XKMS Service Overview - 8.0

Talend ESB Infrastructure Services Configuration Guide

Talend Data Fabric
Talend Data Services Platform
Talend ESB
Talend MDM Platform
Talend Real-Time Big Data Platform
Talend ESB
Talend Runtime
Design and Development
Installation and Upgrade
Last publication date

The Public Key Infrastructure (PKI) is a system for encrypting, decrypting, signing, authorizing and verifying the authenticity of information transmitted over the Internet, or of people's identity, using public-key cryptography. In a PKI system, a user or business has two keys, a public key and a private key. The public key is used to encrypt information by those who want to send private information to the user and only the private key of the user can decrypt the information.

To manage Public Key Infrastructure, Talend ESB is using XML Key Management Specification (XKMS) which handles the distribution and registration of public keys in conjunction with XML Signature [XML-SIG] and XML Encryption [XML-ENC] to decouple PKI complexity.

XKMS does not handle the actual work of managing public and private key pairs and other PKI details. Instead, it outsources the jobs of key registration, validation, and similar processes to an XKMS trust utility. The XKMS trust utility works with any PKI system, passing the information back and forth between it and the Web service.

XKMS itself is made of two standards:
  • XML Key Information Service Specification (X-KISS) which performs location and validation of keys.

  • XML Key Registration Service Specification (X-KRSS) which supports the key registration and management functionality.

The X-KISS protocol provides the two following operations:
  • Locate, which resolves a <ds:Keyinfo> element that may be associated with XML encryption or XML signature, but it does not determine the validity of the binding between the data and the <ds:KeyInfo> element and therefore does not certify that the binding information can be trustworthy. It may relay the request to other services or act as a gateway to the PKI.

  • Validate, which does all that the Locate operation does: it looks for the public key that corresponds to the <ds:KeyInfo> element, and in addition, it determines the validity and trustworthiness of the binding between the data and the returned key.

So, Talend ESB employs the XML Signature [XML-SIG] for the purpose of providing message security in the form of authentication and integrity. With the help of the XKMS service, the use of XML Signature by the Talend ESB is simplified, as it minimize the complexity and syntax of the underlying public key infrastructure used to establish trust relationships.

And Talend ESB also employs XML Encryption [XML-ENC] for the purpose of sending secured message to a receiver. This way, even if a client does not know the public key of a receiver, it can still query the XKMS service for it as XKMS is based on the use of the <ds:KeyInfo> element as a means of transporting key information used as templates for the various operations it specifies.