.NET Cryptography

.NET Cryptography Object Oriented Programming III

XML Encryption Notes from : http://www-106.ibm.com/developerworks/library/x-encrypt/index.html by Bilal Siddiqui “Secure XML” by Eastlake and Niles Addison Wesley “.NET Security and Cryptography” by Thorsteinson and Ganesh

Not a replacement for SSL • XML Encryption adds Encrypting part of the data being exchanged Secure sessions between more than two parties

General Form 1 <EncryptedData> <CipherData> <CipherValue> Cipher Text Gibberish in Base 64 </CipherValue> </CipherData> </EncryptedData>

General Form 2 <EncryptedData> <CipherData> <CipherReference> pointer (URL) to gibberish </CipherReference> </CipherData> </EncryptedData>

EncryptedData is the core element • Replaces the encrypted element or • Serves as the new document root • May contain a KeyInfo element that describes the key needed for decryption (borrowed from XML Digital Signature)

General Example (1) <MedInfo> <ID> <Name> <Address> </ID> <Medical>…</Medical> <Financial>…</Financial> </MedInfo>

General Example (2) <MedInfo> <ID>….</ID> <EncryptedData> <KeyInfo> <KeyName>Medical </KeyInfo> <CipherData> <CipherValue> gibberish </EncryptedData>

General Example (3) <Financial> <EncryptedData> <KeyInfo> <KeyName>Pay </KeyInfo> <CipherData> <CipherValue> gibberish </EncryptedData> </Finacial> </MedInfo>

Detailed Example (Listing 1) <purchaseOrder> <Order> <Item>book</Item> <Id>123-958-74598</Id> <Quantity>12</Quantity> </Order> <Payment> <CardId>123654-8988889-9996874</CardId> <CardName>visa</CardName> <ValidDate>12-10-2004</ValidDate> </Payment> </purchaseOrder>

Encrypting the Entire File (Listing 2) <?xml version='1.0' ?> <EncryptedData xmlns='http://www.w3.org/2001/04/xmlenc#' Type='http://www.isi.edu/in-notes/iana/assignments/media-types/text/xml'> <CipherData> <CipherValue>A23B45C56</CipherValue> </CipherData> </EncryptedData> IANA = Internet Assigned Numbers Authority a function of The Internet Corporationfor Assigned Names and Numbers

Encrypting The Payment (Listing 3) <?xml version='1.0' ?> <PurchaseOrder> <Order> <Item>book</Item> <Id>123-958-74598</Id> <Quantity>12</Quantity> </Order> <EncryptedData Type='http://www.w3.org/2001/04/xmlenc#Element' xmlns='http://www.w3.org/2001/04/xmlenc#'> <CipherData> <CipherValue>A23B45C564587</CipherValue> </CipherData> </EncryptedData> </PurchaseOrder> One element

Encrypting Only the CardId (Listing 4) <?xml version='1.0' ?> <PurchaseOrder> <Order> <Item>book</Item> <Id>123-958-74598</Id> <Quantity>12</Quantity> </Order> <Payment> <CardId> <EncryptedData Type='http://www.w3.org/2001/04/xmlenc#Content' xmlns='http://www.w3.org/2001/04/xmlenc#'> <CipherData> <CipherValue>A23B45C564587</CipherValue> </CipherData> </EncryptedData> </CardId> <CardName>visa</CardName> <ValidDate>12-10-2004</CardName> </Payment> </PurchaseOrder>

Encrypting Non-XML Data(Listing 5) <?xml version='1.0' ?> <EncryptedData xmlns='http://www.w3.org/2001/04/xmlen#' Type='http://www.isi.edu/in-notes/iana/assignments/media-types/jpeg' > <CipherData> <CipherValue>A23B45C56</CipherValue> </CipherData> </EncryptedData>

Sending a Public key(listing 6) <?xml version='1.0' ?> <SecureCommunicationDemonstration> <EncryptedKey CarriedKeyName="Muhammad Imran" xmlns='http://www.w3.org/2001/04/xmlenc#'> <ds:KeyInfo xmlns:ds='http://www.w3.org/2000/09/xmldsig#'> <ds:KeyValue>1asd25fsdf2dfdsfsdfds2f1sd23 </ds:KeyValue> </ds:KeyInfo> </EncryptedKey> </SecureCommunicationDemonstration>

