WEB SECURITY USING XML ENCRYPTION
description
Transcript of WEB SECURITY USING XML ENCRYPTION
![Page 1: WEB SECURITY USING XML ENCRYPTION](https://reader035.fdocuments.us/reader035/viewer/2022062309/56815994550346895dc6db80/html5/thumbnails/1.jpg)
WEB SECURITY USING XML ENCRYPTION
Based on the Apache XML Security Project.
By Ajeya Krishnamurthy
![Page 2: WEB SECURITY USING XML ENCRYPTION](https://reader035.fdocuments.us/reader035/viewer/2022062309/56815994550346895dc6db80/html5/thumbnails/2.jpg)
Presentation Overview
• Introduction
• XML Signature
• XML Encryption and Decryption
• The JCE ( Java Cryptography Extensions )
• Code Overview
• Future work
![Page 3: WEB SECURITY USING XML ENCRYPTION](https://reader035.fdocuments.us/reader035/viewer/2022062309/56815994550346895dc6db80/html5/thumbnails/3.jpg)
Introduction
The XML Signature technology was developed by the XML-DSig Charter – an IETF/W3C charter – in response to the June16 2000 e-sign act, which made digital signatures legallybinding.
XML Signatures allow you to sign only specified sections of a document. This contrasts to non-XML Signatures that require you to sign all of a document.
XML Signatures are not limited to XML documents and can be applied to all types of electronic data, for example, HTML and GIF files.
![Page 4: WEB SECURITY USING XML ENCRYPTION](https://reader035.fdocuments.us/reader035/viewer/2022062309/56815994550346895dc6db80/html5/thumbnails/4.jpg)
Introduction
Basics of cryptography
• Confidentiality - Protecting data from prying eyes while in transit over an insecure communications channel like the Internet
• Integrity - Provides communicating parties with the assurance that a message was not modified while in transit
• Non-repudiation - The recipient should be able to prove that a message actually originated with the purported sender and is not a forgery
![Page 5: WEB SECURITY USING XML ENCRYPTION](https://reader035.fdocuments.us/reader035/viewer/2022062309/56815994550346895dc6db80/html5/thumbnails/5.jpg)
Canonical XML
Canonical XML normalizes the physical representation of XML, creating a standard for signature processing. Before the signature digest is created for a document, it is transformed to canonical XML. Then, when the received document is checked for data integrity, it is transformed to canonical XML before a digest is created for it.
Different XML applications may represent XML differently. The digest calculation is sensitive to changes in the physical representation of the XML.
![Page 6: WEB SECURITY USING XML ENCRYPTION](https://reader035.fdocuments.us/reader035/viewer/2022062309/56815994550346895dc6db80/html5/thumbnails/6.jpg)
XML Signature
• XML Signatures are human readable and platform independent
• Unlike non-XML digital signatures, XML Signatures include processing information ( ex: Algorithm used to generate the signature )
• XML allows signing only portions of the document. Advantages?
![Page 7: WEB SECURITY USING XML ENCRYPTION](https://reader035.fdocuments.us/reader035/viewer/2022062309/56815994550346895dc6db80/html5/thumbnails/7.jpg)
XML Signature Types
Enveloped - The XML Signature is included in the XML document. It is contained within a child element of the XML document
Enveloping - The XML document is included in the XML Signature. It is contained within a a child element of the XML Signature
Detached - The XML Signature is included in a separate document from the signed document. The location of the signed document is referenced in the XML Signature. This type of signature is used for non-XML documents
![Page 8: WEB SECURITY USING XML ENCRYPTION](https://reader035.fdocuments.us/reader035/viewer/2022062309/56815994550346895dc6db80/html5/thumbnails/8.jpg)
XML Signature structure
![Page 9: WEB SECURITY USING XML ENCRYPTION](https://reader035.fdocuments.us/reader035/viewer/2022062309/56815994550346895dc6db80/html5/thumbnails/9.jpg)
XML Signature structure
<Signature ID><SignedInfo><CanonicalizationMethod/><SignatureMethod/>(<Reference URI><DigestMethod><DigestValue></Reference>)</SignedInfo><SignatureValue>(<KeyInfo>)</Signature>
![Page 10: WEB SECURITY USING XML ENCRYPTION](https://reader035.fdocuments.us/reader035/viewer/2022062309/56815994550346895dc6db80/html5/thumbnails/10.jpg)
XML Encryption
• Enables encryption of specified portions of a document, leaving the rest of the document in its original form
• Does not support the encryption of attributes
• Both symmetric and asymmetric encryption can be used
The ability to encrypt partial documents is unique to XML encryption.
![Page 11: WEB SECURITY USING XML ENCRYPTION](https://reader035.fdocuments.us/reader035/viewer/2022062309/56815994550346895dc6db80/html5/thumbnails/11.jpg)
XML Encryption Interoperability
XML encryption is interoperable with XML Signature. However, if you want to encrypt and sign a document, you must always encrypt the document before you sign it. This is because the digest, generated for the digital signature, may give clues about the unencrypted content of a document.
