Date posted: 03-Jan-2016
Page 1:

Protocols Part II

Brian A. LaMacchia
bal@cs.washington.edu
bal@microsoft.com

Portions © 2002-2006, Brian A. LaMacchia. This material is provided without warranty of any kind including, without limitation, warranty of non-infringement or suitability for any purpose. This material is not guaranteed to be error free and is intended for instructional use only.

Page 2:

January 31, 2006, Practical Aspects of Modern Cryptography, slide 2

Agenda

Finish up session-based protocols: IPSEC Key Management

Message-based protocols: S/MIME; XMLDSIG, XMLENC & WS-Security

Page 3:

IPSEC Key Management

Page 4:

IPSEC Key Management

IPSEC Key Management is all about establishing and maintaining Security Associations (SAs) between pairs of communicating hosts.

Page 5:

Security Associations (SA)

New concept for IP communication

SA not a “connection”, but very similar

Establishes trust between computers

If securing with IPSEC, need SA

IKE protocol negotiates security parameters according to policy

Manages cryptographic keys and lifetime

Enforces trust by mutual authentication

Page 6:

General idea of IKEv2

It’s just Diffie-Hellman Key Exchange!

Alice -> Bob: g^A mod p, nonce_A

Bob -> Alice: g^B mod p, nonce_B

Alice -> Bob: {“Alice”, proof I’m Alice}, protected under g^AB mod p

Bob -> Alice: {“Bob”, proof I’m Bob}, protected under g^AB mod p

Page 7:

Internet Key Exchange (IKE)

Resynchronize two ends of an IPsec SA

Choose cryptographic keys

Reset sequence numbers to zero

Authenticate endpoints

Simple, right? Design evolved into something very complex.

Page 8:

IKE Contenders

Photuris: Signed Diffie-Hellman, stateless cookies, optional hiding of endpoint IDs

SKIP: Diffie-Hellman public keys, so if you know someone’s public key g^B, you automatically know a shared secret g^AB. Each msg starts with a per-msg key S encrypted with g^AB.

And the winner was...

Page 9:

ISAKMP

Internet Security Association and Key Management Protocol

Gift to the IETF from NSA

A “framework”, not a protocol. Complex encodings. Flexible yet constraining.

Two “phases”. Phase 1 expensive, establishes a session key with which to negotiate multiple phase 2 sessions.

Page 10:

Internet Key Exchange (IKE)

Phase I: Establish a secure channel (ISAKMP SA); authenticate computer identity.

Phase II: Establishes a secure channel between computers intended for the transmission of data (IPSEC SA).

Page 11:

Internet Key Exchange (IKE)

IKEv1 authors tried to fit academic papers (SKEME, OAKLEY) into ISAKMP

Mostly a rewriting of ISAKMP, but not self-contained. Uses ISAKMP.

Since both were so badly written, neither had gotten thorough review.

Really 3+ specs (ISAKMP, IKE, DOI), plus a few more (NAT traversal, etc.)

Page 12:

Imagine 150 pages of this!

“While Oakley defines “modes”, ISAKMP defines “phases”. The relationship between the two is very straightforward and IKE presents different exchanges as modes which operate in one of two phases.”

—RFC 2409

Page 13:

IKE

Two phases, like ISAKMP

Phase 1 is 8 protocols!

Two “modes”: aggressive (3 msgs), and main (6 msgs)

Main does more, like hiding endpoint identifiers

Phase 2 known as “quick mode”

So 9 protocols (8 for phase 1, + phase 2)

Page 14:

General Idea of Aggressive Mode

Alice -> Bob: I’m Alice, g^A mod p, nonce_A

Bob -> Alice: I’m Bob, g^B mod p, proof I’m Bob, nonce_B

Alice -> Bob: proof I’m Alice

Page 15:

General Idea of Main Mode

Alice -> Bob: crypto suites I support

Bob -> Alice: crypto suites I choose

Alice -> Bob: g^A mod p, nonce_A

Bob -> Alice: g^B mod p, nonce_B

Alice -> Bob: {“Alice”, proof I’m Alice} (key variant-dependent)

Bob -> Alice: {“Bob”, proof I’m Bob} (key variant-dependent)

Page 16:

Main Mode, Preshared key S

Alice -> Bob: crypto suites I support

Bob -> Alice: crypto suites I choose

Alice -> Bob: g^A mod p, nonce_A

Bob -> Alice: g^B mod p, nonce_B

Alice -> Bob: {“Alice”, proof I’m Alice} under key f(S, g^AB)

Bob -> Alice: {“Bob”, proof I’m Bob} under key f(S, g^AB)

Page 17:

General idea of Quick Mode

Alice -> Bob: IKE-SA, Y, Ni, traffic, SPI_A, [g^A mod p]

Bob -> Alice: IKE-SA, Y, Nr, traffic, SPI_B, [g^B mod p]

Alice -> Bob: IKE-SA, Y, ack

New key is PRF(current key, g^AB | Ni | Nr)
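The exchanges sketched on the IKEv2, main-mode-preshared-key and quick-mode slides, as an added example that is not part of the original deck: both sides of the Diffie-Hellman exchange, a transcript-bound proof f(S, g^AB) built from the preshared key S, and the quick-mode rekey PRF(current key, g^AB | Ni | Nr). The group parameters, the use of HMAC-SHA256 as the PRF and the exact proof construction are this example's own assumptions, not the IKE specifications.

```python
"""Skeleton of the IKE exchanges sketched on the slides above (added example, not
from the slides): Diffie-Hellman values and nonces exchanged in the clear, a
preshared-key proof f(S, g^AB) bound to the transcript, and the quick-mode rekey
PRF(current key, g^AB | Ni | Nr)."""
import hashlib
import hmac
import secrets

# Constructed toy group: the Mersenne prime 2**127 - 1 with generator 2. Real IKE
# uses 2048-bit or larger MODP groups; this only keeps the numbers readable.
P = (1 << 127) - 1
G = 2


def prf(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 stands in for the negotiated PRF."""
    return hmac.new(key, data, hashlib.sha256).digest()


def i2b(x: int) -> bytes:
    return x.to_bytes((x.bit_length() + 7) // 8 or 1, "big")


class Peer:
    """One endpoint: identity, preshared key S, ephemeral DH exponent, nonce."""

    def __init__(self, name: str, psk: bytes):
        self.name = name
        self.psk = psk
        self.x = secrets.randbelow(P - 3) + 2      # private exponent A or B
        self.public = pow(G, self.x, P)            # g^A mod p, sent in the clear
        self.nonce = secrets.token_bytes(16)

    def shared(self, peer_public: int) -> int:
        return pow(peer_public, self.x, P)         # g^AB mod p

    def proof(self, peer_public: int, peer_nonce: bytes) -> bytes:
        """'proof I'm <name>' in main-mode-preshared-key style: f(S, g^AB) keyed
        over the whole exchange, so nobody without S can produce it and the DH
        values and nonces cannot be swapped out underneath it."""
        key = prf(self.psk, i2b(self.shared(peer_public)))
        transcript = (self.name.encode() + i2b(self.public) + self.nonce
                      + i2b(peer_public) + peer_nonce)
        return prf(key, transcript)

    def check_proof(self, claimed: str, peer_public: int, peer_nonce: bytes,
                    proof: bytes) -> bool:
        """Recompute the proof the claimed peer should have sent and compare."""
        key = prf(self.psk, i2b(self.shared(peer_public)))
        transcript = (claimed.encode() + i2b(peer_public) + peer_nonce
                      + i2b(self.public) + self.nonce)
        return hmac.compare_digest(prf(key, transcript), proof)


def phase1(alice: Peer, bob: Peer) -> dict:
    """The four-message sketch: g^A, nonceA; g^B, nonceB; then the two proofs.
    Returns whether each side accepted the other and the ISAKMP SA key."""
    bob_ok = bob.check_proof("Alice", alice.public, alice.nonce,
                             alice.proof(bob.public, bob.nonce))        # msg 3
    alice_ok = alice.check_proof("Bob", bob.public, bob.nonce,
                                 bob.proof(alice.public, alice.nonce))  # msg 4
    # Both sides key the SA from the shared secret and both nonces.
    key_a = prf(alice.nonce + bob.nonce, i2b(alice.shared(bob.public)))
    key_b = prf(alice.nonce + bob.nonce, i2b(bob.shared(alice.public)))
    return {"alice_ok": alice_ok, "bob_ok": bob_ok,
            "key": key_a, "keys_match": key_a == key_b}


def quick_mode_rekey(current_key: bytes, g_ab: int, ni: bytes, nr: bytes) -> bytes:
    """Phase 2 key as on the slide: PRF(current key, g^AB | Ni | Nr). The fresh
    nonces guarantee a new key; a fresh optional DH adds forward secrecy."""
    return prf(current_key, i2b(g_ab) + ni + nr)
```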

Page 18:

IPSEC Bundling/Wrapping

Multiple IPSEC transforms may be wrapped successively around a single IP datagram.

Example: IPSEC transport sent over an IPSEC tunnel.

Page 19:

Sending in Transport Mode

Diagram: protocol stack Application, Transport, IP, Physical, with IPSec inserted between Transport and IP; the datagram on the wire is Physical | IP | IPSec | TCP | Application Data.

Page 20:

Sending in Tunnel Mode

Diagram: the inner datagram IP | IPSec | TCP | Application Data is wrapped in a second layer, giving Outer IP | IPSec | Inner IP | IPSec | TCP | Application Data on the Physical link.

Page 21:

Receiving in Tunnel Mode

Diagram: the same layering as the previous slide, unwrapped in reverse order on receipt: the Outer IP header and its IPSec header first, then the Inner IP header and its IPSec header, leaving TCP | Application Data.

Page 22:

Receiving in Transport Mode

Diagram: protocol stack Application, Transport, IP, Physical, with IPSec between IP and Transport; the received datagram Physical | IP | IPSec | TCP | Application Data is unwrapped layer by layer.

Page 23:

What is Network Address Translation (NAT)?

Network Address Translation (NAT): dynamically modifies the source address; dynamically recomputes interior UDP/TCP checksums.

Port Address Translation (PAT): dynamically modifies the TCP/UDP source address and port; dynamically recomputes interior UDP/TCP checksums.

Page 24:

NATs Rewrite Address/Port Pairs

Diagram: a TCP/IP stack (user mode above, kernel mode below) with a kernel-mode firewall hook where the SNAT intercepts outgoing packets. A packet with S = 10.0.0.2, D = 131.107.1.7 leaves as S = 172.31.249.14, D = 131.107.1.7 according to the translation table:

10.0.0.2, 1185, 23 = 172.31.249.14
10.0.0.3, 1185, 23 = 172.31.249.14

Page 25:

IPSEC AH and NAT

Change in address or port will cause the message integrity check to fail; the packet will be rejected by the destination.

IPSEC AH cannot be used with NAT or PAT devices.

Diagram: Orig IP Hdr | AH Hdr | TCP Hdr | Data, with Message Integrity Check coverage over the whole packet (except for mutable fields).

Page 26:

IPSEC ESP and NAT

Can change IP header in special cases only

Special TCP/UDP ignores pseudo header used in checksum calculation

Port information encrypted!

Can’t change ESP header because of integrity hash coverage

Diagram: Orig IP Hdr | ESP Hdr | TCP Hdr | Data | ESP Trailer | ESP Auth. Encrypted: TCP Hdr through ESP Trailer. Integrity hash coverage: ESP Hdr through ESP Trailer.
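The two coverage diagrams above, as an added example that is not part of the original deck: an AH-style integrity check that covers the IP addresses (mutable fields zeroed) fails once a NAT rewrites the source, while an ESP-style check that starts at the ESP header still verifies, and the TCP ports a PAT would need are inside the ciphertext. The header layouts are simplified and the HMAC-counter-mode cipher is a stand-in, both this example's own assumptions; the addresses and ports are the ones on the NAT slide.

```python
"""Why a NAT breaks AH but not (necessarily) ESP (added example, not from the
slides): AH's ICV covers the IP addresses, ESP's ICV does not, and the TCP ports
that a PAT would rewrite sit inside the ESP ciphertext."""
import hashlib
import hmac
import struct
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    """Simplified IPv4/TCP datagram: only the fields the slides talk about."""
    src: str
    dst: str
    ttl: int
    sport: int
    dport: int
    data: bytes


def _addr(a: str) -> bytes:
    return bytes(int(octet) for octet in a.split("."))


def _ip_header(pkt: Packet, zero_mutable: bool) -> bytes:
    """Addresses are immutable in flight; TTL is mutable, so AH zeroes it."""
    return _addr(pkt.src) + _addr(pkt.dst) + bytes([0 if zero_mutable else pkt.ttl])


def _tcp_header(pkt: Packet) -> bytes:
    return struct.pack("!HH", pkt.sport, pkt.dport)


# --- AH: ICV over Orig IP Hdr (mutable fields zeroed) | AH Hdr | TCP Hdr | Data

def ah_icv(key: bytes, pkt: Packet, spi: int = 0x100, seq: int = 1) -> bytes:
    ah_hdr = struct.pack("!II", spi, seq)
    covered = _ip_header(pkt, zero_mutable=True) + ah_hdr + _tcp_header(pkt) + pkt.data
    return hmac.new(key, covered, hashlib.sha256).digest()


def ah_verify(key: bytes, pkt: Packet, icv: bytes) -> bool:
    return hmac.compare_digest(ah_icv(key, pkt), icv)


# --- ESP: ICV over ESP Hdr | encrypted(TCP Hdr | Data | ESP Trailer) only ------

def _stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 in counter mode as a stand-in for the ESP cipher (toy)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, nonce + struct.pack("!I", i // 32), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


def esp_protect(enc_key: bytes, auth_key: bytes, pkt: Packet,
                spi: int = 0x200, seq: int = 1) -> dict:
    esp_hdr = struct.pack("!II", spi, seq)
    trailer = bytes([0, 6])                       # pad length 0, next header = TCP
    body = _stream_xor(enc_key, esp_hdr, _tcp_header(pkt) + pkt.data + trailer)
    icv = hmac.new(auth_key, esp_hdr + body, hashlib.sha256).digest()
    # The outer IP header travels outside the ICV, so a NAT may rewrite it.
    # The TCP ports are inside `body`, so a PAT has nothing it can rewrite.
    return {"src": pkt.src, "dst": pkt.dst, "ttl": pkt.ttl,
            "esp_hdr": esp_hdr, "body": body, "icv": icv}


def esp_verify(auth_key: bytes, esp: dict) -> bool:
    expected = hmac.new(auth_key, esp["esp_hdr"] + esp["body"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, esp["icv"])


def esp_open(enc_key: bytes, esp: dict) -> bytes:
    """Receiver side: TCP Hdr | Data | trailer. Only now are the ports visible,
    and the TCP checksum (pseudo-header with the original addresses) can be
    checked or, as the slide says, ignored behind a NAT."""
    return _stream_xor(enc_key, esp["esp_hdr"], esp["body"])


# --- what a NAT on the path does ---------------------------------------------

def nat_rewrite_ah(pkt: Packet, new_src: str) -> Packet:
    """Source address rewritten and TTL decremented, as any router/NAT would."""
    return replace(pkt, src=new_src, ttl=pkt.ttl - 1)


def nat_rewrite_esp(esp: dict, new_src: str) -> dict:
    return {**esp, "src": new_src, "ttl": esp["ttl"] - 1}
```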

Page 27:

Message-based Protocols

Page 28:

Message-Based Protocols

“Session” vs. “Message”

Synchronous vs. Asynchronous

In message-based protocols, we cannot assume we have the luxury of being able to negotiate ciphersuites, parameter values, etc.

In the common scenario, each message is a “fire-and-forget” communication.

Each message has to contain enough information to allow the recipient to decrypt it.

Page 29:

Message-Based Protocols

There are lots of message-based protocols. Examples: RPC, routing table updates.

The most common scenario to date, though, is e-mail:

Digitally signed for sender authentication and integrity protection

Encrypted for confidentiality

Page 30:

S/MIME

Page 31:

Secure MIME: What is S/MIME?

Secure Multipurpose Internet Mail Extensions

Initially designed by an RSA-led vendor consortium in 1995

S/MIME messaging and S/MIME certificate handling are Internet RFCs

Widely supported format for secure e-mail messages

Uses X.509v3 certificates

Page 32:

Scenario Assumptions

Each participant has two public-private key pairs: one for signing messages and one for receiving encrypted messages from others.

“Separation of duty” – separate keys (with separate controls) for separate uses

Encryption key archival/escrow/recovery

For now, we assume key distribution isn’t a problem for participants:

If I want to send you a message, I can obtain a copy of your encryption public key that I trust.

If you want to verify a message I signed, you can obtain a copy of my public signing key that you trust.

Page 33:

Encrypting Messages

How do we want to encrypt messages?

We have public keys for recipients, so we could repeatedly apply PK-encryption to portions of the message.

Recall that we can only RSA-encrypt messages M with |M| ≤ |n|.

Plus, public key encryption is relatively slow, so we’d like to use it efficiently.

Idea: use PK to convey a random symmetric “session” key to recipients.

Page 34:

Encrypting Messages

We use symmetric encryption with randomly-generated session keys to encrypt message bodies, since symmetric encryption is fast and messages may be arbitrarily large.

We use public-key encryption to encrypt the session keys to message recipients.

We send both the encrypted message and the encrypted session key as a unit to recipients…

Page 35:

Message Encryption

Diagram: Alice encrypts m under a symmetric (Sym.) session key, the session key is encrypted with public-key encryption, and both travel together as the Message.

Page 36:

Decrypting Messages

Message decryption is just the reverse of encryption.

Recipients use their private encryption key to decrypt the session key for the message.

Recipients then use the session key to symmetrically decrypt the message body.

Page 37:

Message Decryption

Diagram: Bob decrypts the session key with his private key and then symmetrically (Sym.) decrypts the body to recover m.

Page 38:

Signing Messages

How do we want to sign messages?

Each user has a signing key pair, but again we can only sign values that are at most the same size as our signing public key modulus.

So we can’t sign the entire message directly, and repeated signing of parts of the message would open us up to attacks.

Idea: Sign a hash of the message.

Page 39:

Signing Messages

To sign a message, we first choose a cryptographic hash function H() to use with our signature algorithm. Normally defined as part of a signing ciphersuite.

We apply the hash function H to the exact sequence of bytes that forms our message (usually including header info).

We sign the hash value.

We append the signed hash value to the message.

Page 40:

Digital Signatures Provide Authentication and Integrity

Diagram: m -> Hash Function -> Hash Value -> signed with Alice’s private signing key -> Signed Hash; the transmitted Message is m together with the Signed Hash.

Page 41:

Verifying Signatures

To verify a signed message, the recipient has to do three things:

1. Independently compute the hash value of the signed portion of the message.

2. Verify that the signature on the message came from the sender (by applying the sender’s public signing key). This yields the hash value signed by the sender.

3. Compare the independently-computed hash value with the one the sender signed.

If the hash values are equal, then the message has not been modified since it was signed.

Page 42:

Verifying Signatures

Diagram: Bob runs m through the Hash Function to get a Hash Value, recovers the Hash Value from the Signed Hash with Alice’s public key, and compares the two.

Page 43:

More Complex Signatures

A single signer acknowledging understanding of or commitment to different concepts or agreements within one document.

Multiple signers signing unique content within the same document.

Multiple signers “co-signing” the same content within the same document.

Multiple signers, one signing content, the other “counter-signing” the prior signature.

Page 44:

Co-Signing

Alice and Bob want to sign the same message “in parallel”.

Diagram: the To-be-signed Message m goes through the Hash Function to give one Hash Value; Alice and Bob each sign that value (Signed Hash 1 and Signed Hash 2), and the Co-Signed Message carries m together with both signed hashes.

Page 45:

Counter-Signing

Alice and Bob want to sign the same message “in series” (Alice first, then Bob).

Diagram: m -> Hash Function -> Hash Value -> Alice Signed Hash, giving the Message Signed by Alice (m with Alice’s signed hash); that signed message -> Hash Function -> Hash Value -> Bob Signed Hash; the Counter-Signed Message carries m, Alice’s signed hash and Bob’s signed hash.
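The S/MIME mechanics from the encryption slides (public key conveys a random session key, symmetric cipher encrypts the body) and the signing slides (hash-then-sign, the three verification steps, co-signing versus counter-signing), as one added example that is not part of the original deck. The RSA key generation, the absence of padding, the HMAC-counter-mode stand-in for the symmetric cipher and the dictionary layout standing in for CMS structures are all this example's own assumptions; the counter-signature here signs the first signature value, as CMS does, rather than re-hashing the whole signed message as the diagram shows.

```python
"""S/MIME-style message protection with toy RSA (added example, not from the
slides): enveloping a body under a random session key, hash-then-sign, and the
difference between co-signing and counter-signing."""
import hashlib
import hmac
import secrets

# --- toy RSA: constructed for illustration; no padding, short keys -----------

def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin test with random bases."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand

def keygen(bits: int = 512) -> tuple:
    """Return ((n, e), (n, d)); the modulus n has about `bits` bits, so a
    256-bit hash or session key always satisfies |M| <= |n|."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        if p != q and ((p - 1) * (q - 1)) % e:
            break
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))

def _i2b(x: int) -> bytes:
    return x.to_bytes((x.bit_length() + 7) // 8 or 1, "big")

# --- enveloping: PK carries the session key, symmetric cipher the body -------

def _stream_xor(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 in counter mode as a stand-in for the symmetric cipher."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def envelope(recipient_pub: tuple, body: bytes) -> dict:
    """Random session key k encrypts the body; only k is RSA-encrypted."""
    n, e = recipient_pub
    k = secrets.token_bytes(32)
    return {"enc_key": pow(int.from_bytes(k, "big"), e, n), "body": _stream_xor(k, body)}

def open_envelope(recipient_priv: tuple, env: dict) -> bytes:
    n, d = recipient_priv
    k = pow(env["enc_key"], d, n).to_bytes(32, "big")
    return _stream_xor(k, env["body"])

# --- hash-then-sign ----------------------------------------------------------

def sign(priv: tuple, data: bytes) -> int:
    """RSA is applied to H(data), never to the (arbitrarily long) data."""
    n, d = priv
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big"), d, n)

def verify(pub: tuple, data: bytes, sig: int) -> bool:
    """The slides' three steps: recompute the hash, recover the signed hash
    with the signer's public key, compare the two."""
    n, e = pub
    return pow(sig, e, n) == int.from_bytes(hashlib.sha256(data).digest(), "big")

def co_sign(m: bytes, signers: dict) -> dict:
    """Co-signing: every SignerInfo independently signs the same content m."""
    return {"content": m, "signer_infos": {name: sign(k, m) for name, k in signers.items()}}

def verify_co_signed(doc: dict, pubs: dict) -> bool:
    return all(verify(pubs[n], doc["content"], s) for n, s in doc["signer_infos"].items())

def counter_sign(m: bytes, first: tuple, second: tuple) -> dict:
    """Counter-signing: the second signer signs the first signature value, not
    m; in CMS this lands in the first SignerInfo's unsigned attributes."""
    s1 = sign(first, m)
    return {"content": m, "signature": s1, "countersignature": sign(second, _i2b(s1))}

def verify_counter_signed(doc: dict, first_pub: tuple, second_pub: tuple) -> bool:
    return (verify(first_pub, doc["content"], doc["signature"])
            and verify(second_pub, _i2b(doc["signature"]), doc["countersignature"]))
```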

PKCS #7/CMS Structure

A CMS SignedData object contains:
  Version
  Digest Algorithms
  Content
  Certificates
  CRLs
  Signer Infos (Signer Info 1, Signer Info 2, Signer Info 3, ...)

Each Signer Info contains:
  Version
  Serial Number (identifies the signer's certificate)
  Digest Algorithm
  Authenticated Attributes
  Unauthenticated Attributes
  Digital Signature

Countersignatures go in the Unauthenticated Attributes of the Signer Info whose signature they countersign.
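Added example, not from the slides: the co-signing and counter-signing layouts above, expressed over the CMS structure just described. sign()/verify() use HMAC-SHA256 under a per-signer key as a stand-in for the public-key signature a real SignerInfo carries, plain dicts stand in for the ASN.1 structures, and the signer names and keys are constructed for the example.

```python
import hashlib
import hmac

# Stand-in primitives: a real SignerInfo carries a public-key signature;
# HMAC under a per-signer key is used here so the example runs stand-alone.

def digest(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def sign(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def verify(key: bytes, data: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(key, data), sig)

def co_sign(content: bytes, signers: dict) -> dict:
    """Parallel signatures: every SignerInfo signs the digest of the same content.
    Order is irrelevant and each signature can be checked without the others."""
    h = digest(content)
    return {
        "content": content,
        "signer_infos": [
            {"signer": name, "signature": sign(key, h), "unsigned_attrs": {}}
            for name, key in signers.items()
        ],
    }

def counter_sign(signed: dict, target_signer: str, name: str, key: bytes) -> None:
    """Serial signature: the countersigner signs the *signature value* of an existing
    SignerInfo, and the result is stored in that SignerInfo's unauthenticated
    (unsigned) attributes, which is where CMS puts countersignatures."""
    for si in signed["signer_infos"]:
        if si["signer"] == target_signer:
            cs = sign(key, digest(si["signature"]))
            si["unsigned_attrs"].setdefault("countersignatures", []).append(
                {"signer": name, "signature": cs})
            return
    raise KeyError(target_signer)

def verify_all(signed: dict, keys: dict) -> dict:
    """One verdict per signature, e.g. {"alice": True, "bob/alice": True} where
    "bob/alice" is Bob's countersignature over Alice's signature."""
    h = digest(signed["content"])
    verdicts = {}
    for si in signed["signer_infos"]:
        verdicts[si["signer"]] = verify(keys[si["signer"]], h, si["signature"])
        for cs in si["unsigned_attrs"].get("countersignatures", []):
            # A countersignature vouches for the signature bytes, not for the content.
            verdicts[cs["signer"] + "/" + si["signer"]] = verify(
                keys[cs["signer"]], digest(si["signature"]), cs["signature"])
    return verdicts

# Constructed keys for the two signers.
KEYS = {"alice": b"alice-signing-key", "bob": b"bob-signing-key"}

if __name__ == "__main__":
    msg = b"I agree to the terms."
    parallel = co_sign(msg, KEYS)
    serial = co_sign(msg, {"alice": KEYS["alice"]})
    counter_sign(serial, "alice", "bob", KEYS["bob"])
    print("co-signed:     ", verify_all(parallel, KEYS))
    print("counter-signed:", verify_all(serial, KEYS))
```

The last two checks in the test are the practical difference between the layouts: Bob's countersignature attests to Alice's signature bytes, so it stays valid when the content is altered (Alice's own signature is what fails) and breaks only when her signature is altered. A verifier that wants Bob's word on the content itself needs a co-signature, not a countersignature.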

Limitations of the CMS format

CMS's basic model is the “wrapped” signature: the signed content is enclosed by the signature object. (SignedData may omit the encapsulated content to produce a detached signature, but the content is still treated as an opaque bytestream.)

Signing assumes you start with a bytestream that is completely immutable. This is the safest assumption, but sometimes it's overly conservative.

Example: CR-LF rewriting and tab/whitespace conversions applied to text in transit invalidate the signature even though the text's meaning is unchanged.

Message security for XML objects: XMLDSIG, XMLENC & WS-Security

What is XML?

<Address>
  <Street>1 Microsoft Way</Street>
  <City>Redmond</City>
  <State>WA</State>
  <ZipCode>98052</ZipCode>
</Address>

What is XML?

XML is a W3C standard for describing “markup languages”. XML == “eXtensible Markup Language”.
It had its roots in SGML (of which HTML is an offshoot).
Now, though, XML has really become a standard means of representing data structures in text.
“XML provides a text-based means to describe and apply a tree-based structure to information.” -- Wikipedia

Securing XML

As XML's popularity grew, so did the need to secure XML objects (trees of XML elements).
How should we sign & encrypt XML?
One possibility: just treat an XML object as a byte sequence and use S/MIME. It's just a sequence of characters, so we can Unicode-encode that sequence, hash it, encrypt it and wrap it in S/MIME.

Securing XML

Using S/MIME works, but it has some drawbacks:
1. The result of signing or encrypting an XML object is now some binary blob, not an XML object, so signing & encrypting this way doesn't “play nice” with the XML ecosystem.
2. An XML object isn't a piece of text; that text is just a representation of the object. There are many equivalent representations of an XML object.
3. There are semantically-neutral transforms allowed on XML representations that should not break signatures.

Signing & Encrypting XML

Thus, there was a need to develop a standard for signing & encrypting XML objects.
July 1999: work began on XMLDSIG, a standard for signing XML objects and representing signatures as XML.
Summer 2000: work began on XMLENC, a standard for encrypting data and representing the ciphertext and associated key information as XML.

XMLDSIG

The XMLDSIG Standard

XMLDSIG is an IETF/W3C joint standard for XML Digital Signatures.
Signatures are represented as XML objects.
Signed content may be XML documents, document fragments, or any binary stream.
Baseline standard for further security work on XML Web Services (WS-Security).

Major Requirements and Key Features of XMLDSIG

XMLDSIG supports three methods of signing an XML element: Wrapped, Detached and Embedded (the specification calls these enveloping, detached and enveloped signatures).
XMLDSIG signatures can be over an entire XML document or a fragment (sub-part) of a document.
XMLDSIG has to support the fact that an XML object might have multiple representations: some modifications to the text must be allowed and not break the signature.
XMLDSIG has to support signatures over groups or collections of XML objects.

Wrapped Signatures

Wrapped signatures include the signed content within the XMLDSIG structure.
Similar in format to a CMS (S/MIME) message.
Useful if the amount of to-be-signed data is small.
Note: the signed content's schema is not preserved at top level.

[Figure: an XMLDSIG Signature element containing a SignedInfo element (which includes a pointer to the signed content) and the Signed Content itself.]

Detached Signatures

Detached signatures separate the signature from the signed content. The signature travels in a separate XML document.
Useful when you want to sign non-XML data, e.g. an audio/visual data stream.

[Figure: an XMLDSIG Signature element whose SignedInfo includes a pointer to the Signed Content, which lives in a separate XML resource.]

Embedded Signatures

New mechanism unique to XMLDSIG.
Standard way to embed an XMLDSIG signature within another XML document: the signed document carries the signature inside itself.
Because the signature element sits inside the content it signs, the reference must exclude the Signature element itself from what gets hashed (XMLDSIG defines an enveloped-signature transform for exactly this); otherwise inserting the SignatureValue would change the hash it is supposed to match.

[Figure: a Signed Content document that contains an XMLDSIG Signature element, whose SignedInfo includes a pointer back to the enclosing signed content.]

Signing Portions of Docs

A key feature of XMLDSIG is its ability to sign selected portions of documents.
Instead of hashing the entire document, identify & hash only those sections requiring protection.
“Transform processing model”

[Figure: Input Content -> Transform 1 -> Transform 2 -> ... -> Transform n -> To-be-signed Content.]

Workflow Scenario

[Figure: an on-line form F has Alice's part and Bob's part. Alice starts with a blank form, completes her part and signs it (Alice's sig covers only Alice's part). She sends F to Bob so Bob can complete his part. Bob completes his part, fills out the remainder of the form and adds Bob's sig. Alice's signature stays valid because it covers only the portion she filled in.]

Canonicalization (C14N)

XMLDSIG introduced the notion of a “canonical form” for an XML object.
C14N is an algorithm that converts an XML text representation into its canonical form bytestream.
All semantically-equivalent representations of an XML object have the same canonical form bytestream. That's the ideal case; in practice, for various technical reasons, we don't quite get there.
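Added example, not from the slides: what canonicalization buys over hashing the raw text, using Python's xml.etree.ElementTree.canonicalize (Python 3.8+), which implements Canonical XML 2.0 rather than the 2001 C14N 1.0 algorithm the XMLDSIG examples reference; the behaviour shown (attribute ordering, quoting, empty elements, character references, whitespace) is the same in both. The three serializations of the Address record are constructed for the example.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed inputs: the slide's Address record, serialized three ways.
ADDRESS_A = (
    '<Address kind="home" id="a1"><Street>1 Microsoft Way</Street>'
    '<City>Redmond</City><State>WA</State><ZipCode>98052</ZipCode><Unit/></Address>'
)
# Same tree as A: attribute order, quote style, a character reference and the
# empty-element form differ, which are the "semantically-neutral" differences.
ADDRESS_B = (
    "<Address id='a1' kind='home'><Street>1 Microsoft Way</Street>"
    "<City>Redmond</City><State>WA</State><ZipCode>&#57;8052</ZipCode><Unit></Unit></Address>"
)
# Same elements as A, pretty-printed: the whitespace-only text nodes are data to C14N.
ADDRESS_C = (
    '<Address kind="home" id="a1">\n  <Street>1 Microsoft Way</Street>\n'
    '  <City>Redmond</City>\n  <State>WA</State>\n  <ZipCode>98052</ZipCode>\n  <Unit/>\n</Address>'
)

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def raw_digest(xml_text: str) -> str:
    """What S/MIME over the bytes signs: the hash of one particular serialization."""
    return sha256_hex(xml_text.encode("utf-8"))

def canonical_form(xml_text: str) -> str:
    """The C14N bytestream (returned as text) of the parsed XML object."""
    return ET.canonicalize(xml_text)

def canonical_digest(xml_text: str) -> str:
    """What XMLDSIG signs: the hash of the canonical form."""
    return sha256_hex(canonical_form(xml_text).encode("utf-8"))

if __name__ == "__main__":
    print(canonical_form(ADDRESS_B))
    print("raw digests equal:      ", raw_digest(ADDRESS_A) == raw_digest(ADDRESS_B))
    print("canonical digests equal:", canonical_digest(ADDRESS_A) == canonical_digest(ADDRESS_B))
    print("pretty-printed equal:   ", canonical_digest(ADDRESS_A) == canonical_digest(ADDRESS_C))
```

The third variant is the “don't quite get there” caveat in miniature: whitespace-only text nodes between elements are part of the canonical form, so a pretty-printer in the message path changes the signed bytes even though most XML tooling treats that whitespace as insignificant. Signers therefore either serialize compactly or apply a transform that strips it before the digest is taken.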

C14N and Signing

In XMLDSIG, we compute the digital signature over the hash of the canonical form of whatever we want to sign.

[Figure: Input Content -> 0-n Transforms -> To-be-signed Content -> C14N Bytestream -> Hash function -> Signature Algorithm -> Signature Value.]

(In full detail, the digest of each referenced item is recorded in SignedInfo, and it is the canonical form of SignedInfo that is hashed and signed, so one signature covers every Reference.)

Structural Overview

Top-level element is always a <Signature>. <SignedInfo> and <SignatureValue> are required sub-elements; <KeyInfo> and <Object> are optional.

  SignedInfo: identifies the signature algorithm, canonicalization method and the list of signed contents.
  SignatureValue: the actual signature value, computed over the contents of the SignedInfo element.
  KeyInfo (optional): information related to the signing key.
  Object (optional): sub-element usually used to embed signed content within the signature.

SignedInfo Details

The <SignedInfo> element contains a list of <Reference> elements. Each <Reference> element points to a piece of signed content, so <SignedInfo> is a manifest listing all the contents signed by the signature.

  CanonicalizationMethod: identifies the canonicalization algorithm.
  SignatureMethod: identifies the digital signature algorithm.
  Reference (one or more): identifies specific content signed by the signature, via
    URI (pointer to content)
    Transforms (optional): used to select a portion of the URI's content for signing
    DigestMethod (hash algorithm for content)
    DigestValue (content's hash value)

Sample Signature

<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
  <SignedInfo>
    <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <Reference URI="http://www.farcaster.com/index.htm">
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
      <DigestValue>XoaHIm+jLKnPocR7FX0678DUOqs=</DigestValue>
    </Reference>
  </SignedInfo>
  <SignatureValue>
    M5BhlrxPaOEYcCwSZ3WEDR6dfK5id/ef1JWK6OO5PEGHp9/JxrdA2xT5TYr5egArZGdVURpMVGUeViWoeHcGAyMNG9Cmc/I56sYd/TSV/MjLgb/mxq+6Fh/HWtVhjHIG+AdL4lA+ZxxEi147QVVzgCl4+dvIZaGo7oAFneDKv0I=
  </SignatureValue>
</Signature>
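Added example, not from the slides: a detached signature in the shape of the sample above, created and then verified in the two stages XMLDSIG prescribes (reference validation, then signature validation over the canonical SignedInfo). The assumptions are HMAC-SHA256 as the SignatureMethod (a keyed MAC XMLDSIG does define, used so that no public-key library is needed), Canonical XML 2.0 as the CanonicalizationMethod (what Python's xml.etree implements, Python 3.8+), SHA-256 for DigestMethod, and a constructed document at a made-up urn: URI.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
C14N_2_0 = "http://www.w3.org/2010/xml-c14n2"
HMAC_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"

ET.register_namespace("", DSIG_NS)  # serialize xmldsig as the default namespace

def ds(local: str) -> str:
    return "{%s}%s" % (DSIG_NS, local)

def b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")

def c14n(elem: ET.Element) -> bytes:
    """Canonical bytestream of an element: re-serialize it, then canonicalize."""
    return ET.canonicalize(ET.tostring(elem, encoding="unicode")).encode("utf-8")

def sign_detached(key: bytes, uri: str, content: bytes) -> str:
    sig = ET.Element(ds("Signature"))
    si = ET.SubElement(sig, ds("SignedInfo"))
    ET.SubElement(si, ds("CanonicalizationMethod"), Algorithm=C14N_2_0)
    ET.SubElement(si, ds("SignatureMethod"), Algorithm=HMAC_SHA256)
    ref = ET.SubElement(si, ds("Reference"), URI=uri)
    ET.SubElement(ref, ds("DigestMethod"), Algorithm=SHA256)
    # Stage 1: the content's hash goes into the manifest (SignedInfo) ...
    ET.SubElement(ref, ds("DigestValue")).text = b64(hashlib.sha256(content).digest())
    # Stage 2: ... and the signature is computed over canonical SignedInfo only.
    mac = hmac.new(key, c14n(si), hashlib.sha256).digest()
    ET.SubElement(sig, ds("SignatureValue")).text = b64(mac)
    return ET.tostring(sig, encoding="unicode")

def verify_detached(key: bytes, signature_xml: str, resolve) -> bool:
    """resolve(uri) returns the detached content as bytes, or None if unknown."""
    sig = ET.fromstring(signature_xml)
    si = sig.find(ds("SignedInfo"))
    if si is None:
        return False
    # Pin the algorithms: never let the signature tell you which ones to trust.
    if si.find(ds("CanonicalizationMethod")).get("Algorithm") != C14N_2_0:
        return False
    if si.find(ds("SignatureMethod")).get("Algorithm") != HMAC_SHA256:
        return False
    # Reference validation: every DigestValue must match what its URI resolves to.
    for ref in si.findall(ds("Reference")):
        if ref.find(ds("DigestMethod")).get("Algorithm") != SHA256:
            return False
        content = resolve(ref.get("URI"))
        if content is None:
            return False
        want = b64(hashlib.sha256(content).digest())
        got = (ref.find(ds("DigestValue")).text or "").strip()
        if not hmac.compare_digest(want, got):
            return False
    # Signature validation: recompute the MAC over the canonical SignedInfo.
    mac = hmac.new(key, c14n(si), hashlib.sha256).digest()
    sv = base64.b64decode((sig.find(ds("SignatureValue")).text or "").strip())
    return hmac.compare_digest(mac, sv)

# Constructed sample: the slide's Address document behind a made-up URI, and a shared key.
URI = "urn:example:address-1"
DOCS = {URI: b"<Address><Street>1 Microsoft Way</Street><ZipCode>98052</ZipCode></Address>"}
KEY = b"shared-hmac-key-for-the-example"

if __name__ == "__main__":
    s = sign_detached(KEY, URI, DOCS[URI])
    print(s)
    print("valid:", verify_detached(KEY, s, DOCS.get))
```

Two points the code makes explicit. The verifier checks the Algorithm identifiers before trusting anything, because a verifier that accepts whatever algorithm the signature names lets whoever last rewrote the signature choose a weak one. And the signature covers SignedInfo only: the content is bound through its DigestValue, so a re-serialization of the signature element that parses to the same object still verifies, while whitespace inserted inside SignedInfo itself changes its canonical form and invalidates the signature.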

XMLENC

The XMLENC Standard

XMLENC is a W3C Standard defining how to encrypt data and represent the result in XML.
The data may be arbitrary data (including an XML document), an XML element, or XML element content.
The result of encrypting data is an XML Encryption element which contains or references the cipher data.

Key Features of XMLENC

Wrapped or detached CipherData: encrypted data may be enclosed within the metadata describing how it was encrypted, or sent separately.
EncryptedKey inside KeyInfo: bulk data encryption keys wrapped in recipient public keys can be sent along with the data (à la S/MIME).
Detached CipherData references use the same Transforms structure as XMLDSIG.

Structural Overview

Top-level element is either <EncryptedData> or <EncryptedKey>. Both contain:

  EncryptionMethod (optional): describes the encryption algorithm used to protect the CipherData.
  KeyInfo (optional): information identifying the key used to encrypt the CipherData.
  CipherData: envelopes or references the encrypted data.
  EncryptionProperties (optional): additional information about the encryption.

<EncryptedKey> has two additional properties over <EncryptedData>: its <CipherData> always contains key material, and an <EncryptedKey> may appear within an <EncryptedData>'s <KeyInfo> element.

XMLENC Example

<?xml version='1.0'?>
<PaymentInfo xmlns='http://example.org/paymentv2'>
  <Name>John Smith</Name>
  <CreditCard Limit='5,000' Currency='USD'>
    <Number>4019 2445 0277 5567</Number>
    <Issuer>Example Bank</Issuer>
    <Expiration>04/07</Expiration>
  </CreditCard>
</PaymentInfo>

Raw (unencrypted) XML: a simple payment structure with embedded credit card information.

XMLENC Example (1)

<?xml version='1.0'?>
<PaymentInfo xmlns='http://example.org/paymentv2'>
  <Name>John Smith</Name>
  <EncryptedData Type='http://www.w3.org/2001/04/xmlenc#Element'
                 xmlns='http://www.w3.org/2001/04/xmlenc#'>
    <CipherData>
      <CipherValue>A23B45C56</CipherValue>
    </CipherData>
  </EncryptedData>
</PaymentInfo>

Encrypting the entire <CreditCard> element, including tag & attributes.

XMLENC Example (2)

<?xml version='1.0'?>
<PaymentInfo xmlns='http://example.org/paymentv2'>
  <Name>John Smith</Name>
  <CreditCard Limit='5,000' Currency='USD'>
    <EncryptedData xmlns='http://www.w3.org/2001/04/xmlenc#'
                   Type='http://www.w3.org/2001/04/xmlenc#Content'>
      <CipherData>
        <CipherValue>A23B45C56</CipherValue>
      </CipherData>
    </EncryptedData>
  </CreditCard>
</PaymentInfo>

Encrypting the contents of the <CreditCard> element.

XMLENC Example (3)

<?xml version='1.0'?>
<PaymentInfo xmlns='http://example.org/paymentv2'>
  <Name>John Smith</Name>
  <CreditCard Limit='5,000' Currency='USD'>
    <Number>
      <EncryptedData xmlns='http://www.w3.org/2001/04/xmlenc#'
                     Type='http://www.w3.org/2001/04/xmlenc#Content'>
        <CipherData>
          <CipherValue>A23B45C56</CipherValue>
        </CipherData>
      </EncryptedData>
    </Number>
    <Issuer>Example Bank</Issuer>
    <Expiration>04/07</Expiration>
  </CreditCard>
</PaymentInfo>

Encrypting just the card number.

Web Services & WS-Security

Web Services in One Slide

Software components accessible via standard “Web” protocols. Think of them as “remote procedure calls using SOAP/XML messages (over HTTP)”.
Available to any client that speaks XML, SOAP and the transport protocol: platform-independent components.
Enables Service-Oriented Architecture (SOA)-based application development.
Provides a general-purpose, composable protocol framework.

Local Procedures

public static float GetQuote(String symbol) {
  // implementation goes here
  // details are hidden from caller
}

public static void Main(String[] args) {
  float msftPrice = GetQuote("MSFT");
  Console.WriteLine("MSFT: {0:F2}", msftPrice);
}

C:\>test.exe
MSFT: 27.50

Procedures create abstraction boundaries: callers only care about inputs to & outputs from a procedure.

Quote Request Message

<?xml version="1.0" encoding="UTF-8" ?>
<SOAP-ENV:Envelope
    xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:ns1="urn:xmethods-delayed-quotes"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"
    SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
  <SOAP-ENV:Body>
    <ns1:getQuote>
      <symbol xsi:type="xsd:string">MSFT</symbol>
    </ns1:getQuote>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

Quote Response Message

<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope
    xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:ns1="urn:xmethods-delayed-quotes"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"
    SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
  <SOAP-ENV:Body>
    <ns1:getQuoteResponse>
      <Result xsi:type="xsd:float">27.50</Result>
    </ns1:getQuoteResponse>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

Security Requirements

Message-level security: confidentiality, integrity and authentication for every SOAP request and response. Web services are asynchronous; there is no “channel” to secure.
Interoperable: people, systems, applications, and services; heterogeneous environments.
Can be composed with other SOAP protocol features, e.g. reliable messaging, transactions.
Decentralized and dynamic: arbitrary network topology with no central authority; assume policies change and evolve over time; dynamic authorization model.


WS-Security

- Defines a framework for building security protocols
  - Integrity
  - Confidentiality
  - Propagation of security tokens
    - Authorization credentials
- Framework designed for end-to-end security of SOAP messages
  - From initial sender, through 0-n intermediaries to ultimate receiver


What are security tokens?

- Represent claims about identity, capabilities, privileges
- Examples: UsernameToken, X.509 Certificate, KerberosTicket


Protecting messages

- Parts of a message can be signed to ensure integrity
- Parts of a message can be encrypted to ensure confidentiality
- Underlying technologies support pluggable algorithms
  - Encryption, Digest, Signature, Canonicalization, Transforms


<s:Envelope xmlns:s='http://www.w3.org/2003/05/soap-envelope'
            xmlns:wsu='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'
            xmlns:ws='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd'
            xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
  <s:Header>
    <ws:Security s:mustUnderstand='true'>
      <ws:BinarySecurityToken wsu:Id='Me'
          ValueType='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3'
          EncodingType='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary'>
        MeIIZFgea4FGiu5cvWEklO8pl...
      </ws:BinarySecurityToken>
      . . .

My security token (the ws:BinarySecurityToken with wsu:Id='Me')


      . . .
      <ds:Signature>
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#'/>
          <ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/>
          <ds:Reference URI='#Body'>
            <ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>
            <ds:DigestValue>uJhGtef54ed91iKLoA...</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>FR8yaKmNDePQ7E3Hj...</ds:SignatureValue>
        . . .

Reference to data I want to protect (ds:Reference URI='#Body')

Digest of data I want to protect (ds:DigestValue)

Signature over ds:SignedInfo element (ds:SignatureValue)


        . . .
        <ds:KeyInfo>
          <ws:SecurityTokenReference>
            <ws:Reference URI='#Me'
                ValueType='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3'/>
          </ws:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
    </ws:Security>
    . . .
  </s:Header>
  <s:Body wsu:Id='Body'>
    . . .
  </s:Body>
</s:Envelope>

Reference to certificate that can be used to verify signature (ws:Reference URI='#Me')

Signed data (the s:Body with wsu:Id='Body', the target of the ds:Reference)
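The signing and verification logic behind the ds:Signature above, as an added example in Go using only the standard library; it is not code from the slides or from any WS-Security implementation. Assumptions: the canonicalize function only trims whitespace and stands in for exc-c14n; SHA-256 with RSA PKCS#1 v1.5 is used where the slide's URIs name SHA-1; the signedInfo struct, the sample Body and the element id 'Body' are constructed for the demo.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// signedInfo is a simplified ds:SignedInfo: the URI the ds:Reference points at and the
// base64 DigestValue of the referenced element's canonical form.
type signedInfo struct {
	ReferenceURI string
	DigestValue  string
}

// canonicalize stands in for exc-c14n. It only trims each line so the demo is
// self-contained; real code must use a conforming canonicalization library (assumption).
func canonicalize(xmlFragment string) []byte {
	var b strings.Builder
	for _, line := range strings.Split(xmlFragment, "\n") {
		b.WriteString(strings.TrimSpace(line))
	}
	return []byte(b.String())
}

// serialize yields the bytes the signature actually covers. The Body is never signed
// directly: the signature covers SignedInfo, which carries the Body's digest.
func (si signedInfo) serialize() []byte {
	return []byte(fmt.Sprintf(
		"<ds:SignedInfo><ds:Reference URI=%q><ds:DigestValue>%s</ds:DigestValue></ds:Reference></ds:SignedInfo>",
		si.ReferenceURI, si.DigestValue))
}

// signBody digests the referenced element, builds SignedInfo and signs it. SHA-256 with
// RSA PKCS#1 v1.5 is used here in place of the slide's rsa-sha1 / sha1 identifiers.
func signBody(priv *rsa.PrivateKey, bodyID, bodyXML string) (signedInfo, string, error) {
	digest := sha256.Sum256(canonicalize(bodyXML))
	si := signedInfo{ReferenceURI: "#" + bodyID, DigestValue: base64.StdEncoding.EncodeToString(digest[:])}
	hashed := sha256.Sum256(si.serialize())
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, hashed[:])
	if err != nil {
		return signedInfo{}, "", err
	}
	return si, base64.StdEncoding.EncodeToString(sig), nil
}

// verifyBody performs the three checks a receiver must make before acting on bodyXML.
func verifyBody(pub *rsa.PublicKey, si signedInfo, sigB64, bodyID, bodyXML string) error {
	// 1. The Reference must cover the element we are about to consume; a valid signature
	//    over some other element says nothing about this Body.
	if si.ReferenceURI != "#"+bodyID {
		return errors.New("ds:Reference does not cover the Body element")
	}
	// 2. Recompute the digest of the referenced data and compare it with DigestValue.
	digest := sha256.Sum256(canonicalize(bodyXML))
	want, err := base64.StdEncoding.DecodeString(si.DigestValue)
	if err != nil || subtle.ConstantTimeCompare(digest[:], want) != 1 {
		return errors.New("DigestValue mismatch: referenced data was modified")
	}
	// 3. Verify SignatureValue over the serialized SignedInfo with the key from KeyInfo.
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return err
	}
	hashed := sha256.Sum256(si.serialize())
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, hashed[:], sig) != nil {
		return errors.New("SignatureValue does not verify")
	}
	return nil
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	// Constructed sample Body; wsu:Id='Body' is the anchor the ds:Reference points to.
	body := "<s:Body wsu:Id='Body'>\n  <ns1:getQuote><symbol>MSFT</symbol></ns1:getQuote>\n</s:Body>"
	si, sig, err := signBody(priv, "Body", body)
	if err != nil {
		panic(err)
	}
	fmt.Println("DigestValue:", si.DigestValue)
	fmt.Println("original:", verifyBody(&priv.PublicKey, si, sig, "Body", body))
	fmt.Println("tampered:", verifyBody(&priv.PublicKey, si, sig, "Body", strings.Replace(body, "MSFT", "GOOG", 1)))
}
```

The order of the receiver's checks is the point: first confirm that the ds:Reference covers the element the application is about to act on, then that the DigestValue matches that element, and only then that SignatureValue verifies over SignedInfo. A signature that verifies but references some other element gives no assurance about the Body.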


Confidentiality example (Sender)

- I want to send a SOAP message and ensure that only you can read the content of the body
- I generate a symmetric key
- I encrypt that key using your public key
- I encrypt the content of the body using the symmetric key
- I include both the encrypted data and encrypted key in the message


<s:Envelope xmlns:s='http://www.w3.org/2003/05/soap-envelope'
            xmlns:wsu='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'
            xmlns:ws='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd'
            xmlns:ds='http://www.w3.org/2000/09/xmldsig#'
            xmlns:xe='http://www.w3.org/2001/04/xmlenc#'>
  <s:Header>
    <ws:Security s:mustUnderstand='true'>
      . . .


      . . .
      <xe:EncryptedKey Id='Sym'>
        <xe:EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p'/>
        <ds:KeyInfo>
          <ws:SecurityTokenReference>
            <ws:KeyIdentifier>aKKuvtdlAnUm+I6+ZTDrUA==</ws:KeyIdentifier>
          </ws:SecurityTokenReference>
        </ds:KeyInfo>
        <xe:CipherData>
          <xe:CipherValue>bvDfEg6Sh7GbCvDiAl</xe:CipherValue>
        </xe:CipherData>
        <xe:ReferenceList>
          <xe:DataReference URI='#EncBody'/>
        </xe:ReferenceList>
      </xe:EncryptedKey>
    </ws:Security>
    . . .

Encrypted symmetric key (xe:EncryptedKey Id='Sym'); ws:KeyIdentifier names the recipient's public key, and xe:ReferenceList points at the data encrypted under this key


    . . .
  </s:Header>
  <s:Body>
    <xe:EncryptedData Id='EncBody' Type='http://www.w3.org/2001/04/xmlenc#Element'>
      <xe:EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#aes128-cbc'/>
      <ds:KeyInfo>
        <ws:SecurityTokenReference>
          <ws:Reference URI='#Sym'/>
        </ws:SecurityTokenReference>
      </ds:KeyInfo>
      <xe:CipherData>
        <xe:CipherValue>ABfg5eFdiKmNeQlPsDFoMNb...</xe:CipherValue>
      </xe:CipherData>
    </xe:EncryptedData>
  </s:Body>
</s:Envelope>

Encrypted data (xe:EncryptedData Id='EncBody'); its ds:KeyInfo refers back to the xe:EncryptedKey with Id='Sym'
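The sender's steps from the Confidentiality slide and the matching receiver side, as an added Go example using only the standard library; it is not the slides' code or any XML Encryption library. It uses the two algorithms the envelope names, rsa-oaep-mgf1p for the key and aes128-cbc for the Body. Assumptions: PKCS#7 padding, the IV prepended to the ciphertext, a constructed sample Body, and the encryptedMessage struct standing in for the xe:EncryptedKey and xe:EncryptedData elements.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// encryptedMessage carries the two CipherValues of the envelope above: the fresh AES-128
// key wrapped with the recipient's RSA key, and the Body under AES-128-CBC (IV prepended).
type encryptedMessage struct {
	EncryptedKey  string
	EncryptedBody string
}

// PKCS#7 padding is used for simplicity; the unpad check rejects malformed input before use.
func pkcs7Pad(b []byte, blockSize int) []byte {
	n := blockSize - len(b)%blockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte, blockSize int) ([]byte, error) {
	if len(b) == 0 || len(b)%blockSize != 0 {
		return nil, errors.New("ciphertext is not a whole number of blocks")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > blockSize {
		return nil, errors.New("invalid padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("invalid padding")
		}
	}
	return b[:len(b)-n], nil
}

// sealBody is the sender's side: generate a symmetric key, wrap it with the recipient's
// public key, encrypt the Body with it, and return both for inclusion in the message.
func sealBody(recipient *rsa.PublicKey, bodyXML []byte) (encryptedMessage, error) {
	rnd := make([]byte, 32) // 16 bytes of AES-128 key followed by a fresh 16-byte IV
	if _, err := io.ReadFull(rand.Reader, rnd); err != nil {
		return encryptedMessage{}, err
	}
	sym, iv := rnd[:16], rnd[16:]
	// rsa-oaep-mgf1p: RSA-OAEP with SHA-1 as both the OAEP hash and the MGF1 hash.
	wrapped, err := rsa.EncryptOAEP(sha1.New(), rand.Reader, recipient, sym, nil)
	if err != nil {
		return encryptedMessage{}, err
	}
	block, err := aes.NewCipher(sym)
	if err != nil {
		return encryptedMessage{}, err
	}
	padded := pkcs7Pad(bodyXML, aes.BlockSize)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return encryptedMessage{
		EncryptedKey:  base64.StdEncoding.EncodeToString(wrapped),
		EncryptedBody: base64.StdEncoding.EncodeToString(append(append([]byte{}, iv...), ct...)),
	}, nil
}

// openBody is the recipient's side: unwrap the symmetric key with the private key that
// ws:KeyIdentifier points at, then decrypt the Body with it.
func openBody(priv *rsa.PrivateKey, msg encryptedMessage) ([]byte, error) {
	wrapped, errK := base64.StdEncoding.DecodeString(msg.EncryptedKey)
	data, errD := base64.StdEncoding.DecodeString(msg.EncryptedBody)
	if errK != nil || errD != nil {
		return nil, errors.New("CipherValue is not valid base64")
	}
	sym, err := rsa.DecryptOAEP(sha1.New(), nil, priv, wrapped, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap the symmetric key with this private key")
	}
	if len(data) < 2*aes.BlockSize || len(data)%aes.BlockSize != 0 {
		return nil, errors.New("malformed EncryptedData CipherValue")
	}
	block, err := aes.NewCipher(sym)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(data)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, data[:aes.BlockSize]).CryptBlocks(pt, data[aes.BlockSize:])
	return pkcs7Unpad(pt, aes.BlockSize)
}

func main() {
	recipient, _ := rsa.GenerateKey(rand.Reader, 2048)
	msg, err := sealBody(&recipient.PublicKey, []byte("<ns1:getQuote><symbol>MSFT</symbol></ns1:getQuote>"))
	pt, err2 := openBody(recipient, msg)
	fmt.Printf("seal err=%v, recovered %q, open err=%v\n", err, pt, err2)
}
```

aes128-cbc gives confidentiality only: nothing inside xe:EncryptedData detects modification of the ciphertext, so in practice the EncryptedData element is also covered by a ds:Reference as on the signature slides (or an authenticated mode is used where the profile allows one).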


WS-Trust (if we have time)


Authorization Model

- Web Services need mechanisms for conveying authorization information from client to server
  - "Is the client authorized to make this type of request and receive the results?"
- Use security tokens to convey authorizations
  - Capabilities-based model (sender proves he has the right to make the request)
  - Tokens contain claims that state properties
    - Ex: identity, age, state of residence
- Servers need a way to publish their authorization policies
  - "Who is allowed to call this web service?"
  - Policy describes required claims (and semantics)


Security token example

- Alice's X.509 certificate is a security token
  - Allows a message to claim to be from Alice
- Proof of claim is based on Alice's private key
  - Signing part of the message with her private key proves that she knows the key and is therefore Alice


WS-Trust

- Defines how to broker trust relationships
  - Some trust relationship has to exist a priori between the two parties
- Defines how to exchange security tokens
- Defined as an interface specification for a Security Token Service
  - STS = Token issuer


Common Patterns

- Issuance
  - Exchanging one set of credentials (optionally null) for another
- Renewal
  - Renewing previously issued tokens
- Validation
  - Verifying tokens and signatures using a service
- Cancellation/Revocation
  - Cancelling a previously issued token
- Challenges/Negotiations
  - How to have secure multi-leg challenges and negotiations prior to token issuance


Example

- I want to have a secure conversation with you
- I ask the trust service for a token to allow me to talk to you
- The trust service sends me a token containing two copies of a secret key
  - One encrypted for me
  - One encrypted for you
- The former is a "proof token"
  - I can use the secret key in it to respond to a challenge you give me


Example (diagram)

Only the labels of the figure survive; as far as they allow, the flow between the requester, two trust services and the target is:
1. U/P presented to the first trust service
2. T1 and P1 returned
3. T1 presented to the second trust service
4. T2 and P2 returned
5. T2 presented to the target

Legend: T# = security token, P# = proof token


Challenges

1. Request Token
2. Issue Challenge
3. Respond to Challenge
4. Issue Token, authenticate
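The issuance and challenge steps from the WS-Trust Example and Challenges slides, as an added Go example using only the standard library; it is not the slides' own code or any WS-Trust implementation. Assumptions: the a priori trust relationship is modelled as a long-term AES key the STS shares with each party, each copy of the secret key is sealed with AES-GCM, the proof of possession is an HMAC-SHA256 over the service's challenge, and the names issue, issuedToken, proofMAC and the parties alice and quotes are constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// issuedToken is what the RequestSecurityTokenResponse carries in the slide's example:
// the same secret key sealed twice with AES-GCM, each copy as nonce||ciphertext.
type issuedToken struct {
	SecurityToken []byte // readable only by the target service
	ProofToken    []byte // readable only by the requester
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext for the holder of key; label is bound as associated data.
func seal(key, plaintext, label []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, label), nil
}

func unseal(key, sealed, label []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("sealed token too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], label)
}

// issue is the STS side of the Issuance pattern. The a priori trust relationship is
// modelled as a long-term AES key the STS shares with each party (assumption). The label
// bound to each copy records who it is for and which conversation it belongs to, so a
// copy presented for any other purpose fails to open.
func issue(requesterKey, targetKey []byte, requester, target string) (issuedToken, error) {
	secret := make([]byte, 32)
	if _, err := rand.Read(secret); err != nil {
		return issuedToken{}, err
	}
	st, err := seal(targetKey, secret, []byte("token:"+requester+"->"+target))
	if err != nil {
		return issuedToken{}, err
	}
	pt, err := seal(requesterKey, secret, []byte("proof:"+requester+"->"+target))
	if err != nil {
		return issuedToken{}, err
	}
	return issuedToken{SecurityToken: st, ProofToken: pt}, nil
}

// proofMAC is the proof of possession: HMAC-SHA256 over the challenge, keyed with the secret.
func proofMAC(secret, challenge []byte) []byte {
	mac := hmac.New(sha256.New, secret)
	mac.Write(challenge)
	return mac.Sum(nil)
}

// respondToChallenge is the requester's step: open the proof token, answer the challenge.
func respondToChallenge(requesterKey []byte, requester, target string, tok issuedToken, challenge []byte) ([]byte, error) {
	secret, err := unseal(requesterKey, tok.ProofToken, []byte("proof:"+requester+"->"+target))
	if err != nil {
		return nil, err
	}
	return proofMAC(secret, challenge), nil
}

// checkResponse is the service's step: open the security token, recompute the expected
// answer and compare it with the response in constant time.
func checkResponse(targetKey []byte, requester, target string, tok issuedToken, challenge, response []byte) (bool, error) {
	secret, err := unseal(targetKey, tok.SecurityToken, []byte("token:"+requester+"->"+target))
	if err != nil {
		return false, err
	}
	return hmac.Equal(proofMAC(secret, challenge), response), nil
}

func newKey() []byte { k := make([]byte, 32); rand.Read(k); return k }

func main() {
	aliceKey, svcKey := newKey(), newKey() // constructed long-term keys shared with the STS
	tok, _ := issue(aliceKey, svcKey, "alice", "quotes")
	challenge := newKey() // the service's fresh random challenge
	resp, _ := respondToChallenge(aliceKey, "alice", "quotes", tok, challenge)
	fmt.Println(checkResponse(svcKey, "alice", "quotes", tok, challenge, resp))
}
```

The service never sees the requester's long-term key and the requester never sees the service's: each side opens only its own copy of the secret, and a response is only accepted for the exact challenge it answers, so a captured response cannot be replayed against a fresh one.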


Getting Tokens

- A RequestSecurityToken message is sent to the trust service
- It responds with a RequestSecurityTokenResponse
  - Contains required security token and associated metadata/attributes/etc.
- Various bindings defined
  - A binding defines wsa:Action values and wst:RequestType values
  - E.g. message types associated with the "Issue" action


Other token characteristics

- Requester can specify various required characteristics of the security token
  - Key type, size
  - Whether token is forwardable, delegateable etc.
- Trust service can then indicate those characteristics in the response

