[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Subject: Security Demo
POC Members,
I believe we need more discussion for security demo of the ebXML Message
Service. I'd like to propose that we discuss following issues in
Vancouver meeting.
1. What security technologies are used?
In the draft proposal of the security demo, three security
technologies were proposed.
- XML Signature
- S/MIME
- PGP/MIME
We need to decide what security technologies are used to reduce our
implementation work. In addition, there are some different version of
standard in S/MIME and PGP/MIME. We also need to decide what version
of standard is used.
- S/MIME
- version 2 (RFC 2311 - 2315, 2268)
- version 3 (RFC 2630 - 2634, etc.)
- PGP/MIME
- PGP (RFC 1991, 2015)
- OpenPGP (RFC 2440)
2. What algorithms are used?
In the security technologies, several algorithms can be used (see
following examples). We need to decide what algorithms are used for
interoperability.
- Used algorithms in XML Signature
Algorithm Type Algorithm Requirements
---------------------------------------------------------------
Digest SHA1 Required
Encoding base64 Required
MAC HMAC-SHA1 Required
Signature DSAwithSHA1(DSS) Required
RSAwithSHA1 Recommended
Canonicalization minimal Recommended
Canonical XML with Comments Recommended
Canonical XML (omits comments) Required
Transform XSLT Optional
XPath Recommended
Enveloped Signature Required
- Used algorithms in S/MIME Version 3
- Digest Algorithms
SHA-1
MD5
- Signature Algorithms
DSA
RSA
- Key Management Algorithms
- Key Agreement Algorithms
X9.42 Ephemeral-Static Diffie-Hellman
- Key Transport Algorithms
RSA
- Symmetric Key-Encryption Key Algorithms
Triple-DES Key Wrap
RC2 Key Wrap
- Content Encryption Algorithms
Triple-DES CBC
RC2 CBC
- Message Authentication Code Algorithms
HMAC with SHA-1
- Triple-DES and RC2 Key Wrap Algorithms
Key Checksum
Triple-DES Key Wrap
Triple-DES Key Unwrap
RC2 Key Wrap
RC2 Key Unwrap
- Used algorithms in OpenPGP
- Public Key Algorithms
ID Algorithm
-- ---------
1 - RSA (Encrypt or Sign)
2 - RSA Encrypt-Only
3 - RSA Sign-Only
16 - Elgamal (Encrypt-Only), see [ELGAMAL]
17 - DSA (Digital Signature Standard)
18 - Reserved for Elliptic Curve
19 - Reserved for ECDSA
20 - Elgamal (Encrypt or Sign)
21 - Reserved for Diffie-Hellman (X9.42,
as defined for IETF-S/MIME)
100 to 110 - Private/Experimental algorithm.
Implementations MUST implement DSA for signatures, and Elgamal for
encryption. Implementations SHOULD implement RSA keys.
Implementations MAY implement any other algorithm.
- Symmetric Key Algorithms
ID Algorithm
-- ---------
0 - Plaintext or unencrypted data
1 - IDEA [IDEA]
2 - Triple-DES (DES-EDE, as per spec -
168 bit key derived from 192)
3 - CAST5 (128 bit key, as per RFC 2144)
4 - Blowfish (128 bit key, 16 rounds) [BLOWFISH]
5 - SAFER-SK128 (13 rounds) [SAFER]
6 - Reserved for DES/SK
7 - Reserved for AES with 128-bit key
8 - Reserved for AES with 192-bit key
9 - Reserved for AES with 256-bit key
100 to 110 - Private/Experimental algorithm.
Implementations MUST implement Triple-DES. Implementations SHOULD
implement IDEA and CAST5.Implementations MAY implement any other
algorithm.
- Compression Algorithms
ID Algorithm
-- ---------
0 - Uncompressed
1 - ZIP (RFC 1951)
2 - ZLIB (RFC 1950)
100 to 110 - Private/Experimental algorithm.
Implementations MUST implement uncompressed data. Implementations
SHOULD implement ZIP. Implementations MAY implement ZLIB.
- Hash Algorithms
ID Algorithm Text Name
-- --------- ---- ----
1 - MD5 "MD5"
2 - SHA-1 "SHA1"
3 - RIPE-MD/160 "RIPEMD160"
4 - Reserved for double-width SHA (experimental)
5 - MD2 "MD2"
6 - Reserved for TIGER/192 "TIGER192"
7 - Reserved for HAVAL (5 pass, 160-bit) "HAVAL-5-160"
100 to 110 - Private/Experimental algorithm.
Implementations MUST implement SHA-1. Implementations SHOULD
implement MD5.
3. How to test interoperability of the security technologies?
As showed above, the security technologies utilize many algorithms.
I think interoperability test of the security technologies require
long time. So I'd like to propose that we test interoperability of
the security technologies previously on the internet among POC
members.
Regards,
--
SHIMAMURA Masayoshi <shima.masa@jp.fujitsu.com>
TEL:+81-45-476-4590(ext.7128-4241) FAX:+81-45-476-4726(ext.7128-6783)
Planning Dep., Strategic Planning Div., Software Group, FUJITSU LIMITED
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Powered by eList eXpress LLC