The Statement Service Block


The statement service block provides services for securing information. The protection offered is:

Conventional methods require that the two parties share a key. A key exchange functionality is provided by a module. However, in principle, statements can also be secured using keys shared in other ways. The actual cryptographic operations are supplied by the Crypto Manager. All key material supplied as parameter must be handled using the class CryptoKeyInfo

Statements can be operated in two ways. Either directly on the Statement object or by first generating a StatementTransaction object. Operations directly on the Statement requires quite a lot of inputs (e.g., keys). By first establishing a transaction object these keys are fixed as part of the session context. Thus by using the operations this way the interface is quite simple, and in most cases the most convenient way to use statements is to initially set up such a transaction object and use this in all subsequent transfers and exchanges of statements.

In both cases the following operations are available

For more information on the cryptographic services see the cryptographic manager.

A StatementTransaction object is generated by calling the methods openInitiatorStatementSession or openResponderStatementSession of StatementMan. These methods first negotiate cryptographic algorithms to be used and a method for key exchange. Each party select candidate algorithms according to the following schedule:

  1. Which algorithms are supported
  2. Remove those public key algorithms for which the necessary keys are missing (e.g., remove signature algorithms where no public key is registered)
  3. From those remaining select (and possibly order) the algorithms according to the users preferences.

When both client and server have selected algorithms they use as result an arbitrary one which is in both lists. Note, other negotiation algorithms will be supplied in later versions of the Statement manager..

The following services are negotiated:

If key exchange is requested and the two parties agree on a method for this, a session key is generated afterwards. Key exchange is provided by a module in the state ent block. Currently, only one module exists. This is implemented as part of SEMPER in StatementModule. For the moment only two key exchange protocols are supported:

Use of other Blocks

As mentioned above the Statement Block relies on the Crypto Block for cryptographic services and handling of keys.

It uses the Certificate Block for handling certificates. This is necessary when setting up sessions and when making/verifying signatures.

The Preferences Manager is used for letting the user select cryptographic algorithms. If the user does not make any selections, all supported algorithms are considered to be preferred.

The Archive Manager is used when retrieving keys or when checking the availability of keys. This is done when setting up a statetment session.

Test programs

To see how to test the statement operations run make test. Two tests are given. A simple one simply tests the various operations on a Statement. A more advanced test consists of first setting up keys of a client and a server using the online CAserver at GMD, and next setting up a session between these two (including key exchange) and testing the Statement operations using the resulting Transaction object.

To be done