Receiving a Session key encrypted to the public key (listing 7) <?xml version='1.0' ?> <SecureCommunicationDemonstration> <EncryptedKey CarriedKeyName="Imran Ali" xmlns='http://www.w3.org/2001/04/xmlenc#'> <EncryptionMethod Algorithm= "http://www.w3.org/2001/04/xmlenc#rsa-1_5"/> <CipherData> <CipherValue>xyza21212sdfdsfs7989fsdbc </CipherValue> </CipherData> </EncryptedKey> </SecureCommunicationDemonstration>

Data Encrypted to Secret Key (Listing 8) <?xml version='1.0' ?> <<SecureCommunicationDemonstration> <Order> <Item>book</Item> <Id>123-958-74598</Id> <Quantity>12</Quantity> <CardName>Visa</CardName> <ExpDate>10-10-2005</ExpDate> <EncryptedData Type='http://www.w3.org/2001/04/xmlenc#Element' xmlns='http://www.w3.org/2001/04/xmlenc#'> <EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#tripledes-cbc '/> <ds:KeyInfo xmlns:ds='http://www.w3.org/2000/09/xmldsig#'> <ds:KeyName>Imran ali</ds:KeyName> </ds:KeyInfo> <CipherData> <CipherValue>A23B45C564587</CipherValue> </CipherData> </EncryptedData> </Order> </SecureCommunicationDemonstration>

Pointing to encrypted data (listing 9) <?xml version='1.0' ?> <EncryptedData xmlns='http://www.w3.org/2001/04/xmlenc#' Type= 'http://www.w3.org/2001/04/xmlenc#Element'> <ds:KeyInfo xmlns:ds='http://www.w3.org/2000/09/xmldsig#'> <ds:KeyName>Imran ali</ds:KeyName </ds:KeyInfo> <CipherData> <CipherReference URI="www.waxsys.com/secureData/waxFile.txt"/> </CipherData> </EncryptedData>

Point to a distant encrypted element (Listing 10) <?xml version='1.0' ?> <EncryptedData ID="Enc-Data" xmlns='http://www.w3.org/2001/04/xmlenc#' Type='http://www.w3.org/2001/04/xmlenc#Element' > <CipherReference URI="http://www.waxsys.com/EncFile.xml" > <Transforms xmlns:ds="http://www.w3.org/2000/09/xmldsig#" > <ds:Transform Algorithm="http://www.w3.org/TR/1999/REC- xpath-19991116"> <wax:XPath xmlns:wax="http://www.waxsys.com/xpathNS"> PruchaseOrder/EncryptedData [@Id="Imran-Enc-Data"] </wax:XPath> </ds:Transform> </Transforms> </CipherReference> </EncryptedData>

Hybrid Encryption • The way it’s done today • Bulk encryption using symmetric (session) keys – fast • Symmetric key exchange problem solved by encrypting the session key with the receivers public key

.Net Crypto API Example • The receiver builds an RSA key pair • The public key of the receiver is used by the sender to encrypt a symmetric session key • The encrypted session key along with the encrypted elements are sent to the receiver • The receiver decrypts the session key using her private RSA key • She then decrypts the encrypted element using the symmetric session key

The RSA Public key in XML <RSAKeyValue> <Modulus>z9zv0HMRK44BrjYIQtmKlDkA6WnQCIVOYmOjy/eKhFqXJM024JybC/5hOCQoYRRo5iYRopIV4gBZUBSolxgk8jIr38iO84lDoSisPl3ikcob/aCuhPe8jSl4zbKpiJ+rqQE8rSNJ3XDPDVIiRoDbSRbn04x210tjYNMbePw0RQk=</Modulus> <Exponent>AQAB</Exponent> </RSAKeyValue>

The RSA Public/Private Key Pair <RSAKeyValue> <Modulus> z9zv0HMRK44BrjYIQtmKlDkA6WnQCIVOYmOjy/eKhFqXJM024JybC/5hOCQoYRRo5iYRopIV4gBZUBSolxgk8jIr38iO84lDoSisPl3ikcob/aCuhPe8jSl4zbKpiJ+rqQE8rSNJ3XDPDVIiRoDbSRbn04x210tjYNMbePw0RQk= </Modulus> <Exponent>AQAB</Exponent>

