Receipt Token Profile for Web Services Eric Gravengaard Reactivity.

Slides:



Advertisements
Similar presentations
1 ABCs of PKI TAG Presentation 18 th May 2004 Paul Butler.
Advertisements

A New Approach of Signing Documents with Symmetric Cryptosystems and an Arbitrator Nol Premasathian Faculty of Science King Mongkut’s.
SOAP.
Web Service Security CS409 Application Services Even Semester 2007.
Grid Computing, B. Wilkinson, 20045a.1 Security Continued.
SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
 Sertifi automates the process of sending and obtaining documents for approval and signature. A completely secure web-based solution, senders and signers.
SOA and Web Services. SOA Architecture Explaination Transport protocols - communicate between a service and a requester. Messaging layer - enables the.
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.
NHIN Specifications Richard Kernan, NHIN Specification Lead (Contractor), Office of the National Coordinator for Health IT Karen Witting, Contractor to.
Making VLAB Secure Javier I. Roman. What is VLAB?  An interdisciplinary consortium dedicated to the development and promotion of the theory of planetary.
SMUCSE 5349/73491 Authentication Protocols. SMUCSE 5349/73492 The Premise How do we use perfect cryptographic mechanisms (signatures, public-key and symmetric.
Trusted Archive Protocol (TAP) Carl Wallace
Long-term Archive Service Requirements draft-ietf-ltans-reqs-00.txt.
Web services security I
Service Broker Lesson 11. Skills Matrix Service Broker Service Broker, provides a solution to common problems with message delivery and consistency that.
E- Business Digital Signature Varna Free University Prof. Teodora Bakardjieva.
Pay As You Go – Associating Costs with Jini Leases By: Peer Hasselmeyer and Markus Schumacher Presented By: Nathan Balon.
Digital Signature Xiaoyan Guo/ Xiaohang Luo/
Security Standards under Review for esMD. Transaction Timeline An esMD transaction begins with the creation of some type of electronic content (e.g. X12.
Digital Signature Technologies & Applications Ed Jensen Fall 2013.
Cryptography 101 Frank Hecker
Csci5233 Computer Security1 Bishop: Chapter 10 Key Management: Digital Signature.
Copyright ©1997 NetDox, Inc. All Rights Reserved. CONFIDENTIAL 1 DATE HERE Julie Grace - NetDox, Inc. Emerging Internet Commerce.
AQA Computing A2 © Nelson Thornes 2009 Section Unit 3 Section 6.4: Internet Security Digital Signatures and Certificates.
Masud Hasan Secue VS Hushmail Project 2.
SSL / TLS in ITDS Arun Vishwanathan 23 rd Dec 2003.
DICOM Security Lawrence Tarbox, Ph.D. Chair, WG 14 Mallinckrodt Institute of Radiology Washington University in St. Louis School of Medicine.
WS-Security: SOAP Message Security Web-enhanced Information Management (WHIM) Justin R. Wang Professor Kaiser.
Presented at: Demonstrations and Prototypes TIM 7 Presented by: Dominic Timoteo / Shoeb Jafri SWIM Implementation Team May 04, 2011 Federal Aviation Administration.
Web Server Administration Web Services XML SOAP. Overview What are web services and what do they do? What is XML? What is SOAP? How are they all connected?
Protecting Internet Communications: Encryption  Encryption: Process of transforming plain text or data into cipher text that cannot be read by anyone.
E-Commerce Security Professor: Morteza Anvari Student: Xiaoli Li Student ID: March 10, 2001.
Security Protocols and E-commerce University of Palestine Eng. Wisam Zaqoot April 2010 ITSS 4201 Internet Insurance and Information Hiding.
SIMDAT Authentification and Autorisation Matteo Dell’Acqua ET-CTS meeting, Toulouse, May 2008.
SECURITY MANAGEMENT Key Management in the case of public-key cryptosystems, we assumed that a sender of a message had the public key of the receiver at.
OTP-WSS-Token John Linn, RSA Laboratories DRAFT: 24 May 2005.
Key Management. Session and Interchange Keys  Key management – distribution of cryptographic keys, mechanisms used to bind an identity to a key, and.
sec1 IEEE MEDIA INDEPENDENT HANDOVER DCN: sec Title: TGa_Proposal_Antonio_Izquierdo (Protecting the Information Service.
Slide 1 © 2004 Reactivity The Gap Between Reliability and Security Eric Gravengaard Reactivity.
DIGITAL SIGNATURE. GOOD OLD DAYS VS. NOW GOOD OLD DAYS FILE WHATEVER YOU WANT – PUT ‘NA’ OR ‘-’ OR SCRATCH OUT FILE BACK DATED, FILE BLANK FORMS, FILE.
 A Web service is a method of communication between two electronic devices over World Wide Web.
ELECTROINC COMMERCE TOOLS Chapter 6. Outline 6.0 Introduction 6.1 PUBLIC KEY INFRASTRUCTURE (PKI) AND CERTIFICATE AUTHORITIES (CAs) TRUST
Lifecycle Metadata for Digital Objects October 18, 2004 Transfer / Authenticity Metadata.
Copyright © 2013 Curt Hill SOAP Protocol for exchanging data and Enabling Web Services.
31.1 Chapter 31 Network Security Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
Identity Proofing, Signatures, & Encryption in Direct esMD Author of Record Workgroup John Hall Coordinator, Direct Project June 13, 2012.
DIGITAL SIGNATURE.
Copyright © 2003 Jorgen Thelin / Cape Clear Software 1 A Web Services Security Framework Jorgen Thelin Chief Scientist Cape Clear Software Inc.
Measures to prevent MITM attack and their effectiveness CSCI 5931 Web Security Submitted By Pradeep Rath Date : 23 rd March 2004.
1 of 4 This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. © 2006 Microsoft Corporation.
1 Session 4 Module 6: Digital signatures. Digital Signatures / Session4 / 2 of 18 Module 4, 5 - Review (1)  Java 2 security model provides a consistent.
© Copyright 2009 SSLPost 01. © Copyright 2009 SSLPost 02 a recipient is sent an encrypted that contains data specific to that recipient the data.
Web Services Security INFOSYS 290, Section 3 Web Services: Concepts, Design and Implementation Adam Blum
Mar 28, 2003Mårten Trolin1 This lecture Certificates and key management Non-interactive protocols –PGP SSL/TLS –Introduction –Phases –Commands.
Authentication Presenter Meteor Advisory Team Member Version 1.1.
Doc.: IEEE /0098r0 Submission July 2010 Alex Reznik, et. al. (InterDigital)Slide Security Procedures Notice: This document has been.
1 WS-Security Yosi Taguri Microsoft Israel
LAB#6 MAC & MASSAGE DIGEST CPIT 425. Message Authentication 2  Message authentication is a mechanism used to verify the integrity of a message.  Message.
Content Introduction History What is Digital Signature Why Digital Signature Basic Requirements How the Technology Works Approaches.
 Introduction  History  What is Digital Signature  Why Digital Signature  Basic Requirements  How the Technology Works  Approaches.
TAG Presentation 18th May 2004 Paul Butler
Secure HTTP (HTTPS) Pat Morin COMP 2405.
Training for developers of X-Road interfaces
TAG Presentation 18th May 2004 Paul Butler
DFI to DFI Messaging Concepts
Presentation transcript:

