X-KRSS - Security

Web services themselves provide a powerful new approach to PKI that prevents each Web service requestor and provider from having to build their own PKI: accessing a trusted PKI as a service. XKMS aims to do just that. This is part 2 of chapter 9 from Securing Web Services with WS-Security, by Rosenberg and Remy (ISBN 0672326515, SAMS, 2004).

TABLE OF CONTENTS:

By: Sams Publishing

Poor Best

Rating:

/ 6

October 12, 2004

print this article

SEARCH DEV SHED

TOOLS YOU CAN USE

From a Web services point of view, Locate and Validate will be the most common form of XKMS service requested. Depending on the nature of the Web service provided and the security policy in place, X-KRSS messages such as Register, Recover, Revoke, and Reissue may be processed only under a much more stringent environment.

In the registration phase, as shown in Figure 9.8, an XML application key pair holder registers its public key with a trusted infrastructure via a registration server. The public key is sent to the registration server using a digitally signed request specified by KRSS using the <Register> tag. The registration server responds with an XML formatted confirmation response using the <RegisterResponse> tag, which indicates status of the registration (accepted, rejected, or pending) and a confirmation of name and attribute information registered with the public key. Except in the case of rejection, a key pair identifier is returned in the <RegisterResponse> tag for subsequent referencing purposes. The registration is typically preceded by generation of the key pair in the key pair holder system.

Trust, Access Control, and Rights for Web Services

Figure 9.8 X-KRSS key registration.

A sample X-KRSS <Request> is shown in Listing 9.9.

Listing 9.9 X-KRSS Request to XKMS Registration Service for Key Registration

<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:xsi="http://www.w3.org/1999/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/1999/XMLSchema"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<soap:Body>
   <Register xmlns="http://www.xkms.org/schema/xkms-2001-01-20">
    <Prototype>
     <Status>Valid</Status>
     <KeyID>mailto:Alice@cryptographer.test</KeyID>
      <ds:KeyInfo>
       <ds:KeyName>mailto:Alice@cryptographer.test</ds:KeyName>
      </ds:KeyInfo>
     <ValidityInterval>
      <NotBefore>2000-09-20T12:00:00</NotBefore>
      <NotAfter>2001-09-20T12:00:00</NotAfter>
     </ValidityInterval>
     <PassPhrase>qfarJIsfcVKLo</PassPhrase>
    </Prototype>
    <AuthInfo>
     <AuthUserInfo>
      <ProofOfPossession>
       <Signature>2PUN8HQlnhf9YI</Signature>
      </ProofOfPossession>
      <AuthKeyBinding>
       <Signature>EfdxSXAidruAszN</Signature>
      </AuthKeyBinding>
     </AuthUserInfo>
    </AuthInfo>
    <Respond>
     <string>KeyName</string>
     <string>KeyValue</string>
    </Respond>
   </Register>
</soap:Body>
</soap:Envelope>

The X-KRSS <RegisterResult> response to this request is shown in Listing 9.10.

Listing 9.10 X-KRSS Response from the XKMS Registration Service

<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:xsi="http://www.w3.org/1999/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/1999/XMLSchema"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<soap:Body>
   <RegisterResult xmlns="http://www.xkms.org/schema/xkms-2001-01-20">
    <Result>Success</Result>
    <Answer soapenc:arrayType="KeyBinding[1]">
     <KeyBinding>
      <Status>Valid</Status>
      <KeyID>mailto:Alice@cryptographer.test</KeyID>
       <ds:KeyInfo>
        <ds:KeyValue>
         <ds:RSAKeyValue>
<ds:Modulus>998/T2PUN8HQlnhf9YIKdMHHGM7HkJwA56UD0a1oYq7EfdxSXAidruAszNqBoOqfarJ
IsfcVKLob1hGnQ/l6xw==</ds:Modulus>
          <ds:Exponent>AQAB</ds:Exponent>
         </ds:RSAKeyValue>
        </ds:KeyValue>
        <ds:KeyName>mailto:Alice@cryptographer.test</ds:KeyName>
       </ds:KeyInfo>

Revocation is handled via a similar protocol. The use of desktop (that is, file system) private key storage—as well as more broad XML client encryption applications—mandates some form of key recovery provision. Key recovery provides a way to recover a lost private key so that corporate-owned data encrypted with the lost private key is not lost forever. For historical reasons, key recovery is not supported by standardized protocols. In X-KRSS, such support is built in.

This chapter is from Securing Web Services Security with WS-Security, by Jothy Rosenberg and David Remy (Sams, 2004, ISBN: 0672326515). Check it out at your favorite bookstore today.