X.509 certificates, 138. See also PKI (Public Key Infrastructure)
and LDAP (Lightweight Directory Access Protocol), 30
and Microsoft WSDK (in WS-Security), 180
and WS-Security BinarySecurityToken, 172, 174
X.500 directories
and LDAP (Lightweight Directory Access Protocol), 30
XACML (eXtensible Access Control Markup Language), 120–121
access control lists (ACLs) in, 121
architecture of, 128–131
authentication of PDP in, 135
checklist for, 136
confidentiality in, 135
and “deny” rule, 124–125
and metapolicy, 128
policy statement documents, integrity of, 135
policyStatement in, 125–128
privacy in, 136
processing SOAP requests in, 131–133
role-based access control in, 121
rule conditions, use of functions in, 123–124
rule definition in (target, effect, conditions), 122
rule obligations in, 124
rule, typical code for, 122–123
and SAML, 54
security considerations in, 134–137
SOAP requests, order of execution of, 128–130
trust model in, 135
X-KISS protocol, 147. See also XKMS (XML Key Management Specification)
example: building trust paths in complex PKI, 148–149
example: sending an encrypted e-mail, 148
locate and validate, using VeriSign TSIK for, 151
locate information, verifying, 148
locate request, QueryKeyBinding in, 147
locate service, Request and Response Elements of, 147
trusted vs. trustworthy system, 150–151
validate service, introduction and discussion, 149–150
validate service, Request and Response Elements of, 149
X-KISS validation services, trusting, 153
XKMS (XML Key Management Specification). See also keys; PKI (Public Key Infrastructure); X-KISS protocol; XML Signature
asynchronous processing (in XKMS 2.0), 160–161
and centralized trust management, 142
checklist for, 162
client complexity, reducing, 141
client key generation in, 155
coding PKIs, ease of, 141
compound requests (in XKMS 2.0), 160
configuration options in: referral vs. chained, 151–152
and digital certificate verification, 76
DNS system, (in)security of, 152
and key binding, 143–145
Keybinding Element, members of, 145
locate and validate: implementing the X-KISS protocol, 147–153
locate and validate, using VeriSign TSIK for, 151
PKI, difficulties/advantages in implementing, 140
and PKI client deployment, 141–142
and PKI implementation, 55
private key recovery in, 157–158
private key revocation in, 158–159
register service in, 154–156
Request Elements, members of, 146
Request/Result Elements, common members of, 146
Response Element, members of, 146, 147
service key generation in, 155
two-phase request protocol (in XKMS 2.0), 161–162
X-KISS locate services, locating, 152–153
X-KISS validation services, trusting, 153
XKMS 2.0 (specification), 138
XKMS protocol, introduction to, 143, 145–147
X-KRSS (XML Key Registration Service Specification). See also PKI (Public Key Infrastructure); XKMS (XML Key Management Specification)
authenticating public keys with, 153–154
recovering public keys with (recover service), 157–158
reissuing public keys with (reissue service), 158–159
revoking public keys with (revoke service), 158–159
XML (eXtensible Markup Language), 6. See also ebXML (electronic business XML); XML gateway rollout (case study); XML Encryption; XML Signature
canonicalization of, 69–70
data transformation in, 69
DTD, structured documents using, 8–9
EDI implementation of, 12
restructuring of EDI fragment in, 7
SOAP implementation in, 11–12
using XPath in, 10
verbosity in, 7–8
as Web Services message layer, 4
well-formed, syntax rules for, 8
XML elements, abbreviation of, 7
XML firewalls, 57
XML Encryption, 52–53, 85. See also XML (eXtensible Markup Language); XML Signature
CBC (Cipher Block Chaining), 90
checklist for, 99
child nodes, including, 88
choosing an encryption algorithm, 90
creating/populating EncryptionContext Object, 97
data type information (for arbitrary data), 89
decryption, steps in, 95–96
decryption process: code examples, 98
DES/Triple DES (Data Encryption Standard), 25, 90–91, 96–97
Diffie-Hellman Key Agreement, using, 94
EncryptedData structure, processing, 95
encryption, steps in, 90–95
encryption process: code examples, 96–97
example: encrypting an XML element and its content, 87–88
example: encrypting arbitrary data (including XML), 88–89
example: encrypting XML content only, 88
example: using KeyName, 92
IANA (Internet Assigned Numbers Authority), 89
and IBM XML Security Suite, 96, 97
IV (Initialization Vector), 24, 91–92
key transport example: sending a symmetric encrypted key, 92–94
large files, encrypting (using CipherReference), 89
overlap with XML Signature, 98
performing encryption; specifying data type, 94
and persistent encryption, 84–85
plaintext UTF-8 conversion, 94
sign-encrypt-sign, 99
types of information expressed in, 86
using transforms: XML Encryption vs. XML Signature, 90
using XML Encryption on a signed document, 98
using XML Signature on an encrypted document, 99
and WS-Security BinarySecurityToken, 175–177
XML gateway rollout (case study)
alert conditions, configuring via VordelSecure, 300
DoS/buffer overflow vulnerability, 290–291
loading Web Service description, 293–294
message-based authentication, configuring (X.509), 297–298
preexisting security policy, using, 294–295
project overview, 290
routing configuration, internal Web Service, 299
security management wizard (VordelSecure), 292–294
XML firewall, 291–292
XML Schema enforcement, configuring, 295–297
XML security, configurability of, 291
XML Signature filter, configuring, 295–296
XML Schema
document structure using, 9–10
security advantages of, 10
XML Signature, 28, 53, 64–65. See also contracts/contract law; keys; PKI (Public Key Infrastructure); XML (eXtensible Markup Language); XKMS (XML Key Management Specification); XML Encryption
and ASN.1, 68–69
authentication via KeyInfo, 76–77
checklist for, 81
creating, step-by-step procedure for, 77–78
detached signature (sample code for), 73–74
digital signatures, hierarchy of, 273–274
and enveloped XML Signature, 71–73
intelligibility of (vs. PKCS#7), 68
Java code example for, 78–79
and multiple signed documents, 74–75
and persistent integrity, 75–76
and replay attacks, 77
signature in XML Signature, sample code for, 66–67
SignedInfo element, 74–75
syntactical structure of, 65
validating (C+ code example), 80–81
validating (step-by-step example), 79–80
verification via KeyInfo, 76
and WS-Security BinarySecurityToken (sample code for), 173–174
as “XML aware Signature,” 75
XMLAssertionGeneratorFactory, 114
XMLRequestGeneratorFactory, 114
XMLResponseGeneratorFactory, 114
XMLSecurityParameters, 114
XMLSpy, 20
XPath
and SOAP message data validation, 59
in XML, 10–11