Post on 07-Jan-2016
95-804 XML Encryption, .NET and Web Services Security Week 12
Applied Cryptography, Week 12
Michael McCarthy
Today's Topics
• XML Encryption Examples
• XML Encryption using .NET/C#
• Web Service Security using Sun's Application Server
XML Encryption
• W3C Recommendation, 10 December 2002
• JSR 105 (XMLDSig) proposed final draft
• JSR 106 (XMLEnc) is in progress
• JWSDP 1.5 supports Web Services Security 1.0
• .NET supports XMLEnc out of the box
• Some notes from http://www-106.ibm.com/developerworks/library/x-encrypt/index.html by Bilal Siddiqui, and from "Secure XML" by Eastlake and Niles, Addison Wesley
General Form 1
<EncryptedData>
<CipherData>
<CipherValue>
cipher text in Base 64
</CipherValue>
</CipherData>
</EncryptedData>
General Form 2
<EncryptedData>
<CipherData>
<CipherReference>
pointer (URL) to cipher text
</CipherReference>
</CipherData>
</EncryptedData>
EncryptedData is the core element
• It replaces the encrypted element (or the encrypted content of an element), or
• It serves as the new document root when the whole document is encrypted
• It may contain a KeyInfo element describing the key needed for decryption. KeyInfo is borrowed from XML Digital Signature, where it identifies the key needed for signature verification.
General Example (1)
<MedInfo>
  <ID>
    <Name>…</Name>
    <Address>…</Address>
  </ID>
  <Medical>…</Medical>
  <Financial>…</Financial>
</MedInfo>
General Example (2 and 3)
<MedInfo>
  <ID>…</ID>
  <EncryptedData>
    <KeyInfo>
      <KeyName>Medical</KeyName>
    </KeyInfo>
    <CipherData>
      <CipherValue>cipher text</CipherValue>
    </CipherData>
  </EncryptedData>
  <Financial>
    <EncryptedData>
      <KeyInfo>
        <KeyName>Pay</KeyName>
      </KeyInfo>
      <CipherData>
        <CipherValue>cipher text</CipherValue>
      </CipherData>
    </EncryptedData>
  </Financial>
</MedInfo>
Two different keys, named "Medical" and "Pay" in KeyInfo, protect the two parts. Notice the difference in what is replaced: the whole Medical element (tag included) has been replaced by EncryptedData, while Financial keeps its tag and only its content is encrypted.
Detailed Example (Listing 1)
<PurchaseOrder>
  <Order>
    <Item>book</Item>
    <Id>123-958-74598</Id>
    <Quantity>12</Quantity>
  </Order>
  <Payment>
    <CardId>123654-8988889-9996874</CardId>
    <CardName>visa</CardName>
    <ValidDate>12-10-2004</ValidDate>
  </Payment>
</PurchaseOrder>
Encrypting the Entire File (Listing 2)
<?xml version='1.0' ?>
<EncryptedData xmlns='http://www.w3.org/2001/04/xmlenc#' Type='http://www.isi.edu/in-notes/iana/assignments/media-types/text/xml'>
<CipherData>
<CipherValue>A23B45C56…</CipherValue>
</CipherData>
</EncryptedData>
IANA = Internet Assigned Numbers Authority, a function of the Internet Corporation for Assigned Names and Numbers (ICANN). The Type attribute here says that the plaintext is a whole text/xml document, so the EncryptedData element is the new document root.
Encrypting The Payment (Listing 3)
<?xml version='1.0' ?>
<PurchaseOrder>
  <Order>
    <Item>book</Item>
    <Id>123-958-74598</Id>
    <Quantity>12</Quantity>
  </Order>
  <EncryptedData Type='http://www.w3.org/2001/04/xmlenc#Element'
                 xmlns='http://www.w3.org/2001/04/xmlenc#'>
    <CipherData>
      <CipherValue>A23B45C564587…</CipherValue>
    </CipherData>
  </EncryptedData>
</PurchaseOrder>
Type …#Element: one whole element (Payment, tag included) is replaced by EncryptedData, so even the name of the encrypted element is hidden from an observer.
Encrypting Only the CardId (Listing 4)
<?xml version='1.0' ?>
<PurchaseOrder>
  <Order>
    <Item>book</Item>
    <Id>123-958-74598</Id>
    <Quantity>12</Quantity>
  </Order>
  <Payment>
    <CardId>
      <EncryptedData Type='http://www.w3.org/2001/04/xmlenc#Content'
                     xmlns='http://www.w3.org/2001/04/xmlenc#'>
        <CipherData>
          <CipherValue>A23B45C564587</CipherValue>
        </CipherData>
      </EncryptedData>
    </CardId>
    <CardName>visa</CardName>
    <ValidDate>12-10-2004</ValidDate>
  </Payment>
</PurchaseOrder>
Type …#Content: only the content of CardId is replaced, so the CardId tag stays visible (an observer learns that a card id is present, but not its value). On decryption the processor puts the plaintext back as the content of CardId instead of replacing the whole element.
Encrypting Non-XML Data (Listing 5)
<?xml version='1.0' ?>
<EncryptedData xmlns='http://www.w3.org/2001/04/xmlenc#'
               Type='http://www.isi.edu/in-notes/iana/assignments/media-types/image/jpeg'>
  <CipherData>
    <CipherValue>A23B45C56…</CipherValue>
  </CipherData>
</EncryptedData>
Any octet stream can be encrypted. Type then names its media type (here image/jpeg) so the recipient knows what to do with the decrypted bytes.
Sending a public key (Listing 6)
<?xml version='1.0' ?>
<SecureCommunicationDemonstration>
  <EncryptedKey CarriedKeyName="Muhammad Imran"
                xmlns='http://www.w3.org/2001/04/xmlenc#'>
    <ds:KeyInfo xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
      <ds:KeyValue>1asd25fsdf2dfdsfsdfds2f1sd23</ds:KeyValue>
    </ds:KeyInfo>
  </EncryptedKey>
</SecureCommunicationDemonstration>
This key is in the clear. A public key needs no confidentiality, but the receiver still needs some way (for example an X.509 certificate) to be sure it really belongs to "Muhammad Imran".
Receiving a Secret Key Encrypted with a Public Key (Listing 7)
<?xml version='1.0' ?>
<SecureCommunicationDemonstration>
  <EncryptedKey CarriedKeyName="Imran Ali"
                xmlns='http://www.w3.org/2001/04/xmlenc#'>
    <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
    <CipherData>
      <CipherValue>xyza21212sdfdsfs7989fsdbc</CipherValue>
    </CipherData>
  </EncryptedKey>
</SecureCommunicationDemonstration>
This key is encrypted. Its name is Imran Ali. The EncryptionMethod rsa-1_5 is RSA with PKCS#1 v1.5 padding; because of Bleichenbacher's padding-oracle attack on that padding, XML Encryption 1.1 recommends rsa-oaep for key transport instead.
Data Encrypted to Secret Key (Listing 8)
<?xml version='1.0' ?>
<SecureCommunicationDemonstration>
  <Order>
    <Item>book</Item>
    <Id>123-958-74598</Id>
    <Quantity>12</Quantity>
    <CardName>Visa</CardName>
    <ExpDate>10-10-2005</ExpDate>
    <EncryptedData Type='http://www.w3.org/2001/04/xmlenc#Element'
                   xmlns='http://www.w3.org/2001/04/xmlenc#'>
      <EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#tripledes-cbc'/>
      <ds:KeyInfo xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
        <ds:KeyName>Imran Ali</ds:KeyName>
      </ds:KeyInfo>
      <CipherData>
        <CipherValue>A23B45C564587</CipherValue>
      </CipherData>
    </EncryptedData>
  </Order>
</SecureCommunicationDemonstration>
An element is encrypted with 3DES in CBC mode under the Imran Ali key, the session key delivered in Listing 7. KeyName is matched as a string against the CarriedKeyName of the EncryptedKey, so the two must agree exactly.
Pointing to encrypted data (Listing 9)
<?xml version='1.0' ?>
<EncryptedData xmlns='http://www.w3.org/2001/04/xmlenc#'
               Type='http://www.w3.org/2001/04/xmlenc#Element'>
  <ds:KeyInfo xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
    <ds:KeyName>Imran Ali</ds:KeyName>
  </ds:KeyInfo>
  <CipherData>
    <CipherReference URI="www.waxsys.com/secureData/waxFile.txt"/>
  </CipherData>
</EncryptedData>
The cipher text lives at an external source, encrypted with the Imran Ali key. The receiver has to fetch that URI before it can decrypt, so a decryptor should only dereference URIs it trusts rather than any URI a document hands it.
Point to a distant encrypted element (Listing 10)
<?xml version='1.0' ?>
<EncryptedData Id="Enc-Data" xmlns='http://www.w3.org/2001/04/xmlenc#'
               Type='http://www.w3.org/2001/04/xmlenc#Element'>
  <CipherData>
    <CipherReference URI="http://www.waxsys.com/EncFile.xml">
      <Transforms xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
          <ds:XPath>
            PurchaseOrder/EncryptedData[@Id="Imran-Enc-Data"]
          </ds:XPath>
        </ds:Transform>
      </Transforms>
    </CipherReference>
  </CipherData>
</EncryptedData>
XPath is being used to point to the exact element in the fetched document that holds the cipher text. The Transforms of a CipherReference are applied in order to the fetched data to yield the cipher text octets.
An Example Output Using IBM's XSS4J
<?xml version="1.0" encoding="UTF-8"?>
<EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#" Id="Test"
               Type="http://www.isi.edu/in-notes/iana/assignments/media-types/text/xml">
  <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
  <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:KeyName>ImranAli</ds:KeyName>
  </ds:KeyInfo>
  <CipherData>
    <CipherValue>cipher text</CipherValue>
  </CipherData>
</EncryptedData>
A key name is provided for decryption. The whole document was encrypted (Type is text/xml), so EncryptedData is the root.
XML Encryption using .NET/C#
A .NET example
Hybrid Encryption
• The way it's done today
• Bulk encryption uses a symmetric (session) key, which is fast
• The symmetric key exchange problem is solved by encrypting the session key with the receiver's public key
.NET Crypto API Example
• The receiver builds an RSA key pair
• The public key of the receiver is used by the sender to encrypt a symmetric session key
• The encrypted session key, along with the encrypted elements, is sent to the receiver
• The receiver decrypts the session key using her private RSA key
• She then decrypts the encrypted element using the symmetric session key
The RSA Public Key in XML
<RSAKeyValue>
  <Modulus>z9zv0HMRK44BrjYIQtmKlDkA6WnQCIVOYmOjy/eKhFqXJM024JybC/5hOCQoYRRo5iYRopIV4gBZUBSolxgk8jIr38iO84lDoSisPl3ikcob/aCuhPe8jSl4zbKpiJ+rqQE8rSNJ3XDPDVIiRoDbSRbn04x210tjYNMbePw0RQk=</Modulus>
  <Exponent>AQAB</Exponent>
</RSAKeyValue>
These are not arbitrary tags: this representation is the RSAKeyValue of the XMLDSig standard, and RSA.ToXmlString(false) in .NET produces it directly. The exponent AQAB is the base64 encoding of 65537.

The RSA Public/Private Key Data in XML
<RSAKeyValue> <!-- defined by XMLDSig -->
  <Modulus>
    z9zv0HMRK44BrjYIQtmKlDkA6WnQCIVOYmOjy/eKhFqXJM024JybC/5hOCQoYRRo5iYRopIV4gBZUBSolxgk8jIr38iO84lDoSisPl3ikcob/aCuhPe8jSl4zbKpiJ+rqQE8rSNJ3XDPDVIiRoDbSRbn04x210tjYNMbePw0RQk=
  </Modulus>
  <Exponent>AQAB</Exponent>
  <P>54xO9DFJ4Mydzqrq8/0mcWInv4pU+bJHx1W1TYiybkRs7TchIq56z1JSgedhSxYvGHfHKzDcdplK2PHC9Aik2w==</P>
  <Q>5dBTIHj9btkq9Nss0ZC04OyRGjssKJs8+Y89MOhs9BB1YNnk6Ci6PqV8F2P8FwcSFLXb5+II7nuvRTGS5enQ6w==</Q>
  <D>sLBBOZNWGQvQ6eEMDKcWYQBDgiVrrJKEGqZP6WU13WOT7rhx2WPFd+B3i11Q5ZSPxnK9ss8ywrVBNg0ZcbYYUC+g6fYsfylKv1Lbpxr9h002syvRjmyywRcD9+TfvrVhOe27QYJKlE/QX4SHSgnTxq4qkmHdTxZRtoRGGLdZ8XE=</D>
</RSAKeyValue>
This is what RSA.ToXmlString(true) writes (it also emits the CRT values DP, DQ and InverseQ, omitted on the slide). XMLDSig itself defines only Modulus and Exponent; P, Q and D are the private factors and private exponent, so this file must stay with the receiver and never be sent.
The Encrypted Session Key
<EncryptedKey CarriedKeyName="My 3DES Session Key">   <!-- name of the session key -->
  <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
  <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">   <!-- use this key to decrypt the session key -->
    <ds:KeyName>My Private Key</ds:KeyName>
  </ds:KeyInfo>
  <CipherData>
    <CipherValue>   <!-- the session key, RSA-encrypted -->
      Shy7Nzo/ctBPAhwubFiAYpNNB2CuM4TpCUozP2oQZrEMT03OEzspgkBaItai8ImBUiSUT1KlPCbawG2edz40ISgJ+G+Sl4m6ZNmL0//gqs4/7eUyLY0rSFeCnW9hKU/hr0r4wDJaKiI+hS68OTHeBBcGLCyFEPSCQXeqbnvqQBo=
    </CipherValue>
  </CipherData>
</EncryptedKey>
The Original Invoice
<invoice>
  <items>
    <item>
      <desc>Deluxe corncob pipe</desc>
      <unitprice>14.95</unitprice>
      <quantity>1</quantity>
    </item>
  </items>
  <creditinfo>
    <cardnumber>0123456789</cardnumber>
    <expiration>01/06/2005</expiration>
    <lastname>Finn</lastname>
    <firstname>Huckleberry</firstname>
  </creditinfo>
</invoice>
The Encrypted Invoice
<invoice>
  <items>
    <item>
      <desc>Deluxe corncob pipe</desc>
      <unitprice>14.95</unitprice>
      <quantity>1</quantity>
    </item>
  </items>
  <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element">
    <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">   <!-- use this session key for decryption -->
      <ds:KeyName>My 3DES Session Key</ds:KeyName>
    </ds:KeyInfo>
    <CipherData>
      <CipherValue>ZS0og/w6JtPj0BDtU4XiAS3ybUsqh4tvp4ItoNO8ZzWUSVl8290HHVG2MfbjPSr00dCftHpaBd8GBgHOUSqG6wiia3EYy8Bgz7y6NeQ6zFu9i3J34Fy+uWETjmkROE/mg+RU0IxQTkcDWQVfUq6TECNafP9voSvbOGTNbt87Rb0BDcjbAWWLjKkOT6KOOVwfq60TJxmmkxFonqwVAY2ARlm/yBqvbo2BHux5fvZFZBF5jCPZPkuOClYZVXpY3wVB</CipherValue>
    </CipherData>
  </EncryptedData>
</invoice>
This is what the book's code produces. Note that EncryptedData, CipherData and CipherValue carry no xmlns, so they are not in the http://www.w3.org/2001/04/xmlenc# namespace, and there is no EncryptionMethod element. The matching Receiver class reads it back, but a standards-based XML Encryption processor would not recognize these elements. The IV is not in the CipherValue either (the standard prepends it to the cipher text); this code passes it to the receiver separately.
The C# Code (from Thorsteinson and Ganesh)
//XMLEncryption.cs
//NOTE: must add a project reference to System.Security
using System;
using System.IO;
using System.Text;
using System.Xml;
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;
class XMLEncryption
{
    static void Main(string[] args)
    {
        //create participants
        Sender sender = new Sender();
        Receiver receiver = new Receiver();

        //establish public and private RSA key information
        receiver.EstablishXmlRsaParameters(
            "RsaIncludePrivateParams.xml",
            "RsaExcludePrivateParams.xml");
The receiver creates RSA keys and places them in two files: one (with the private parameters) for the receiver and one (public only) for the sender.
        //create original XML document to be encrypted
        sender.CreateOriginalXmlDocument("OriginalInvoice.xml");

        //create session key and encrypt via RSA public key
        byte[] IV = sender.CreateAndEncryptXmlSessionKey(
            "RsaExcludePrivateParams.xml",
            "SessionKeyExchange.xml");
The sender creates an XML document, and generates a symmetric session key SK that is encrypted with the public key of the receiver: E(SK). The IV used with SK comes back as the return value.
        //encrypt original XML document with session key
        sender.EncryptOriginalXmlDocument(
            "OriginalInvoice.xml",
            "RsaExcludePrivateParams.xml",   // not used by the method
            "SessionKeyExchange.xml",        // not used by the method
            "EncryptedInvoice.xml");

        //decrypt XML document with session key
        receiver.DecryptXmlDocument(
            "EncryptedInvoice.xml",
            "RsaIncludePrivateParams.xml",
            "SessionKeyExchange.xml",
            "DecryptedCreditInfo.xml",
            IV);
    }
}
The sender encrypts the sensitive part of the document. The receiver decrypts the session key and is then able to decrypt the document.
class Sender
{
    public void CreateOriginalXmlDocument(String originalFilename)
    {
        //establish the original XML document
        XmlDocument xmlDoc = new XmlDocument();
        xmlDoc.PreserveWhitespace = true;
        xmlDoc.LoadXml(
            "<invoice>\n" +
            "  <items>\n" +
            "    <item>\n" +
            "      <desc>Deluxe corncob pipe</desc>\n" +
            "      <unitprice>14.95</unitprice>\n" +
            "      <quantity>1</quantity>\n" +
            "    </item>\n" +
            "  </items>\n" +
            "  <creditinfo>\n" +                                 // this part is sensitive
            "    <cardnumber>0123456789</cardnumber>\n" +
            "    <expiration>01/06/2005</expiration>\n" +
            "    <lastname>Finn</lastname>\n" +
            "    <firstname>Huckleberry</firstname>\n" +
            "  </creditinfo>\n" +
            "</invoice>\n");
The sender builds the document the hard way. The creditinfo part is sensitive.
        //write original XML document to file
        StreamWriter file = new StreamWriter(originalFilename);
        file.Write(xmlDoc.OuterXml);
        file.Close();

        //let the user know what happened
        Console.WriteLine(
            "Original XML document written to:\n\t" + originalFilename);
    }
Write the "hand built" XML to a file.
    public byte[] CreateAndEncryptXmlSessionKey(
        String rsaExcludePrivateParamsFilename,
        String keyFilename)
    {
        //create the session key for 3DES bulk encryption
        TripleDESCryptoServiceProvider tripleDES =
            new TripleDESCryptoServiceProvider();

        //access the IV and Key for sender encryption
        IV = tripleDES.IV;
        Key = tripleDES.Key;

        //fetch public only RSA parameters from XML
        StreamReader fileRsaParams = new StreamReader(
            rsaExcludePrivateParamsFilename);
        String rsaExcludePrivateParamsXML =
            fileRsaParams.ReadToEnd();
        fileRsaParams.Close();
The sender creates the session key (a fresh random 3DES key and IV). Before encrypting the key it needs the public key of the receiver.
        //RSA encrypt session key
        RSACryptoServiceProvider rsa =
            new RSACryptoServiceProvider();
        rsa.FromXmlString(rsaExcludePrivateParamsXML);
        //false = PKCS#1 v1.5 padding, matching the rsa-1_5 algorithm URI written below
        byte[] keyEncryptedBytes = rsa.Encrypt(tripleDES.Key, false);

        //store encrypted 3DES session key in Base64 string
        String keyEncryptedString = Convert.ToBase64String(
            keyEncryptedBytes);

        //create XML document for 3DES session key exchange
        XmlDocument xmlKeyDoc = new XmlDocument();
        xmlKeyDoc.PreserveWhitespace = true;
The sender encrypts the 3DES session key with the receiver's public key, and builds an XML document to hold it.
        //add EncryptedKey element to key XML
        XmlElement xmlEncryptedKey =
            xmlKeyDoc.CreateElement("EncryptedKey");
        xmlKeyDoc.AppendChild(xmlEncryptedKey);
        XmlAttribute xmlCarriedKeyName =
            xmlKeyDoc.CreateAttribute("CarriedKeyName");
        xmlCarriedKeyName.Value = "My 3DES Session Key";
        xmlEncryptedKey.Attributes.Append(xmlCarriedKeyName);
So far we have…
<EncryptedKey CarriedKeyName="My 3DES Session Key">
        //add the EncryptionMethod element to key XML
        XmlElement xmlEncryptionMethod =
            xmlKeyDoc.CreateElement("EncryptionMethod");
        xmlEncryptedKey.AppendChild(xmlEncryptionMethod);
        XmlAttribute xmlAlgorithm =
            xmlKeyDoc.CreateAttribute("Algorithm");
        xmlAlgorithm.Value = "http://www.w3.org/2001/04/xmlenc#rsa-1_5";
        xmlEncryptionMethod.Attributes.Append(xmlAlgorithm);
<EncryptedKey CarriedKeyName="My 3DES Session Key">
  <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
        //add KeyInfo element to key XML (in the XMLDSig namespace)
        XmlElement xmlKeyInfo =
            xmlKeyDoc.CreateElement("ds", "KeyInfo",
                "http://www.w3.org/2000/09/xmldsig#");
        xmlEncryptedKey.AppendChild(xmlKeyInfo);

        //add KeyName element to key XML, in the same namespace as its parent
        XmlElement xmlKeyName =
            xmlKeyDoc.CreateElement("ds", "KeyName",
                "http://www.w3.org/2000/09/xmldsig#");
        xmlKeyName.InnerText = "My Private Key";
        xmlKeyInfo.AppendChild(xmlKeyName);
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:KeyName>My Private Key</ds:KeyName>
</ds:KeyInfo>
<!-- My Private Key will be used to decrypt the session key -->
        //add CipherData element to key XML
        XmlElement xmlCipherData =
            xmlKeyDoc.CreateElement("CipherData");
        xmlEncryptedKey.AppendChild(xmlCipherData);
<CipherData>
        //add CipherValue element to key XML
        XmlElement xmlCipherValue =
            xmlKeyDoc.CreateElement("CipherValue");
        xmlCipherValue.InnerText = keyEncryptedString;
        xmlCipherData.AppendChild(xmlCipherValue);
<CipherValue>Shy7Nzo/ctBPAhwubFiAYpNNB2CuM4TpCUozP2oQZrEMT03OEzspgkBaItai8ImBUiSUT1KlPCbawG2edz40ISgJ+G+Sl4m6ZNmL0//gqs4/7eUyLY0rSFeCnW9hKU/hr0r4wDJaKiI+hS68OTHeBBcGLCyFEPSCQXeqbnvqQBo=</CipherValue>
</CipherData>
</EncryptedKey>
        //save key XML information
        xmlKeyDoc.Save(keyFilename);

        //let the user know what happened
        Console.WriteLine(
            "Encrypted Session Key XML written to:\n\t" + keyFilename);

        return IV; //needed by receiver too
    }
The sender has placed an encrypted session key on file. It includes the name of the decryption key. The receiver can decrypt the session key but also needs the IV to use it to decrypt the invoice. Here the IV is handed back out of band as the method's return value; the XML Encryption standard instead prepends the IV to the cipher text inside CipherValue, so a conforming receiver never needs a side channel for it.
    public void EncryptOriginalXmlDocument(
        String originalFilename,                 // original XML document
        String rsaExcludePrivateParamsFilename,  // receiver's public key: not needed here
        String keyFilename,                      // encrypted symmetric key file name: not needed here
        String encryptedFilename)                // document partially encrypted with session key
    {
Working code, but with some unnecessary parameters: the method only needs the original document and the output file name, since Key and IV are kept in static fields.
        //load XML document to be encrypted
        XmlDocument xmlDoc = new XmlDocument();
        xmlDoc.PreserveWhitespace = true;
        xmlDoc.Load(originalFilename);

        //get creditinfo node plaintext bytes to encrypt
        XmlElement xmlCreditinfo =
            (XmlElement)xmlDoc.SelectSingleNode("invoice/creditinfo");
        byte[] creditinfoPlainbytes =
            Encoding.UTF8.GetBytes(xmlCreditinfo.OuterXml);
Load the document holding the sensitive tag, find the tag using XPath, and get its bytes. OuterXml includes the creditinfo tag itself, so the whole element (not just its content) is what gets encrypted, matching Type #Element.
        //create 3DES algorithm object for bulk encryption
        TripleDESCryptoServiceProvider tripleDES =
            new TripleDESCryptoServiceProvider();
Getting ready for symmetric encryption…
        //establish crypto stream using 3DES algorithm
        MemoryStream ms = new MemoryStream();
        CryptoStream cs = new CryptoStream(
            ms,
            tripleDES.CreateEncryptor(Key, IV),
            CryptoStreamMode.Write);

        //write creditinfo plaintext to crypto stream
        cs.Write(
            creditinfoPlainbytes, 0, creditinfoPlainbytes.Length);
        cs.Close();   // flushes the final, PKCS#7-padded block
Use the same Key/IV that we encrypted before; these variables are static fields defined outside the methods. Encrypt the sensitive tag with the session key.
        //get creditinfo ciphertext from crypto stream
        byte[] creditinfoCipherbytes = ms.ToArray();
        ms.Close();
        String creditinfoCiphertext =
            Convert.ToBase64String(creditinfoCipherbytes);
Get the encrypted bytes and convert them to base 64.
        //create EncryptedData in XML file
        XmlElement xmlEncryptedData =
            xmlDoc.CreateElement("EncryptedData");
        XmlAttribute xmlType =
            xmlDoc.CreateAttribute("Type");
        xmlType.Value =
            "http://www.w3.org/2001/04/xmlenc#Element";
        xmlEncryptedData.Attributes.Append(xmlType);

        //add KeyInfo element
        XmlElement xmlKeyInfo =
            xmlDoc.CreateElement("ds", "KeyInfo",
                "http://www.w3.org/2000/09/xmldsig#");
        xmlEncryptedData.AppendChild(xmlKeyInfo);
Build the XML Encryption element and its KeyInfo.
        //add KeyName element (same namespace as its parent KeyInfo)
        XmlElement xmlKeyName =
            xmlDoc.CreateElement("ds", "KeyName",
                "http://www.w3.org/2000/09/xmldsig#");
        xmlKeyName.InnerText = "My 3DES Session Key";
        xmlKeyInfo.AppendChild(xmlKeyName);

        //add CipherData element
        XmlElement xmlCipherData =
            xmlDoc.CreateElement("CipherData");
        xmlEncryptedData.AppendChild(xmlCipherData);

        //add CipherValue element with encrypted creditinfo
        XmlElement xmlCipherValue =
            xmlDoc.CreateElement("CipherValue");
        xmlCipherValue.InnerText = creditinfoCiphertext;
        xmlCipherData.AppendChild(xmlCipherValue);
        //replace original node with the encrypted node
        xmlCreditinfo.ParentNode.ReplaceChild(
            xmlEncryptedData, xmlCreditinfo);

        //save XML to encrypted file
        xmlDoc.Save(encryptedFilename);

        //let the user know what happened
        Console.WriteLine(
            "Encrypted XML document written to:\n\t" + encryptedFilename);
    }

    //information sender needs across method calls
    static byte[] IV;
    static byte[] Key;
}
The encrypted document is built. The receiver needs to read it…
What does the receiver need?
• The encrypted document
• The encrypted session key
• The IV, which this code passes out of band
• Her own RSA private key, to unwrap the session key
class Receiver
{
    public void EstablishXmlRsaParameters(
        String rsaIncludePrivateParamsFilename,
        String rsaExcludePrivateParamsFilename)
    {
        //create RSA object with new key pair
        RSACryptoServiceProvider rsa =
            new RSACryptoServiceProvider();

        //store public and private RSA key params in XML
        StreamWriter fileRsaIncludePrivateParams =
            new StreamWriter(rsaIncludePrivateParamsFilename);
        fileRsaIncludePrivateParams.Write(rsa.ToXmlString(true));
        fileRsaIncludePrivateParams.Close();
Executed before anything else. The receiver needs the public and private keys. Note that ToXmlString(true) writes the private key to disk unencrypted; outside a classroom demo the private key belongs in a protected key container or an HSM, not in a plain XML file.
        //store public only RSA key params in XML
        StreamWriter fileRsaExcludePrivateParams =
            new StreamWriter(rsaExcludePrivateParamsFilename);
        fileRsaExcludePrivateParams.Write(rsa.ToXmlString(false));
        fileRsaExcludePrivateParams.Close();

        //let the user know what happened
        Console.WriteLine(
            "RSA parameters written to:\n\t" +
            rsaIncludePrivateParamsFilename + "\n\t" +
            rsaExcludePrivateParamsFilename);
    }
The sender needs only the public key. Two files are written.
    public void DecryptXmlDocument(
        String encryptedFilename,
        String rsaIncludePrivateParamsFilename,
        String keyFilename,
        String decryptedFilename,
        byte[] IV)
    {
        //load encrypted XML document
        XmlDocument xmlDoc = new XmlDocument();
        xmlDoc.PreserveWhitespace = true;
        xmlDoc.Load(encryptedFilename);

        //get creditinfo node ciphertext bytes to decrypt
        XmlElement xmlEncryptedData =
            (XmlElement)xmlDoc.SelectSingleNode("invoice/EncryptedData");
Decrypt: get the document and find the encrypted element using XPath.
        XmlElement xmlCipherValue =
            (XmlElement)xmlEncryptedData.SelectSingleNode("CipherData/CipherValue");
        byte[] creditinfoCipherbytes = Convert.FromBase64String(
            xmlCipherValue.InnerText);

        //load XML key document
        XmlDocument xmlKeyDoc = new XmlDocument();
        xmlKeyDoc.PreserveWhitespace = true;
        xmlKeyDoc.Load(keyFilename);

        //get encrypted session key bytes
        XmlElement xmlKeyCipherValue =
            (XmlElement)xmlKeyDoc.SelectSingleNode(
                "EncryptedKey/CipherData/CipherValue");
        byte[] xmlKeyCipherbytes = Convert.FromBase64String(
            xmlKeyCipherValue.InnerText);
Get the encrypted bytes of the element, then the encrypted symmetric key, each as an array of bytes.
        //Get RSA private key to decrypt the session key
        StreamReader fileRsaParams = new StreamReader(
            rsaIncludePrivateParamsFilename);
        String rsaIncludePrivateParamsXML = fileRsaParams.ReadToEnd();
        fileRsaParams.Close();

        //RSA decrypt 3DES session key (false = PKCS#1 v1.5, as on the sender side)
        RSACryptoServiceProvider rsa =
            new RSACryptoServiceProvider();
        rsa.FromXmlString(rsaIncludePrivateParamsXML);
        byte[] keyPlainBytes = rsa.Decrypt(xmlKeyCipherbytes, false);

        //create 3DES algorithm object for bulk decryption
        TripleDESCryptoServiceProvider tripleDES =
            new TripleDESCryptoServiceProvider();
Get the RSA private key, decrypt the session key, and prepare to use 3DES decryption.
        //establish crypto stream using 3DES algorithm
        MemoryStream ms = new MemoryStream(creditinfoCipherbytes);
        CryptoStream cs = new CryptoStream(
            ms,
            tripleDES.CreateDecryptor(keyPlainBytes, IV),
            CryptoStreamMode.Read);

        //read creditinfo plaintext from crypto stream;
        //ReadToEnd stops at the unpadded length, so no trailing zero bytes are
        //left over as they would be with a buffer sized to the ciphertext length
        StreamReader plainReader = new StreamReader(cs, Encoding.UTF8);
        String creditinfoPlaintext = plainReader.ReadToEnd();
        plainReader.Close();
        ms.Close();
Operate on the sensitive data. Now it's in the clear.
        //parse the plaintext back into nodes of the document
        XmlDocumentFragment docFrag = xmlDoc.CreateDocumentFragment();
        docFrag.InnerXml = creditinfoPlaintext;

        //put <creditinfo> back exactly where <EncryptedData> was
        XmlElement invoiceTag =
            (XmlElement)xmlDoc.SelectSingleNode("invoice");
        invoiceTag.ReplaceChild(docFrag, xmlEncryptedData);

        Console.WriteLine("Display the modified XML...");
        Console.WriteLine(xmlDoc.OuterXml);
Rebuild the decrypted document. Replacing the EncryptedData node with the fragment inserts the fragment's children in the place the encrypted element occupied, which is what Type #Element calls for.
        //write decrypted XML document to file
        StreamWriter fileplaintext =
            new StreamWriter(decryptedFilename);
        fileplaintext.Write(xmlDoc.OuterXml);
        fileplaintext.Close();

        //let the user know what happened
        Console.WriteLine(
            "Decrypted XML credit info written to:\n\t" + decryptedFilename);
    }
}
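The book's code hand-builds the EncryptedKey and EncryptedData elements and hands the IV to the receiver out of band. What follows is an added example, not from the slides or from Thorsteinson and Ganesh: it performs the same hybrid encryption of the invoice's creditinfo element with .NET's own System.Security.Cryptography.Xml classes (EncryptedXml, EncryptedData, EncryptedKey), which write the xmlenc and xmldsig namespaces, the EncryptionMethod elements and the IV-prefixed CipherValue the standard requires, and it also shows the #Element versus #Content distinction from Listings 3 and 4 through the content flag. AES-256 and RSA-OAEP are used in place of the slides' 3DES and rsa-1_5 on purpose. It assumes .NET Framework 4.7.2 or .NET 6+ with the System.Security.Cryptography.Xml package; the key name ReceiverRsaKey, the element Id EncryptedElement1 and the invoice document are constructed for the example.

```csharp
// Added example (not from the slides or from Thorsteinson and Ganesh):
// hybrid XML Encryption with .NET's built-in EncryptedXml classes.
// Assumes .NET Framework 4.7.2 or .NET 6+ with System.Security.Cryptography.Xml.
// The key name, element Id and invoice below are constructed for this example.
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;
using System.Xml;

static class XmlEncDemo
{
    // Name the receiver uses to find her RSA key; plays the role of <ds:KeyName> on the slides.
    const string ReceiverKeyName = "ReceiverRsaKey";
    const string ElementId = "EncryptedElement1";

    // Sender side: encrypt one element (or, with content=true, only its children)
    // under a fresh AES-256 key, and wrap that key for the receiver with RSA-OAEP.
    public static void EncryptElement(XmlDocument doc, string xpath, RSA receiverPublicKey, bool content)
    {
        XmlElement target = doc.SelectSingleNode(xpath) as XmlElement
            ?? throw new ArgumentException("element not found: " + xpath);

        using (Aes aes = Aes.Create())       // random 256-bit key and random IV per message
        {
            var exml = new EncryptedXml();
            // CBC-encrypts the serialized element; the IV is prepended to the ciphertext as the spec requires
            byte[] cipher = exml.EncryptData(target, aes, content);

            // <EncryptedKey>: the AES key wrapped with RSA-OAEP, tagged with the receiver's key name
            var encryptedKey = new EncryptedKey
            {
                CipherData = new CipherData(EncryptedXml.EncryptKey(aes.Key, receiverPublicKey, true)),
                EncryptionMethod = new EncryptionMethod(EncryptedXml.XmlEncRSAOAEPUrl)
            };
            encryptedKey.KeyInfo.AddClause(new KeyInfoName(ReceiverKeyName));
            encryptedKey.AddReference(new DataReference { Uri = "#" + ElementId });

            // <EncryptedData>: Type decides whether the element or only its content is replaced
            var encryptedData = new EncryptedData
            {
                Id = ElementId,
                Type = content ? EncryptedXml.XmlEncElementContentUrl : EncryptedXml.XmlEncElementUrl,
                EncryptionMethod = new EncryptionMethod(EncryptedXml.XmlEncAES256Url)
            };
            encryptedData.KeyInfo.AddClause(new KeyInfoEncryptedKey(encryptedKey)); // key travels inside KeyInfo
            encryptedData.CipherData.CipherValue = cipher;

            // Swap the plaintext (element or content) for <EncryptedData> in place
            EncryptedXml.ReplaceElement(target, encryptedData, content);
        }
    }

    // Receiver side: map the key name to the private key; EncryptedXml unwraps the
    // AES key, decrypts, and splices the plaintext back according to Type.
    public static void DecryptDocument(XmlDocument doc, RSA receiverPrivateKey)
    {
        var exml = new EncryptedXml(doc);
        exml.AddKeyNameMapping(ReceiverKeyName, receiverPrivateKey);
        exml.DecryptDocument();
    }

    static void Main()
    {
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml(
            "<invoice><items><item><desc>Deluxe corncob pipe</desc><unitprice>14.95</unitprice>" +
            "<quantity>1</quantity></item></items><creditinfo><cardnumber>0123456789</cardnumber>" +
            "<lastname>Finn</lastname><firstname>Huckleberry</firstname></creditinfo></invoice>");

        using (RSA rsa = RSA.Create(2048))    // receiver's key pair; the sender only needs the public half
        {
            // Type #Element: the whole <creditinfo> element disappears from the document
            EncryptElement(doc, "/invoice/creditinfo", rsa, false);
            Console.WriteLine(doc.OuterXml);

            DecryptDocument(doc, rsa);
            Console.WriteLine(doc.OuterXml);  // original <creditinfo> is back

            // Type #Content: <cardnumber> stays visible, only its digits are encrypted
            EncryptElement(doc, "/invoice/creditinfo/cardnumber", rsa, true);
            Console.WriteLine(doc.OuterXml);
            DecryptDocument(doc, rsa);
        }
    }
}
```

On decryption, DecryptDocument finds every EncryptedData element, follows its KeyInfo to the nested EncryptedKey, looks up the named RSA key in the mapping, unwraps the AES key, and then either replaces the EncryptedData element or refills the parent's content depending on Type, which is exactly the processing rule Listings 3 and 4 describe. Because the IV rides inside CipherValue, nothing has to be passed to the receiver beside the document itself and her private key.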
Web Services Security Using Sun's Application Server

What is Web Services Security About?
• User authentication (security token propagation)
• Message integrity
• Message confidentiality
• SOAP communications
Web Services Security
• Web Services Security language (WSS)
• A SOAP extension
• Supports multiple security token formats, such as X.509 certificates and Kerberos tickets, and is extensible
• WS-Security does not by itself make a particular protocol secure: it provides building blocks (tokens, signatures, encryption) that a protocol must still combine correctly
Web Services Security Definitions (from the Specification)
Claim: a statement that a client makes (e.g. name, identity, key, group, privilege, capability, etc.).
Security Token: a collection of claims.
Signed Security Token: a security token that is asserted and cryptographically endorsed by a specific authority (e.g. an X.509 certificate or a Kerberos ticket).
A claim can be either endorsed or unendorsed by a trusted authority. A set of endorsed claims is usually represented as a signed security token that is digitally signed or encrypted by the authority. An X.509 certificate, claiming the binding between one's identity and public key, is an example of a signed security token.
Web Services Security Main Elements
<Security>: the root; may be present several times in one message, for different receivers (actors)
<UsernameToken>: used for sending basic authentication
  <Username>: required in the UsernameToken element
  <Password>: only with an underlying secure transport (e.g. SSL), since a password in a SOAP header is otherwise readable by everyone on the path
<SecurityTokenReference>: the claims may exist somewhere else; this element may point to an X.509 certificate
<BinarySecurityToken Id=... EncodingType=... ValueType=.../>: carries a binary token (e.g. an X.509 certificate or Kerberos ticket), base64-encoded, inside the message
A Bit of Web Services Security Syntax
<S:Envelope>
  <S:Header>
    ...
    <Security S:actor="..." S:mustUnderstand="...">
      ...
    </Security>
    ...
  </S:Header>
  ...
</S:Envelope>
The Security header makes extensive use of the XML Encryption and XML Digital Signature standards. mustUnderstand="1" forces a receiver that cannot process the header to fault rather than silently ignore it.
An Example Web Services Security Implementation
Examples running with:
• JDK 1.5
• Sun Application Server
• JWSDP 1.5
• Security issues handled with configuration files
TestClient.java (SOAP client)
package simple;

import javax.xml.rpc.*;
import javax.xml.namespace.QName;

public class TestClient {

    private static final QName portName =
        new QName("http://xmlsoap.org/Ping", "Ping");
This web service client wants to execute the Ping web service.
    public static void main(String[] args) throws Exception {
        // Get access to the client side proxy
        PingService pingService = new PingService_Impl();

        // build an endpoint from system properties
        String serviceHost = System.getProperty("endpoint.host");
        String servicePort = System.getProperty("endpoint.port");
        String serviceURLFragment = System.getProperty("service.url");
        String serviceURL = "http://" + serviceHost + ":" + servicePort + serviceURLFragment;
        System.out.println("Service URL=" + serviceURL);

        // Use pingService to get a client side stub
        PingPort_Ping_Stub stub =
            (PingPort_Ping_Stub) (pingService.getPing());

        // set the URL of the web service
        stub._setProperty(
            javax.xml.rpc.Stub.ENDPOINT_ADDRESS_PROPERTY, serviceURL);

        // make the call
        System.out.println("About to ping");
        stub.ping(new TicketType(null, "SUNW"), "Hello!");
        System.out.println("Ping complete");
    }
}
PingImpl.java (server side)
package simple;

import java.io.*;

import javax.xml.rpc.*;
import javax.xml.rpc.ServiceException;
import javax.xml.rpc.server.ServiceLifecycle;
import javax.xml.rpc.server.ServletEndpointContext;

import javax.servlet.ServletContext;

import com.sun.xml.rpc.server.http.ServletEndpointContextImpl;
import com.sun.xml.rpc.server.TieBase;
import com.sun.xml.rpc.spi.runtime.Tie;

import com.sun.xml.wss.SubjectAccessor;
import javax.security.auth.Subject;
import java.util.Set;
import java.util.Iterator;

public class PingImpl implements PingPort, ServiceLifecycle {

    Object context = null;

    public void init(Object context) throws ServiceException {
        this.context = context;
    }

    // --- implementation of main operation: takes a ticket and a message
    public String ping(TicketType ticket, String message) {
        System.out.println("The message is here : " + message);
        Subject clientSubject = null;
        try {
            // the authenticated caller, populated by the XWSS security handler
            clientSubject = SubjectAccessor.getRequesterSubject(context);
        } catch (Exception e) {
            e.printStackTrace();
        }
if (clientSubject != null) { Set principals = clientSubject.getPrincipals(); for (Iterator it = principals.iterator(); it.hasNext();) { System.out.println("Client Principals:" + it.next()); } } else { System.out.println("Client Principal not set"); }
return message + “ Mike!”; }
public String ping0(TicketType ticket, String message) { return ping(ticket, message); }
95-804 XML Encryption, .NET and Web Services Security Week 12
77
/* (non-Javadoc) * @see javax.xml.rpc.server.ServiceLifecycle#destroy() */ public void destroy() { // Do nothing } }
<!-- dump-client.xml client side configuration file - NO Security Version -->
<xwss:JAXRPCSecurity xmlns:xwss="http://java.sun.com/xml/ns/xwss/config">
    <xwss:Service>
        <xwss:SecurityConfiguration dumpMessages="true"/>
    </xwss:Service>
    <xwss:SecurityEnvironmentHandler>
        com.sun.xml.wss.sample.SecurityEnvironmentHandler
    </xwss:SecurityEnvironmentHandler>
</xwss:JAXRPCSecurity>
To Run
Install JDK1.5 (with RSA support)
Install Sun’s Application Server PE8
Install JWSDP1.5
Start up the application server
asadmin start-domain domain1
C:\Sun\jwsdp-1.5\xws-security\samples\simple>asant run-sample
No Security SOAP Going to Service

Running the simple.TestClient program....
Service URL=http://localhost:8080/securesimple/Ping
About to ping
Apr 9, 2005 10:17:52 AM com.sun.xml.wss.filter.DumpFilter process
INFO: ==== Sending Message Start ====
<?xml version="1.0" encoding="UTF-8"?>
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"
              xmlns:enc="http://schemas.xmlsoap.org/soap/encoding/"
              xmlns:ns0="http://xmlsoap.org/Ping"
              xmlns:xsd="http://www.w3.org/2001/XMLSchema"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <env:Body>
        <ns0:Ping>
            <ns0:ticket>SUNW</ns0:ticket>
            <ns0:text>Hello!</ns0:text>
        </ns0:Ping>
    </env:Body>
</env:Envelope>
SOAP Response

<?xml version="1.0" encoding="UTF-8"?>
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"
              xmlns:enc="http://schemas.xmlsoap.org/soap/encoding/"
              xmlns:ns0="http://xmlsoap.org/Ping"
              xmlns:xsd="http://www.w3.org/2001/XMLSchema"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <env:Body>
        <ns0:PingResponse>
            <ns0:text>Hello! Mike!</ns0:text>
        </ns0:PingResponse>
    </env:Body>
</env:Envelope>
Ping complete
Configure the client to sign

<!-- sign-client.xml - Same tags as before except the Sign and RequireSignature elements -->
<xwss:JAXRPCSecurity xmlns:xwss="http://java.sun.com/xml/ns/xwss/config">
    <xwss:Service>
        <xwss:SecurityConfiguration dumpMessages="true">
            <!-- Note that in the <Sign> operation, a Timestamp is exported
                 in the security header and signed by default. -->
            <xwss:Sign>
                <xwss:X509Token certificateAlias="xws-security-client"/>
            </xwss:Sign>
            <!-- Signature requirement. No target is specified, hence the
                 soap body is expected to be signed. Also, by default, a
                 Timestamp is expected to be signed. -->
            <xwss:RequireSignature/>
        </xwss:SecurityConfiguration>
    </xwss:Service>
    <xwss:SecurityEnvironmentHandler>
        com.sun.xml.wss.sample.SecurityEnvironmentHandler
    </xwss:SecurityEnvironmentHandler>
</xwss:JAXRPCSecurity>
Tell server to check the signature

<!-- sign-server.xml tells the server to check the signature (server-side config) -->
<xwss:JAXRPCSecurity xmlns:xwss="http://java.sun.com/xml/ns/xwss/config">
    <xwss:Service>
        <xwss:SecurityConfiguration dumpMessages="true">
            <xwss:Sign/>
            <xwss:RequireSignature/>
        </xwss:SecurityConfiguration>
    </xwss:Service>
    <xwss:SecurityEnvironmentHandler>
        com.sun.xml.wss.sample.SecurityEnvironmentHandler
    </xwss:SecurityEnvironmentHandler>
</xwss:JAXRPCSecurity>
Signed SOAP Request

Service URL=http://localhost:8080/securesimple/Ping
About to ping
Apr 9, 2005 11:27:18 AM com.sun.xml.wss.filter.DumpFilter process
INFO: ==== Sending Message Start ====
<?xml version="1.0" encoding="UTF-8"?>
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"
              xmlns:enc="http://schemas.xmlsoap.org/soap/encoding/"
              xmlns:ns0="http://xmlsoap.org/Ping"
              xmlns:xsd="http://www.w3.org/2001/XMLSchema"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <env:Header>
        <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                       env:mustUnderstand="1">
            <wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                                      EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
                                      ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
                                      wsu:Id="Id5125092215767425665">
                MIIDWTCCAsKgAwIBAgIBAjANBgkqhkiG9w0BAQQFADB0MQswCQYDVQQGEwJOQTELMAkGA1UECBMC
                ... large truncation for slides ...
            </wsse:BinarySecurityToken>
            <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:SignedInfo>
                    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                    <ds:Reference URI="#Id4800076074773895559">
                        <ds:Transforms>
                            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                        </ds:Transforms>
                        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                        <ds:DigestValue>WU8ei/UnbaccmyhdcgqIWlbTUKA=</ds:DigestValue>
                    </ds:Reference>
                    <ds:Reference URI="#Id-6392346557835507110">
                        <ds:Transforms>
                            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                        </ds:Transforms>
                        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                        <ds:DigestValue>eOcD6/Dw0Ap+UHFoVhtVwWE/yD4=</ds:DigestValue>
                    </ds:Reference>
                </ds:SignedInfo>
                <ds:SignatureValue>
                    R/K5w3J5/kTTyh7zV4uNDQztfFDYPXxjWnuKRLnjcIcc6ekBrPJkjwcfACiOXXp7r8/jThn1nevpWxV7qf3O955iGpjxiPuzJXh7QoUJXRlddt3CVOo2+377JO5Gl08PnyEj6ucFnIX26mKXo1urccysYEPBABPlFS07ACEkXGU=
                </ds:SignatureValue>
                <ds:KeyInfo>
                    <wsse:SecurityTokenReference>
                        <wsse:Reference URI="#Id5125092215767425665"
                                        ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
                    </wsse:SecurityTokenReference>
                </ds:KeyInfo>
            </ds:Signature>
            <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                           wsu:Id="Id-6392346557835507110">
                <wsu:Created>2005-04-09T15:27:03Z</wsu:Created>
                <wsu:Expires>2005-04-09T15:32:03Z</wsu:Expires>
            </wsu:Timestamp>
        </wsse:Security>
    </env:Header>
    <env:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
              wsu:Id="Id4800076074773895559">
        <ns0:Ping>
            <ns0:ticket>SUNW</ns0:ticket>
            <ns0:text>Hello!</ns0:text>
        </ns0:Ping>
    </env:Body>
</env:Envelope>
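The dump shows exactly what the server's RequireSignature setting has to enforce: the two ds:Reference elements must cover the Body (wsu:Id Id4800076074773895559) and the Timestamp (Id-6392346557835507110), the Timestamp window must still be open, and the header is marked mustUnderstand="1" so a receiver that cannot process it must fault rather than ignore it. The Python script below is an added example, not code from the slides or from XWS-Security: it runs those structural checks on a constructed envelope modelled on the dump (certificate and signature bytes shortened, Ids and digests as on the slide). It does not verify the RSA signature itself, which needs exclusive C14N and the sender's certificate and is what the XWSS runtime does; the function name, the five-minute lifetime and the one-minute skew are my assumptions.

```python
"""Structural checks a receiver applies to a WS-Security signed request.
Added example (not from the slides or XWS-Security); standard library only."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "env": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
WSU_ID = "{%s}Id" % NS["wsu"]
MUST_UNDERSTAND = "{%s}mustUnderstand" % NS["env"]

# Constructed sample modelled on the slide's signed request: token and
# signature bytes shortened, Ids, digests and timestamps as on the slide.
SIGNED_REQUEST = """<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:ns0="http://xmlsoap.org/Ping"
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <env:Header>
    <wsse:Security env:mustUnderstand="1">
      <wsse:BinarySecurityToken wsu:Id="Id5125092215767425665">MIIDWTCC...</wsse:BinarySecurityToken>
      <ds:Signature>
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <ds:Reference URI="#Id4800076074773895559">
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>WU8ei/UnbaccmyhdcgqIWlbTUKA=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#Id-6392346557835507110">
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>eOcD6/Dw0Ap+UHFoVhtVwWE/yD4=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>R/K5w3J5...</ds:SignatureValue>
      </ds:Signature>
      <wsu:Timestamp wsu:Id="Id-6392346557835507110">
        <wsu:Created>2005-04-09T15:27:03Z</wsu:Created>
        <wsu:Expires>2005-04-09T15:32:03Z</wsu:Expires>
      </wsu:Timestamp>
    </wsse:Security>
  </env:Header>
  <env:Body wsu:Id="Id4800076074773895559">
    <ns0:Ping><ns0:ticket>SUNW</ns0:ticket><ns0:text>Hello!</ns0:text></ns0:Ping>
  </env:Body>
</env:Envelope>"""


def _utc(text):
    """Parse the whole-second xsd:dateTime form used in the dump."""
    return datetime.strptime(text.strip(), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_signed_request(xml_text, now, max_lifetime=timedelta(minutes=5),
                         skew=timedelta(seconds=60)):
    """Return a list of findings; an empty list means the request passes."""
    if isinstance(now, str):
        now = _utc(now)
    root = ET.fromstring(xml_text)
    findings = []
    security = root.find("env:Header/wsse:Security", NS)
    if security is None:
        return ["no wsse:Security header"]
    if security.get(MUST_UNDERSTAND) != "1":
        findings.append("Security header lacks mustUnderstand=1")

    # 1. Timestamp freshness: Created before Expires, bounded lifetime, not expired.
    ts = security.find("wsu:Timestamp", NS)
    if ts is None:
        findings.append("no Timestamp")
    else:
        created = _utc(ts.findtext("wsu:Created", namespaces=NS))
        expires = _utc(ts.findtext("wsu:Expires", namespaces=NS))
        if not created < expires:
            findings.append("Timestamp Created is not before Expires")
        if expires - created > max_lifetime:
            findings.append("Timestamp lifetime exceeds policy")
        if created > now + skew:
            findings.append("Timestamp Created lies in the future")
        if now > expires + skew:
            findings.append("Timestamp expired")

    # 2. Coverage: the Body and the Timestamp must each be a signed Reference,
    #    i.e. the element the service dispatches on is the element that was signed.
    sig = security.find("ds:Signature", NS)
    if sig is None:
        findings.append("no Signature")
        return findings
    refs = {r.get("URI", "").lstrip("#")
            for r in sig.findall("ds:SignedInfo/ds:Reference", NS)}
    for label, el in (("Body", root.find("env:Body", NS)), ("Timestamp", ts)):
        if el is not None and el.get(WSU_ID) not in refs:
            findings.append("%s is not covered by the signature" % label)

    # 3. Algorithm policy: the SHA-1 based methods in the dump are legacy today.
    sm = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
    algs = [sm.get("Algorithm")] if sm is not None else []
    algs += [d.get("Algorithm")
             for d in sig.findall("ds:SignedInfo/ds:Reference/ds:DigestMethod", NS)]
    for alg in sorted(set(algs)):
        if alg.endswith("sha1"):
            findings.append("legacy SHA-1 algorithm: " + alg)
    return findings


if __name__ == "__main__":
    for finding in check_signed_request(SIGNED_REQUEST, "2005-04-09T15:28:00Z"):
        print(finding)
```

Run against the sample at the time it was sent, the only findings are the two SHA-1 warnings; move the clock an hour forward and the Timestamp check fires, and changing the Body's wsu:Id so that it no longer matches a Reference produces the coverage finding.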
SOAP Response

<?xml version="1.0" encoding="UTF-8"?>
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"
              xmlns:enc="http://schemas.xmlsoap.org/soap/encoding/"
              xmlns:ns0="http://xmlsoap.org/Ping"
              xmlns:xsd="http://www.w3.org/2001/XMLSchema"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <env:Header>
        <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                       env:mustUnderstand="1">
            <wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                                      EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
                                      ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
                                      wsu:Id="Id-2811617958072086928">
                MIIDWTCCAsKgAwIBAgIBATANBgkqhkiG9w0BAQQFADB0MQswCQYDVQQGEwTkExCzAJBgNVBAcTAk5BMQswCQYDV
                ... truncated for slides ...
            </wsse:BinarySecurityToken>
            <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:SignedInfo>
                    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                    <ds:Reference URI="#Id-2759303837586178391">
                        <ds:Transforms>
                            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                        </ds:Transforms>
                        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                        <ds:DigestValue>+wIvYh7do417KoMegTdIsceVwa4=</ds:DigestValue>
                    </ds:Reference>
                    <ds:Reference URI="#Id-6781605803276963">
                        <ds:Transforms>
                            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                        </ds:Transforms>
                        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                        <ds:DigestValue>LmLfuY64iaJ1GNm2tYFVxbGrFO8=</ds:DigestValue>
                    </ds:Reference>
                </ds:SignedInfo>
                <ds:SignatureValue>
                    kSzWeh29OTfPhYl1/+8RM2z2puuWXrfJLU6k+8MlC0PRYljt279NzSVgWUuKsCjYEggAtY6OEKIChvNp18NQ3Im2NOb35vsFCzc4GQkIm8jn70TF9YF+vEYx5xX39f7mV96YMuwWfebYAAS/AEOnx/zh/YNfPT6l5oSdd2l5OzI=
                </ds:SignatureValue>
                <ds:KeyInfo>
                    <wsse:SecurityTokenReference>
                        <wsse:Reference URI="#Id-2811617958072086928"
                                        ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
                    </wsse:SecurityTokenReference>
                </ds:KeyInfo>
            </ds:Signature>
            <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                           wsu:Id="Id-6781605803276963">
                <wsu:Created>2005-04-09T15:27:44Z</wsu:Created>
                <wsu:Expires>2005-04-09T15:32:44Z</wsu:Expires>
            </wsu:Timestamp>
        </wsse:Security>
    </env:Header>
    <env:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
              wsu:Id="Id-2759303837586178391">
        <ns0:PingResponse>
            <ns0:text>Hello! Mike!</ns0:text>
        </ns0:PingResponse>
    </env:Body>
</env:Envelope>
Tell The Client to Encrypt

<xwss:JAXRPCSecurity xmlns:xwss="http://java.sun.com/xml/ns/xwss/config">
    <xwss:Service>
        <xwss:SecurityConfiguration dumpMessages="true">
            <!-- Since no targets have been specified below, the contents
                 of the soap body would be encrypted by default. -->
            <xwss:Encrypt>
                <xwss:X509Token certificateAlias="s1as"/>
            </xwss:Encrypt>
        </xwss:SecurityConfiguration>
    </xwss:Service>
    <xwss:SecurityEnvironmentHandler>
        com.sun.xml.wss.sample.SecurityEnvironmentHandler
    </xwss:SecurityEnvironmentHandler>
</xwss:JAXRPCSecurity>
Tell the server to require encryption

<xwss:JAXRPCSecurity xmlns:xwss="http://java.sun.com/xml/ns/xwss/config">
    <xwss:Service>
        <xwss:SecurityConfiguration dumpMessages="true">
            <!-- Encryption requirement. As no target is specified, the contents
                 of the soap body of the request are expected to be encrypted. -->
            <xwss:RequireEncryption/>
        </xwss:SecurityConfiguration>
    </xwss:Service>
    <xwss:SecurityEnvironmentHandler>
        com.sun.xml.wss.sample.SecurityEnvironmentHandler
    </xwss:SecurityEnvironmentHandler>
</xwss:JAXRPCSecurity>
Encrypted Request

<?xml version="1.0" encoding="UTF-8"?>
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"
              xmlns:enc="http://schemas.xmlsoap.org/soap/encoding/"
              xmlns:ns0="http://xmlsoap.org/Ping"
              xmlns:xsd="http://www.w3.org/2001/XMLSchema"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <env:Header>
        <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                       env:mustUnderstand="1">
            <wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                                      EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
                                      ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
                                      wsu:Id="Id-6842673312555922560">
                MIIDWTCCAsKgAwIBAgIBATANBgkqhkiG9w0BAQQFADB0MQswCQYDVQQGEw
                ... large truncation for slides ...
            </wsse:BinarySecurityToken>
            <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
                <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
                <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                    <wsse:SecurityTokenReference>
                        <wsse:Reference URI="#Id-6842673312555922560"
                                        ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
                    </wsse:SecurityTokenReference>
                </ds:KeyInfo>
                <xenc:CipherData>
                    <xenc:CipherValue>
                        KB79tvoF6Bu7JeL2Re6iGG8BhdhOFcZiNDJrJNe8lV3GE6Sk+s453IF3GFpmkmQttPhzH1DHKQ+2nFjIWPdyZObK3cVyDfrox7Ysjbfuo4TNwElHvKtnGVNbcQIGWiwyxHIZCjqCdF8LM8E1gCZgYSaRh3V48VMlOsfZ8RCRVjw=
                    </xenc:CipherValue>
                </xenc:CipherData>
                <xenc:ReferenceList>
                    <xenc:DataReference URI="#Id7870285788177789579"/>
                </xenc:ReferenceList>
            </xenc:EncryptedKey>
        </wsse:Security>
    </env:Header>
    <env:Body>
        <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
                            Id="Id7870285788177789579"
                            Type="http://www.w3.org/2001/04/xmlenc#Content">
            <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
            <xenc:CipherData>
                <xenc:CipherValue>
                    SL1G08+bGFaqEOefJWtBpOipgkvs8i7JWNwoGum5TOEyZkStSKav/lYygoC5/ji11rccnQWNq/Tg1eYX52UTalAS
                    ... large truncation for slides ...
                </xenc:CipherValue>
            </xenc:CipherData>
        </xenc:EncryptedData>
    </env:Body>
</env:Envelope>
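The message has two layers: the xenc:EncryptedKey in the header carries a fresh symmetric key wrapped with RSA-OAEP for the server's certificate (the BinarySecurityToken its KeyInfo points at), and its ReferenceList names the xenc:EncryptedData in the Body that this key decrypts; Type="...#Content" says only the Body's children were replaced, so the env:Body element itself survives. The Python script below is an added example, not code from the slides or XWS-Security, that checks that structure the way a RequireEncryption policy would: every DataReference resolves, every EncryptedData has a key, the certificate reference resolves, and the algorithms on both layers are checked against a policy. The policy sets are my assumptions: rsa-oaep-mgf1p is accepted, while tripledes-cbc (and the other CBC suites) are flagged because CBC mode provides confidentiality only and XML Encryption 1.1 added the AES-GCM identifiers for authenticated encryption.

```python
"""Structural and algorithm-policy checks on a WS-Security encrypted request.
Added example (not from the slides or XWS-Security); standard library only."""
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"
XENC11 = "http://www.w3.org/2009/xmlenc11#"
NS = {
    "env": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": XENC,
}
WSU_ID = "{%s}Id" % NS["wsu"]

# Assumed policy (mine, not an XWSS default): OAEP for key transport,
# AEAD for content; the CBC suites are reported as integrity-less.
KEY_TRANSPORT_OK = {XENC + "rsa-oaep-mgf1p", XENC11 + "rsa-oaep"}
CONTENT_OK = {XENC11 + "aes128-gcm", XENC11 + "aes256-gcm"}
CONTENT_CBC = {XENC + "tripledes-cbc", XENC + "aes128-cbc", XENC + "aes256-cbc"}

# Constructed sample modelled on the slide's encrypted request (cipher bytes shortened).
ENCRYPTED_REQUEST = """<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <env:Header>
    <wsse:Security env:mustUnderstand="1">
      <wsse:BinarySecurityToken wsu:Id="Id-6842673312555922560">MIIDWTCC...</wsse:BinarySecurityToken>
      <xenc:EncryptedKey>
        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
        <ds:KeyInfo>
          <wsse:SecurityTokenReference>
            <wsse:Reference URI="#Id-6842673312555922560"/>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
        <xenc:CipherData><xenc:CipherValue>KB79tvoF...</xenc:CipherValue></xenc:CipherData>
        <xenc:ReferenceList>
          <xenc:DataReference URI="#Id7870285788177789579"/>
        </xenc:ReferenceList>
      </xenc:EncryptedKey>
    </wsse:Security>
  </env:Header>
  <env:Body>
    <xenc:EncryptedData Id="Id7870285788177789579" Type="http://www.w3.org/2001/04/xmlenc#Content">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
      <xenc:CipherData><xenc:CipherValue>SL1G08+b...</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </env:Body>
</env:Envelope>"""


def _algorithm(element):
    method = element.find("xenc:EncryptionMethod", NS)
    return method.get("Algorithm") if method is not None else None


def check_encrypted_request(xml_text):
    """Return a list of findings; empty means the message meets the assumed policy."""
    root = ET.fromstring(xml_text)
    findings = []
    security = root.find("env:Header/wsse:Security", NS)
    if security is None:
        return ["no wsse:Security header"]
    tokens = {t.get(WSU_ID) for t in security.findall("wsse:BinarySecurityToken", NS)}
    # Every EncryptedData anywhere in the message, indexed by Id.
    enc_data = {e.get("Id"): e for e in root.iter("{%s}EncryptedData" % XENC)}
    referenced = set()

    for ek in security.findall("xenc:EncryptedKey", NS):
        # Layer 1: the content key, wrapped for a certificate carried in the header.
        alg = _algorithm(ek)
        if alg not in KEY_TRANSPORT_OK:
            findings.append("key transport algorithm not allowed: %s" % alg)
        ref = ek.find("ds:KeyInfo/wsse:SecurityTokenReference/wsse:Reference", NS)
        if ref is None or ref.get("URI", "").lstrip("#") not in tokens:
            findings.append("EncryptedKey does not reference a token in the header")
        for dr in ek.findall("xenc:ReferenceList/xenc:DataReference", NS):
            target = dr.get("URI", "").lstrip("#")
            if target not in enc_data:
                findings.append("DataReference %s does not resolve" % target)
            referenced.add(target)

    for ident, ed in enc_data.items():
        # Layer 2: the content, which is only decryptable if some EncryptedKey names it.
        if ident not in referenced:
            findings.append("EncryptedData %s has no EncryptedKey" % ident)
        alg = _algorithm(ed)
        if alg in CONTENT_CBC:
            findings.append("CBC content cipher has no integrity protection: %s" % alg)
        elif alg not in CONTENT_OK:
            findings.append("content cipher not allowed: %s" % alg)

    # RequireEncryption with no target: the Body's content must be one EncryptedData.
    body = root.find("env:Body", NS)
    if body is None or [c.tag for c in body] != ["{%s}EncryptedData" % XENC]:
        findings.append("Body content is not encrypted")
    return findings


if __name__ == "__main__":
    for finding in check_encrypted_request(ENCRYPTED_REQUEST):
        print(finding)
```

On the slide's message the only finding is the 3DES-CBC content cipher; breaking the DataReference URI shows both halves of the link check firing, because the dangling reference and the orphaned EncryptedData are reported separately.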
SOAP Response

<?xml version="1.0" encoding="UTF-8"?>
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"
              xmlns:enc="http://schemas.xmlsoap.org/soap/encoding/"
              xmlns:ns0="http://xmlsoap.org/Ping"
              xmlns:xsd="http://www.w3.org/2001/XMLSchema"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <env:Body>
        <ns0:PingResponse>
            <ns0:text>Hello! Mike!</ns0:text>
        </ns0:PingResponse>
    </env:Body>
</env:Envelope>
Tell the client to send a username/password

<xwss:JAXRPCSecurity xmlns:xwss="http://java.sun.com/xml/ns/xwss/config">
    <xwss:Service>
        <xwss:SecurityConfiguration dumpMessages="true">
            <!-- Default: Digested password will be sent. -->
            <xwss:UsernameToken name="Ron" password="noR"/>
        </xwss:SecurityConfiguration>
    </xwss:Service>
    <xwss:SecurityEnvironmentHandler>
        com.sun.xml.wss.sample.SecurityEnvironmentHandler
    </xwss:SecurityEnvironmentHandler>
</xwss:JAXRPCSecurity>
Username/Password Request

<?xml version="1.0" encoding="UTF-8"?>
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"
              xmlns:enc="http://schemas.xmlsoap.org/soap/encoding/"
              xmlns:ns0="http://xmlsoap.org/Ping"
              xmlns:xsd="http://www.w3.org/2001/XMLSchema"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <env:Header>
        <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                       env:mustUnderstand="1">
            <wsse:UsernameToken>
                <wsse:Username>Ron</wsse:Username>
                <wsse:Password>****</wsse:Password>
                <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">
                    yk/r/wJ0Ny/vbkm9OKpZwR6s
                </wsse:Nonce>
                <wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
                    2005-04-09T20:48:40Z
                </wsu:Created>
            </wsse:UsernameToken>
        </wsse:Security>
    </env:Header>
    <env:Body>
        <ns0:Ping>
            <ns0:ticket>SUNW</ns0:ticket>
            <ns0:text>Hello!</ns0:text>
        </ns0:Ping>
    </env:Body>
</env:Envelope>
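With the default "digested" setting the wsse:Password element (masked as **** by the dump filter) does not carry the password "noR" but, per the WS-Security UsernameToken Profile 1.0, Base64(SHA-1(nonce + created + password)) with the raw nonce bytes. That only helps if the receiver does three things: recompute the digest from its own copy of the password, accept a wsu:Created only inside a short window, and refuse a nonce it has already seen, since the token is otherwise valid for as long as it is kept. The Python below is an added example, not code from the slides or XWS-Security; the verifier class, its credential store, the five-minute window and the demo() function are my assumptions, while the nonce, Created value and the Ron/noR credentials are the slide's sample values.

```python
"""UsernameToken password digest as sent by the client, and the receiver-side
verification it requires. Added example (not from the slides or XWS-Security)."""
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

NONCE = "yk/r/wJ0Ny/vbkm9OKpZwR6s"   # nonce from the slide's request
CREATED = "2005-04-09T20:48:40Z"      # Created from the slide's request


def password_digest(nonce_b64, created, password):
    """UsernameToken Profile 1.0: Password_Digest = Base64(SHA-1(nonce + created + password)),
    where nonce is the decoded nonce and created is the literal wsu:Created text."""
    raw = base64.b64decode(nonce_b64) + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def _utc(text):
    return datetime.strptime(text.strip(), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


class UsernameTokenVerifier:
    """Receiver side. The digest is over the password itself, so the verifier needs
    the cleartext password (or an equivalent secret) for each user; a hashed
    password store cannot check this token type."""

    def __init__(self, passwords, freshness=timedelta(minutes=5)):
        self._passwords = passwords   # username -> password (constructed store)
        self._freshness = freshness
        self._seen = {}               # nonce -> moment after which it can be forgotten

    def verify(self, username, digest, nonce_b64, created, now):
        if isinstance(now, str):
            now = _utc(now)
        password = self._passwords.get(username)
        if password is None:
            return (False, "unknown user")
        # Freshness first: a stale token is refused before it reaches the replay
        # cache, so the cache only has to remember nonces from the freshness window.
        created_at = _utc(created)
        if abs(now - created_at) > self._freshness:
            return (False, "stale Created")
        self._forget_expired(now)
        if nonce_b64 in self._seen:
            return (False, "nonce replayed")
        expected = password_digest(nonce_b64, created, password)
        if not hmac.compare_digest(expected, digest):
            return (False, "digest mismatch")
        self._seen[nonce_b64] = created_at + self._freshness
        return (True, "ok")

    def _forget_expired(self, now):
        for nonce in [n for n, until in self._seen.items() if until < now]:
            del self._seen[nonce]


def demo():
    """Accept the slide's token once, then refuse the identical token again."""
    verifier = UsernameTokenVerifier({"Ron": "noR"})
    digest = password_digest(NONCE, CREATED, "noR")
    first = verifier.verify("Ron", digest, NONCE, CREATED, "2005-04-09T20:48:45Z")
    replay = verifier.verify("Ron", digest, NONCE, CREATED, "2005-04-09T20:48:50Z")
    return digest, first, replay


if __name__ == "__main__":
    print(demo())
```

The digest keeps the password off the wire, but it is a SHA-1 of a short secret with known salt values, so it does nothing against offline guessing of a weak password and is not a substitute for TLS; the nonce cache and the Created window are what stop a captured token from being reused.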
SOAP Response

<?xml version="1.0" encoding="UTF-8"?>
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"
              xmlns:enc="http://schemas.xmlsoap.org/soap/encoding/"
              xmlns:ns0="http://xmlsoap.org/Ping"
              xmlns:xsd="http://www.w3.org/2001/XMLSchema"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <env:Body>
        <ns0:PingResponse>
            <ns0:text>Hello! Mike!</ns0:text>
        </ns0:PingResponse>
    </env:Body>
</env:Envelope>