95-804 Applied CryptographySlide 1 Applied Cryptography Week 3 Michael McCarthy.
-
date post
19-Dec-2015 -
Category
Documents
-
view
224 -
download
0
Transcript of 95-804 Applied CryptographySlide 1 Applied Cryptography Week 3 Michael McCarthy.
95-804 Applied Cryptography Slide 1
Applied CryptographyWeek 3Michael McCarthy
95-804 Applied Cryptography Slide 2
XML Encryption Examples
XML Encryption using .NET/C#
Web Service Security using Sun’s Application Server
Today’s Topics
95-804 Applied Cryptography Slide 3
XML Encryption
• W3C Recommendation 10 December 2002• JSR 105 XMLDSig proposed final draft• JSR 106 XMLEnc is in progress• JWSDP1.5 supports Web Services Security
V1.0• .Net supports XMLEnc out of the box• Some notes from
http://www-106.ibm.com/developerworks/library/x-encrypt/index.html by Bilal Siddiqui
And “Secure XML” by Eastlake and Niles Addison Wesley
95-804 Applied Cryptography Slide 4
General Form 1
<EncryptedData>
<CipherData>
<CipherValue>
cipher text in Base 64
</CipherValue>
</CipherData>
</EncryptedData>
95-804 Applied Cryptography Slide 5
General Form 2
<EncryptedData>
<CipherData>
<CipherReference>
pointer (URL) to cipher text
</CipherReference>
</CipherData>
</EncryptedData>
95-804 Applied Cryptography Slide 6
• Replaces the encrypted element or
• Serves as the new document root
• May contain a KeyInfo element that describes the key needed for decryption (borrowed from XML Digital Signature) or
signature verification
EncryptedData is the core element
95-804 Applied Cryptography Slide 7
General Example (1)
<MedInfo> <ID> <Name> <Address> </ID> <Medical>…</Medical> <Financial>…</Financial></MedInfo>
95-804 Applied Cryptography Slide 8
General Example (2)
<MedInfo> <ID>….</ID> <EncryptedData> <KeyInfo> <KeyName>Medical </KeyInfo> <CipherData> <CipherValue> cipher text </EncryptedData>
95-804 Applied Cryptography Slide 9
General Example (3)
<Financial> <EncryptedData> <KeyInfo> <KeyName>Pay </KeyInfo> <CipherData> <CipherValue> cipher text
</EncryptedData></Finacial>
</MedInfo>
95-804 Applied Cryptography Slide 10
Detailed Example (Listing 1)
<purchaseOrder>
<Order>
<Item>book</Item>
<Id>123-958-74598</Id>
<Quantity>12</Quantity>
</Order>
<Payment>
<CardId>123654-8988889-9996874</CardId>
<CardName>visa</CardName>
<ValidDate>12-10-2004</ValidDate>
</Payment>
</purchaseOrder>
95-804 Applied Cryptography Slide 11
Encrypting the Entire File (Listing 2)
<?xml version='1.0' ?>
<EncryptedData xmlns='http://www.w3.org/2001/04/xmlenc#' Type='http://www.isi.edu/in-notes/iana/assignments/media-types/text/xml'>
<CipherData>
<CipherValue>A23B45C56…</CipherValue>
</CipherData>
</EncryptedData>
IANA = Internet Assigned Numbers Authority a function of The Internet Corporationfor Assigned Names and Numbers
95-804 Applied Cryptography Slide 12
Encrypting The Payment (Listing 3)
<?xml version='1.0' ?> <PurchaseOrder> <Order> <Item>book</Item> <Id>123-958-74598</Id> <Quantity>12</Quantity> </Order> <EncryptedData Type='http://www.w3.org/2001/04/xmlenc#Element' xmlns='http://www.w3.org/2001/04/xmlenc#'> <CipherData> <CipherValue>A23B45C564587…</CipherValue> </CipherData> </EncryptedData> </PurchaseOrder>
One element
95-804 Applied Cryptography Slide 13
Encrypting Only the CardId (Listing 4)
<?xml version='1.0' ?> <PurchaseOrder> <Order> <Item>book</Item> <Id>123-958-74598</Id> <Quantity>12</Quantity> </Order> <Payment> <CardId> <EncryptedData Type='http://www.w3.org/2001/04/xmlenc#Content' xmlns='http://www.w3.org/2001/04/xmlenc#'> <CipherData> <CipherValue>A23B45C564587</CipherValue> </CipherData> </EncryptedData> </CardId> <CardName>visa</CardName> <ValidDate>12-10-2004</CardName> </Payment> </PurchaseOrder>
Element content
95-804 Applied Cryptography Slide 14
Encrypting Non-XML Data (Listing 5)
<?xml version='1.0' ?>
<EncryptedData xmlns='http://www.w3.org/2001/04/xmlen#'
Type='http://www.isi.edu/in-notes/iana/assignments/media-types/jpeg' >
<CipherData>
<CipherValue>A23B45C56…</CipherValue>
</CipherData>
</EncryptedData>
95-804 Applied Cryptography Slide 15
Sending a public key (listing 6)<?xml version='1.0' ?> <SecureCommunicationDemonstration> <EncryptedKey CarriedKeyName="Muhammad Imran" xmlns='http://www.w3.org/2001/04/xmlenc#'> <ds:KeyInfo xmlns:ds='http://www.w3.org/2000/09/xmldsig#'> <ds:KeyValue>1asd25fsdf2dfdsfsdfds2f1sd23 </ds:KeyValue> </ds:KeyInfo> </EncryptedKey></SecureCommunicationDemonstration>
This key is in the clear.
95-804 Applied Cryptography Slide 16
Receiving a Secret Key Encrypted with a Public Key (listing 7)
<?xml version='1.0' ?> <SecureCommunicationDemonstration> <EncryptedKey CarriedKeyName="Imran Ali" xmlns='http://www.w3.org/2001/04/xmlenc#'> <EncryptionMethod Algorithm= "http://www.w3.org/2001/04/xmlenc#rsa-1_5"/> <CipherData> <CipherValue>xyza21212sdfdsfs7989fsdbc </CipherValue> </CipherData> </EncryptedKey></SecureCommunicationDemonstration>
This key is encrypted.It’s name is Imran Ali.