<P> 54xO9DFJ4Mydzqrq8/0mcWInv4pU+bJHx1W1TYiybkRs7TchIq56z1JSgedh SxYvGHfHKzDcdplK2PHC9Aik2w== </P> <Q> 5dBTIHj9btkq9Nss0ZC04OyRGjssKJs8+Y89MOhs9BB1YNnk6Ci6PqV8F2P 8FwcSFLXb5+II7nuvRTGS5enQ6w== </Q> <D> sLBBOZNWGQvQ6eEMDKcWYQBDgiVrrJKEGqZ P6WU13WOT7rhx2WPFd+B3i11Q5ZSPxnK9ss8y wrVBNg0ZcbYYUC+g6fYsfylKv1Lbpxr9h002syvR jmyywRcD9+TfvrVhOe27QYJKlE/QX4SHSgnTxq 4qkmHdTxZRtoRGGLdZ8XE= </D> </RSAKeyValue>

The Session Key <EncryptedKey CarriedKeyName="My 3DES Session Key"> <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/> <ds:KeyInfo> <KeyName>My Private Key</KeyName> </ds:KeyInfo>

<CipherData> <CipherValue> Shy7Nzo/ctBPAhwubFiAYpNNB2CuM4TpCUozP2oQZrEMT03O EzspgkBaItai8ImBUiSUT1KlPCbawG2edz40ISgJ+G+Sl4m6ZNm L0//gqs4/7eUyLY0rSFeCnW9hKU/hr0r4wDJaKiI+hS68OTHeBBc GLCyFEPSCQXeqbnvqQBo= </CipherValue> </CipherData> </EncryptedKey>

The Original Invoice <invoice> <items> <item> <desc>Deluxe corncob pipe</desc> <unitprice>14.95</unitprice> <quantity>1</quantity> </item> </items>

<creditinfo> <cardnumber>0123456789</cardnumber> <expiration>01/06/2005</expiration> <lastname>Finn</lastname> <firstname>Huckleberry</firstname> </creditinfo> </invoice>

The Encrypted Invoice <invoice> <items> <item> <desc>Deluxe corncob pipe</desc> <unitprice>14.95</unitprice> <quantity>1</quantity> </item> </items>

<EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"> <ds:KeyInfo> <KeyName>My 3DES Session Key</KeyName> </ds:KeyInfo> <CipherData> <CipherValue> ZS0og/w6JtPj0BDtU4XiAS3ybUsqh4tvp4ItoNO8ZzWUSVl8290HH VG2MfbjPSr00dCftHpaBd8GBgHOUSqG6wiia3EYy8Bgz7y6NeQ6 zFu9i3J34Fy+uWETjmkROE/mg+RU0IxQTkcDWQVfUq6TECNafP 9voSvbOGTNbt87Rb0BDcjbAWWLjKkOT6KOOVwfq60TJxmmkxF onqwVAY2ARlm/yBqvbo2BHux5fvZFZBF5jCPZPkuOClYZVXpY3wVB </CipherValue> </CipherData> </EncryptedData> </invoice>

The C# Code (from Thorsteinson and Ganesh) //XMLEncryption.cs //NOTE: must add a project reference to System.Security using System; using System.IO; using System.Text; using System.Xml; using System.Security.Cryptography; using System.Security.Cryptography.Xml;

The receiver creates RSA keys and places them in two files – one for the receiver and one for the sender. class XMLEncryption { static void Main(string[] args) { //create participants Sender sender = new Sender(); Receiver receiver = new Receiver(); //establish public and private RSA key information receiver.EstablishXmlRsaParameters( "RsaIncludePrivateParams.xml", "RsaExcludePrivateParams.xml");

The sender creates an XML document. //create original XML document to be encrypted sender.CreateOriginalXmlDocument( "OriginalInvoice.xml"); //create session key and encrypt via RSA public key byte [] IV = sender.CreateAndEncryptXmlSessionKey( "RsaExcludePrivateParams.xml", "SessionKeyExchange.xml"); And generates a symmetric encryption key that is encrypted with the public key of the receiver. E(SK)

