XKMS Service
The XML Key Management Specification (XKMS) is an XML-based protocol that is used for the distribution and registration of public keys, and Talend ESB uses it for encryption and signing of messages.
XKMS Service Overview
The Public Key Infrastructure (PKI) is a system for encrypting, decrypting, signing, authorizing and verifying the authenticity of information transmitted over the Internet, or of people's identity, using public-key cryptography. In a PKI system, a user or business has two keys, a public key and a private key. The public key is used to encrypt information by those who want to send private information to the user and only the private key of the user can decrypt the information.
To manage Public Key Infrastructure, Talend ESB uses the XML Key Management Specification (XKMS), which handles the distribution and registration of public keys in conjunction with XML Signature [XML-SIG] and XML Encryption [XML-ENC] to decouple the application from PKI complexity.
XKMS does not handle the actual work of managing public and private key pairs and other PKI details. Instead, it outsources the jobs of key registration, validation, and similar processes to an XKMS trust utility. The XKMS trust utility works with any PKI system, passing the information back and forth between it and the Web service.
- XML Key Information Service Specification (X-KISS), which performs location and validation of keys.
- XML Key Registration Service Specification (X-KRSS), which supports the key registration and management functionality.
- Locate, which resolves a <ds:KeyInfo> element that may be associated with XML Encryption or XML Signature. It does not determine the validity of the binding between the data and the <ds:KeyInfo> element, and therefore does not certify that the binding information is trustworthy. It may relay the request to other services or act as a gateway to the PKI.
- Validate, which does all that the Locate operation does: it looks for the public key that corresponds to the <ds:KeyInfo> element and, in addition, determines the validity and trustworthiness of the binding between the data and the returned key.
Talend ESB employs XML Signature [XML-SIG] to provide message security in the form of authentication and integrity. With the help of the XKMS service, the use of XML Signature by Talend ESB is simplified, because the XKMS service minimizes the complexity and syntax of the underlying public key infrastructure used to establish trust relationships.
Talend ESB also employs XML Encryption [XML-ENC] to send secured messages to a receiver. Even if a client does not know the public key of a receiver, it can still query the XKMS service for it, because XKMS is based on the <ds:KeyInfo> element as the means of transporting key information, which serves as the template for the various operations it specifies.
Encryption functional architecture

To send encrypted data to a receiver, the sender locates the public key of the receiver in the XKMS repository via the service QName, and uses this public key to encrypt the data.
The receiver will now be able to decrypt the data with the private key that corresponds to the public key used for encryption.
Signature functional architecture

To send signed data to a receiver, senders sign the data with their own certificate (private key). This way, the data is sent to the receiver together with the sender's own public key.
The receiver receives the signed data and validates that the public key is in the XKMS repository; if the public key is valid, the receiver is able to accept the data.
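The following is an added example, not code from the Talend ESB documentation or from the Talend/CXF XKMS implementation. It builds the XKMS 2.0 LocateRequest and ValidateRequest messages around a <ds:KeyInfo> element and then parses the two kinds of result, so that the Locate/Validate distinction described above (and the receiver-side check in the signature flow) is enforced in code: a Locate result only resolves a key, while a key from a Validate result is accepted only when its KeyBinding status is Valid. Element and namespace names follow the XKMS 2.0 specification; the Service URI, the use of the service QName as the <ds:KeyName>, and the sample responses are constructed assumptions.

```python
import xml.etree.ElementTree as ET

XKMS = "http://www.w3.org/2002/03/xkms#"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"xkms": XKMS, "ds": DS}

def build_request(kind, key_name, request_id, service="urn:example:xkms"):
    # LocateRequest or ValidateRequest asking for an X.509 cert; the key is
    # addressed via <ds:KeyInfo>/<ds:KeyName>. Using the service QName as the
    # KeyName and the Service URI are assumptions, not Talend-documented rules.
    if kind not in ("LocateRequest", "ValidateRequest"):
        raise ValueError(kind)
    req = ET.Element(f"{{{XKMS}}}{kind}", {"Id": request_id, "Service": service})
    ET.SubElement(req, f"{{{XKMS}}}RespondWith").text = XKMS + "X509Cert"
    qkb = ET.SubElement(req, f"{{{XKMS}}}QueryKeyBinding")
    ET.SubElement(ET.SubElement(qkb, f"{{{DS}}}KeyInfo"), f"{{{DS}}}KeyName").text = key_name
    return ET.tostring(req, encoding="unicode")

def _success_root(xml_text, result_tag):  # root element only if ResultMajor is Success
    root = ET.fromstring(xml_text)
    ok = root.tag == f"{{{XKMS}}}{result_tag}" and root.get("ResultMajor") == XKMS + "Success"
    return root if ok else None
def _cert_of(binding):  # base64 text of <ds:X509Certificate> inside a key binding
    node = binding.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    return node.text.strip() if node is not None and node.text else None
def located_cert(locate_result_xml):
    # Locate answers with an UnverifiedKeyBinding: the key is resolved but the
    # service asserts nothing about trust, so use it only to address a receiver.
    root = _success_root(locate_result_xml, "LocateResult")
    binding = root.find("xkms:UnverifiedKeyBinding", NS) if root is not None else None
    return _cert_of(binding) if binding is not None else None
def validated_cert(validate_result_xml):
    # Validate answers with a KeyBinding carrying a Status; accept the key only
    # when StatusValue is Valid (Invalid and Indeterminate both yield None).
    root = _success_root(validate_result_xml, "ValidateResult")
    for binding in (root.findall("xkms:KeyBinding", NS) if root is not None else []):
        status = binding.find("xkms:Status", NS)
        if status is not None and status.get("StatusValue") == XKMS + "Valid":
            return _cert_of(binding)
    return None

# Constructed sample responses (not captured from a real XKMS service).
_CERT = "<ds:X509Data><ds:X509Certificate>BASE64-CERT-PLACEHOLDER</ds:X509Certificate></ds:X509Data>"
VALIDATE_OK = (f'<ValidateResult xmlns="{XKMS}" xmlns:ds="{DS}" Id="r1" Service="urn:example:xkms" '
               f'ResultMajor="{XKMS}Success"><KeyBinding Id="kb1"><ds:KeyInfo>{_CERT}</ds:KeyInfo>'
               f'<Status StatusValue="{XKMS}Valid"/></KeyBinding></ValidateResult>')
VALIDATE_BAD = VALIDATE_OK.replace(f"{XKMS}Valid", f"{XKMS}Invalid")
LOCATE_OK = (f'<LocateResult xmlns="{XKMS}" xmlns:ds="{DS}" Id="r2" Service="urn:example:xkms" '
             f'ResultMajor="{XKMS}Success"><UnverifiedKeyBinding Id="kb2"><ds:KeyInfo>{_CERT}'
             f'</ds:KeyInfo></UnverifiedKeyBinding></LocateResult>')
```

A receiver verifying a signature should call validated_cert on a ValidateResult, never located_cert on a LocateResult, since only the former carries the service's statement about the binding.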