Exchange Network Key Management Services

Slides: 14
Provided by: exchange


1
The Exchange Network Node Mentoring Workshop
  • Exchange Network Key Management Services
  • A Security Component
  • February 28, 2005

2
Topics
  • Security Requirements
  • Public Key Infrastructure (PKI) Challenge
  • What is XML Key Management Services (XKMS)
  • XKMS Basic Services (Advantages, PKI Essentials)
  • XML Signature using XKMS
  • XML Encryption using XKMS
  • Authentication using XKMS
  • Interaction with XKMS
  • Conclusion

3
Security Requirements
  • Secure Authentication Requirement: Password-based
    authentication is weak, costly, and difficult to
    manage
  • Message Security: Message-level confidentiality
    and non-repudiation needed
  • Payload Security: Confidential business
    information (CBI) may require submissions to be
    signed and encrypted

4
Public Key Infrastructure (PKI) Challenge
  • Very complicated technology with some proprietary
    implementations
  • Non-standard interface, difficult to use, deploy,
    and maintain
  • Very high cost of acquisition, support, and
    operation
  • Very low interoperability (No PKI standard
    interfaces)
  • Certificate validation is very challenging

5
What is XKMS
  • A World Wide Web Consortium (W3C) standard, XKMS
    2.0, is finalized
  • A central key depository with Web service
    interface to PKI
  • Vendor-neutral PKI solution for public key and
    certificate management
  • A very simple access model
  • Foundation for secure Web services (XML
    signature, XML encryption, XKMS)
  • XKMS will be the PKI solution for the Exchange
    Network, and the key element of a strong security
    model.

6
What is XKMS (Cont'd)
  • XKMS Advantages
  • A Web service interface to PKI technologies,
    accessible to any application on the Internet
  • Vendor-neutral PKI solution for public key and
    certificate management
  • Dramatically reduces the cost of PKI. Keys can be
    generated and registered at any time on any
    machine
  • Online real-time key/certificate validation using
    a simple Web method

7
What is XKMS (Cont'd)
  • PKI Essentials
  • A key is generated and broken up into two pieces:
    Public Key and Private Key
  • The Private Key never leaves your machine, but
    the Public Key is shared with anyone
  • When data is encrypted using one key, it can
    only be decrypted using the other
  • Encryption: Encrypt data using the receiver's
    Public Key
  • Signature: Encrypt data using your Private Key

8
XKMS Basic Services
  • XML Key Information Services (XKISS): Locate and
    validate Public Keys
  • XML Key Registration Services (XKRSS): Register,
    revoke, recover, and reissue public keys or X.509
    certificates
  • Secure key exchange with XML encryption and
    signature
  • All operations are defined as Web service methods

9
XML Signature using XKMS
  • A document is signed using the Private Key and
    key information (KeyName, KeyValue)
  • The receiver locates / validates the Public Key
    used for the signature from an XKMS server
  • The receiver verifies the signature using the
    valid key

10
XML Encryption Using XKMS
  • The sender locates the receiver's Public Key from
    an XKMS server
  • The sender encrypts a document using the
    receiver's Public Key
  • The receiver decrypts the document using the
    Private Key

11
Authentication using XKMS
  • A user registers a Public Key in XKMS
  • The user creates an Authenticate message and
    signs the message using the Private Key
  • Network Authentication and Authorization Server
    (NAAS) locates / validates the user's Public Key
    from XKMS
  • NAAS verifies the signature. The user is
    authenticated if the signature is valid (the
    holder of the Private Key)
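
The key check that slides 9 and 11 describe (the receiver or NAAS validating a Public Key through XKMS before trusting a signature), as an added example that is not part of the original presentation: it parses a ValidateResult message using the element names of the W3C XKMS 2.0 schema and fails closed unless the binding is Valid and usable for signatures. The function name, the sample message and its identifiers are constructed for illustration, and the response is assumed to have arrived over an authenticated channel.

```python
import xml.etree.ElementTree as ET

XKMS = "http://www.w3.org/2002/03/xkms#"  # XKMS 2.0 namespace
NS = {"x": XKMS, "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample response (not captured from a real XKMS service).
SAMPLE = """<ValidateResult xmlns="http://www.w3.org/2002/03/xkms#"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="res-1" RequestId="req-1"
    Service="https://xkms.example.invalid/validate"
    ResultMajor="http://www.w3.org/2002/03/xkms#Success">
  <KeyBinding Id="kb-1">
    <ds:KeyInfo><ds:KeyName>node-user@example.invalid</ds:KeyName></ds:KeyInfo>
    <KeyUsage>http://www.w3.org/2002/03/xkms#{usage}</KeyUsage>
    <Status StatusValue="http://www.w3.org/2002/03/xkms#{status}"/>
  </KeyBinding>
</ValidateResult>"""


def key_usable_for_signature(result_xml, request_id, key_name):
    """Return (ok, reason) for one XKMS ValidateResult message."""
    if "<!DOCTYPE" in result_xml:  # protocol messages carry no DTDs or entities
        return False, "DOCTYPE not allowed"
    try:
        root = ET.fromstring(result_xml)
    except ET.ParseError:
        return False, "malformed XML"
    if root.tag != f"{{{XKMS}}}ValidateResult":
        return False, "not a ValidateResult"
    if root.get("RequestId") != request_id:  # must answer the request we sent
        return False, "RequestId mismatch"
    if root.get("ResultMajor") != XKMS + "Success":
        return False, "request failed"
    for kb in root.findall("x:KeyBinding", NS):
        if kb.findtext("ds:KeyInfo/ds:KeyName", None, NS) != key_name:
            continue
        status = kb.find("x:Status", NS)
        value = status.get("StatusValue") if status is not None else None
        if value != XKMS + "Valid":  # Invalid and Indeterminate both fail closed
            return False, "binding status is not Valid"
        usages = [u.text for u in kb.findall("x:KeyUsage", NS)]
        # In XKMS 2.0 an absent KeyUsage means all key uses are permitted.
        if usages and XKMS + "Signature" not in usages:
            return False, "key not bound for Signature"
        return True, "ok"
    return False, "no binding for requested key"


if __name__ == "__main__":
    msg = SAMPLE.format(usage="Signature", status="Valid")
    print(key_usable_for_signature(msg, "req-1", "node-user@example.invalid"))
```

Only after this check succeeds should the signature on the document or Authenticate message be verified with the returned key.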

12
Interaction with XKMS

13
Conclusion
  • XKMS is the foundation for secure exchanges in
    the network: basic component for XML encryption
    and signature
  • XKMS provides a simple standard interface to PKI
  • Network XKMS services will be available to all
    network nodes and node clients
  • XKMS will be integrated into NAAS for key-based
    authentication
  • XKMS is the PKI solution without the PKI
    complexity and cost