The sender encrypts sensitive parts of the document. //encrypt original XML document with session key sender.EncryptOriginalXmlDocument( "OriginalInvoice.xml", "RsaExcludePrivateParams.xml", "SessionKeyExchange.xml", // no need "EncryptedInvoice.xml"); //encrypt XML document with session key receiver.DecryptXmlDocument( "EncryptedInvoice.xml", "RsaIncludePrivateParams.xml", "SessionKeyExchange.xml", "DecryptedCreditInfo.xml", IV); } } The receiver decrypts the session key and is then able to decrypt the document.

class Sender { public void CreateOriginalXmlDocument(String originalFilename) { //establish the original XML document XmlDocument xmlDoc = new XmlDocument(); xmlDoc.PreserveWhitespace = true; xmlDoc.LoadXml( "<invoice>\n" + " <items>\n" + " <item>\n" + " <desc>Deluxe corncob pipe</desc>\n" + " <unitprice>14.95</unitprice>\n" + " <quantity>1</quantity>\n" + " </item>\n" + " </items>\n" + " <creditinfo>\n" + " <cardnumber>0123456789</cardnumber>\n" + " <expiration>01/06/2005</expiration>\n" + " <lastname>Finn</lastname>\n" + " <firstname>Huckleberry</firstname>\n" + " </creditinfo>\n" + "</invoice>\n"); The sender builds the document the hard way. This part is sensitive.

//write original XML document to file StreamWriter file = new StreamWriter(originalFilename); file.Write(xmlDoc.OuterXml); file.Close(); //let the user know what happened Console.WriteLine( "Original XML document written to:\n\t" + originalFilename); } Write the “hand built” XML to a file.

The sender creates the session key. public byte [] CreateAndEncryptXmlSessionKey( String rsaExcludePrivateParamsFilename, String keyFilename) { //obtain session key for 3DES bulk encryption TripleDESCryptoServiceProvider tripleDES = new TripleDESCryptoServiceProvider(); //store IV and Key for sender encryption IV = tripleDES.IV; Key = tripleDES.Key; //fetch public only RSA parameters from XML StreamReader fileRsaParams = new StreamReader( rsaExcludePrivateParamsFilename); String rsaExcludePrivateParamsXML = fileRsaParams.ReadToEnd(); fileRsaParams.Close(); Before encrypting the key it needs the public key of the receiver.

//RSA encrypt session key RSACryptoServiceProvider rsa = new RSACryptoServiceProvider(); rsa.FromXmlString(rsaExcludePrivateParamsXML); byte[] keyEncryptedBytes = rsa.Encrypt(tripleDES.Key, false); //store encrypted 3DES session key in Base64 string String keyEncryptedString = Convert.ToBase64String( keyEncryptedBytes); //create XML document for 3DES session key exchange XmlDocument xmlKeyDoc = new XmlDocument(); xmlKeyDoc.PreserveWhitespace = true; The sender encrypts the DES session key. And builds an XML document to hold it.

//add EncryptedKey element to key XML XmlElement xmlEncryptedKey = xmlKeyDoc.CreateElement("EncryptedKey"); xmlKeyDoc.AppendChild(xmlEncryptedKey); XmlAttribute xmlCarriedKeyName = xmlKeyDoc.CreateAttribute("CarriedKeyName"); xmlCarriedKeyName.Value = "My 3DES Session Key"; xmlEncryptedKey.Attributes.Append( xmlCarriedKeyName); So far we have… <EncryptedKey CarriedKeyName="My 3DES Session Key">

//add the EncryptionMethod element to key XML XmlElement xmlEncryptionMethod = xmlKeyDoc.CreateElement("EncryptionMethod"); xmlEncryptedKey.AppendChild(xmlEncryptionMethod); XmlAttribute xmlAlgorithm = xmlKeyDoc.CreateAttribute("Algorithm"); xmlAlgorithm.Value = "http://www.w3.org/2001/04/xmlenc#rsa-1_5"; xmlEncryptionMethod.Attributes.Append( xmlAlgorithm); <EncryptedKey CarriedKeyName="My 3DES Session Key"> <EncryptionMethod Algorithm= "http://www.w3.org/2001/04/xmlenc#rsa-1_5" />

//add KeyInfo element to key XML XmlElement xmlKeyInfo = xmlKeyDoc.CreateElement( "ds", "KeyInfo", "http://www.w3.org/2000/09/xmldsig#"); xmlEncryptedKey.AppendChild(xmlKeyInfo); //add KeyName element to key XML XmlElement xmlKeyName = xmlKeyDoc.CreateElement("ds", "KeyName", null); xmlKeyName.InnerText = "My Private Key"; xmlKeyInfo.AppendChild(xmlKeyName); <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <KeyName>My Private Key</KeyName> </ds:KeyInfo>

