Securing web services with WCF and Cryptographic hardware

Internship report by Filippe BORTELS, candidate for the degree of Professional Bachelor in Electronics-ICT, specialisation ICT. Promoters: Prof. Dr. Rer. Nat. U. HEUERT, Prof. Ing. M. WAUTERS. Academic year 2007 – 2008. Reference: E08_S_ELO-ICT_ICT_01_BortelsFilippe


Preface

As a final-year ICT student I got the opportunity to do a foreign work placement as part of an Erasmus project. I had the choice among several countries such as Spain, Denmark, the Czech Republic, ... but I took my interest in Germany, for this country has a well-developed industry, especially in the field of information and communication technology. Moreover, the German language and culture have fascinated me for quite a long time. It became clear on arrival that going to East Germany was a wise decision. The international office at the Hochschule Merseburg gave me a very warm welcome and arranged a comfortable and well-organized stay.

To accomplish this project I would like to thank first of all my promoter Prof. Dr. rer. nat. U. Heuert for his professional support and for the great time we spent together. I would also like to give many thanks to my promoter from Belgium, Mr. M. Wauters, for his durable advice and support during my stay in Merseburg.

Besides work there was time for recreation. Many trips were planned for the foreign students, which were all a unique experience. Especially I would like to mention the buddies for their organisation and my fellow students for giving me an unforgettable time. Most certainly also a word of thanks to my dear friend Jef Vrijsen, who gave me support during my internship, and for the fantastic time we spent together the last 3 months. I also owe many thanks to my family, especially to my mother, for supporting me, giving advice and encouraging me to go on this adventure. Last but not least I would like to thank my girlfriend Sofie Böhme, whom I met during my internship, for always being at my side, helping me out with German translations and for the wonderful time we have together.

Filippe Bortels, May 2008


Table of contents

1 Introduction ..... 7
2 Project overview ..... 8
  2.1 Scheme ..... 8
  2.2 Scheme explanation ..... 9
3 WCF ..... 10
  3.1 Introduction WCF ..... 10
  3.2 Features of Windows Communication Foundation ..... 12
    3.2.1 ABC of WCF ..... 12
    3.2.2 Security in WCF ..... 13
4 Comparison WCF / .NET 3.5 and WSE 2.0 / .NET 1.1 ..... 16
  4.1 WSE 2.0 / .NET 1.1 ..... 16
  4.2 Differences between WSE 2.0 and WCF ..... 17
5 Web standards / models ..... 19
  5.1 Web models ..... 19
    5.1.1 Service Oriented Architecture ..... 19
    5.1.2 Cryptography ..... 20
  5.2 Web standards ..... 21
    5.2.1 OASIS ..... 21
    5.2.2 W3C ..... 23
6 Certificates ..... 24
  6.1 Certificate ..... 24
    6.1.1 Certificate properties ..... 24
    6.1.2 Working with certificates ..... 27
  6.2 Public Key Infrastructure ..... 32
7 Hardware and software pre-requisites ..... 36
  7.1 Cryptographic hardware ..... 36
  7.2 Client side installation ..... 37
    7.2.1 CyberJack device manager ..... 37
    7.2.2 SafeSign ..... 38
  7.3 Server side installation ..... 40
8 Program code ..... 42
  8.1 Client side ..... 42
  8.2 Server side ..... 54
  8.3 Problems when running the applications ..... 58
9 Conclusion ..... 59
10 References ..... 60
  10.1 Web sites ..... 60
    10.1.1 WCF ..... 60
    10.1.2 WSE 2.0, comparison WCF with WSE 2.0 ..... 61
    10.1.3 Web standards, standardizing organizations ..... 61
    10.1.4 Cryptography and cryptographic technologies ..... 63
  10.2 PDFs and PowerPoints ..... 64
    10.2.1 PDFs ..... 64
    10.2.2 PowerPoints ..... 64
11 Appendix ..... 65
  11.1 Abbreviations ..... 65


  11.2 List of figures ..... 66
  11.3 List of code fragments ..... 67


1 Introduction

This thesis is meant as guidance for students who will work with (WCF) web services in the future. My project, building a secure web service in the .NET framework with WCF, is a modernisation of the 2005 project of my predecessor, Filip Van Lerberg. His task was to build a secure web service in the .NET framework with WSE 2.0.

A first and good question to ask yourself is: why use web services? Since the creation of the World Wide Web, it has become more important every year. A life without the internet is almost unthinkable. Today almost every computer is linked to the internet or to a Local Area Network. Most programs need it to stay up to date, and besides, it is the best source of information. The internet is also a good way to create a program that can be used by more than one user. Example: an application made for booking a flight. A lot of tourists will use the program and the information will be sent to the tour operator. Instead of installing the program on each client computer, it is easier to use a server that is accessible to all of the clients. So all clients use the same application: the web service. The advantage of a web service is that when it has to be modified, only one program has to be changed. Another advantage is the world-wide accessibility.

A second question to ask: why use security measures? Working with the internet requires some caution. Of course nobody wants their personal information to be viewed, altered or used by other people, so there is definitely a need for security when sending information. The security of my project is realised with certificates that are stored on hardware equipment. For the server an HSM from nCipher is used to keep the server certificate with its stored keys secure from other applications. On the client's side a smartcard reader from ReinerSCT is used to store the client certificate. It is also possible to protect the keys with software instead of hardware.

The reason hardware protection is used is that with hardware equipment it is far more difficult to approach or steal the stored keys, which makes the application more secure. With software protection it is possible that the keys are stored in temporary folders; if certain (unwanted) programs are installed on a computer, the keys can be extracted and sent to other computers, so that the applied security can be bypassed by attackers. The software protection level also depends on other security levels, such as the security level of the operating system. High software protection for the keys combined with low security for the operating system results in poor protection and makes it easy to access and extract the keys. Hardware security modules, on the other hand, use their own memory and CPU for working with keys, so the keys never leave the HSM. Those keys are not accessible to other programs, and the HSM has a higher tamper protection, thus providing a high level of security.

Then why not always use hardware security? Hardware security is more complex and therefore more expensive than software security, and sometimes software security is more than enough for an application. Also, because hardware security is more secure, it is more difficult for the application that needs the keys to access them. During programming an error often appeared stating that the private key was not accessible to the program.


2 Project overview

2.1 Scheme


2.2 Scheme explanation

For this project a service application and a client application must be built. Both applications are programmed in C# with Visual Studio 2008 and are built from scratch. The centre of this project is the applied security, so both applications are fairly simple.

The client program is responsible for calling the web service (sending a request) over HTTP (Hypertext Transfer Protocol). HTTP is a protocol for sending and receiving hypertext pages. In most cases HTTP runs over a TCP (Transmission Control Protocol) connection; another possible connection is UDP (User Datagram Protocol). TCP is preferred because it sends the data in small packets in chronological order, which is important for file transfer and e-mail. However, these two protocols have no security measures built in. The reason is that when the Internet came into world-wide use around 1990, there was no need for security because of its complexity and the little knowledge users had about it. In later years the Internet grew faster (and is still growing today). The whole world now uses the internet with better technology and thus with more advanced applications; therefore secure connections are needed. Nowadays there are many different ways to implement security, and the choice depends on the application. In this project certificates are used for secure transactions; for more information about certificates see Chapter 6 Certificates.

For better security the certificates are stored on hardware equipment. On the client side a smartcard with a smartcard reader is used. To access the client certificate the SafeSign CSP (Cryptographic Service Provider) is used. The CSP makes sure that the private key is only accessible to the application when the correct PIN (Personal Identification Number) is entered on the PIN pad. On the server side, an HSM (Hardware Security Module) from nCipher is used for safe storage of the server certificate. The HSM has its own processor for working with the keys, so the private key does not leave the HSM and the protection level is higher.

How does this project work? The client application sends a request to the web service. This request (data) is signed with the client certificate, encrypted with the public key of the server certificate and converted into an XML structure called SOAP (Simple Object Access Protocol, see Chapter 3.1 Introduction WCF). The SOAP message is sent to the service over HTTP. At the server the received SOAP message is decrypted with the private key of the server certificate and the data are processed. The service returns a response, depending on the application and the data received. The response can be signed by the service, but this is not always necessary.

How do all these protocols and standards fit together to perform their task? WCF (Windows Communication Foundation) is the platform used to interact with the different protocols and standards, combine them and make the application work in the desired way.


3 WCF

3.1 Introduction WCF

WCF stands for Windows Communication Foundation and was formerly called Indigo. The WCF model is a set of .NET 3.0/3.5 technologies that combines several communication programming models that already existed in the .NET 2.0 framework. The idea behind WCF is to facilitate communication between applications. In the .NET 2.0 framework you had the choice between the existing communication models: Web services, .NET Remoting, Distributed Transactions and Message Queues. Before building a web service it was very important to know which communication model you were going to use. The problem was that once you had chosen a specific model you were not able to use any of the features of the other models, so your possibilities were limited. There was a definite need for a model that covered all features of the different communication models, so that building communication between applications no longer relied on only one of them. Windows Communication Foundation was the result. With WCF it is possible to use the features of all the different models without being restricted to one of them.

WCF is a SOAP-based model. SOAP stands for Simple Object Access Protocol and is an XML-based message format. SOAP is designed for simple, structured information exchange between applications. The data is structured in an XML document through tags. The XML document is made in such a way that it is readable on its own, which makes finding information much easier for the viewer. The XML document can be read by many different applications on different systems, so it is a uniform data format that is suitable for sending information between applications. SOAP consists of an Envelope element, encoding rules and an RPC representation. The SOAP envelope contains two sub-elements: the Header element (optional) and the Body element. In the Header element, data are stored that do not depend on the application, such as how to handle the message. The Body element contains the data that is transmitted from one application to the other and therefore differs from application to application. The SOAP encoding rules describe how the programming language of the application should interpret the data in the document. Remote Procedure Call (RPC): a client sends a request to a service, thereby invoking a procedure; the service returns an answer to the client's request. The current version of SOAP is 1.2, which has some slight differences from SOAP 1.1.


SOAP Message example:

Fig 1. Soap message example

This example is a short SOAP message. The elements that make up a SOAP message (Envelope, Header, Body) are marked with a green rectangle. It is possible that there are more sub-elements between the Header and Body elements.
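As an added example (not the thesis's own code), the following C# program builds a small SOAP 1.2 envelope with the Envelope/Header/Body structure described above and reads it back, telling SOAP 1.1 and 1.2 apart by the Envelope namespace; the booking operation and its namespace are constructed for the example.

```csharp
// Added example: build a minimal SOAP 1.2 envelope and read it back,
// separating the optional Header from the mandatory Body.
// The operation and the "urn:example:booking" namespace are constructed.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Xml.Linq;

public static class SoapEnvelopeDemo
{
    // SOAP 1.1 and SOAP 1.2 are told apart by the Envelope namespace.
    static readonly XNamespace Soap11 = "http://schemas.xmlsoap.org/soap/envelope/";
    static readonly XNamespace Soap12 = "http://www.w3.org/2003/05/soap-envelope";
    // Constructed namespace for the example flight-booking service.
    static readonly XNamespace App = "urn:example:booking";

    public static XDocument BuildRequest(string flightNumber, int seats)
    {
        // Header: processing instructions independent of the application
        // (here a constructed MessageId block the receiver must understand).
        // Body: the application data, i.e. the actual request.
        return new XDocument(
            new XElement(Soap12 + "Envelope",
                new XAttribute(XNamespace.Xmlns + "soap", Soap12),
                new XElement(Soap12 + "Header",
                    new XElement(App + "MessageId",
                        new XAttribute(Soap12 + "mustUnderstand", "true"),
                        Guid.NewGuid().ToString())),
                new XElement(Soap12 + "Body",
                    new XElement(App + "BookFlight",
                        new XElement(App + "FlightNumber", flightNumber),
                        new XElement(App + "Seats", seats)))));
    }

    public static string Describe(string xml)
    {
        XDocument doc = XDocument.Parse(xml);
        XElement envelope = doc.Root;
        XNamespace ns = envelope.Name.Namespace;
        string version = ns == Soap12 ? "SOAP 1.2" : ns == Soap11 ? "SOAP 1.1" : "unknown";
        if (envelope.Name.LocalName != "Envelope" || version == "unknown")
            throw new FormatException("Not a SOAP envelope.");

        // The Body is mandatory and carries the application data.
        XElement body = envelope.Element(ns + "Body");
        if (body == null)
            throw new FormatException("SOAP Body is mandatory.");

        // The Header is optional; it may carry any number of header blocks.
        XElement header = envelope.Element(ns + "Header");
        var headerBlocks = new List<string>();
        if (header != null)
        {
            foreach (XElement h in header.Elements())
            {
                // mustUnderstand lives in the envelope namespace ("true" or "1").
                XAttribute mu = h.Attribute(ns + "mustUnderstand");
                bool mustUnderstand = mu != null && (mu.Value == "true" || mu.Value == "1");
                headerBlocks.Add(h.Name.LocalName + (mustUnderstand ? " (mustUnderstand)" : ""));
            }
        }

        XElement operation = body.Elements().First();
        return string.Format("{0}; header blocks: [{1}]; operation: {2}",
            version, string.Join(", ", headerBlocks), operation.Name.LocalName);
    }

    public static void Main()
    {
        string xml = BuildRequest("BT-2008", 2).ToString();
        Console.WriteLine(xml);
        Console.WriteLine(Describe(xml));
    }
}
```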


3.2 Features of Windows Communication Foundation

3.2.1 ABC of WCF

The ABC is fundamental for building a WCF web service. It defines how an endpoint is composed. The endpoint can be composed either in code or through configuration. Configuration is used most, because the endpoint can then be adjusted without changing the code.

• A: address. The address is the place (URI) where the application looks when calling the service. It is also possible for the service to have more than one address; in this way there are more binding possibilities, which makes the service more flexible. The available address protocols for WCF are: HTTP, TCP, NamedPipe, Peer2Peer, MSMQ.

• B: binding. The binding defines the transport, in other words how the client application and the service communicate with each other. The bindings specify the transport, encoding and protocol details of the client and service application. In WCF there are many different binding types, each with their own properties: some have better security, others are easier to use, ... Besides the binding types offered by WCF, it is possible to create your own custom binding.

Binding class name        Transport     Message encoding  Message version     Security mode
BasicHttpBinding          HTTP          Text              SOAP 1.1            None
WSHttpBinding             HTTP          Text              SOAP 1.2, WS-A 1.0  Message
WSDualHttpBinding         HTTP          Text              SOAP 1.2, WS-A 1.0  Message
WSFederationHttpBinding   HTTP          Text              SOAP 1.2, WS-A 1.0  Message
NetTcpBinding             TCP           Binary            SOAP 1.2            Transport
NetPeerTcpBinding         P2P           Binary            SOAP 1.2            Transport
NetNamedPipeBinding       Named Pipes   Binary            SOAP 1.2            Transport
NetMsmqBinding            MSMQ          Binary            SOAP 1.2            Message
MsmqIntegrationBinding    MSMQ          /                 /                   Transport
CustomBinding             You decide    You decide        You decide          You decide

These are the default values for the different bindings. In some cases the properties can be changed, for example: with WSHttpBinding the security mode can be set to Transport or to TransportWithMessageCredential.

• C: contract. The contract tells what the service actually does: it specifies what an endpoint communicates to the outside world. It is a reference to the class used by the service application.


3.2.2 Security in WCF

As explained earlier, WCF is a SOAP-based model. For a secure environment the message must be secured in order to keep the data protected from malicious users. A big advantage of WCF is that it builds on existing security such as Windows integrated security, HTTPS and user name/password authentication. WCF security is based on security standards for SOAP messages and on that existing security. To obtain a secure 'world', WCF provides: service endpoint authentication, client principal authentication, message integrity, message confidentiality and replay detection. Services built with WCF can be used on local networks (intranet) as well as on the world wide web (Internet). For both types of network there are different ways of authentication, so WCF must support both sets of security standards. WCF web services can be hosted on different platforms and must be able to communicate with each other. WCF realises all these security measures by using different binding types (see Chapter 3.2.1 ABC of WCF).

Security in WCF is divided into three sections: transfer security, access control and auditing. Transfer security contains message integrity (checking whether the message has been altered), message confidentiality (encryption of the message with cryptography) and authentication (checking the claimed identity). Within transfer security there are three security modes: Transport, Message and TransportWithMessageCredential.

• Transport mode: this mode uses transport protocols for security, such as SSL. The advantage is that it is easy to use and implement; the disadvantage is that it only secures the message point-to-point.

• Message mode: here WS-Security is used for securing the message. The advantage is that the security is applied to the SOAP message itself (protocol independent), thereby protecting the data end-to-end (from the client application to the service application). The disadvantage is that it is more complex and slower than Transport mode.

• TransportWithMessageCredential mode: this mode combines the two previous modes. The transport authenticates the server and the message credential authenticates the client. The advantage is that this mode is as fast as Transport mode while still using message credentials. The disadvantage is that it is not end-to-end security like Message mode.


For each of these modes you can specify different client credential types for authentication. Transport mode client credential types:

Setting       Description
None          Specifies that the client does not need to present any credential. This translates to an anonymous client.
Basic         Specifies basic authentication for the client.
Digest        Specifies digest authentication for the client.
Ntlm          Specifies NT LAN Manager (NTLM) authentication. This is used when you cannot use Kerberos authentication for some reason. You can also disable its use as a fallback by setting the AllowNtlm property to false, which causes WCF to make a best effort to throw an exception if NTLM is used. Note that setting this property to false may not prevent NTLM credentials from being sent over the wire.
Windows       Specifies Windows authentication. To specify only the Kerberos protocol on a Windows domain, set the AllowNtlm property to false (the default is true).
Certificate   Performs client authentication using an X.509 certificate.
Password      The user must supply a user name and password. Validate the user name/password pair using Windows authentication or another custom solution.

Message mode client credential types:

Setting       Description
None          Specifies that the client does not need to present a credential. This translates to an anonymous client.
Windows       Allows SOAP message exchanges to occur under the security context established with a Windows credential.
Username      Allows the service to require that the client be authenticated with a user name credential. Note that WCF does not allow any cryptographic operations with user names, such as generating a signature or encrypting data. WCF ensures that the transport is secured when using user name credentials.
Certificate   Allows the service to require that the client be authenticated using an X.509 certificate.
Issued Token  A custom token type configured according to a security policy. The default token type is Security Assertions Markup Language (SAML). The token is issued by a secure token service.
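The following C# code is an added example (not the thesis's own code, which appears in Chapter 8) showing how the ABC of 3.2.1 and the Message security mode with Certificate client credentials of 3.2.2 are expressed in code, on both the service and the client side; the contract, the addresses and the certificate subject names are placeholders.

```csharp
// Added example: endpoint built from the ABC (address, binding, contract) with
// WSHttpBinding in Message mode and X.509 credentials on both sides.
// Contract, addresses and certificate subject names are placeholders.
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

[ServiceContract(Namespace = "urn:example:booking")]   // placeholder namespace
public interface IBookingService
{
    [OperationContract]
    string BookFlight(string flightNumber, int seats);
}

public class BookingService : IBookingService
{
    public string BookFlight(string flightNumber, int seats)
    {
        // In Message mode the identity from the client's certificate is available here.
        return string.Format("{0} seat(s) on {1} booked for {2}",
            seats, flightNumber, ServiceSecurityContext.Current.PrimaryIdentity.Name);
    }
}

public static class BindingSetup
{
    // B: binding. Message mode = WS-Security applied to the SOAP message itself
    // (end-to-end); the client is authenticated with an X.509 certificate.
    public static WSHttpBinding CreateMessageSecurityBinding()
    {
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;
        // Signing and encryption of the SOAP message are then done by WCF itself.
        return binding;
    }

    public static ServiceHost HostService()
    {
        var host = new ServiceHost(typeof(BookingService),
            new Uri("http://localhost:8000/booking"));          // A: address (placeholder)
        host.AddServiceEndpoint(typeof(IBookingService),         // C: contract
            CreateMessageSecurityBinding(), "secure");           // B: binding

        // Service certificate: its private key decrypts incoming requests, so it
        // belongs in a protected key store (in the thesis: the HSM's CSP).
        host.Credentials.ServiceCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My,
            X509FindType.FindBySubjectName, "booking-service.example"); // placeholder

        // Accept only client certificates that chain to a trusted CA and are not
        // revoked; X509CertificateValidationMode.None is for test benches only.
        host.Credentials.ClientCertificate.Authentication.CertificateValidationMode =
            X509CertificateValidationMode.ChainTrust;
        host.Credentials.ClientCertificate.Authentication.RevocationMode =
            X509RevocationMode.Online;
        return host;
    }

    public static ChannelFactory<IBookingService> CreateClientFactory()
    {
        var factory = new ChannelFactory<IBookingService>(
            CreateMessageSecurityBinding(),
            new EndpointAddress(new Uri("http://localhost:8000/booking/secure"),
                EndpointIdentity.CreateDnsIdentity("booking-service.example"))); // placeholder

        // Client certificate: when its private key is needed to sign the request,
        // the CSP (e.g. a smart card CSP) asks for the PIN.
        factory.Credentials.ClientCertificate.SetCertificate(
            StoreLocation.CurrentUser, StoreName.My,
            X509FindType.FindBySubjectName, "client-user.example");     // placeholder
        // Service certificate (public key only) used to encrypt the request.
        factory.Credentials.ServiceCertificate.SetDefaultCertificate(
            StoreLocation.CurrentUser, StoreName.TrustedPeople,
            X509FindType.FindBySubjectName, "booking-service.example"); // placeholder
        factory.Credentials.ServiceCertificate.Authentication.CertificateValidationMode =
            X509CertificateValidationMode.ChainTrust;
        return factory;
    }
}
```

Opening the host (`HostService().Open()`) and creating a channel from the factory requires the placeholder certificates to exist in the named stores; the same settings can equally be placed in app.config / web.config.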


Access control or authorization defines who is allowed / restricted to view the information. In WCF there are different access control models, each with their specific properties and usage.

• PrincipalPermissionAttribute: limits access to a service method; the caller's identity can be used to get access.

• ASP.NET Membership Provider: access is restricted to users who have a valid user name and password in the included database.

• ASP.NET Role Provider: the developer is able to create roles and assign them to users.

• Authorization Manager: individual operations can be grouped into tasks. It can also check whether the user may perform a task.

• Identity Model: policies and claims can be managed to authorize clients.

The auditing features enable or disable the logging of security events. You can choose to log failures, successes or both. This is useful for detecting attacks and also for debugging and finding problems regarding security. There are two levels that can be set: the service authorization level, at which a caller is authorized, and the message level, at which WCF checks message validity and authenticates the caller. It is important to set the SuppressAuditFailure property to true, because a malicious user could otherwise send wrong messages in order to change the audit entries, causing the auditing system to fail.

In WCF it is possible to impersonate and delegate a client. Impersonation is a method used to restrict access to the service: the service uses the credentials of the client. With delegation it is possible to perform impersonation without the password. Both impersonation and delegation require that the client has a Windows identity. Impersonation can be set separately for the different operation contracts.

Fig 2. Impersonation of Operation Contracts

It is also possible to impersonate all the operation contracts:

    ServiceAuthorizationBehavior myServiceAuthorizationBehavior =
        serviceHost.Description.Behaviors.Find<ServiceAuthorizationBehavior>();
    myServiceAuthorizationBehavior.ImpersonateCallerForAllOperations = true;

Fig 3. Impersonate all Operation Contracts
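An added C# example (not from the thesis) of the auditing settings and the per-operation impersonation described above, with the client-side setting that decides how far the service may use the caller's identity; the contract, address and file path are placeholders.

```csharp
// Added example: security auditing on the host, impersonation on a single
// operation, and the client-side impersonation level. Contract, address and
// path are placeholders.
using System;
using System.Security.Principal;
using System.ServiceModel;
using System.ServiceModel.Description;

[ServiceContract]
public interface IFileService
{
    [OperationContract]
    string WhoAmI();

    [OperationContract]
    string ReadProtectedFile(string path);
}

public class FileService : IFileService
{
    // No impersonation: runs under the identity of the service process.
    public string WhoAmI()
    {
        return WindowsIdentity.GetCurrent().Name;
    }

    // Impersonation for this operation only: the file is opened with the
    // caller's Windows identity, so the file system's access control applies
    // to the caller rather than to the service account.
    [OperationBehavior(Impersonation = ImpersonationOption.Required)]
    public string ReadProtectedFile(string path)
    {
        return System.IO.File.ReadAllText(path);
    }
}

public static class AuditedHost
{
    static NetTcpBinding WindowsBinding()
    {
        // Impersonation needs a Windows client credential.
        var binding = new NetTcpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.Windows;
        return binding;
    }

    public static ServiceHost Create()
    {
        var host = new ServiceHost(typeof(FileService),
            new Uri("net.tcp://localhost:8001/files"));   // placeholder address
        host.AddServiceEndpoint(typeof(IFileService), WindowsBinding(), "");

        // Auditing: log authorization and message-authentication events,
        // successes and failures, to the Windows Security event log.
        var audit = host.Description.Behaviors.Find<ServiceSecurityAuditBehavior>();
        if (audit == null)
        {
            audit = new ServiceSecurityAuditBehavior();
            host.Description.Behaviors.Add(audit);
        }
        audit.AuditLogLocation = AuditLogLocation.Security;
        audit.ServiceAuthorizationAuditLevel = AuditLevel.SuccessOrFailure;
        audit.MessageAuthenticationAuditLevel = AuditLevel.SuccessOrFailure;
        // true: a failure to write an audit entry does not fault the service call.
        audit.SuppressAuditFailure = true;

        // Impersonation is decided per operation by the attribute above, so the
        // host-wide switch from Fig 3 stays off.
        var authz = host.Description.Behaviors.Find<ServiceAuthorizationBehavior>();
        authz.ImpersonateCallerForAllOperations = false;
        return host;
    }

    public static ChannelFactory<IFileService> CreateClientFactory()
    {
        var factory = new ChannelFactory<IFileService>(WindowsBinding(),
            new EndpointAddress("net.tcp://localhost:8001/files")); // placeholder
        // The client limits how its identity may be used: Impersonation allows
        // use on the service machine only; Delegation would also let the service
        // act as the client towards further servers, so grant it only when needed.
        factory.Credentials.Windows.AllowedImpersonationLevel =
            TokenImpersonationLevel.Impersonation;
        return factory;
    }
}
```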


4 Comparison WCF / .NET 3.5 and WSE 2.0 / .NET 1.1

4.1 WSE 2.0 / .NET 1.1

With the .NET 1.1 framework it is possible to build web services based on XML, SOAP and WSDL (Web Services Description Language). The security, however, relies on the security of HTTP. To add more security to the web services and the data, WSE (Web Services Enhancements) was created by Microsoft. WSE 2.0 is built upon version 1.0 and provides more security measures. WSE 1.0 provided message-based authentication, digital signatures and encryption/decryption for security. WSE 2.0 supports all this and adds Kerberos tokens. Another improvement of WSE 2.0 over WSE 1.0 is that it supports the OASIS-standardized WS-Security. WSE 2.0 supports message transport not only over HTTP but also over TCP, so WSE 2.0 can be used over a wide range of internet protocols. TTL (Time To Live) restrictions and access restrictions are included, and maybe the biggest advantage of WSE 2.0 is that developers can adjust the security to their own will: custom transport, security token support, ...

To use WSE 2.0 in Visual Studio you had to download it from the Microsoft Download Center, because WSE 2.0 was not part of the System library of .NET 1.1. Once WSE 2.0 was installed, extra options became available in Visual Studio. Today there is a third version of WSE. Its main ideas are: to build secure web services easily, to simplify development of service-oriented systems using the web service protocols and .NET framework 2.0, and future-proofing and interoperability.


4.2 Differences between WSE 2.0 and WCF

The main difference between WSE 2.0 and WCF is that WCF is much larger, but it is not an entirely new model. As explained in Chapter 3, WCF combines the already existing models. Because of its many possibilities, securing a web service with WCF is therefore a lot more complicated than with WSE 2.0. WCF can interact with other services as long as they support SOAP messages; this cannot be done with WSE 2.0. WCF is implemented in the System.ServiceModel library of the .NET 3.0 framework, whereas WSE 2.0 had to be installed and used the Microsoft.Web.Services2 namespace. The signing, encryption and decryption of the SOAP message is done automatically in WCF, in contrast to WSE 2.0, where the developer had to add the signature to the SOAP message in code. In WCF many features, such as certificates (see Chapter 6 Certificates), can be configured in the config files. In WSE 2.0 this all had to be done in code, which made the configuration files in WSE 2.0 simpler but the code more difficult. In WCF it is advised to use the Configuration Editor Tool (SvcConfigEditor.exe). With this tool it is easier to configure the app.config and web.config; however, the tool is very extensive and without any knowledge of WCF it is almost impossible to configure the settings you specifically want.

In speed there is also a difference between WSE 2.0 and WCF. In 2007 Saurabh Gupta, Program Manager with the Windows Communication Foundation team at Microsoft, compared WCF with other technologies including WSE 2.0. The results are that the performance of WCF is almost four times higher than that of WSE 2.0.

Fig 4. Test results of WSE 2.0 / WCF, single processor


Fig 5. Test results of WSE 2.0 / WCF, quad processor

The charts show the test results with a single processor and with a quad processor. The WCF binding type was BasicHttpBinding and the security used was transport security with message credentials. The results are impressive, although it has to be taken into consideration that the other bindings (Chapter 3.2.1 ABC of WCF) are slower and that the process will slow down when message security is used. Even then the performance of WCF is higher than the performance of WSE 2.0.


5 Web standards / models

5.1 Web models

5.1.1 Service Oriented Architecture

Service Oriented Architecture (SOA) was developed to connect different applications to each other for exchanging information in a simple, flexible way. The different applications are structured and divided into services. These services can be approached from inside or outside the company. The SOA services are not linked to each other; SOA uses loose coupling to achieve better support for different applications. To form an executable, a DLL (dynamic link library) or an assembly, the services must be linked together. These SOA services can be used in a development environment such as Java or .NET. To use a SOA there must be interoperability between the programming languages and the systems used. This can be realised with messages such as SOAP messages (see chapter 3.1 Introduction WCF). These messages follow standards and can thereby be used on different systems. With regard to web services, a SOA block can fulfil three roles: service provider, service broker and service requestor. The service provider creates a web service and sets its properties, such as who is able to access the service. The service broker creates an interface and the information necessary to access the implementation. The service requestor calls a web service with the help of the service provider and the service broker. SOA does not depend on one technology or model; it is implemented in SOAP, REST, RPC, DCOM, CORBA, Web Services or WCF.


5.1.2 Cryptography

Cryptography is a technique to hide the information you want to send. The data are encrypted in such a way that no one can read them except the intended recipients. The receivers decrypt the data to obtain readable and understandable information. Readable information is not always understandable as well, e.g. "apple pie" may mean "attack at dawn". Today cryptography is mostly associated with computers, but this is not necessarily so. Cryptography can be done by many different methods, as long as there is a key (cipher) to encrypt and to decrypt the message. Throughout history there are many examples of the use of cryptography. In early stages simple encryption was used, such as replacing letters by numbers; later on encryption had to become stronger. Especially during wartime cryptography was commonly used. A good example is the Enigma machine used during World War 2, which was used to encrypt and decrypt secret messages. Once the cipher of the cryptographic method in use was found, the whole use of cryptography failed; therefore it was important to have a shielded and strong cipher. The most well-known example today of the use of cryptography is the credit card, which has a chip that asks for a PIN code before exchanging information with an ATM. With more web applications requiring higher security measures, cryptography became more and more important. In computer applications the hashing used for signatures is now done by algorithms such as SHA-1 and MD5 (the two most used). There are earlier encryption algorithms, but with new technology, and thus better processors to break the algorithms, better and mostly longer algorithms are required. Today it is not only important to be able to encrypt a message but also to know whether the message has been altered or to find out who the sender of the message is. Encryption thereby comes with authentication, digital signatures, ...

Two main methods of cryptography are symmetric-key cryptography and public-key cryptography. With symmetric-key cryptography the encryption and decryption are realized with the same key; in other words, the sender and the receiver have the same key. There are examples where two different keys were used, but they were linked in a simple way. Public-key or asymmetric-key cryptography uses two different keys: a public key and a private key. The public key is used to encrypt the message while the private key is used to decrypt the message. The private key, as its name implies, must be kept secret. The public key can be distributed for encryption purposes. The two keys are linked, but it is not feasible to derive the private key from the public key. Another advantage is that digital signing can be used. The private key adds a signature to the message, and with this value and the public key the identity can be checked. Popular schemes for signing are RSA (Rivest, Shamir, Adleman, the developers of the technique) and DSA (Digital Signature Algorithm).


5.2 Web standards

5.2.1 Oasis

Oasis, the Organization for the Advancement of Structured Information Standards, is, as the name implies, an organization that makes standards; relevant to this topic are its standards for web services. Oasis was founded in 1993 under the name SGML Open and is a non-profit consortium creating standards to keep web services structured and uniform for better and easier programming. The main purpose of SGML Open was to update the CALS Table Model specification and the specifications for fragment interchange and entity management. The name changed to Oasis because XML (Extensible Markup Language) was replacing SGML (Standard Generalized Markup Language). SGML was developed in 1960 to have a document format that could be exchanged between machines and that would be readable by both machines and people. Example of an SGML document:

Fig 6. SGML document

The syntax of SGML looks similar to the syntax of HTML (HyperText Markup Language) and XML. HTML is derived from SGML, but the syntax is not the same because it follows other guidelines, and in the beginning HTML had no specific guidelines at all. Later HTML became more standardized, and today XHTML (Extensible HyperText Markup Language) is a reformulation of HTML with a specific structure and some small differences compared to HTML. XML is a subset of SGML, chosen so that a parser is easier to implement than a complete SGML parser. XML is a general-purpose document format to exchange information between applications in an easy and dynamic way. The developer can compose his own elements in an XML document. This is very useful when sending information over the internet, since applications can be modified to the will of the developer.


Example of XML document:

Fig 7. XML document

To come back to Oasis, the standardization by the organization concerns security, e-business, web services, ... Today standardization becomes more and more important: as seen with WCF, web services are growing and becoming more powerful, with more flexibility and more options. Without any standards for building web services, chaos would arise, because each company would have different types and schemes, and its web services could not cooperate with those of others. The standardization can be compared with the structure of a country. A country is divided into smaller parts (provinces). If these provinces had different ways of driving, different economic systems, ..., it would become very difficult to organise the country because of the many internal differences, and chaos would arise when trying to communicate or to organise events with other provinces. If the provinces align themselves, a structure arises and communication is no problem. Another example is the standardization of the countries within the European Union. The most visible example is the currency: each country in the EU now has the Euro as its currency. For a complete list of standards realised by Oasis visit: http://www.oasis-open.org/specs/index.php. Besides defining standards, the consortium writes guidelines and reports test results to facilitate the usage of the structured information standards.


5.2.2 W3C

W3C stands for World Wide Web Consortium. Like Oasis, this organisation develops standards for web applications. The standards of W3C concern more than the structured information standards of Oasis: standards such as HTML, XHTML, CSS, ... W3C was founded in 1993 by CERN (European Organization for Nuclear Research), DARPA (Defense Advanced Research Projects Agency) and the European Commission. W3C works with organizations all over the world that develop standards for the Web. The organisation not only works on standards (called W3C recommendations) but also develops software, educates people, ... The main goal is Web interoperability, making access to the Internet easier for users as well as for the applications themselves. W3C also targets the whole web and not only a small portion of it, thereby keeping the Internet as one entity instead of fragments. W3C differs on this point from Oasis, whose goal is to structure information standards. For keeping the Web as one, the developed standards must be independent of the system, hardware, ... used, and the protocols have to interact with each other. The themes for this are: accessibility, internationalization, device independence, mobile access and quality assurance of the Web, in order to improve the Web so that its future is guaranteed and it can keep on growing.


6 Certificates

6.1 Certificate

6.1.1 Certificate properties

As explained earlier, securing the web is becoming more and more important. One way of securing is through SSL (Secure Sockets Layer). This however only provides security on the transport level. A more advanced way of securing messages is to make use of certificates. A certificate is a kind of document that is associated with a private key and a public key. With these keys encryption and decryption can be performed on documents. The certificate can be compared with a passport: it contains information about the user, with extra features for securing messages. The certificate type used in the project is X509v3. X509 is an ITU-T (ITU Telecommunication Standardization Sector) standard for a public key infrastructure (PKI) and Privilege Management Infrastructure (PMI).

Fig 8. X509 certificate structure.


Mandatory fields:

• Version: Version number of the certificate format.

• Serial Number: A unique number for every certificate, set by the CA.

• Algorithm Identifiers and parameters: The signature algorithm used by the CA (e.g. sha1RSA).

• Issuer: The name of the Certification Authority that issued the certificate.

• Not Before: The certificate is not valid before this date.

• Not After: The certificate is no longer valid after this date.

• Subject Name: This field contains the name to whom the certificate is issued. The field does not have to contain the name of a person; it can also contain the name of a company or state, ...

• Subject public key algorithm and parameters: The algorithm used for the public key of the certificate.

• Subject public key: The public key as a bit string.

• Signature: Signature as provided by the issuer.

Fig 9. X509 Certificate, version 1 field.


Optional fields:

• Issuer unique ID: If the name of the issuer already exists, this field makes it possible to distinguish between them.

• Subject unique ID: Same as Issuer unique ID, but for the subject field.

• Extensions: Custom properties that can be set. They contain more specific information about the certificate.

Fig 10. X509 Certificate, Extensions

Fig 11. X509 Certificate, properties


6.1.2 Working with Certificates

First of all, before implementing the certificates they must be issued. In this project two certificates are required: a server certificate and a client certificate. There are different ways of obtaining the certificates. One way is to make them with the tool provided by Microsoft: MakeCert. The purpose of MakeCert is to create certificates which are only used for test and development. These certificates have some drawbacks, such as slowing down performance when cryptographic operations are performed.

Fig 12. MakeCert test certificate

Another way of acquiring a certificate is to use the CertEnroll tool of Microsoft. This tool automates the process of sending a request to the CA, which in return creates a certificate. The disadvantage is that when creating the certificate a .pfx file (Personal Information Exchange File) is also created. With this file the certificate can be copied easily, thereby decreasing the security level of the certificate. A third option for requesting a certificate is to open the current user certificate store, either through mmc by adding the Current User store or through certmgr.msc, which opens the Current User store directly. In the store, right-click the store "My", select All Tasks and click Request New Certificate. This option only works when Active Directory is properly installed on the server.

Fig 13. Requesting a certificate with the personal certificate store; error: failed to contact Active Directory


A fourth option, and the preferred one, is to use Microsoft Internet Explorer (IE). The reason why IE must be used is that other browsers like Netscape, Opera, ... use a different request format, SPKAC (Signed Public Key and Challenge), while IE uses PKCS#10 and PKCS#7 (Public-Key Cryptography Standards). When requesting a certificate through IE, the certificate is automatically stored in the right store, which facilitates the process. When browsing to the main page (http://ServerIP-address/certsrv/), three options are available:

• retrieve the CA certificate or certificate revocation list;
• request a certificate;
• check on a pending certificate.

After selecting "Request a certificate" a form is shown in which the information about the certificate must be filled in. It is also possible to select the CSP (Cryptographic Service Provider). In Windows XP some CSPs are installed by default. When installing another CSP, such as SafeSign (for the smartcard reader, client side) or nCipher (HSM, server side), the list of CSPs is updated.

Fig 14. Requesting a certificate


An OID (Object Identifier) can be set. The OID is a number that refers to the function of the certificate. Possible OIDs are:

• 1.3.6.1.5.5.7.3.1 Server authentication certificate
• 1.3.6.1.5.5.7.3.2 Client authentication certificate
• 1.3.6.1.5.5.7.3.3 Code signing certificate
• 1.3.6.1.5.5.7.3.4 E-mail protection certificate

Fig 15. Certificate OID's

Other options are available, such as properties for the key. Important for the project is to select "Both" for "Key Usage". For the "Key Size" it is better to take the largest available, because the longer the key, the more difficult it is to break. There is also the option to set the hash algorithm. Typical algorithms are sha1 and md5.

Fig 16. Advanced options


After submitting the form to the server, the certificate has to be issued by the administrator in the server's CA.

Fig 17. Issuing a certificate by the CA (Ausstellen = Issue)

After the certificate has been issued, the client must visit the web site of the CA once again to download the certificate. On the main page select "Check on a pending certificate" to view the status of the certificate. A warning message can be shown, because the user must be sure that the certificate can be trusted: a malicious user can send a certificate to tamper with your private data. After accepting the security risk, the certificate is installed.

Fig 18. Download certificate & Warning


The process of installing a certificate has to be done twice: once for the client certificate, which will be stored on a smartcard, and once for the server certificate, stored on an HSM (see chapter 7 Hardware and Software prerequisites). As discussed in the previous chapter (6.1.1 Certificate properties), certificates have a time period in which they are valid; after this period the certificate is no longer valid. It is also possible to revoke a certificate before it has reached its time limit, for example if a certificate's private key is no longer secure (malicious users could use the certificate to obtain personal information) or when a certificate has been issued to the wrong person. To solve the problem the certificates must be revoked. For this a CRL (certificate revocation list) can be used. This list contains the serial numbers of all certificates that are no longer valid and carries a signature of the CA that created the CRL. Still, CRLs are not often used, mainly because checking the CRLs takes processor time and slows down the application.
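The certificate fields of 6.1.1 and the validity, EKU and revocation checks of 6.1.2, brought together in an added C# example (this is not code from the report or from any of the tools it describes). Because the program should run without the project's CA, it constructs a self-signed test certificate in memory with CertificateRequest, which needs .NET Framework 4.7.2 or newer or .NET Core 2.0 or newer; the subject name, lifetime and EKU are test values. The chain check is the same X509Chain that Windows uses when it shows the trust warning of Fig 18, and its RevocationMode parameter is where the CRL cost discussed above is switched on or off.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example (not the report's code): read the X.509 fields, check the validity
// window and the EKU OID, and build the chain with a chosen revocation mode.
public static class CertificateInspector
{
    // Extended key usage OIDs of the id-kp arc offered in the certificate request form.
    public const string ServerAuthOid = "1.3.6.1.5.5.7.3.1";
    public const string ClientAuthOid = "1.3.6.1.5.5.7.3.2";

    // Constructed stand-in for a CA-issued certificate; subject and lifetime are test values.
    public static X509Certificate2 CreateTestCertificate(string subjectCn, string ekuOid, int validDays)
    {
        using (RSA key = RSA.Create(2048))
        {
            var request = new CertificateRequest("CN=" + subjectCn, key,
                HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            // Key Usage "Both" in the request form: signature and encipherment.
            request.CertificateExtensions.Add(new X509KeyUsageExtension(
                X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.KeyEncipherment, true));
            request.CertificateExtensions.Add(new X509EnhancedKeyUsageExtension(
                new OidCollection { new Oid(ekuOid) }, false));
            DateTimeOffset now = DateTimeOffset.UtcNow;
            using (X509Certificate2 cert = request.CreateSelfSigned(now.AddMinutes(-5), now.AddDays(validDays)))
                // Re-import from PFX so the result owns its private key independently of 'key'.
                return new X509Certificate2(cert.Export(X509ContentType.Pfx));
        }
    }

    // The mandatory fields of 6.1.1, read back from the certificate object.
    public static void PrintFields(X509Certificate2 cert)
    {
        Console.WriteLine("Version:             {0}", cert.Version);
        Console.WriteLine("Serial number:       {0}", cert.SerialNumber);
        Console.WriteLine("Signature algorithm: {0}", cert.SignatureAlgorithm.FriendlyName);
        Console.WriteLine("Issuer:              {0}", cert.Issuer);
        Console.WriteLine("Not before:          {0:u}", cert.NotBefore);
        Console.WriteLine("Not after:           {0:u}", cert.NotAfter);
        Console.WriteLine("Subject:             {0}", cert.Subject);
        using (RSA pub = cert.GetRSAPublicKey())
            Console.WriteLine("Public key:          {0}, {1} bits", cert.PublicKey.Oid.FriendlyName, pub.KeySize);
        Console.WriteLine("Extensions (EKU):    {0}", string.Join(", ", GetEnhancedKeyUsages(cert)));
    }

    // OIDs in the Extensions field that state what the certificate may be used for.
    public static List<string> GetEnhancedKeyUsages(X509Certificate2 cert)
    {
        var oids = new List<string>();
        foreach (X509Extension ext in cert.Extensions)
        {
            var eku = ext as X509EnhancedKeyUsageExtension;
            if (eku == null) continue;
            foreach (Oid oid in eku.EnhancedKeyUsages) oids.Add(oid.Value);
        }
        return oids;
    }

    // Not Before / Not After check: outside this window the certificate must be refused.
    public static bool IsWithinValidity(X509Certificate2 cert, DateTime at)
    {
        return at >= cert.NotBefore && at <= cert.NotAfter;
    }

    // Chain building. Online/Offline consult the CRL; NoCheck skips it, which is faster
    // but lets a revoked certificate through.
    public static bool Validate(X509Certificate2 cert, X509RevocationMode revocation,
                                bool allowUnknownCa, out string status)
    {
        using (var chain = new X509Chain())
        {
            chain.ChainPolicy.RevocationMode = revocation;
            chain.ChainPolicy.VerificationTime = DateTime.Now;
            if (allowUnknownCa) // test setting only: tolerate an issuer missing from the trusted root store
                chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
            bool ok = chain.Build(cert);
            var reasons = new List<string>();
            foreach (X509ChainStatus s in chain.ChainStatus) reasons.Add(s.Status.ToString());
            status = ok ? "valid" : string.Join("; ", reasons);
            return ok;
        }
    }

    public static void Main()
    {
        using (X509Certificate2 client = CreateTestCertificate("test-client", ClientAuthOid, 365))
        {
            PrintFields(client);
            Console.WriteLine("valid now:        {0}", IsWithinValidity(client, DateTime.Now));
            Console.WriteLine("valid in 2 years: {0}", IsWithinValidity(client, DateTime.Now.AddYears(2)));
            Console.WriteLine("client-auth EKU:  {0}", GetEnhancedKeyUsages(client).Contains(ClientAuthOid));
            string why;
            // Default policy rejects the unknown issuer (UntrustedRoot): the same doubt behind the
            // browser warning shown when installing a certificate from a CA that is not yet trusted.
            Console.WriteLine("strict chain:     {0} ({1})", Validate(client, X509RevocationMode.NoCheck, false, out why), why);
            Console.WriteLine("lenient chain:    {0} ({1})", Validate(client, X509RevocationMode.NoCheck, true, out why), why);
        }
    }
}
```

For a certificate issued by the project's CA, replace CreateTestCertificate with a lookup in the Current User "My" store and run Validate with X509RevocationMode.Online and allowUnknownCa set to false; the status string then names the reason (expired, revoked, untrusted root) when the chain does not build.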


6.2 Public Key Infrastructure

PKI (Public Key Infrastructure) is a method used for securing messages and transactions over the Web. PKI is one of the most reliable methods because it uses a key pair (a public key and a private key) for signing and encryption/decryption. The best way to explain how PKI works is an example. Many explanations on the Internet use the names Alice and Bob to explain PKI; for convenience I will use these names as well. The situation is as follows: Alice and Bob want to send secure messages over the web; they want to be sure that no one else can read them, and they must be able to verify (authenticate) the sender of the message. To exchange secure messages they both need the public key of the other person's certificate. The key can be sent by e-mail or exchanged manually, but this is not a proper solution: e-mail security is far from perfect, and exchanging keys manually is not good either because the persons may live on the other side of the world. A solution to the posed problem is a CA (Certificate Authority). This is a trusted third party that takes care of the certificates. Both Alice and Bob install a certificate that is issued by a trusted CA. The CA can give the public key to the other users. In practical use there is more than one CA to issue certificates; using only one CA would be impossible because there are millions of certificates. The CAs are all linked together through a root CA.

Fig 19. Root CA


Situation: Alice sends a message to Bob.

Step 1: For authentication a signature is added to the message. The signature is a hash value of the message which is encrypted with the private key (of Alice). The hash can be made by algorithms such as sha1 or md5. The signature is based on PKCS#7.

Fig 20. Signature

Step 2: To encrypt the message a third key is generated, a session key. This session key is based on a symmetric-key algorithm. The session key encrypts the message. The session key itself is encrypted with the public key (of Bob) and added to the encrypted message.

Fig 21. Encryption


Step 3: The signature is added to the encrypted message and Alice can send the secure message over the Internet to Bob.

Fig 22. Adding the signature

Step 4: Bob receives the secure message and decrypts the session key with his private key. With the session key he can decrypt the message itself and obtain the readable message sent by Alice.

Fig 23. Decryption


Step 5: To check whether the message was sent by Alice, the signature is decrypted with the public key of Alice (which Bob has received from the CA). From the decryption Bob obtains the hash value of the unencrypted message. Bob's software calculates the hash value of the message decrypted in step 4 and compares it with the hash value from the decrypted signature. If they are the same, Bob is sure that the message was sent by Alice.

Fig 24. Check signature
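The five steps above, together with the symmetric/asymmetric distinction of 5.1.2, as an added C# example; it is not code from the report. Alice's and Bob's certificates are reduced to RSA key pairs generated inside the program, the session key is AES-256 in CBC mode, the session key is wrapped with RSA-OAEP, and the hash is SHA-256 rather than the SHA-1/MD5 the report names; the SecureMessage class is a constructed container that stands in for the PKCS#7 structure. Needs .NET Framework 4.6 or newer, or .NET Core.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Constructed envelope for what Alice sends (stand-in for PKCS#7, not the report's format).
public sealed class SecureMessage
{
    public byte[] Ciphertext;        // message encrypted with the session key (AES-CBC)
    public byte[] Iv;                // AES initialisation vector, sent in the clear
    public byte[] WrappedSessionKey; // session key encrypted with Bob's public key
    public byte[] Signature;         // hash of the plaintext signed with Alice's private key
}

public static class PkiExample
{
    // Steps 1 to 3: Alice signs, encrypts and packs the message.
    public static SecureMessage Seal(string plaintext, RSA alicePrivate, RSA bobPublic)
    {
        byte[] data = Encoding.UTF8.GetBytes(plaintext);

        // Step 1: signature = SHA-256 hash of the message, signed with Alice's private key.
        byte[] signature = alicePrivate.SignData(data, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);

        using (Aes aes = Aes.Create())
        {
            // Step 2: fresh random symmetric session key; encrypt the message with it ...
            aes.KeySize = 256;
            aes.GenerateKey();
            aes.GenerateIV();
            byte[] ciphertext;
            using (ICryptoTransform enc = aes.CreateEncryptor())
                ciphertext = enc.TransformFinalBlock(data, 0, data.Length);

            // ... and wrap the session key with Bob's public key so only Bob can unwrap it.
            byte[] wrappedKey = bobPublic.Encrypt(aes.Key, RSAEncryptionPadding.OaepSHA1);

            // Step 3: signature and encrypted parts travel together.
            return new SecureMessage { Ciphertext = ciphertext, Iv = aes.IV,
                                       WrappedSessionKey = wrappedKey, Signature = signature };
        }
    }

    // Steps 4 and 5: Bob unwraps the session key, decrypts, and verifies Alice's signature.
    public static string Open(SecureMessage msg, RSA bobPrivate, RSA alicePublic, out bool signatureValid)
    {
        // Step 4: only Bob's private key recovers the session key.
        byte[] sessionKey = bobPrivate.Decrypt(msg.WrappedSessionKey, RSAEncryptionPadding.OaepSHA1);
        byte[] data;
        using (Aes aes = Aes.Create())
        {
            aes.Key = sessionKey;
            aes.IV = msg.Iv;
            using (ICryptoTransform dec = aes.CreateDecryptor())
                data = dec.TransformFinalBlock(msg.Ciphertext, 0, msg.Ciphertext.Length);
        }

        // Step 5: hash the decrypted message again and compare it with the hash recovered
        // from the signature using Alice's public key.
        signatureValid = alicePublic.VerifyData(data, msg.Signature, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        return Encoding.UTF8.GetString(data);
    }

    public static void Main()
    {
        // Key pairs stand in for the two certificates issued by the CA.
        using (RSA alice = new RSACryptoServiceProvider(2048))
        using (RSA bob = new RSACryptoServiceProvider(2048))
        {
            SecureMessage msg = Seal("Meeting moved to 09:00 in room B; bring the signed contract.", alice, bob);

            bool ok;
            string text = Open(msg, bob, alice, out ok);
            Console.WriteLine("Bob reads: {0}\nsignature valid: {1}", text, ok);

            // The message is altered in transit: one ciphertext byte is flipped.
            msg.Ciphertext[0] ^= 0x01;
            try
            {
                Open(msg, bob, alice, out ok);
                Console.WriteLine("after tampering, signature valid: {0}", ok);
            }
            catch (CryptographicException)
            {
                // Decryption may already fail on the padding check; either way the message is rejected.
                Console.WriteLine("after tampering: decryption failed");
            }
        }
    }
}
```

The tampering branch shows why step 5 matters: the encryption in step 2 keeps the content secret but does not by itself reveal a modification, so the signature check is what rejects the altered message. In WCF the same pairing (signature plus encryption) is applied to the SOAP message automatically once message security with certificates is configured (chapter 8).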


7 Hardware and Software prerequisites

7.1 Cryptographic hardware

To use the cryptographic hardware an interface is needed. Many different interfaces are available, such as PKCS#11, CSP, ... Public Key Cryptography Standards number 11 (PKCS#11) was developed by RSA Labs. RSA Security created the PKCS group to facilitate the use of public-key cryptography. Another standard of this group, PKCS#7, is well known for its usage with SOAP signatures (see chapter 6.2 Public Key Infrastructure). PKCS#11 specifies an application programming interface (API) known as Cryptoki (pronounced "crypto-key"). Cryptoki takes a simple object-based approach, it is platform independent and multiple applications can access multiple devices. PKCS#11 contains information and functions about cryptography such as encoding, decoding, ... APIs are implemented as libraries; in Windows these libraries are DLLs (Dynamic Link Libraries). The advantage of the libraries is that a program doesn't need to know how external machines or programs work. The program calls upon an API (a library file), and the software of the API performs the task of addressing the external device or program. The Cryptographic Service Provider (CSP) is Microsoft's counterpart of PKCS#11. Like PKCS#11, a CSP is an API; to be more precise, it is a CAPI (Cryptographic Application Programming Interface). The CSP contains implementations of cryptographic standards and algorithms. In this project the Cryptographic Service Provider will be used. The HSM and smartcard reader can use PKCS#11, but CSPs are better supported in Microsoft Windows operating systems.


7.2 Client side installation

The client computer uses Microsoft Windows XP Service Pack 2 as operating system. For working with certificates on the client computer, a pin pad from ReinerSCT is installed. With the pin pad came some smartcards that could be used for storing the certificates. The software that accompanied the smartcard was outdated, and a more recent version of the software was obtained from ReinerSCT. The only software needed for the project is cyberJack Device Manager and SafeSign. The other software packages (smartMate, cryptMate, passMate and loginMate) provide more advanced possibilities to work with certificates, but these are not needed for the project.

7.2.1 cyberJack Device Manager

cyberJack Device Manager is a test tool for checking the connection between the client computer and the pin pad.

Fig 25. CyberJack device manager, checking the connection

All checks are positive and the smartcard reader is ready to be used. With cyberJack Device Manager it is also possible to obtain information about the pin pad in use. This information can be obtained by selecting the 'Info' label.


7.2.2 SafeSign

With SafeSign the smartcards can be configured and viewed. When starting the program all available smartcard readers are shown.

Fig 26. Available pin pads

The available cards had already been set up for the project of Filip Van Lerberge and needed to be reset. After resetting, the smartcards must be configured again.

Fig 27. Configuration of smartcard

The smartcard is now ready to store a certificate on it (see chapter 6.1.2 Working with certificates).


The certificate requested and stored on the smartcard can be shown with SafeSign.

Fig 28. Certificate on smartcard

The green card in front of the certificate name indicates that the certificate is stored on the smartcard; if the smartcard is removed, the certificate disappears from the list. If the certificate is stored on the computer, an image of a small computer is shown in front of the certificate name. Another feature of the pin pad is that the keyboard cannot be used to enter the PIN code of the smartcard: the cyberJack keypad must be used. With this feature the certificate is better protected.
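The same card-versus-computer distinction that SafeSign shows with its icons can be checked from code through the CSP interface of 7.1. The following is an added C# example (not the report's code and not vendor code) for .NET Framework on Windows, where X509Certificate2.PrivateKey hands back the CAPI key as an RSACryptoServiceProvider and CspKeyContainerInfo reports which provider holds it and whether that provider is a hardware device. The provider type, provider name and container name passed to SignWithCsp are placeholders to be taken from the output of ReportKeyLocations; the message bytes are constructed.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// Added example (not the report's code): which CSP holds a certificate's private key,
// and signing through a named CSP so the key stays on the card or HSM.
public static class CspInspector
{
    // For every certificate in the personal store, report the CSP that owns its private key.
    // HardwareDevice/Removable mirror SafeSign's card icon; Exportable should be false for a card key.
    public static void ReportKeyLocations(StoreLocation location)
    {
        var store = new X509Store(StoreName.My, location);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            foreach (X509Certificate2 cert in store.Certificates)
            {
                if (!cert.HasPrivateKey)
                {
                    Console.WriteLine("{0}: no private key (public part only)", cert.Subject);
                    continue;
                }
                // Opening the key container may trigger the CSP's PIN dialog on the pin pad.
                var rsa = cert.PrivateKey as RSACryptoServiceProvider;
                if (rsa == null)
                {
                    Console.WriteLine("{0}: private key not held by a CAPI CSP", cert.Subject);
                    continue;
                }
                CspKeyContainerInfo info = rsa.CspKeyContainerInfo;
                Console.WriteLine("{0}\n  CSP: {1} (type {2})\n  container: {3}\n  hardware: {4}, removable: {5}, exportable: {6}",
                    cert.Subject, info.ProviderName, info.ProviderType, info.KeyContainerName,
                    info.HardwareDevice, info.Removable, info.Exportable);
            }
        }
        finally
        {
            store.Close();
        }
    }

    // Sign through an explicitly named CSP and key container (the card's CSP on the client, the
    // HSM's CSP on the server). The private key never leaves the device; only the signature comes back.
    public static byte[] SignWithCsp(int providerType, string providerName, string containerName,
                                     byte[] data, string hashName)
    {
        var csp = new CspParameters(providerType, providerName, containerName)
        {
            // Fail if the container does not exist instead of silently creating a new key.
            Flags = CspProviderFlags.UseExistingKey
        };
        using (var rsa = new RSACryptoServiceProvider(csp))
            return rsa.SignData(data, hashName); // hashName "SHA256" where the CSP supports it; older CSPs only offer "SHA1"
    }

    // Verification needs only the certificate's public key, so it works on any machine.
    public static bool VerifyWithCertificate(X509Certificate2 signerCert, byte[] data, byte[] signature, string hashName)
    {
        var pub = (RSACryptoServiceProvider)signerCert.PublicKey.Key;
        return pub.VerifyData(data, hashName, signature);
    }

    public static void Main()
    {
        ReportKeyLocations(StoreLocation.CurrentUser);

        // Placeholders: take provider type/name and container name from the report above.
        byte[] message = Encoding.UTF8.GetBytes("constructed request payload");
        byte[] signature = SignWithCsp(24, "<CSP name from the request form>", "<key container name>", message, "SHA256");
        Console.WriteLine("signature: {0} bytes", signature.Length);
    }
}
```

ReportKeyLocations runs as-is on any Windows client; a certificate whose key reports hardware true and exportable false is one whose private key can be used but not copied, which is the property the report relies on when it prefers the smartcard and the HSM over a .pfx file.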


7.3 Server side installation

The operating system on the server computer is Microsoft Windows 2003 Enterprise, Service Pack 1. For the project an HSM (Hardware Security Module) must be installed on the server. The HSM used in this project is the nShield F2 from nCipher. The HSM is already present on the server machine, because the same HSM was used in the project of my predecessor in 2005. The software CD-ROM that came with the HSM package is still usable, but it is advised to download the latest available software. First an install wizard is used to configure the security world. A new security world is created; it is important that the HSM is switched to 'pre-initialization' mode, which is done manually on the back of the module.

Fig 29. Install wizard

The 'security world' is necessary to work with the CSP. It also makes sure that the keys stored on the HSM can only be used by the HSM; this way the software on the server is not able to access the keys without the CSP. The second step is to configure a smart card for the HSM. It is possible to set up more than one smart card, but for testing purposes and convenience only one smart card is set to use the security world.


The next step is to install KeySafe for managing the newly created security world. KeySafe needs the Java 2 platform. An earlier version of the Java platform was already installed, but it is too outdated to be used with the KeySafe software.

Fig 30. KeySafe error concerning Java platform

The Java 2 platform software is available from http://java.sun.com. The installed edition is the latest available, Java Platform Standard Edition 6. After installing the Java platform, KeySafe still threw an error.

Fig 31. Fatal error KeySafe

This error concerns the ports that need to be set for accepting TCP connections. These ports, ‘nonpriv_port’ and ‘priv_port’, need to be set to 9000 and 9001. By default these ports don’t accept TCP connections. After adjusting the ports the nFast server must be restarted.

Fig 32. TCP ports settings

The KeySafe software now operates correctly. The server is ready to request certificates, store them safely on the HSM and work with the keys of the certificates.


8 Program code

8.1 Client side

For the client application a Windows executable is used to call the web service. The function of the client application is to send a request to the web service. The request message is a SOAP message (see chapter 3.1 Introduction WCF) that is signed and encrypted (see chapter 6.2 Public Key Infrastructure). The server computer receives the request, the web service runs one of its operation contracts and sends back an answer to the client computer. To start with this project, the web service must be made first (see chapter 8.2 Server side), because the web service is implemented in the client application by adding the service reference.

Fig 33. Adding a service reference


For all this to happen a few configurations must be made in the client application. This can be done either in configuration files (app.config) or in the programming language (in this project C#). The configurations that must be set are: the binding, the endpoint and where to find the certificates. The settings of the binding and the endpoint don't change, so it is advised to set these in the configuration file (app.config). WCF is a large communication model with a lot of features, and it is thereby difficult to set the configurations without any guidance. To facilitate this process there is a tool (SvcConfigEditor) to set the configurations in an easier way. Still, with the SvcConfigEditor there are many options that can be set. The best advice is to use the SvcConfigEditor together with a manual (which can be found on the internet).

Fig 34. SvcConfigEditor


The binding: The binding tells how the web service and the client application communicate with each other. As explained previously (chapter 3.2 Features of Windows Communication Foundation), there are different types of bindings. For this project the message must be sent over HTTP with message security, and the message must be in the form of SOAP. The most appropriate binding, besides a custom one, is the wsHttpBinding, which supports all the needed features.

<bindings>
  <wsHttpBinding>
    <binding name="ServiceBinding" closeTimeout="00:01:00" openTimeout="00:01:00"
             receiveTimeout="00:10:00" sendTimeout="00:01:00" bypassProxyOnLocal="false"
             transactionFlow="false" hostNameComparisonMode="StrongWildcard"
             maxBufferPoolSize="524288" maxReceivedMessageSize="65536"
             messageEncoding="Text" textEncoding="utf-8" useDefaultWebProxy="true"
             allowCookies="false">
      <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
                    maxBytesPerRead="4096" maxNameTableCharCount="16384"/>
      <reliableSession ordered="true" inactivityTimeout="00:10:00" enabled="true"/>
      <security mode="Message">
        <message clientCredentialType="Certificate" negotiateServiceCredential="true"
                 algorithmSuite="Default" establishSecurityContext="true" />
      </security>
    </binding>
  </wsHttpBinding>
</bindings>

Code 1.1: Binding in configuration file WSHttpBinding binding = new WSHttpBinding(); binding.Name = "ServiceBinding"; binding.Security.Mode = SecurityMode.Message; binding.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;

Code 1.2: Binding in C# In the fragments of code above for the binding, there are two elements that are important for the project: setting the binding to wsHttpBinding and the applied security. The security mode must be set to Message and within the message element the clientCredentialType must be set to certificate, to be able to sign, encrypt, decrypt with certificates. WCF knows with these settings to sign and encrypt the SOAP message with a certificate.


The endpoint: The endpoint tells the client application where to find the web service, so it must refer to the server computer. The endpoint contains the address, the binding and the contract.

    <client>
      <endpoint address="http://149.205.61.158/Service1_Secure/Service1.svc"
                binding="wsHttpBinding" bindingConfiguration="ServiceBinding"
                contract="test_Secure.IService1" name="ServiceEndpoint1">
        <identity>
          <certificate encodedValue="AwAAAAEAAAAUAAAA7aLxKD/89GByh1EpQnIuFgwG9u8gAAAAAQAAAIsDAAAwggOHMIICb6ADAgECAgphQPsxAAAAAAAKMA0GCSqGSIb3DQEBBQUAMBAxDjAMBgNVBAMTBU5UNUNBMB4XDTA4MDMwNjE3MTMyMVoXDTA5MDMwNjE3MjMyMVowEjEQMA4GA1UEAxMHU2VydmVyMjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAv/hIIX ... XiuqTpveAKoffBVyrjdkiSeeTklOWMeDw3OL+xPYLyAkN8FXLczRs5t+EmmgUtWSFoHU5hx3Jk5PHWVqzlu3DfWF1OJUeMahmPhyKUGaseUEJI2zR5vqQTBE2hEsJvNoexrYvgKrAjwosoXLr+kjkOIzvxrC1rKVtROhE1NfQgh0YCSnNLKBjWfKeV8+LVHa0smufozvoCe4fMtbsDWa+pzCn32cQOOvBMzBiuhFUZRhQy1ASy5HWWGkFUeun4rx4eY" />
        </identity>
      </endpoint>
    </client>

Code 2.1: Endpoint in configuration file

    // Client side: address, binding (Code 1.2) and contract make up the endpoint.
    // Service1Client is the proxy generated by "Add Service Reference" for the
    // contract IService1. (ServiceHost.AddServiceEndpoint is the counterpart on the
    // service side, not on the client.)
    Uri address = new Uri("http://149.205.61.158/Service1_Secure/Service1.svc");
    EndpointAddress endpoint = new EndpointAddress(address);
    Service1Client Service = new Service1Client(binding, endpoint);

Code 2.2: Endpoint in C#

The address is the location at which the web service is reachable, given either as the IP address or as the name of the server computer. The IP address is used here because the web service is then also reachable from outside the LAN. bindingConfiguration refers to the binding specified on the previous page. The contract is the name of the interface (IService1) that declares the operation contracts of the web service; it says what the web service does. The identity element carries the base64-encoded service certificate, so the client can check that the service it talks to actually holds that certificate.


Selecting the certificates: WCF must know which certificates to use for signing, encryption and decryption. On the client computer the service certificate (public key only) is needed to encrypt for the service and to verify its signature, and the client certificate with its private key is needed to sign the request and to decrypt the response.

    <behaviors>
      <endpointBehaviors>
        <behavior name="ClientCredentialsBehavior">
          <clientCredentials>
            <clientCertificate findValue="31 48 83 58 28 fe 79 67 79 7f 21 f3 a8 8d df 12 30 0d 0e 0d"
                               x509FindType="FindByThumbprint" storeLocation="CurrentUser" storeName="My" />
            <serviceCertificate>
              <defaultCertificate findValue="ed a2 f1 28 3f fc f4 60 72 87 51 29 42 72 2e 16 0c 06 f6 ef"
                                  storeName="My" x509FindType="FindByThumbprint" />
              <authentication revocationMode="NoCheck" />
            </serviceCertificate>
          </clientCredentials>
        </behavior>
      </endpointBehaviors>
    </behaviors>

Code 3.1: Selecting the certificates in configuration file

    // Client side: the certificates are set on the proxy's ClientCredentials (Code 2.2).
    Service.ClientCredentials.ClientCertificate.SetCertificate(
        StoreLocation.CurrentUser, StoreName.My,
        X509FindType.FindBySubjectName, "Filippe Bortels E-Mail");
    Service.ClientCredentials.ServiceCertificate.SetDefaultCertificate(
        StoreLocation.CurrentUser, StoreName.My,
        X509FindType.FindByThumbprint, "7f 55 46 7b db d0 08 8d 6b b0 5e bc 99 9e 1a 56 4e 5d 43 83");

Code 3.2: Selecting the certificates in C#

The certificates can be found either by their thumbprint (the SHA-1 hash of the encoded certificate, unique for every certificate) or by their subject name. Since a subject name is not unique, and FindBySubjectName matches substrings, the find type FindByThumbprint is preferred. The service certificate does not change, so it can be set in the configuration. The client certificate can change (depending on how many people use the application), so it is better to select the client certificate (which is stored on a smart card) in a more dynamic way. Two settings in Code 3.1 deserve attention. <authentication revocationMode="NoCheck" /> switches off the CRL check for the service certificate, so a revoked service certificate would still be accepted; this is acceptable in a test setup without a reachable CRL, but in production the default (Online) should be kept. The certificateValidationMode attribute is not set and therefore keeps its default, ChainTrust, which requires the service certificate to chain to a root in the Trusted Root Certification Authorities store of the client.
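Codes 1.x to 3.x put together in C#, as an added example that is not part of the report: it builds the client described in the three sections above and changes the two settings a reviewer would flag, the revocation check (NoCheck in Code 3.1) and the service identity, which is pinned to the known service certificate instead of being learned through negotiation. It assumes the IService1 contract generated for the service reference, that the service certificate (thumbprint copied from Code 3.1) has been imported into the CurrentUser\TrustedPeople store of the client computer, and that the client certificate is passed in, for example the result of the selection function GetCertificate_2 shown later in this chapter.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

// Added example, not code from the report. Builds the client of Code 1.x to 3.x with the
// validation settings the report's app.config leaves at "NoCheck".
// Assumptions: IService1 is the generated contract; the service certificate (thumbprint
// from Code 3.1) is in CurrentUser\TrustedPeople on the client computer.
public static class SecureClientFactory
{
    // SHA-1 thumbprint of the service certificate (Code 3.1, spaces removed).
    const string ServiceCertThumbprint = "eda2f1283ffcf4607287512942722e160c06f6ef";

    public static ChannelFactory<IService1> Create(Uri serviceAddress, X509Certificate2 clientCert)
    {
        if (clientCert == null || !clientCert.HasPrivateKey)
            throw new ArgumentException("a client certificate with a private key is required", "clientCert");

        // Binding as in Code 1.2: SOAP over HTTP, message-level security, X.509 client credential.
        WSHttpBinding binding = new WSHttpBinding(SecurityMode.Message);
        binding.Name = "ServiceBinding";
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;
        // false: the client uses the service certificate configured below instead of learning
        // it through a negotiation with a service it has not authenticated yet.
        binding.Security.Message.NegotiateServiceCredential = false;
        binding.Security.Message.EstablishSecurityContext = true;

        // Endpoint as in Code 2.x, with the service certificate as the expected identity:
        // a server presenting any other certificate is rejected before a request is sent.
        X509Certificate2 serviceCert = FindByThumbprint(StoreLocation.CurrentUser, StoreName.TrustedPeople, ServiceCertThumbprint);
        EndpointAddress endpoint = new EndpointAddress(serviceAddress,
            EndpointIdentity.CreateX509CertificateIdentity(serviceCert));
        ChannelFactory<IService1> factory = new ChannelFactory<IService1>(binding, endpoint);

        // Certificates as in Code 3.x. The client's private key may live on a smart card;
        // WCF signs through the card's CSP, which prompts for the PIN at the first call.
        factory.Credentials.ClientCertificate.Certificate = clientCert;
        factory.Credentials.ServiceCertificate.DefaultCertificate = serviceCert;

        X509ServiceCertificateAuthentication auth = factory.Credentials.ServiceCertificate.Authentication;
        auth.CertificateValidationMode = X509CertificateValidationMode.ChainTrust; // the default, made explicit
        auth.RevocationMode = X509RevocationMode.Online;                           // Code 3.1 uses NoCheck
        return factory;
    }

    // Looks up exactly one certificate by thumbprint. validOnly=false here: validity, chain and
    // revocation are checked by WCF through the Authentication settings above, not by the lookup.
    static X509Certificate2 FindByThumbprint(StoreLocation location, StoreName name, string thumbprint)
    {
        X509Store store = new X509Store(name, location);
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
        try
        {
            X509Certificate2Collection hits = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
            if (hits.Count != 1)
                throw new InvalidOperationException(string.Format(
                    "expected one certificate with thumbprint {0} in {1}\\{2}, found {3}",
                    thumbprint, location, name, hits.Count));
            return hits[0];
        }
        finally
        {
            store.Close();
        }
    }
}
```

Usage: ChannelFactory<IService1> factory = SecureClientFactory.Create(new Uri("http://149.205.61.158/Service1_Secure/Service1.svc"), Certificate_Client_2); then IService1 svc = factory.CreateChannel(); call svc.HelloWorld(), and close the channel with ((IClientChannel)svc).Close() and the factory with factory.Close(). For a self-signed test certificate that does not chain to a trusted root, set CertificateValidationMode to PeerTrust; the certificate must then be in TrustedPeople, which the lookup above already requires.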


    X509Certificate2 Certificate_Client_2 = GetCertificate_2("My", "SmartCard");
    Service.ClientCredentials.ClientCertificate.Certificate = Certificate_Client_2;
    Service.ClientCredentials.ServiceCertificate.SetDefaultCertificate(
        StoreLocation.CurrentUser, StoreName.TrustedPeople,
        X509FindType.FindByThumbprint, "ed a2 f1 28 3f fc f4 60 72 87 51 29 42 72 2e 16 0c 06 f6 ef");

Code 3.3: Selecting the client certificate in a dynamic way

A function was written to let the user select his certificate from a list. To make it more flexible there is a parameter for the source of the certificate (SmartCard or PC) and a parameter for the store name. To select a certificate on the computer the System.Security.Cryptography.X509Certificates classes can be used. To obtain a certificate from a smart card another approach was taken in this project: CAPICOM (which can be downloaded from http://www.microsoft.com/downloads) is used to open the smart card store. The problem with CAPICOM is that it has no selection dialog. To achieve dynamic selection of certificates, the System.Security.Cryptography.X509Certificates classes were combined with CAPICOM.

    private X509Certificate2 GetCertificate_2(string Store_Name, string x)
    {
        // Step 1: selection dialog of System.Security.Cryptography.X509Certificates.
        // Only certificates that are valid at this moment are offered.
        string cert_Thumb = null;
        X509Store Cert_Store = new X509Store(Store_Name, StoreLocation.CurrentUser);
        Cert_Store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
        try
        {
            X509Certificate2Collection Find_Collection = Cert_Store.Certificates.Find(
                X509FindType.FindByTimeValid, DateTime.Now, false);
            X509Certificate2Collection Select_Collection = X509Certificate2UI.SelectFromCollection(
                Find_Collection, "Test Certificate Select",
                "Select a certificate from the following list to get information on that certificate",
                X509SelectionFlag.SingleSelection);
            if (Select_Collection.Count == 0)
            {
                MessageBox.Show("No certificate selected");
                return null;   // the caller must check for null before calling the service
            }
            cert_Thumb = Select_Collection[0].Thumbprint.Trim();
        }
        finally
        {
            Cert_Store.Close();
        }

        // Step 2: open the same store through CAPICOM (smart card or local user store)
        // and take the certificate with the thumbprint chosen above.
        Store store = new StoreClass();
        switch (x)
        {
            case "SmartCard":
                store.Open(CAPICOM_STORE_LOCATION.CAPICOM_SMART_CARD_USER_STORE, Store_Name,
                           CAPICOM_STORE_OPEN_MODE.CAPICOM_STORE_OPEN_READ_ONLY);
                break;
            case "Pc":
                store.Open(CAPICOM_STORE_LOCATION.CAPICOM_CURRENT_USER_STORE, Store_Name,
                           CAPICOM_STORE_OPEN_MODE.CAPICOM_STORE_OPEN_READ_ONLY);
                break;
            default:
                MessageBox.Show("No store selected");
                return null;
        }

        X509Certificate2 cert_Capicom = null;
        foreach (Certificate certificate in store.Certificates)
        {
            // Both APIs return the SHA-1 thumbprint as hex without spaces.
            if (string.Equals(certificate.Thumbprint, cert_Thumb, StringComparison.OrdinalIgnoreCase))
            {
                ICertContext context = certificate as ICertContext;
                // X509Certificate2(IntPtr) duplicates the CERT_CONTEXT, so the CAPICOM
                // objects may be released afterwards.
                cert_Capicom = new X509Certificate2(new IntPtr(context.CertContext));
                break;
            }
        }

        if (cert_Capicom == null)
            MessageBox.Show("No certificate selected");
        else
            MessageBox.Show("Certificate Subject name: " + cert_Capicom.SubjectName.Name,
                            "Certificaat", MessageBoxButtons.OK);
        return cert_Capicom;
    }

Code 3.4: Function, selecting the client certificate with a selection interface

With the System.Security.Cryptography.X509Certificates classes a selection box is shown and the user can select his certificate. The actual retrieval of the certificate is handled by CAPICOM. After the user has selected his certificate, its thumbprint is read by the X509Certificates classes and stored in a variable. This variable is passed on to the CAPICOM part, which opens the chosen store and returns the certificate with that thumbprint. In this way the flexibility of selecting a certificate is preserved even when the certificate is located on a smart card. Note that the CAPICOM step only yields the certificate object: the private key never leaves the card, and when WCF signs a message the card's cryptographic service provider (CSP) asks for the PIN. CAPICOM has since been deprecated by Microsoft; once the card's CSP is installed and its certificates have been propagated to the CurrentUser\My store (Windows does this when the card is inserted), the X509Store class alone normally finds them, which is the "Pc" branch of the function.


Windows form application:

Fig 35. Client Application

There are 3 functions (operation contracts) that can be called: HelloWorld, Input Value (Name) and Get data (number). Only one of these can be called at a time, by selecting the radio button and pressing the 'Send' button. The server sends a response, which is shown in label 3. To inform the user about the running process, 'toolStripStatusLabel1' shows what the program is doing, such as 'contacting web service', 'ready' or 'error'.

    private void btnsend_Click(object sender, EventArgs e)
    {
        string response = "";
        lblstatus.Text = "Connecting to the webservice ...";
        this.Refresh();
        Service1Client Service = null;
        try
        {
            X509Certificate2 Certificate_Client_2 = GetCertificate_2("My", "Pc");
            if (Certificate_Client_2 == null)
            {
                lblstatus.Text = "Ready";
                return;   // the user cancelled the certificate dialog
            }

            Service = new Service1Client();
            Service.ClientCredentials.ServiceCertificate.SetDefaultCertificate(
                StoreLocation.CurrentUser, StoreName.My, X509FindType.FindByThumbprint,
                "ed a2 f1 28 3f fc f4 60 72 87 51 29 42 72 2e 16 0c 06 f6 ef");
            Service.ClientCredentials.ClientCertificate.Certificate = Certificate_Client_2;
            lstcert.Items.Clear();

            if (rdbrequest1.Checked)
            {
                response = Service.HelloWorld();
            }
            else if (rdbinputvalue.Checked)
            {
                string value = txtname.Text.Trim();
                if (value == "")
                    MessageBox.Show("The textfield is a required field.");
                else
                    response = Service.MyOperation1(value);
            }
            else
            {
                int number;
                // TryParse instead of catching the FormatException of Int32.Parse
                if (!Int32.TryParse(txtnumber.Text.Trim(), out number))
                    MessageBox.Show("You must enter a number", "Format error",
                                    MessageBoxButtons.OK, MessageBoxIcon.None);
                else
                    response = Service.GetData(number);
            }

            // Only show the response labels if there is a response text
            lblresponse.Visible = response != "";
            lblresponse1.Visible = response != "";
            lblresponse.Text = response;

            Service.Close();   // graceful close of the secure session
            Service = null;
            lblstatus.Text = "Ready";
        }
        catch (Exception ex)
        {
            lblstatus.Text = "Failed to contact the webservice";
            this.Refresh();
            MessageBox.Show(ex.Message, "Error", MessageBoxButtons.OK, MessageBoxIcon.Error);
            if (ex.InnerException != null)
                MessageBox.Show(ex.InnerException.ToString(), "Error",
                                MessageBoxButtons.OK, MessageBoxIcon.Error);
        }
        finally
        {
            // After a fault the channel is unusable; Abort() releases it without a round trip
            if (Service != null)
                Service.Abort();
        }
    }

Code 4: Clicking the send button


After the Send button is pressed, 'toolStripStatusLabel1' changes to 'Connecting to the web service ...'. The needed certificates are selected and a proxy object for the web service is created (Service1Client Service = new Service1Client();). Then the program checks which radio button is selected. If the first radio button is selected, the operation contract 'HelloWorld' of the web service is called and the response is stored in the variable 'response'. If the second radio button is selected, the operation contract 'MyOperation1' is called. This operation contract requires a value, which the user enters in the field next to 'Name'; the program also checks that the 'Name' field is not empty and shows an error message if it is. If the third radio button is selected, the program first checks whether the value entered in the 'Number' field is actually a number. If it is not, an error is shown; otherwise the operation contract 'GetData' is called. If there was an error the variable 'response' stays empty, otherwise it contains the answer of the web service. If there is a response, the answer is shown in label 3 and the label is made visible (lblresponse1.Visible = true;). The last thing to do is closing the connection with the web service (Service.Close();). If an error occurred while executing the code, it is shown in a message box and in 'toolStripStatusLabel1'. If there was no problem, 'toolStripStatusLabel1' shows 'Ready'.

    private void btnclose_Click(object sender, EventArgs e)
    {
        Close();
    }

Code 5: Closing the form

When the button 'Close' is pressed, the client application, as the name implies, closes.

    private void Form1_Load(object sender, EventArgs e)
    {
        lblresponse.Visible = false;
        lblresponse1.Visible = false;
        lblname.Visible = false;
        txtname.Visible = false;
        txtnumber.Visible = false;
        lblnumber.Visible = false;
        lblrequest.ForeColor = Color.MediumBlue;
        lblresponse1.ForeColor = Color.MediumBlue;
        lstcert.Items.Clear();
        lblstatus.Text = "Ready";
    }

Code 6: Form loading, setting the properties of the form

When the form opens, a few properties are set. The 'response' field, the 'Name' field and the 'Number' field are made invisible and the status bar shows the text 'Ready'.


    private void rdbinputvalue_CheckedChanged(object sender, EventArgs e)
    {
        txtname.Text = "";
        txtnumber.Text = "";
        lblresponse.Visible = false;
        lblresponse1.Visible = false;
        if (rdbinputvalue.Checked)
        {
            txtname.Visible = true;
            lblname.Visible = true;
        }
        else
        {
            txtname.Visible = false;
            lblname.Visible = false;
        }
    }

Code 7: Change radio button inputvalue

If the radio button 'rdbinputvalue' is clicked, the program checks whether the radio button is active or not. If it is active the 'Name' field must be shown, otherwise the 'Name' field must be invisible.

    private void rdbgetdata_CheckedChanged(object sender, EventArgs e)
    {
        txtname.Text = "";
        txtnumber.Text = "";
        lblresponse.Visible = false;
        lblresponse1.Visible = false;
        if (rdbgetdata.Checked)
        {
            txtnumber.Visible = true;
            lblnumber.Visible = true;
        }
        else
        {
            txtnumber.Visible = false;
            lblnumber.Visible = false;
        }
    }

Code 8: Change radio button getdata

This code does the same as Code 7, but for the rdbgetdata radio button. If it is active, the 'Number' field must be visible, otherwise not.


    // Namespace of the service reference (generated proxy and contract)
    using WCF_Client_2_Secure.test_Secure;
    // Bindings, endpoints, ...
    using System.ServiceModel;
    // Namespaces for X.509 certificates
    using System.ServiceModel.Security;
    using System.Security.Cryptography;
    using System.Security.Cryptography.X509Certificates;
    using System.Security.Permissions;
    // Certificates on a smart card (COM interop assembly)
    using CAPICOM;

Code 9: Namespaces

For this project some namespaces were needed to work with the features of WCF (System.ServiceModel). For working with cryptography and certificates the System.Security namespaces were needed. To use CAPICOM it was necessary to download it from the Microsoft download site, register the COM library and add a reference to it in Visual Studio; this generates the interop assembly (Interop.CAPICOM.dll), which provides the CAPICOM namespace. This namespace is used to access certificates that are stored on a smart card.


8.2 Server side

On the server side a WCF web service must be created. Building a WCF web service is possible with the .NET Framework 3.0 in Visual Studio 2005, but it takes some effort. To ease the process, Visual Studio 2008 has a template called 'WCF Service Application', which already contains a simple service. In the client application you can choose between configuring the binding, the endpoint, etc. in the configuration file or in C# code. For the IIS-hosted web service in this project every setting is made in the configuration file (Web.config). This file is also much larger than the app.config, and larger than the Web.config of a WSE 2.0 service, because WCF offers more settings and the service is therefore more flexible. To work in the Web.config it is best to use the SvcConfigEditor tool.

The binding:

    <bindings>
      <wsHttpBinding>
        <binding name="ServiceBinding" closeTimeout="00:01:00" openTimeout="00:01:00"
                 receiveTimeout="00:10:00" sendTimeout="00:01:00" bypassProxyOnLocal="false"
                 transactionFlow="false" hostNameComparisonMode="StrongWildcard"
                 maxBufferPoolSize="524288" maxReceivedMessageSize="65536"
                 messageEncoding="Text" textEncoding="utf-8" useDefaultWebProxy="true"
                 allowCookies="false">
          <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
                        maxBytesPerRead="4096" maxNameTableCharCount="16384" />
          <reliableSession ordered="true" inactivityTimeout="00:10:00" enabled="false" />
          <security mode="Message">
            <message clientCredentialType="Certificate" negotiateServiceCredential="true"
                     algorithmSuite="Default" establishSecurityContext="true" />
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>

Code 10: The binding in Web.config

Setting the binding in the Web.config (service) is similar to setting it in the app.config (client). The security mode and the message security settings must be identical on both sides. In fact client and service must use compatible bindings: the binding type (here wsHttpBinding) and the session settings must agree, otherwise the client's messages are rejected with a fault. Note that the client binding in Code 1.1 has reliableSession enabled="true" while the service binding above has enabled="false"; one of the two must be changed, otherwise the WS-ReliableMessaging CreateSequence request of the client is refused by the service. A different binding is used only when the same one cannot be, for example netTcpBinding when the web service is not reachable over HTTP.


The endpoint:

    <services>
      <service behaviorConfiguration="ServiceCredentialsBehavior" name="Service1_Secure.Service1">
        <endpoint address="http://149.205.61.158/Service1_Secure/Service1.svc"
                  binding="wsHttpBinding" bindingConfiguration="ServiceBinding"
                  name="ServiceEndpoint" contract="Service1_Secure.IService1"
                  listenUri="http://149.205.61.158/Service1_Secure/Service1.svc">
          <identity>
            <certificateReference storeName="My" storeLocation="LocalMachine"
                                  x509FindType="FindBySubjectName" findValue="TestServer2"
                                  isChainIncluded="true" />
          </identity>
        </endpoint>
        <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
      </service>
    </services>

Code 11: Endpoints and certificate reference in Web.config

The endpoint configuration is, like the binding, the same as in the client application, and the service certificate can be referenced here as well. The difference is that the Web.config contains an additional endpoint for metadata exchange (mex). Like every endpoint it has an address, a binding and a contract. The mex endpoint is needed when the client application adds the service reference. For the client application to work with the web service another file is needed: a WSDL (Web Services Description Language) file, an XML file that describes the web service. The WSDL is generated automatically from the service metadata when the reference to the web service is added in the client application.

The behaviours:

    <behaviors>
      <serviceBehaviors>
        <behavior name="ServiceCredentialsBehavior">
          <serviceMetadata httpGetEnabled="true" />
          <serviceDebug includeExceptionDetailInFaults="false" />
          <serviceCredentials>
            <clientCertificate>
              <authentication revocationMode="NoCheck" />
            </clientCertificate>
            <serviceCertificate findValue="TestServer2" storeLocation="LocalMachine"
                                storeName="My" x509FindType="FindBySubjectName" />
            <userNameAuthentication userNamePasswordValidationMode="Windows" />
            <issuedTokenAuthentication revocationMode="NoCheck"
                                       certificateValidationMode="PeerOrChainTrust"
                                       trustedStoreLocation="CurrentUser" />
          </serviceCredentials>
          <serviceAuthorization impersonateCallerForAllOperations="true" />
        </behavior>
      </serviceBehaviors>
    </behaviors>

Code 12: Behaviours of the service and selecting the server certificate in the Web.config

httpGetEnabled="true" publishes the service metadata (WSDL) on an HTTP GET of the .svc address. It is needed for 'Add Service Reference' and for the SvcUtil tool, but not for the actual message exchange, which goes through the wsHttpBinding endpoint; it can be switched off once the clients have been generated. In the behaviours the service certificate is selected, in the same way as a certificate is selected in the client app.config. Other options can be set here too, such as impersonation and revocation checking of the client certificate. Three of the values above deserve attention. <authentication revocationMode="NoCheck" /> under <clientCertificate> means a revoked client certificate is still accepted; keep the default (Online) outside a test environment. Because certificateValidationMode is not set, it keeps its default, ChainTrust: every client certificate issued by a CA the server trusts is accepted, so which client a message came from must be checked in the operation (ServiceSecurityContext.Current.PrimaryIdentity) or by a custom validator. impersonateCallerForAllOperations="true" only has an effect with Windows credentials. includeExceptionDetailInFaults="false" is correct for production, because it keeps exception details (stack traces) out of the SOAP faults sent to clients.

The service contract:

    namespace Service1_Secure
    {
        [ServiceContract]
        public interface IService1
        {
            [OperationContract]
            string GetData(int value);

            [OperationContract]
            string MyOperation1(string myValue1);

            [OperationContract]
            string HelloWorld();
        }
    }
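The settings of Codes 10 to 12 applied in C#, as an added example that is not the report's code: it configures a ServiceHost the way the Web.config does and replaces <authentication revocationMode="NoCheck" /> with a custom client-certificate validator that checks revocation online and only accepts certificates the service knows. It assumes the IService1 and Service1 types of the service project are in scope, a self-hosted ServiceHost (the report's service is hosted in IIS; there the same code would go into a class derived from ServiceHostFactory), and an allow list with one hypothetical entry, the client certificate thumbprint from Code 3.1.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Description;
using System.ServiceModel.Security;

// Added example, not the report's code: the settings of Code 10 to 12 applied in C# on a
// self-hosted ServiceHost, with a custom client-certificate validator in place of
// <authentication revocationMode="NoCheck" />. Assumptions: the IService1 and Service1
// types of the service project are in scope; the allow list holds one hypothetical
// entry, the client certificate thumbprint from the report's app.config (Code 3.1).
public class AllowListCertificateValidator : X509CertificateValidator
{
    // SHA-1 thumbprints (hex, no spaces) of the client certificates this service accepts.
    static readonly string[] Allowed = { "3148835828FE7967797F21F3A88DDF12300D0E0D" };

    public override void Validate(X509Certificate2 certificate)
    {
        if (certificate == null)
            throw new ArgumentNullException("certificate");

        // Authentication: the certificate must chain to a trusted root and must not be revoked.
        X509Chain chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
        if (!chain.Build(certificate))
        {
            string reason = chain.ChainStatus.Length > 0 ? chain.ChainStatus[0].StatusInformation : "unknown";
            throw new SecurityTokenValidationException("client certificate rejected: " + reason);
        }

        // Authorisation: a certificate from a trusted CA is not enough, the service must
        // recognise this particular certificate (alternatively: check subject or issuer).
        foreach (string allowed in Allowed)
            if (string.Equals(allowed, certificate.Thumbprint, StringComparison.OrdinalIgnoreCase))
                return;
        throw new SecurityTokenValidationException("client certificate not on the allow list: " + certificate.Subject);
    }
}

public static class SecureServiceHost
{
    public static ServiceHost Create(Uri baseAddress)
    {
        ServiceHost host = new ServiceHost(typeof(Service1), baseAddress);

        // Code 10: same binding as the client; reliableSession must match the client's setting.
        WSHttpBinding binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;
        binding.ReliableSession.Enabled = false;
        host.AddServiceEndpoint(typeof(IService1), binding, "");

        // Code 12 <serviceCertificate>: the service's own certificate, private key in LocalMachine\My.
        host.Credentials.ServiceCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My, X509FindType.FindBySubjectName, "TestServer2");

        // Code 12 <clientCertificate>: custom validation replaces chain trust without revocation check.
        X509ClientCertificateAuthentication clientAuth = host.Credentials.ClientCertificate.Authentication;
        clientAuth.CertificateValidationMode = X509CertificateValidationMode.Custom;
        clientAuth.CustomCertificateValidator = new AllowListCertificateValidator();

        // Code 11/12 metadata: WSDL over HTTP GET and the mex endpoint, for "Add Service Reference" only.
        EnsureBehavior<ServiceMetadataBehavior>(host).HttpGetEnabled = true;
        host.AddServiceEndpoint(typeof(IMetadataExchange), MetadataExchangeBindings.CreateMexHttpBinding(), "mex");

        // Code 12 <serviceDebug>: never return exception details (stack traces) in SOAP faults.
        EnsureBehavior<ServiceDebugBehavior>(host).IncludeExceptionDetailInFaults = false;

        // Code 12 <serviceAuthorization>: impersonation needs Windows credentials; off for certificate clients.
        EnsureBehavior<ServiceAuthorizationBehavior>(host).ImpersonateCallerForAllOperations = false;
        return host;
    }

    // Returns the behavior of type T, adding a default instance if the host does not have one yet.
    static T EnsureBehavior<T>(ServiceHost host) where T : class, IServiceBehavior, new()
    {
        T behavior = host.Description.Behaviors.Find<T>();
        if (behavior == null)
        {
            behavior = new T();
            host.Description.Behaviors.Add(behavior);
        }
        return behavior;
    }
}
```

Usage: ServiceHost host = SecureServiceHost.Create(new Uri("http://149.205.61.158/Service1_Secure/")); host.Open(); and host.Close() on shutdown. The same validator can be wired into the Web.config of Code 12 with <authentication certificateValidationMode="Custom" customCertificateValidatorType="Service1_Secure.AllowListCertificateValidator, Service1_Secure" />. Inside an operation, ServiceSecurityContext.Current.PrimaryIdentity.Name tells which client certificate signed the request, which is how per-client decisions should be made once the validator has let the message through.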

Code 13: The service contract of the web service

In the service contract (the interface IService1) the operation contracts are declared. These are what the client application calls; their implementation is in the service class behind the Service1.svc file. The operation contracts can be seen as the functions of the web service. In this project there are three operation contracts (functions) that can be called. The advantage of a separate contract is the overview it gives: imagine a web service with 20 operation contracts; if their code were in the same file there would be no overview of which operations the web service can perform.


The service.svc file:

    namespace Service1_Secure
    {
        public class Service1 : IService1
        {
            public string GetData(int value)
            {
                return string.Format("You entered: {0}", value);
            }

            public string MyOperation1(string myValue1)
            {
                return "Hello: " + myValue1;
            }

            public string HelloWorld()
            {
                return "Hello World";
            }
        }
    }

Code 14: The actual code of the web service, in the code-behind of Service1.svc

In this file the implementations of the operation contracts are listed. In this project there are three functions. The function GetData() requires a value (the client application checks that a value is entered) and returns the string 'You entered: {0}', with the value entered by the user, to the client application. The function MyOperation1() also requires a value entered by the user on the client side and returns the string 'Hello: ' plus the submitted value. The last function, HelloWorld(), is the standard function of the template. It requires no value to be sent along; when HelloWorld() is called, it returns the string 'Hello World'.


8.3 Problems when running the applications

When trying to run the application the server throws an error that the server certificate cannot be found. However, after checking where the web service searches for the certificate and where the certificate is stored, everything appears to be in order. Even when the certificate is not stored on the HSM the error is thrown. When the Visual Studio development web server is used the error is not thrown, but when the application is run over HTTP with the IIS server the error occurs. When running the project of Filip Van Lerberge everything works: the web service can access the certificate stored on the HSM. During the last two weeks of my project I tried, together with my mentor, to solve the problem, but without success. To have a working solution with encryption, signing and decryption, I made some changes to the program. The program still works the way it was intended to, but now signing, encryption and decryption are based on Windows security.

    <security mode="Message">
      <message clientCredentialType="Windows" negotiateServiceCredential="true"
               algorithmSuite="Default" establishSecurityContext="true" />
    </security>

Code 15: clientCredentialType set to Windows in both the Web.config and the app.config

With Wireshark, a network monitor program, it is possible to look at the SOAP message that is sent between the client application and the web service.
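The report leaves the cause of the certificate error open. The first thing a practitioner would check is the account: the Visual Studio development web server runs as the logged-on developer, whereas an IIS 6 application pool on Windows Server 2003 runs as NETWORK SERVICE by default, and that account has no read permission on the private key of a certificate in LocalMachine\My unless it is granted; a key held on an HSM is gated in the same way by the HSM's CSP. The following diagnostic is an added example, not code from the report. It uses the store location and subject name from the report's Web.config and reports, for the account it runs under, whether the certificate is found at all, whether the match is unique, and whether the private key can actually be opened. Run it from the .svc code-behind or from a console application started with runas, so that it executes as the application pool account.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;

// Added diagnostic, not from the report: can the current Windows account find the service
// certificate and open its private key? Store location and subject name are the values of
// the report's Web.config (LocalMachine\My, "TestServer2").
public static class ServiceCertificateCheck
{
    public static string Diagnose(StoreLocation location, StoreName storeName, string subjectName)
    {
        string account = WindowsIdentity.GetCurrent().Name;   // the account WCF will use
        X509Store store = new X509Store(storeName, location);
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
        try
        {
            // FindBySubjectName is a substring match: "TestServer2" also matches "TestServer22".
            X509Certificate2Collection hits = store.Certificates.Find(
                X509FindType.FindBySubjectName, subjectName, false);
            if (hits.Count == 0)
                return string.Format("{0}: no certificate with subject name '{1}' in {2}\\{3}",
                                     account, subjectName, location, storeName);
            if (hits.Count > 1)
                return string.Format("{0}: {1} certificates match '{2}'; WCF needs exactly one",
                                     account, hits.Count, subjectName);

            X509Certificate2 cert = hits[0];
            if (!cert.HasPrivateKey)
                return account + ": certificate found, but it carries no private key (public part only)";
            if (DateTime.Now < cert.NotBefore || DateTime.Now > cert.NotAfter)
                return account + ": certificate found, but it is outside its validity period";

            try
            {
                // Reading PrivateKey makes the CSP open the key container. This is the step that
                // fails for an account without permission on the container or without HSM access.
                RSACryptoServiceProvider rsa = cert.PrivateKey as RSACryptoServiceProvider;
                if (rsa == null)
                    return account + ": private key is not an RSA CSP key";
                CspKeyContainerInfo info = rsa.CspKeyContainerInfo;
                return string.Format("{0}: OK, provider '{1}', container '{2}', machine key set {3}, hardware {4}",
                                     account, info.ProviderName, info.KeyContainerName,
                                     info.MachineKeyStore, info.HardwareDevice);
            }
            catch (CryptographicException ex)
            {
                // Typical message: "Keyset does not exist" -> grant the account read access to the key.
                return account + ": certificate found, but its private key cannot be opened: " + ex.Message;
            }
        }
        finally
        {
            store.Close();
        }
    }
}
```

Usage: ServiceCertificateCheck.Diagnose(StoreLocation.LocalMachine, StoreName.My, "TestServer2"). If the result is the last case, the Windows HTTP Services Certificate Configuration Tool grants the access: winhttpcertcfg -g -c LOCAL_MACHINE\My -s TestServer2 -a "NETWORK SERVICE". For a key on an HSM the equivalent permission is configured in the HSM's own administration tool, and the HSM's CSP must be reachable from the service account, not only from the interactive user who installed it. The provider name in the OK case shows which CSP actually holds the key, which distinguishes a key that silently ended up in the software CSP from one on the HSM.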

Fig 36. Soap message with encrypted message


9 Conclusion

In the end the project works, though not in the way first intended (with hardware to store the certificates on). The project, which consisted of building a WCF web service, building a client application, and signing, encrypting and decrypting the SOAP message that is sent over HTTP, has been realised. WCF is a good communication model for building web services, but the implementation of hardware security was not as good as expected. Maybe this will change in future development of WCF and the .NET Framework. Still, even without the hardware security, WCF scores much better at performance with the highest security applied than other communication models. This project was very interesting for me; in a short time I have learned many different technologies: the programming language C#, building web services, WCF, cryptographic hardware, PKI and working with certificates. Especially the knowledge of C# that I now have will be very useful, since object-based programming will become more and more important in the future. Implementing security is also an important feature on the internet: more applications need to be secured, and this will only become more important in the future. When realising the project I encountered some difficulties, which is normal when writing a program. When working with many different technologies it is not always easy to make them cooperate with each other. WCF is still a new communication model and will be used more and better supported in the next years. Another part that caused a little bit of trouble was the operating systems. Both the client and the server computer had German versions of the operating systems used (Windows XP and Windows Server 2003), and reading the error messages or configuring settings was not as easy as on an English version. Still, it was a good way to get to know the German language. In the end it was a nice experience and I have learned a lot while working on this project. I want to thank Prof. Dr. Heuert for offering me the chance to realise this project and for his support during the last 3 months.




11 Appendix

11.1 Abbreviations

.pfx Personal Information Exchange File
ATM Automated Teller Machine
CAPI Cryptographic Application Programming Interface
CERN European Organization for Nuclear Research
CORBA Common Object Request Broker Architecture
CRL Certificate Revocation List
CSP Cryptographic Service Provider
CSS Cascading Style Sheets
DARPA Defense Advanced Research Projects Agency
DCOM Distributed Component Object Model
dll Dynamic Link Library
DSA Digital Signature Algorithm
HSM Hardware Security Module
HTML HyperText Markup Language
HTTP HyperText Transfer Protocol
IE Microsoft Internet Explorer
ITU-T ITU Telecommunication Standardization Sector
MSMQ Microsoft Message Queuing
OASIS Organization for the Advancement of Structured Information Standards
PIN Personal Identifier Number
PKCS Public-Key Cryptography Standards
PKCS# Public-Key Cryptography Standards number
PKI Public Key Infrastructure
PMI Privilege Management Infrastructure
REST Representational State Transfer
RPC Remote Procedure Call
RSA Rivest, Shamir, Adleman, the developers of the technique
SGML Standard Generalized Markup Language
SSL Secure Sockets Layer
SOA Service Oriented Architecture
SOAP Simple Object Access Protocol
SPKAC Signed Public Key And Challenge
TCP Transmission Control Protocol
URI Uniform Resource Identifier
WCF Windows Communication Foundation
WSDL Web Services Description Language
WSE Web Services Enhancements
WS-Security Web Services Security
XHTML Extensible HyperText Markup Language
XML Extensible Markup Language


11.2 List of figures

• 3 WCF

Fig 1. Soap message example ..... 11
Fig 2. Impersonation of Operation Contracts ..... 15
Fig 3. Impersonate all Operation Contracts ..... 15

• 4 Comparison

Fig 4. Test results of WSE 2.0 / WCF, single processor ..... 17
Fig 5. Test results of WSE 2.0 / WCF, quad processor ..... 18

• 5 Web standards / models

Fig 6. SGML document ..... 21
Fig 7. XML document ..... 22

• 6 Certificates

Fig 8. X509 certificate structure ..... 24
Fig 9. X509 Certificate, version 1 field ..... 25
Fig 10. X509 Certificate, Extensions ..... 26
Fig 11. X509 Certificate, properties ..... 26
Fig 12. MakeCert test certificate ..... 27
Fig 13. Requesting a certificate with personal certificate store, Error: failed to contact Active Directory ..... 27
Fig 14. Requesting a certificate ..... 28
Fig 15. Certificate OID's ..... 29
Fig 16. Advanced options ..... 29
Fig 17. Issuing a certificate by CA (Ausstellen = Issue) ..... 30
Fig 18. Download certificate & Warning ..... 30
Fig 19. Root CA ..... 32
Fig 20. Signature ..... 33
Fig 21. Encryption ..... 33
Fig 22. Adding the signature ..... 34
Fig 23. Decryption ..... 34
Fig 24. Check signature ..... 35

• 7 Hardware and Software pre-requisites

Fig 25. CyberJack device manager, checking the connection ..... 37
Fig 26. Available pin pads ..... 38
Fig 27. Configuration of smartcard ..... 38
Fig 28. Certificate on smartcard ..... 39
Fig 29. Install wizard ..... 40
Fig 30. KeySafe error concerning Java platform ..... 41
Fig 31. Fatal error KeySafe ..... 41

• 8 Program application code

Fig 32. TCP ports settings ..... 41
Fig 33. Adding a service reference ..... 42
Fig 34. SvcConfigEditor ..... 43
Fig 35. Client Application ..... 49
Fig 36. Soap message with encrypted message ..... 58


11.3 List of code fragments

• 8 Program application code

Code 1.1: Binding in configuration file ..... 44
Code 1.2: Binding in C# ..... 44
Code 2.1: Endpoint in configuration file ..... 45
Code 2.2: Endpoint in C# ..... 45
Code 3.1: Selecting the certificates in configuration file ..... 46
Code 3.2: Selecting the certificates in C# ..... 46
Code 3.3: Selecting the client certificate in a dynamic way ..... 47
Code 3.4: Function, selecting the client certificate with a selection interface ..... 48
Code 4: Clicking the send button ..... 50
Code 5: Closing the form ..... 51
Code 6: Form loading, setting the properties of the form ..... 51
Code 7: Change radio button inputvalue ..... 52
Code 8: Change radio button getdata ..... 52
Code 9: Namespaces ..... 53
Code 10: The binding in Web.config ..... 54
Code 11: Endpoints and certificate reference in Web.config ..... 55
Code 12: Behaviours of the service and selecting the server certificate in the Web.config ..... 56
Code 13: The service class of the web service ..... 56
Code 14: The actual code of the web service located in service.svc ..... 57
Code 15: clientCredentialType set to Windows in both the web.config and app.config ..... 58