![Page 12: WEB SECURITY USING XML ENCRYPTION](https://reader035.fdocuments.us/reader035/viewer/2022062309/56815994550346895dc6db80/html5/thumbnails/12.jpg)
XML Encryption structure
<enc:EncryptedData Id="" Type=""><enc:EncryptionMethod/><enc:KeyInfo><enc:EncryptedKey/><enc:KeyRetrievalMethod/></enc:KeyInfo><enc:CipherData URI="">iamscrambled</enc:CipherData> </enc:EncryptedData>
![Page 13: WEB SECURITY USING XML ENCRYPTION](https://reader035.fdocuments.us/reader035/viewer/2022062309/56815994550346895dc6db80/html5/thumbnails/13.jpg)
The Java Cryptography Extension
The JCE and the JCA are APIs provided by Java for cryptography.
Tutorials are available at
http://java.sun.com/j2se/1.4.2/docs/guide/security/jce/JCERefGuide.html
![Page 14: WEB SECURITY USING XML ENCRYPTION](https://reader035.fdocuments.us/reader035/viewer/2022062309/56815994550346895dc6db80/html5/thumbnails/14.jpg)
XMLSignatureFactory.• XMLSignatureFactory is a standard FactorySingleton. The main purpose is to create allelements of a XMLSignature• It can be instantiated by:─ XMLSignatureFactory.getInstance()─ XMLSignatureFactory.getInstance(“DOM”,new <placeholder_provider>());─ XMLSignatureFactory.getInstance(“DOM”,“<placeholder_provider>”);
Class XMLSignatureFactory -- Main class used to create all elements required for a signature
Code Overview
![Page 15: WEB SECURITY USING XML ENCRYPTION](https://reader035.fdocuments.us/reader035/viewer/2022062309/56815994550346895dc6db80/html5/thumbnails/15.jpg)
Code Overview
Main class for interaction
• CreatingXMLSignatureFactory.newInstance()XMLSignatureFactory.unmarshalXMLSignature()
• Important methodssign(XMLSignContext signContext)validate(XMLValidateContextvalidateContext)
Class XMLSignature
![Page 16: WEB SECURITY USING XML ENCRYPTION](https://reader035.fdocuments.us/reader035/viewer/2022062309/56815994550346895dc6db80/html5/thumbnails/16.jpg)
XMLSignatureFactory fac = XMLSignatureFactory.getInstance();
Reference ref =fac.newReference(“http://xml.apache.org/",fac.newDigestMethod(DigestMethod.SHA1, null));
Code Overview – Creating the signature
This creates a new XMLSignatureFactory instance…
And this creates a reference to be signed. The reference contains a URI pointing to the data that we wish to sign.
![Page 17: WEB SECURITY USING XML ENCRYPTION](https://reader035.fdocuments.us/reader035/viewer/2022062309/56815994550346895dc6db80/html5/thumbnails/17.jpg)
SignedInfo si = fac.newSignedInfo(fac.newCanonicalizationMethod (CanonicalizationMethod.INCLUSIVE_WITH_COMMENTS,null),fac.newSignatureMethod(SignatureMethod.DSA_SHA1,null),Collections.singletonList(ref));
Code Overview
This creates the SignedInfo object we need…
XMLSignature signature = fac.newXMLSignature(si, null);
And this creates a new Signature object.
Code Overview – Creating the signature
![Page 18: WEB SECURITY USING XML ENCRYPTION](https://reader035.fdocuments.us/reader035/viewer/2022062309/56815994550346895dc6db80/html5/thumbnails/18.jpg)
Code Overview
Now we generate the key pair using the JCA.