//add CipherData element to key XML XmlElement xmlCipherData = xmlKeyDoc.CreateElement("CipherData"); xmlEncryptedKey.AppendChild(xmlCipherData); <CipherData>

//add CipherValue element to key XML XmlElement xmlCipherValue = xmlKeyDoc.CreateElement("CipherValue"); xmlCipherValue.InnerText = keyEncryptedString; xmlCipherData.AppendChild(xmlCipherValue); <CipherValue>Shy7Nzo/ctBPAhwubFiAYpNNB2CuM4TpC UozP2oQZrEMT03OEzspgkBaItai8ImBUiSUT1KlPCbawG 2edz40ISgJ+G+Sl4m6ZNmL0//gqs4/7eUyLY0rSFeCnW9h KU/hr0r4wDJaKiI+hS68OTHeBBcGLCyFEPSCQXeqbnvq QBo= </CipherValue> </CipherData> </EncryptedKey>

//save key XML information xmlKeyDoc.Save(keyFilename); //let the user know what happened Console.WriteLine( "Encrypted Session Key XML written to:\n\t" + keyFilename); return IV; //needed by receiver too } The sender has placed an encrypted session key on file.

public void EncryptOriginalXmlDocument( String originalFilename, String rsaExcludePrivateParamsFilename, String keyFilename, String encryptedFilename) { Document partially encrypted with session key Receiver’s public key Encrypted symmetric key file name?? Original XML Document

Load the document holding sensitive tag //load XML document to be encrypted XmlDocument xmlDoc = new XmlDocument(); xmlDoc.PreserveWhitespace = true; xmlDoc.Load(originalFilename); //get creditinfo node plaintext bytes to encrypt XmlElement xmlCreditinfo = (XmlElement)xmlDoc.SelectSingleNode( "invoice/creditinfo"); byte[] creditinfoPlainbytes = Encoding.UTF8.GetBytes(xmlCreditinfo.OuterXml); Find the tag Get the bytes and include the tag name.

//create 3DES algorithm object for bulk encryption TripleDESCryptoServiceProvider tripleDES = new TripleDESCryptoServiceProvider(); Getting ready for symmetric encryption…

//establish crypto stream using 3DES algorithm MemoryStream ms = new MemoryStream(); CryptoStream cs = new CryptoStream( ms, tripleDES.CreateEncryptor(Key, IV), CryptoStreamMode.Write); //write creditinfo plaintext to crypto stream cs.Write( creditinfoPlainbytes, 0, creditinfoPlainbytes.Length); cs.Close(); Use the same Key that we Encrypted before Encrypt the sensitive tag with the session key.

Get the encrypted bytes and convert them to base 64 //get creditinfo ciphertext from crypto stream byte[] creditinfoCipherbytes = ms.ToArray(); ms.Close(); String creditinfoCiphertext = Convert.ToBase64String( creditinfoCipherbytes);

//create EncryptedData in XML file XmlElement xmlEncryptedData = xmlDoc.CreateElement("EncryptedData"); XmlAttribute xmlType = xmlDoc.CreateAttribute("Type"); xmlType.Value = "http://www.w3.org/2001/04/xmlenc#Element"; xmlEncryptedData.Attributes.Append(xmlType); //add KeyInfo element XmlElement xmlKeyInfo = xmlDoc.CreateElement( "ds", "KeyInfo", "http://www.w3.org/2000/09/xmldsig#"); xmlEncryptedData.AppendChild(xmlKeyInfo); Homework: Trace through the construction of this document.

.NET Cryptography

.NET Cryptography

Presentation Transcript

Cryptography

Cryptography in .Net

Cryptography

Cryptography

Cryptography

CRYPTOGRAPHY

Cryptography

Cryptography

CRYPTOGRAPHY

Cryptography

Cryptography

Cryptography

Cryptography

Cryptography in .Net Chapters 12-17 (O’Reilly book)

Cryptography

Cryptography

Cryptography

Cryptography

Cryptography and .NET

Cryptography and .NET

Cryptography and .NET