
Exchange Network Key Management Services

A Security Component

February 28, 2005

The Exchange Network Node Mentoring Workshop

2

Topics

• Security Requirements

• Public Key Infrastructure (PKI) Challenge

• What is XML Key Management Services (XKMS)

• XKMS Basic Services (Advantages, PKI Essentials)

• XML Signature using XKMS

• XML Encryption using XKMS

• Authentication using XKMS

• Interaction with XKMS

• Conclusion

3

Security Requirements

• Secure Authentication Requirement: Password-based authentication is weak, costly, and difficult to manage

• Message Security: Message-level confidentiality and non-repudiation needed

• Payload Security: Confidential business information (CBI) may require submissions to be signed and encrypted

4

Public Key Infrastructure (PKI) Challenge

• Very complicated technology with some proprietary implementations

• Non-standard interface, difficult to use, deploy, and maintain

• Very high cost of acquisition, support, and operation

• Very low interoperability (no standard PKI interfaces)

• Certificate validation is very challenging

5

What is XKMS

• A World Wide Web Consortium (W3C) standard; XKMS 2.0 has been finalized

• A central key depository with a Web service interface to PKI

• Vendor-neutral PKI solution for public key and certificate management

• A very simple access model

• Foundation for secure Web services (XML signature, XML encryption, XKMS)

• XKMS will be the PKI solution for the Exchange Network and the key element of a strong security model.

6

What is XKMS (Cont’d)

• XKMS Advantages

– A Web service interface to PKI technologies, accessible to any application on the Internet

– Vendor-neutral PKI solution for public key and certificate management

– Dramatically reduces the cost of PKI: keys can be generated and registered at any time on any machine

– Online real-time key/certificate validation using a simple Web method

7

What is XKMS (Cont’d)

• PKI Essentials

– A key pair is generated, consisting of two pieces: a Public Key and a Private Key

– The Private Key never leaves your machine; the Public Key can be shared with anyone

– Data encrypted using one key can only be decrypted using the other

– Encryption: Encrypt data using the receiver’s Public Key

– Signature: Encrypt data using your Private Key

8

XKMS Basic Services

• XML Key Information Services (XKISS) – Locate and validate Public Keys

• XML Key Registration Services (XKRSS) – Register, revoke, recover, and reissue public keys or X.509 certificates

• Secure key exchange with XML encryption and signature

• All operations are defined as Web service methods

9

XML Signature using XKMS

• A document is signed using the Private Key, and the signature carries key information (KeyName, KeyValue) identifying the signing key

• The receiver locates and validates the Public Key used for the signature from an XKMS server

• The receiver verifies the signature using the valid key

10

XML Encryption Using XKMS

• The sender locates the receiver’s Public Key from an XKMS server

• The sender encrypts a document using the receiver’s Public Key

• The receiver decrypts the document using the Private Key
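The three steps above, worked through in code. This is an added example, not code from the workshop deck or from the Exchange Network; it uses only the Go standard library. The in-memory `KeyRegistry` and its `Locate` method stand in for the XKMS server (an assumption, not an XKMS client), and the key names, the OAEP label and the sample document are constructed for the example. The envelope follows the XML Encryption layout of a one-time content key wrapped for the receiver, using AES-GCM for the document and RSA-OAEP for the key wrap; those algorithm choices are the example's, not a statement of what the network deployed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// KeyRegistry stands in for the XKMS key depository: KeyName -> registered
// public key. Constructed for this example; not a real XKMS client.
type KeyRegistry map[string]*rsa.PublicKey

// Locate models an XKISS Locate request: return the public key bound to a name.
func (r KeyRegistry) Locate(keyName string) (*rsa.PublicKey, error) {
	pub, ok := r[keyName]
	if !ok {
		return nil, fmt.Errorf("xkms locate: no key registered under %q", keyName)
	}
	return pub, nil
}

// Envelope follows the XML Encryption layout: the document is encrypted under a
// one-time content key (EncryptedData) and that key is wrapped with the
// receiver's public key (EncryptedKey).
type Envelope struct {
	KeyName    string // whose public key wrapped the content key
	WrappedKey []byte // RSA-OAEP(content key)
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte // AES-GCM(document) with authentication tag appended
}

const keyLabel = "xkms-example-content-key" // OAEP label, constructed for this example

// Encrypt: the sender locates the receiver's Public Key and encrypts for it.
func Encrypt(reg KeyRegistry, receiver string, document []byte) (*Envelope, error) {
	pub, err := reg.Locate(receiver)
	if err != nil {
		return nil, err
	}
	contentKey := make([]byte, 32) // fresh AES-256 key per document
	if _, err := rand.Read(contentKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(contentKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// The receiver's KeyName is bound in as associated data, so an envelope
	// re-addressed to another key fails authentication on decryption.
	ciphertext := gcm.Seal(nil, nonce, document, []byte(receiver))
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, contentKey, []byte(keyLabel))
	if err != nil {
		return nil, err
	}
	return &Envelope{KeyName: receiver, WrappedKey: wrapped, Nonce: nonce, Ciphertext: ciphertext}, nil
}

// Decrypt: the receiver unwraps the content key with the Private Key, which
// never left its machine, then decrypts and authenticates the document.
func Decrypt(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	contentKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, []byte(keyLabel))
	if err != nil {
		return nil, fmt.Errorf("unwrap content key: %w", err)
	}
	block, err := aes.NewCipher(contentKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	plaintext, err := gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(env.KeyName))
	if err != nil {
		return nil, fmt.Errorf("document failed authentication: %w", err)
	}
	return plaintext, nil
}

func main() {
	receiverKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	reg := KeyRegistry{"node:receiver": &receiverKey.PublicKey} // constructed registration
	env, err := Encrypt(reg, "node:receiver", []byte("<Submission>confidential business information</Submission>"))
	if err != nil {
		panic(err)
	}
	doc, err := Decrypt(receiverKey, env)
	fmt.Printf("decrypted: %s (err=%v)\n", doc, err)
}
```

The content key is generated per document and only the receiver's private key can unwrap it; a modified ciphertext or an envelope whose `KeyName` was changed fails the GCM authentication check rather than yielding garbage plaintext.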

11

Authentication using XKMS

• A user registers a Public Key in XKMS

• The user creates an Authenticate message and signs the message using the Private Key

• Network Authentication and Authorization Server (NAAS) locates and validates the user’s Public Key from XKMS

• NAAS verifies the signature. The user is authenticated if the signature is valid, which proves they hold the Private Key
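The sign-then-validate flow of slide 9 (XML Signature using XKMS) and the authentication flow of this slide are the same procedure seen from two verifiers, so one added example covers both; it is not code from the deck, from NAAS or from the Exchange Network, and uses only the Go standard library. The `XKMSServer` type is an in-memory model of the key depository with Register, Revoke and Validate operations; the `Valid`, `Invalid` and `Indeterminate` status names follow the key-binding statuses of XKMS 2.0 but the server is an assumption, not an implementation of the protocol. RSA-PSS over SHA-256, the key names and the sample Authenticate message are the example's own choices. The point it adds to the slides is the order of checks: the verifier asks XKMS whether the key binding is still Valid before it trusts any signature, so a revoked or unknown key is rejected even when the mathematics of the signature checks out.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Status mirrors the key-binding status an XKMS Validate response reports.
type Status string

const (
	Valid         Status = "Valid"
	Invalid       Status = "Invalid"
	Indeterminate Status = "Indeterminate"
)

// keyBinding is one registry entry: the public key registered under a KeyName
// and whether that binding has since been revoked.
type keyBinding struct {
	public  *rsa.PublicKey
	revoked bool
}

// XKMSServer stands in for the network's key depository; it is constructed
// for this example and is not an XKMS 2.0 implementation.
type XKMSServer struct{ bindings map[string]*keyBinding }

func NewXKMSServer() *XKMSServer {
	return &XKMSServer{bindings: map[string]*keyBinding{}}
}

// Register models XKRSS Register: bind a public key to a KeyName.
func (s *XKMSServer) Register(keyName string, pub *rsa.PublicKey) {
	s.bindings[keyName] = &keyBinding{public: pub}
}

// Revoke models XKRSS Revoke: the key stays on file but is no longer trusted.
func (s *XKMSServer) Revoke(keyName string) {
	if b, ok := s.bindings[keyName]; ok {
		b.revoked = true
	}
}

// Validate models XKISS Validate: return the bound key together with a status.
// Only a Valid binding may be used to verify a signature.
func (s *XKMSServer) Validate(keyName string) (*rsa.PublicKey, Status) {
	b, ok := s.bindings[keyName]
	switch {
	case !ok:
		return nil, Indeterminate // unknown name: the server cannot vouch either way
	case b.revoked:
		return nil, Invalid
	default:
		return b.public, Valid
	}
}

// SignedMessage is the signed document or Authenticate message together with
// the key information (here just KeyName) the verifier uses for the lookup.
type SignedMessage struct {
	KeyName   string
	Payload   []byte
	Signature []byte
}

// Sign: hash the payload and sign the digest with the Private Key (RSA-PSS).
func Sign(keyName string, priv *rsa.PrivateKey, payload []byte) (*SignedMessage, error) {
	digest := sha256.Sum256(payload)
	sig, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	return &SignedMessage{KeyName: keyName, Payload: payload, Signature: sig}, nil
}

// Verify is what the receiver, or NAAS for an Authenticate message, does:
// validate the key binding with the XKMS server first, then check the signature.
func Verify(srv *XKMSServer, msg *SignedMessage) error {
	pub, status := srv.Validate(msg.KeyName)
	if status != Valid {
		return fmt.Errorf("xkms: binding for %q is %s; signature not trusted", msg.KeyName, status)
	}
	digest := sha256.Sum256(msg.Payload)
	if err := rsa.VerifyPSS(pub, crypto.SHA256, digest[:], msg.Signature, nil); err != nil {
		return fmt.Errorf("signature check failed for %q: %w", msg.KeyName, err)
	}
	return nil
}

func main() {
	srv := NewXKMSServer()
	userKey, _ := rsa.GenerateKey(rand.Reader, 2048) // the Private Key stays on the user's machine
	srv.Register("user:alice", &userKey.PublicKey)   // constructed registration
	msg, _ := Sign("user:alice", userKey, []byte("<Authenticate user=\"alice\" issued=\"2005-02-28\"/>"))
	fmt.Println("before revoke:", Verify(srv, msg))
	srv.Revoke("user:alice")
	fmt.Println("after revoke:", Verify(srv, msg))
}
```

A signature made with some other private key under a registered KeyName fails at the `VerifyPSS` step, while a message naming a key the server has never seen is refused before any signature arithmetic runs, because an Indeterminate binding is not a Valid one.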

12

Interaction with XKMS

13

Conclusion

• XKMS is the foundation for secure exchanges in the network: the basic component for XML encryption and signature

• XKMS provides a simple standard interface to PKI

• Network XKMS services will be available to all network nodes and node clients

• XKMS will be integrated into NAAS for key-based authentication

• XKMS is the PKI solution without the PKI complexity and cost