95-804 Applied Cryptography Slide 17
Data Encrypted to Secret Key (Listing 8)
<?xml version='1.0' ?> <<SecureCommunicationDemonstration> <Order> <Item>book</Item> <Id>123-958-74598</Id> <Quantity>12</Quantity> <CardName>Visa</CardName> <ExpDate>10-10-2005</ExpDate> <EncryptedData Type='http://www.w3.org/2001/04/xmlenc#Element' xmlns='http://www.w3.org/2001/04/xmlenc#'> <EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#tripledes-cbc '/> <ds:KeyInfo xmlns:ds='http://www.w3.org/2000/09/xmldsig#'> <ds:KeyName>Imran ali</ds:KeyName> </ds:KeyInfo> <CipherData> <CipherValue>A23B45C564587</CipherValue> </CipherData> </EncryptedData> </Order> </SecureCommunicationDemonstration>
An element is encryptedwith the Imran Ali key.
95-804 Applied Cryptography Slide 18
Pointing to encrypted data (listing 9)
<?xml version='1.0' ?> <EncryptedData xmlns='http://www.w3.org/2001/04/xmlenc#' Type= 'http://www.w3.org/2001/04/xmlenc#Element'> <ds:KeyInfo xmlns:ds='http://www.w3.org/2000/09/xmldsig#'> <ds:KeyName>Imran ali</ds:KeyName </ds:KeyInfo> <CipherData> <CipherReference URI="www.waxsys.com/secureData/waxFile.txt"/> </CipherData> </EncryptedData> The external source is encrypted
with the Imran Ali key.
95-804 Applied Cryptography Slide 19
Point to a distant encrypted element (Listing 10)
<?xml version='1.0' ?> <EncryptedData ID="Enc-Data" xmlns='http://www.w3.org/2001/04/xmlenc#'
Type='http://www.w3.org/2001/04/xmlenc#Element' > <CipherReference URI="http://www.waxsys.com/EncFile.xml" > <Transforms xmlns:ds="http://www.w3.org/2000/09/xmldsig#" > <ds:Transform Algorithm="http://www.w3.org/TR/1999/REC- xpath-19991116"> <wax:XPath xmlns:wax="http://www.waxsys.com/xpathNS"> PruchaseOrder/EncryptedData [@Id="Imran-Enc-Data"] </wax:XPath> </ds:Transform> </Transforms> </CipherReference> </EncryptedData>
XPath is being used to point to the exact element that is encrypted.
95-804 Applied Cryptography Slide 20
An Example Output Using IBM’s XSS4J
<?xml version="1.0" encoding="UTF-8"?>
<EncryptedData xmlns= "http://www.w3.org/2001/04/xmlenc#" Id="Test" Type="http://www.isi.ed u/in-notes/iana/assignments/media-types/text/xml">
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <KeyName>ImranAli</KeyName> </ds:KeyInfo> <CipherData> <CipherValue>cipher text</CipherValue> </CipherData></EncryptedData>
A key name is providedfor decryption.
95-804 Applied Cryptography Slide 21
More XML Encryption using .NET/C#
95-804 Applied Cryptography Slide 22
Hybrid Encryption
• The way it’s done today
• Bulk encryption using symmetric (session) keys – fast
• Symmetric key exchange problem solved by encrypting the session key with the receivers public key
95-804 Applied Cryptography Slide 23
.Net Crypto API Example
• The receiver builds an RSA key pair• The public key of the receiver is used by the
sender to encrypt a symmetric session key• The encrypted session key along with the
encrypted elements are sent to the receiver• The receiver decrypts the session key using her
private RSA key• She then decrypts the encrypted element using
the symmetric session key
95-804 Applied Cryptography Slide 24
The RSA Public key in XML
<RSAKeyValue><Modulus>z9zv0HMRK44BrjYIQtmKlDkA6WnQCIVOYmOj
y/eKhFqXJM024JybC/5hOCQoYRRo5iYRopIV4gBZUBSolxgk8jIr38iO84lDoSisPl3ikcob/aCuhPe8jSl4zbKpiJ+rqQE8rSNJ3XDPDVIiRoDbSRbn04x210tjYNMbePw0RQk=</Modulus>
<Exponent>AQAB</Exponent></RSAKeyValue> These are not arbitrary tags. This
representation is part of the XMLDSigstandard.
95-804 Applied Cryptography Slide 25
The RSA Public/Private Key data in XML
<RSAKeyValue> <!– defined by XMLDSig
<Modulus>
z9zv0HMRK44BrjYIQtmKlDkA6WnQCIVOYmOjy/eKhFqXJM024JybC/5hOCQoYRRo5iYRopIV4gBZUBSolxgk8jIr38iO84lDoSisPl3ikcob/aCuhPe8jSl4zbKpiJ+rqQE8rSNJ3XDPDVIiRoDbSRbn04x210tjYNMbePw0RQk=
</Modulus> <Exponent>AQAB</Exponent>
95-804 Applied Cryptography Slide 26
<P>54xO9DFJ4Mydzqrq8/0mcWInv4pU+bJHx1W1TYiybkRs7TchIq56z1JSgedhSxYvGHfHKzDcdplK2PHC9Aik2w==</P>
<Q>5dBTIHj9btkq9Nss0ZC04OyRGjssKJs8+Y89MOhs9BB1YNnk6Ci6PqV8F2P8FwcSFLXb5+II7nuvRTGS5enQ6w==</Q>
<D>sLBBOZNWGQvQ6eEMDKcWYQBDgiVrrJKEGqZP6WU13WOT7rhx2WPFd+B3i11Q5ZSPxnK9ss8ywrVBNg0ZcbYYUC+g6fYsfylKv1Lbpxr9h002syvRjmyywRcD9+TfvrVhOe27QYJKlE/QX4SHSgnTxq4qkmHdTxZRtoRGGLdZ8XE=</D></RSAKeyValue>
95-804 Applied Cryptography Slide 27
The Encrypted Session Key
<EncryptedKey CarriedKeyName="My 3DES Session Key"> <!– name of session key
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
<ds:KeyInfo> <!– use this key to decrypt the session key
<KeyName>My Private Key</KeyName></ds:KeyInfo>
95-804 Applied Cryptography Slide 28
<CipherData> <CipherValue> <!– session key encrypted Shy7Nzo/ctBPAhwubFiAYpNNB2CuM4TpCUozP2oQZrEMT03O EzspgkBaItai8ImBUiSUT1KlPCbawG2edz40ISgJ+G+Sl4m6ZNm L0//gqs4/7eUyLY0rSFeCnW9hKU/hr0r4wDJaKiI+hS68OTHeBBc GLCyFEPSCQXeqbnvqQBo= </CipherValue></CipherData></EncryptedKey>
95-804 Applied Cryptography Slide 29
The Original Invoice
<invoice><items> <item>
