WEB SECURITY USING XML ENCRYPTION
Based on the Apache XML Security Project
By Ajeya Krishnamurthy

Presentation Overview
• Introduction
• XML Signature
• XML Encryption and Decryption
• The JCE (Java Cryptography Extensions)
• Code Overview
• Future work

Introduction
The XML Signature technology was developed by the XML-DSig Charter – an IETF/W3C charter – in response to the June 16 2000 E-Sign Act, which made digital signatures legally binding. XML Signatures allow you to sign only specified sections of a document. This contrasts with non-XML signatures, which require you to sign the whole document. XML Signatures are not limited to XML documents and can be applied to all types of electronic data, for example HTML and GIF files.

Introduction
Basics of cryptography
• Confidentiality - Protecting data from prying eyes while in transit over an insecure communications channel like the Internet
• Integrity - Provides communicating parties with the assurance that a message was not modified while in transit
• Non-repudiation - The recipient should be able to prove that a message actually originated with the purported sender and is not a forgery

Canonical XML
Different XML applications may represent XML differently. The digest calculation is sensitive to changes in the physical representation of the XML. Canonical XML normalizes the physical representation of XML, creating a standard for signature processing. Before the signature digest is created for a document, it is transformed to canonical XML. Then, when the received document is checked for data integrity, it is transformed to canonical XML before a digest is created for it.

XML Signature
• XML Signatures are human readable and platform independent
• Unlike non-XML digital signatures, XML Signatures include processing information (e.g., the algorithm used to generate the signature)
• XML allows signing only portions of the document. Advantages?

XML Signature Types
• Enveloped - The XML Signature is included in the XML document. It is contained within a child element of the XML document
• Enveloping - The XML document is included in the XML Signature. It is contained within a child element of the XML Signature
• Detached - The XML Signature is included in a separate document from the signed document. The location of the signed document is referenced in the XML Signature. This type of signature is used for non-XML documents

XML Signature structure
    <Signature ID>
      <SignedInfo>
        <CanonicalizationMethod/>
        <SignatureMethod/>
        (<Reference URI>
          <DigestMethod>
          <DigestValue>
        </Reference>)
      </SignedInfo>
      <SignatureValue>
      (<KeyInfo>)
    </Signature>

XML Encryption
• Enables encryption of specified portions of a document, leaving the rest of the document in its original form
• Does not support the encryption of attributes
• Both symmetric and asymmetric encryption can be used
The ability to encrypt partial documents is unique to XML encryption.

XML Encryption Interoperability
XML encryption is interoperable with XML Signature. However, if you want to encrypt and sign a document, you must always encrypt the document before you sign it. This is because the digest, generated for the digital signature, may give clues about the unencrypted content of a document.

XML Encryption structure
    <enc:EncryptedData Id="" Type="">
      <enc:EncryptionMethod/>
      <enc:KeyInfo>
        <enc:EncryptedKey/>
        <enc:KeyRetrievalMethod/>
      </enc:KeyInfo>
      <enc:CipherData URI="">iamscrambled</enc:CipherData>
    </enc:EncryptedData>

The Java Cryptography Extension
The JCE and the JCA are APIs provided by Java for cryptography. Tutorials are available at http://java.sun.com/j2se/1.4.2/docs/guide/security/jce/JCERefGuide.html

Code Overview
Class XMLSignatureFactory -- Main class used to create all elements required for a signature
• XMLSignatureFactory is a standard Factory Singleton. The main purpose is to create all elements of an XMLSignature
• It can be instantiated by:
    ─ XMLSignatureFactory.getInstance()
    ─ XMLSignatureFactory.getInstance("DOM", new <placeholder_provider>());
    ─ XMLSignatureFactory.getInstance("DOM", "<placeholder_provider>");

Code Overview
Class XMLSignature
• Main class for interaction
• Creating
    ─ XMLSignatureFactory.newXMLSignature()
    ─ XMLSignatureFactory.unmarshalXMLSignature()
• Important methods
    ─ sign(XMLSignContext signContext)
    ─ validate(XMLValidateContext validateContext)

Code Overview – Creating the signature
This creates a new XMLSignatureFactory instance:
    XMLSignatureFactory fac = XMLSignatureFactory.getInstance();
And this creates a reference to be signed. The reference contains a URI pointing to the data that we wish to sign.
    // The digest of the referenced data is computed with SHA-1
    Reference ref = fac.newReference("http://xml.apache.org/",
        fac.newDigestMethod(DigestMethod.SHA1, null));

Code Overview – Creating the signature
This creates the SignedInfo object we need:
    // The cast on null selects the parameter-spec overload of newCanonicalizationMethod
    SignedInfo si = fac.newSignedInfo(
        fac.newCanonicalizationMethod(
            CanonicalizationMethod.INCLUSIVE_WITH_COMMENTS,
            (C14NMethodParameterSpec) null),
        fac.newSignatureMethod(SignatureMethod.DSA_SHA1, null),
        Collections.singletonList(ref));
And this creates a new Signature object.
    XMLSignature signature = fac.newXMLSignature(si, null);

Code Overview – Creating the signature
Now we generate the key pair using the JCA.
    KeyPair kp = …
And then we create the document object and sign it.
    // dbf is a DocumentBuilderFactory with setNamespaceAware(true)
    Document doc = dbf.newDocumentBuilder().newDocument();
    DOMSignContext signContext = new DOMSignContext(kp.getPrivate(), doc);
    // Sign the URL. The XML-Signature structure is
    // appended to the document
    signature.sign(signContext);

Code Overview – Verifying the signature
1: Create a XMLSignature from XML
2: Setup a KeySelector
3: Create a XMLValidateContext
4: Validate the Signature

Code Overview – Verifying the signature
    // Parse the document (dbf is a DocumentBuilderFactory with setNamespaceAware(true))
    Document doc = dbf.newDocumentBuilder().parse(new FileInputStream(args[0]));
    // Find the Signature element. This takes the first Signature element
    // found in the document and does not check where it sits.
    Node signatureNode =
        doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").item(0);
    // Create a XMLSignatureFactory
    XMLSignatureFactory fac = XMLSignatureFactory.getInstance();

Code Overview – Verifying the signature
    // Create a KeySelector
    KeySelector ks = KeySelector.singletonKeySelector(key);
    // Create a XMLValidateContext
    DOMValidateContext valContext = new DOMValidateContext(ks, signatureNode);
    // Unmarshal the XMLSignature
    XMLSignature signature = fac.unmarshalXMLSignature(valContext);
    // Validate the XMLSignature (generated above)
    boolean coreValidity = signature.validate(valContext);

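A complete round trip for the signing and verification steps above, which also shows the effect of Canonical XML described earlier: a signature made over one document still validates on a copy written with different attribute order, quoting and empty-element syntax, and fails once the content changes. This is an added example, not code from the presentation; it uses only the JDK's javax.xml.crypto.dsig API. The class name, the sample XML and the choice of an enveloped RSA-SHA256 signature (rather than the slides' DSA-SHA1, which recent JDKs restrict by default) are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.security.*;
import java.util.Collections;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.*;
import javax.xml.crypto.dsig.spec.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class SignVerifyDemo {   // hypothetical class name
    // Constructed samples: same logical XML, different physical representation.
    static final String A = "<order id='7' cur=\"EUR\"><amount>100</amount><note/></order>";
    static final String B = "<order cur=\"EUR\"   id=\"7\"><amount>100</amount><note></note></order>";
    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // XML Signature processing needs a namespace-aware DOM
        return dbf.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes("UTF-8")));
    }
    static Element sign(Document doc, PrivateKey key) throws Exception {
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        // URI "" = whole document; the enveloped transform keeps the Signature out of the digest.
        Reference ref = fac.newReference("", fac.newDigestMethod(DigestMethod.SHA256, null),
            Collections.singletonList(fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)),
            null, null);
        SignedInfo si = fac.newSignedInfo(
            fac.newCanonicalizationMethod(CanonicalizationMethod.INCLUSIVE, (C14NMethodParameterSpec) null),
            fac.newSignatureMethod("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", null),
            Collections.singletonList(ref));
        fac.newXMLSignature(si, null).sign(new DOMSignContext(key, doc.getDocumentElement()));
        return (Element) doc.getDocumentElement().getLastChild(); // the appended Signature
    }
    static boolean validate(Document doc, PublicKey key) throws Exception {
        NodeList sigs = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        // Refuse documents with zero or several signatures instead of taking item(0) blindly.
        if (sigs.getLength() != 1) throw new SecurityException("expected exactly one Signature");
        DOMValidateContext ctx = new DOMValidateContext(KeySelector.singletonKeySelector(key), sigs.item(0));
        return XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx).validate(ctx);
    }
    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        Element sig = sign(parse(A), kp.getPrivate());
        Document b = parse(B); // differently written copy of the same order
        b.getDocumentElement().appendChild(b.importNode(sig, true));
        System.out.println("rewritten copy valid: " + validate(b, kp.getPublic()));
        b.getElementsByTagName("amount").item(0).setTextContent("999"); // change signed content
        System.out.println("modified copy valid:  " + validate(b, kp.getPublic()));
    }
}
```
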
Code Overview – Encryption
• Designed to have fewest possible dependencies
• Dependencies
    ─ Xalan
    ─ Xerces
    ─ Commons Logging
    ─ Cryptographic service provider

Code Overview – Encryption
Steps to encrypt data
1: Specify key algorithm
2: Initialize KeyCipher
3: Generate encryption key
4: Specify encryption algorithm
5: Initialize XMLCipher
6: Encrypt

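Code Overview – Encryption
1: Specify key algorithm
2: Initialize KeyCipher
    // The Apache XML Security library must be initialised once before use
    org.apache.xml.security.Init.init();
    // get algorithm
    String algo = XMLCipher.TRIPLEDES_KeyWrap;
    // construct XMLCipher
    XMLCipher c = XMLCipher.getInstance(algo);
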
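Code Overview – Encryption
3: Generate encryption key
4: Specify encryption algorithm
    // Key-encryption key: Triple DES, matching the key-wrap algorithm in algo
    KeyGenerator kg = KeyGenerator.getInstance("DESede");
    SecretKey sk = kg.generateKey();
    byte[] kb = sk.getEncoded();   // encoded form, for storing the key-encryption key
    XMLCipher keyCipher = XMLCipher.getInstance(algo);
    // Data-encryption key, generated as in "generate key encryption key"
    // (AES-128 here, to match XMLCipher.AES_128 in step 5)
    KeyGenerator dataKg = KeyGenerator.getInstance("AES");
    dataKg.init(128);
    Key symmKey = dataKg.generateKey();
    // Wrap the data-encryption key under the key-encryption key
    keyCipher.init(XMLCipher.WRAP_MODE, sk);
    EncryptedKey encryptedKey = keyCipher.encryptKey(document, symmKey);
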
Code Overview – Encryption
5: Initialize XMLCipher
    XMLCipher xmlCipher = XMLCipher.getInstance(XMLCipher.AES_128);
    xmlCipher.init(XMLCipher.ENCRYPT_MODE, symmKey);
Prepare for encryption
    // Attach the wrapped key to the EncryptedData element as KeyInfo
    EncryptedData d = xmlCipher.getEncryptedData();
    KeyInfo keyInfo = new KeyInfo(document);
    keyInfo.add(encryptedKey);
    d.setKeyInfo(keyInfo);

Code Overview – Encryption
6: Encrypt
    // true: encrypt only the content of rootElement, not the element itself
    xmlCipher.doFinal(document, rootElement, true);

Code Overview – Decryption
Steps involved in decryption
1: Get the element that needs to be decrypted
2: Get the key
3: Decrypt

Code Overview – Decryption
Prepare for decryption
    // Get the element that needs to be decrypted
    Element encryptedDataElement = (Element) document.getElementsByTagNameNS(
        EncryptionConstants.EncryptionSpecNS,
        EncryptionConstants._TAG_ENCRYPTEDDATA).item(0);
    // Get the key
    Key kek = loadKeyEncryptionKey();

Code Overview – Decryption
Now perform decryption
    XMLCipher xmlCipher = XMLCipher.getInstance();
    // No data key is passed: it is recovered from the EncryptedKey using the KEK
    xmlCipher.init(XMLCipher.DECRYPT_MODE, null);
    xmlCipher.setKEK(kek);
    xmlCipher.doFinal(document, encryptedDataElement);

Future Work
The Apache foundation will focus next on the XKMS for this project. Currently, the Java API is complete and robust. The C++ library is still evolving.