Use of REL Tokens for Higher-order Operations
DIMACS Workshop on Security of Web Services and E-Commerce
2005-May-05
Thomas DeMartini
Copyright © 2005, ContentGuard, Inc.
Outline
• Background
  – REL
  – Web Services
• WS-Security REL Token Profile
  – Authentication/Integrity
  – Confidentiality
• Higher-order Operations
  – Authorization
  – Trust-managed Authorization
  – Delegated Authorization
  – Federated Authorization
REL
• ISO/IEC 21000-5 specifies a Rights Expression Language (REL) for coding Rights Expressions (Licenses)
• At the high level, a License consists of 5 main building blocks:
  – Principal
  – Right
  – Resource
  – Condition
  – Issuer
• Makes the high-level statement: Issuer says Principal can do Right to Resource under Condition
REL
Diagram: structure of a license
  license
    grant: principal, right, resource, condition
    issuer: Signature, details
Diagram: an instance of that structure
  license
    grant: Alice, play, tree.jpg, month of April
    issuer: Bob (+signature), time of issue
Issuer says Principal can do Right to Resource under Condition
Bob says Alice can play tree.jpg in the month of April
REL
<r:license ...>
  <r:grant>
    <r:keyHolder licensePartId="Alice">...</r:keyHolder>
    <mx:play/>
    <r:digitalResource>
      <r:nonSecureIndirect URI="tree.jpg"/>
    </r:digitalResource>
    <r:validityInterval>
      <r:notBefore>2004-04-01T00:00:00Z</r:notBefore>
      <r:notAfter>2004-05-01T00:00:00Z</r:notAfter>
    </r:validityInterval>
  </r:grant>
  <r:issuer>
    <dsig:Signature>
      <dsig:SignedInfo>...</dsig:SignedInfo>
      <dsig:SignatureValue>ycD...</dsig:SignatureValue>
      <dsig:KeyInfo>... <!-- Bob --> ...</dsig:KeyInfo>
    </dsig:Signature>
    <r:details>
      <r:timeOfIssue>2004-04-09T21:59:55Z</r:timeOfIssue>
    </r:details>
  </r:issuer>
</r:license>
Bob says Alice can play tree.jpg in the month of April
REL
<r:license ...>
  <r:grant>
    <r:keyHolder licensePartId="Alice">...</r:keyHolder>
    <r:possessProperty/>
    <sx:propertyUri definition="urn:uni:student"/>
    <r:validityInterval>
      <r:notBefore>2004-04-01T00:00:00Z</r:notBefore>
      <r:notAfter>2004-05-01T00:00:00Z</r:notAfter>
    </r:validityInterval>
  </r:grant>
  <r:issuer>
    <dsig:Signature>
      <dsig:SignedInfo>...</dsig:SignedInfo>
      <dsig:SignatureValue>ycD...</dsig:SignatureValue>
      <dsig:KeyInfo>... <!-- Bob --> ...</dsig:KeyInfo>
    </dsig:Signature>
    <r:details>
      <r:timeOfIssue>2004-04-09T21:59:55Z</r:timeOfIssue>
    </r:details>
  </r:issuer>
</r:license>
Diagram: the same license structure with the right possessProperty and the resource Student in place of play and tree.jpg
Bob says Alice is a student in the month of April
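The two licenses above, parsed and evaluated against the "Issuer says Principal can do Right to Resource under Condition" rule. This is an added example written for this page, not ContentGuard's code or the ISO/IEC 21000-5 reference software. The sample licenses are constructed to match the slides: the key material and signature bytes the slides elide are replaced by dsig:KeyName stand-ins (alice-key, bob-key), and the namespace URIs, which the slides omit, are assumed. The issuer's signature is deliberately not verified here; only the validityInterval condition is evaluated.

```python
"""Parse MPEG-21 REL (ISO/IEC 21000-5) licenses shaped like those on the
slides and answer: does Issuer say Principal may do Right to Resource at
time T?  Standard library only.  The issuer's dsig:Signature is located but
not verified here; that belongs to the layer that accepts the token."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Namespace URIs of ISO/IEC 21000-5 (core r:, standard extension sx:,
# multimedia extension mx:) and XML-DSig.  The slides' "<r:license ...>"
# elides the xmlns declarations, so these are assumed.
NS = {
    "r": "urn:mpeg:mpeg21:2003:01-REL-R-NS",
    "sx": "urn:mpeg:mpeg21:2003:01-REL-SX-NS",
    "mx": "urn:mpeg:mpeg21:2003:01-REL-MX-NS",
    "dsig": "http://www.w3.org/2000/09/xmldsig#",
}

def _local(tag):
    """'{uri}name' -> 'name'."""
    return tag.rsplit("}", 1)[-1]

def _ts(text):
    """REL timestamps are xsd:dateTime in UTC, e.g. 2004-04-01T00:00:00Z."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_license(xml_text):
    """Return the five building blocks of a single-grant license as a dict."""
    root = ET.fromstring(xml_text)
    lic = dict.fromkeys(["principal", "right", "resource", "not_before", "not_after", "issuer"])
    for child in root.find("r:grant", NS):
        tag = _local(child.tag)
        if tag == "keyHolder":           # principal, identified by its key
            lic["principal"] = child.findtext("r:info/dsig:KeyName", namespaces=NS)
        elif tag == "digitalResource":   # resource of a right such as mx:play
            lic["resource"] = child.find("r:nonSecureIndirect", NS).get("URI")
        elif tag == "propertyUri":       # resource of r:possessProperty
            lic["resource"] = child.get("definition")
        elif tag == "validityInterval":  # condition
            nb = child.findtext("r:notBefore", namespaces=NS)
            na = child.findtext("r:notAfter", namespaces=NS)
            lic["not_before"], lic["not_after"] = (_ts(nb) if nb else None), (_ts(na) if na else None)
        else:                            # the right itself: mx:play, r:possessProperty, ...
            lic["right"] = tag
    # issuer: whoever signed; the constructed samples name the key via dsig:KeyName
    lic["issuer"] = root.findtext("r:issuer/dsig:Signature/dsig:KeyInfo/dsig:KeyName", namespaces=NS)
    return lic

def permits(lic, issuer, principal, right, resource, at):
    """'Issuer says Principal can do Right to Resource under Condition' at the
    xsd:dateTime `at`; the condition evaluated is the validityInterval."""
    if (lic["issuer"], lic["principal"], lic["right"], lic["resource"]) != (issuer, principal, right, resource):
        return False
    t = _ts(at)
    if lic["not_before"] is not None and t < lic["not_before"]:
        return False
    if lic["not_after"] is not None and t >= lic["not_after"]:
        return False
    return True

# Constructed samples modelled on the slides.  alice-key / bob-key stand in for
# the key material the slides elide; the signature bytes are not checked.
HEAD = ('<r:license xmlns:r="urn:mpeg:mpeg21:2003:01-REL-R-NS" '
        'xmlns:sx="urn:mpeg:mpeg21:2003:01-REL-SX-NS" '
        'xmlns:mx="urn:mpeg:mpeg21:2003:01-REL-MX-NS" '
        'xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">')
VALIDITY = """<r:validityInterval>
      <r:notBefore>2004-04-01T00:00:00Z</r:notBefore>
      <r:notAfter>2004-05-01T00:00:00Z</r:notAfter>
    </r:validityInterval>"""
ISSUER_XML = """
  <r:issuer>
    <dsig:Signature>
      <dsig:SignedInfo/>
      <dsig:SignatureValue>constructed-not-verified</dsig:SignatureValue>
      <dsig:KeyInfo><dsig:KeyName>bob-key</dsig:KeyName></dsig:KeyInfo>
    </dsig:Signature>
    <r:details><r:timeOfIssue>2004-04-09T21:59:55Z</r:timeOfIssue></r:details>
  </r:issuer>
</r:license>"""
# Bob says Alice can play tree.jpg in the month of April
LICENSE_PLAY = HEAD + """
  <r:grant>
    <r:keyHolder licensePartId="Alice"><r:info><dsig:KeyName>alice-key</dsig:KeyName></r:info></r:keyHolder>
    <mx:play/>
    <r:digitalResource><r:nonSecureIndirect URI="tree.jpg"/></r:digitalResource>
    """ + VALIDITY + """
  </r:grant>""" + ISSUER_XML
# Bob says Alice is a student in the month of April
LICENSE_STUDENT = HEAD + """
  <r:grant>
    <r:keyHolder licensePartId="Alice"><r:info><dsig:KeyName>alice-key</dsig:KeyName></r:info></r:keyHolder>
    <r:possessProperty/>
    <sx:propertyUri definition="urn:uni:student"/>
    """ + VALIDITY + """
  </r:grant>""" + ISSUER_XML

if __name__ == "__main__":
    for name, lic in (("play", LICENSE_PLAY), ("student", LICENSE_STUDENT)):
        print(name, parse_license(lic))
```

The interval check is half-open (notBefore inclusive, notAfter exclusive), so a request at exactly 2004-05-01T00:00:00Z is refused; an evaluator that treated the end as inclusive would hand out one extra instant of access at every boundary.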
Web Services
Diagram: Thirsty Programmer Alice sends Soda++ Service a SOAP Message (SOAP Envelope) consisting of SOAP Headers and a SOAP Body that says "Please send one case of Soda++"; Soda++ Service replies "On its way!"
WS-Security REL Token Profile
• WS-Security: SOAP Message Security
  – Defines Security header for SOAP Messages
    • Security Tokens
    • Signatures
    • Encryption Information
• WS-Security: REL Token Profile
  – Defines how to use a Rights Expression (License) as a Security Token.
  – License Security Tokens are called REL Tokens for short.
Authentication/Integrity
Diagram: Thirsty Programmer Alice sends Soda++ Service a SOAP Message (SOAP Envelope) with SOAP Headers and a SOAP Body "Please send one case of Soda++"; Soda++ Service replies "On its way!". The Security Header carries:
  – REL Token: root says key123 is Alice
  – Signature: Reference (to the SOAP Body), SigValue=ABC, SigKey (key123, as bound to Alice by the REL Token)
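The exchange above, built and then verified the way Soda++ Service has to before it attributes the order to Alice. This is an added example for this page, not the OASIS profile's normative text nor ContentGuard's code. It uses stand-ins the profile does not: an HMAC over the C14N-serialised Body in place of the asymmetric XML-DSig, a KeyName plus a verifier-side secret table in place of the public key carried in a real keyHolder, and an encoding of "key123 is Alice" as possessProperty of a constructed name URI. The element and namespace names of WS-Security, XML-DSig and REL are the standard ones; the Ids, the secret and the order text are constructed.

```python
"""WS-Security REL Token Profile, authentication/integrity side.  Builds the
request on the slide (Security header carrying a REL token "root says key123
is Alice" plus a Signature over the Body keyed by key123) and verifies it the
way Soda++ Service must before attributing the order to Alice.  Standard
library only.  Stand-ins (assumptions, not the profile's mechanics): HMAC over
the C14N Body replaces the asymmetric XML-DSig; a KeyName plus secret table
replaces the keyHolder's public key; "key123 is Alice" is encoded as
possessProperty of a constructed name URI."""
import hashlib
import hmac
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "r": "urn:mpeg:mpeg21:2003:01-REL-R-NS",
    "sx": "urn:mpeg:mpeg21:2003:01-REL-SX-NS",
}
for _p, _u in NS.items():
    ET.register_namespace(_p, _u)

TRUSTED_ROOT = "root"                       # the only issuer whose identity tokens count
SECRETS = {"key123": b"constructed secret standing in for key123"}   # verifier's key table (constructed)
NAME_URI = "urn:example:name:"              # constructed property URI prefix for "key is <name>"

def q(prefix, name):
    return "{%s}%s" % (NS[prefix], name)

def sub(parent, prefix, name, attrib=None, text=None):
    el = ET.SubElement(parent, q(prefix, name), attrib or {})
    el.text = text
    return el

def canonical_body(body):
    """Bytes the signature covers: C14N 2.0 of the Body element (stdlib)."""
    return ET.canonicalize(ET.tostring(body, encoding="unicode")).encode()

def build_request(order_text, key_name, principal, issuer=TRUSTED_ROOT):
    env = ET.Element(q("soap", "Envelope"))
    sec = sub(sub(env, "soap", "Header"), "wsse", "Security")
    # REL token: `issuer` says the holder of key_name is `principal`
    lic = sub(sec, "r", "license", {q("wsu", "Id"): "tok-1"})
    grant = sub(lic, "r", "grant")
    sub(sub(sub(grant, "r", "keyHolder"), "r", "info"), "ds", "KeyName", text=key_name)
    sub(grant, "r", "possessProperty")
    sub(grant, "sx", "propertyUri", {"definition": NAME_URI + principal})
    sub(sub(sub(sub(lic, "r", "issuer"), "ds", "Signature"), "ds", "KeyInfo"), "ds", "KeyName", text=issuer)
    body = sub(env, "soap", "Body", {q("wsu", "Id"): "body-1"})
    ET.SubElement(body, "Order").text = order_text
    # Signature over the Body; its key is the token above, via SecurityTokenReference
    sig = sub(sec, "ds", "Signature")
    sub(sub(sig, "ds", "SignedInfo"), "ds", "Reference", {"URI": "#body-1"})
    mac = hmac.new(SECRETS[key_name], canonical_body(body), hashlib.sha256).hexdigest()
    sub(sig, "ds", "SignatureValue", text=mac)
    str_ = sub(sub(sig, "ds", "KeyInfo"), "wsse", "SecurityTokenReference")
    sub(str_, "wsse", "Reference", {"URI": "#tok-1"})
    return ET.tostring(env, encoding="unicode")

def authenticate(envelope_xml):
    """Return the principal the Body is attributable to, or None if any link fails."""
    env = ET.fromstring(envelope_xml)
    body = env.find("soap:Body", NS)
    sec = env.find("soap:Header/wsse:Security", NS)
    sig = sec.find("ds:Signature", NS) if sec is not None else None
    if body is None or sig is None:
        return None
    # 1. The signed Reference must be the Body itself, not merely some element
    #    carrying an Id; otherwise a valid signature could sit beside an
    #    unsigned, attacker-chosen order.
    ref = sig.find("ds:SignedInfo/ds:Reference", NS)
    if ref is None or ref.get("URI") != "#" + body.get(q("wsu", "Id"), ""):
        return None
    # 2. Resolve the signing key through the SecurityTokenReference to a REL
    #    token in this same header.
    str_ref = sig.find("ds:KeyInfo/wsse:SecurityTokenReference/wsse:Reference", NS)
    if str_ref is None:
        return None
    token = next((t for t in sec.findall("r:license", NS)
                  if "#" + t.get(q("wsu", "Id"), "") == str_ref.get("URI")), None)
    if token is None:
        return None
    # 3. Only the trusted root may say who a key belongs to.
    if token.findtext("r:issuer/ds:Signature/ds:KeyInfo/ds:KeyName", namespaces=NS) != TRUSTED_ROOT:
        return None
    key_name = token.findtext("r:grant/r:keyHolder/r:info/ds:KeyName", namespaces=NS)
    prop = token.find("r:grant/sx:propertyUri", NS)
    if key_name not in SECRETS or prop is None or not prop.get("definition", "").startswith(NAME_URI):
        return None
    # 4. Verify the signature with that key over the canonical Body.
    expected = hmac.new(SECRETS[key_name], canonical_body(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig.findtext("ds:SignatureValue", namespaces=NS) or ""):
        return None
    return prop.get("definition")[len(NAME_URI):]

if __name__ == "__main__":
    print(authenticate(build_request("Please send one case of Soda++", "key123", "Alice")))
```

The order of the checks matters: the token's issuer is tested before the signature, so a valid signature made with a key that only an untrusted issuer vouches for never reaches the point of being attributed to anyone. The confidentiality slide that follows is the mirror image, with an EncryptedKey whose KEK is resolved through the REL token that binds key456 to Soda++ Service.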
Confidentiality
Diagram: Thirsty Programmer Alice sends Soda++ Service a SOAP Message (SOAP Envelope) with SOAP Headers and a SOAP Body; the body "Please send one case of Soda++" is carried as EncryptedData, CipherValue=DEF. Soda++ Service replies "On its way!". The Security Header carries:
  – REL Token: root says key456 is Soda++ Service
  – EncryptedKey: Reference (to the EncryptedData), CipherValue=HIJ, KEK (key456, as bound to Soda++ Service by the REL Token)
Building Higher-order Operations
• Got baseline WS-Security Features:
  – Authentication
  – Integrity
  – Confidentiality
• Higher-order Operations:
  – Authorization
  – Trust-managed Authorization
  – Delegated Authorization
  – Federated Authorization
Authorization
Diagram (the Authentication/Integrity exchange, extended): Thirsty Programmer Alice sends Soda++ Service a SOAP Message (SOAP Envelope) with SOAP Headers and a SOAP Body "Please send one case of Soda++"; Soda++ Service replies "On its way!". The Security Header now carries:
  – REL Token: root says key123 is Alice
  – Signature: Reference (to the SOAP Body), SigValue=ABC, SigKey (key123, as bound to Alice by the REL Token)
  – REL Token: root says Alice can order Soda++
Authorization
Diagram (same exchange): from the two tokens "root says key123 is Alice" and "root says Alice can order Soda++", the service concludes that the signer of the body may place the order. The same conclusion can be carried by a single token that binds the key directly to the right:
  – REL Token: root says key123 can order Soda++
Trust-managed Authorization
• Consider the following use case:
  – Student Alice takes an online class. As part of the class she gets a license authorizing her to view the online lecture videos until the end of the semester. She does not get to keep watching the lecture videos after the end of the semester or share them with friends. To ensure that she follows these rules, she is only permitted to watch the lecture videos on a secure box certified by her university.
  – Alice arrives at a remote viewing terminal (secure box) and inserts her USB keychain containing her licenses. She watches the lecture video.
Trust-managed Authorization
Diagram: Student Alice, holding her Licenses, uses the Remote Viewing Terminal (key 123); the terminal asks the Lecture Video Cache "Please send Lecture Video" and receives the Lecture Video.
Trust-managed Authorization
Diagram: Alice's Licenses (on her USB keychain):
  – REL Token: onlineProf says onlineUni secureBoxes can retrieve Lecture Video
  – REL Token: onlineProf says Alice can play Lecture Video until end of semester
Trust-managed Authorization
Diagram: the Remote Viewing Terminal (key 123) sends the Lecture Video Cache a SOAP Message (SOAP Envelope) with SOAP Headers and a SOAP Body "Please send Lecture Video". The Security Header carries:
  – REL Token: onlineUni says key123 is secureBox
  – Signature: Reference (to the SOAP Body), SigValue=ABC, SigKey (key123, as bound to secureBox by the REL Token)
  – REL Token: onlineProf says onlineUni secureBoxes can retrieve Lecture Video (taken from Alice's Licenses)
Trust-managed Authorization
Diagram: the Lecture Video Cache replies to the Remote Viewing Terminal (key 123) with a SOAP Message (SOAP Envelope) whose SOAP Body is EncryptedData (Lecture Video). The Security Header carries:
  – REL Token: onlineUni says key123 is secureBox
  – EncryptedKey: Reference (to the EncryptedData), CipherValue=HIJ, KEK (key123, as bound to secureBox by the REL Token)
Trust-managed Authorization
Diagram: the Remote Viewing Terminal (key 123) now holds the Lecture Video and plays it for Student Alice under the remaining license from her keychain:
  – REL Token: onlineProf says Alice can play Lecture Video until end of semester
Delegated Authorization
• Consider the following use case:
  – Alice signs up for MyQuotes and obtains a license authorizing her to get real time NYSE stock quotes. She can also delegate this right to others that have executed the NYSE exchange agreement as certified by Notary1.
  – Alice likes to see graphs rather than numbers. She has a summarizer service which provides her such graphs. So she can get real-time graphs, she delegates to the summarizer service the right to get real time NYSE stock quotes.
  – The summarizer service then retrieves the stock quotes, creates the summary, and sends it to Alice.
Delegated Authorization
Diagram: Investor Alice holds her Licenses; the Summarizer Service (key 123) sends the Quote Service GetQuote and receives a Quote.
Delegated Authorization
Diagram: Investor Alice's Licenses:
  – REL Token: Alice says key123 can get quotes
  – REL Token: MyQuotes says Alice can get quotes and delegate to those that exec exch agr per Notary1
The Summarizer Service (key 123) sends the Quote Service a SOAP Message (SOAP Envelope) with SOAP Headers and a SOAP Body GetQuote. The Security Header carries:
  – Signature: Reference (to the SOAP Body), SigValue=ABC, SigKey (key123)
  – REL Token: Notary1 says key123 exec exch agr
  – REL Token: Alice says key123 can get quotes
  – REL Token: MyQuotes says Alice can get quotes and delegate to those that exec exch agr per Notary1
Federated Authorization
• Consider the following use case:
  – Alice signs up for MyQuotes and obtains a license authorizing her to get real time NYSE stock quotes. She can also delegate this right to others that have executed the NYSE exchange agreement as certified by Notary1.
  – Alice likes to see graphs rather than numbers. She has a summarizer service which provides her such graphs. So she can get real-time graphs, she delegates to the summarizer service the right to get real time NYSE stock quotes.
  – The summarizer service has executed the NYSE exchange agreement but was certified by Notary2.
  – Notary1 recognizes the certifications of Notary2.
  – The summarizer service then retrieves the stock quotes, creates the summary, and sends it to Alice.
Federated Authorization
Diagram: Investor Alice holds her Licenses; the Summarizer Service (key 123) sends the Quote Service GetQuote and receives a Quote.
Federated Authorization
Diagram: Investor Alice's Licenses:
  – REL Token: Alice says key123 can get quotes
  – REL Token: MyQuotes says Alice can get quotes and delegate to those that exec exch agr per Notary1
The Summarizer Service (key 123) sends the Quote Service a SOAP Message (SOAP Envelope) with SOAP Headers and a SOAP Body GetQuote. The Security Header carries:
  – Signature: Reference (to the SOAP Body), SigValue=ABC, SigKey (key123)
  – REL Token: Notary2 says key123 exec exch agr
  – REL Token: Notary1 says Notary2 certs recognized
  – REL Token: Alice says key123 can get quotes
  – REL Token: MyQuotes says Alice can get quotes and delegate to those that exec exch agr per Notary1
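The four decisions the receiving services make on the preceding slides (Soda++ Service for Authorization, the Lecture Video Cache for Trust-managed Authorization, the Quote Service for Delegated and Federated Authorization) all follow one rule: accept the request only if the presented tokens chain back to an issuer the service trusts as a root. The evaluator below implements that rule over the token sets drawn on the slides. It is an added example for this page, not ContentGuard's code or part of the REL specification; the statement types (Binding, HasProperty, Recognizes, Grant), the Certified principal pattern, the depth bound, and the root, right and resource names are all constructed to mirror the diagrams. It assumes each token's signature has already been verified at the WS-Security layer, so `issuer` is the verified signer, and it leaves conditions such as validityInterval to the license parser.

```python
"""Chain evaluation for REL-style statements: authorization, trust-managed,
delegated and federated, as on the slides.  Each token is one "issuer says
..." statement; a request is accepted only when a chain of statements leads
back to an issuer the service trusts as a root.  Token signatures are assumed
verified already (WS-Security layer); conditions are out of scope here."""
from dataclasses import dataclass
from typing import Optional, Union

@dataclass(frozen=True)
class Certified:
    """Principal pattern: anyone `certifier` says has `prop`, e.g. "onlineUni
    secureBoxes" or "those that exec exch agr per Notary1"."""
    certifier: str
    prop: str

Principal = Union[str, Certified]

@dataclass(frozen=True)
class Binding:           # issuer says key is principal     ("root says key123 is Alice")
    issuer: str
    key: str
    principal: str

@dataclass(frozen=True)
class HasProperty:       # issuer says subject has prop     ("onlineUni says key123 is secureBox")
    issuer: str
    subject: str
    prop: str

@dataclass(frozen=True)
class Recognizes:        # issuer accepts other's certs     ("Notary1 says Notary2 certs recognized")
    issuer: str
    other: str

@dataclass(frozen=True)
class Grant:             # issuer says principal can right resource [and delegate to delegate_to]
    issuer: str
    principal: Principal
    right: str
    resource: str
    delegate_to: Optional[Principal] = None

MAX_DEPTH = 4            # bounds delegation and recognition chains; also stops cycles

class Authorizer:
    def __init__(self, tokens, roots):
        self.tokens = list(tokens)
        self.roots = set(roots)   # issuers trusted as the origin of rights and key bindings

    def names_of(self, subject):
        """subject itself plus every name a root binds it to."""
        return {subject} | {t.principal for t in self.tokens if isinstance(t, Binding)
                            and t.key == subject and t.issuer in self.roots}

    def certifies(self, certifier, subject, prop, depth=0):
        """certifier says subject has prop, directly or through a notary it recognizes."""
        if depth > MAX_DEPTH:
            return False
        for t in self.tokens:
            if isinstance(t, HasProperty) and (t.issuer, t.subject, t.prop) == (certifier, subject, prop):
                return True
            if isinstance(t, Recognizes) and t.issuer == certifier and \
                    self.certifies(t.other, subject, prop, depth + 1):
                return True
        return False

    def matches(self, pattern, subject):
        if isinstance(pattern, Certified):
            return self.certifies(pattern.certifier, subject, pattern.prop)
        return pattern in self.names_of(subject)

    def holds(self, subject, right, resource, delegatee=None, depth=0):
        """subject holds (right, resource) on a chain back to a root.  With
        `delegatee` set, the grant must also allow delegation to that party."""
        if depth > MAX_DEPTH:
            return False
        for g in self.tokens:
            if not (isinstance(g, Grant) and (g.right, g.resource) == (right, resource)
                    and self.matches(g.principal, subject)):
                continue
            if delegatee is not None and (g.delegate_to is None
                                          or not self.matches(g.delegate_to, delegatee)):
                continue
            if g.issuer in self.roots:        # direct or trust-managed authorization
                return True
            # non-root issuer: it must itself hold the right with permission to
            # delegate it to `subject` (delegated / federated authorization)
            if self.holds(g.issuer, right, resource, delegatee=subject, depth=depth + 1):
                return True
        return False

    can = holds              # can(subject, right, resource)

def demo():
    """The four slide scenarios as constructed token sets; returns each verdict."""
    soda = Authorizer([Binding("root", "key123", "Alice"), Grant("root", "Alice", "order", "Soda++")], {"root"})
    video = Authorizer([HasProperty("onlineUni", "key123", "secureBox"),
                        Grant("onlineProf", Certified("onlineUni", "secureBox"), "retrieve", "LectureVideo")],
                       {"onlineProf"})
    quotes = [Grant("MyQuotes", "Alice", "getQuote", "NYSE", delegate_to=Certified("Notary1", "execExchAgr")),
              Grant("Alice", "key123", "getQuote", "NYSE")]
    delegated = Authorizer(quotes + [HasProperty("Notary1", "key123", "execExchAgr")], {"MyQuotes"})
    federated = Authorizer(quotes + [HasProperty("Notary2", "key123", "execExchAgr"),
                                     Recognizes("Notary1", "Notary2")], {"MyQuotes"})
    return {"authorization": soda.can("key123", "order", "Soda++"),
            "trust_managed": video.can("key123", "retrieve", "LectureVideo"),
            "delegated": delegated.can("key123", "getQuote", "NYSE"),
            "federated": federated.can("key123", "getQuote", "NYSE")}

if __name__ == "__main__":
    print(demo())
```

Two properties of the evaluator are worth checking against the slides. A grant issued by a non-root only counts if its issuer can be shown to hold the same right with delegation permitted to the presenter, so a token the Summarizer Service signs for itself proves nothing. And the delegation condition is evaluated through `certifies`, which is what lets the federated case succeed: Notary1 never vouches for key123 directly, but the Recognizes token extends Notary1's "exec exch agr" check to Notary2's certificate, exactly as the last slide shows.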
Discussion
• Background
  – REL
  – Web Services
• WS-Security REL Token Profile
  – Authentication/Integrity
  – Confidentiality
• Higher-order Operations
  – Authorization
  – Trust-managed Authorization
  – Delegated Authorization
  – Federated Authorization