<desc>Deluxe corncob pipe</desc> <unitprice>14.95</unitprice> <quantity>1</quantity> </item> </items>
95-804 Applied Cryptography Slide 30
<creditinfo> <cardnumber>0123456789</cardnumber> <expiration>01/06/2005</expiration> <lastname>Finn</lastname> <firstname>Huckleberry</firstname></creditinfo>
</invoice>
95-804 Applied Cryptography Slide 31
The Encrypted Invoice
<invoice><items> <item>
<desc>Deluxe corncob pipe</desc> <unitprice>14.95</unitprice> <quantity>1</quantity> </item> </items>
95-804 Applied Cryptography Slide 32
<EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element">
<ds:KeyInfo> <!– use this session key for decryption <KeyName>My 3DES Session Key</KeyName></ds:KeyInfo>
<CipherData>
<CipherValue> ZS0og/w6JtPj0BDtU4XiAS3ybUsqh4tvp4ItoNO8ZzWUSVl8290HHVG2MfbjPSr00dCftHpaBd8GBgHOUSqG6wiia3EYy8Bgz7y6NeQ6zFu9i3J34Fy+uWETjmkROE/mg+RU0IxQTkcDWQVfUq6TECNafP9voSvbOGTNbt87Rb0BDcjbAWWLjKkOT6KOOVwfq60TJxmmkxFonqwVAY2ARlm/yBqvbo2BHux5fvZFZBF5jCPZPkuOClYZVXpY3wVB</CipherValue></CipherData></EncryptedData></invoice>
95-804 Applied Cryptography Slide 33
The C# Code (from Thorsteinson and Ganesh)
//XMLEncryption.cs
//NOTE: must add a project reference to System.Security
using System;using System.IO;using System.Text;using System.Xml;using System.Security.Cryptography;using System.Security.Cryptography.Xml;
95-804 Applied Cryptography Slide 34
class XMLEncryption{
static void Main(string[] args){
//create participantsSender sender = new Sender();Receiver receiver = new Receiver();
//establish public and private RSA key informationreceiver.EstablishXmlRsaParameters(
"RsaIncludePrivateParams.xml","RsaExcludePrivateParams.xml");
The receiver creates RSA keys and places them intwo files – one for the receiver and one for the sender.
95-804 Applied Cryptography Slide 35
//create original XML document to be encryptedsender.CreateOriginalXmlDocument(
"OriginalInvoice.xml");
//create session key and encrypt via RSA public keybyte [] IV = sender.CreateAndEncryptXmlSessionKey(
"RsaExcludePrivateParams.xml","SessionKeyExchange.xml");
The sender creates an XML document.
And generates a symmetric encryption key that is encryptedwith the public key of the receiver. E(SK)
95-804 Applied Cryptography Slide 36
//encrypt original XML document with session keysender.EncryptOriginalXmlDocument(
"OriginalInvoice.xml","RsaExcludePrivateParams.xml","SessionKeyExchange.xml", // no need"EncryptedInvoice.xml");
//decrypt XML document with session keyreceiver.DecryptXmlDocument(
"EncryptedInvoice.xml","RsaIncludePrivateParams.xml","SessionKeyExchange.xml","DecryptedCreditInfo.xml",IV);
}}
The sender encrypts sensitive parts of the document.
The receiver decrypts the session key and is then ableto decrypt the document.
95-804 Applied Cryptography Slide 37
class Sender{
public void CreateOriginalXmlDocument(String originalFilename){
//establish the original XML documentXmlDocument xmlDoc = new XmlDocument();xmlDoc.PreserveWhitespace = true;xmlDoc.LoadXml(
"<invoice>\n" +" <items>\n" +" <item>\n" +" <desc>Deluxe corncob pipe</desc>\n" +" <unitprice>14.95</unitprice>\n" +" <quantity>1</quantity>\n" +" </item>\n" +" </items>\n" +" <creditinfo>\n" +" <cardnumber>0123456789</cardnumber>\n" +" <expiration>01/06/2005</expiration>\n" +" <lastname>Finn</lastname>\n" +" <firstname>Huckleberry</firstname>\n" +" </creditinfo>\n" +"</invoice>\n");
The sender builds the document the hard way.
This part is sensitive.
95-804 Applied Cryptography Slide 38
//write original XML document to fileStreamWriter file =
new StreamWriter(originalFilename);file.Write(xmlDoc.OuterXml);file.Close();
//let the user know what happenedConsole.WriteLine(
"Original XML document written to:\n\t" + originalFilename);
}
Write the “hand built” XML to a file.
95-804 Applied Cryptography Slide 39
public byte [] CreateAndEncryptXmlSessionKey(String rsaExcludePrivateParamsFilename,String keyFilename)
{//create the session key for 3DES bulk encryptionTripleDESCryptoServiceProvider tripleDES =
new TripleDESCryptoServiceProvider();
//access the IV and Key for sender encryptionIV = tripleDES.IV;Key = tripleDES.Key;
//fetch public only RSA parameters from XML StreamReader fileRsaParams = new StreamReader(
rsaExcludePrivateParamsFilename);String rsaExcludePrivateParamsXML =
fileRsaParams.ReadToEnd();fileRsaParams.Close();
The sender creates the session key.
Before encryptingthe key it needs the public key of the receiver.
95-804 Applied Cryptography Slide 40
//RSA encrypt session key RSACryptoServiceProvider rsa =
new RSACryptoServiceProvider(); rsa.FromXmlString(rsaExcludePrivateParamsXML);
byte[] keyEncryptedBytes = rsa.Encrypt(tripleDES.Key, false);
//store encrypted 3DES session key in Base64 string String keyEncryptedString = Convert.ToBase64String(
keyEncryptedBytes);
//create XML document for 3DES session key exchange XmlDocument xmlKeyDoc = new XmlDocument();
xmlKeyDoc.PreserveWhitespace = true;
The sender encrypts the DES session key.
And builds an XML documentto hold it.
