Glossary

Retired Content

This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This page may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.



Web Service Security: Scenarios, Patterns, and Implementation Guidance for Web Services Enhancements (WSE) 3.0

Microsoft Corporation

patterns & practices Developer Center
Web Service Security: Home
December 2005


This section contains a brief summary of key terms and definitions that appear in Web Service Security: Scenarios, Patterns, and Implementation Guidance for Web Services Enhancements 3.0. This glossary is not intended to be an authoritative or comprehensive security glossary, because many such resources already exist. A bracketed number at the end of a definition indicates that the definition is cited directly from the corresponding resource in the "References" section.

authentication
The process of verifying the identity that a subject claims by checking that subject's credentials. For example, a bank teller may be required to authenticate who you are by examining your driver's license. Authentication typically occurs immediately after identification.

authorization
The process of determining whether an authenticated subject is allowed to access a resource or perform a task within a security domain. Authorization uses information about a client's identity and/or roles to determine the resources or tasks that a client can perform.

brokered authentication
A type of authentication in which a trusted authority brokers authentication between a client and a service, so that the client and the service do not need to share credentials or a direct trust relationship. An example is shown in Figure 1.


Figure 1. Using a broker to perform authentication when a client and service do not share a trust relationship

claim
A claim is a declaration made by an entity. Examples include name, identity, key, group, privilege, and capability. [2]

client
The client accesses the Web service. The client provides credentials for authentication during the request to the Web service.

confidentiality
The protection of data so that only authorized actors, such as the holder of the security token the data was encrypted for, can read it.

credentials
A set of claims used to prove the identity of a client. They contain an identifier for the client and a proof of the client's identity, such as a password. They may also include information, such as a signature, to indicate that the issuer certifies the claims in the credential.

data confidentiality
The encrypting of message data so that unauthorized entities cannot view the contents of the message.

data integrity
The verification that a message has not changed in transit.

data origin authentication
Data origin authentication takes data integrity a step further by also identifying and validating the origin of a message, typically through a signature that only the claimed sender could have produced.

data encryption
Encryption is the process of converting data (plaintext) into something that appears to be random and meaningless (ciphertext), from which the plaintext cannot feasibly be recovered without the corresponding decryption key. Encryption is used to provide message confidentiality.

delegation
A process where the service account is allowed to access a remote resource on behalf of another Windows account, which is typically the client accessing a service.

digital signature
This is an asymmetric signature that is created with the signer's private key and verified with the corresponding public key. Digital signatures can be used to support non-repudiation requirements, provided the private key is under the sole control of the signer.

direct authentication
A type of authentication in which the service validates the client's credentials directly against an identity store, such as a database or directory service. Direct authentication can be performed when the client and the service participate in a trust relationship that allows them to exchange and validate credentials, including passwords, as shown in Figure 2.


Figure 2. Direct authentication when a client and service share a trust relationship

identification
Represents the use of an identifier that allows a system to recognize a particular subject and distinguish it from other users of the system.

impersonation
Impersonation is the act of assuming a different identity on a temporary basis so that a different security context or set of credentials can be used to access a resource.

impersonation/delegation model
A resource access model that flows the security context of the original caller through successive application tiers and onto back-end resource managers. This allows resource managers to implement authorization decisions based on the identity of the original caller. This is in contrast to the trusted subsystem model. [1]

message layer security
Message layer security represents an approach where all the information that is related to security is encapsulated in the message itself. In other words, with message layer security, the credentials, signatures, and encrypted data are carried in the message, so the protection survives intermediaries and is independent of the transport used for each hop.

mutual authentication
Mutual authentication is a form of authentication where the client authenticates the server in addition to the server that authenticates the client. [1]

proof-of-possession
A value that a client presents to demonstrate knowledge of either a shared secret or a private key to support client authentication. Proof-of-possession that uses a shared secret can be established using the actual shared secret, such as a user's password, or a password equivalent, such as a digest of the shared secret, which is typically created by hashing the shared secret together with a salt value (in WS-Security, a nonce and a creation timestamp). Note that a digest computed over the secret alone is itself a replayable password equivalent; the nonce and timestamp are what make each proof usable only once. Proof-of-possession can also be established using the XML signature within a SOAP message, where the signature is generated symmetrically (a keyed hash derived from the shared secret) or asymmetrically (with the sender's private key).
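
The following is an added example, not code from the WSE 3.0 guide, showing the shared-secret form of proof-of-possession as the WS-Security UsernameToken profile defines it: PasswordDigest = Base64(SHA-1(nonce + created + password)). The client proves knowledge of the password without sending it, and the service recomputes the digest from its own copy of the secret. Because the digest by itself is a replayable password equivalent, the verifier also enforces a freshness window on the Created timestamp and rejects reused nonces. The identity store, user name, password, and function names are all constructed for this example.

```python
"""
Added example (not from the WSE 3.0 guide): WS-Security UsernameToken
PasswordDigest as proof-of-possession of a shared secret, with the
freshness and replay checks a service must add to make it non-replayable.
"""
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

# Constructed identity store (username -> password). The digest profile needs
# the password itself (or a password-equivalent) on the service side, which is
# why it is weaker than a salted, slow password hash in a real identity store.
IDENTITY_STORE = {"alice": "correct horse battery staple"}
FRESHNESS = timedelta(minutes=5)
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def password_digest(nonce, created, password):
    """Base64(SHA-1(nonce + created + password)) as defined by the UsernameToken profile."""
    digest = hashlib.sha1(nonce + created.encode("utf-8") + password.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def make_username_token(username, password, now=None):
    """Client side: the fields a UsernameToken header carries when PasswordDigest is used."""
    now = now or datetime.now(timezone.utc)
    nonce = os.urandom(16)                      # fresh random nonce per token
    created = now.strftime(TIME_FMT)
    return {
        "Username": username,
        "Nonce": base64.b64encode(nonce).decode("ascii"),
        "Created": created,
        "PasswordDigest": password_digest(nonce, created, password),
    }


class DigestVerifier:
    """Service side: direct authentication of a UsernameToken against the identity store."""

    def __init__(self, store, freshness=FRESHNESS):
        self.store = store
        self.freshness = freshness
        self.seen_nonces = set()   # replay cache; in practice expire entries older than freshness

    def verify(self, token, now=None):
        now = now or datetime.now(timezone.utc)
        password = self.store.get(token.get("Username"))
        if password is None:
            return False
        try:
            created = datetime.strptime(token["Created"], TIME_FMT).replace(tzinfo=timezone.utc)
            nonce = base64.b64decode(token["Nonce"], validate=True)
        except (KeyError, ValueError):
            return False
        # Freshness: stale or future-dated tokens are rejected.
        if abs(now - created) > self.freshness:
            return False
        # Replay: each nonce is accepted exactly once.
        if token["Nonce"] in self.seen_nonces:
            return False
        expected = password_digest(nonce, token["Created"], password)
        if not hmac.compare_digest(expected, token.get("PasswordDigest", "")):
            return False
        self.seen_nonces.add(token["Nonce"])
        return True


def run_scenarios():
    """Exercise the verifier: fresh token, replay, wrong password, stale token, unknown user."""
    verifier = DigestVerifier(IDENTITY_STORE)
    good = make_username_token("alice", IDENTITY_STORE["alice"])
    fresh = verifier.verify(good)
    replay = verifier.verify(good)          # same nonce presented a second time
    wrong = verifier.verify(make_username_token("alice", "not the password"))
    stale = verifier.verify(make_username_token(
        "alice", IDENTITY_STORE["alice"], now=datetime.now(timezone.utc) - timedelta(hours=1)))
    unknown = verifier.verify(make_username_token("mallory", "anything"))
    return {"fresh": fresh, "replay": replay, "wrong_password": wrong,
            "stale": stale, "unknown_user": unknown}


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name:14s} accepted={accepted}")
```

The verifier rebuilds the digest from the nonce and Created values the client sent, so those values are part of what is authenticated: an attacker who captures a token cannot change them without invalidating the digest, and cannot resend the token unchanged because the nonce has been seen. The freshness window bounds how long the nonce cache must be retained.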

protection scope
This term describes the scope of protection for a Web service message. Protection scope refers to the extent to which the message is protected, whether for its entire lifetime (end to end, including while it is stored or passes through intermediaries) or only while it is in transit between two endpoints on a single hop.

protocol transition
Protocol transition is a process where the service account transitions an identity that was authenticated using a non-Windows protocol into a Windows security context.

public-private key encryption
Public-private key encryption is an asymmetric form of encryption that relies on a cryptographically generated public/private key pair. Data encrypted with the public key can be decrypted only with the corresponding private key, so anyone can encrypt a message that only the key pair's owner can read. The private key is used to create digital signatures, which anyone holding the public key can verify.

security context
A generic term used to refer to the collection of security settings that affect the security-related behavior of a process or thread. The attributes from a process logon session and an access token combine to form the security context of the process. [1]

security context token (SCT)
A lightweight token that can be established for multiple message exchanges between two endpoints using the protocol defined in the WS-SecureConversation specification. [4]

security token
A representation of a set of claims, carried in a message, that is used to prove the identity of a client. Like a credential, it contains an identifier for the client and a proof of the client's identity, such as a password or a signature, and may include information, such as the issuer's signature, indicating that the issuer certifies the claims in the token. Most security tokens also contain additional information that is specific to the authentication broker that issued the token.

security token service (STS)
A Web service that issues security tokens (see WS-Security). An STS makes assertions based on evidence that it trusts, to whomever trusts it (or to specific recipients). To communicate trust, a service requires proof, such as a signature to prove knowledge of a security token or set of security tokens. An STS can generate tokens or it can rely on a separate STS to issue a security token with its own trust statement. (Note that for some security token formats, this can be nothing more than a re-issuance or co-signature). This process forms the basis of trust brokering. [3]

service account
This is the Windows account that the operating system process uses when it hosts a service. Web services are usually hosted in a process managed by an application server, such as Internet Information Services (IIS), which performs operations using the identity of a service account.

signed security token
A signed security token is a security token that is asserted and cryptographically signed by a specific authority, such as an X.509 certificate or a Kerberos ticket. [2]

service
A service is a Web service that requires authentication.

transport layer security
Transport layer security represents an approach where security protection is enforced by lower-level network communication protocols, such as SSL/TLS. The protection applies only to a single hop, between the two endpoints of the connection, and ends when the message leaves the transport.

trust
Trust is the characteristic that one entity is willing to rely upon a second entity to execute a set of actions and/or to make a set of assertions about a set of subjects and/or scopes. [2]

trusted subsystem
This is a resource access model in which a trusted business identity, rather than the original caller's identity, is used to access a resource on behalf of the client. The identity could belong to a service account or it could be the identity of an application account created specifically for access to remote resources. This is in contrast to the impersonation/delegation model.

References

For more security glossary information, see the following resources:

  1. "Building Secure ASP.NET Applications: Authentication, Authorization, and Secure Communication" on MSDN.
  2. "Web Services Security: SOAP Message Security 1.0 (WS-Security 2003)" on the Oasis Web site.
  3. "Web Services Trust Language (WS-Trust)" on MSDN.
  4. "Managing Security Context Tokens in a Web Farm" on MSDN.
