Receipt Token Profile for Web Services
Eric Gravengaard, Reactivity
What is the problem?
• Signatures prove:
  • The signed contents of the message have not been changed since it was signed
• Receipts prove:
  • The signed contents of a message I sent was received by you as I sent it
• Example:
  • I sign and send: Add(1, 3)
  • I receive a signed response: 5
  • Is there a simple and secure way to know that Add(1, 3) = 5?
  • Can I trust that you really checked my signature? Can I prove it?
Illustration from the slide (a signed exchange between two parties):
• Benjamin Franklin to John: "Please review my draft copy of a declaration of independence." (signed BF)
• John Hancock to Ben: "I received your draft. Here are some of my comments." (signed JH)

How can receipts be used?
In a simple client/server request/response system:
• The Client
  • Composes a request
  • Signs the request with its private key
• The Server
  • Composes a response and attaches a receipt
  • Signs the response and receipt with its private key
• Both Parties
  • Validate signatures
  • Write logs at each step
What can we prove?
• The secure logs prove:
  • That a transaction occurred
  • That our record of the transaction has not been altered
• The signatures prove:
  • Server can prove that someone with the client’s private key sent the request
  • Client can prove that someone with the server’s private key returned the response and the receipt together
• The receipt proves:
  • Client can prove that someone with the sender’s private key received their request and that the response message is in response to the original request
Existing uses of non-repudiation
• Most large business-to-business transactional systems implement some form of non-repudiation
• Example: EDI
  • Early mechanisms were proprietary
  • More recently: AS1/AS2 Standards (RFC #3335, Sept 2002)
• Web Services have no existing mechanism…
• …but current specifications provide some good tools:
  • XML-Signature: <ds:Signature>
  • Web Service Security: SOAP Message Security: <wsse:Security>
  • Intermediate Roles: <S:role>
XML-Signature
• Provides a mechanism for specifying a signature and relevant meta-information:
  • <ds:Signature>
  • <ds:SignedInfo>
  • <ds:SignatureValue>
  • <ds:KeyInfo>
  • <ds:Object>
Web Services Security: Receipt Token Profile
• WSS: SOAP Message Security does not provide a mechanism for receipts and secure logging
• WSS:RTP is Reactivity’s proposed extension to WSS that:
  • Creates a new security token for requesting receipts
  • Creates a new security token for receipts
  • Defines both signed and unsigned receipts
RTP receipt mechanism
• Provides a general-purpose receipt request mechanism
• <wsnr:ReceiptRequest> provides:
  • /ReceiptRequest/@ReceiptFormat : signed or unsigned request
  • /ReceiptRequest/@CorrelationId : UUID for tracking receipts
  • /ReceiptRequest/ReceiptTo : how to send the receipt
  • /ReceiptRequest/SignatureRequest : which elements are to be signed
  • /ReceiptRequest/wsu:TimeStamp : when this request was made
• <wsnr:Receipt> provides:
  • /Receipt/@ReceiptFormat : signed or unsigned receipt
  • /Receipt/@CorrelationId : same UUID as the request
  • /Receipt/SignatureResponse : signature of the receipt generator
  • /Receipt/wsu:TimeStamp : when this receipt was generated
Receipt example (slide figure: Request / Response)
Signed receipts
• Main concept: split the <ds:Signature> into two pieces
• Requestor specifies a <wsnr:SignatureRequest> element:
  • /SignatureRequest/ds:SignedInfo : specifies algorithms and the data to be signed by the receipt generator
  • /SignatureRequest/ds:Object : allows other data to be included in the signature
• Responder returns a <wsnr:SignatureResponse> element:
  • /SignatureResponse/ds:SignatureValue : cryptographic signature that covers the <ds:SignedInfo> of the request
  • /SignatureResponse/ds:KeyInfo : specifies information about the key used to generate the signature
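The receipt mechanism and the split-signature idea from the two slides above, modelled as an added Python example (not code from the slides or from Reactivity's submission): the client builds a wsnr:ReceiptRequest carrying its own ds:SignedInfo, the responder answers with a wsnr:Receipt that echoes the CorrelationId and signs that SignedInfo, and the client checks the receipt against the request it kept. The wsnr namespace URI, the ds:KeyName content and the HMAC stand-in for ds:SignatureValue are assumptions; the real profile uses an XML-Signature made with the responder's private key, and wsu:Timestamp is used in its standard WSS spelling.

```python
import base64, hashlib, hmac, uuid
import xml.etree.ElementTree as ET

# Namespaces: ds and wsu are the standard XML-Signature / WSS utility URIs;
# wsnr is a placeholder because the slides do not give the profile's real URI.
DS = "{http://www.w3.org/2000/09/xmldsig#}"
WSU = "{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}"
WSNR = "{urn:placeholder:wsnr}"

def build_receipt_request(signed_info_xml, receipt_to, when, fmt="signed"):
    """Client side: ask for a receipt, supplying the ds:SignedInfo to be signed."""
    req = ET.Element(WSNR + "ReceiptRequest", ReceiptFormat=fmt,
                     CorrelationId=str(uuid.uuid4()))
    ET.SubElement(req, WSNR + "ReceiptTo").text = receipt_to
    sig_req = ET.SubElement(req, WSNR + "SignatureRequest")
    sig_req.append(ET.fromstring(signed_info_xml))  # requestor chooses algorithms and references
    ET.SubElement(req, WSU + "Timestamp").text = when
    return req

def _sign(signed_info, key):
    # Stand-in for ds:SignatureValue: HMAC-SHA256 over the canonicalized SignedInfo.
    # The real profile signs with the responder's private key (asymmetric signature).
    data = ET.canonicalize(ET.tostring(signed_info, encoding="unicode")).encode()
    return base64.b64encode(hmac.new(key, data, hashlib.sha256).digest()).decode()

def generate_receipt(req, key, key_name, when):
    """Responder side: echo CorrelationId/ReceiptFormat and sign the requestor's SignedInfo."""
    rcpt = ET.Element(WSNR + "Receipt", ReceiptFormat=req.get("ReceiptFormat"),
                      CorrelationId=req.get("CorrelationId"))
    if req.get("ReceiptFormat") == "signed":
        resp = ET.SubElement(rcpt, WSNR + "SignatureResponse")
        signed_info = req.find(WSNR + "SignatureRequest/" + DS + "SignedInfo")
        ET.SubElement(resp, DS + "SignatureValue").text = _sign(signed_info, key)
        ET.SubElement(ET.SubElement(resp, DS + "KeyInfo"), DS + "KeyName").text = key_name
    ET.SubElement(rcpt, WSU + "Timestamp").text = when
    return rcpt

def verify_receipt(req, rcpt, key):
    """Client side: check the receipt against the request the client kept, never the reverse."""
    if rcpt.get("CorrelationId") != req.get("CorrelationId"):
        return False  # receipt belongs to some other request
    if rcpt.get("ReceiptFormat") != req.get("ReceiptFormat"):
        return False  # responder downgraded (or changed) the receipt format
    if req.get("ReceiptFormat") == "unsigned":
        return True   # correlation only: an unsigned receipt carries no cryptographic proof
    sig = rcpt.findtext(WSNR + "SignatureResponse/" + DS + "SignatureValue") or ""
    # Recompute over the SignedInfo the client itself sent, not over anything taken from the receipt
    expected = _sign(req.find(WSNR + "SignatureRequest/" + DS + "SignedInfo"), key)
    return hmac.compare_digest(sig, expected)
```

Because the client recomputes over its own copy of ds:SignedInfo, a receipt whose signature does not cover exactly what was requested fails verification even if the receipt itself looks well formed.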
Isn’t this defined in…
• Reliable Messaging
• WS-Policy
• WS-Addressing
• WS-Routing
• …maybe, but none of them offer any form of cryptographic proof of receipt
Proposal
• The TC takes on the work of producing a receipt mechanism to be specified in a token profile, timeframe to be determined
• The TC accepts as an input to this profile the document submitted by Reactivity
• Further work to be done:
  • Utilize message identifiers from other specifications