Security of Distributed Systems Part I Elisa Bertino CERIAS and CS ECE Departments Purdue University Elisa Bertino Pag 1 Purdue University Topics Overview XACML and SAML Federated Digital Identity Management Liberty Alliance Case study Shibboleth Trust Negotiation Systems Elisa Bertino Pag 2 Purdue University Overview Security for distributed systems has been widely investigated we can distinguish Network security Middleware security World wide web security Elisa Bertino Pag 3 Purdue University Middleware security Past work Kerberos CORBA Common Object Request Broker Architecture Current work Federated Digital Identity Management Access Control and Authorization XACML SAML Core Security Standards XML Digital Signature XML Encryption Advanced Security Web services WS security Elisa Bertino Pag 4 Purdue University Middleware Relevant Standards Bodies W3C XML SOAP WSDL XML Encryption XML Digital Signature XKMS OASIS UDDI SAML XACML WS Security WSPolicy WS Trust WS Authorization WSSecureConversation WS Federation WS WS standards developed by MS IBM and submitted to OASIS for standardization Elisa Bertino Pag 5 Purdue University World wide web security The WWW has changed the nature of distributed computing The separation of program and data is once more abolished Content providers embed executable content applets in documents to create interactive web pages that can process user input Computation is moved to the client It is thus now the client who needs protection from rogue content providers Mobile code moves from machine to machine collecting information from different places or looking from spare computer resources Clients need protection from mobile code mobile code may need protection from the clients it is running on Users are forced to become system administrators and policy makers Elisa Bertino Pag 6 Purdue University World wide web security Relevant work Security for Java Security for mobile agents Intellectual property protection Watermarking and fingerprinting techniques Elisa Bertino Pag 7 Purdue University Background Notions XML eXtensible Markup Language W3C Recommendation third edition http www w3 org TR REC xml A restricted form of SGML an ISO standard Allows delivery of custom data Focuses on what data is not what data looks like e g HTML Use a Document Type Definition DTD or XML Schema http www w3 org TR xmlschema 0 to describe new syntax Elisa Bertino Pag 8 Purdue University Simple XML Example xml version 1 1 note date 2004 11 10 date to Adam to from Kody from heading Hungry heading body Feed me dad body note Elisa Bertino Pag 9 Purdue University Background Notions XML with DTD xml version 1 1 DOCTYPE note ELEMENT note date to from heading body ELEMENT date PCDATA ELEMENT to PCDATA ELEMENT from PCDATA ELEMENT heading PCDATA ELEMENT body PCDATA note date 2004 10 11 date to Adam to from Jasmine from heading Bone heading body Kody stole my bone body note Elisa Bertino Pag 10 Purdue University Schema Example xml version 1 0 xs schema xmlns xs http www w3 org 2001 XMLSchema targetNamespace http www w3schools com xmlns http www w3schools com elementFormDefault qualified xs element name note xs complexType xs sequence xs element name date type xs date xs element name to type xs string xs element name from type xs string xs element name heading type xs string xs element name body type xs string xs sequence xs complexType xs element xs schema Elisa Bertino Pag 11 Purdue University Background Notions DOM Document Object Model http www w3 org DOM Internal representation of an XML document as a tree Allows one to specify an element and all the data inside it as a subtree Also allows one to specify a search pattern over the document e g XPath Elisa Bertino Pag 14 Purdue University Background Notions SOAP Simple Object Access Protocol http www w3 org TR soap SOAP provides the definition of the XML based information which can be used for exchanging structured and typed information between peers in a decentralized distributed environment SOAP is a stateless one way message paradigm Extensible messaging framework Issues such as security not part of specification addressed as extensions Elisa Bertino Pag 15 Purdue University Background Notions The Stack SOAP SOAP XML XML HTTP HTTP Usually Usually but butnot notalways always Elisa Bertino Pag 16 Purdue University Background Notions SOAP Messages Two main parts to the message Header Contains message meta information Body Contains the main message SOAP Envelope SOAP Header optional SOAP Body Elisa Bertino Pag 17 Purdue University Background Notions SOAP Example env Envelope xmlns env http www w3 org 2003 05 soap envelope env Header n alertcontrol xmlns n http example org alertcontrol n priority 1 n priority n expires 2001 06 22T14 00 00 05 00 n expires n alertcontrol env Header env Body m alert xmlns m http example org alert m msg Pay the electric bill today m msg m alert env Body env Envelope Elisa Bertino Pag 18 Purdue University Access Control and Authorization Elisa Bertino Pag 19 Purdue University SAML Security Assertion Markup Language http xml coverpages org SAML TechOverview20v0311511 pdf The goal of SAML is to define enhance and maintain a standard XML based framework for creating and exchanging authentication and authorization information Allows an organization to make assertions about security properties of a subject Authentication Attributes Authorization decisions Elisa Bertino Pag 20 Purdue University SAML SAML is different from other security systems due to its approach of expressing assertions about a subject that other applications within a network can trust The following two concepts are important in SAML Identity Provider IdP The system or administrative domain that asserts information about a subject For instance the Identity Provider asserts that this user has been authenticated and has given associated attributes For example This user is John Doe he has an email address of john doe acompany com and he was authenticated into this system using a password mechanism In SAML Identity Providers are also known as SAML authorities and Asserting Parties Service Provider SP The system or administrative domain that relies on information supplied to it by the Identity Provider It is up to the Service Provider as to whether it trusts the assertions provided to it SAML defines a number of mechanisms that enable the Service Provider to trust the assertions provided to it It should be noted that although a Service Provider can
View Full Document
Unlocking...