Document doc =dbf.newDocumentBuilder().newDocument();DOMSignContext signContext = newDOMSignContext(kp.getPrivate(), doc);
//Sign the URL. The XML-Signature structure is//appended to the documentsignature.sign(signContext);
KeyPair kp = …
And then we create the document object and sign it
Code Overview – Creating the signature
![Page 19: WEB SECURITY USING XML ENCRYPTION](https://reader035.fdocuments.us/reader035/viewer/2022062309/56815994550346895dc6db80/html5/thumbnails/19.jpg)
Code Overview – Verifying the signature
1: Create a XMLSignature from XML
2: Setup a KeySelector
3: Create a XMLValidateContext
4: Validate the Signature
![Page 20: WEB SECURITY USING XML ENCRYPTION](https://reader035.fdocuments.us/reader035/viewer/2022062309/56815994550346895dc6db80/html5/thumbnails/20.jpg)
// Parse the documentDocument doc = dbf.newDocumentBuilder().parse(newFileInputStream(args[0]));// Find Signature element. This only checks for a// Signature root element.Node signatureNode =doc.getElementsByTagNameNS(XMLSignature.XMLNS,"Signature").item(0);// Create a XMLSignatureFactoryXMLSignatureFactory fac =XMLSignatureFactory.getInstance();
Code Overview – Verifying the signature
![Page 21: WEB SECURITY USING XML ENCRYPTION](https://reader035.fdocuments.us/reader035/viewer/2022062309/56815994550346895dc6db80/html5/thumbnails/21.jpg)
// Create a KeySelectorKeySelector ks =KeySelector.singletonKeySelector(key);// Create a XMLValidateContextDOMValidateContext valContext = newDOMValidateContext(ks, signatureNode);// Unmarshal the XMLSignatureXMLSignature signature =fac.unmarshalXMLSignature(valContext);// Validate the XMLSignature (generated above)boolean coreValidity =signature.validate(valContext);
Code Overview – Verifying the signature
![Page 22: WEB SECURITY USING XML ENCRYPTION](https://reader035.fdocuments.us/reader035/viewer/2022062309/56815994550346895dc6db80/html5/thumbnails/22.jpg)
Code Overview – Encryption
Designed to have fewest possible dependencies
Dependencies
• Xalan• Xerces• Commons Logging• Cryptographic service provider
![Page 23: WEB SECURITY USING XML ENCRYPTION](https://reader035.fdocuments.us/reader035/viewer/2022062309/56815994550346895dc6db80/html5/thumbnails/23.jpg)
1: Specify key algorithm
2: Initialize KeyCipher
3: Generate encryption key
4: Specify encryption algorithm
5: Initialize XMLCipher
6: Encrypt
Steps to encrypt data
Code Overview – Encryption
![Page 24: WEB SECURITY USING XML ENCRYPTION](https://reader035.fdocuments.us/reader035/viewer/2022062309/56815994550346895dc6db80/html5/thumbnails/24.jpg)
Code Overview – Encryption
// get algorithmString algo =XMLCipher.TRIPPELDES_KeyWrap;
// construct XMLCipherXMLCipher c = XMLCipher.getInstance(algo);
1: Specify key algorithm2: Initialize KeyCipher
![Page 25: WEB SECURITY USING XML ENCRYPTION](https://reader035.fdocuments.us/reader035/viewer/2022062309/56815994550346895dc6db80/html5/thumbnails/25.jpg)
Code Overview – Encryption
KeyGenerator kg =KeyGenerator.getInstance(“DESede”);SecretKey sk = kg.generateKey();byte[] kb = sk.getEncoded();
3: Generate encryption key4: Specify encryption algorithm
XMLCipher keyCipher =XMLCipher.getInstance(algo);Key symmKey = //as in generate keyencryption keykeyCipher.init(XMLCipher.WRAP_MODE, symmKey);EncryptedKey encryptedKey =keyCipher.encryptKey(document, symmKey);
![Page 26: WEB SECURITY USING XML ENCRYPTION](https://reader035.fdocuments.us/reader035/viewer/2022062309/56815994550346895dc6db80/html5/thumbnails/26.jpg)
XMLCipher xmlCipher =XMLCipher.getInstance(XMLCipher.AES_128)xmlCipher.init(XMLCipher.ENCRYPT_MODE,symmKey);
Code Overview – Encryption
5: Initialize XMLCipher
EncryptedData d = xmlCipher.getEncryptedData();KeyInfo keyInfo = new KeyInfo(document);keyInfo.add(encryptedKey);d.setKeyInfo(keyInfo);
Prepare for encryption
![Page 27: WEB SECURITY USING XML ENCRYPTION](https://reader035.fdocuments.us/reader035/viewer/2022062309/56815994550346895dc6db80/html5/thumbnails/27.jpg)
xmlCipher.doFinal(document,rootElement,true);
6: Encrypt
Code Overview – Encryption
![Page 28: WEB SECURITY USING XML ENCRYPTION](https://reader035.fdocuments.us/reader035/viewer/2022062309/56815994550346895dc6db80/html5/thumbnails/28.jpg)
Code Overview – Decryption
1: Get the element that need to be decrypted
2: Get the key
3: Decrypt
Steps involved in Decryption
![Page 29: WEB SECURITY USING XML ENCRYPTION](https://reader035.fdocuments.us/reader035/viewer/2022062309/56815994550346895dc6db80/html5/thumbnails/29.jpg)
Code Overview – Decryption
// Get the element that need to bedecryptedElement e = (Element)document.getElementsByTagNameNS(EncryptionSpecNS, ENCRYPTEDDATA).item(0);// Get the keyKey kek = loadKeyEncryptionKey();
Prepare for encryption
![Page 30: WEB SECURITY USING XML ENCRYPTION](https://reader035.fdocuments.us/reader035/viewer/2022062309/56815994550346895dc6db80/html5/thumbnails/30.jpg)
XMLCipher xmlCipher = XMLCipher.getInstance();xmlCipher.init(XMLCipher.DECRYPT_MODE, null);xmlCipher.setKEK(kek);xmlCipher.doFinal(document,encryptedDataElement);
Now perform Decryption
Code Overview – Decryption
![Page 31: WEB SECURITY USING XML ENCRYPTION](https://reader035.fdocuments.us/reader035/viewer/2022062309/56815994550346895dc6db80/html5/thumbnails/31.jpg)
Future Work
The Apache foundation will focus next on the XKMS for this project. Currently, the Java API is complete and robust. The C++ library is still evolving.