Receipt Token Profile for Web Services Eric Gravengaard Reactivity

© 2003 Reactivity slide 2 What is the problem? Signatures prove: The signed contents of the message have not been changed since it was signed Receipts prove: The signed contents of a message I sent was received by you as I sent it Example: I sign and send: Add(1, 3) I receive a signed response: 5 Is there a simple and secure way to know that Add(1, 3) = 5? Can I trust that you really checked my signature? Can I prove it?

© 2003 Reactivity slide 3 How can receipts be used? In a simple client/server request/response system: The Client Composes a request Signs the request with its private key The Server Composes a response and attaches a receipt Signs the response and receipt with its private key Both Parties Validate signatures Write logs at each step John: Please review my draft copy of a declaration of independence. Benjamin Franklin BF Ben: I received your draft. Here are some of my comments. John Hancock JH

© 2003 Reactivity slide 4 What can we prove? The secure logs prove: That a transaction occurred That our record of the transaction has not been altered The signatures prove: Server can prove that someone with the client’s private key sent the request Client can prove that someone with the server’s private key returned the response and the receipt together The receipt proves: Client can prove that someone with the sender’s private key received their request and that the response message is in response to the original request

© 2003 Reactivity slide 5 Existing uses of non-repudiation Most large business to business transactional systems implement some form of non-repudiation Example: EDI Early mechanisms were proprietary More recently: AS1/AS2 Standards (RFC #3335, Sept 2002) Web Services have no existing mechanism… …but current specifications provide some good tools: XML-Signature Web Service Security: SOAP Message Security Intermediate Roles ( )

© 2003 Reactivity slide 6 XML-Signature Provides a mechanism for specifying a signature and relevant meta-information I8U/3X26MjaTplqjQeTu1C56Elo=

© 2003 Reactivity slide 7 Web services security: receipt token profile WSS: SOAP Message Security does not provide a mechanism for receipts and secure logging WSS:RTP is Reactivity’s proposed extension to WSS that: Creates a new security token for requesting receipts Creates a new security token for receipts Defines both signed and unsigned receipts

© 2003 Reactivity slide 8 RTP receipt mechanism Provide a general purpose receipt request mechanism provides: : signed or unsigned request : UUID for tracking receipts /ReceiptRequest/ReceiptTo : how to send receipt /ReceiptRequest/SignatureRequest : what elements to be signed /ReceiptRequest/wsu:TimeStamp : when this request was made provides: : signed or unsigned receipt : same UUID as request /Receipt/SignatureResponse : signature of receipt generator /Receipt/wsu:TimeStamp : when this receipt was generated

© 2003 Reactivity slide 9 Receipt example T16:30:17Z T16:33:43Z Response Request

© 2003 Reactivity slide 10 Signed receipts Main concept: Split the into two pieces Requestor specifies a element: /SignatureRequest/ds:SignedInfo : specifies algorithms and data to be signed by receipt generator /SignatureRequest/ds:Object : allows other data to be included in the signature Responder returns a element: /SignatureResponse/ds:SignatureValue : cryptographic signature that covers the of the request /SignatureResponse/ds:KeyInfo : specifies information about the key used to generate the signature

© 2003 Reactivity slide 11 Bringing it all together: an example T08:42:00Z <wsse:BinarySecurityToken wsu:Id="#theCert“ EncodingType="Base64Binary"> MIIEZzCCA9CgAWIQEmtJZco... ABCDEFG T08:42:12Z

© 2003 Reactivity slide 12 Isn’t this defined in… Reliable Messaging WS-Policy WS-Addressing WS-Routing …maybe, but none of them offer any form of cryptographic proof of receipt

© 2003 Reactivity slide 13 Proposal The TC takes on the work of producing a receipt mechanism to be specified in a token profile, timeframe to be determined The TC accepts as an input to this profile the document submitted by Reactivity Further work to be done: Utilize message identifiers from other specifications

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.