Apache Ssl Certificate Generate - Excel by wjr21472

Comparison criteria (table columns):
- Name
- Description
- Relevant Standards
- Transport Protocol (Message/Transport Binding)
- Open Source Tools
- Proprietary Tools
- Test Suites
- Industry Adoption
- Potential Roadblocks to Industry Adoption
- Resources required to implement KM Client: Code Size, Required Libraries, Embedded Considerations, Execution Speed
Name: XML WS-Man / CIM Affiliation

Description: Proposal to leverage the WS-Management transport protocol specifications for the message transport protocol. The proposal also includes a means to affiliate the 1619.3 objects and operations model to CIM, providing a method of mechanically binding the 1619.3 object model to the transport protocol via the CIM Binding and WS-CIM Mapping specifications.

Relevant Standards:
- Web Services for Management (WS-Management) - http://www.dmtf.org/standards/published_documents/DSP0226_1.0.0.pdf
- WS-Management CIM Binding Specification - http://www.dmtf.org/standards/published_documents/DSP0227.pdf
- WS-CIM Mapping Specification - http://www.dmtf.org/standards/published_documents/DSP0230_1.0.0.pdf

Transport Protocol (Message/Transport Binding): See XML SOAP.

Open Source Tools:
- Openwsman - http://www.openwsman.org/
- Wiseman - https://wiseman.dev.java.net/
- Small Footprint CIM Broker - http://sblim.wiki.sourceforge.net/Sfcb

Proprietary Tools:
- WBEM Solutions
- American Megatrends Incorporated
- Avocent Corporation

Test Suites:
- OpenTestMan - http://www.openwsman.org/wiki/OpenTestMan
- Available from several vendors including WBEM Solutions

Industry Adoption:
- Microsoft - WinRM, WinRS, PowerShell
- Linux - OpenPegasus
- Intel - AMT Desktop/Laptop embedded management
- AMD - OPMA embedded management
- Broadcom - TruManage Desktop/Laptop embedded management
- HP - Server, Desktop/Laptop, Storage embedded management
- Dell - Server, Desktop/Laptop embedded management
- Lenovo - Desktop/Laptop embedded management
- Marvell - PC embedded management
- WS-Man is required for the DMTF SMASH (Servers) and DASH (Desktop and Mobile) remote management initiatives

Potential Roadblocks to Industry Adoption: Many systems vendors and silicon eco-system component providers have products available today that implement the WS-Management protocol. The opportunity to align the 1619.3 key management protocol with these implementations will increase the likelihood of adoption of 1619.3, as it will be an incremental capability on existing infrastructure.

Resources required to implement KM Client:
- Code Size: WS-Management stack with WS-Eventing, including XML parser and HTTP 1.1 compatible protocol implementation = 65KB optimized code size. TLS 1.0 package with server side certificate support = 68KB optimized code size. The entire secure web service interface runs in approximately 150KB RAM.
- Required Libraries: The code measured for the sizing info above was written in ANSI-C, requires libc, and uses the NetX TCP/IP stack running on ThreadX. Another implementation had only libc as a dependency.
- Execution Speed: Not sure what the criteria are for measuring execution speed, but several implementations have demonstrated the ability to handle at least dozens of request/response transactions per second.
Name: XML SOAP

Description: For our purposes, XML SOAP defines a way to pass strongly typed data on a remote procedure call through HTTP(S). The interfaces to the service are defined in a WSDL file.

Relevant Standards:
- SOAP 1.2 - http://www.w3.org/TR/soap/
- WSDL 1.1 - http://www.w3.org/TR/wsdl
- HTTP 1.1 - http://www.ietf.org/rfc/rfc2616.txt

Transport Protocol (Message/Transport Binding): XML 1.0 - http://www.w3.org/TR/REC-xml/

Open Source Tools:
- Apache Axis - http://ws.apache.org/axis/
- Netbeans and Eclipse both have extensions for working with SOAP
- gsoap - http://sourceforge.net/projects/gsoap2
- NuSOAP - http://sourceforge.net/projects/nusoap
- SOAP::Lite - http://sourceforge.net/projects/soaplite

Proprietary Tools:
- Altova® XMLSpy® - http://www.altova.com/
- Microsoft® SOAP Toolkit
- IBM SOAP4J
- Parasoft SOATest - http://www.parasoft.com

Test Suites:
- w3.org SOAP Test Collection
- SOAPClient free web client - http://www.soapclient.com/
- Open source: soapUI - http://www.soapui.org/

Industry Adoption:
- SOAP v1.2 ratified in 2003 (and updated in 2007)
- Basis for WS-Man (so adoption is the same as WS-Man plus non-WS-Man SOAP)
- Microsoft, Oracle, Canon, IBM and Sun contributed to the SOAP spec
- Publicly available SOAP web services - http://www.xmethods.net/
- Microsoft - BizTalk Server

Resources required to implement KM Client:
- Code Size: We have a statically linked library that is ~470KB (including libxml2 and libcurl); however, I am sure this could be much smaller.
- Required Libraries: XML SAX/DOM parser (libxml2 for instance; if parsing yourself, a library is needed to handle non-ASCII processing), sockets/SSL or perhaps HTTPS (OpenSSL/curl for instance).
- Execution Speed: No hard numbers; it seems messages can be more compact than WS-Man, but larger than binary (obviously).
Name: OASIS SKSML (DRAFT 6)

Description: The SKSML protocol is designed to be used by applications at “Layer 7 of the application stack” and provides rich capability for defining policies and security of the payload. However, since it is just another client-server protocol, it can be used in other layers of the application stack as needed.

Relevant Standards:
- Simple Object Access Protocol (SOAP) - W3C Recommendation 08 May 2000. http://www.w3.org/TR/soap/
- XML Encryption - W3C Recommendation 10 Dec 2002. http://www.w3.org/TR/xmlenc-core/
- XML Signature - W3C Recommendation 12 Feb 2002. http://www.w3.org/TR/xmldsig-core/
- Web Services Security - SOAP Message Security 1.0 - OASIS Standard 200401, March 2004 - http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0.pdf

Open Source Tools: StrongKey 1.0 (DRAFT 1 implementation)

Proprietary Tools: None (yet)

Test Suites: OASIS to define as part of deliverables

Industry Adoption:
- ARX
- CA
- FundServ
- MISMO
- NuParadigm Government Systems
- Primekey Solutions
- Red Hat
- StrongAuth
- US Department of Defense
- Wave Systems
- Wells Fargo

Resources required to implement KM Client:
- Code Size: 4475187 bytes for the Java-based Symmetric Key Client Library (SKCL); 9450324 bytes for the Java-based Symmetric Key Services (SKS) server
- Required Libraries: The Java-based StrongKey 1.0 SKS implementation requires the following for the server:
  - RDBMS with JDBC driver
  - Java Development Kit
  - J2EE Application Server
  - Web Services Developer Pack
  The Java-based StrongKey 1.0 SKCL implementation requires the following for the client:
  - Web Service Security libraries
  - Web Service Libraries
- Embedded Considerations: SKSML was not designed for small footprint devices such as disk-drive firmware. It is a heavy protocol (it requires mandatory digital signatures and encryption using XML Signature/XML Encryption) and was created for PDAs, laptops, desktops and servers. However, it is recommended that storage manufacturers use SKSML between their Management Consoles and the KM server, and the 1619.3 protocol between the MC and the device, taking the best of both protocols to bridge two different environments.
Name: XML (raw)

Description: Extensible Markup Language (XML) is a simple, very flexible text format derived from SGML (ISO 8879). Using raw XML as a messaging format uses a simple request and response mechanism to perform all key management functions (i.e. generate, get, store, etc.).

Relevant Standards:
- XML homepage - http://www.w3.org/XML/
- Extensible Markup Language (XML) 1.0 (Fourth Edition), W3C Recommendation 16 August 2006, edited in place 29 September 2006 - http://www.w3.org/TR/xml
- XML 1.0 Fourth Edition Errata - http://www.w3.org/XML/xml-V10-4e-errata

Open Source Tools:
- Hundreds of XML parsers via SourceForge, from simple XML parsers to application-specific XML parsers - http://sourceforge.net
- Xerces XML Parser (licensed under Apache License 2.0) - http://xerces.apache.org/index.html

Proprietary Tools: nCipher KMS toolkit

Industry Adoption: XML is the standard messaging format for web services as well as many other service-based protocols.

Potential Roadblocks to Industry Adoption: Not all Cryptographic Units and/or endpoints have the ability to support XML messaging due to limited processing power.

Resources required to implement KM Client:
- Code Size: Varies based on implementation. Currently none available.
- Required Libraries: Would potentially require development as an open source project.
- Embedded Considerations: Specific tools will have specific OS and system requirements that may or may not be supported by all vendors without custom development.
- Execution Speed: With custom messaging, performance will tend to be better using targeted XML messaging versus other formats that may carry non-applicable overhead (SOAP, WS-Man, etc.).
Name: BINARY (Fixed structure)

Execution Speed: Fastest, due to complete customization to the specific application.
Name: Binary TLV

Description: Binary format constrained by a Tag, Length and Value field.

Relevant Standards: None defined

Proprietary Tools: nCipher KDP+ protocol

Industry Adoption: KDP protocol built into existing security devices such as HSMs and off-the-shelf encryption chips.

Potential Roadblocks to Industry Adoption: No relevant standards exist today.

Resources required to implement KM Client:
- Code Size: Varies by implementation requirements
- Required Libraries: Varies by implementation requirements
- Embedded Considerations: Can be embedded directly into silicon and/or software solutions where the KM Client and Cryptographic Unit are one and the same.
- Execution Speed: Usually fast, due to customization for a specific application.
Name: Binary ASN.1 DER

Description: DER is a particular way to encode an ASN.1 structure in an unambiguous way. An alternative, BER, may be suitable for many of the applications being considered by P1619.3.

Relevant Standards:
- ITU-T Recommendation X.680: Information Technology - Abstract Syntax Notation One (ASN.1): Specification of Basic Notation, July 2002.
- ITU-T Recommendation X.690: OSI Networking and System Aspects: Abstract Syntax Notation One (ASN.1), July 2002.

Open Source Tools:
- The ASN.1 Compiler (http://sourceforge.net/projects/asn1c/)
- SNACC Compiler (http://www.digitalnet.com/knowledge/snacc_home.htm)

Proprietary Tools:
- OSS ASN.1 tools (OSS Nokalva, Inc., http://www.oss.com/)
- ASN1C Compiler (Objective Systems, Inc., http://www.obj-sys.com/products.php)
- Asn1Compiler (uniGone, http://www.unigone.com/en/solutions/asn1)

Test Suites: Vendors of commercial ASN.1 products also sell test software - http://www.asn1.com/products/asn1step.html, for example.

Industry Adoption: As close to ubiquitous as possible - virtually any application of cryptography uses ASN.1, along with BER and DER encoding.

Resources required to implement KM Client:
- Code Size: Moderate; depends on the compiler.
- Embedded Considerations: Probably preferable to XML in most embedded applications.
- Execution Speed: Relatively fast.
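The Tag, Length and Value layout described in the Binary TLV row, combined with the DER definite-length encoding rule from the ASN.1 DER row, as an added example in C that is not part of this comparison or of any product listed in it; the tag numbers, the sample key-management messages and the function names are constructed for illustration. It shows the length check an embedded KM client must perform before trusting a length field, and the DER shortest-encoding check that makes a message unambiguous.

```c
#include <stddef.h>
#include <stdint.h>

/* One decoded element: tag byte, value length, pointer into the input buffer. */
typedef struct { uint8_t tag; size_t len; const uint8_t *val; } tlv_t;

/* Parse one element at buf[0..avail). The length uses the DER definite form:
 * a single byte below 0x80, or 0x80|n followed by n big-endian length bytes
 * in the shortest possible encoding. Returns bytes consumed, 0 if malformed. */
size_t tlv_parse(const uint8_t *buf, size_t avail, tlv_t *out)
{
    if (avail < 2) return 0;                       /* need at least tag + length */
    size_t pos = 2, len = buf[1];
    if (len & 0x80) {                              /* long form */
        size_t n = len & 0x7f;
        if (n == 0 || n > sizeof(size_t) || n > avail - pos) return 0;
        if (buf[pos] == 0) return 0;               /* leading zero byte: not minimal */
        len = 0;
        while (n--) len = (len << 8) | buf[pos++];
        if (len < 0x80) return 0;                  /* DER requires the short form here */
    }
    if (len > avail - pos) return 0;               /* value would overrun the buffer */
    out->tag = buf[0]; out->len = len; out->val = buf + pos;
    return pos + len;
}

/* Walk a whole message; return the element count, or -1 at the first bad element. */
int tlv_check(const uint8_t *buf, size_t avail)
{
    int count = 0;
    tlv_t e;
    while (avail > 0) {
        size_t used = tlv_parse(buf, avail, &e);
        if (used == 0) return -1;                  /* reject; never skip or guess */
        buf += used; avail -= used; count++;
    }
    return count;
}

/* Constructed sample: tag 0x01 = key id (2 bytes), tag 0x02 = key material (16 bytes). */
const uint8_t good_msg[] = { 0x01, 0x02, 0xAB, 0xCD,
    0x02, 0x10, 0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15 };
/* Constructed sample: length field claims 200 bytes but only 3 follow. */
const uint8_t bad_msg[] = { 0x02, 0x81, 0xC8, 0xAA, 0xBB, 0xCC };
/* Constructed sample: long form used for a length that fits in the short form. */
const uint8_t nonmin_msg[] = { 0x01, 0x81, 0x02, 0xAB, 0xCD };
```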

								