Security for Web Services and Service-Oriented Architectures (eBook)
XII, 226 pages
Springer Berlin (publisher)
978-3-540-87742-4 (ISBN)
Elisa Bertino is professor of Computer Science and Electrical and Computer Engineering, and research director of the Center for Education and Research in Information Assurance and Security (CERIAS) at Purdue University. She has carried out extensive research on various security topics, such as foundations of access control systems, security for location-based applications, security for web services, digital identity management, data privacy, security and privacy for healthcare applications and for GIS; and has given numerous presentations and tutorials on these topics at scientific conferences. She recently received the IEEE Computer Society 2005 Kanai award for her research in security for distributed systems. She has also served as a member of the Microsoft Trustworthy Computing Academic Advisory Board.
Lorenzo D. Martino is visiting assistant professor at the Computer and Information Technology (C&IT) department of Purdue University and at the Cyber Center of Purdue University. He has carried out research on trust negotiation techniques and security for web services.
Federica Maria Francesca Paci is a PhD Student at the University of Milan, Italy. Her main research interests include the development of access control models for constraint workflow systems, Web services access control models and secure distribution of XML documents. She has published several refereed journal and conference papers in these areas.
Anna Squicciarini is a postdoctoral research associate in the Computer Science Department of Purdue University. She conducts research on security for distributed systems, with particular focus on trust management, identity management and access control for grids and Web Services. She has published several refereed journal and conference papers in these areas. She has been the main architect of the Trust-X system, an innovative system supporting trust negotiation in distributed open systems.
Preface 6
Contents 8
Introduction 12
Security for Web Services and Security Goals 12
Privacy 14
Goals and Scope of the Book and its Intended Audience 15
An Overview of the Book's Content 16
Web Service Technologies, Principles, Architectures, and Standards 20
SOA and Web Services Principles 21
Web Services Architecture 24
Web Services Technologies and Standards 24
SOAP 26
Web Services Description Language (WSDL) 27
Service Discovery: Universal Description, Discovery and Integration (UDDI) 29
Considerations 32
Web Services Infrastructure 33
Web Services Threats, Vulnerabilities, and Countermeasures 35
Threats and Vulnerabilities Concept Definition 36
Threat Modeling 38
Vulnerability Categorizations and Catalogs 46
Threat and Vulnerabilities Metrics 50
Standards for Web Services Security 55
The Concept of Standard 57
Web Services Security Standards Framework 58
An Overview of Current Standards 59
"Near the wire" security standards 59
XML Data Security 61
Security Assertions Markup Language (SAML) 63
SOAP Message Security 66
Key and Trust Management standards 70
Standards for Policy Specification 74
Access Control Policy Standards 77
Implementations of Web Services Security Standards 83
Standards-related Issues 84
Digital Identity Management and Trust Negotiation 88
Overview of Digital Identity Management 89
Overview of Existing Proposals 91
Liberty Alliance 92
WS-Federation 95
Comparison of Liberty Alliance and WS-Framework 98
Other Digital Identity Management Initiatives 99
Discussion on Security of Identity Management Systems 102
Business Processes 104
Deploying Multifactor Authentication for Business Processes 105
Architecture 106
Digital Identity Management in Grid Systems 106
The Trust Negotiation Paradigm and its Deployment using SOA 109
Trust Negotiation and Digital Identity Management 110
Automated Trust Negotiation and Digital Identity Management Systems: Differences and Similarities 111
Integrating Identity Management and Trust Negotiations 114
Architecture of a SP in FAMTN 116
An Example of a Use Case: FSP in Liberty Web Services Framework 117
Negotiations in an FAMTN Federation 118
Ticketing system in an FAMTN Federation 118
Implementing Trust Tickets Through Cookies 119
Negotiation in Identity Federated Systems 121
Bibliographic Notes 122
Access Control for Web Services 124
Approaches to Enforce Access Control for Web Services 125
WS-AC1: An Adaptive Access Control Model for Stateless Web Services 127
The WS-AC1 Model 129
WS-AC1 Identity Attribute Negotiation 134
WS-AC1 Parameter Negotiation 137
An Access Control Framework for Conversation-Based Web services 141
Conversation-Based Access Control 142
Access Control and Credentials 143
k-Trust Levels and Policies 144
Access Control Enforcement 145
K-Trustworthiness Levels Computation 147
Architecture of the Enforcement System 154
Secure Publishing Techniques 156
The Merkle Signatures 157
Merkle Signatures for Trees 157
Merkle Signatures for XML Documents 158
Merkle Hash Verification for Documents with Partially Hidden Contents 159
Application of the Merkle Signature to UDDI Registries 161
Merkle Signature Representation 161
Merkle Hash Path Representation 162
A Comparison of Merkle Signatures with XML Signatures 163
Bibliographic Notes 166
Access Control for Business Processes 167
Access Control for Workflows and Business Processes 169
Web Services Business Process Execution Language (WS-BPEL) 172
RBAC-WS-BPEL: An Authorization Model for WS-BPEL Business Processes 174
RBAC XACML: Authorization Schema 178
Business Process Constraint Language 178
RBAC-WS-BPEL Authorization Specification 179
RBAC-WS-BPEL Enforcement 180
RBAC-WS-BPEL System Architecture 182
Handling <HumanActivity>
Emerging Research Trends 186
Security as a Service 186
Motivations 187
Reference Framework for Security Services 188
Authentication Service 189
Privacy for Web Services 193
P3P and the Privacy-Aware RBAC Model 194
Privacy-Preserving Data Management Techniques 199
W3C Privacy Requirements for Web Services and Research Issues 200
Semantic Web Security 201
Concluding Remarks 202
Access Control 203
Basic Notions 203
The Protection Matrix Model 204
Access Control Lists and Capability Lists 205
Negative Authorizations 205
Role-Based Access Control 206
Concluding Remarks 210
References 211
Index 228
| Publication date (per publisher) | 22.10.2009 |
|---|---|
| Additional info | XII, 226 p. |
| Place of publication | Berlin |
| Language | English |
| Subject areas | Computer Science ► Networks ► Security / Firewall |
| | Mathematics / Computer Science ► Computer Science ► Software Development |
| | Business ► Business Administration / Management ► Business Informatics |
| Keywords | Access Control • BPEL • Identity Management • Information Security • language • organization • SAML • security • Service-Oriented Architecture • SOA • SOAP • Standards • trust management • Web Services • Workflow • WSDL • XML |
| ISBN-10 | 3-540-87742-8 / 3540877428 |
| ISBN-13 | 978-3-540-87742-4 / 9783540877424 |
Size: 3.3 MB
DRM: digital watermark
This eBook contains a digital watermark and is therefore personalised to you. If the eBook is improperly passed on to third parties, it can be traced back to its source.
File format: PDF (Portable Document Format)
With its fixed page layout, PDF is particularly suited to technical books with columns, tables and figures. A PDF can be displayed on almost any device, but is only of limited use on small displays (smartphone, eReader).
System requirements:
PC/Mac: You can read this eBook on a PC or Mac. You need a PDF viewer for this, e.g. Adobe Reader or Adobe Digital Editions.
eReader: This eBook can be read on (almost) all eBook readers. It is not compatible with the Amazon Kindle, however.
Smartphone/Tablet: Whether Apple or Android, you can read this eBook. You need a PDF viewer for this, e.g. the free Adobe Digital Editions app.
Buying eBooks from abroad
For tax law reasons we can sell eBooks just within Germany and Switzerland. Regrettably we cannot fulfill eBook-orders from other countries.