Copyright © 2005, ContentGuard, Inc.
Use of REL Tokens for Higher-order Operations
DIMACS Workshop on Security of Web Services and E-Commerce
2005-May-05
Thomas DeMartini
Outline
• Background
– REL
– Web Services
• WS-Security REL Token Profile
– Authentication/Integrity
– Confidentiality
• Higher-order Operations
– Authorization
– Trust-managed Authorization
– Delegated Authorization
– Federated Authorization
REL
• ISO/IEC 21000-5 specifies a Rights Expression Language (REL) for coding Rights Expressions (Licenses)
• At the high level, a License consists of 5 main building blocks:
– Principal
– Right
– Resource
– Condition
– Issuer
• Makes the high-level statement: Issuer says Principal can do Right to Resource under Condition
REL license (structure, with the example instance alongside)
license
  grant
    principal      Alice
    right          play
    resource       tree.jpg
    condition      month of April
  issuer
    Signature      Bob (+signature)
    details        time of issue
Issuer says Principal can do Right to Resource under Condition
Bob says Alice can play tree.jpg in the month of April
<r:license ...>
  <r:grant>
    <r:keyHolder licensePartId="Alice">...</r:keyHolder>
    <mx:play/>
    <r:digitalResource>
      <r:nonSecureIndirect URI="tree.jpg"/>
    </r:digitalResource>
    <r:validityInterval>
      <r:notBefore>2004-04-01T00:00:00Z</r:notBefore>
      <r:notAfter>2004-05-01T00:00:00Z</r:notAfter>
    </r:validityInterval>
  </r:grant>
  <r:issuer>
    <dsig:Signature>
      <dsig:SignedInfo>...</dsig:SignedInfo>
      <dsig:SignatureValue>ycD...</dsig:SignatureValue>
      <dsig:KeyInfo>... <!-- Bob --> ...</dsig:KeyInfo>
    </dsig:Signature>
    <r:details>
      <r:timeOfIssue>2004-04-09T21:59:55Z</r:timeOfIssue>
    </r:details>
  </r:issuer>
</r:license>
<r:license ...>
  <r:grant>
    <r:keyHolder licensePartId="Alice">...</r:keyHolder>
    <r:possessProperty/>
    <sx:propertyUri definition="urn:uni:student"/>
    <r:validityInterval>
      <r:notBefore>2004-04-01T00:00:00Z</r:notBefore>
      <r:notAfter>2004-05-01T00:00:00Z</r:notAfter>
    </r:validityInterval>
  </r:grant>
  <r:issuer>
    <dsig:Signature>
      <dsig:SignedInfo>...</dsig:SignedInfo>
      <dsig:SignatureValue>ycD...</dsig:SignatureValue>
      <dsig:KeyInfo>... <!-- Bob --> ...</dsig:KeyInfo>
    </dsig:Signature>
    <r:details>
      <r:timeOfIssue>2004-04-09T21:59:55Z</r:timeOfIssue>
    </r:details>
  </r:issuer>
</r:license>
REL license (property example: the right is possessProperty, the property is the resource)
license
  grant
    principal      Alice
    right          possessProperty
    resource       Student (urn:uni:student)
    condition      month of April
  issuer
    Signature      Bob (+signature)
    details        time of issue
Bob says Alice is a student in the month of April
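An added example (not from the slides or any ISO/IEC 21000-5 implementation): a minimal evaluator that pulls the five building blocks out of a license grant like the two above and decides whether a request matches. The namespace URIs and the sample licenses are constructed here; the issuer signature is assumed to have been verified already.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

# Assumed namespace URIs for the r:, mx: and sx: prefixes used on the slide.
NS = {"r": "urn:mpeg:mpeg21:2003:01-REL-R-NS",
      "mx": "urn:mpeg:mpeg21:2003:01-REL-MX-NS",
      "sx": "urn:mpeg:mpeg21:2003:01-REL-SX-NS"}

def license_xml(grant_body):
    """Constructed sample license for Alice, valid during April 2004 (signature omitted)."""
    return (f'<r:license xmlns:r="{NS["r"]}" xmlns:mx="{NS["mx"]}" xmlns:sx="{NS["sx"]}">'
            '<r:grant><r:keyHolder licensePartId="Alice"/>' + grant_body +
            '<r:validityInterval><r:notBefore>2004-04-01T00:00:00Z</r:notBefore>'
            '<r:notAfter>2004-05-01T00:00:00Z</r:notAfter></r:validityInterval>'
            '</r:grant></r:license>')

PLAY_LICENSE = license_xml('<mx:play/><r:digitalResource>'
                           '<r:nonSecureIndirect URI="tree.jpg"/></r:digitalResource>')
STUDENT_LICENSE = license_xml('<r:possessProperty/>'
                              '<sx:propertyUri definition="urn:uni:student"/>')

def _local(tag):            # "{uri}play" -> "play"
    return tag.rsplit("}", 1)[-1]

def _when(text):            # "2004-04-01T00:00:00Z" -> timezone-aware datetime
    return datetime.fromisoformat(text.replace("Z", "+00:00"))

def parse_grant(xml):
    """Extract the grant's building blocks: principal, right, resource, condition."""
    g = {"principal": None, "right": None, "resource": None, "not_before": None, "not_after": None}
    for el in ET.fromstring(xml).find("r:grant", NS):
        name = _local(el.tag)
        if name == "keyHolder":
            g["principal"] = el.get("licensePartId")
        elif name == "digitalResource":
            g["resource"] = el.find("r:nonSecureIndirect", NS).get("URI")
        elif name == "propertyUri":   # the property is possessProperty's resource
            g["resource"] = el.get("definition")
        elif name == "validityInterval":
            g["not_before"] = _when(el.findtext("r:notBefore", namespaces=NS))
            g["not_after"] = _when(el.findtext("r:notAfter", namespaces=NS))
        else:                         # whatever remains is the right: play, possessProperty
            g["right"] = name
    return g

def authorize(grant, principal, right, resource, at):
    """Issuer says Principal can do Right to Resource under Condition, evaluated at time <at>.
    Assumes the issuer's dsig:Signature was verified beforehand; notAfter is treated as exclusive."""
    return (grant["principal"], grant["right"], grant["resource"]) == (principal, right, resource) \
        and grant["not_before"] <= at < grant["not_after"]
```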
Web Services
Thirsty Programmer Alice -> Soda++ Service: SOAP Message (SOAP Envelope)
  SOAP Headers
  SOAP Body: Please send one case of Soda++
Soda++ Service -> Alice: On its way!
WS-Security REL Token Profile
• WS-Security: SOAP Message Security
– Defines Security header for SOAP Messages, carrying:
  • Security Tokens
  • Signatures
  • Encryption Information
• WS-Security: REL Token Profile
– Defines how to use a Rights Expression (License) as a Security Token.
– License Security Tokens are called REL Tokens for short.
Authentication/Integrity
Thirsty Programmer Alice -> Soda++ Service: SOAP Message (SOAP Envelope)
  SOAP Headers
    Security Header
      REL Token: root says key123 is Alice
      Signature: Reference, SigValue=ABC, SigKey
  SOAP Body: Please send one case of Soda++
Soda++ Service -> Alice: On its way!
Confidentiality
Thirsty Programmer Alice -> Soda++ Service: SOAP Message (SOAP Envelope)
  SOAP Headers
    Security Header
      REL Token: root says key456 is Soda++ Service
      EncryptedKey: Reference, CipherValue=HIJ, KEK
  SOAP Body: EncryptedData CipherValue=DEF (Please send one case of Soda++)
Soda++ Service -> Alice: On its way!
Building Higher-order Operations
• Got baseline WS-Security Features:
– Authentication
– Integrity
– Confidentiality
• Higher-order Operations:
– Authorization
– Trust-managed Authorization
– Delegated Authorization
– Federated Authorization
Authorization (built on Authentication/Integrity)
Thirsty Programmer Alice -> Soda++ Service: SOAP Message (SOAP Envelope)
  SOAP Headers
    Security Header
      REL Token: root says key123 is Alice
      REL Token: root says Alice can order Soda++
      Signature: Reference, SigValue=ABC, SigKey
  SOAP Body: Please send one case of Soda++
Soda++ Service -> Alice: On its way!
Taken together, the two REL Tokens establish: root says key123 can order Soda++
Trust-managed Authorization
• Consider the following use case:
– Student Alice takes an online class. As part of the class she gets a license authorizing her to view the online lecture videos until the end of the semester. She does not get to keep watching the lecture videos after the end of the semester or share them with friends. To ensure that she follows these rules, she is only permitted to watch the lecture videos on a secure box certified by her university.
– Alice arrives at a remote viewing terminal (secure box) and inserts her USB keychain containing her licenses. She watches the lecture video.
Trust-managed Authorization
Student Alice (Licenses on USB keychain) -> Remote Viewing Terminal (key 123):
  REL Token: onlineProf says onlineUni secureBoxes can retrieve Lecture Video
  REL Token: onlineProf says Alice can play Lecture Video until end of semester
Remote Viewing Terminal (key 123) -> Lecture Video Cache: SOAP Message (SOAP Envelope)
  SOAP Headers
    Security Header
      REL Token: onlineUni says key123 is secureBox
      REL Token: onlineProf says onlineUni secureBoxes can retrieve Lecture Video
      Signature: Reference, SigValue=ABC, SigKey
  SOAP Body: Please send Lecture Video
Lecture Video Cache -> Remote Viewing Terminal (key 123): SOAP Message (SOAP Envelope)
  SOAP Headers
    Security Header
      REL Token: onlineUni says key123 is secureBox
      EncryptedKey: Reference, CipherValue=HIJ, KEK
  SOAP Body: EncryptedData (Lecture Video)
Remote Viewing Terminal plays the Lecture Video for Alice under:
  REL Token: onlineProf says Alice can play Lecture Video until end of semester
Delegated Authorization
• Consider the following use case:
– Alice signs up for MyQuotes and obtains a license authorizing her to get real-time NYSE stock quotes. She can also delegate this right to others that have executed the NYSE exchange agreement as certified by Notary1.
– Alice likes to see graphs rather than numbers. She has a summarizer service which provides her such graphs. So that she can get real-time graphs, she delegates to the summarizer service the right to get real-time NYSE stock quotes.
– The summarizer service then retrieves the stock quotes, creates the summary, and sends it to Alice.
Delegated Authorization
Investor Alice (Licenses) -> Summarizer Service (key 123):
  REL Token: Alice says key123 can get quotes
  REL Token: MyQuotes says Alice can get quotes and delegate to those that exec exch agr per Notary1
Summarizer Service (key 123) -> Quote Service: SOAP Message (SOAP Envelope)
  SOAP Headers
    Security Header
      REL Token: Notary1 says key123 exec exch agr
      REL Token: Alice says key123 can get quotes
      REL Token: MyQuotes says Alice can get quotes and delegate to those that exec exch agr per Notary1
      Signature: Reference, SigValue=ABC, SigKey
  SOAP Body: GetQuote
Quote Service -> Summarizer Service (key 123): Quote
Federated Authorization
• Consider the following use case:
– Alice signs up for MyQuotes and obtains a license authorizing her to get real-time NYSE stock quotes. She can also delegate this right to others that have executed the NYSE exchange agreement as certified by Notary1.
– Alice likes to see graphs rather than numbers. She has a summarizer service which provides her such graphs. So that she can get real-time graphs, she delegates to the summarizer service the right to get real-time NYSE stock quotes.
– The summarizer service has executed the NYSE exchange agreement but was certified by Notary2.
– Notary1 recognizes the certifications of Notary2.
– The summarizer service then retrieves the stock quotes, creates the summary, and sends it to Alice.
Federated Authorization
Investor Alice (Licenses) -> Summarizer Service (key 123):
  REL Token: Alice says key123 can get quotes
  REL Token: MyQuotes says Alice can get quotes and delegate to those that exec exch agr per Notary1
Summarizer Service (key 123) -> Quote Service: SOAP Message (SOAP Envelope)
  SOAP Headers
    Security Header
      REL Token: Notary2 says key123 exec exch agr
      REL Token: Notary1 says Notary2 certs recognized
      REL Token: Alice says key123 can get quotes
      REL Token: MyQuotes says Alice can get quotes and delegate to those that exec exch agr per Notary1
      Signature: Reference, SigValue=ABC, SigKey
  SOAP Body: GetQuote
Quote Service -> Summarizer Service (key 123): Quote
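An added example (not from the slides): a small evaluator for the token chains in the Authorization, Trust-managed, Delegated and Federated scenarios above. Tokens are plain tuples constructed from the slide text, and every token is assumed to have been signature-checked already per the REL Token Profile; the recursion and loop guard go slightly beyond the single delegation step the slides show.

```python
# Token shapes (constructed from the slide statements):
#   (issuer, "has", principal, property)          "onlineUni says key123 is secureBox"
#   (issuer, "can", subject, right, delegation)   "MyQuotes says Alice can get quotes and
#        delegate to those that exec exch agr per Notary1"; delegation is (property, notary)
#        or None; subject is a name or a (property, notary) group like "onlineUni secureBoxes"
#   (issuer, "recognizes", notary)                "Notary1 says Notary2 certs recognized"
# roots = the issuers the verifying service trusts outright (e.g. {"MyQuotes"}).

def certified(tokens, principal, prop, notary):
    """True when notary, or a notary it recognizes, says principal has prop."""
    accepted = {notary} | {t[2] for t in tokens if t[:2] == (notary, "recognizes")}
    return any(t == (n, "has", principal, prop) for t in tokens for n in accepted)

def matches(tokens, roots, subject, principal):
    """Grant subject is a name (root may bind a key to it) or a (property, notary) group."""
    if isinstance(subject, tuple):
        return certified(tokens, principal, *subject)
    return subject == principal or any(certified(tokens, principal, subject, r) for r in roots)

def holds(tokens, roots, principal, right, delegate_to=None, seen=frozenset()):
    """Does principal hold right via a chain ending at a trusted root? With delegate_to set,
    the grant must also permit delegation to that recipient (property certified by notary)."""
    for t in tokens:
        if t[1] != "can" or t[3] != right or not matches(tokens, roots, t[2], principal):
            continue
        issuer, deleg = t[0], t[4]
        if delegate_to is not None and not (deleg and certified(tokens, delegate_to, *deleg)):
            continue                      # grant does not allow delegation to this recipient
        if issuer in roots:
            return True
        if issuer not in seen and holds(tokens, roots, issuer, right, principal, seen | {issuer}):
            return True                   # issuer was itself granted the right with delegation
    return False                          # seen-set stops mutual "Alice says Bob / Bob says Alice" loops

# The four scenarios as constructed token sets
AUTHZ = [("root", "has", "key123", "Alice"), ("root", "can", "Alice", "order Soda++", None)]
TRUST = [("onlineUni", "has", "key123", "secureBox"),
         ("onlineProf", "can", ("secureBox", "onlineUni"), "retrieve Lecture Video", None)]
DELEG = [("MyQuotes", "can", "Alice", "get quotes", ("exec exch agr", "Notary1")),
         ("Alice", "can", "key123", "get quotes", None),
         ("Notary1", "has", "key123", "exec exch agr")]
FEDER = DELEG[:2] + [("Notary2", "has", "key123", "exec exch agr"),
                     ("Notary1", "recognizes", "Notary2")]
```

Dropping the Notary1 certification from DELEG, or the recognition token from FEDER, makes the same request fail, which is the check each service performs before answering.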
Discussion
• Background
– REL
– Web Services
• WS-Security REL Token Profile
– Authentication/Integrity
– Confidentiality
• Higher-order Operations
– Authorization
– Trust-managed Authorization
– Delegated Authorization
– Federated Authorization