XKMS
Monday, August 10, 2009
Key Management
Keeping the public and private keys, digital signatures, and digital certificates organized and secure is one of the biggest challenges in deploying all these new encryption, digital signature, and authentication technologies. Hence the need for a methodology to manage these security components. In this progression, the XML Key Management Specification (XKMS) has emerged under the backing of the W3C. The goal of XKMS is to provide standardized XML-based transaction definitions for the management of authentication, encryption, and digital signature services. The previous section discussed the XML Encryption and XML Digital Signature specifications. However, those specifications assume that the web service responsible for processing the XML exists in an environment where keys and certificates are kept safe and secure.
The assumption here is that the web service programmer knows which certificates and keys to use. XKMS provides a set of XML definitions that allow developers to contact a third party, which helps in locating and providing the appropriate keys and certificates.
The benefit of letting a third party do this sensitive job is to free the web service programmer from having to track the availability of keys or certificates and ensure their validity.
XML AND WEB SERVICES NOTES
In other words, XKMS provides a standardized set of XML definitions to do the following:
• Allow developers to contact and use remote trusted third-party services
• The trusted third-party services provide the following:
  encryption and decryption services
  creation of keys
  management of keys
  authentication of keys and digital signatures
The specification defines a set of tags used to query external key management and signature validation services. For example, to learn whether a certificate can be trusted, a client might ask a remote service questions such as “Is this a valid certificate?” or “Provide the value of the key you manage.” Thus XKMS provides the facility to manage keys.
XKMS was submitted to the W3C by Microsoft, VeriSign and webMethods and is backed by a range of companies including HP, IBM and Lenovo. XKMS is thus one of the three W3C specifications (together with XML Signature and XML Encryption) that define the XML security architecture.
XKMS Structure
On the whole, XKMS specifies the protocols for distributing and registering public keys. It is suitable for use in conjunction with the planned standard for XML Signature and as an additional standard for XML Encryption.
The structure of XKMS contains two sections:
• XML Key Information Service Specification (X-KISS)
• XML Key Registration Service Specification (X-KRSS)
Let us explore the sections in detail.
XML Key Information Service Specification
X-KISS defines a protocol for a trust service that manages the public-key information contained in documents conforming to the XML Signature specification. The basic objective of the protocol design is to relieve XML programmers of the complex task of writing code to process the XML Signature ds:KeyInfo element. The underlying PKI may be based on a different specification, such as X.509, the international standard for public-key certificates, or Pretty Good Privacy (PGP), the widely available public-key encryption system. Any trust policy can be used along with the XML Signature specification.
Whenever a person signs a document, it is not necessary to specify any key information except the value for the element
XML Key Registration Service Specification
X-KRSS specifies the protocol through which public key information is registered. Once a key is registered, it can be used along with other web services. The same protocol may also be used for recovery of private keys. Since the protocol provides for authentication of the applicant, the key pair (public key and private key) may be generated by the applicant; this serves as proof of possession of the private key. If the private key is instead generated by the registration service, a means of communicating the private key to the client is provided.
The following sections explain the key retrieval, location service and validate service with some example XML documents:
Key retrieval
Location service
Validate Service
Key retrieval
If the client wants the decryption key from a remote source, XKMS provides a simple method: the RetrievalMethod tag inside the KeyInfo element, which is available in XML Signature, can be used for this. The following segment assumes that a service exists that can provide information about a given key.
<KeyInfo>
  <RetrievalMethod
    URI="http://www.KeyFil.samp/ValidateKey"
    Type="http://www.w3.org/2000/09/xmldsig#X509Certificate"/>
</KeyInfo>
This search for a key is very simple and does not require the service to enforce the validity of the key it returns.
Sunday, August 9, 2009
Location service
If the application client wants to query a service for public key information, the location service provides a set of tags for this. If a web service client wants to encrypt something for a recipient, it needs the value of the recipient’s public key; to obtain that key, it contacts the key location service.
The following listing shows the Locate, Query, and Response tags used in the request:
Validate Service
The correspondence between a key and an attribute should be validated. The Validate Service, available through a trusted third party, can be used to do this: the third party validates the binding between a key and an attribute. For instance, consider the following query:
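The Locate and Validate exchanges described above, as an added example that is not part of these notes or of any XKMS toolkit: a small Python 3 client that builds the request, checks that the result answers that particular request and that the service reported success, and then pulls out either the located key value or the validity status. The element names follow the XKMS 2.0 Recommendation (LocateRequest/LocateResult, ValidateRequest/ValidateResult, UnverifiedKeyBinding, KeyBinding, Status), which superseded the draft tag names the notes quote; the service URL, key name and modulus are constructed sample values, and the two sample results stand in for what a trust service would return.

```python
import uuid
import xml.etree.ElementTree as ET

# XKMS 2.0 and XML Signature namespaces (W3C).
XKMS = "http://www.w3.org/2002/03/xkms#"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"xkms": XKMS, "ds": DS}
ET.register_namespace("xkms", XKMS)
ET.register_namespace("ds", DS)


def build_request(kind, key_name, service_url, key_usage="Encryption"):
    """Build a LocateRequest or ValidateRequest about the key bound to key_name.

    Returns (request Id, XML text).  The Id is random so the result can be
    matched to this request; service_url is a constructed placeholder.
    """
    req = ET.Element(f"{{{XKMS}}}{kind}Request",
                     {"Id": "I" + uuid.uuid4().hex, "Service": service_url})
    ET.SubElement(req, f"{{{XKMS}}}RespondWith").text = XKMS + "KeyValue"
    qkb = ET.SubElement(req, f"{{{XKMS}}}QueryKeyBinding")
    key_info = ET.SubElement(qkb, f"{{{DS}}}KeyInfo")
    ET.SubElement(key_info, f"{{{DS}}}KeyName").text = key_name
    ET.SubElement(qkb, f"{{{XKMS}}}KeyUsage").text = XKMS + key_usage
    return req.get("Id"), ET.tostring(req, encoding="unicode")


def _checked_root(xml_text, kind, request_id):
    """Reject results that are of the wrong type, answer another request, or failed."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{XKMS}}}{kind}Result":
        raise ValueError(f"expected {kind}Result, got {root.tag}")
    if root.get("RequestId") != request_id:
        raise ValueError("result does not answer our request")
    if root.get("ResultMajor") != XKMS + "Success":
        raise ValueError(f"service reported {root.get('ResultMajor')}")
    return root


def parse_locate_result(xml_text, request_id):
    """Map key name -> RSA key value and usages from the UnverifiedKeyBindings."""
    root = _checked_root(xml_text, "Locate", request_id)
    keys = {}
    for kb in root.findall("xkms:UnverifiedKeyBinding", NS):
        name = kb.findtext("ds:KeyInfo/ds:KeyName", namespaces=NS)
        rsa = kb.find("ds:KeyInfo/ds:KeyValue/ds:RSAKeyValue", NS)
        if name is None or rsa is None:
            continue
        keys[name.strip()] = {
            "Modulus": rsa.findtext("ds:Modulus", namespaces=NS).strip(),
            "Exponent": rsa.findtext("ds:Exponent", namespaces=NS).strip(),
            "KeyUsage": [u.text.strip() for u in kb.findall("xkms:KeyUsage", NS)],
        }
    return keys


def parse_validate_result(xml_text, request_id):
    """Return (trusted, reasons).  Only an explicit Valid status counts as trusted;
    Invalid and Indeterminate are both treated as untrusted."""
    root = _checked_root(xml_text, "Validate", request_id)
    status = root.find("xkms:KeyBinding/xkms:Status", NS)
    if status is None:
        return False, ["no Status in KeyBinding"]
    reasons = [r.text.strip() for r in status]  # Valid/Invalid/IndeterminateReason
    return status.get("StatusValue") == XKMS + "Valid", reasons


def sample_locate_result(request_id):
    """Constructed LocateResult; the modulus is a placeholder, not a real key."""
    return f"""<xkms:LocateResult xmlns:xkms="{XKMS}" xmlns:ds="{DS}" Id="R1"
    Service="https://xkms.example.test/" RequestId="{request_id}"
    ResultMajor="{XKMS}Success">
  <xkms:UnverifiedKeyBinding Id="K1">
    <ds:KeyInfo>
      <ds:KeyName>alice@example.test</ds:KeyName>
      <ds:KeyValue><ds:RSAKeyValue>
        <ds:Modulus>c29tZS1jb25zdHJ1Y3RlZC1tb2R1bHVz</ds:Modulus>
        <ds:Exponent>AQAB</ds:Exponent>
      </ds:RSAKeyValue></ds:KeyValue>
    </ds:KeyInfo>
    <xkms:KeyUsage>{XKMS}Encryption</xkms:KeyUsage>
  </xkms:UnverifiedKeyBinding>
</xkms:LocateResult>"""


def sample_validate_result(request_id, status, reason_tag, reason):
    """Constructed ValidateResult, e.g. ("Invalid", "InvalidReason", "RevocationStatus")."""
    return f"""<xkms:ValidateResult xmlns:xkms="{XKMS}" xmlns:ds="{DS}" Id="R2"
    Service="https://xkms.example.test/" RequestId="{request_id}"
    ResultMajor="{XKMS}Success">
  <xkms:KeyBinding Id="K2">
    <ds:KeyInfo><ds:KeyName>alice@example.test</ds:KeyName></ds:KeyInfo>
    <xkms:Status StatusValue="{XKMS}{status}">
      <xkms:{reason_tag}>{XKMS}{reason}</xkms:{reason_tag}>
    </xkms:Status>
  </xkms:KeyBinding>
</xkms:ValidateResult>"""


if __name__ == "__main__":
    rid, request = build_request("Locate", "alice@example.test", "https://xkms.example.test/")
    print(request)
    print(parse_locate_result(sample_locate_result(rid), rid))
    vid, _ = build_request("Validate", "alice@example.test", "https://xkms.example.test/")
    print(parse_validate_result(sample_validate_result(vid, "Invalid", "InvalidReason", "RevocationStatus"), vid))
```

A located key arrives in an UnverifiedKeyBinding: the service has only found it, not vouched for it, so a client that needs assurance follows the Locate with a Validate and treats any status other than Valid (including Indeterminate) as untrusted, which is what parse_validate_result does. Matching RequestId to the Id we generated stops a stale or replayed result from being accepted as the answer to a fresh query.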
Key registration
How to register your key information with a third-party KMS.
Key revocation
How to send a request to the third-party KMS to tell it that you no longer want it to manage the key on your behalf.
Key recovery
What do you do if you have lost your private key? XKMS offers some solutions. It describes how to send a request to obtain the private key and what the response looks like. The specification does not state the rules under which the private key should be returned. For example, it may be the policy of the service to cancel the old key and issue a new one after a certain period. However, that decision is up to the policy of the individual provider.
Verisign is one of the primary drivers of XKMS. They have already released a Java toolkit that supports XKMS development.
Java Toolkits
The IBM XML Security Suite and the Phaos XML Toolkit are two of the Java toolkits available for XML security. Both use Xerces and Xalan to parse the XML data and assemble signatures through their own APIs; the same APIs are used for encrypting the data. The Phaos sample simply uses parser APIs such as doc.getElementsByTagName(tagName) to access the element to be encrypted, as shown in the following listing:
// Copyright © Phaos Technologies
import java.io.File;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
// XEEncryptedData, XEEncryptionMethod, XSKeyInfo, SymmetricKey and RandomBitsSource
// are Phaos XML Toolkit classes; the listing does not show their package imports.

public class XEncryptTest
{
    public static void main (String[] args) throws Exception
    {
        ... // usage, command line args (inputFileName, tagName, keyFileName, keyName, dataType)...

        // get the XML file and retrieve the XML Element to be encrypted
        // note: as configured, the parser applies no XXE protections
        // (no DOCTYPE or external-entity restrictions)
        File xmlFile = new File(inputFileName);
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        DocumentBuilder db = dbf.newDocumentBuilder();
        Document doc = db.parse(xmlFile);

        Element inputElement = null;
        NodeList list = doc.getElementsByTagName(tagName);
        if (list.getLength() != 0)
            inputElement = (Element) list.item(0);
        else
        {
            System.err.println("XML element with tagName " + tagName + " unidentified.");
            System.exit(1);
        }

        // Create a new XEEncryptedData instance with the owner
        // Document of the input xml file, the data type URI and
        // the Id "ED" for this EncryptedData element.
        XEEncryptedData encData = XEEncryptedData.newInstance(doc, "ED", dataType);

        ... // determine encryption algorithm (algURI)

        // set up the EncryptionMethod child element
        XEEncryptionMethod encMethod = encData.createEncryptionMethod(algURI);
        encData.setEncryptionMethod(encMethod);

        // set up the symmetric key to be used in encryption
        SymmetricKey key = null;
        File keyFile = new File(keyFileName);
        ... // File stuff (read the key from keyFile into key)

        // set up the ds:KeyInfo child element with the keyName
        XSKeyInfo keyInfo = encData.createKeyInfo();
        keyInfo.addKeyInfoData(encData.createKeyName(keyName));
        encData.setKeyInfo(keyInfo);

        // set a nonce value to be prepended to the plain text
        byte[] nonce = new byte[16];
        encData.setNonce(RandomBitsSource.getDefault().randomBytes(nonce));

        // encrypt the XML element and replace it with the
        // newly generated EncryptedData element
        System.out.print("Encrypting the XML data ... ");
        XEEncryptedData newEncData =
            XEEncryptedData.encryptAndReplace(inputElement, key, encData);
        System.out.println("done");

        // output the XML Document with the new EncryptedData element to a file
    }
}
The Phaos toolkit was much easier to set up and run than the IBM toolkit. This piece of code makes a call to encryptAndReplace(). This method takes the element we have given it, encrypts it using the given key, and replaces the original element with the appropriately tagged, encrypted element.
As a whole, it can be said that Web services security is still an emerging area and proper
handling of this portion has to be done by researchers and vendors together.
Single-sign-on
What is single-sign-on? It is simply the ability for an end user or application to access other applications within a secure environment without needing to be validated by each application. The most common example of single-sign-on technology is in web-based corporate intranet applications.
What is the use of this environment? In this setting, users may want to use various applications that give access to their timetable, project schedule, expense reports and health benefits. If each application had to authenticate the user individually, the result would be inconvenient and slow, and would limit the value of the intranet site. Single sign-on is one solution: it allows access to all applications without additional intervention after the initial sign-on, using a profile that defines what the user is allowed to do.
Many companies provide products for web-based single-sign-on authentication and authorization, including Netegrity, Securant (now a part of RSA), Oblix, and Verisign. These products work through an intermediary process that controls and manages the passing of user credentials from one application to another. Users are assigned a permit that carries their rights information and allows them to access many applications without needing to authenticate to each one. This permit allows applications within the secure environment to shift the burden of authentication and authorization to a trusted third party, leaving the application free to focus on implementing business logic.
The single-sign-on concept is easily extended to web services. Web services can be
given a permit (placed in an XML/SOAP message) that can be used to validate the service
with other web services. However, the secure use of web services will depend on the
ability to exchange user credentials on a scale never seen before. Individual services will
reside in a variety of protected environments, each using various security products and
technologies. Providing a way to integrate these environments and enable their interoperability
is critical for the secure and effective use of these services.
Based on XML, the Security Assertion Markup Language (SAML) is an almost
complete specification proposed by the Organization for the Advancement of Structured
Information Standards (OASIS). The primary goal of SAML is to enable interoperability
between different systems that provide security services. The SAML specification does
not define new technology or approaches for authentication or authorization. Rather, it
defines a common XML language that describes the information or outputs generated by
these systems.
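To make the permit idea concrete, here is an added Python example (not from these notes, and not how any of the named products works): an intermediary issues a signed permit after one authentication, and each application checks the permit's authenticity, expiry, intended audience and granted rights instead of authenticating the user again. A shared HMAC secret stands in for the issuer's signing key and the JSON body stands in for a signed SAML assertion; the subject, rights and application names are constructed.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed secret shared by the intermediary (issuer) and the verifying
# applications.  With SAML the applications would instead hold the issuer's
# public key and verify an XML Signature over the assertion.
ISSUER_SECRET = b"constructed-issuer-secret"


def issue_permit(subject, rights, audience, ttl_seconds, now=None, secret=ISSUER_SECRET):
    """Issue a permit once the user has authenticated with the intermediary.

    The permit states who the user is, what they may do, which applications
    may accept it, and when it stops being valid.
    """
    now = time.time() if now is None else now
    body = {"sub": subject, "rights": sorted(rights),
            "aud": sorted(audience), "exp": int(now + ttl_seconds)}
    payload = base64.urlsafe_b64encode(
        json.dumps(body, sort_keys=True, separators=(",", ":")).encode()).decode()
    tag = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + tag


def check_permit(permit, app_name, required_right, now=None, secret=ISSUER_SECRET):
    """Return the subject if the permit is genuine, current, addressed to
    app_name and grants required_right; otherwise None.

    The application never sees a password: it relies on the intermediary's
    signature, so the signature is checked before anything else is decoded.
    """
    payload, sep, tag = permit.partition(".")
    if not sep:
        return None
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None
    body = json.loads(base64.urlsafe_b64decode(payload))
    now = time.time() if now is None else now
    if now >= body["exp"]:
        return None
    if app_name not in body["aud"] or required_right not in body["rights"]:
        return None
    return body["sub"]


if __name__ == "__main__":
    permit = issue_permit("alice", ["timetable:read", "expenses:submit"],
                          ["timetable", "expenses"], ttl_seconds=600)
    print(check_permit(permit, "timetable", "timetable:read"))   # alice
    print(check_permit(permit, "expenses", "expenses:approve"))  # None
```

The audience check matters as much as the signature: a permit minted for the timetable application must not be accepted by payroll just because it was genuinely issued, and the expiry bounds how long a stolen permit remains useful.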
Guidelines for signing XML documents
Signing XML documents needs care, since any change in the document, such as the introduction of white space or a change of case, changes the signature.
The following two points should be kept in mind when signing a document:
1. Content presentation techniques may introduce changes
2. Transformations may alter the content
XML relies on transformations and substitutions during the processing of XML documents. For example, if an XML document includes an embedded style sheet or references an external style sheet, the transformed document is what should be presented to the user rather than the document without the style sheet. In this case, the signer should be careful to sign not only the original XML but also the other information that may affect the presentation.
If due consideration is not given to handling the original and the transformed document, verification will return a different result than intended. As in any security infrastructure, the security of the overall system will depend on the security and integrity of procedures and personnel as well as on procedural enforcement.
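As an added illustration of both points (not from these notes), the following Python 3.8+ script hashes the same order document in three ways: over the raw bytes, over its canonical (C14N) form with ignorable whitespace stripped, and over the canonical form together with the stylesheet that decides how it is displayed. The order and the two stylesheets are constructed for the example; a real XML Signature would feed the canonical bytes into a signature rather than a bare SHA-256 digest.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample: the same purchase order, compact and pretty-printed.
ORDER_COMPACT = '<order id="42"><item>widget</item><qty>3</qty></order>'
ORDER_PRETTY = """<order id="42">
    <item>widget</item>
    <qty>3</qty>
</order>
"""
# A substantive change: only the case of the item name differs.
ORDER_RECASED = '<order id="42"><item>Widget</item><qty>3</qty></order>'

# Constructed stylesheets: v1 shows the quantity, v2 hides it from the viewer.
XSL = "http://www.w3.org/1999/XSL/Transform"
STYLESHEET_V1 = (f'<xsl:stylesheet xmlns:xsl="{XSL}" version="1.0">'
                 '<xsl:template match="qty"><b><xsl:value-of select="."/></b></xsl:template>'
                 '</xsl:stylesheet>')
STYLESHEET_V2 = (f'<xsl:stylesheet xmlns:xsl="{XSL}" version="1.0">'
                 '<xsl:template match="qty"/>'
                 '</xsl:stylesheet>')


def raw_digest(xml_text):
    """Digest over the bytes as received: every byte of whitespace counts."""
    return hashlib.sha256(xml_text.encode("utf-8")).hexdigest()


def canonical_digest(xml_text):
    """Digest over the C14N form with whitespace around text content stripped,
    so re-indenting the document leaves the digest unchanged while a change
    of case in the content still alters it."""
    canonical = ET.canonicalize(xml_data=xml_text, strip_text=True)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def presentation_digest(xml_text, stylesheet_text):
    """Digest covering both the data and the stylesheet that controls how the
    data is shown, so swapping the stylesheet is detected."""
    h = hashlib.sha256()
    h.update(ET.canonicalize(xml_data=xml_text, strip_text=True).encode("utf-8"))
    h.update(b"\x00")  # separator so the two canonical documents cannot run together
    h.update(ET.canonicalize(xml_data=stylesheet_text).encode("utf-8"))
    return h.hexdigest()


if __name__ == "__main__":
    print("raw differs on re-indent:   ", raw_digest(ORDER_COMPACT) != raw_digest(ORDER_PRETTY))
    print("canonical stable on re-indent:", canonical_digest(ORDER_COMPACT) == canonical_digest(ORDER_PRETTY))
    print("canonical changes on re-case: ", canonical_digest(ORDER_COMPACT) != canonical_digest(ORDER_RECASED))
    print("stylesheet swap detected:     ",
          presentation_digest(ORDER_COMPACT, STYLESHEET_V1) != presentation_digest(ORDER_COMPACT, STYLESHEET_V2))
```

The canonical digest alone is blind to the stylesheet: the signed order is byte-for-byte intact while the viewer is shown a different quantity, which is exactly the presentation problem the first guideline warns about. Covering the stylesheet in what is signed, as presentation_digest does, closes that gap.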