XML digital signatures provide authentication, integrity and non-repudiation. They allow signing remote objects and binary data too, and use public key cryptography. Individual elements in a message can be signed, cosigned, witnessed, notarized or even signed in cascade.
Copyright:
Attribution Non-Commercial (BY-NC)
Different Standards & Features - Comparison
Vishnu Paturi
G00508233

Contribution
- Detailed study of different standards
- Feature listing
- Application domain
- Comparison
- Study the upcoming standards of future
- Make readers aware, where to use what.

Web services - What & Why?
- It's a middleware used for application & cross platform integration. (Any software, any vendor.)
- Uses SOAP (Service Oriented Architecture Protocol)
- Based on XML, defines data & interpretation of data.
- Can integrate different technologies to communicate seamlessly without vendor dependency.
- Used commonly in B2B interactions, e.g. Deal2buy.com, cheapair.com, amazon.com etc.
- Saves IT infrastructure cost and time between partners, suppliers and customers.
- Uses standard HTTP, firewall safe.

Why to secure web services?
- B2B communication involves sensitive info and should be protected from sniffing & theft.
- Some services should be available only to a certain class of customers/partners.
- To avoid various attacks (e.g. message integrity, replay attacks; mainly should provide non-repudiation, avoid leeching.)
- Although it uses the Internet, information is not intended for public users. (Internal data)

SSL and web services security
- SSL is point to point security, but we require end to end security in web services.
- SSL is transport layer encryption, we require message level.
- SSL cannot provide non-repudiation.
- SSL cannot encrypt just a particular element in a SOAP message.

Proposed Solutions
- XML digital signatures.
- XML encryption.
- XKMS (XML Key Management Specification)
- SAML (Secure Assertion Markup Language)
- WS-Security (Web Services Security)
- ebXML Message Service

XML digital signatures
- Provides authentication, integrity and non-repudiation.
- Uses public key cryptography.
- Allows individual elements to be signed in a message, cosigned, witnessed, notarized or even cascaded signing. (X.509 certificate attached)
- Allows signing remote object, and binary data too. (URI should be present for the object)
- Canonicalizes XML documents such that documents with the same syntactic and semantic meaning produce the same signature.
Source: http://www.xml.com/pub/a/2001/08/08/xmldsig.html

XML Encryption
- Encrypts only private information in a message. (e.g. credit card number, SSN)
- Can use both secret-key and public-key cryptography.
- Contains cipher data, its author (key author) and algorithm used.
- The encrypted key is exchanged by ciphering the encrypting key with the receiver's public key.
- Key exchange takes place using XML messages.
- Problem with lack of trust on source.

Example:

    <purchaseOrder>
      <Order>
        <Item>book</Item>
        <Id>123-958-74598</Id>
        <Quantity>12</Quantity>
      </Order>
      <Payment>
        <CardId>123654-8988889-9996874</CardId>
        <CardName>visa</CardName>
        <ValidDate>12-10-2004</ValidDate>
      </Payment>
    </purchaseOrder>

Encrypted message:

    <PurchaseOrder>
      <Order>
        <Item>book</Item>
        <Id>123-958-74598</Id>
        <Quantity>12</Quantity>
      </Order>
      <Payment>
        <!-- only the content of CardId is replaced by EncryptedData -->
        <CardId>
          <EncryptedData Type='http://www.w3.org/2001/04/xmlenc#Content'>
            <CipherData>
              <CipherValue>A23B45C564587</CipherValue>
            </CipherData>
          </EncryptedData>
        </CardId>
        <CardName>visa</CardName>
        <ValidDate>12-10-2004</ValidDate>
      </Payment>
    </PurchaseOrder>

XKMS (XML Key Management Specification)
- Makes implementation of PKI possible.
- Introduces XKMS servers which do the complex crypto, locate keys, validate, revoke.
- Everything done using XML messaging.
- Client & server share an XKMS service to validate each other.
- No infrastructure needed on client, just XML messaging capability. Everything is done by the XKMS server.
Source: www.networkworld.com/news/tech/2003/0908techupdate.html

SAML (Security Assertions Markup Language)
- Helps exchanging authentication & authorization information among partners. (FD)
- Doesn't really authenticate.
- Assertions
  - Authentication assertion (user's identity)
  - Attribute assertion (user specific info, e.g. credit card, SSN)
  - Authorization decision assertion (what user can do)
- Request response protocol (presently SOAP on HTTP)
- Bindings (SOAP message mapping information on HTTP)
- Profiles (how SAML should be transported in communication systems)
Source: http://www.javaworld.com/javaworld/jw-03-2003/jw-0321-wssecurity-p2.html

WS Security (Web Services Security)
- Provides end to end message security.
- Ensures confidentiality, integrity and non-repudiation. (Signs and encrypts messages)
- Based on XML signature and XML encryption.
- Supports multiple security models. (Certificate based, user-password based, SIM card based.)
- Supports PKI, Kerberos, X.509, SAML etc.
- Complete protection from most of the attacks.
- Very comprehensive, widely used today.
- Does not provide guarantee for security.

WS-Security specification
- WS-Policy defines the methods in which the capabilities and constraints of security policies can be expressed.
- WS-Trust is a model for establishing both direct and brokered trust relationships.
- WS-Privacy is a specification that addresses how privacy practices can be stated and implemented by Web Services.
- WS-Secure Conversation describes how message exchanges can be securely managed. It also deals with security context exchange and establishing and deriving session keys.
- WS-Federation relates to managing and brokering trust relationships in a heterogeneous distributed environment. It also includes support for distributed computing.
- Finally, WS-Authorization is a standard for authorization data and policy management for Web Services.

ebXML (E business XML)
- Developed as an open standard in competition with Microsoft Biztalk.
- Aims at enabling secure electronic business transactions.
- Uses a central registry to store
  - Business processes
  - Collaborative profile
  - Business service interface
  - Core library
- Future partners query the registry to match suitable partners to work with.
http://www-128.ibm.com/developerworks/xml/library/x-ebxml/

How does it all work?
In a typical e-commerce transaction:
- An SAML assertion of the transaction is generated on client side for the user.
- Client digitally signs it, and encrypts it.
- Registers the public key used to sign and encrypt in the XKMS server (client and application server can validate each other using the XKMS server).
- Transmits the purchase order document using WS-Security.

Where to use what?
- Small application, needs trust for communication to transmit public data.
  - Use XML digital signature (good performance, key problem)
  - Use XKMS if possible.
- Need to transmit private or sensitive data.
  - Use XML encryption
- Large distributed application, needs complete security and uses user authentication (real e-commerce application)
  - Use WS Security
- Already companies issuing certificates use XKMS.

Future of Web services
- Lot of emerging technologies.
- Many standards proposed.
- Business strategies play an important role.
- Liberty Alliance project, ebXML etc.
- WS Security has good chance of survival.
- Can be easily incorporated into future technologies.

Remember!!
- Web service is a middleware.
- What technology you use to secure really matters, e.g. key length, algorithm etc.

References
http://www.webopedia.com/DidYouKnow/Computer_Science/2005/web_services.asp
http://java.sun.com/developer/technicalArticles/WebServices/security/
http://www.webservicesarchitect.com/content/articles/apshankar04.asp
http://www.rassoc.com/gregr/weblog/stories/2002/06/09/webServicesSecurity.html
http://www.xml.com/pub/a/2001/08/08/xmldsig.html
http://www.networkworld.com/news/tech/2003/0908techupdate.html

Thank You!! Question??
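
The canonicalization and per-element signing points from the XML digital signatures slide, as an added example that is not part of the original slides: it computes the digest a signature reference would carry for one element and leaves out the public-key signature itself. It uses the C14N 2.0 implementation in the Python standard library (deployed XML signatures usually name C14N 1.0 or Exclusive C14N); the sample documents, the Id value pay1 and the function name are constructed for illustration.

```python
import base64
import hashlib
from xml.etree.ElementTree import canonicalize, fromstring, tostring

# Constructed samples: the same purchase order serialized two ways
# (attribute order, quote style, spacing inside tags, empty-element form).
DOC_A = ('<PurchaseOrder><Payment Id="pay1" currency="USD">'
         '<CardName>visa</CardName><Note></Note></Payment>'
         '<Order><Item>book</Item></Order></PurchaseOrder>')
DOC_B = ("<?xml version='1.0'?>\n"
         "<PurchaseOrder><Payment currency='USD'   Id='pay1' >"
         "<CardName >visa</CardName><Note/></Payment>"
         "<Order><Item>book</Item></Order></PurchaseOrder>")


def element_digest(xml_text, element_id):
    """Base64 SHA-256 digest of the canonical form of the element whose
    Id attribute equals element_id (hypothetical helper for this example)."""
    root = fromstring(xml_text)
    for element in root.iter():
        if element.get("Id") == element_id:
            element.tail = None  # text after the end tag is not part of the element
            subtree = tostring(element, encoding="unicode")
            canonical = canonicalize(subtree)  # C14N 2.0
            digest = hashlib.sha256(canonical.encode("utf-8")).digest()
            return base64.b64encode(digest).decode("ascii")
    raise ValueError("no element with Id=%r" % element_id)


def demo():
    """Return the three comparisons the slide's claims predict."""
    reference = element_digest(DOC_A, "pay1")
    # Same content, different serialization: digest must match.
    same_meaning = element_digest(DOC_B, "pay1") == reference
    # Change inside the signed element: digest must change.
    changed_inside = DOC_A.replace("visa", "mastercard")
    detects_change = element_digest(changed_inside, "pay1") != reference
    # Change outside the signed element: digest does not change, so a
    # verifier must check that the element it acts on is the one covered.
    changed_outside = DOC_A.replace("book", "laptop")
    outside_unprotected = element_digest(changed_outside, "pay1") == reference
    return same_meaning, detects_change, outside_unprotected


if __name__ == "__main__":
    print(demo())
```

The third result is the practical caveat of signing individual elements: content outside the referenced element is not protected by that signature.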