Token authentication and XML Signature in detail
Uploaded by marc-de-graauw. Category: Technology.
Page 1: Token authentication & XML Signature in detail
Page 2: Token authentication
Diagram labels: create message; SOAP message QURX_EX990011NL; create token; signedData; create SignedInfo; SignedInfo; create RSA / SHA signature; SignatureValue; certificate; smartcard with private key.
Page 3: Transformation XML 2 SignedData
Diagram labels: dispense list query (Verstrekkingslijstquery); signedData.xsl; signedData; QURX_IN990111NL_01.xml; QURX_IN990111NL_01_signedData.xml.
Page 4: Dispense list query (Verstrekkingslijstquery)
Page 5: signedData
• X.509 Strong Authentication
  – message id
    • nonce
    • unique identification of the message
    • (if duplicate removal has already taken place)
  – notBefore & notAfter
    • time to live
    • security semantics can expire
    • time to store & check nonce
  – addressedParty
    • replay against other receivers
• Link to the message
  – BSN
    • for patient-related messages
  – Trigger Event Id
    • version-independent, unlike InteractionId
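Added example (not part of the slides): a receiver-side check of the signedData fields listed above, run after the signature over signedData has been verified. The dictionary layout, the 5-minute maximum time to live and all sample values are assumptions.

```python
from datetime import datetime, timedelta, timezone

class TokenRejected(Exception):
    """A signedData token failed a freshness or binding check."""

class NonceCache:
    """Stores each message id until its notAfter has passed."""
    def __init__(self):
        self._seen = {}  # message id -> notAfter

    def check_and_store(self, message_id, not_after, now):
        # Expired ids can be dropped: those tokens fail the time check anyway.
        self._seen = {m: t for m, t in self._seen.items() if t > now}
        if message_id in self._seen:
            raise TokenRejected("message id already seen (replay)")
        self._seen[message_id] = not_after

def check_signed_data(token, message, own_id, cache, now,
                      max_ttl=timedelta(minutes=5)):  # max_ttl: assumed policy
    """Run after the signature over signedData has been verified."""
    if not token["notBefore"] <= now < token["notAfter"]:
        raise TokenRejected("outside notBefore/notAfter window")
    if token["notAfter"] - token["notBefore"] > max_ttl:
        raise TokenRejected("time to live exceeds policy")
    if token["addressedParty"] != own_id:
        raise TokenRejected("token addressed to another receiver")
    for field in ("bsn", "triggerEventId"):  # link between token and message
        if token.get(field) != message.get(field):
            raise TokenRejected(field + " differs from message")
    # Store the id last, so rejected tokens never occupy the cache.
    cache.check_and_store(token["messageId"], token["notAfter"], now)
    return True

# Constructed sample values (not from the slides).
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
TOKEN = {"messageId": "msg-0001", "notBefore": NOW - timedelta(seconds=30),
         "notAfter": NOW + timedelta(minutes=2), "addressedParty": "receiver-A",
         "bsn": "000000000", "triggerEventId": "TE-EXAMPLE"}
MESSAGE = {"bsn": "000000000", "triggerEventId": "TE-EXAMPLE"}

def outcome(token, message, own_id, cache, now=NOW):
    """Return 'accepted' or the rejection reason."""
    try:
        check_signed_data(token, message, own_id, cache, now)
        return "accepted"
    except TokenRejected as exc:
        return str(exc)

if __name__ == "__main__":
    cache = NonceCache()
    print(outcome(TOKEN, MESSAGE, "receiver-A", cache))   # first delivery
    print(outcome(TOKEN, MESSAGE, "receiver-A", cache))   # same token again
```

The cache only has to keep a message id until its notAfter, which is why a bounded time to live also bounds the nonce store.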
Page 6: signedData.xml (pretty print)
Page 7: Token versus file
Page 8: Whitespace removed
Diagram labels: signedData; remove-whitespace-between-elements.xsl; signedData; QURX_IN990111NL_01_signedData.xml; QURX_IN990111NL_01_signedData.xml.
Page 9: Exclusive Canonicalization
Diagram labels: signedData; exc c14n (Oxygen used); signedData exc c14n; signedData_excc14n.xml; QURX_IN990111NL_01_signedData.xml.
Page 10: Exclusive Canonicalization
Page 11: Exclusive Canonicalization
• Double quotes instead of single quotes
• Namespace declarations before attributes
• Namespaces sorted alphabetically
• Linefeed, no carriage return or CR/LF
• No Byte Order Mark
• UTF-8
Page 12: Signed Info element
Diagram labels: signedData exc c14n; signedData_excc14n.xml; SHA1 hash; bits; 160 bits; Base64; characters; SignedInfo template; create SignedInfo; SignedInfo; SignedInfo.xml; wsu Id.
Page 13: SHA: Cryptographic hash
Wikipedia: A cryptographic hash function is a deterministic procedure that takes an arbitrary block of data and returns a fixed-size bit string, the (cryptographic) hash value, such that an accidental or intentional change to the data will change the hash value.
Page 14: SHA
• SHA1 ... SHA256
  – 1995: SHA-1 NSA
  – 2005: weaknesses discovered in SHA-1
  – 2001: SHA-2 (225, 256, 384, 512)
  – 2008 – 12: SHA-3, open competition
• SHA-1
  – input: message of at most (2^64 − 1) bits
  – output: 160 bits
Page 15: Base 64
• UTF-8: not all octets are allowed!
• Ergo: binary data cannot simply be placed in XML / UTF-8
• Solution: bits -> characters
• RFC2045 (MIME) alphabet: [A-Z][a-z][0-9]+/
Page 16: SHA + Base64
Diagram labels: Input (bits); SHA1 (160 bits); Base 64; 4vBP5K5M5llABaWYzxCrKIdjS2I=
Page 17: SignedInfo
Page 18: RSA with SHA
Diagram labels: SignedInfo (exc c14n); SHA1 hash; bits; 160 bits; ASN.1 DER format; 400 bits; RSA; private key; 408 bits; Base64; characters; SignatureValue.
DER prefixes shown on the slide:
3021300906052b0e03021a05000414
3031300d060960864801650304020105000420
SHA 256 -> 464 bits
Page 19: Sender and Receiver
“Hello world”
SHA-1 hash: 5llABaWYzxCrKIdjS...
RSA sig value: c9fVK7vYAdvs2DRZVtS...
Private key: shhhh.....
Public key: MIICHzCCAYygAwIBAgI.....
“Hello world”
RSA sig value: c9fVK7vYAdvs2DRZVtS...
OK
Page 21: Security Services (X.800)
• Authentication
• Authorization
• Data Confidentiality
• Data Integrity
• Non-repudiation
Page 22: Security services
Columns: Secure connection | Authentication Token | Digital Signature
Authentication: √ √ √
Authorization:
Confidentiality: √
Integrity: √ √
Non-repudiation: √
Page 23: Key usage

| Name | Key Usage description | Application | Key usage hexadecimal |
|---|---|---|---|
| authenticity certificate | digitalSignature | token authentication | 0x80 |
| signature certificate | NonRepudiation | electronic signature | 0x40 |
| confidentiality certificate | keyEncipherment, dataEncipherment, keyAgreement | | 0x38 (OR'ed 0x20, 0x10, 0x08) |

Page 24: SOAP message
Diagram labels: signedData; SignedInfo; SignatureValue; certificate reference; create header; authenticationTokens; create header; wss:Security; create message; SOAP message QURX_EX990011NL.
Page 25: SOAP message
Page 26: Algorithm URIs

| Function | Algorithm | URI |
|---|---|---|
| Signature | RSA+SHA-1 | `<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>` |
| Digest | SHA-1 | `<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>` |
| Signature | RSA+SHA-256 | `<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>` |
| Digest | SHA-256 | `<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>` |

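Added example (not part of the slides): the "SHA + Base64" and "RSA with SHA" steps combined with the algorithm URIs above, using only Python's standard library. It computes the DigestValue text and the DER DigestInfo bytes that go into the RSA private-key operation, and decodes the two hex prefixes from the "RSA with SHA" slide; the RSA step itself (padding and the smartcard operation) is left out, and the sample input is constructed.

```python
import base64
import hashlib
import hmac

# Algorithm URIs and DigestInfo prefixes as listed on the slides.
SIGNATURE_METHODS = {  # SignatureMethod URI -> (hash name, DER prefix)
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1":
        ("sha1", "3021300906052b0e03021a05000414"),
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256":
        ("sha256", "3031300d060960864801650304020105000420"),
}
DIGEST_METHODS = {  # DigestMethod URI -> hash name
    "http://www.w3.org/2000/09/xmldsig#sha1": "sha1",
    "http://www.w3.org/2001/04/xmlenc#sha256": "sha256",
}

def digest_value(canonical_bytes, digest_uri):
    """Base64 text for DigestValue; an unlisted URI raises KeyError."""
    h = hashlib.new(DIGEST_METHODS[digest_uri], canonical_bytes)
    return base64.b64encode(h.digest()).decode("ascii")

def digest_info(signed_info_bytes, signature_uri):
    """DER DigestInfo: fixed prefix followed by the hash of canonical SignedInfo."""
    name, prefix = SIGNATURE_METHODS[signature_uri]
    return bytes.fromhex(prefix) + hashlib.new(name, signed_info_bytes).digest()

def digest_info_matches(recovered, signed_info_bytes, signature_uri):
    """Verifier side: compare the complete encoding, prefix included."""
    return hmac.compare_digest(recovered, digest_info(signed_info_bytes, signature_uri))

def prefix_fields(prefix_hex):
    """Decode a prefix into (hash OID in dotted form, announced hash length)."""
    p = bytes.fromhex(prefix_hex)
    # SEQUENCE, SEQUENCE, OID tags, then NULL parameters and OCTET STRING tag
    if (p[0], p[2], p[4]) != (0x30, 0x30, 0x06) or p[-4:-1] != b"\x05\x00\x04":
        raise ValueError("not a DigestInfo prefix")
    if p[1] != len(p) - 2 + p[-1]:
        raise ValueError("outer length does not cover prefix plus hash")
    oid = p[6:6 + p[5]]
    arcs, value = [min(oid[0] // 40, 2)], 0
    arcs.append(oid[0] - 40 * arcs[0])
    for byte in oid[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:          # high bit clear: last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs)), p[-1]

if __name__ == "__main__":
    signed_info = b"<SignedInfo>constructed sample</SignedInfo>"  # constructed
    for uri, (name, prefix) in SIGNATURE_METHODS.items():
        print(name, prefix_fields(prefix), digest_info(signed_info, uri).hex())
```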
Page 27: Transformation XML 2 SignedData
Diagram labels: dispense list query (Verstrekkingslijstquery); signedData.xsl; signedData; QURX_IN990111NL_01.xml; QURX_IN990111NL_01_signedData.xml.
Page 28: Whitespace removed
Diagram labels: signedData; remove-whitespace-between-elements.xsl; signedData; QURX_IN990111NL_01_signedData.xml; QURX_IN990111NL_01_signedData.xml.
Page 29: Exclusive Canonicalization
Diagram labels: signedData; exc c14n (Oxygen used); signedData exc c14n; signedData_excc14n.xml; QURX_IN990111NL_01_signedData.xml.
Page 30: Signed Info element
Diagram labels: signedData exc c14n; signedData_excc14n.xml; SHA1 hash; bits; 160 bits; Base64; characters; SignedInfo template; create SignedInfo; SignedInfo; SignedInfo.xml; wsu Id.
Page 31: RSA with SHA
Diagram labels: SignedInfo (exc c14n); SHA1 hash; bits; 160 bits; ASN.1 DER format; 400 bits; RSA; private key; 160 bits; Base64; characters; SignatureValue.
DER prefixes shown on the slide:
3021300906052b0e03021a05000414
3031300d060960864801650304020105000420
SHA 256 -> 464 bits
Page 32: SOAP message
Diagram labels: signedData; SignedInfo; SignatureValue; certificate reference; create header; authenticationTokens; create header; wss:Security; create message; SOAP message QURX_EX990011NL.
Page 33: Token authentication
Diagram labels: create message; SOAP message QURX_EX990011NL; create token; signedData; create SignedInfo; SignedInfo; create RSA / SHA signature; SignatureValue; certificate; smartcard with private key.