web security using xml encryption
WEB SECURITY USING XML ENCRYPTION
Based on the Apache XML Security Project.
By Ajeya Krishnamurthy
Presentation Overview
• Introduction
• XML Signature
• XML Encryption and Decryption
• The JCE ( Java Cryptography Extensions )
• Code Overview
• Future work
Introduction
The XML Signature technology was developed by the XML-DSig Charter – an IETF/W3C charter – in response to the June 16, 2000 E-Sign Act, which made digital signatures legally binding.
XML Signatures allow you to sign only specified sections of a document. This contrasts with non-XML signatures, which require you to sign all of a document.
XML Signatures are not limited to XML documents and can be applied to all types of electronic data, for example, HTML and GIF files.
Introduction
Basics of cryptography
• Confidentiality - Protecting data from prying eyes while in transit over an insecure communications channel like the Internet
• Integrity - Provides communicating parties with the assurance that a message was not modified while in transit
• Non-repudiation - The recipient should be able to prove that a message actually originated with the purported sender and is not a forgery
Canonical XML
Canonical XML normalizes the physical representation of XML, creating a standard for signature processing. Before the signature digest is created for a document, it is transformed to canonical XML. Then, when the received document is checked for data integrity, it is transformed to canonical XML before a digest is created for it.
Different XML applications may represent XML differently. The digest calculation is sensitive to changes in the physical representation of the XML.
XML Signature
• XML Signatures are human readable and platform independent
• Unlike non-XML digital signatures, XML Signatures include processing information (e.g. the algorithm used to generate the signature)
• XML allows signing only portions of the document. Advantages?
XML Signature Types
Enveloped - The XML Signature is included in the XML document. It is contained within a child element of the XML document
Enveloping - The XML document is included in the XML Signature. It is contained within a child element of the XML Signature
Detached - The XML Signature is included in a separate document from the signed document. The location of the signed document is referenced in the XML Signature. This type of signature is used for non-XML documents
XML Signature structure
<Signature ID>
  <SignedInfo>
    <CanonicalizationMethod/>
    <SignatureMethod/>
    (<Reference URI>
      <DigestMethod>
      <DigestValue>
    </Reference>)
  </SignedInfo>
  <SignatureValue>
  (<KeyInfo>)
</Signature>
XML Encryption
• Enables encryption of specified portions of a document, leaving the rest of the document in its original form
• Does not support the encryption of attributes
• Both symmetric and asymmetric encryption can be used
The ability to encrypt partial documents is unique to XML encryption.
XML Encryption Interoperability
XML encryption is interoperable with XML Signature. However, if you want to encrypt and sign a document, you must always encrypt the document before you sign it. This is because the digest, generated for the digital signature, may give clues about the unencrypted content of a document.
XML Encryption structure
<enc:EncryptedData Id="" Type="">
  <enc:EncryptionMethod/>
  <enc:KeyInfo>
    <enc:EncryptedKey/>
    <enc:KeyRetrievalMethod/>
  </enc:KeyInfo>
  <enc:CipherData URI="">iamscrambled</enc:CipherData>
</enc:EncryptedData>
The Java Cryptography Extension
The JCE and the JCA are APIs provided by Java for cryptography.
Tutorials are available at
http://java.sun.com/j2se/1.4.2/docs/guide/security/jce/JCERefGuide.html
Class XMLSignatureFactory -- Main class used to create all elements required for a signature
• XMLSignatureFactory is a standard factory singleton. Its main purpose is to create all elements of an XMLSignature
• It can be instantiated by:
    ─ XMLSignatureFactory.getInstance()
    ─ XMLSignatureFactory.getInstance("DOM", new <placeholder_provider>());
    ─ XMLSignatureFactory.getInstance("DOM", "<placeholder_provider>");
Code Overview
Class XMLSignature
Main class for interaction
• Creating
    ─ XMLSignatureFactory.newXMLSignature()
    ─ XMLSignatureFactory.unmarshalXMLSignature()
• Important methods
    ─ sign(XMLSignContext signContext)
    ─ validate(XMLValidateContext validateContext)
Code Overview – Creating the signature
This creates a new XMLSignatureFactory instance…
    XMLSignatureFactory fac = XMLSignatureFactory.getInstance();
And this creates a reference to be signed. The reference contains a URI pointing to the data that we wish to sign.
    Reference ref = fac.newReference("http://xml.apache.org/",
        fac.newDigestMethod(DigestMethod.SHA1, null));
This creates the SignedInfo object we need…
    // The cast selects the C14NMethodParameterSpec overload; a bare null is ambiguous.
    SignedInfo si = fac.newSignedInfo(
        fac.newCanonicalizationMethod(CanonicalizationMethod.INCLUSIVE_WITH_COMMENTS,
            (C14NMethodParameterSpec) null),
        fac.newSignatureMethod(SignatureMethod.DSA_SHA1, null),
        Collections.singletonList(ref));
And this creates a new Signature object.
    XMLSignature signature = fac.newXMLSignature(si, null);
Now we generate the key pair using the JCA.
    KeyPair kp = …
And then we create the document object and sign it
    // The DOM signature provider needs a namespace-aware parser.
    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
    dbf.setNamespaceAware(true);
    Document doc = dbf.newDocumentBuilder().newDocument();
    DOMSignContext signContext = new DOMSignContext(kp.getPrivate(), doc);
    // Sign the URL. The XML-Signature structure is
    // appended to the document
    signature.sign(signContext);
Code Overview – Verifying the signature
1: Create a XMLSignature from XML
2: Setup a KeySelector
3: Create a XMLValidateContext
4: Validate the Signature
    // Parse the document (namespace-aware, so getElementsByTagNameNS works)
    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
    dbf.setNamespaceAware(true);
    Document doc = dbf.newDocumentBuilder().parse(new FileInputStream(args[0]));
    // Find Signature element. This only checks for a
    // Signature root element.
    Node signatureNode =
        doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").item(0);
    // Create a XMLSignatureFactory
    XMLSignatureFactory fac = XMLSignatureFactory.getInstance();
    // Create a KeySelector (key is the signer's public key)
    KeySelector ks = KeySelector.singletonKeySelector(key);
    // Create a XMLValidateContext
    DOMValidateContext valContext = new DOMValidateContext(ks, signatureNode);
    // Unmarshal the XMLSignature
    XMLSignature signature = fac.unmarshalXMLSignature(valContext);
    // Validate the XMLSignature (generated above)
    boolean coreValidity = signature.validate(valContext);
Code Overview – Encryption
Designed to have fewest possible dependencies
Dependencies
• Xalan
• Xerces
• Commons Logging
• Cryptographic service provider
Steps to encrypt data
1: Specify key algorithm
2: Initialize KeyCipher
3: Generate encryption key
4: Specify encryption algorithm
5: Initialize XMLCipher
6: Encrypt
1: Specify key algorithm
2: Initialize KeyCipher
    // get algorithm
    String algo = XMLCipher.TRIPLEDES_KeyWrap;
    // construct XMLCipher
    XMLCipher c = XMLCipher.getInstance(algo);
3: Generate encryption key
4: Specify encryption algorithm
    // DESede key, used below as the key-encryption key for the Triple DES key wrap
    KeyGenerator kg = KeyGenerator.getInstance("DESede");
    SecretKey sk = kg.generateKey();
    byte[] kb = sk.getEncoded();
5: Initialize XMLCipher
    XMLCipher keyCipher = XMLCipher.getInstance(algo);
    // Data-encryption key, generated as in step 3 but for AES (used with XMLCipher.AES_128 below)
    KeyGenerator aesGen = KeyGenerator.getInstance("AES");
    aesGen.init(128);
    Key symmKey = aesGen.generateKey();
    // Wrap the data key under the DESede key from step 3, not under itself
    keyCipher.init(XMLCipher.WRAP_MODE, sk);
    EncryptedKey encryptedKey = keyCipher.encryptKey(document, symmKey);
    XMLCipher xmlCipher = XMLCipher.getInstance(XMLCipher.AES_128);
    xmlCipher.init(XMLCipher.ENCRYPT_MODE, symmKey);
Prepare for encryption
    EncryptedData d = xmlCipher.getEncryptedData();
    KeyInfo keyInfo = new KeyInfo(document);
    keyInfo.add(encryptedKey);
    d.setKeyInfo(keyInfo);
6: Encrypt
    xmlCipher.doFinal(document, rootElement, true);
Code Overview – Decryption
Steps involved in Decryption
1: Get the element that needs to be decrypted
2: Get the key
3: Decrypt
Prepare for decryption
    // Get the element that needs to be decrypted
    Element encryptedDataElement = (Element) document.getElementsByTagNameNS(
        EncryptionConstants.EncryptionSpecNS,
        EncryptionConstants._TAG_ENCRYPTEDDATA).item(0);
    // Get the key (loadKeyEncryptionKey() is a helper not shown on the slides)
    Key kek = loadKeyEncryptionKey();
Now perform Decryption
    XMLCipher xmlCipher = XMLCipher.getInstance();
    // No data key is supplied; it is recovered from the EncryptedKey using the KEK
    xmlCipher.init(XMLCipher.DECRYPT_MODE, null);
    xmlCipher.setKEK(kek);
    xmlCipher.doFinal(document, encryptedDataElement);
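Element-level encryption as described on the XML Encryption slides, with the data key wrapped under a separate key-encryption key and the decryption steps run on the result; this is an added example, not code from the presentation or the Apache project. It assumes the Apache XML Security (Santuario) library is on the classpath and uses AES key wrap with AES-128-GCM in place of the slides' Triple DES key wrap and AES_128; the class name, helper and sample document are constructed.

```java
import java.io.StringReader;
import java.security.Key;
import javax.crypto.KeyGenerator;
import javax.xml.parsers.DocumentBuilderFactory;
import org.apache.xml.security.encryption.*;
import org.apache.xml.security.keys.KeyInfo;
import org.apache.xml.security.utils.EncryptionConstants;
import org.w3c.dom.*;
import org.xml.sax.InputSource;

public class PartialEncryptionDemo {
    static Key newAesKey() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        return kg.generateKey();
    }

    public static void main(String[] args) throws Exception {
        org.apache.xml.security.Init.init(); // register the library's algorithms
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        // Constructed sample document (not from the slides).
        Document doc = dbf.newDocumentBuilder().parse(new InputSource(new StringReader(
            "<order><item>book</item><card>0000-0000-0000-0000</card></order>")));
        Key kek = newAesKey();     // key-encryption key, shared with the recipient out of band
        Key dataKey = newAesKey(); // per-document data key, travels wrapped inside the XML
        // Wrap the data key under the KEK (two distinct keys).
        XMLCipher keyCipher = XMLCipher.getInstance(XMLCipher.AES_128_KeyWrap);
        keyCipher.init(XMLCipher.WRAP_MODE, kek);
        EncryptedKey wrapped = keyCipher.encryptKey(doc, dataKey);
        // Encrypt only <card>; content=false replaces the element itself with <EncryptedData>.
        XMLCipher enc = XMLCipher.getInstance(XMLCipher.AES_128_GCM);
        enc.init(XMLCipher.ENCRYPT_MODE, dataKey);
        KeyInfo keyInfo = new KeyInfo(doc);
        keyInfo.add(wrapped);
        enc.getEncryptedData().setKeyInfo(keyInfo);
        enc.doFinal(doc, (Element) doc.getElementsByTagName("card").item(0), false);
        System.out.println("card elements left: " + doc.getElementsByTagName("card").getLength());
        System.out.println("item still readable: " + doc.getElementsByTagName("item").item(0).getTextContent());
        // Recipient side: locate <EncryptedData>, unwrap the data key with the KEK, decrypt in place.
        Element ed = (Element) doc.getElementsByTagNameNS(EncryptionConstants.EncryptionSpecNS,
            EncryptionConstants._TAG_ENCRYPTEDDATA).item(0);
        XMLCipher dec = XMLCipher.getInstance();
        dec.init(XMLCipher.DECRYPT_MODE, null);
        dec.setKEK(kek);
        dec.doFinal(doc, ed);
        System.out.println("card after decryption: " + doc.getElementsByTagName("card").item(0).getTextContent());
    }
}
```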
Future Work
The Apache foundation will focus next on the XKMS for this project. Currently, the Java API is complete and robust. The C++ library is still evolving.