95-804 Applied Cryptography Slide 41
//add EncryptedKey element to key XML XmlElement xmlEncryptedKey =
xmlKeyDoc.CreateElement("EncryptedKey"); xmlKeyDoc.AppendChild(xmlEncryptedKey); XmlAttribute xmlCarriedKeyName =
xmlKeyDoc.CreateAttribute("CarriedKeyName"); xmlCarriedKeyName.Value = "My 3DES Session Key"; xmlEncryptedKey.Attributes.Append(
xmlCarriedKeyName);
So far we have…<EncryptedKey CarriedKeyName="My 3DES Session Key">
95-804 Applied Cryptography Slide 42
//add the EncryptionMethod element to key XML XmlElement xmlEncryptionMethod =
xmlKeyDoc.CreateElement("EncryptionMethod"); xmlEncryptedKey.AppendChild(xmlEncryptionMethod); XmlAttribute xmlAlgorithm =
xmlKeyDoc.CreateAttribute("Algorithm"); xmlAlgorithm.Value = "http://www.w3.org/2001/04/xmlenc#rsa-1_5"; xmlEncryptionMethod.Attributes.Append(
xmlAlgorithm);
<EncryptedKey CarriedKeyName="My 3DES Session Key">
<EncryptionMethod Algorithm= "http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
95-804 Applied Cryptography Slide 43
//add KeyInfo element to key XMLXmlElement xmlKeyInfo =
xmlKeyDoc.CreateElement("ds", "KeyInfo","http://www.w3.org/2000/09/xmldsig#");
xmlEncryptedKey.AppendChild(xmlKeyInfo);
//add KeyName element to key XMLXmlElement xmlKeyName =
xmlKeyDoc.CreateElement("ds", "KeyName", null);xmlKeyName.InnerText = "My Private Key";xmlKeyInfo.AppendChild(xmlKeyName);
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><KeyName>My Private Key</KeyName></ds:KeyInfo>
<!-- My Private Key will be used to decrypt the session key
95-804 Applied Cryptography Slide 44
//add CipherData element to key XMLXmlElement xmlCipherData =
xmlKeyDoc.CreateElement("CipherData");xmlEncryptedKey.AppendChild(xmlCipherData);
<CipherData>
95-804 Applied Cryptography Slide 45
//add CipherValue element to key XMLXmlElement xmlCipherValue =
xmlKeyDoc.CreateElement("CipherValue");
xmlCipherValue.InnerText = keyEncryptedString;xmlCipherData.AppendChild(xmlCipherValue);
<CipherValue>Shy7Nzo/ctBPAhwubFiAYpNNB2CuM4TpCUozP2oQZrEMT03OEzspgkBaItai8ImBUiSUT1KlPCbawG2edz40ISgJ+G+Sl4m6ZNmL0//gqs4/7eUyLY0rSFeCnW9hKU/hr0r4wDJaKiI+hS68OTHeBBcGLCyFEPSCQXeqbnvqQBo=</CipherValue></CipherData></EncryptedKey>
95-804 Applied Cryptography Slide 46
//save key XML informationxmlKeyDoc.Save(keyFilename);
//let the user know what happenedConsole.WriteLine(
"Encrypted Session Key XML written to:\n\t" + keyFilename);
return IV; //needed by receiver too}
The sender has placed an encrypted session key on file. It includes the name of the decryption key. The receiver candecrypt the session key but needs the IV to use it to decrypt the invoice.
95-804 Applied Cryptography Slide 47
public void EncryptOriginalXmlDocument(String originalFilename,String rsaExcludePrivateParamsFilename,String keyFilename,String encryptedFilename)
{
Original XML Document
Receiver’s publicKey?
Encrypted symmetric keyfile name??
Document partially encrypted with session key
Working code but with someunnecessary parameters.
95-804 Applied Cryptography Slide 48
//load XML document to be encryptedXmlDocument xmlDoc = new XmlDocument();xmlDoc.PreserveWhitespace = true;xmlDoc.Load(originalFilename);
//get creditinfo node plaintext bytes to encryptXmlElement xmlCreditinfo =
(XmlElement)xmlDoc.SelectSingleNode("invoice/creditinfo");
byte[] creditinfoPlainbytes = Encoding.UTF8.GetBytes(xmlCreditinfo.OuterXml);
Load the documentholding sensitivetag
Find the tag usingXPath.
Get the bytes and include the tag name.
95-804 Applied Cryptography Slide 49
//create 3DES algorithm object for bulk encryptionTripleDESCryptoServiceProvider tripleDES =
new TripleDESCryptoServiceProvider();
Getting ready for symmetric encryption…
95-804 Applied Cryptography Slide 50
//establish crypto stream using 3DES algorithmMemoryStream ms = new MemoryStream();CryptoStream cs = new CryptoStream(
ms,tripleDES.CreateEncryptor(Key, IV),CryptoStreamMode.Write);
//write creditinfo plaintext to crypto streamcs.Write(
creditinfoPlainbytes, 0, creditinfoPlainbytes.Length);
cs.Close();
Use the sameKey/IV that weencryptedbefore. Thesevariables aredefined outside the methods.
Encrypt the sensitive tag with thesession key.
95-804 Applied Cryptography Slide 51
//get creditinfo ciphertext from crypto streambyte[] creditinfoCipherbytes = ms.ToArray();ms.Close();String creditinfoCiphertext =
Convert.ToBase64String(creditinfoCipherbytes);
Get the encrypted bytes and convert them to base 64
95-804 Applied Cryptography Slide 52
//create EncryptedData in XML fileXmlElement xmlEncryptedData =
xmlDoc.CreateElement("EncryptedData");XmlAttribute xmlType =
xmlDoc.CreateAttribute("Type");xmlType.Value =
"http://www.w3.org/2001/04/xmlenc#Element";xmlEncryptedData.Attributes.Append(xmlType);
//add KeyInfo elementXmlElement xmlKeyInfo =
xmlDoc.CreateElement("ds", "KeyInfo","http://www.w3.org/2000/09/xmldsig#");
xmlEncryptedData.AppendChild(xmlKeyInfo);
XML Encryption
95-804 Applied Cryptography Slide 53
//add KeyName elementXmlElement xmlKeyName =
xmlDoc.CreateElement("ds", "KeyName",null);xmlKeyName.InnerText = "My 3DES Session Key";xmlKeyInfo.AppendChild(xmlKeyName);
//add CipherData elementXmlElement xmlCipherData =
xmlDoc.CreateElement("CipherData");xmlEncryptedData.AppendChild(xmlCipherData);
//add CipherValue element with encrypted creditinfoXmlElement xmlCipherValue =
xmlDoc.CreateElement("CipherValue");xmlCipherValue.InnerText = creditinfoCiphertext;xmlCipherData.AppendChild(xmlCipherValue);
95-804 Applied Cryptography Slide 54
//replace original node with the encrypted nodexmlCreditinfo.ParentNode.ReplaceChild(
xmlEncryptedData, xmlCreditinfo);
//save XML to encrypted filexmlDoc.Save(encryptedFilename);
//let the user know what happenedConsole.WriteLine(
"Encrypted XML document written to:\n\t" + encryptedFilename);
}
//information sender needs across method callsstatic byte [] IV;static byte [] Key;
}
The encrypted document is built. The receiver needsto read it…
95-804 Applied Cryptography Slide 55
What does the receiver need ?
