Home arrow Security arrow Page 3 - Trust, Access Control, and Rights for Web Services, Part 2

X-KRSS - Security

Web services themselves provide a powerful new approach to PKI that prevents each Web service requestor and provider from having to build their own PKI: accessing a trusted PKI as a service. XKMS aims to do just that. This is part 2 of chapter 9 from Securing Web Services with WS-Security, by Rosenberg and Remy (ISBN 0672326515, SAMS, 2004).

TABLE OF CONTENTS:
  1. Trust, Access Control, and Rights for Web Services, Part 2
  2. The XKMS Services
  3. X-KRSS
  4. eXtensible Access Control Markup Language (XACML) Specification
  5. The XACML Data Model
  6. XACML Policy Example
  7. eXtensible Rights Markup Language (XrML) Management Specification
  8. XrML Use Case Example
  9. Summary
By: Sams Publishing
Rating: starstarstarstarstar / 6
October 12, 2004

print this article
SEARCH DEV SHED

TOOLS YOU CAN USE

advertisement

From a Web services point of view, Locate and Validate will be the most common form of XKMS service requested. Depending on the nature of the Web service provided and the security policy in place, X-KRSS messages such as Register, Recover, Revoke, and Reissue may be processed only under a much more stringent environment.

In the registration phase, as shown in Figure 9.8, an XML application key pair holder registers its public key with a trusted infrastructure via a registration server. The public key is sent to the registration server using a digitally signed request specified by KRSS using the <Register> tag. The registration server responds with an XML formatted confirmation response using the <RegisterResponse> tag, which indicates status of the registration (accepted, rejected, or pending) and a confirmation of name and attribute information registered with the public key. Except in the case of rejection, a key pair identifier is returned in the <RegisterResponse> tag for subsequent referencing purposes. The registration is typically preceded by generation of the key pair in the key pair holder system.

Trust, Access Control, and Rights for Web Services

Figure 9.8  X-KRSS key registration.

A sample X-KRSS <Request> is shown in Listing 9.9.

Listing 9.9 X-KRSS Request to XKMS Registration Service for Key Registration

<?xml version="1.0"?>
 <soap:Envelope xmlns:soap="
http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:soapenc="
http://schemas.xmlsoap.org/soap/encoding/"
 xmlns:xsi="
http://www.w3.org/1999/XMLSchema-instance"
 xmlns:xsd="
http://www.w3.org/1999/XMLSchema"
xmlns:ds="
http://www.w3.org/2000/09/xmldsig#">
  <soap:Body>
   <Register xmlns="
http://www.xkms.org/schema/xkms-2001-01-20">
    <Prototype>
     <Status>Valid</Status>
     <KeyID>mailto:Alice@cryptographer.test</KeyID>
      <ds:KeyInfo>
       <ds:KeyName>mailto:Alice@cryptographer.test</ds:KeyName>
      </ds:KeyInfo>
     <ValidityInterval>
      <NotBefore>2000-09-20T12:00:00</NotBefore>
      <NotAfter>2001-09-20T12:00:00</NotAfter>
     </ValidityInterval>
     <PassPhrase>qfarJIsfcVKLo</PassPhrase>
    </Prototype>
    <AuthInfo>
     <AuthUserInfo>
      <ProofOfPossession>
       <Signature>2PUN8HQlnhf9YI</Signature>
      </ProofOfPossession>
      <AuthKeyBinding>
       <Signature>EfdxSXAidruAszN</Signature>
      </AuthKeyBinding>
     </AuthUserInfo>
    </AuthInfo>
    <Respond>
     <string>KeyName</string>
     <string>KeyValue</string>
    </Respond>
   </Register>
  </soap:Body>
 </soap:Envelope>

The X-KRSS <RegisterResult> response to this request is shown in Listing 9.10.

Listing 9.10 X-KRSS Response from the XKMS Registration Service

<?xml version="1.0"?>
 <soap:Envelope xmlns:soap="
http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:soapenc="
http://schemas.xmlsoap.org/soap/encoding/"
 xmlns:xsi="
http://www.w3.org/1999/XMLSchema-instance"
 xmlns:xsd="
http://www.w3.org/1999/XMLSchema"
xmlns:ds="
http://www.w3.org/2000/09/xmldsig#">
  <soap:Body>
   <RegisterResult xmlns="
http://www.xkms.org/schema/xkms-2001-01-20">
    <Result>Success</Result>
    <Answer soapenc:arrayType="KeyBinding[1]">
     <KeyBinding>
      <Status>Valid</Status>
      <KeyID>mailto:Alice@cryptographer.test</KeyID>
       <ds:KeyInfo>
        <ds:KeyValue>
         <ds:RSAKeyValue>
<ds:Modulus>998/T2PUN8HQlnhf9YIKdMHHGM7HkJwA56UD0a1oYq7EfdxSXAidruAszNqBoOqfarJ
IsfcVKLob1hGnQ/l6xw==</ds:Modulus>
          <ds:Exponent>AQAB</ds:Exponent>
         </ds:RSAKeyValue>
        </ds:KeyValue>
        <ds:KeyName>mailto:Alice@cryptographer.test</ds:KeyName>
       </ds:KeyInfo>

      <ValidityInterval>
       <NotBefore>2000-09-20T12:00:00</NotBefore>
       <NotAfter>2001-09-20T12:00:00</NotAfter>
      </ValidityInterval>
     </KeyBinding>
    </Answer>
    <Private/>
   </RegisterResult>
  </soap:Body>
 </soap:Envelope>

Revocation is handled via a similar protocol. The use of desktop (that is, file system) private key storage—as well as more broad XML client encryption applications—mandates some form of key recovery provision. Key recovery provides a way to recover a lost private key so that corporate-owned data encrypted with the lost private key is not lost forever. For historical reasons, key recovery is not supported by standardized protocols. In X-KRSS, such support is built in.

SamsThis chapter is from Securing Web Services Security with WS-Security, by Jothy Rosenberg and David Remy (Sams, 2004, ISBN: 0672326515). Check it out at your favorite bookstore today.

Buy this book now.



 
 
>>> More Security Articles          >>> More By Sams Publishing
 

blog comments powered by Disqus
escort Bursa Bursa escort Antalya eskort
   

SECURITY ARTICLES

- Secure Your Business for Data Privacy Day
- Google Testing Security Fob Password Alterna...
- Security News Highlights Concerns
- Going to Extremes for Data Security
- Skipfish Website Vulnerability Scanner
- Critical Microsoft Visual Studio Security Pa...
- US Faces Tech Security Expert Deficit
- LAN Reconnaissance
- An Epilogue to Cryptography
- A Sequel to Cryptography
- An Introduction to Cryptography
- Security Overview
- Network Security Assessment
- Firewalls
- What’s behind the curtain? Part II

Developer Shed Affiliates

 


Dev Shed Tutorial Topics: