XML Key Management Services Tutorial - PowerPoint PPT Presentation
Title:
XML Key Management Services Tutorial
Description:
Make PKI-based security easier to use. Address multi-vendor, cross-plat issues ... Set the service URL. Understand supported KeyInfo elements ... – PowerPoint PPT presentation
Number of Views:64
Avg rating:3.0/5.0
Title: XML Key Management Services Tutorial
1
XML Key Management Services - Tutorial
- 9 December 01
Blair Dillaway Software Architect Microsoft Corp.
2
Outline
- Historical Perspective
- XKMS Overview
- Trust Models
- Using XKMS
- Whats Next
3
Historical Perspective
- PKI complexity has limited its use
- Enrollment multiple approaches
- No std discovery approach CAs, Certs, Keys
- Cert standardization interpretation
- Trust management
- Chain-building logic
- OID interpretation
- Cross certification cert hierarchies
- Client handling of complex ASN.1 and PKCS data
structures - Effective Revocation/Validation
- Affects every client
- Interoperability issues
4
XKMS Overview
- Define XML compatible key mgmt
- Make PKI-based security easier to use
- Address multi-vendor, cross-plat issues
- Support multiple Trust/PKI infrastructures
- Allow clients to offload complex, and difficult,
trust assessment - Integrate key validity checks
- Keep the interfaces simple
- Keep interactions simple
5
XKMS Approach
XKMS Service
Internet
Client App
PKI
Std. Protocols HTTP SOAP
Std. Discovery UDDI WSDL
Web Service App
6
Trust Models (1 of 2)
- XKMS is trust model agnostic
- PKIX, PGP, Key-based, Proprietary
- Services define supported model
- Similar to CA publishing a CPS
- Contract between the Service and Applications
- XKMS doesnt tell one how to do this or what the
business relationship should be
7
Trust (2 of 2)
- But, theres still a bootstrapping problem
- Apps need to pick the right trust infrastructure
- Need trust in an XKMS service(s)
- XKMS doesnt define how to handle this
- Will likely mirror what already happens
- Keys for high-volume, low-value, Services widely
distributed - Keys for Enterprise Services distributed via
internal trust - Keys for vertical market, high-value, apps using
high assurance mechanism
8
Using XKMS (1 of 2)
- Getting started
- Pick the right service, get its usage profile
info, etc. - Tailor the XKMS client for the service
- Cache the service identifying info
- Set the service URL
- Understand supported KeyInfo elements
- Structural requirements on data (i.e., KeyID or
KeyName formatting)
9
Using XKMS (2 of 2)
- Operations
- Register your public key
- Locate other public keys (optional)
- Ex find key so you can send encrypted data to
others - Check validity/trustworthiness of public keys
- Authentication, Signed documents,
- Possibly before sending encrypted data
- Manage your keys
- Revoke
- Update associated attributes
- Recover/roam your private key
10
Next Steps
- Refinement of XKMS 1.1
- Interface refinement
- Xml Signature context issues
- Bulk operations
- Message level authentication, integrity,
confidentiality - Update for conformance with latest XML stds
- Move forward as a W3C recommendation
11
XKMS Message Samples
12
Registration Request
- ltsoapEnvelope gt
- ltsoapBodygt
- ltRegister xmlns"http//www.xkms.org/schema/xk
ms-2001-01-20"gt - ltPrototype Id"KB01"gt
- ltStatusgtValidlt/Statusgt
- ltKeyIDgtabc123lt/KeyIDgt
- ltKeyInfo xmlns"http//www.w3.org/2000/09/
xmldsig"gt - ltKeyNamegtmykeylt/KeyNamegt
- ltKeyValuegt
- ltRSAKeyValuegt
ltModulusgt8nSoscDtBoSA5jiqrMn3yg0TRvRdfFFzrutP7zHAT
X4lD8cgPnslt/Modulusgt - ltExponentgtAQABlt/Exponentgt
- lt/RSAKeyValuegt
- lt/KeyValuegt
- ltRetrievalMethod URI"http//someURI"
Type"http//someType" /gt - ltPassPhrasegt85XRXbVMov0efQi1NvS41Q1YsZglt/P
assPhrasegt - ltValidityIntervalgt
- ltNotBeforegt2000-09-20T120000.0000000-0
700lt/NotBeforegt - ltNotAftergt2001-09-20T120000.0000000-07
00lt/NotAftergt - lt/ValidityIntervalgt
- ltReference URI"KB01"gt
- ltDigestMethod
Algorithm"http//www.w3.org/2000/09/xmldsigsha1"
/gt - ltDigestValuegtmX8qoz9eKo01d4GcfL
iyBeFg5Qlt/DigestValuegt - lt/Referencegt
- lt/SignedInfogt
- ltSignatureValuegtKKRHMd5eL7wwBG1Xs7Alt/SignatureVal
uegt - lt/Signaturegt
- lt/ProofOfPossessiongt
- ltKeyBindingAuthgt
- ltSignature xmlns"http//www.w3.org/20
00/09/xmldsig"gt - ltSignedInfogt
- ltCanonicalizationMethod
Algorithm"http//www.w3.org/TR/2001/REC-xml-c14n-
20010315" /gt - ltSignatureMethod
Algorithm"http//www.w3.org/2000/09/xmldsighmac-
sha1" /gt - ltReference URI"KB01"gt
- ltDigestMethod
Algorithm"http//www.w3.org/2000/09/xmldsigsha1"
/gt - ltDigestValuegtmX8qoz9e1d4GcfLiyB
eFg5Qlt/DigestValuegt - lt/Referencegt
- lt/SignedInfogt
- ltSignatureValuegt9uT2hVmuZ4sBLk414lt/
SignatureValuegt
13
Register Result
- ltsoapEnvelope gt
- ltsoapBodygt
- ltRegisterResult xmlns"http//www.xkms.org/sch
ema/xkms-2001-01-20"gt - ltResultgtSuccesslt/Resultgt
- ltAnswergt
- ltKeyBinding Id"KB01"gt
- ltStatusgtValidlt/Statusgt
- ltKeyIDgtabc123lt/KeyIDgt
- ltKeyInfo xmlns"http//www.w3.org/2000/0
9/xmldsig"gt - ltKeyNamegtmykeylt/KeyNamegt
- ltX509Datagt
- ltX509SubjectNamegtCNMyName,
OMicrosoftlt/X509SubjectNamegt - ltX509IssuerSerialgt
- ltX509IssuerNamegtCNTheCAlt/X509Issu
erNamegt - ltX509SerialNumbergt123456lt/X509Seri
alNumbergt - lt/X509IssuerSerialgt
- ltX509CertificategtThn3s9ozskDXj1ibjrh
xz092LG4ivz3ARpNTmARKYlt/X509Certificategt - lt/X509Datagt
- ltValidityIntervalgt
14
Locate Request
- ltsoapEnvelopegt
- ltsoapBodygt
- ltLocate xmlns"http//www.xkms.org/schema/xkms
-2001-01-20"gt - ltQuerygt
- ltKeyInfo xmlns"http//www.w3.org/2000/09/
xmldsig"gt - ltKeyNamegtmykeylt/KeyNamegt
- lt/KeyInfogt
- lt/Querygt
- ltRespondgt
- ltstringgtKeyNamelt/stringgt
- ltstringgtX509Certlt/stringgt
- lt/Respondgt
- lt/Locategt
- lt/soapBodygt
- lt/soapEnvelopegt
15
Locate Response
- ltsoapEnvelopegt
- ltsoapBodygt
- ltLocateResult xmlns"http//www.xkms.org/schem
a/xkms-2001-01-20"gt - ltResultgtSuccesslt/Resultgt
- ltAnswergt
- ltKeyInfo xmlns"http//www.w3.org/2000/09/
xmldsig"gt - ltKeyNamegtmykeylt/KeyNamegt
- ltMgmtDatagtMy Management Datalt/MgmtDatagt
- ltSPKIDatagtMy-SPKI-Certlt/SPKIDatagt
- ltKeyValuegt
- ltRSAKeyValuegt
- ltModulusgtmpk9qt0uwUb8KyMNiHEK6Y1efkB
VBC3FElt/Modulusgt - ltExponentgtAQABlt/Exponentgt
- lt/RSAKeyValuegt
- lt/KeyValuegt
- ltX509Datagt
- ltX509SubjectNamegtCNMyName,
OMicrosoftlt/X509SubjectNamegt - ltX509IssuerSerialgt
- ltX509IssuerNamegtCNTheCAlt/X509Issuer
Namegt
16
Validate Request
- ltsoapEnvelope gt
- ltsoapBodygt
- ltValidate xmlns"http//www.xkms.org/schema/xk
ms-2001-01-20"gt - ltQuerygt
- ltStatusgtValidlt/Statusgt
- ltKeyIDgtabc123lt/KeyIDgt
- ltKeyUsageTypegtSignaturelt/KeyUsageTypegt
- ltKeyUsageTypegtEncryptionlt/KeyUsageTypegt
- lt/Querygt
- ltRespondgt
- ltstringgtKeyNamelt/stringgt
- ltstringgtX509Certlt/stringgt
- lt/Respondgt
- lt/Validategt
- lt/soapBodygt
- lt/soapEnvelopegt
17
Validate Response
- ltsoapEnvelope gt
- ltsoapBodygt
- ltValidateResult xmlns"http//www.xkms.org/sch
ema/xkms-2001-01-20"gt - ltResultgtSuccesslt/Resultgt
- ltAnswergt
- ltKeyBindinggt
- ltStatusgtValidlt/Statusgt
- ltKeyIDgtabc123lt/KeyIDgt
- ltKeyInfo xmlns"http//www.w3.org/2000/0
9/xmldsig"gt - ltKeyNamegtmykeylt/KeyNamegt
- ltMgmtDatagtMy Management
Datalt/MgmtDatagt - ltX509Datagt
- ltX509SubjectNamegtCNMyName,
OMicrosoftlt/X509SubjectNamegt - ltX509IssuerSerialgt
- ltX509IssuerNamegtCNTheCAlt/X509Issu
erNamegt - ltX509SerialNumbergt123456lt/X509Seri
alNumbergt - lt/X509IssuerSerialgt
- ltX509CertificategtUbCDPEkqMtlSNBxmfQt
8i6tZWpqFntJilP50iRKwBLwlt/X509Certificategt - lt/X509Datagt
Recommended
CrystalGraphics Presentations