• The encrypted document
• The encrypted session key
95-804 Applied Cryptography Slide 56
class Receiver {
public void EstablishXmlRsaParameters(String rsaIncludePrivateParamsFilename, String rsaExcludePrivateParamsFilename)
{//create RSA object with new key pairRSACryptoServiceProvider rsa =
new RSACryptoServiceProvider();
//store public and private RSA key params in XMLStreamWriter fileRsaIncludePrivateParams
= new StreamWriter(rsaIncludePrivateParamsFilename);
fileRsaIncludePrivateParams.Write(rsa.ToXmlString(true));
fileRsaIncludePrivateParams.Close();
Executedbefore anything else
The receiverneeds the publicand private keys.
95-804 Applied Cryptography Slide 57
//store public only RSA key params in XMLStreamWriter fileRsaExcludePrivateParams =
new StreamWriter(rsaExcludePrivateParamsFilename);
fileRsaExcludePrivateParams.Write(rsa.ToXmlString(false));
fileRsaExcludePrivateParams.Close();
//let the user know what happenedConsole.WriteLine(
"RSA parameters written to:\n\t" + rsaIncludePrivateParamsFilename + "\n\t" +rsaExcludePrivateParamsFilename);
}
The sender needs the public keys.
Two files written.
95-804 Applied Cryptography Slide 58
public void DecryptXmlDocument(String encryptedFilename,String rsaIncludePrivateParamsFilename,String keyFilename,String decryptedFilename,byte [] IV)
{//load encrypted XML documentXmlDocument xmlDoc = new XmlDocument();xmlDoc.PreserveWhitespace = true;xmlDoc.Load(encryptedFilename);
//get creditinfo node ciphertext bytes to decryptXmlElement xmlEncryptedData =
(XmlElement)xmlDoc.SelectSingleNode("invoice/EncryptedData");
Decrypt – get the document and find the encrypted elementusing XPath.
95-804 Applied Cryptography Slide 59
XmlElement xmlCipherValue = (XmlElement)xmlEncryptedData.SelectSingleNode("CipherData/CipherValue");
byte[] creditinfoCipherbytes = Convert.FromBase64String( xmlCipherValue.InnerText);
//load XML key documentXmlDocument xmlKeyDoc = new XmlDocument();xmlKeyDoc.PreserveWhitespace = true;xmlKeyDoc.Load(keyFilename);
//get encrypted session key bytesXmlElement xmlKeyCipherValue =
(XmlElement)xmlKeyDoc.SelectSingleNode("EncryptedKey/CipherData/CipherValue");
byte[] xmlKeyCipherbytes = Convert.FromBase64String( xmlKeyCipherValue.InnerText);
Get the encryptedsymmetric key..
..as an array of bytes
Get encryptedbytes
95-804 Applied Cryptography Slide 60
//Get RSA private key to decrypt the session key StreamReader fileRsaParams = new StreamReader(
rsaIncludePrivateParamsFilename);
String rsaIncludePrivateParamsXML = fileRsaParams.ReadToEnd();
fileRsaParams.Close();
//RSA decrypt 3DES session keyRSACryptoServiceProvider rsa =
new RSACryptoServiceProvider();rsa.FromXmlString(rsaIncludePrivateParamsXML);
byte[] keyPlainBytes = rsa.Decrypt(xmlKeyCipherbytes, false);
//create 3DES algorithm object for bulk encryptionTripleDESCryptoServiceProvider tripleDES =
new TripleDESCryptoServiceProvider();
Get the RSAPrivate key
Decrypt the sessionkey
Prepare to use DESdecryption
95-804 Applied Cryptography Slide 61
//establish crypto stream using 3DES algorithmMemoryStream ms = new MemoryStream(
creditinfoCipherbytes);CryptoStream cs = new CryptoStream(
ms,tripleDES.CreateDecryptor(keyPlainBytes, IV),CryptoStreamMode.Read);
//read creditinfo plaintext from crypto streambyte[] creditinfoPlainbytes =
new Byte[creditinfoCipherbytes.Length];cs.Read(
creditinfoPlainbytes, 0, creditinfoPlainbytes.Length);
cs.Close();ms.Close();
String creditinfoPlaintext = Encoding.UTF8.GetString(creditinfoPlainbytes);
Operate on theSensitive data
Now it’s in theclear
95-804 Applied Cryptography Slide 62
//Create a document fragment. XmlDocumentFragment docFrag = xmlDoc.CreateDocumentFragment(); //Set the contents of the document fragment. docFrag.InnerXml = creditinfoPlaintext;
//Add the children of the document fragment to the //original document. xmlDoc.DocumentElement.AppendChild(docFrag);
Console.WriteLine("Display the modified XML..."); Console.WriteLine(xmlDoc.OuterXml);
XmlElement invoiceTag = (XmlElement)xmlDoc.SelectSingleNode("invoice");
invoiceTag.ReplaceChild(docFrag,xmlEncryptedData);
Rebuild the encrypted document
95-804 Applied Cryptography Slide 63
//write decrypted XML node to fileStreamWriter fileplaintext =
new StreamWriter(decryptedFilename);fileplaintext.Write(xmlDoc.OuterXml);
fileplaintext.Close();
//let the user know what happenedConsole.WriteLine(
"Decrypted XML credit info written to:\n\t" + decryptedFilename);
}}
95-804 Applied Cryptography Slide 64
Web Services SecurityUsing Sun’s Application Server
User Authentication (Security token propagation)Message integrity
Message ConfidentialitySOAP Communications
95-804 Applied Cryptography Slide 65
What is Web Services Security About?
