Copyright © 2005, ContentGuard, Inc. Use of REL Tokens for Higher-order Operations DIMACS Workshop on Security of Web Services and E-Commerce 2005-May-05.

Page 1

Use of REL Tokens for Higher-order Operations

DIMACS Workshop on Security of Web Services and E-Commerce

2005-May-05

Thomas DeMartini

Page 2

Outline

• Background
  – REL
  – Web Services
• WS-Security REL Token Profile
  – Authentication/Integrity
  – Confidentiality
• Higher-order Operations
  – Authorization
  – Trust-managed Authorization
  – Delegated Authorization
  – Federated Authorization

Page 3

REL

• ISO/IEC 21000-5 specifies a Rights Expression Language (REL) for coding Rights Expressions (Licenses)
• At the high level, a License consists of 5 main building blocks:
  – Principal
  – Right
  – Resource
  – Condition
  – Issuer
• Makes the high-level statement: Issuer says Principal can do Right to Resource under Condition

Page 4

REL license (structure on the left, example on the right)

  license
    grant
      principal        Alice
      right            play
      resource         tree.jpg
      condition        month of April
    issuer
      Signature        Bob (+signature)
      details          time of issue

Issuer says Principal can do Right to Resource under Condition
Bob says Alice can play tree.jpg in the month of April

Page 5

The same license as REL XML:

<r:license ...>
  <r:grant>
    <r:keyHolder licensePartId="Alice">...</r:keyHolder>
    <mx:play/>
    <r:digitalResource>
      <r:nonSecureIndirect URI="tree.jpg"/>
    </r:digitalResource>
    <r:validityInterval>
      <r:notBefore>2004-04-01T00:00:00Z</r:notBefore>
      <r:notAfter>2004-05-01T00:00:00Z</r:notAfter>
    </r:validityInterval>
  </r:grant>
  <r:issuer>
    <dsig:Signature>
      <dsig:SignedInfo>...</dsig:SignedInfo>
      <dsig:SignatureValue>ycD...</dsig:SignatureValue>
      <dsig:KeyInfo>... <!-- Bob --> ...</dsig:KeyInfo>
    </dsig:Signature>
    <r:details>
      <r:timeOfIssue>2004-04-09T21:59:55Z</r:timeOfIssue>
    </r:details>
  </r:issuer>
</r:license>

Bob says Alice can play tree.jpg in the month of April

Page 6

The same license with the play right replaced by possessProperty (the resource becomes a property URI):

<r:license ...>
  <r:grant>
    <r:keyHolder licensePartId="Alice">...</r:keyHolder>
    <r:possessProperty/>
    <sx:propertyUri definition="urn:uni:student"/>
    <r:validityInterval>
      <r:notBefore>2004-04-01T00:00:00Z</r:notBefore>
      <r:notAfter>2004-05-01T00:00:00Z</r:notAfter>
    </r:validityInterval>
  </r:grant>
  <r:issuer>
    <dsig:Signature>
      <dsig:SignedInfo>...</dsig:SignedInfo>
      <dsig:SignatureValue>ycD...</dsig:SignatureValue>
      <dsig:KeyInfo>... <!-- Bob --> ...</dsig:KeyInfo>
    </dsig:Signature>
    <r:details>
      <r:timeOfIssue>2004-04-09T21:59:55Z</r:timeOfIssue>
    </r:details>
  </r:issuer>
</r:license>

  license
    grant
      principal        Alice
      right            possessProperty
      resource         Student
      condition        month of April
    issuer
      Signature        Bob (+signature)
      details          time of issue

Bob says Alice is a student in the month of April
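An added example, not from the slides or from ContentGuard: a Python parser that reduces the two licenses above to the five building blocks and evaluates the validity-interval condition, so the "Issuer says Principal can do Right to Resource under Condition" reading becomes a concrete check. The namespace URIs, which the slides elide as "...", are assumed to be the ISO/IEC 21000-5 ones; the dsig:Signature is not verified here, and a real consumer must verify it before trusting any field the parser returns.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Namespace URIs are an assumption taken from the ISO/IEC 21000-5 schemas;
# the slides elide the declarations as "...".
NS = {
    "r": "urn:mpeg:mpeg21:2003:01-REL-R-NS",
    "mx": "urn:mpeg:mpeg21:2003:01-REL-MX-NS",
    "sx": "urn:mpeg:mpeg21:2003:01-REL-SX-NS",
    "dsig": "http://www.w3.org/2000/09/xmldsig#",
}
NS_DECL = " ".join(f'xmlns:{p}="{u}"' for p, u in NS.items())

ISSUER_BLOCK = """<r:issuer>
    <dsig:Signature>
      <dsig:SignedInfo>...</dsig:SignedInfo>
      <dsig:SignatureValue>ycD...</dsig:SignatureValue>
      <dsig:KeyInfo>... <!-- Bob --> ...</dsig:KeyInfo>
    </dsig:Signature>
    <r:details><r:timeOfIssue>2004-04-09T21:59:55Z</r:timeOfIssue></r:details>
  </r:issuer>"""

VALIDITY = """<r:validityInterval>
      <r:notBefore>2004-04-01T00:00:00Z</r:notBefore>
      <r:notAfter>2004-05-01T00:00:00Z</r:notAfter>
    </r:validityInterval>"""

# Constructed samples: the two licenses from the slides with namespaces filled in.
PLAY_LICENSE = f"""<r:license {NS_DECL}>
  <r:grant>
    <r:keyHolder licensePartId="Alice">...</r:keyHolder>
    <mx:play/>
    <r:digitalResource><r:nonSecureIndirect URI="tree.jpg"/></r:digitalResource>
    {VALIDITY}
  </r:grant>
  {ISSUER_BLOCK}
</r:license>"""

STUDENT_LICENSE = f"""<r:license {NS_DECL}>
  <r:grant>
    <r:keyHolder licensePartId="Alice">...</r:keyHolder>
    <r:possessProperty/>
    <sx:propertyUri definition="urn:uni:student"/>
    {VALIDITY}
  </r:grant>
  {ISSUER_BLOCK}
</r:license>"""


def _utc(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_license(xml_text):
    """Reduce a one-grant REL license to Issuer, Principal, Right, Resource, Condition.
    Signature verification is out of scope: verify dsig:Signature before trusting this."""
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    root = ET.fromstring(xml_text, parser=parser)
    grant = root.find("r:grant", NS)
    out = {"principal": grant.find("r:keyHolder", NS).get("licensePartId"),
           "right": None, "resource": None}
    for child in grant:
        if not isinstance(child.tag, str):
            continue                      # skip comment nodes
        uri, local = child.tag[1:].split("}", 1)
        if uri == NS["mx"] or local == "possessProperty":
            out["right"] = local          # the grant's single right element
        elif local == "digitalResource":
            out["resource"] = child.find("r:nonSecureIndirect", NS).get("URI")
        elif local == "propertyUri":
            out["resource"] = child.get("definition")
    vi = grant.find("r:validityInterval", NS)
    out["not_before"] = _utc(vi.findtext("r:notBefore", namespaces=NS))
    out["not_after"] = _utc(vi.findtext("r:notAfter", namespaces=NS))
    # The slides label the signer only by the comment inside KeyInfo; read that label.
    key_info = root.find("r:issuer/dsig:Signature/dsig:KeyInfo", NS)
    out["issuer"] = next((c.text.strip() for c in key_info if c.tag is ET.Comment), None)
    out["time_of_issue"] = _utc(root.findtext("r:issuer/r:details/r:timeOfIssue", namespaces=NS))
    return out


def valid_at(lic, when):
    """The Condition of these licenses: the request time must fall inside the interval."""
    if isinstance(when, str):
        when = _utc(when)
    return lic["not_before"] <= when < lic["not_after"]


def sentence(lic):
    """Render the slides' reading of the license as one sentence."""
    return (f'{lic["issuer"]} says {lic["principal"]} can {lic["right"]} {lic["resource"]} '
            f'from {lic["not_before"].date()} until {lic["not_after"].date()}')
```

The validity check is half-open (notBefore inclusive, notAfter exclusive), so a request at exactly 2004-05-01T00:00:00Z is refused; whichever convention a deployment picks, the consumer and the issuer must agree on it.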

Page 7

Web Services

  Thirsty Programmer Alice  -->  Soda++ Service
    SOAP Message (SOAP Envelope)
      SOAP Headers
      SOAP Body: Please send one case of Soda++
  Soda++ Service  -->  Alice: On its way!

Page 8

WS-Security REL Token Profile

• WS-Security: SOAP Message Security
  – Defines Security header for SOAP Messages
    • Security Tokens
    • Signatures
    • Encryption Information
• WS-Security: REL Token Profile
  – Defines how to use a Rights Expression (License) as a Security Token.
  – License Security Tokens are called REL Tokens for short.

Page 9

Authentication/Integrity

  Thirsty Programmer Alice  -->  Soda++ Service
    SOAP Message (SOAP Envelope)
      SOAP Headers
        Security Header
          REL Token: root says key123 is Alice
          Signature: Reference (to the SOAP Body), SigValue=ABC, SigKey → the REL Token (key123)
      SOAP Body: Please send one case of Soda++
  Soda++ Service  -->  Alice: On its way!
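An added example, not part of the slides: a Python check of what the Page 9 message actually binds together, namely that the Signature's Reference covers the SOAP Body, that the Body's digest matches, and that the Signature's KeyInfo points at a REL token sitting in the same Security header, which is what lets the service conclude "this request is from Alice". The namespace URIs are the standard SOAP 1.1, WS-Security 1.0 and XML-DSig ones; the envelope, the token's r:info/ds:KeyName rendering, the wsu:Id values and the signature values are constructed. It digests the ElementTree serialization instead of exclusive C14N and does not verify SignatureValue, both of which a real implementation must do.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Standard namespace URIs (SOAP 1.1, WS-Security 1.0, XML-DSig, REL core).
NS = {
    "S": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "r": "urn:mpeg:mpeg21:2003:01-REL-R-NS",
}
for _p, _u in NS.items():
    ET.register_namespace(_p, _u)
WSU_ID = "{%s}Id" % NS["wsu"]

# Constructed envelope for the Page 9 message (token rendering, ids and signature
# values are assumptions; the DigestValue is filled in by make_envelope).
ENVELOPE = f"""<S:Envelope xmlns:S="{NS['S']}" xmlns:wsse="{NS['wsse']}" xmlns:wsu="{NS['wsu']}" xmlns:ds="{NS['ds']}" xmlns:r="{NS['r']}">
  <S:Header>
    <wsse:Security>
      <r:license wsu:Id="tok1">
        <r:grant><r:keyHolder licensePartId="Alice"><r:info><ds:KeyName>key123</ds:KeyName></r:info></r:keyHolder></r:grant>
        <r:issuer><ds:Signature><ds:SignatureValue>root-signature...</ds:SignatureValue></ds:Signature></r:issuer>
      </r:license>
      <ds:Signature>
        <ds:SignedInfo><ds:Reference URI="#body"><ds:DigestValue/></ds:Reference></ds:SignedInfo>
        <ds:SignatureValue>ABC</ds:SignatureValue>
        <ds:KeyInfo><wsse:SecurityTokenReference><wsse:Reference URI="#tok1"/></wsse:SecurityTokenReference></ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
  </S:Header>
  <S:Body wsu:Id="body"><order>Please send one case of Soda++</order></S:Body>
</S:Envelope>"""


def body_digest(elem):
    """Digest of an element as ElementTree serializes it. Simplification: XML-DSig
    digests the (exclusive) C14N form; use a C14N library before relying on this."""
    return base64.b64encode(hashlib.sha256(ET.tostring(elem)).digest()).decode()


def make_envelope(body_text="Please send one case of Soda++", reference="#body"):
    """Build the envelope and fill in the digest of whatever the Reference points at
    (the Body by default); `reference` lets a test point the signature elsewhere."""
    env = ET.fromstring(ENVELOPE)
    env.find("S:Body/order", NS).text = body_text
    ref = env.find(".//ds:SignedInfo/ds:Reference", NS)
    ref.set("URI", reference)
    ref.find("ds:DigestValue", NS).text = body_digest(env.find("S:Body", NS))
    return env


def verify_binding(env):
    """Return the principal the signing key is bound to when the Signature covers the
    Body (digest matching) and KeyInfo refers to a REL token in this Security header;
    otherwise None. SignatureValue itself is not verified here."""
    header = env.find("S:Header/wsse:Security", NS)
    body = env.find("S:Body", NS)
    if header is None or body is None:
        return None
    sig = header.find("ds:Signature", NS)      # the message signature, not the token's
    if sig is None:
        return None
    by_id = {e.get(WSU_ID): e for e in env.iter() if e.get(WSU_ID)}
    signed = {}                                 # element -> claimed digest
    for ref in sig.findall("ds:SignedInfo/ds:Reference", NS):
        target = by_id.get(ref.get("URI", "").lstrip("#"))
        if target is None:
            return None
        signed[target] = ref.findtext("ds:DigestValue", namespaces=NS)
    # The Body itself must be among the signed elements, with a matching digest.
    if body not in signed or signed[body] != body_digest(body):
        return None
    # KeyInfo must point at a REL token that is a direct child of this Security header.
    key_ref = sig.find("ds:KeyInfo/wsse:SecurityTokenReference/wsse:Reference", NS)
    token = by_id.get(key_ref.get("URI", "").lstrip("#")) if key_ref is not None else None
    if token is None or token.tag != "{%s}license" % NS["r"] or token not in list(header):
        return None
    return token.find("r:grant/r:keyHolder", NS).get("licensePartId")


def demo():
    """Three outcomes: the genuine message, a Body altered after signing, and a
    signature whose Reference covers the token instead of the Body."""
    genuine = verify_binding(make_envelope())
    tampered = make_envelope()
    tampered.find("S:Body/order", NS).text = "Please send ten cases of Soda++"
    wrapped = make_envelope(reference="#tok1")
    return genuine, verify_binding(tampered), verify_binding(wrapped)
```

The third case is the one worth keeping in mind: a signature that verifies cryptographically proves nothing about the order unless the element it references is the Body the service acts on, so the check resolves the Reference and compares identities rather than trusting the URI string.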

Page 10

Confidentiality

  Thirsty Programmer Alice  -->  Soda++ Service
    SOAP Message (SOAP Envelope)
      SOAP Headers
        Security Header
          REL Token: root says key456 is Soda++ Service
          EncryptedKey: Reference (to the EncryptedData), CipherValue=HIJ, KEK → the REL Token (key456)
      SOAP Body: EncryptedData CipherValue=DEF (Please send one case of Soda++)
  Soda++ Service  -->  Alice: On its way!

Page 11

Building Higher-order Operations

• Got baseline WS-Security Features:
  – Authentication
  – Integrity
  – Confidentiality
• Higher-order Operations:
  – Authorization
  – Trust-managed Authorization
  – Delegated Authorization
  – Federated Authorization

Page 12

Authorization (built on the Authentication/Integrity message)

  Thirsty Programmer Alice  -->  Soda++ Service
    SOAP Message (SOAP Envelope)
      SOAP Headers
        Security Header
          REL Token: root says key123 is Alice
          Signature: Reference (to the SOAP Body), SigValue=ABC, SigKey → the REL Token (key123)
          REL Token: root says Alice can order Soda++
      SOAP Body: Please send one case of Soda++
  Soda++ Service  -->  Alice: On its way!

Page 13

Authorization

  Thirsty Programmer Alice  -->  Soda++ Service
    SOAP Message (SOAP Envelope)
      SOAP Headers
        Security Header
          REL Token: root says key123 is Alice
          Signature: Reference (to the SOAP Body), SigValue=ABC, SigKey → the REL Token (key123)
          REL Token: root says Alice can order Soda++
      SOAP Body: Please send one case of Soda++
  Soda++ Service  -->  Alice: On its way!

  The two tokens combine to: REL Token root says key123 can order Soda++

Page 14

Trust-managed Authorization

• Consider the following use case:
  – Student Alice takes an online class. As part of the class she gets a license authorizing her to view the online lecture videos until the end of the semester. She does not get to keep watching the lecture videos after the end of the semester or share them with friends. To ensure that she follows these rules, she is only permitted to watch the lecture videos on a secure box certified by her university.
  – Alice arrives at a remote viewing terminal (secure box) and inserts her USB keychain containing her licenses. She watches the lecture video.

Page 15

Trust-managed Authorization

  Student Alice (Licenses)  -->  Remote Viewing Terminal (key 123)  -->  Lecture Video Cache
    Terminal to Cache: Please send Lecture Video
    Cache to Terminal: Lecture Video

Page 16

Trust-managed Authorization

  Student Alice (Licenses)  -->  Remote Viewing Terminal (key 123)  -->  Lecture Video Cache
    Terminal to Cache: Please send Lecture Video
    Cache to Terminal: Lecture Video

  Alice's Licenses:
    REL Token: onlineProf says onlineUni secureBoxes can retrieve Lecture Video
    REL Token: onlineProf says Alice can play Lecture Video until end of semester

Page 17

Trust-managed Authorization

  Student Alice (Licenses)  -->  Remote Viewing Terminal (key 123)  -->  Lecture Video Cache
    SOAP Message (SOAP Envelope), Terminal to Cache
      SOAP Headers
        Security Header
          REL Token: onlineUni says key123 is secureBox
          Signature: Reference (to the SOAP Body), SigValue=ABC, SigKey → the REL Token (key123)
          REL Token: onlineProf says onlineUni secureBoxes can retrieve Lecture Video (taken from Alice's Licenses)
      SOAP Body: Please send Lecture Video


Page 19

Trust-managed Authorization

  Student Alice (Licenses)  -->  Remote Viewing Terminal (key 123)  <--  Lecture Video Cache
    SOAP Message (SOAP Envelope), Cache to Terminal
      SOAP Headers
        Security Header
          REL Token: onlineUni says key123 is secureBox
          EncryptedKey: Reference (to the EncryptedData), CipherValue=HIJ, KEK → the REL Token (key123)
      SOAP Body: EncryptedData (Lecture Video)

Page 20

Trust-managed Authorization

  Student Alice (Licenses)  -->  Remote Viewing Terminal (key 123)  -->  Lecture Video Cache
    Terminal to Cache: Please send Lecture Video
    Cache to Terminal: Lecture Video

  Alice's Licenses:
    REL Token: onlineProf says Alice can play Lecture Video until end of semester

Page 21

Delegated Authorization

• Consider the following use case:
  – Alice signs up for MyQuotes and obtains a license authorizing her to get real time NYSE stock quotes. She can also delegate this right to others that have executed the NYSE exchange agreement as certified by Notary1.
  – Alice likes to see graphs rather than numbers. She has a summarizer service which provides her such graphs. So she can get real-time graphs, she delegates to the summarizer service the right to get real time NYSE stock quotes.
  – The summarizer service then retrieves the stock quotes, creates the summary, and sends it to Alice.

Page 22

Delegated Authorization

  Investor Alice (Licenses)  -->  Summarizer Service (key 123)  -->  Quote Service
    Summarizer to Quote Service: GetQuote
    Quote Service to Summarizer: Quote

Page 23

Delegated Authorization

  Investor Alice (Licenses)  -->  Summarizer Service (key 123)  -->  Quote Service
    Summarizer to Quote Service: GetQuote
    Quote Service to Summarizer: Quote

  Alice's Licenses (given to the Summarizer Service):
    REL Token: Alice says key123 can get quotes
    REL Token: MyQuotes says Alice can get quotes and delegate to those that exec exch agr per Notary1

    SOAP Message (SOAP Envelope), Summarizer to Quote Service
      SOAP Headers
        Security Header
          Signature: Reference (to the SOAP Body), SigValue=ABC, SigKey (key123)
          REL Token: Notary1 says key123 exec exch agr
          REL Token: Alice says key123 can get quotes
          REL Token: MyQuotes says Alice can get quotes and delegate to those that exec exch agr per Notary1
      SOAP Body: GetQuote

Page 24

Federated Authorization

• Consider the following use case:
  – Alice signs up for MyQuotes and obtains a license authorizing her to get real time NYSE stock quotes. She can also delegate this right to others that have executed the NYSE exchange agreement as certified by Notary1.
  – Alice likes to see graphs rather than numbers. She has a summarizer service which provides her such graphs. So she can get real-time graphs, she delegates to the summarizer service the right to get real time NYSE stock quotes.
  – The summarizer service has executed the NYSE exchange agreement but was certified by Notary2.
  – Notary1 recognizes the certifications of Notary2.
  – The summarizer service then retrieves the stock quotes, creates the summary, and sends it to Alice.

Page 25

Federated Authorization

  Investor Alice (Licenses)  -->  Summarizer Service (key 123)  -->  Quote Service
    Summarizer to Quote Service: GetQuote
    Quote Service to Summarizer: Quote

Page 26

Federated Authorization

  Investor Alice (Licenses)  -->  Summarizer Service (key 123)  -->  Quote Service
    Summarizer to Quote Service: GetQuote
    Quote Service to Summarizer: Quote

  Alice's Licenses (given to the Summarizer Service):
    REL Token: Alice says key123 can get quotes
    REL Token: MyQuotes says Alice can get quotes and delegate to those that exec exch agr per Notary1

    SOAP Message (SOAP Envelope), Summarizer to Quote Service
      SOAP Headers
        Security Header
          Signature: Reference (to the SOAP Body), SigValue=ABC, SigKey (key123)
          REL Token: Notary2 says key123 exec exch agr
          REL Token: Notary1 says Notary2 certs recognized
          REL Token: Alice says key123 can get quotes
          REL Token: MyQuotes says Alice can get quotes and delegate to those that exec exch agr per Notary1
      SOAP Body: GetQuote
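An added example, not from the slides or from ContentGuard: a small Python evaluator for the token chains of Pages 12–13 (authorization), 16–19 (trust-managed), 23 (delegated) and 26 (federated). Tokens are assumed to have been signature-verified already and reduced to (issuer, statement) records; the record types, the "prop:<property>@<certifier>" convention for "anyone certified as X by Y", and the names of the trust anchors are my own. It generalizes the slides slightly: recognition between notaries is followed transitively, with a guard against cycles.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed token model (assumption): one record per "issuer says ..." statement.
# Real REL tokens are signed XML; verifying each token's signature and that the
# issuer named here is the actual signer is assumed to happen before evaluation.

@dataclass(frozen=True)
class Identity:            # issuer says key K is principal P
    issuer: str
    key: str
    principal: str

@dataclass(frozen=True)
class Property:            # issuer says principal P has property Q (e.g. secureBox)
    issuer: str
    principal: str
    prop: str

@dataclass(frozen=True)
class Recognize:           # issuer says another issuer's certifications are recognized
    issuer: str
    recognized: str

@dataclass(frozen=True)
class Grant:               # issuer says principal can do right on resource
    issuer: str
    principal: str         # a name, a key, or "prop:<property>@<certifier>"
    right: str
    resource: str
    delegate_to: Optional[Tuple[str, str]] = None   # (property, certifier) delegates need


def subjects_of(key, tokens, identity_issuers):
    """Names the requesting key may act as: the key itself plus any name a trusted
    identity issuer binds to it (Page 9: root says key123 is Alice)."""
    names = {key}
    for t in tokens:
        if isinstance(t, Identity) and t.key == key and t.issuer in identity_issuers:
            names.add(t.principal)
    return names


def certified(subjects, prop, certifier, tokens, seen=frozenset()):
    """True if `certifier`, or an issuer whose certifications it recognizes
    (followed transitively, Page 26), says one of `subjects` has `prop`."""
    for t in tokens:
        if isinstance(t, Property) and t.prop == prop \
                and t.principal in subjects and t.issuer == certifier:
            return True
    for t in tokens:
        if isinstance(t, Recognize) and t.issuer == certifier and t.recognized not in seen:
            if certified(subjects, prop, t.recognized, tokens, seen | {certifier}):
                return True
    return False


def principal_matches(grant_principal, subjects, tokens):
    if grant_principal.startswith("prop:"):        # "onlineUni secureBoxes" style
        prop, certifier = grant_principal[5:].split("@", 1)
        return certified(subjects, prop, certifier, tokens)
    return grant_principal in subjects


def authorized(key, right, resource, tokens, anchors, identity_issuers=frozenset()):
    """Decide whether the holder of `key` may exercise `right` on `resource`.
    `anchors`: issuers trusted to speak for this resource (root, onlineProf, MyQuotes);
    `identity_issuers`: issuers trusted to bind keys to names."""
    subjects = subjects_of(key, tokens, identity_issuers)
    grants = [t for t in tokens if isinstance(t, Grant)
              and t.right == right and t.resource == resource]
    for g in grants:
        if g.issuer not in anchors:
            continue
        if principal_matches(g.principal, subjects, tokens):
            return True
        if g.delegate_to:
            prop, certifier = g.delegate_to
            # The grantee may re-issue the right, but only to someone certified as required.
            for d in grants:
                if d.issuer == g.principal and principal_matches(d.principal, subjects, tokens) \
                        and certified(subjects, prop, certifier, tokens):
                    return True
    return False


def slide_decisions():
    """Replay the slides' scenarios with constructed tokens; returns {scenario: decision}."""
    soda = [Identity("root", "key123", "Alice"), Grant("root", "Alice", "order", "Soda++")]
    lecture = [Property("onlineUni", "key123", "secureBox"),
               Grant("onlineProf", "prop:secureBox@onlineUni", "retrieve", "LectureVideo")]
    delegated = [Grant("MyQuotes", "Alice", "get", "quotes", delegate_to=("execExchAgr", "Notary1")),
                 Grant("Alice", "key123", "get", "quotes"),
                 Property("Notary1", "key123", "execExchAgr")]
    federated = [Grant("MyQuotes", "Alice", "get", "quotes", delegate_to=("execExchAgr", "Notary1")),
                 Grant("Alice", "key123", "get", "quotes"),
                 Property("Notary2", "key123", "execExchAgr")]
    return {
        "soda": authorized("key123", "order", "Soda++", soda, {"root"}, {"root"}),
        "soda_unknown_key": authorized("key999", "order", "Soda++", soda, {"root"}, {"root"}),
        "lecture": authorized("key123", "retrieve", "LectureVideo", lecture, {"onlineProf"}),
        "delegated": authorized("key123", "get", "quotes", delegated, {"MyQuotes"}),
        "federated_unrecognized": authorized("key123", "get", "quotes", federated, {"MyQuotes"}),
        "federated": authorized("key123", "get", "quotes",
                                federated + [Recognize("Notary1", "Notary2")], {"MyQuotes"}),
    }
```

Two points the code makes explicit that the diagrams leave implicit: the relying party decides which issuers anchor each resource (the Quote Service trusts MyQuotes, not Alice, as the root of the chain), and the delegation condition is checked against the delegate, so "Alice says key123 can get quotes" is worthless on its own until Notary1, directly or through a recognized notary, certifies key123.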

Page 27

Discussion

• Background
  – REL
  – Web Services
• WS-Security REL Token Profile
  – Authentication/Integrity
  – Confidentiality
• Higher-order Operations
  – Authorization
  – Trust-managed Authorization
  – Delegated Authorization
  – Federated Authorization