XML Key Management Protocol for Secure Web Service
Submitted By : Md. Hasan Basri Reg. No. : 1010048, Roll: 700030, Session: 2006 -2007 Department of Computer Science, IST. National University Bangladesh.Supervised By: A.N.M Khaleqdad Khan Assistant Professor, Department of Computer Science, Institute of Science and Technology (IST). National University Bangladesh.
“Without Trust and Security, Web Services are Dead on Arrival.” - Phillip Hallam-Baker
Providing a key management specification for secure web service communication considering the principal of symmetric key cryptography.
• Security Requirements• Public Key Infrastructure (PKI) Challenge• What is XML Key Management Services (XKMS)• XKMS Basic Services (Advantages, PKI Essentials)• XML Signature using XKMS• XML Encryption using XKMS• Authentication using XKMS• Interaction with XKMS• Conclusion
• Secure Authentication Requirement: Password-based authentication is weak, costly, and difficult to manage• Message Security: Message-level confidentiality and non- repudiation needed• Payload Security: Confidential business information (CBI) may require submissions to be signed and encrypted
• Very complicated technology with some proprietary implementations• Non-standard interface, difficult to use, deploy, and maintain• Very high cost of acquisition, support, and operation• Very low interoperability (No PKI standard interfaces)• Certificate validation is very challenging
• A World Wide Web Consortium (W3C) standard, XKMS 2.0, is finalized• A central key depository with Web service interface to PKI• Vendor-neutral PKI solution for public key and certificate management• A very simple access model• Foundation for secure Web services (XML signature, XML encryption, XKMS)• XKMS will be the PKI solution to the Exchange Network, and the key element to a strong security model.
• XKMS Advantages – A Web service interface to PKI technologies, accessible to any applications on the Internet – Vendor-neutral PKI solution for public keys and certificates management – Dramatically reduces cost of PKI. Key can be generated and registered at anytime on any machine – Online real-time key/certificate validation using a simple Web method
• PKI Essentials – A key is generated and broken up into two pieces – Public Key and Private Key – Private Key never goes out of your machine, but share Public Key with anyone – When a data is encrypted using one key, it could only be decrypted using another – Encryption: Encrypt data using the receiver’s Public Key – Signature: Encrypt data using your Private Key
• XML Key Information Services (XKISS) – Locate and validate Public Keys• XML Key Registration Services (XKRSS) – Register, revoke, recover, and reissue public keys or X.509 certificates• Secure key exchange with XML encryption and signature• All operations are defined as Web service methods
• A document is signed using the Private Key and key information (KeyName, KeyValue)• The receiver locates / validates the Public Key used for the signature from an XKMS server• The receiver verifies the signature using the valid key
• The sender locates the receiver’s Public Key from an XKMS server• The sender encrypts a document using the receiver’s Public Key• The receiver decrypts the document using the Private Key
• A user registers Public Key in XKMS• The user creates an Authenticate message and signs the message using the Private Key• Network Authentication and Authorization Server (NAAS) locates / validates the user’s Public Key from XKMS• NAAS verifies the signature. The user is authenticated if the signature is valid – the holder of the Private Key
• XKMS is the foundation for secure exchanges in the network – basic component for XML encryption and signature• XKMS provides a simple standard interface to PKI• Network XKMS services will be available to all network nodes and node clients• XKMS will be integrated into NAAS for key-based authentication• XKMS is the PKI solution without the PKI complexity and cost