* User Authentication (Security token propagation)* Message integrity* Message Confidentiality* SOAP Communications
95-804 Applied Cryptography Slide 66
Web Services Security
• Web Services Security Language (WSS)
• SOAP extension • Supports multiple security token formats such as X509 certificates
and Kerberos tickets and is extensible.• WS-Security does not imply that a particular protocol is secure
95-804 Applied Cryptography Slide 67
Web Services Security Definitions (from the
Specification)Claim - A claim is a statement that a client makes (e.g. name, identity, key, group, privilege, capability, etc).Security Token - A security token represents a collection of claims.Signed Security Token - A signed security token is a security token that is asserted and cryptographically endorsed by a specific authority (e.g. an X.509 certificate or a Kerberos ticket).A claim can be either endorsed or unendorsed by a trusted authority. A set of endorsed claims is usually represented as a signed security token that is digitally signed or encrypted by the authority. An X.509 certificate, claiming the binding between one's identity and public key, is an example of a signed security token.
95-804 Applied Cryptography Slide 68
Web Services Security Main Elements
<Security> Root - may be present several times for different receivers
<UserNameToken> Used for sending basic authentication <UserName> Required for the UserNameToken element <Password> Used with an underlying secure transport (e.g. SSL)
<SecurityTokenReference> The claims may exist somewhere else. This element may point to an X509 Certtificate
<BinarySecurityToken Id=... EncodingType=... ValueType=.../>
95-804 Applied Cryptography Slide 69
A Bit of Web Services Security Syntax
<S:Envelope> <S:Header> ... <Security S:actor="..." S:mustUnderstand="..."> ... </Security> ... </S:Header> ... </S:Envelope>
Makes extensive use of XML Encryption and XML Digital Signature standards.
95-804 Applied Cryptography Slide 70
An Example Web Services Security Implementation
Examples running with:• JDK1.5• Sun Application Server &• JWSDP1.5 • Security issues handled with configuration files
95-804 Applied Cryptography Slide 71
package simple;
import javax.xml.rpc.*;import javax.xml.namespace.QName;
public class TestClient {
private static final QName portName = new QName("http://xmlsoap.org/Ping", "Ping");
TestClient.java (SOAP Client)
This web service clientwants to execute the Ping web service.
95-804 Applied Cryptography Slide 72
public static void main(String[] args) throws Exception { // Get access to the client side proxy PingService pingService = new PingService_Impl();
// build an endpoint from system properties
String serviceHost = System.getProperty("endpoint.host"); String servicePort = System.getProperty("endpoint.port"); String serviceURLFragment = System.getProperty("service.url"); String serviceURL = "http://" + serviceHost + ":" + servicePort + serviceURLFragment;
95-804 Applied Cryptography Slide 73
System.out.println("Service URL=" + serviceURL);
// Use pingService to get a client side stub PingPort_Ping_Stub stub = (PingPort_Ping_Stub) (pingService.getPing());
// set the URL of the web service stub._setProperty( javax.xml.rpc.Stub.ENDPOINT_ADDRESS_PROPERTY, serviceURL);
// make the call System.out.println("About to ping"); stub.ping(new TicketType(null, "SUNW"), "Hello!"); System.out.println("Ping complete"); }}
95-804 Applied Cryptography Slide 74
PingImpl.java (Server side)
package simple;
import java.io.*;
import javax.xml.rpc.*;import javax.xml.rpc.ServiceException;import javax.xml.rpc.server.ServiceLifecycle;import javax.xml.rpc.server.ServletEndpointContext;
import javax.servlet.ServletContext;
import com.sun.xml.rpc.server.http.ServletEndpointContextImpl;import com.sun.xml.rpc.server.TieBase;import com.sun.xml.rpc.spi.runtime.Tie;
import com.sun.xml.wss.SubjectAccessor;
95-804 Applied Cryptography Slide 75
import javax.security.auth.Subject;import java.util.Set;import java.util.Iterator;
public class PingImpl implements PingPort, ServiceLifecycle {
Object context = null;
public void init(Object context) throws ServiceException { this.context = context; }
// --- implementation of main operation takes a ticket and a message public String ping(TicketType ticket, String message) {
System.out.println("The message is here : " + message); Subject clientSubject = null; try { clientSubject = SubjectAccessor.getRequesterSubject(context); } catch(Exception e) { e.printStackTrace(); }
95-804 Applied Cryptography Slide 76
if (clientSubject != null) { Set principals = clientSubject.getPrincipals(); for (Iterator it = principals.iterator(); it.hasNext();) { System.out.println("Client Principals:" + it.next()); } } else { System.out.println("Client Principal not set"); }
return message + “ Mike!”; }
public String ping0(TicketType ticket, String message) { return ping(ticket, message); }
95-804 Applied Cryptography Slide 77
/* (non-Javadoc) * @see javax.xml.rpc.server.ServiceLifecycle#destroy() */ public void destroy() { // Do nothing } }
95-804 Applied Cryptography Slide 78
<!-- dump-client.xml client side configuration file - NO Security Version--><xwss:JAXRPCSecurity xmlns:xwss="http://java.sun.com/xml/ns/xwss/config"> <xwss:Service> <xwss:SecurityConfiguration dumpMessages="true"/> </xwss:Service> <xwss:SecurityEnvironmentHandler> com.sun.xml.wss.sample.SecurityEnvironmentHandler </xwss:SecurityEnvironmentHandler></xwss:JAXRPCSecurity>
95-804 Applied Cryptography Slide 79
To Run
Install JDK1.5 (with RSA support)
Install Sun’s Application Server PE8
Install JWSDP1.5
Start up the application server
asadmin start-domain domain1
C:\Sun\jwsdp-1.5\xws-security\samples\simple>asant run-sample
95-804 Applied Cryptography Slide 80
No Security SOAP Going to Service
Running the simple.TestClient program.... Service URL=http://localhost:8080/securesimple/Ping About to ping Apr 9, 2005 10:17:52 AM com.sun.xml.wss.filter.DumpFilter process INFO: ==== Sending Message Start ==== <?xml version="1.0" encoding="UTF-8"?> <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:enc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:ns0="http://xmlsoap.org/Ping" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <env:Body> <ns0:Ping> <ns0:ticket>SUNW</ns0:ticket> <ns0:text>Hello!</ns0:text> </ns0:Ping> </env:Body> </env:Envelope>
