Exchange Network Key Management Services

A Security Component

February 28, 2005

The Exchange Network Node Mentoring Workshop



• Security Requirements

• Public Key Infrastructure (PKI) Challenge

• What is XML Key Management Services (XKMS)

• XKMS Basic Services (Advantages, PKI Essentials)

• XML Signature using XKMS

• XML Encryption using XKMS

• Authentication using XKMS

• Interaction with XKMS

• Conclusion

Security Requirements

• Secure Authentication Requirement: Password-based authentication is weak, costly, and difficult to manage

• Message Security: Message-level confidentiality and non-repudiation needed

• Payload Security: Confidential business information (CBI) may require submissions to be signed and encrypted

Public Key Infrastructure (PKI) Challenge

• Very complicated technology with some proprietary implementations

• Non-standard interface, difficult to use, deploy, and maintain

• Very high cost of acquisition, support, and operation

• Very low interoperability (No PKI standard interfaces)

• Certificate validation is very challenging

What is XKMS

• XKMS 2.0 is a finalized World Wide Web Consortium (W3C) standard

• A central key repository with a Web service interface to PKI

• Vendor-neutral PKI solution for public key and certificate management

• A very simple access model

• Foundation for secure Web services (XML signature, XML encryption, XKMS)

• XKMS will be the PKI solution for the Exchange Network and the key element of a strong security model.

What is XKMS (Cont’d)

• XKMS Advantages

– A Web service interface to PKI technologies, accessible to any application on the Internet

– Vendor-neutral PKI solution for public key and certificate management

– Dramatically reduces the cost of PKI: keys can be generated and registered at any time on any machine

– Online real-time key/certificate validation using a simple Web method

What is XKMS (Cont’d)

• PKI Essentials

– A key pair is generated with two pieces – a Public Key and a Private Key

– The Private Key never leaves your machine; the Public Key is shared with anyone

– Data encrypted with one key can only be decrypted with the other

– Encryption: Encrypt data using the receiver’s Public Key

– Signature: Encrypt data using your Private Key
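The two operations on the slide above, shown as a working pair in textbook RSA. This is an added illustration, not code from the workshop or the Exchange Network: the primes are chosen for visibility only, there is no padding, and the signature covers a SHA-256 digest of the data rather than the data itself, which is how the "encrypt with your Private Key" description is realised in practice.

```python
import hashlib

# Textbook RSA constructed for illustration only: tiny modulus, no padding.
# It exists to show the slide's model (one key encrypts, the other decrypts).
P, Q = 999983, 1000003           # two known primes, small enough to follow
E = 65537                        # the customary public exponent

def generate_keypair():
    """Return (public_key, private_key) as (exponent, modulus) tuples."""
    n = P * Q
    phi = (P - 1) * (Q - 1)
    d = pow(E, -1, phi)          # private exponent: E * d == 1 (mod phi)
    return (E, n), (d, n)

def _apply(key, value):
    """Modular exponentiation with either half of the pair."""
    exp, n = key
    return pow(value, exp, n)

def encrypt(public_key, message_int):
    """Encryption: the sender uses the receiver's Public Key (message < n)."""
    if not 0 <= message_int < public_key[1]:
        raise ValueError("message out of range for this modulus")
    return _apply(public_key, message_int)

def decrypt(private_key, ciphertext_int):
    """Only the holder of the matching Private Key can undo encrypt()."""
    return _apply(private_key, ciphertext_int)

def _digest_int(data, n):
    """Sign a hash of the data, not the data itself, reduced into the modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(private_key, data):
    """Signature: 'encrypt' the digest with the Private Key that never leaves you."""
    return _apply(private_key, _digest_int(data, private_key[1]))

def verify(public_key, data, signature):
    """Anyone holding the Public Key can check it; any tampering breaks the match."""
    return _apply(public_key, signature) == _digest_int(data, public_key[1])
```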

XKMS Basic Services

• XML Key Information Services (XKISS) – Locate and validate Public Keys

• XML Key Registration Services (XKRSS) – Register, revoke, recover, and reissue public keys or X.509 certificates

• Secure key exchange with XML encryption and signature

• All operations are defined as Web service methods

XML Signature using XKMS

• A document is signed using the Private Key, with key information (KeyName, KeyValue) included in the signature

• The receiver locates / validates the Public Key used for the signature from an XKMS server

• The receiver verifies the signature using the valid key

XML Encryption Using XKMS

• The sender locates the receiver’s Public Key from an XKMS server

• The sender encrypts a document using the receiver’s Public Key

• The receiver decrypts the document using the Private Key

Authentication using XKMS

• A user registers a Public Key in XKMS

• The user creates an Authenticate message and signs the message using the Private Key

• Network Authentication and Authorization Server (NAAS) locates / validates the user’s Public Key from XKMS

• NAAS verifies the signature. The user is authenticated if the signature is valid, proving possession of the Private Key
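The "locate / validate the Public Key from an XKMS server" step shared by the signature, encryption and authentication flows above, as an added example that is not part of the workshop material or NAAS. It builds an XKMS 2.0 ValidateRequest for a KeyName and applies the trust decision a receiver such as NAAS needs on the ValidateResult; the service URL, ids and key values are constructed placeholders, and the result's own signature from the XKMS service is assumed to have been verified already.

```python
import xml.etree.ElementTree as ET

XKMS = "http://www.w3.org/2002/03/xkms#"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"xkms": XKMS, "ds": DS}

def build_validate_request(service_url, key_name, request_id):
    """XKMS 2.0 ValidateRequest: ask for the KeyValue bound to key_name and
    whether it is valid for signing (service_url and ids are assumed values)."""
    req = ET.Element(f"{{{XKMS}}}ValidateRequest", {"Id": request_id, "Service": service_url})
    ET.SubElement(req, f"{{{XKMS}}}RespondWith").text = XKMS + "KeyValue"
    binding = ET.SubElement(req, f"{{{XKMS}}}QueryKeyBinding")
    info = ET.SubElement(binding, f"{{{DS}}}KeyInfo")
    ET.SubElement(info, f"{{{DS}}}KeyName").text = key_name
    ET.SubElement(binding, f"{{{XKMS}}}KeyUsage").text = XKMS + "Signature"
    return ET.tostring(req, encoding="unicode")

def accept_key(validate_result_xml):
    """Return (Modulus, Exponent) of a key the receiver may trust, else None.
    Assumes the result's own ds:Signature from the XKMS service was checked first."""
    root = ET.fromstring(validate_result_xml)
    if root.tag != f"{{{XKMS}}}ValidateResult" or root.get("ResultMajor") != XKMS + "Success":
        return None                      # request failed: trust nothing
    for kb in root.findall("xkms:KeyBinding", NS):
        status = kb.find("xkms:Status", NS)
        if status is None or status.get("StatusValue") != XKMS + "Valid":
            continue                     # Invalid or Indeterminate bindings are skipped
        if XKMS + "Signature" not in {u.text for u in kb.findall("xkms:KeyUsage", NS)}:
            continue                     # key was not registered for signing
        rsa = kb.find("ds:KeyInfo/ds:KeyValue/ds:RSAKeyValue", NS)
        if rsa is not None:
            return (rsa.findtext("ds:Modulus", namespaces=NS),
                    rsa.findtext("ds:Exponent", namespaces=NS))
    return None

def _result(status_value, reason_tag, reason):
    """Constructed ValidateResult samples; the base64 values are placeholders."""
    return f"""<ValidateResult xmlns="{XKMS}" xmlns:ds="{DS}" Id="r1" RequestId="q1"
      Service="https://xkms.example/service" ResultMajor="{XKMS}Success">
      <KeyBinding Id="kb1">
        <ds:KeyInfo><ds:KeyValue><ds:RSAKeyValue>
          <ds:Modulus>c29tZS1tb2R1bHVz</ds:Modulus><ds:Exponent>AQAB</ds:Exponent>
        </ds:RSAKeyValue></ds:KeyValue></ds:KeyInfo>
        <KeyUsage>{XKMS}Signature</KeyUsage>
        <Status StatusValue="{XKMS}{status_value}"><{reason_tag}>{XKMS}{reason}</{reason_tag}></Status>
      </KeyBinding></ValidateResult>"""

VALID_RESULT = _result("Valid", "ValidReason", "RevocationStatus")
REVOKED_RESULT = _result("Invalid", "InvalidReason", "RevocationStatus")
```

A revoked or indeterminate binding yields None, so the receiver never falls back to a key it cannot validate.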

Interaction with XKMS

Conclusion

• XKMS is the foundation for secure exchanges in the network – the basic component for XML encryption and signature

• XKMS provides a simple standard interface to PKI

• Network XKMS services will be available to all network nodes and node clients

• XKMS will be integrated into NAAS for key-based authentication

• XKMS is the PKI solution without the PKI complexity and cost