Presentation is loading. Please wait.

Presentation is loading. Please wait.

Receipt Token Profile for Web Services Eric Gravengaard Reactivity.

Published byDominic Richardson Modified over 8 years ago

Similar presentations

Presentation on theme: "Receipt Token Profile for Web Services Eric Gravengaard Reactivity."— Presentation transcript:

1 Receipt Token Profile for Web Services Eric Gravengaard Reactivity

2 © 2003 Reactivity slide 2 What is the problem? Signatures prove: The signed contents of the message have not been changed since it was signed Receipts prove: The signed contents of a message I sent was received by you as I sent it Example: I sign and send: Add(1, 3) I receive a signed response: 5 Is there a simple and secure way to know that Add(1, 3) = 5? Can I trust that you really checked my signature? Can I prove it?

3 © 2003 Reactivity slide 3 How can receipts be used? In a simple client/server request/response system: The Client Composes a request Signs the request with its private key The Server Composes a response and attaches a receipt Signs the response and receipt with its private key Both Parties Validate signatures Write logs at each step John: Please review my draft copy of a declaration of independence. Benjamin Franklin BF Ben: I received your draft. Here are some of my comments. John Hancock JH

4 © 2003 Reactivity slide 4 What can we prove? The secure logs prove: That a transaction occurred That our record of the transaction has not been altered The signatures prove: Server can prove that someone with the client’s private key sent the request Client can prove that someone with the server’s private key returned the response and the receipt together The receipt proves: Client can prove that someone with the sender’s private key received their request and that the response message is in response to the original request

5 © 2003 Reactivity slide 5 Existing uses of non-repudiation Most large business to business transactional systems implement some form of non-repudiation Example: EDI Early mechanisms were proprietary More recently: AS1/AS2 Standards (RFC #3335, Sept 2002) Web Services have no existing mechanism… …but current specifications provide some good tools: XML-Signature Web Service Security: SOAP Message Security Intermediate Roles ( )

6 © 2003 Reactivity slide 6 XML-Signature Provides a mechanism for specifying a signature and relevant meta-information I8U/3X26MjaTplqjQeTu1C56Elo=

7 © 2003 Reactivity slide 7 Web services security: receipt token profile WSS: SOAP Message Security does not provide a mechanism for receipts and secure logging WSS:RTP is Reactivity’s proposed extension to WSS that: Creates a new security token for requesting receipts Creates a new security token for receipts Defines both signed and unsigned receipts

8 © 2003 Reactivity slide 8 RTP receipt mechanism Provide a general purpose receipt request mechanism provides: /ReceiptRequest/@ReceiptFormat : signed or unsigned request /ReceiptRequest/@CorrelationId : UUID for tracking receipts /ReceiptRequest/ReceiptTo : how to send receipt /ReceiptRequest/SignatureRequest : what elements to be signed /ReceiptRequest/wsu:TimeStamp : when this request was made provides: /Receipt/@ReceiptFormat : signed or unsigned receipt /Receipt/@CorrelationId : same UUID as request /Receipt/SignatureResponse : signature of receipt generator /Receipt/wsu:TimeStamp : when this receipt was generated

9 © 2003 Reactivity slide 9 Receipt example 2003-03-11T16:30:17Z 2003-03-11T16:33:43Z Response Request

10 © 2003 Reactivity slide 10 Signed receipts Main concept: Split the into two pieces Requestor specifies a element: /SignatureRequest/ds:SignedInfo : specifies algorithms and data to be signed by receipt generator /SignatureRequest/ds:Object : allows other data to be included in the signature Responder returns a element: /SignatureResponse/ds:SignatureValue : cryptographic signature that covers the of the request /SignatureResponse/ds:KeyInfo : specifies information about the key used to generate the signature

11 © 2003 Reactivity slide 11 Bringing it all together: an example 2003-03-11T08:42:00Z <wsse:BinarySecurityToken wsu:Id="#theCert“ EncodingType="Base64Binary"> MIIEZzCCA9CgAWIQEmtJZco... ABCDEFG1234567890... 2003-03-11T08:42:12Z

12 © 2003 Reactivity slide 12 Isn’t this defined in… Reliable Messaging WS-Policy WS-Addressing WS-Routing …maybe, but none of them offer any form of cryptographic proof of receipt

13 © 2003 Reactivity slide 13 Proposal The TC takes on the work of producing a receipt mechanism to be specified in a token profile, timeframe to be determined The TC accepts as an input to this profile the document submitted by Reactivity Further work to be done: Utilize message identifiers from other specifications

Download ppt "Receipt Token Profile for Web Services Eric Gravengaard Reactivity."