95-804 Applied Cryptography Slide 81
SOAP Response <?xml version="1.0" encoding="UTF-8"?> <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:enc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:ns0="http://xmlsoap.org/Ping" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <env:Body> <ns0:PingResponse> <ns0:text>Hello! Mike!</ns0:text> </ns0:PingResponse> </env:Body> </env:Envelope> Ping complete
95-804 Applied Cryptography Slide 82
Configure the client to sign<!-- sign-client.xml – Same tags as before except the part in blue --><xwss:JAXRPCSecurity xmlns:xwss="http://java.sun.com/xml/ns/xwss/config">
<xwss:Service> <xwss:SecurityConfiguration dumpMessages="true"> <!-- Note that in the <Sign> operation, a Timestamp is exported in the security header and signed by default. --> <xwss:Sign> <xwss:X509Token certificateAlias="xws-security-client"/> </xwss:Sign>
95-804 Applied Cryptography Slide 83
<!-- Signature requirement. No target is specified, hence the soap body is expected to be signed. Also, by default, a Timestamp is expected to be signed. --> <xwss:RequireSignature/> </xwss:SecurityConfiguration> </xwss:Service>
<xwss:SecurityEnvironmentHandler> com.sun.xml.wss.sample.SecurityEnvironmentHandler </xwss:SecurityEnvironmentHandler>
</xwss:JAXRPCSecurity>
95-804 Applied Cryptography Slide 84
Tell server to check the signature
<!-- sign-server tells the server to check the signature Server-side config --><xwss:JAXRPCSecurity xmlns:xwss="http://java.sun.com/xml/ns/xwss/config">
<xwss:Service> <xwss:SecurityConfiguration dumpMessages="true"> <xwss:Sign/> <xwss:RequireSignature/> </xwss:SecurityConfiguration> </xwss:Service>
<xwss:SecurityEnvironmentHandler> com.sun.xml.wss.sample.SecurityEnvironmentHandler </xwss:SecurityEnvironmentHandler>
</xwss:JAXRPCSecurity>
95-804 Applied Cryptography Slide 85
Signed SOAP Request
Service URL=http://localhost:8080/securesimple/Ping About to ping Apr 9, 2005 11:27:18 AM com.sun.xml.wss.filter.DumpFilter process INFO: ==== Sending Message Start ====
<?xml version="1.0" encoding="UTF-8"?> <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:enc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:ns0="http://xmlsoap.org/Ping" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
95-804 Applied Cryptography Slide 86
<env:Header> <wsse:Security xmlns:wsse= "http://docs.oasis-open.org/wss/2004/01/ oasis-200401-wss-wssecurity-secext-1.0.xsd" env:mustUnderstand="1"> <wsse:BinarySecurityToken xmlns:wsu= "http://docs.oasis-open.org/wss/2004/01/ oasis-200401-wss-wssecurity-utility-1.0.xsd" EncodingType= "http://docs.oasis-open.org/wss/2004/01/ oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType= "http://docs.oasis-open.org/wss/2004/01/ oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="Id5125092215767425665"> MIIDWTCCAsKgAwIBAgIBAjANBgkqhkiG 9w0BAQQFADB0MQswCQYDVQQGEwJ OQTELMAkGA1UECBMC large truncation for slides </wsse:BinarySecurityToken>
95-804 Applied Cryptography Slide 87
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm= "http://www.w3.org/2001/10/xml-exc-c14n#"/> <ds:SignatureMethod Algorithm= "http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> <ds:Reference URI="#Id4800076074773895559"> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2001/10/ xml-exc-c14n#"/> </ds:Transforms> <ds:DigestMethod Algorithm= "http://www.w3.org/2000/09/xmldsig#sha1"/> <ds:DigestValue>WU8ei/UnbaccmyhdcgqIWlbTUKA= </ds:DigestValue> </ds:Reference>
95-804 Applied Cryptography Slide 88
<ds:Reference URI="#Id-6392346557835507110"> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> <ds:DigestValue>eOcD6/Dw0Ap+UHFoVhtVwWE/yD4=</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue> R/K5w3J5/kTTyh7zV4uNDQztfFDYPXxjWnuKRLnjcIcc6ekBrPJkjwcfA CiOXXp7r8/jThn1nevpWxV7qf3O955iGpjxiPuzJXh7QoUJXRlddt3CVO o2+377JO5Gl08PnyEj6ucFnIX26mKXo1urccys YEPBABPlFS07ACEkXGU= </ds:SignatureValue>
95-804 Applied Cryptography Slide 89
<ds:KeyInfo> <wsse:SecurityTokenReference> <wsse:Reference URI="#Id5125092215767425665" ValueType="http://docs.oasis-open.org/wss/2004/01/ oasis-200401-wss-x509-token-profile-1.0#X509v3"/> </wsse:SecurityTokenReference> </ds:KeyInfo> </ds:Signature> <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/ oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Id-6392346557835507110"> <wsu:Created>2005-04-09T15:27:03Z</wsu:Created> <wsu:Expires>2005-04-09T15:32:03Z</wsu:Expires> </wsu:Timestamp> </wsse:Security> </env:Header>
95-804 Applied Cryptography Slide 90
<env:Body xmlns:wsu= "http://docs.oasis-open.org/wss/2004/01/ oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Id4800076074773895559"> <ns0:Ping> <ns0:ticket>SUNW</ns0:ticket> <ns0:text>Hello!</ns0:text> </ns0:Ping> </env:Body> </env:Envelope>
95-804 Applied Cryptography Slide 91
SOAP Response <?xml version="1.0" encoding="UTF-8"?> <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:enc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:ns0="http://xmlsoap.org/Ping" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <env:Header> <wsse:Security xmlns:wsse= "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" env:mustUnderstand="1"> <wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="Id-2811617958072086928">MIIDWTCCAsKgAwIBAgIBATANBgkqhki G9w0BAQQFADB0MQswCQYDVQQGEw TkExCzAJBgNVBAcTAk5BMQswCQYDV Truncated for slides </wsse:BinarySecurityToken>
95-804 Applied Cryptography Slide 92
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> <ds:Reference URI="#Id-2759303837586178391"> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> <ds:DigestValue>+wIvYh7do417KoMegTdIsceVwa4=</ds:DigestValue> </ds:Reference> <ds:Reference URI="#Id-6781605803276963"> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> <ds:DigestValue>LmLfuY64iaJ1GNm2tYFVxbGrFO8=</ds:DigestValue> </ds:Reference> </ds:SignedInfo>
95-804 Applied Cryptography Slide 93
