Web service security
Web service security standards

- XML Digital Signature (IETF and W3C)
- XML Encryption (W3C)
- SAML (Security Assertion Markup Language) (OASIS)
- WS-Security (Web Services Security) (OASIS)
- WS-SecureConversation
- WS-Federation
- WS-Policy
- WS-Trust
- WS-Privacy
- XACML (eXtensible Access Control Markup Language) (OASIS)
XML Encryption

When encrypting an XML element or element content, the EncryptedData element replaces the element or the content (respectively) in the encrypted version of the XML document. Its structure ("?" marks optional parts):

  <EncryptedData Id? Type? MimeType? Encoding?>
    <EncryptionMethod/>?
    <ds:KeyInfo>
      <EncryptedKey>?
      <AgreementMethod>?
      <ds:KeyName>?
      <ds:RetrievalMethod>?
      <ds:*>?
    </ds:KeyInfo>?
    <CipherData>
      <CipherValue>?
      <CipherReference URI?>?
    </CipherData>
    <EncryptionProperties>?
  </EncryptedData>

Type tells the decryptor what it is restoring: ...xmlenc#Element (the whole element) or ...xmlenc#Content (only the element's children). If EncryptionMethod is omitted, the algorithm must be known out of band; if ds:KeyInfo is omitted, the key must likewise be agreed in advance. CipherValue carries the ciphertext inline (base64); CipherReference instead points at a URI from which the receiver is expected to fetch it.
XML Encryption example

Before (the card number is in the clear):

  <?xml version='1.0'?>
  <PaymentInfo xmlns='http://example.org/paymentv2'>
    <Name>John Smith</Name>
    <CreditCard Limit='5,000' Currency='USD'>
      <Number>4019 2445 0277 5567</Number>
      <Issuer>Example Bank</Issuer>
      <Expiration>04/02</Expiration>
    </CreditCard>
  </PaymentInfo>

After encrypting the content of Number (Type=...#Content, so the Number element itself stays visible and only its text is replaced):

  <?xml version='1.0'?>
  <PaymentInfo xmlns='http://example.org/paymentv2'>
    <Name>John Smith</Name>
    <CreditCard Limit='5,000' Currency='USD'>
      <Number>
        <EncryptedData xmlns='http://www.w3.org/2001/04/xmlenc#'
                       Type='http://www.w3.org/2001/04/xmlenc#Content'>
          <CipherData>
            <CipherValue>A23B45C56</CipherValue>
          </CipherData>
        </EncryptedData>
      </Number>
      <Issuer>Example Bank</Issuer>
      <Expiration>04/02</Expiration>
    </CreditCard>
  </PaymentInfo>

The example omits EncryptionMethod and KeyInfo, so the recipient must already know the algorithm and key. Name, Issuer, Expiration and the CreditCard attributes remain readable; encrypt the whole CreditCard element (Type=...#Element) if those are sensitive as well.
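The EncryptedData layout is easy to produce; the receiver is where mistakes happen. As an added example (Python written for this page, not code from the slides), the following walks every xenc:EncryptedData in a document, reports what it finds (Type, algorithm, inline vs referenced ciphertext, key-transport methods) and applies the checks a decryptor should make before touching any key: allow only AES-GCM for data and RSA-OAEP for key transport, refuse CipherReference and ds:RetrievalMethod (both make the receiver fetch from a URI), and flag a missing EncryptionMethod instead of guessing. The allowlists are this example's policy, and the two sample documents (the slide's PaymentInfo and a constructed hardened variant with placeholder ciphertext) are constructed inputs.

```python
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"
XENC11 = "http://www.w3.org/2009/xmlenc11#"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Policy of this example (an assumption, not part of the standard): authenticated encryption only.
# The CBC modes of XML Encryption 1.0 leak plaintext through a padding/format oracle, and
# rsa-1_5 key transport is exposed to Bleichenbacher-style attacks, so neither is listed.
ALLOWED_DATA_ALGS = {XENC11 + "aes128-gcm", XENC11 + "aes256-gcm"}
ALLOWED_KEY_ALGS = {XENC11 + "rsa-oaep", XENC + "rsa-oaep-mgf1p"}


def _algorithm(elem):
    method = elem.find(f"{{{XENC}}}EncryptionMethod")
    return method.get("Algorithm") if method is not None else None


def inspect_encrypted_data(ed):
    """Describe one xenc:EncryptedData element and list the policy violations found in it."""
    info = {"Id": ed.get("Id"), "Type": ed.get("Type"), "algorithm": _algorithm(ed),
            "cipher": None, "key_algorithms": []}
    problems = []
    if info["algorithm"] not in ALLOWED_DATA_ALGS:
        problems.append(f"EncryptionMethod {info['algorithm']!r} is not in the allowlist")
    cipher_data = ed.find(f"{{{XENC}}}CipherData")
    if cipher_data is None:
        problems.append("CipherData is missing")
    else:
        if cipher_data.find(f"{{{XENC}}}CipherValue") is not None:
            info["cipher"] = "inline"
        ref = cipher_data.find(f"{{{XENC}}}CipherReference")
        if ref is not None:
            info["cipher"] = "reference:" + ref.get("URI", "")
            problems.append("CipherReference asks the receiver to fetch ciphertext from a URI")
        if info["cipher"] is None:
            problems.append("CipherData has neither CipherValue nor CipherReference")
    key_info = ed.find(f"{{{DS}}}KeyInfo")
    if key_info is not None:
        for enc_key in key_info.findall(f"{{{XENC}}}EncryptedKey"):
            alg = _algorithm(enc_key)
            info["key_algorithms"].append(alg)
            if alg not in ALLOWED_KEY_ALGS:
                problems.append(f"key transport {alg!r} is not in the allowlist")
        if key_info.find(f"{{{DS}}}RetrievalMethod") is not None:
            problems.append("ds:RetrievalMethod asks the receiver to fetch key material from a URI")
    return info, problems


def audit(xml_bytes):
    """(info, problems) for every EncryptedData in the document, in document order."""
    root = ET.fromstring(xml_bytes)
    return [inspect_encrypted_data(ed) for ed in root.iter(f"{{{XENC}}}EncryptedData")]


# Constructed sample 1: the slide's example (no EncryptionMethod, no KeyInfo).
SLIDE_SAMPLE = b"""<PaymentInfo xmlns='http://example.org/paymentv2'>
  <CreditCard Limit='5,000' Currency='USD'><Number>
    <EncryptedData xmlns='http://www.w3.org/2001/04/xmlenc#'
                   Type='http://www.w3.org/2001/04/xmlenc#Content'>
      <CipherData><CipherValue>A23B45C56</CipherValue></CipherData>
    </EncryptedData>
  </Number></CreditCard></PaymentInfo>"""

# Constructed sample 2: algorithms declared, GCM data key wrapped with RSA-OAEP. Ciphertext is a placeholder.
HARDENED_SAMPLE = b"""<PaymentInfo xmlns='http://example.org/paymentv2'
    xmlns:xenc='http://www.w3.org/2001/04/xmlenc#' xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
  <CreditCard Limit='5,000' Currency='USD'><Number>
    <xenc:EncryptedData Type='http://www.w3.org/2001/04/xmlenc#Content'>
      <xenc:EncryptionMethod Algorithm='http://www.w3.org/2009/xmlenc11#aes256-gcm'/>
      <ds:KeyInfo>
        <xenc:EncryptedKey>
          <xenc:EncryptionMethod Algorithm='http://www.w3.org/2009/xmlenc11#rsa-oaep'/>
          <xenc:CipherData><xenc:CipherValue>Y29uc3RydWN0ZWQ=</xenc:CipherValue></xenc:CipherData>
        </xenc:EncryptedKey>
      </ds:KeyInfo>
      <xenc:CipherData><xenc:CipherValue>Y29uc3RydWN0ZWQ=</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </Number></CreditCard></PaymentInfo>"""

if __name__ == "__main__":
    for name, doc in (("slide", SLIDE_SAMPLE), ("hardened", HARDENED_SAMPLE)):
        for info, problems in audit(doc):
            print(name, info, problems or "OK")
```

The order matters in a real receiver as much as the allowlist: check any enclosing XML Signature first, then run checks like these, and only then decrypt, so that an attacker cannot steer the decryptor by editing EncryptionMethod or KeyInfo.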
XML Signature

- Provides data integrity and authenticity
- Binds the signer's identity (the "signing entity") to an XML document
- Signature verification can use asymmetric keys (RSA, DSA, ECDSA) or a symmetric key (HMAC)
- Proves that the signed parts have not been altered since they were signed
- Non-repudiation of the signing entity is provided only by asymmetric signatures; an HMAC can be produced by any party holding the shared key
Signature element

XML digital signatures are represented by the Signature element ("?" = optional, "+" = one or more, "*" = zero or more):

  <Signature Id?>
    <SignedInfo>
      <CanonicalizationMethod/>
      <SignatureMethod/>
      (<Reference URI?>
        (<Transforms>)?
        <DigestMethod>
        <DigestValue>
      </Reference>)+
    </SignedInfo>
    <SignatureValue>
    (<KeyInfo>)?
    (<Object Id?>)*
  </Signature>

Each Reference carries the digest of one signed resource (after canonicalization and any Transforms); SignatureValue is computed over the canonicalized SignedInfo, so what is signed directly is the list of digests, not the data itself. A verifier therefore has to check both the SignatureValue and every Reference digest, and has to resolve each URI to the same element the application will later act on.
Signature example

  <Signature Id="MyFirstSignature" xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/2006/12/xml-c14n11"/>
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
      <Reference URI="http://www.w3.org/TR/2000/REC-xhtml1-20000126/">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2006/12/xml-c14n11"/>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <DigestValue>dGhpcyBpcyBub3QgYSBzaWduYXR1cmUK...</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>...</SignatureValue>
    <KeyInfo>
      <KeyValue>
        <DSAKeyValue>
          <P>...</P><Q>...</Q><G>...</G><Y>...</Y>
        </DSAKeyValue>
      </KeyValue>
    </KeyInfo>
  </Signature>

Two things to notice in this (specification-era) example. It signs an external resource, so verifying it means fetching a remote URI; a production verifier should accept only same-document references ("#id") unless remote fetching is explicitly wanted. And it uses DSA with SHA-1 and a SHA-1 digest, both obsolete; current deployments use RSA or ECDSA with SHA-256 (http://www.w3.org/2001/04/xmldsig-more#rsa-sha256, ...#ecdsa-sha256) and the http://www.w3.org/2001/04/xmlenc#sha256 digest. The KeyInfo here embeds the signer's public key, which tells the verifier which key to use but says nothing about whether to trust it; trust has to come from a certificate chain or a pre-configured key.
SAML

- Developed by OASIS
- An XML framework for exchanging authentication and authorization information
- A SAML assertion is a declaration of a fact about a subject, made by an issuing authority; it carries statements of three kinds:
  - authentication
  - attribute
  - authorization decision
- SAML is used for:
  - single sign-on (SSO)
  - distributed transactions
  - authorization services
Authentication statement (used for SSO)

  <saml:Assertion ...>
    <saml:AuthenticationStatement AuthenticationMethod="password"
                                  AuthenticationInstant="2010-02-03">
      <saml:Subject>
        <saml:NameIdentifier SecurityDomain="myCompany.com" Name="ABCD"/>
        <saml:ConfirmationMethod>http://...</saml:ConfirmationMethod>
      </saml:Subject>
    </saml:AuthenticationStatement>
  </saml:Assertion>

An issuing authority asserts that subject S was authenticated by means M at time T.

The sketches on this and the next two slides are schematic and use SAML 1.x element names (AuthenticationStatement, NameIdentifier); SAML 2.0 renames them (AuthnStatement, NameID, SubjectConfirmation) but the three statement types are the same. ConfirmationMethod is what a relying party uses to decide whether the presenter of the assertion is really its subject (bearer versus holder-of-key), so it should be checked, not just the statement itself.
Attribute statement (used for distributed transactions)

  <saml:Assertion ...>
    <saml:AttributeStatement>
      <saml:Subject>...Sang...</saml:Subject>
      <saml:Attribute AttributeName="PaymentStatus" AttributeNamespace="http://myshop.com">
        <saml:AttributeValue>PaidUp</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute AttributeName="CreditLimit" AttributeNamespace="http://myshop.com">
        <saml:AttributeValue>500.00</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>

An issuing authority asserts that subject S is associated with attributes A, B, ... having values 'a', 'b', ...
Authorization decision statement (used for an authorization service)

  <saml:Assertion ...>
    <saml:AuthorizationDecisionStatement Decision="Permit"
                                         Resource="http://mycompany.com/empdetails">
      <saml:Subject>...</saml:Subject>
      <saml:Action Namespace="http://...">Read</saml:Action>
      <saml:Evidence>...</saml:Evidence>
    </saml:AuthorizationDecisionStatement>
  </saml:Assertion>

An issuing authority decides whether to grant the request by subject S for access type A to resource R, given evidence E. (In SAML 1.x the element is AuthorizationDecisionStatement and Decision takes the values Permit, Deny or Indeterminate; the original slide's "AuthorizationStatement" and "Allow" are shorthand.)
WS-Security

- An extension to SOAP for applying security to Web services, standardized by OASIS
- Defines how to attach XML Signature and XML Encryption to SOAP messages through the wsse:Security header block
- Security tokens the specification allows in that header:
  - X.509 certificates
  - Kerberos tickets
  - UserID/password credentials (UsernameToken)
  - SAML assertions
  - custom-defined tokens
WS-Security with SAML example

  <SOAP-ENV:Envelope>
    <SOAP-ENV:Header>
      <wsse:Security>
        <saml:Assertion> ... </saml:Assertion>
      </wsse:Security>
    </SOAP-ENV:Header>
    <SOAP-ENV:Body> ... </SOAP-ENV:Body>
  </SOAP-ENV:Envelope>

The assertion on its own only states facts about the subject; it does not bind those facts to this particular message. In practice the wsse:Security header also carries a ds:Signature whose References cover the Body and the assertion, so the receiver can check that the message was not altered and (for holder-of-key confirmation) that the sender holds the key the assertion names.
WS-Trust

A framework for:
- issuing, renewing, and validating security tokens
- brokering trust relationships across different trust domains

Both functions are provided by a Security Token Service (STS).
WS-Trust: Security Token Service (STS)

1. The WSIT client runtime requests security metadata from the service provider (transparent to the application).
2. The service indicates that the client needs a security token from a particular STS.
3. The client requests security metadata from the STS.
4. The STS responds with the type of security token to be used for further communication.
5. The client requests a security token from the STS (RequestSecurityToken).
6. The client receives the security token issued by the STS (RequestSecurityTokenResponse).
7. The client invokes the service using the issued token.
8. The service provider verifies the token and performs the service.

WSIT is the Metro/GlassFish web services stack; the exchange is the same for any WS-Trust client. "Verifies" in step 8 means checking the STS signature on the token, its validity period, and that the token was issued for this service, not merely that it parses.
WS-SecureConversation

- Defines the creation and sharing of security contexts between communicating parties
- The <SecurityContextToken> (SCT) element represents such a context
- An SCT is bound to a shared secret used to sign and/or encrypt messages
- Messages in the context are signed and encrypted with keys derived from that secret, so the long-lived secret itself is never used directly
- WS-SecureConversation defines how derived keys are computed (P_SHA1 over the secret, a label and a nonce) and how their parameters are passed (the DerivedKeyToken element with its Nonce, Label, Offset/Length or Generation)
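An added example (Python written for this page, not from the slides or any WS-* implementation) of the derivation the last bullet refers to: P_SHA1 expands the context secret with label + nonce, and a DerivedKeyToken names the slice of that output to use, either by Offset/Length or by Generation. Assumptions: the label string used here is a hard-coded "WS-SecureConversation", which the reader should confirm against the default label of the stack in use, since both parties must agree; the secret and nonces are constructed values.

```python
import hashlib
import hmac

LABEL = b"WS-SecureConversation"   # assumed default label; both sides must use the same string


def p_sha1(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA1 expansion (the TLS 1.0 construction WS-SecureConversation refers to):
    A(0) = seed, A(i) = HMAC_SHA1(secret, A(i-1)),
    output = HMAC_SHA1(secret, A(1) + seed) | HMAC_SHA1(secret, A(2) + seed) | ... truncated to length."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha1).digest()
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()
    return out[:length]


def derived_key(secret: bytes, nonce: bytes, label: bytes = LABEL, length: int = 16,
                offset: int = 0, generation=None) -> bytes:
    """Key for one wsc:DerivedKeyToken: P_SHA1(secret, label + nonce) sliced at [offset, offset + length).
    Generation is the token's alternative addressing form: offset = generation * length."""
    if generation is not None:
        offset = generation * length
    return p_sha1(secret, label + nonce, offset + length)[offset:offset + length]


def keys_for_message(secret: bytes, sig_nonce: bytes, enc_nonce: bytes) -> dict:
    """One security context, two DerivedKeyTokens: a 32-byte HMAC key and a 16-byte AES-128 key,
    each from its own nonce so compromising one never reveals the other."""
    return {"sign": derived_key(secret, sig_nonce, length=32),
            "encrypt": derived_key(secret, enc_nonce, length=16)}


def receiver_key(secret: bytes, token: dict) -> bytes:
    """What the peer recomputes from the DerivedKeyToken fields it received in the clear."""
    return derived_key(secret, token["nonce"], token.get("label", LABEL), token["length"],
                       token.get("offset", 0), token.get("generation"))


if __name__ == "__main__":
    context_secret = bytes(range(32))               # constructed SCT secret
    keys = keys_for_message(context_secret, b"nonce-for-signing", b"nonce-for-encryption")
    token = {"nonce": b"nonce-for-signing", "length": 32}      # the fields that travel in the message
    print("sender   :", keys["sign"].hex())
    print("receiver :", receiver_key(context_secret, token).hex())
```

Only the context secret is confidential; nonce, label, offset and length are sent in the clear inside the DerivedKeyToken, which is fine because P_SHA1 output is unpredictable without the secret. The slicing rule is also why a receiver should bound Offset/Length (or Generation): the sender controls them, and an unbounded value turns key derivation into a CPU sink.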
XACML

A declarative access control policy language implemented in XML, together with a processing model that describes how the policies are to be interpreted. Policies are defined as a collection of rules.

Access control rule (example):
  Allow access to resources with attribute WebService if the subject is an Employee and the action is read or write.

Administration control rule (example):
  Allow delegation of access control rule #1 to subjects with attribute Consultant.
  Conditions: the delegation must expire within 6 months, and the resource must not have attribute StrictlyInternal.
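To show what the first rule looks like once it is written as XACML rather than English, here is an added example (Python written for this page, not the slides' material or any XACML engine): the rule as an XACML 3.0 policy, followed by a minimal policy decision point that implements just enough of the processing model to evaluate it: Target matching (AnyOf is OR, AllOf is AND, an empty Target matches everything), the string-equal match function against an attribute bag, and the deny-unless-permit rule-combining algorithm. The attribute ids urn:example:subject:role and urn:example:resource:type are this example's; the category, function and action-id URIs are the standard ones. The delegation rule on the slide needs the XACML administrative-delegation profile and is not covered here.

```python
import xml.etree.ElementTree as ET

XACML = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
NS = {"x": XACML}
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
ROLE_ID = "urn:example:subject:role"            # example attribute ids, not standard ones
RESOURCE_TYPE_ID = "urn:example:resource:type"

# Rule #1 from the slide. Policy Target: resource type WebService. Rule Target: role Employee AND
# (action read OR action write) -> Permit. deny-unless-permit turns "no rule applied" into Deny.
POLICY = """<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
    PolicyId="urn:example:policy:webservice" Version="1.0"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit">
  <Target>
    <AnyOf><AllOf>
      <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">WebService</AttributeValue>
        <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
            AttributeId="urn:example:resource:type"
            DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
      </Match>
    </AllOf></AnyOf>
  </Target>
  <Rule RuleId="urn:example:rule:1" Effect="Permit">
    <Target>
      <AnyOf><AllOf>
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Employee</AttributeValue>
          <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
              AttributeId="urn:example:subject:role"
              DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
        </Match>
      </AllOf></AnyOf>
      <AnyOf>
        <AllOf>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
            <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
                AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
          </Match>
        </AllOf>
        <AllOf>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">write</AttributeValue>
            <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
                AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
          </Match>
        </AllOf>
      </AnyOf>
    </Target>
  </Rule>
</Policy>"""


def _match_true(m, request):
    """string-equal against the designated bag: true if any bag value equals the literal."""
    literal = m.find("x:AttributeValue", NS).text
    d = m.find("x:AttributeDesignator", NS)
    return literal in request.get((d.get("Category"), d.get("AttributeId")), [])


def _target_true(target, request):
    """Target = AND over AnyOf; AnyOf = OR over AllOf; AllOf = AND over Match. No Target matches all."""
    if target is None:
        return True
    return all(any(all(_match_true(m, request) for m in allof.findall("x:Match", NS))
                   for allof in anyof.findall("x:AllOf", NS))
               for anyof in target.findall("x:AnyOf", NS))


def evaluate(policy_xml, request):
    """Minimal PDP for Target-only rules: NotApplicable, Permit or Deny (deny-unless-permit)."""
    policy = ET.fromstring(policy_xml)
    if not _target_true(policy.find("x:Target", NS), request):
        return "NotApplicable"
    effects = [rule.get("Effect") for rule in policy.findall("x:Rule", NS)
               if _target_true(rule.find("x:Target", NS), request)]
    return "Permit" if "Permit" in effects else "Deny"


def request(role, action, resource_type):
    """A decision request: attribute bags keyed by (category, attribute id)."""
    return {(SUBJECT, ROLE_ID): [role], (ACTION, ACTION_ID): [action],
            (RESOURCE, RESOURCE_TYPE_ID): [resource_type]}


if __name__ == "__main__":
    for args in (("Employee", "read", "WebService"), ("Employee", "delete", "WebService"),
                 ("Consultant", "write", "WebService"), ("Employee", "read", "Database")):
        print(args, "->", evaluate(POLICY, request(*args)))
```

Two design points worth keeping from even this toy PDP: NotApplicable is a distinct answer from Deny (the policy says nothing about databases, and a policy set combining several policies needs to know that), and the default-deny comes from the combining algorithm, not from the rule, so a later rule author cannot accidentally open the policy by forgetting a Deny rule.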
XACML benefits

- One standard access control policy language can replace dozens of application-specific languages.
- Administrators save time and money because they do not need to rewrite their policies in many different languages.
- XACML is flexible enough to accommodate most access control policy needs and extensible so that new requirements can be supported.
- One XACML policy can cover many resources, which helps avoid inconsistent policies on different resources.
- XACML allows one policy to refer to another. This matters for large organizations: a site-specific policy may refer to a company-wide policy and a country-specific policy.
