);
// Create a DOM KeyInfoFactory
KeyInfoFactory kifac = fac.getKeyInfoFactory();
Example of Enveloped Signature Generation (2)

// Create an X509Data KeyInfo type and insert the X.509 certificate
X509Data xd = kifac.newX509Data(Collections.singletonList(myX509Cert));
// Create KeyInfo
KeyInfo ki = kifac.newKeyInfo(Collections.singletonList(xd));
// Create SignedInfo
SignedInfo si = fac.newSignedInfo(cm, sm, Collections.singletonList(ref));
// Create XMLSignature
XMLSignature signature = fac.newXMLSignature(si, ki);
// Create XMLSignContext: the private key signs, and the Signature element is appended under the document element (enveloped)
XMLSignContext dsc = new DOMSignContext(privateKey, doc.getDocumentElement());
// Generate the XMLSignature (this also inserts the ds:Signature element into the DOM)
signature.sign(dsc);

JSR 105 XML Signatures in Java
Example of Enveloped Signature Validation

// Create a DOM XMLSignatureFactory
XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
// Create an XMLValidateContext from the validation key and the ds:Signature element;
// the key comes from a certificate the caller already trusts rather than from KeyInfo
XMLValidateContext dvc = new DOMValidateContext(myX509Cert.getPublicKey(), sigElement);
// Unmarshal the XMLSignature from the DOM
XMLSignature signature = fac.unmarshalXMLSignature(dvc);
// Validate the XMLSignature: core validity means every Reference digest matches and
// SignatureValue verifies over the canonicalized SignedInfo
boolean coreValidity = signature.validate(dvc);
XML Signature: Status

Status
- W3C Recommendation (Feb. 2002)
- At least 10 vendor implementations are available
  - Java WSDP
  - Apache open source implementation
  - Most J2EE vendors will support this even though it is not mandated in J2EE 1.4
- JSR-105 work in progress
  - Public review in progress (06/2003)
XML Encryption

What is XML Encryption?
- Data privacy (confidentiality)
- Defines XML syntax for encrypted data
  - Encrypting/decrypting such data
  - Can encrypt only certain parts of a document
- W3C Recommendation now
- JSR 106

XML Encryption and SSL
- SSL encrypts all the data transmitted through an SSL channel
- XML Encryption can encrypt portions of the data selectively
  - For example, a specific element within an XML document

Examples of using XML Encryption I

[Figure: a user (John) sends an order to Nile.com; the message carries "John Smith's Credit Info" and "John Smith's Purchase Info: 1 Book titled ...", and only the credit card info is encrypted on its way from the user to Nile.com.]
Examples of using XML Encryption II

[Figure: Nile.com forwards the message to creditcardprocessing.com; the credit card info is encrypted such that creditcardprocessing.com can later decrypt only the credit card info and not the purchase information. The message again carries "John Smith's Credit Info" and "John Smith's Purchase Info".]

XML Encryption: Structure of XML Encryption

Example of Encryption (only the creditcard element is encrypted)

[Slide: an encrypted purchase document; its XML markup was lost in extraction and only these values survive: Alice Smith ..., ABCD, SharedKey, A23B45C56 (the cipher value reused in the later examples), 8a32gh199081.]
XML Encryption Structure
<EncryptedData>                  <- encryption element
  <EncryptionMethod/>            <- encryption algorithm
  <ds:KeyInfo>                   <- key information
    <EncryptedKey/>
    <AgreementMethod/>
    <ds:KeyName/>
    <ds:RetrievalMethod/>
  </ds:KeyInfo>
  <CipherData>                   <- raw encrypted data
    <CipherValue/>
    <CipherReference/>
  </CipherData>
  <EncryptionProperties/>
</EncryptedData>
<EncryptedData> element
- Core element in the syntax
- Replaces the encrypted data in an XML document, or serves as a new document root
- Contains <EncryptionMethod>, <ds:KeyInfo>, <CipherData> and <EncryptionProperties>

<EncryptionMethod> element
- Optional element
- Specifies the encryption algorithm applied to the cipher data
- If absent, the encryption algorithm must be known to the recipient, else decryption will fail

<ds:KeyInfo> element
- Semantics as defined by the XML Signature specification
- Can contain additional elements defined by the XML Encryption syntax, i.e. <EncryptedKey> and <AgreementMethod>

<EncryptedKey> element
- Transports encryption keys to a known recipient
- Can be placed either
  - as a standalone XML document,
  - within an application XML document, or
  - inside an <EncryptedData> element, as a child of the <ds:KeyInfo> element
<AgreementMethod> element
- Can be used by the originator to identify the keys and computational procedures used to obtain a shared encryption key
- Carries an Algorithm attribute to specify the key agreement algorithm
  - For example, Diffie-Hellman

<AgreementMethod> element (contd.)
- XML Encryption does not provide an online key agreement negotiation protocol
- If the agreed key is being used to wrap a key rather than data, then <AgreementMethod> appears inside <ds:KeyInfo> inside an <EncryptedKey> element

Keying information for decryption of cipher data
- Can be provided in three ways:
  - The <EncryptedData> or <EncryptedKey> element specifies the keying info via its <ds:KeyInfo> child
  - A detached <EncryptedKey> element, referenced via <ds:KeyName> or via <ds:RetrievalMethod>
  - The keying material is automatically determined by the recipient based on the application context

<CipherData> element
- Provides the cipher data either
  - in the form of base64-encoded text in the <CipherValue> element, or
  - by providing a reference to an external location containing the encrypted octet sequence, specified by the <CipherReference> element
<CipherReference> element
- Identifies a source (via URI) which can yield the encrypted octet sequence
- Contains an optional sequence of <Transforms>
  - Data resulting from dereferencing the URI is transformed as specified in order to yield the intended cipher value
  - Syntax of <Transforms> similar to the XML Signature syntax

<EncryptionProperties> element
- Carries additional information concerning the generation of the <EncryptedData> or <EncryptedKey> element
  - For example, the serial number of cryptographic hardware used during encryption
- Contains <EncryptionProperty> elements

Encryption Granularity
- Encryption can be carried out at the following levels:
  - Encrypting an XML element
  - Encrypting XML element contents (elements)
  - Encrypting XML element contents (character data)
  - Encrypting arbitrary data and XML documents
  - Encrypting EncryptedData (super encryption)

Example XML Document
<?xml version='1.0'?>
<PaymentInfo xmlns='http://example.org/paymentv2'>
  <Name>John Smith</Name>
  <CreditCard Limit='5,000' Currency='USD'>
    <Number>4019 2445 0277 5567</Number>
    <Issuer>Example Bank</Issuer>
    <Expiration>04/02</Expiration>
  </CreditCard>
</PaymentInfo>
Encrypting XML Element
<?xml version='1.0'?>
<PaymentInfo xmlns='http://example.org/paymentv2'>
  <Name>John Smith</Name>
  <EncryptedData Type='http://www.w3.org/2001/04/xmlenc#Element'
                 xmlns='http://www.w3.org/2001/04/xmlenc#'>
    <CipherData>
      <CipherValue>A23B45C56</CipherValue>
    </CipherData>
  </EncryptedData>
</PaymentInfo>
Encrypting the entire <CreditCard> element.

Encrypting XML Element Contents (Elements)
<?xml version='1.0'?>
<PaymentInfo xmlns='http://example.org/paymentv2'>
  <Name>John Smith</Name>
  <CreditCard Limit='5,000' Currency='USD'>
    <EncryptedData xmlns='http://www.w3.org/2001/04/xmlenc#'
                   Type='http://www.w3.org/2001/04/xmlenc#Content'>
      <CipherData>
        <CipherValue>A23B45C56</CipherValue>
      </CipherData>
    </EncryptedData>
  </CreditCard>
</PaymentInfo>
Only encrypts the child elements of the <CreditCard> element.

Encrypting XML Element Contents (Character Data)
<?xml version='1.0'?>
<PaymentInfo xmlns='http://example.org/paymentv2'>
  <Name>John Smith</Name>
  <CreditCard Limit='5,000' Currency='USD'>
    <Number>
      <EncryptedData xmlns='http://www.w3.org/2001/04/xmlenc#'
                     Type='http://www.w3.org/2001/04/xmlenc#Content'>
        <CipherData>
          <CipherValue>A23B45C56</CipherValue>
        </CipherData>
      </EncryptedData>
    </Number>
    <Issuer>Example Bank</Issuer>
    <Expiration>04/02</Expiration>
  </CreditCard>
</PaymentInfo>
Only encrypts the credit card number.
Encrypting Arbitrary Data and XML Documents
<?xml version='1.0'?>
<EncryptedData xmlns='http://www.w3.org/2001/04/xmlenc#'
               MimeType='text/xml'>
  <CipherData>
    <CipherValue>A23B45C56</CipherValue>
  </CipherData>
</EncryptedData>
If the application scenario requires all information to be encrypted, the whole document is encrypted as an octet sequence. This applies to arbitrary data as well as XML documents.

Encrypting EncryptedData (Super Encryption)
<pay:PaymentInfo xmlns:pay='http://example.org/paymentv2'>
  <EncryptedData Id='ED1'
                 xmlns='http://www.w3.org/2001/04/xmlenc#'
                 Type='http://www.w3.org/2001/04/xmlenc#Element'>
    <CipherData>
      <CipherValue>originalEncryptedData</CipherValue>
    </CipherData>
  </EncryptedData>
</pay:PaymentInfo>
A valid super encryption of ED1 is shown below:

<pay:PaymentInfo xmlns:pay='http://example.org/paymentv2'>
  <EncryptedData Id='ED2'
                 xmlns='http://www.w3.org/2001/04/xmlenc#'
                 Type='http://www.w3.org/2001/04/xmlenc#Element'>
    <CipherData>
      <CipherValue>newEncryptedData</CipherValue>
    </CipherData>
  </EncryptedData>
</pay:PaymentInfo>
Here 'newEncryptedData' is the base64 encoding of the encrypted octet sequence resulting from encrypting the element with Id='ED1'.
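The granularity rules and the Element/Content examples above, as an added example (standard-library Python, not the deck's code or JSR 106): it replaces the CreditCard element, or only its content, with an EncryptedData built per the structure slide and then restores the original on the recipient side by reading Type and KeyName. Assumptions: the key bytes, the key name and the input document are constructed, and because the standard library has no AES the cipher is a labelled stand-in keystream under a constructed algorithm URI rather than the spec's AES/3DES-CBC.

```python
"""XML Encryption granularity as on the slides: replace a whole element
(Type=xmlenc#Element) or only its content (Type=xmlenc#Content) with an
<EncryptedData> carrying <EncryptionMethod>, <ds:KeyInfo>/<ds:KeyName> and
<CipherData>/<CipherValue>, then reverse it. Standard library only: the stdlib
has no AES, so the cipher is a stand-in keystream (HMAC-SHA256 over a random
nonce and block counter) under a constructed algorithm URI, not the AES/3DES-CBC
algorithms the spec defines. Added example, not code from the deck."""
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"
DS = "http://www.w3.org/2000/09/xmldsig#"
TYPE_ELEMENT, TYPE_CONTENT = XENC + "Element", XENC + "Content"
STANDIN_ALG = "urn:example:standin-keystream"  # constructed; not a spec algorithm
ET.register_namespace("xenc", XENC)
ET.register_namespace("ds", DS)

# Constructed input modelled on the deck's PaymentInfo document.
PAYMENT_INFO = (
    "<PaymentInfo xmlns='http://example.org/paymentv2'><Name>John Smith</Name>"
    "<CreditCard Limit='5,000' Currency='USD'><Number>4019 2445 0277 5567</Number>"
    "<Issuer>Example Bank</Issuer><Expiration>04/02</Expiration></CreditCard>"
    "</PaymentInfo>"
)
CREDIT_CARD = "{http://example.org/paymentv2}CreditCard"  # ElementTree path


def _standin_cipher(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR with an HMAC-derived keystream; the same call encrypts and decrypts."""
    stream = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))


def _encrypted_data(key: bytes, key_name: str, enc_type: str, plaintext: bytes):
    """Build <xenc:EncryptedData> with the children from the structure slide."""
    nonce = os.urandom(16)
    ed = ET.Element(f"{{{XENC}}}EncryptedData", Type=enc_type)
    ET.SubElement(ed, f"{{{XENC}}}EncryptionMethod", Algorithm=STANDIN_ALG)
    key_info = ET.SubElement(ed, f"{{{DS}}}KeyInfo")
    ET.SubElement(key_info, f"{{{DS}}}KeyName").text = key_name  # recipient looks key up
    cipher_data = ET.SubElement(ed, f"{{{XENC}}}CipherData")
    ET.SubElement(cipher_data, f"{{{XENC}}}CipherValue").text = base64.b64encode(
        nonce + _standin_cipher(key, nonce, plaintext)).decode()
    return ed


def encrypt(xml_text: str, path: str, key: bytes, key_name: str, content_only: bool) -> str:
    """Encrypt the element found at `path` wholesale, or only its content."""
    root = ET.fromstring(xml_text)
    target = root.find(path)
    if content_only:  # element name and attributes stay visible, content does not
        plaintext = (target.text or "").encode() + b"".join(ET.tostring(c) for c in target)
        ed = _encrypted_data(key, key_name, TYPE_CONTENT, plaintext)
        target.text = None
        for child in list(target):
            target.remove(child)
        target.append(ed)
    else:  # the whole element, its name and attributes included, is hidden
        parent = next(p for p in root.iter() if target in list(p))
        ed = _encrypted_data(key, key_name, TYPE_ELEMENT, ET.tostring(target))
        ed.tail = target.tail
        index = list(parent).index(target)
        parent.remove(target)
        parent.insert(index, ed)
    return ET.tostring(root, encoding="unicode")


def decrypt(xml_text: str, keys: dict) -> str:
    """Recipient side: for every EncryptedData pick the key by KeyName and the
    replacement rule by Type, restoring the original element or content."""
    root = ET.fromstring(xml_text)
    for parent in list(root.iter()):
        for ed in parent.findall(f"{{{XENC}}}EncryptedData"):
            key = keys[ed.findtext(f"{{{DS}}}KeyInfo/{{{DS}}}KeyName")]
            raw = base64.b64decode(ed.findtext(f"{{{XENC}}}CipherData/{{{XENC}}}CipherValue"))
            plain = _standin_cipher(key, raw[:16], raw[16:])
            index = list(parent).index(ed)
            parent.remove(ed)
            if ed.get("Type") == TYPE_ELEMENT:
                restored = ET.fromstring(plain)
                restored.tail = ed.tail
                parent.insert(index, restored)
            else:  # Content: put text and child elements back into the parent
                wrapper = ET.fromstring(b"<w>" + plain + b"</w>")
                parent.text = wrapper.text
                parent.extend(list(wrapper))
    return ET.tostring(root, encoding="unicode")


def same_document(a: str, b: str) -> bool:
    """Logical equivalence via canonical form (namespace prefix choice ignored)."""
    return ET.canonicalize(a, rewrite_prefixes=True) == ET.canonicalize(b, rewrite_prefixes=True)
```

In Element mode the output no longer contains the name CreditCard at all, whereas in Content mode the element and its Limit/Currency attributes remain readable and only the children are hidden; a receiver that only needs the card data (the creditcardprocessing.com case above) is given just that key name.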
XML Encryption: JSR 106
JSR 106 XML Encryption in Java
- Standard Java API for the W3C XML Encryption standard
- Programming model similar to JSR 105
- Important JSR 106 APIs
  - XMLEncryptionFactory
  - EncryptedData
  - EncryptedKey
  - XMLEncryptContext
  - XMLDecryptContext

XML Encryption: Status

Status and Resources (XML Encryption)
- W3C Note status on XML Encryption Requirements
- Implementations are not yet widely available
- JSR-106 work in progress
- W3C XML Encryption home page: www.w3.org/Encryption/

XKMS (XML Key Management Spec.)
What is XKMS?
- Defines a protocol between an XKMS client and an XKMS server for performing PKI operations
  - public key registration
  - public key validation
  - public key discovery
  - public key revocation
- The XKMS server provides a trust service in the form of a Web service
- Used along with XML digital signing and encryption

Why XKMS?
- PKI is very important to Web services and e-commerce
- PKI operations are too expensive for small devices
  - XKMS reduces the processing burden by moving it to an XKMS server
- PKI operations are too complex for many applications
  - XKMS eases the integration of PKI by moving the complexity of PKI operations to an XKMS server

XKMS Specifications
- XKISS: XML Key Information Service Spec.
  - Defines a protocol for validation of public keys
- XKRSS: XML Key Registration Service Spec.
  - Defines a protocol for registration, revocation and recovery of public keys

X-KISS Protocol: Public Key Binding Validation Request
<Validate>
  <Query>
    <Status>Valid</Status>
    <ds:KeyInfo>
      <ds:KeyName>...</ds:KeyName>
      <ds:KeyValue>...</ds:KeyValue>
    </ds:KeyInfo>
  </Query>
  <Respond>
    <string>KeyName</string>
    <string>KeyValue</string>
  </Respond>
</Validate>
X-KISS Protocol: Public Key Binding Validation Response
<ValidateResult>
  <Result>Success</Result>
  <Answer>
    <KeyBinding>
      <Status>Valid</Status>
      <KeyID>http://www.xmltrustcenter.org/assert/20010120-39</KeyID>
      <ds:KeyInfo>
        <ds:KeyName>...</ds:KeyName>
        <ds:KeyValue>...</ds:KeyValue>
      </ds:KeyInfo>
      <ValidityInterval>
        <NotBefore>2000-09-20T12:00:00</NotBefore>
        <NotAfter>2000-10-20T12:00:00</NotAfter>
      </ValidityInterval>
    </KeyBinding>
  </Answer>
</ValidateResult>

Status and Resources (XKMS)
- W3C is making good progress
- JSR-104 work in progress
- W3C XKMS home page: http://www.w3.org/TR/xkms/

Java Implementations of XKMS
- Verisign: Trust Services Integration Kit, www.xmltrustcenter.org/developer/verisign/tsik/
- Entrust: XKMS toolkit, xkms.entrust.com/xkms/
- Phaos: www.phaos.com/products/xkms/xkms.html

XACML (eXtensible Access Control Markup Language)
What is XACML?
- Defines core schema and namespace for authorization policies in XML
  - Used against XML elements in an XML document
  - Extensible
- Closely aligned with the SAML effort
  - Policy Decision Points (PDPs) involved in SAML might consult policies encoded in XACML to determine whether access will be granted to a resource

Why XACML?
- Standardize access control language in XML
  - Extensible language with flexible semantics
- Lower costs
  - No need to develop app-specific languages
  - No need to write policy in several languages
- Simpler
  - Admins only need to understand one language
- Policy composition
  - Policies written by different parties can be combined

XACML Use Case
- A patient has a patient record including psychiatric notes
- The patient grants access right to the psychiatric notes only to the primary care doctor
- The primary care doctor grants access to the patient record to a covering doctor, with the access restriction following the transmitted documents so that the covering doctor has no access to the psychiatric notes

Status and Resources (XACML)
- OASIS Standard (Feb. 2003)
- Java-based open source implementation available (donated from Sun): http://sunxacml.sourceforge.net/
- No JSR effort yet
SAML (Security Assertion Markup Language)

What is SAML?
- Defines an XML framework for exchanging authentication and authorization information
  - Various XML security assertions: credentials, authentication, attribute, authorization, etc.
  - Request & response protocol
- Enables Single Sign-On (SSO)
- OASIS Standard
- JSR-155

Why SAML?
- Standards are emerging for many facets of collaborative e-commerce, such as:
  - Business transactions (e.g., ebXML)
  - Software interactions (e.g., SOAP)
- But communicating security properties of these interactions isn't well standardized
  - Low interoperability between PMI solutions
  - Tight coupling within components

Use cases for sharing security information thru SAML
- SAML developed three use cases to drive its requirements and design:
  - Single sign-on (SSO)
  - Distributed transaction
  - Authorization service
#1 Single Sign On (SSO)
- Logged-in (authenticated) users of Smith.com are allowed to access the sister site Johns.com without relogin

(Figure labels: Smith.com, Johns.com, Authenticate, SAML Assertion Request, SAML Assertion Response, Use secured resource without re-login.)
#2 Distributed Transaction
- A car buyer also purchases auto insurance from insurance.com, which is affiliated with cars.com

(Figure labels: cars.com, insurance.com, Buy a car, Buy insurance, SAML Assertion Request, SAML Assertion Response.)
#3 Authorization Service
- An employee of Works.com orders office supplies directly from Office.com, which performs its own authorization

(Figure labels: Works.com, Office.com, Employee of Works.com, SAML Assertion Request, SAML Assertion Response.)
SAML in a nutshell
- It's an XML-based framework for exchanging security information
  - XML-encoded security assertions
  - XML-encoded request/response protocol
  - Rules on using assertions with standard transport and messaging frameworks
SAML Assertions
- Assertions are declarations of fact, according to someone
- SAML assertions are compounds of one or more of three kinds of statement about a subject (human or program):
  - Authentication
  - Attribute
  - Authorization

Authentication statement
- An issuing authority asserts that subject S was authenticated by means M at time T
- Targeted towards Single Sign On uses
Example assertion with authentication statement
(Slide figure: the assertion XML did not survive extraction; only the annotations "(At time T)" and "(Subject S)" and the confirmation method URI http://core-25/sender-vouches remain.)
Attribute statement
- An issuing authority asserts that subject S is associated with attributes A, B, with values a, b, c
- Useful for distributed transactions and authorization services
Example assertion with two attribute statements
(Slide figure: the assertion XML did not survive extraction; the annotations show the subject "..Sang..", the attribute PaidUp "(with value a)" and the value 500.00 "(with value b)".)
Authorization statement
- An issuing authority decides whether to grant the request by subject S for access type A to resource R given evidence E
- The subject could be a human or a program
- The resource could be a web page or a web service, for example

Example assertion with authorization statement
(Slide figure: the assertion XML did not survive extraction; only the annotations "(for res. R)", "(by Subject S)" and "Read (for access type A)" remain.)
Protocol for Requesting & Receiving Assertions
(Figure: the Relying Party (Requesting Party) sends a SAML Assertion Request to the Asserting Party (Issuing Party), which answers with a SAML Assertion Response.)
WS-Security
WS-Security Specification
- Set of SOAP extensions for end-to-end SOAP messaging security
- Security schemes at message level
  - Signing and encrypting SOAP messages by attaching security tokens to SOAP messages
  - Any combination of message parts: header blocks, body, attachments
WS-Security
- Multiple security models
  - username/password
  - certificate
- Multiple security technologies
  - Kerberos
  - PKI
- Multiple types of security tokens
  - Kerberos ticket
  - X509 certificate
  - SAML assertions
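The slides list username/password as one WS-Security model but show no message. The following is an added example, not from the slides or from the Java WSDP samples: it builds a SOAP request whose wsse:Security header carries a UsernameToken in the digest form of the OASIS UsernameToken Profile 1.0 (Password_Digest = Base64(SHA-1(nonce + created + password))), and shows the server-side check. It assumes Java 8 (where javax.xml.soap ships with the JDK) or a SAAJ implementation on the classpath; the service namespace urn:example:hello, the user name and the password are constructed sample values.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import javax.xml.namespace.QName;
import javax.xml.soap.MessageFactory;
import javax.xml.soap.SOAPElement;
import javax.xml.soap.SOAPEnvelope;
import javax.xml.soap.SOAPHeaderElement;
import javax.xml.soap.SOAPMessage;

/** Added example: a WS-Security UsernameToken (digest form) carried in the SOAP header. */
public class UsernameTokenExample {
    static final String WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    static final String PASSWORD_DIGEST =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest";
    static final String BASE64_BINARY =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary";

    /** Password_Digest = Base64(SHA-1(nonce + created + password)), as defined by the UsernameToken profile. */
    static String passwordDigest(byte[] nonce, String created, String password) throws Exception {
        MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
        sha1.update(nonce);
        sha1.update(created.getBytes(StandardCharsets.UTF_8));
        sha1.update(password.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(sha1.digest());
    }

    /** Client side: a SOAP request whose wsse:Security header carries a digest UsernameToken. */
    static SOAPMessage buildRequest(String user, String password, byte[] nonce, String created) throws Exception {
        SOAPMessage msg = MessageFactory.newInstance().createMessage();
        SOAPEnvelope env = msg.getSOAPPart().getEnvelope();
        env.addNamespaceDeclaration("wsse", WSSE);
        env.addNamespaceDeclaration("wsu", WSU);

        SOAPHeaderElement security = env.getHeader().addHeaderElement(new QName(WSSE, "Security", "wsse"));
        security.setMustUnderstand(true);            // a receiver that cannot process the header must fault
        SOAPElement token = security.addChildElement("UsernameToken", "wsse");
        token.addChildElement("Username", "wsse").addTextNode(user);
        SOAPElement pw = token.addChildElement("Password", "wsse");
        pw.addAttribute(new QName("Type"), PASSWORD_DIGEST);
        pw.addTextNode(passwordDigest(nonce, created, password));
        SOAPElement n = token.addChildElement("Nonce", "wsse");
        n.addAttribute(new QName("EncodingType"), BASE64_BINARY);
        n.addTextNode(Base64.getEncoder().encodeToString(nonce));
        token.addChildElement("Created", "wsu").addTextNode(created);

        // Hypothetical business payload (constructed; mirrors the slides' sayHello sample)
        env.getBody().addBodyElement(new QName("urn:example:hello", "sayHello", "ns1")).addTextNode("to Duke!");
        msg.saveChanges();
        return msg;
    }

    /** Server side: recompute the digest from the received nonce/created and the stored password. */
    static boolean verifyToken(String nonceB64, String created, String receivedDigest,
                               String storedPassword, Instant now, Duration maxAge) throws Exception {
        Instant createdAt = Instant.parse(created);
        if (createdAt.isAfter(now) || Duration.between(createdAt, now).compareTo(maxAge) > 0) {
            return false;                            // stale or future Created timestamp: reject
        }
        byte[] nonce = Base64.getDecoder().decode(nonceB64);
        byte[] expected = passwordDigest(nonce, created, storedPassword).getBytes(StandardCharsets.UTF_8);
        byte[] actual = receivedDigest.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, actual);   // constant-time comparison
    }

    public static void main(String[] args) throws Exception {
        byte[] nonce = new byte[16];
        new SecureRandom().nextBytes(nonce);          // fresh per message; the server should cache it
        String created = Instant.now().toString();
        SOAPMessage req = buildRequest("duke", "constructed-sample-secret", nonce, created);
        req.writeTo(System.out);
        System.out.println();

        String nonceB64 = Base64.getEncoder().encodeToString(nonce);
        String digest = passwordDigest(nonce, created, "constructed-sample-secret");
        System.out.println("valid:        " + verifyToken(nonceB64, created, digest,
                           "constructed-sample-secret", Instant.now(), Duration.ofMinutes(5)));
        System.out.println("wrong secret: " + verifyToken(nonceB64, created, digest,
                           "wrong", Instant.now(), Duration.ofMinutes(5)));
    }
}
```

The digest form keeps the cleartext password off the wire, which matters when, as on the JWSDP slides later in this deck, the message runs over plain HTTP. It does not protect the body (that is what the signing and encryption of the other token types are for), and the Created window only bounds replay: within the window the server must remember nonces it has already accepted and reject a repeat.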
How They Work Together
SAML and Other Standards
- SAML and XML DSig
  - XML DSig is used for digitally signing and canonicalizing SAML assertions
  - Authenticating, tamper-proofing (integrity), non-repudiating SAML assertions
- SAML and XML Encryption
  - XML Encryption is used for encrypting and decrypting SAML assertions
  - Enforcing privacy (confidentiality) of SAML assertions
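The assertion slides above state the authentication statement ("subject S was authenticated by means M at time T") but their XML was lost, and this slide says XML DSig is what makes such an assertion tamper-proof. The following added example, not from the slides, builds a SAML 1.1 assertion with one AuthenticationStatement, signs it with an enveloped XML Signature using the JDK's built-in javax.xml.crypto.dsig provider (Java 8 or later, no extra libraries), verifies it as a relying party would, and then shows that editing the subject afterwards makes verification fail. The issuer name Smith.com is taken from the SSO use case; the subject name, the AssertionID and the RSA key pair are constructed here and are not from the slides.

```java
import java.io.StringWriter;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.util.Collections;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Added example: a SAML 1.1 assertion with an AuthenticationStatement, signed and verified with XML DSig. */
public class SignedSamlAssertion {
    static final String SAML = "urn:oasis:names:tc:SAML:1.0:assertion";
    static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    /** "Subject S was authenticated by means M at time T", as stated by the issuing authority. */
    static Document buildAssertion(String issuer, String subject, String method, String instant) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder().newDocument();
        Element a = doc.createElementNS(SAML, "saml:Assertion");
        a.setAttribute("MajorVersion", "1");
        a.setAttribute("MinorVersion", "1");
        a.setAttribute("AssertionID", "_constructed-assertion-id-0001"); // constructed sample id
        a.setAttribute("Issuer", issuer);
        a.setAttribute("IssueInstant", instant);
        a.setIdAttribute("AssertionID", true);        // lets the "#id" Reference below resolve
        doc.appendChild(a);
        Element st = doc.createElementNS(SAML, "saml:AuthenticationStatement");
        st.setAttribute("AuthenticationMethod", method);
        st.setAttribute("AuthenticationInstant", instant);
        Element subj = doc.createElementNS(SAML, "saml:Subject");
        Element name = doc.createElementNS(SAML, "saml:NameIdentifier");
        name.setTextContent(subject);
        subj.appendChild(name);
        st.appendChild(subj);
        a.appendChild(st);
        return doc;
    }

    /** Enveloped signature over the whole assertion; SAML 1.1 places ds:Signature after the statements. */
    static void sign(Document doc, KeyPair issuerKey) throws Exception {
        XMLSignatureFactory f = XMLSignatureFactory.getInstance("DOM");
        Element root = doc.getDocumentElement();
        Reference ref = f.newReference("#" + root.getAttribute("AssertionID"),
                f.newDigestMethod(DigestMethod.SHA256, null),
                Collections.singletonList(f.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)),
                null, null);
        SignedInfo si = f.newSignedInfo(
                f.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
                f.newSignatureMethod(RSA_SHA256, null),
                Collections.singletonList(ref));
        KeyInfoFactory kif = f.getKeyInfoFactory();
        KeyInfo ki = kif.newKeyInfo(Collections.singletonList(kif.newKeyValue(issuerKey.getPublic())));
        f.newXMLSignature(si, ki).sign(new DOMSignContext(issuerKey.getPrivate(), root));
    }

    /** Relying party: validate against the issuer key it already trusts, never the key found inside KeyInfo. */
    static boolean verify(Document doc, PublicKey trustedIssuerKey) throws Exception {
        NodeList sigs = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() != 1) return false;     // unsigned or ambiguous: reject
        doc.getDocumentElement().setIdAttribute("AssertionID", true); // needed again after a re-parse
        DOMValidateContext ctx = new DOMValidateContext(KeySelector.singletonKeySelector(trustedIssuerKey), sigs.item(0));
        return XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx).validate(ctx);
    }

    static String toXml(Document doc) throws Exception {
        StringWriter out = new StringWriter();
        TransformerFactory.newInstance().newTransformer().transform(new DOMSource(doc), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair issuerKey = kpg.generateKeyPair();   // the asserting party's signing key (generated here)

        Document doc = buildAssertion("Smith.com", "sang", "urn:oasis:names:tc:SAML:1.0:am:password",
                "2004-03-29T12:00:00Z");
        sign(doc, issuerKey);
        System.out.println(toXml(doc));
        System.out.println("valid as issued: " + verify(doc, issuerKey.getPublic()));

        // Changing the subject after issuance changes the reference digest, so validation fails
        doc.getElementsByTagNameNS(SAML, "NameIdentifier").item(0).setTextContent("someone-else");
        System.out.println("valid after edit: " + verify(doc, issuerKey.getPublic()));
    }
}
```

Two design choices carry the security value. The relying party pins the issuer's public key through a singleton KeySelector, so a KeyValue an attacker could place in KeyInfo is ignored; and it refuses assertions with zero or several Signature elements rather than picking one, since the signature covers only the element its Reference points to. A production check would additionally verify the issuer name, the statement's instant and the assertion's validity window.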
SAML and Other Standards
- SAML and XKMS
  - SAML traffic could be secured by XKMS-based PKI (or by other PKI implementation, or by other means entirely)
- SAML and XACML
  - XACML could be used to define access control/policy as a basis for handling SAML assertion requests
SAML and Other Standards
- SAML and WS-Security
  - SAML assertions can be carried as security tokens defined in WS-Security
- SAML and Liberty Project
  - SAML is used as the security information exchange protocol among Liberty participants
Resources
Resources
- W3C XML Digital Signature: www.w3.org/Signature/
- W3C XML Encryption: www.w3.org/Encryption/
- XKMS: www.w3.org/TR/xkms/
- XACML: www.oasis-open.org/committees/xacml/
- SAML: oasis-open.org/committees/security
Resources
- WS-Security: www.oasis-open.org/committees/wss/
- ebXML Message Services: www.ebxml.org
- Liberty Project: www.projectliberty.org

Thank You!
Sun Tech Days

JAX-RPC Message-Level Security
Sang Shin
Technology Evangelist
JAX-RPC Message Level Security Implementation in Java WSDP 1.3
- Implements portions of OASIS Web Services Security
- Implements only XML Signature
  - no encryption
  - runs over plain HTTP
- Signing and verification are implemented as SOAP message handlers at both client and server
- Only programmatic security is supported
  - no declarative support (via deployment descriptor)
Transport vs. Message Level Security
SOAP based communications introduces the notion of message-level security.

Transport Level:
- Uses SSL
- Point-to-point: protects the pipe
- Does not work with intermediaries
- Ubiquitous

Message Level:
- Does not use SSL
- Data chunks are protected
- Intended to work with intermediaries
- Standards still under development
Sample Applications
- dump
  - prints out both the client and server request and response SOAP messages
- sign
  - the response is signed by the server and verified by the client
- sign2
  - the client signs the request, the message is dumped out, the message travels over the network, the server verifies the signature, the business method is called, the server signs the response, the message travels back over the network, and the client verifies the response
  - retrieves the calling client's identity
Steps of Signing (at the Client)
- Get client proxy object
- Create ClientHelper object and bind it with the client proxy object
  - Use the createFor() static factory method to create an instance of a ClientHelper
- Configure the ClientHelper for the actions you want to take
  - SOAP message handlers are configured
  - Sign client request
  - Verify server response
- Call business methods
ClientHelper Class
- There could be several kinds of ClientHelpers depending on the kind of credentials the client uses
- A ClientHelper has no credentials associated with it, while a CertificateClientHelper carries X509 certificate credentials
JAX-RPC Client Side (from sign2)

    import java.rmi.Remote;
    import javax.xml.rpc.Stub;
    // CertificateClientHelper, HelloIF and Hello_Impl come from the Java WSDP 1.3
    // security sample; their packages are not shown on the slide.

    public class StaticHelloClient {
        public static void main(String[] args) throws Exception {
            Remote proxy = (Remote) createProxy();

            // Create a CertificateClientHelper for a client-side stub/proxy
            CertificateClientHelper cch = CertificateClientHelper.createFor(proxy);

            // Sign the request and then dump the message for debugging
            cch.addSignRequest().addDumpRequest();

            // Verify the response, which was signed by the server
            cch.addVerifyResponse();

            // Call the business method
            HelloIF hello = (HelloIF) proxy;
            System.out.println(hello.sayHello("to Duke!"));
        }

        private static Stub createProxy() {
            // Note: Hello_Impl is the generated service class and is implementation-specific.
            Stub stub = (Stub) (new Hello_Impl().getHelloIFPort());
            return stub;
        }
    }
Steps of Verification (at the Server)
- On the server side, there is only one kind of credential, an X509 certificate credential, which means that there is only one ServerHelper class
- Create ServerHelper object and bind it with the endpoint
  - Usually done inside the init() method of the ServiceLifecycle interface, which is implemented by the endpoint
- Configure the ServerHelper object with security configuration
  - Verify client request
  - Sign response
JAX-RPC Secure Endpoint (sign2)

    import javax.xml.rpc.ServiceException;
    import javax.xml.rpc.server.ServiceLifecycle;
    // ServerHelper and HelloIF come from the Java WSDP 1.3 security sample;
    // their packages are not shown on the slide.

    public class HelloImpl implements HelloIF, ServiceLifecycle {
        private ServerHelper sh;

        public String sayHello(String s) {
            ...
        }

        public void init(Object context) throws ServiceException {
            // Create ServerHelper object and bind it with the endpoint
            sh = ServerHelper.createFor(context);

            // Configure server security actions: verify client request and sign response
            sh.addVerifyRequest().addSignResponse();
        }

        // Required by ServiceLifecycle; omitted on the slide
        public void destroy() {
        }
    }
Extracting Client Principal
- Once the client is authenticated, the client's Subject and Principals are set
- The Subject identifies the source of the request
- A Subject has multiple Principals
Extracting Client Principal (sign2)

    public class HelloImpl implements HelloIF, ServiceLifecycle {
        private ServerHelper sh;
        // Greeting prefix; not shown on the slide, declared here so the snippet compiles
        private String prompt = "Hello ";

        public String sayHello(String s) {
            // The verified client principal is available after the request signature check
            return (prompt + s + " and also to " + sh.getClientPrincipal());
        }

        public void init(Object context) throws ServiceException {
            ...
        }
    }
SunNetwork SM Conference 2002

Identity Management & Liberty Project
Sang [email protected]
Java Technology Evangelist, Sun Microsystems, Inc.

Disclaimer & Acknowledgments
Even though Sang Shin is a full-time employee of Sun Microsystems, the contents here are created as his own personal endeavor and thus do not reflect any official stance of Sun Microsystems.
Sun Microsystems is not responsible for any inaccuracies in the contents.

Revision History
02/01/2004: created (Sang Shin)
Things to do:
- speaker notes need to be added
- Contents need some polishing
Agenda
- What is and Why Identity Management?
- Identity Management architectural options
- Liberty project
- Identity Management evolution
- Java Technology and Identity Management
- Status of Liberty project

What is & Why Identity Management?

What Is Identity?
The set of attributes that describe profile(s) of an individual or business entity or program.
(Figure labels: Customer Name John Smith; Email alias [email protected]; ID [email protected]; card number; Social security number; Driver's license; Passport; Retinal scan; DNA; Entertainment preferences; Notification preferences; Employee authorization; Business calendar; Dining preferences; Affinity program; Friends and associates; Education history; Medical history; Financial assets.)

Why Identity Management?
Identity is the foundation for the next generation of highly personalized web services.
(Figure labels: Policy-Based Trusted Network; Context-Sensitive Authentication, Attributes, and Authorization; Employees; Customers; Business Partners; Devices; Technology.)
Network Identity Components

COMPONENT: AUTHENTICATION
DEFINITION: A level of security guaranteeing the validity of an identity representation
EXAMPLE:
- Govt issued (driver's license, social security, passport)
- Biometric (fingerprint, retinal scan, DNA)
- Self-selected (PIN number, secret password)

COMPONENT: AUTHORIZATION
DEFINITION: The provisioning of services or activities based upon an authenticated identity
EXAMPLE:
- Services based on attributes (e.g., travel, entertainment, dining)
- Transaction consummation
- Gradient levels of service (e.g., based on employee level)

COMPONENT: ATTRIBUTES
DEFINITION: Traits, profiles, preferences of an identity, device, or business partner
EXAMPLE:
- Personal consumer preferences (e.g., travel, entertainment, dining)
- Identity-specific histories (e.g., purchases, medical records, etc.)
- Device capabilities information (e.g., text-only, video, etc.)
Network Identity Is The Foundation Upon Which Web Services Are Built
(Figure labels, source: Burton Group: Web Services; Business policy: liability, assurance for transactions, relationships between people, groups, and organizations; Presentation/Personalization: what the user sees, defining relationships through quality of experience; Applications and services: access and authorization, relationships between identities and information; Network Identity; Authenticated Identity (person, application, group, organization).)

Identity Crisis: Silos of Identity

Why Identity Is Important
- It should be available on anything attached to the Internet
- Single sign-on should be an accelerant for Internet commerce, not a bottleneck or toll booth
Enterprise Identity Challenges
- Many incompatible identity standards
- Same for authentication
- No standard for policy based provisioning of services
- Building your on-line directory before your competitors do it for you
- Mining your directory
- Privacy, public policy, regulation
- Interoperability within and between enterprises

What Individuals Care About
- Security and safety
- Comfort
- Convenience and ubiquity
Identity Value Chain
(Figure: value-chain diagram; recoverable labels: Creation, Promotion, Content & Delivery, Service Management, Business Factors; APIs, Schema, SW Platform, Device Specific, Security, Tools; Hosting, Portal, Ingredient, Brand; Financial Services, Business Services, Supply Chain Services, Entertainment, Aggregation, Communication, Notification; Preferences, History, Access, Rewards, Authentication; Billing, Usage, Discounts, Payments, Authorization.)

Identity Management Architectural Options
Possible Identity Solutions
(Figure: a Centralized Model with a Single Identity Operator, versus an Open Federated Model spanning Financial Services, Customer, Online, Telecommunications, Travel, Entertainment, Retail and Wireless communities.)

Centralized Architecture
Overview
- Users & nodes enroll with the ID operator
- ID operator issues a global unique identifier (GUID)
- User can access all operator sites
Pros
- Single source of control/auditability
Cons
- Security/privacy controlled by one operator
- Operator controls some profile data
- Profile sharing/tracking possible without permission
- Single point of security failure
- Danger of "tollgating"

Federated Architecture
(Figure labels: YOU, RETAILER, INSURANCE, PORTAL, AIRLINE, TELCOM, BANK.)
Overview
- Account chaining based
- Users & nodes need explicit linking
- No common GUID
Pros
- User has complete control over who/what to share
- Businesses have complete control over user profile data
- Incremental profile sharing possible
- Creates market opportunity for identity service providers
Cons
- Expensive to do without standards
- Profile data inconsistency possible

Liberty Project
Liberty Project
- Create an open standard for identity, authentication and authorization
  - Objective: lower costs, accelerate commercial opportunities, and increase customer satisfaction
- A federated standard will enable every business to:
  - Maintain their own customer/employee/device data
  - Tie data to an individual's or business's identity
  - Share data with partners according to its business objectives and customers' preferences

Liberty Alliance*
(Member logo slide; the logos did not survive extraction.)
* today. And growing.

Views of Federated Identity Services
(Figure labels: Providers that are equal and interoperable; Control over ownership and disclosure; Manage privacy and preferences; Multiple Identity Providers; Multiple Service Providers; Individuals with Multiple Profiles.)

Federated Identity Premises
- Distributed identity data stays with its rightful owner
- Multiple authenticators (identity providers)
  - They compete for consumer trust
- Delineation between authentication (identity providers) and authorization (merchants)
  - Merchants retain control of transaction requirements
- Consumer is in control of who can access information
  - Multiple modes: always, within group, per transaction
- Gradient levels of authentication within the network
Identity Management Evolution

Circles of Trust
(Figure: an Employee Circle of Trust with a Primary Trust Authority (my company), Accts Payable App, Calendar, Supply Chain Aggregator, Suppliers A, B and C and a Work Profile; Consumer Circles of Trust with a Primary Trust Authority (e.g., my bank), a Secondary Trust Authority (e.g., my airline), NI-Enabled Merchants, NI-Enabled Services, NI Service Aggregator, News Sources, Friends & Family, Notification, External Services and a Home Profile; each profile carries Name, ID and Preferences.)

Network Identity Organic Evolution: Evolution of Identity Networks
- Separate login for each site
- Separate login for each network
- Seamless login across networks
Analogous to ATM Networks
- Separate card for each bank
- Separate card for each network
- Seamless access across networks

Java Technology & Identity Management

Java Platform and Liberty
- J2EE
  - New Liberty JSR
  - Inclusion in Java Web Services Developer Pack
  - Tracked for J2EE 1.5
- J2SE
  - Liberty digital signing via Java Web Start
- J2ME
  - Liberty digital signing via MIDP
- JavaCard
  - Liberty certificates stored in Java Card

Status of Liberty Project
Status of Liberty Project
- Liberty version 1.0 specification was released in July, 2002
- First Liberty-enabled products are expected to be available by the end of 2002
- Liberty version 2.0 work has already started
- More than x members right now

Liberty Project Concept Demo

Key Points of the Demo
- Signing into a portal for the first time
- Opting-in to a federated identity network
- Providing that identity network with additional data and preferences
- Performing context-sensitive online banking
- A sophisticated airline affinity program
- Online web service notification
- How one's personal identity follows them across multiple devices

Resources
Resources
- W3C XML Digital Signature: http://www.w3.org/Signature/
- W3C XML Encryption: www.w3.org/Encryption/
- XKMS and its relatives (now at W3C): www.w3.org/TR/xkms/
- XACML: www.oasis-open.org/committees/xacml/
- Liberty Alliance: www.projectliberty.org

Passion!