<ds:SignatureValue> kSzWeh29OTfPhYl1/+8RM2z2puuWXrfJLU6k+8MlC0PRYljt279NzSVgWUuKsCjYEggAtY6OEKIC hvNp18NQ3Im2NOb35vsFCzc4GQkIm8jn70TF9YF+vEYx5xX39f7mV96YMuwWfebYAAS/AEOnx/zh /YNfPT6l5oSdd2l5OzI= </ds:SignatureValue> <ds:KeyInfo> <wsse:SecurityTokenReference> <wsse:Reference URI="#Id-2811617958072086928" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/> </wsse:SecurityTokenReference> </ds:KeyInfo> </ds:Signature> <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Id-6781605803276963"> <wsu:Created>2005-04-09T15:27:44Z</wsu:Created> <wsu:Expires>2005-04-09T15:32:44Z</wsu:Expires> </wsu:Timestamp> </wsse:Security> </env:Header>
95-804 Applied Cryptography Slide 94
<env:Body xmlns:wsu= "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Id-2759303837586178391"> <ns0:PingResponse> <ns0:text>Hello! Mike!</ns0:text> </ns0:PingResponse> </env:Body> </env:Envelope>
95-804 Applied Cryptography Slide 95
Tell The Client to Encrypt<xwss:JAXRPCSecurity xmlns:xwss="http://java.sun.com/xml/ns/xwss/config">
<xwss:Service> <xwss:SecurityConfiguration dumpMessages="true"> <!-- Since no targets have been specified below, the contents of the soap body would be encrypted by default. --> <xwss:Encrypt> <xwss:X509Token certificateAlias="s1as"/> </xwss:Encrypt> </xwss:SecurityConfiguration> </xwss:Service>
<xwss:SecurityEnvironmentHandler> com.sun.xml.wss.sample.SecurityEnvironmentHandler </xwss:SecurityEnvironmentHandler>
</xwss:JAXRPCSecurity>
95-804 Applied Cryptography Slide 96
Tell the server to require encryption
<xwss:JAXRPCSecurity xmlns:xwss="http://java.sun.com/xml/ns/xwss/config">
<xwss:Service> <xwss:SecurityConfiguration dumpMessages="true"> <!-- Encryption requirement. As no target is specified, the contents of the soap body of the request are expected to be encrypted. --> <xwss:RequireEncryption/> </xwss:SecurityConfiguration> </xwss:Service>
<xwss:SecurityEnvironmentHandler> com.sun.xml.wss.sample.SecurityEnvironmentHandler </xwss:SecurityEnvironmentHandler>
</xwss:JAXRPCSecurity>
95-804 Applied Cryptography Slide 97
Encrypted Request <?xml version="1.0" encoding="UTF-8"?> <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:enc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:ns0="http://xmlsoap.org/Ping" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <env:Header> <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" env:mustUnderstand="1"> <wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="Id-6842673312555922560">MIIDWTCCAsKgAwIBAgIBATANBgkqhki G9w0BAQQFADB0MQswCQYDVQQGEw Large truncation for slides
95-804 Applied Cryptography Slide 98
</wsse:BinarySecurityToken> <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"> <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/> <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <wsse:SecurityTokenReference> <wsse:Reference URI="#Id-6842673312555922560" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/> </wsse:SecurityTokenReference> </ds:KeyInfo> <xenc:CipherData> <xenc:CipherValue>KB79tvoF6Bu7JeL2Re6iGG8 BhdhOFcZiNDJrJNe8lV3GE6 Sk+s453IF3GFpmkmQttPhzH1D HKQ+2nFjIWPdyZObK3cVyDf rox7Ysjbfuo4TNwElHvKtnGVNb cQIGWiwyxHIZCjqCdF8LM8E1 gCZgYSaRh3V48VMlOsfZ8RCR Vjw= </xenc:CipherValue> </xenc:CipherData>
95-804 Applied Cryptography Slide 99
<xenc:ReferenceList> <xenc:DataReference URI="#Id7870285788177789579"/> </xenc:ReferenceList> </xenc:EncryptedKey> </wsse:Security> </env:Header> <env:Body> <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="Id7870285788177789579" Type="http://www.w3.org/2001/04/xmlenc#Content"> <xenc:EncryptionMethod Algorithm= "http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/> <xenc:CipherData> <xenc:CipherValue> SL1G08+bGFaqEOefJWtBpOipgkvs8i7JWNwoGum5TO EyZkStSKav/lYygoC5/ji11rccnQWNq/Tg1eYX52UTalAS Large truncation for slides </xenc:CipherValue> </xenc:CipherData> </xenc:EncryptedData> </env:Body> </env:Envelope>
95-804 Applied Cryptography Slide 100
SOAP Response <?xml version="1.0" encoding="UTF-8"?> <env:Envelope xmlns:env= "http://schemas.xmlsoap.org/soap/envelope/" xmlns:enc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:ns0="http://xmlsoap.org/Ping" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <env:Body> <ns0:PingResponse> <ns0:text>Hello! Mike!</ns0:text> </ns0:PingResponse> </env:Body> </env:Envelope>
95-804 Applied Cryptography Slide 101
Tell the client to send a username/password
<xwss:JAXRPCSecurity xmlns:xwss="http://java.sun.com/xml/ns/xwss/config">
<xwss:Service> <xwss:SecurityConfiguration dumpMessages="true"> <!-- Default: Digested password will be sent. --> <xwss:UsernameToken name="Ron" password="noR"/> </xwss:SecurityConfiguration> </xwss:Service>
<xwss:SecurityEnvironmentHandler> com.sun.xml.wss.sample.SecurityEnvironmentHandler </xwss:SecurityEnvironmentHandler>
</xwss:JAXRPCSecurity>
95-804 Applied Cryptography Slide 102
Username/Password Request<?xml version="1.0" encoding="UTF-8"?> <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:enc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:ns0="http://xmlsoap.org/Ping" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <env:Header> <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" env:mustUnderstand="1">
95-804 Applied Cryptography Slide 103
<wsse:UsernameToken> <wsse:Username>Ron</wsse:Username> <wsse:Password>****</wsse:Password> <wsse:Nonce EncodingType= "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"> yk/r/wJ0Ny/vbkm9OKpZwR6s </wsse:Nonce> <wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"> 2005-04-09T20:48:40Z </wsu:Created> </wsse:UsernameToken> </wsse:Security> </env:Header> <env:Body> <ns0:Ping> <ns0:ticket>SUNW</ns0:ticket> <ns0:text>Hello!</ns0:text> </ns0:Ping> </env:Body> </env:Envelope>
95-804 Applied Cryptography Slide 104
SOAP Response <?xml version="1.0" encoding="UTF-8"?> <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:enc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:ns0="http://xmlsoap.org/Ping" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <env:Body> <ns0:PingResponse> <ns0:text>Hello! Mike!</ns0:text> </ns0:PingResponse> </env:Body> </env:Envelope>