Exchange Network Key Management Services
A Security Component
February 28, 2005
The Exchange Network Node Mentoring Workshop
Topics
• Security Requirements
• Public Key Infrastructure (PKI) Challenge
• What is XML Key Management Services (XKMS)
• XKMS Basic Services (Advantages, PKI Essentials)
• XML Signature using XKMS
• XML Encryption using XKMS
• Authentication using XKMS
• Interaction with XKMS
• Conclusion
Security Requirements
• Secure Authentication Requirement: Password-based authentication is weak, costly, and difficult to manage
• Message Security: Message-level confidentiality and non-repudiation are needed
• Payload Security: Confidential business information (CBI) may require submissions to be signed and encrypted
Public Key Infrastructure (PKI) Challenge
• Very complicated technology with some proprietary implementations
• Non-standard interface, difficult to use, deploy, and maintain
• Very high cost of acquisition, support, and operation
• Very low interoperability (No PKI standard interfaces)
• Certificate validation is very challenging
What is XKMS
• XKMS 2.0 is a World Wide Web Consortium (W3C) standard (a Candidate Recommendation at the time of this talk; it became a W3C Recommendation in June 2005)
• A central key repository with a Web service interface to PKI
• Vendor-neutral PKI solution for public key and certificate management
• A very simple access model
• Foundation for secure Web services (XML Signature, XML Encryption, XKMS)
• XKMS will be the PKI solution for the Exchange Network, and the key element of a strong security model
What is XKMS (Cont’d)
• XKMS Advantages
– A Web service interface to PKI technologies, accessible to any application on the Internet
– Vendor-neutral PKI solution for public key and certificate management
– Dramatically reduces the cost of PKI: keys can be generated and registered at any time on any machine
– Online real-time key/certificate validation using a simple Web method
What is XKMS (Cont’d)
• PKI Essentials
– A key pair is generated: a Public Key and a mathematically related Private Key
– The Private Key never leaves your machine; the Public Key can be shared with anyone
– Data encrypted with one key of the pair can only be decrypted with the other
– Encryption: Encrypt data using the receiver’s Public Key; only the receiver’s Private Key can decrypt it
– Signature: Sign a hash of the data using your Private Key; anyone holding your Public Key can verify it (often described loosely as “encrypting with the Private Key”, but a signature covers a digest and does not hide the data)
XKMS Basic Services
• XML Key Information Services (XKISS) – Locate and validate Public Keys
• XML Key Registration Services (XKRSS) – Register, revoke, recover, and reissue public keys or X.509 certificates
• Secure key exchange with XML encryption and signature
• All operations are defined as Web service methods
XML Signature using XKMS
• The sender signs the document with its Private Key; the signature’s KeyInfo identifies the signing key (KeyName, KeyValue, or a reference to it)
• The receiver asks an XKMS server to locate and validate the Public Key named in KeyInfo, rather than trusting a KeyValue embedded in the message itself
• The receiver verifies the signature using the validated key
XML Encryption Using XKMS
• The sender locates the receiver’s Public Key from an XKMS server
• The sender encrypts the document for the receiver’s Public Key (in XML Encryption the document is encrypted with a one-time symmetric content key, and that key is wrapped with the receiver’s Public Key in an EncryptedKey element)
• The receiver unwraps the content key with its own Private Key and decrypts the document
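The three steps above, worked through in Go as an added example (this is not code from the workshop or from the Exchange Network). It uses only the Go standard library and stands in for the XKMS Locate call with an in-memory map; the KeyName URN, the Directory and Envelope names, and the NewReceiver helper are this example's assumptions. It follows the XML Encryption pattern of a one-time content key wrapped with the receiver's Public Key, but produces a plain struct rather than XML:

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Directory stands in for the XKMS Locate step on the slides: receiver KeyName
// to public key. It is a stub for this example, not the Exchange Network service.
type Directory map[string]*rsa.PublicKey

// NewReceiver generates a receiver's key pair and publishes only the public
// half under its KeyName; the private half stays with the caller.
func NewReceiver(keyName string, dir Directory) (*rsa.PrivateKey, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	dir[keyName] = &priv.PublicKey
	return priv, nil
}

// Envelope mirrors the XML Encryption layout: EncryptedData carries the payload
// under a one-time content key, EncryptedKey carries that key wrapped with the
// receiver's public key. Field names are this example's, not the xenc schema.
type Envelope struct {
	WrappedKey []byte // RSA-OAEP(SHA-256) of the 256-bit AES content key
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte // AES-GCM output with the authentication tag appended
}

// Encrypt is the sender's side: Locate the receiver's key, generate a content
// key, encrypt the payload with it, then wrap the content key for the receiver.
// The receiver's KeyName is bound into both layers (GCM associated data and
// OAEP label), so an envelope cannot be re-addressed to another recipient.
func Encrypt(dir Directory, receiver string, plaintext []byte) (*Envelope, error) {
	pub, ok := dir[receiver]
	if !ok {
		return nil, errors.New("xkms locate: no key bound to " + receiver)
	}
	cek := make([]byte, 32)
	if _, err := rand.Read(cek); err != nil {
		return nil, err
	}
	gcm, err := newGCM(cek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(receiver))
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, cek, []byte(receiver))
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Decrypt is the receiver's side: unwrap the content key with the Private Key
// that never left this machine, then decrypt and authenticate the payload.
// Any other key, or any altered byte of the envelope, fails here.
func Decrypt(priv *rsa.PrivateKey, receiver string, env *Envelope) ([]byte, error) {
	cek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, []byte(receiver))
	if err != nil {
		return nil, errors.New("unwrap failed: not the intended receiver's Private Key")
	}
	gcm, err := newGCM(cek)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(receiver))
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	dir := Directory{}
	const receiver = "urn:example:node:receiver" // hypothetical KeyName
	priv, _ := NewReceiver(receiver, dir)
	env, _ := Encrypt(dir, receiver, []byte("CBI payload"))
	pt, err := Decrypt(priv, receiver, env)
	fmt.Printf("%q %v\n", pt, err)
}
```

The Directory models Locate only: it answers "which key is bound to this name" and says nothing about whether that binding is still good. A sender encrypting CBI should use the XKMS Validate operation instead, so that a revoked receiver key is refused before anything is encrypted to it.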
Authentication using XKMS
• A user registers a Public Key in XKMS
• The user creates an Authenticate message and signs it with the Private Key
• The Network Authentication and Authorization Server (NAAS) locates and validates the user’s Public Key from XKMS
• NAAS verifies the signature. The user is authenticated if the signature is valid under a key whose XKMS binding is valid (not revoked): only the holder of the Private Key could have produced it
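The sign-and-validate flow of the "XML Signature using XKMS" and "Authentication using XKMS" slides, as one added Go example (not code from the workshop, NAAS or the Exchange Network). The Registry type is a stub standing in for the XKMS server, with Register and Revoke playing the XKRSS roles and Validate playing the XKISS role; KeyName stands in for ds:KeyInfo/ds:KeyName; the signature is RSA-PSS over a SHA-256 digest rather than an XML Signature over canonicalized SignedInfo. The Timestamp and Nonce fields, the AuthWindow constant, the status strings and the KeyName URN are this example's assumptions, added so that a captured Authenticate message cannot simply be replayed:

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// AuthWindow bounds how old an Authenticate message may be (replay defence).
const AuthWindow = 5 * time.Minute

// Binding is one XKMS key binding: the public key plus the status a Validate
// response asserts for it (XKMS 2.0 uses Valid, Invalid, Indeterminate).
type Binding struct {
	Key    *rsa.PublicKey
	Status string
}

// Registry stands in for the Exchange Network XKMS server; it is a stub for
// this example, not the real service. Bindings are keyed by KeyName.
type Registry struct{ bindings map[string]Binding }

func NewRegistry() *Registry { return &Registry{bindings: map[string]Binding{}} }

// NewKeyPair generates the user's RSA key pair; only the public half is registered.
func NewKeyPair() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// Register plays the XKRSS Register role: bind a KeyName to a public key.
func (r *Registry) Register(keyName string, pub *rsa.PublicKey) {
	r.bindings[keyName] = Binding{Key: pub, Status: "Valid"}
}

// Revoke plays the XKRSS Revoke role: the key stays known, the binding is Invalid.
func (r *Registry) Revoke(keyName string) {
	if b, ok := r.bindings[keyName]; ok {
		b.Status = "Invalid"
		r.bindings[keyName] = b
	}
}

// Validate plays the XKISS Validate role. Unlike Locate, which only returns the
// key bound to a name, Validate asserts the binding is currently Valid, so a
// revoked key is refused here instead of verifying a signature successfully.
func (r *Registry) Validate(keyName string) (*rsa.PublicKey, error) {
	b, ok := r.bindings[keyName]
	if !ok || b.Status != "Valid" {
		return nil, errors.New("xkms validate: binding for " + keyName + " is not Valid")
	}
	return b.Key, nil
}

// AuthMessage is the signed Authenticate message. KeyName plays the role of
// ds:KeyInfo/ds:KeyName; Timestamp and Nonce are this example's additions.
type AuthMessage struct {
	KeyName   string
	Timestamp time.Time
	Nonce     []byte
	Signature []byte
}

// digest covers every field the signature protects, in a fixed order.
func (m *AuthMessage) digest() []byte {
	h := sha256.New()
	h.Write([]byte(m.KeyName))
	h.Write([]byte(m.Timestamp.UTC().Format(time.RFC3339)))
	h.Write(m.Nonce)
	return h.Sum(nil)
}

// SignAuth is the user's side: the Private Key is used here and never leaves.
func SignAuth(keyName string, priv *rsa.PrivateKey) (*AuthMessage, error) {
	m := &AuthMessage{KeyName: keyName, Timestamp: time.Now(), Nonce: make([]byte, 16)}
	if _, err := rand.Read(m.Nonce); err != nil {
		return nil, err
	}
	sig, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, m.digest(), nil)
	if err != nil {
		return nil, err
	}
	m.Signature = sig
	return m, nil
}

// VerifyAuth is the NAAS side: reject messages outside the time window, ask
// XKMS to Validate the named key, then check the signature against that key.
func VerifyAuth(m *AuthMessage, reg *Registry, now time.Time) error {
	if age := now.Sub(m.Timestamp); age > AuthWindow || age < -time.Minute {
		return errors.New("naas: timestamp outside the accepted window")
	}
	pub, err := reg.Validate(m.KeyName)
	if err != nil {
		return err
	}
	return rsa.VerifyPSS(pub, crypto.SHA256, m.digest(), m.Signature, nil)
}

func main() {
	reg := NewRegistry()
	priv, _ := NewKeyPair()
	const user = "urn:example:naas:user1" // hypothetical KeyName
	reg.Register(user, &priv.PublicKey)
	msg, _ := SignAuth(user, priv)
	fmt.Println("valid binding:   ", VerifyAuth(msg, reg, time.Now()))
	reg.Revoke(user)
	fmt.Println("after revocation:", VerifyAuth(msg, reg, time.Now()))
}
```

The order inside VerifyAuth is deliberate: the key the signature is checked against comes from the XKMS Validate response, never from key material carried in the message, and a correct signature under a revoked binding is rejected without ever reaching the verification step.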
Interaction with XKMS
Conclusion
• XKMS is the foundation for secure exchanges in the network – basic component for XML encryption and signature
• XKMS provides a simple standard interface to PKI
• Network XKMS services will be available to all network nodes and node clients
• XKMS will be integrated into NAAS for key-based authentication
• XKMS is the PKI solution without the PKI complexity and cost