Similar presentations

1 ABCs of PKI TAG Presentation 18 th May 2004 Paul Butler.

1 ABCs of PKI TAG Presentation 18 th May 2004 Paul Butler.
A New Approach of Signing Documents with Symmetric Cryptosystems and an Arbitrator Nol Premasathian Faculty of Science King Mongkut’s.

A New Approach of Signing Documents with Symmetric Cryptosystems and an Arbitrator Nol Premasathian Faculty of Science King Mongkut’s.
SOAP.

SOAP.
Web Service Security CS409 Application Services Even Semester 2007.

Web Service Security CS409 Application Services Even Semester 2007.
Grid Computing, B. Wilkinson, 20045a.1 Security Continued.

Grid Computing, B. Wilkinson, 20045a.1 Security Continued.
SSL CS772 Fall 2011. Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
 Sertifi automates the process of sending and obtaining documents for approval and signature. A completely secure web-based solution, senders and signers.

 Sertifi automates the process of sending and obtaining documents for approval and signature. A completely secure web-based solution, senders and signers.
SOA and Web Services. SOA Architecture Explaination Transport protocols - communicate between a service and a requester. Messaging layer - enables the.

SOA and Web Services. SOA Architecture Explaination Transport protocols - communicate between a service and a requester. Messaging layer - enables the.
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.

Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.
NHIN Specifications Richard Kernan, NHIN Specification Lead (Contractor), Office of the National Coordinator for Health IT Karen Witting, Contractor to.

NHIN Specifications Richard Kernan, NHIN Specification Lead (Contractor), Office of the National Coordinator for Health IT Karen Witting, Contractor to.
Making VLAB Secure Javier I. Roman. What is VLAB?  An interdisciplinary consortium dedicated to the development and promotion of the theory of planetary.

Making VLAB Secure Javier I. Roman. What is VLAB?  An interdisciplinary consortium dedicated to the development and promotion of the theory of planetary.
SMUCSE 5349/73491 Authentication Protocols. SMUCSE 5349/73492 The Premise How do we use perfect cryptographic mechanisms (signatures, public-key and symmetric.

SMUCSE 5349/73491 Authentication Protocols. SMUCSE 5349/73492 The Premise How do we use perfect cryptographic mechanisms (signatures, public-key and symmetric.
Trusted Archive Protocol (TAP) Carl Wallace

Trusted Archive Protocol (TAP) Carl Wallace
Long-term Archive Service Requirements draft-ietf-ltans-reqs-00.txt.

Long-term Archive Service Requirements draft-ietf-ltans-reqs-00.txt.
Web services security I

Web services security I
Service Broker Lesson 11. Skills Matrix Service Broker Service Broker, provides a solution to common problems with message delivery and consistency that.

Service Broker Lesson 11. Skills Matrix Service Broker Service Broker, provides a solution to common problems with message delivery and consistency that.
E- Business Digital Signature Varna Free University Prof. Teodora Bakardjieva.

E- Business Digital Signature Varna Free University Prof. Teodora Bakardjieva.
Pay As You Go – Associating Costs with Jini Leases By: Peer Hasselmeyer and Markus Schumacher Presented By: Nathan Balon.

Pay As You Go – Associating Costs with Jini Leases By: Peer Hasselmeyer and Markus Schumacher Presented By: Nathan Balon.
Digital Signature Xiaoyan Guo/102587 Xiaohang Luo/104446.

Digital Signature Xiaoyan Guo/ Xiaohang Luo/

Similar presentations

Ads by Google