Applied Cryptography - PowerPoint PPT Presentation

Presentation Transcript
Applied Cryptography

Michael McCarthy

“SOAP is going to open up a whole new avenue for security vulnerabilities”

Bruce Schneier, June 2000

SSL Web Applications

  • Server Authentication

  • Client Authentication

  • Configuring Tomcat for SSL

  • Writing an SSL servlet for a browser

  • Writing an SSL JAXM servlet for a SOAP client

  • XML Key Management

SSL Overview

  • Performs secret key exchange like Diffie-Hellman

  • Data is encrypted with the exchanged key

  • Clients do not need to provide a certificate but may be required to by the server

  • Client authentication is typically done in the application layer

  • Servers must provide a certificate

  • Normally uses RSA

Writing a simple SSL Client

  • All SSL clients must have a truststore

  • If a client is to be verified by the server then the client needs a keystore as well as a truststore

  • The truststore

    • holds trusted certificates (signed public keys of CA’s)

    • is in the same format as a keystore

    • is an instance of Java’s KeyStore class

    • is used by the client to verify the certificate sent by the server

    • may be shared with others

Creating a Truststore

  • (1) Use keytool –genkey to create an RSA key pair

  • (2) Use keytool –export to generate a self-signed RSA certificate (holding no private key)

  • (3) Use keytool –import to place the certificate into a truststore

(1) Use keytool –genkey to create an RSA key pair

D:\McCarthy\www\95-804\examples\keystoreexamples>

keytool -genkey -alias mjm -keyalg RSA -keystore mjmkeystore

Enter keystore password: sesame

What is your first and last name?

[Unknown]: Michael McCarthy

What is the name of your organizational unit?

[Unknown]: Heinz School

What is the name of your organization?

[Unknown]: CMU

What is the name of your City or Locality?

[Unknown]: Pittsburgh

What is the name of your State or Province?

[Unknown]: PA

What is the two-letter country code for this unit?

[Unknown]: US

Is CN=Michael McCarthy, OU=Heinz School, O=CMU,

L=Pittsburgh, ST=PA, C=US correct?

[no]: yes

Enter key password for <mjm>

(RETURN if same as keystore password): <RT>

D:\McCarthy\www\95-804\examples\keystoreexamples>dir /w

Volume in drive D has no label.

Volume Serial Number is 486D-D392

Directory of D:\McCarthy\www\95-804\examples\keystoreexamples

[.] [..] mjmkeystore

(2) Use keytool –export to generate a self-signed RSA certificate (holding no private key)

D:\McCarthy\www\95-804\examples\keystoreexamples>

keytool -export -alias mjm -keystore mjmkeystore -file mjm.cer

Enter keystore password: sesame

Certificate stored in file <mjm.cer>

D:\McCarthy\www\95-804\examples\keystoreexamples>dir /w

Volume in drive D has no label.

Volume Serial Number is 486D-D392

Directory of D:\McCarthy\www\95-804\examples\keystoreexamples

[.] [..] mjm.cer mjmkeystore

(3) Use keytool –import to place the certificate into a truststore

D:\McCarthy\www\95-804\examples\keystoreexamples>

keytool -import -alias mjm -keystore mjm.truststore -file mjm.cer

Enter keystore password: sesame

Owner:

CN=Michael McCarthy, OU=Heinz School, O=CMU, L=Pittsburgh,

ST=PA, C=US

Issuer:

CN=Michael McCarthy, OU=Heinz School, O=CMU, L=Pittsburgh,

ST=PA, C=US

Serial number: 3e60f3ce

Valid from:

Sat Mar 01 12:54:22 EST 2003 until: Fri May 30 13:54:22 EDT 2003

Certificate fingerprints:

MD5:

80:F4:73:23:4C:B4:32:4C:5F:E0:8A:B1:4D:1E:A3:0D

SHA1:

19:06:31:54:72:ED:B8:D5:B3:CF:38:07:66:B5:78:1A:34:16:56:07

Trust this certificate? [no]: yes

Certificate was added to keystore

D:\McCarthy\www\95-804\examples\keystoreexamples>dir /w

Volume in drive D has no label.

Volume Serial Number is 486D-D392

Directory of D:\McCarthy\www\95-804\examples\keystoreexamples

[.] [..] mjm.cer mjm.truststore mjmkeystore

5 File(s) 2,615 bytes

mjmkeystore will be placed in the server’s directory

SSL will send the associated certificate to the client

mjm.truststore will be placed in the client’s directory
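The three keytool steps above, carried out with Java’s own KeyStore API instead of the command line. This is an added example, not code from the slides; it uses the slides’ file names, alias and password (mjmkeystore, mjm, sesame, mjm.cer, mjm.truststore) and also prints the SHA1 fingerprint that keytool shows at its "Trust this certificate?" prompt, so the value can be compared out-of-band before a certificate is trusted.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

// Added example (not from the slides): keytool -genkey / -export / -import
// done with java.security.KeyStore. Names and password are the slides' own.
public class MakeTruststore {

    // keytool prints this as "SHA1:" when it asks "Trust this certificate?"
    // (upper-case hex, colon separated); compare it out-of-band before answering yes
    static String sha1Fingerprint(Certificate c) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-1").digest(c.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < d.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", d[i]));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        char[] pass = "sesame".toCharArray();

        // (1) open the keystore that keytool -genkey created (alias mjm)
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream("mjmkeystore")) {
            ks.load(in, pass);
        }

        // (2) export only the certificate: this is all keytool -export writes,
        //     the private key never leaves mjmkeystore
        Certificate cert = ks.getCertificate("mjm");
        try (FileOutputStream out = new FileOutputStream("mjm.cer")) {
            out.write(cert.getEncoded());
        }

        // (3) import the certificate into a fresh truststore: same JKS format,
        //     but it holds a trusted certificate entry, not a key pair
        KeyStore ts = KeyStore.getInstance("JKS");
        ts.load(null, null);                         // start with an empty store
        X509Certificate x509;
        try (FileInputStream in = new FileInputStream("mjm.cer")) {
            x509 = (X509Certificate) CertificateFactory.getInstance("X.509")
                                                       .generateCertificate(in);
        }
        x509.checkValidity();   // do not trust an expired or not-yet-valid certificate
        System.out.println("Subject: " + x509.getSubjectX500Principal());
        System.out.println("SHA1:    " + sha1Fingerprint(x509));
        ts.setCertificateEntry("mjm", x509);
        try (FileOutputStream out = new FileOutputStream("mjm.truststore")) {
            ts.store(out, pass);
        }

        // the difference between the two files, as the slides describe it:
        // the keystore has a private key for mjm, the truststore does not
        System.out.println("keystore has key for mjm:   " + ks.isKeyEntry("mjm"));
        System.out.println("truststore has key for mjm: " + ts.isKeyEntry("mjm"));
    }
}
```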

File Organization

D:\McCarthy\www\95-804\examples\keystoreexamples>tree /f

Directory PATH listing

Volume serial number is 0012FC94 486D:D392

D:.
├───clientcode
│       mjm.truststore
│       Client.java
└───servercode
        mjmkeystore
        Server.java

Client.java

import java.io.*;
import java.net.*;
import javax.net.*;
import javax.net.ssl.*;

public class Client {

    public static void main(String args[]) {
        int port = 6502;
        try {
            // tell the system who we trust
            System.setProperty("javax.net.ssl.trustStore", "mjm.truststore");

            // get an SSLSocketFactory
            SocketFactory sf = SSLSocketFactory.getDefault();

            // an SSLSocket "is a" Socket
            Socket s = sf.createSocket("localhost", port);

            PrintWriter out = new PrintWriter(s.getOutputStream());
            BufferedReader in = new BufferedReader(
                                    new InputStreamReader(s.getInputStream()));

            out.write("Hello server\n");
            out.flush();

            String answer = in.readLine();
            System.out.println(answer);

            out.close();
            in.close();
        }
        catch(Exception e) {
            System.out.println("Exception thrown " + e);
        }
    }
}

Server.java

// Server side SSL

import java.io.*;
import java.net.*;
import javax.net.*;
import javax.net.ssl.*;
import java.security.*;

public class Server {

    // hold the name of the keystore containing public and private keys
    static String keyStore = "mjmkeystore";

    // password of the keystore (also the key password for alias mjm)
    static char keyStorePass[] = "sesame".toCharArray();

    public static void main(String args[]) {
        int port = 6502;
        try {
            // get the keystore into memory
            KeyStore ks = KeyStore.getInstance("JKS");
            ks.load(new FileInputStream(keyStore), keyStorePass);

            // initialize the key manager factory with the keystore data
            KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
            kmf.init(ks, keyStorePass);

            // initialize the SSLContext engine
            // may throw NoSuchProvider or NoSuchAlgorithm exception
            // TLS - Transport Layer Security most generic
            SSLContext sslContext = SSLContext.getInstance("TLS");

            // Initialize context with given KeyManagers, TrustManagers,
            // SecureRandom; defaults taken if null
            sslContext.init(kmf.getKeyManagers(), null, null);

            // Get ServerSocketFactory from the context object
            ServerSocketFactory ssf = sslContext.getServerSocketFactory();

            // Now like programming with normal server sockets
            ServerSocket serverSocket = ssf.createServerSocket(port);
            System.out.println("Accepting secure connections");

            Socket client = serverSocket.accept();
            System.out.println("Got connection");

            BufferedWriter out = new BufferedWriter(
                                     new OutputStreamWriter(client.getOutputStream()));
            BufferedReader in = new BufferedReader(
                                    new InputStreamReader(client.getInputStream()));

            String msg = in.readLine();
            System.out.println("Got message " + msg);

            out.write("Hello client\n");
            out.flush();

            in.close();
            out.close();
        }
        catch(Exception e) {
            System.out.println("Exception thrown " + e);
        }
    }
}

On the server

D:\McCarthy\www\95-804\examples\keystoreexamples\servercode>

java Server

Accepting secure connections

Got connection

Got message Hello server

On the client

D:\McCarthy\www\95-804\examples\keystoreexamples\clientcode>

java Client

Hello client

What we have so far…

The Client

  • Has a list of public keys it trusts in the file mjm.truststore

  • Has no public/private key pair of its own

The Server

  • Has no list of trusted public keys in a truststore

  • Has a public/private key pair of its own

For client authentication we need

  • (1) To generate a key pair for the client

  • (2) Extract a client certificate from the key pair

  • (3) Copy the certificate to the server

  • (4) Import this certificate into the server's truststore

  • (5) Have the server code trust the truststore

  • (6) Have the client code know about its own keys

(1) Generate a key pair for the client

D:\McCarthy\www\95-804\examples\keystoreexamples3\client>

keytool -genkey -alias mjmclient

-keyalg RSA -keystore mjmclientkeystore

Enter keystore password: sesame

What is your first and last name?

[Unknown]: Michael J. McCarthy

What is the name of your organizational unit?

[Unknown]: Heinz School

What is the name of your organization?

[Unknown]: CMU

What is the name of your City or Locality?

[Unknown]: Pittsburgh

What is the name of your State or Province?

[Unknown]: PA

What is the two-letter country code for this unit?

[Unknown]: US

Is CN=Michael J. McCarthy, OU=Heinz School,

O=CMU, L=Pittsburgh, ST=PA, C=US correct?

[no]: yes

Enter key password for <mjmclient>

(RETURN if same as keystore password):<RT>

Created mjmclientkeystore

(2) Extract a client certificate from the key pair

D:\McCarthy\www\95-804\examples\keystoreexamples3\client>

keytool -export -alias mjmclient -keystore mjmclientkeystore

-file mjmclient.cer

Enter keystore password: sesame

Certificate stored in file <mjmclient.cer>

Created mjmclient.cer

(3) Copy the certificate to the server

D:\McCarthy\www\95-804\examples\keystoreexamples3\server>dir

03/05/03 12:25p 602 mjmclient.cer

03/01/03 12:54p 1,363 mjmkeystore

03/05/03 01:49p 2,670 Server.class

03/05/03 01:48p 2,740 Server.java

(4) Import the certificate into the server's truststore

D:\McCarthy\www\95-804\examples\keystoreexamples3\server>

keytool -import -alias mjmclient -keystore mjmclient.trustore

-file mjmclient.cer

Enter keystore password: sesame

Owner: CN=Michael J. McCarthy, OU=Heinz School,

O=CMU, L=Pittsburgh, ST=PA, C=US

Issuer: CN=Michael J. McCarthy, OU=Heinz School,

O=CMU, L=Pittsburgh, ST=PA, C=US

Serial number: 3e663114

Valid from: Wed Mar 05 12:17:08 EST 2003 until:

Tue Jun 03 13:17:08 EDT 2003

Certificate fingerprints:

MD5: 8F:87:63:CD:0B:BD:FA:E7:21:7C:0C:B0:C2:CC:2C:14

SHA1: 4A:C8:ED:BB:1A:C4:B9:32:A5:37:03:2F:4C:A3:3C:34:A3:33:9B:C8

Trust this certificate? [no]: yes

Certificate was added to keystore

D:\McCarthy\www\95-804\examples\keystoreexamples3\server>dir

Volume in drive D has no label.

Volume Serial Number is 486D-D392

Directory of server

03/05/03 12:25p 602 mjmclient.cer

03/05/03 12:35p 668 mjmclient.trustore

03/01/03 12:54p 1,363 mjmkeystore

03/01/03 10:40p 2,942 Server.class

03/01/03 10:40p 3,798 Server.java

9 File(s) 18,184 bytes

(5) Have the server code trust the truststore

// Server side SSL

import java.io.*;
import java.net.*;
import javax.net.*;
import javax.net.ssl.*;
import java.security.*;

public class Server {

    // hold the name of the keystore containing public and private keys
    static String keyStore = "mjmkeystore";

    // password of the keystore (also the key password for alias mjm)
    static char keyStorePass[] = "sesame".toCharArray();

    public static void main(String args[]) {
        int port = 6502;
        try {
            // get the keystore into memory
            KeyStore ks = KeyStore.getInstance("JKS");
            ks.load(new FileInputStream(keyStore), keyStorePass);

            // initialize the key manager factory with the keystore data
            KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
            kmf.init(ks, keyStorePass);

            // tell the system who we trust: we trust the client's certificate
            // in mjmclient.truststore
            System.setProperty("javax.net.ssl.trustStore", "mjmclient.truststore");

            // initialize the SSLContext engine
            // may throw NoSuchProvider or NoSuchAlgorithm exception
            // TLS - Transport Layer Security most generic
            SSLContext sslContext = SSLContext.getInstance("TLS");

            // Initialize context with given KeyManagers, TrustManagers,
            // SecureRandom; defaults taken if null (the default TrustManager
            // reads the javax.net.ssl.trustStore property set above)
            sslContext.init(kmf.getKeyManagers(), null, null);

            // Get ServerSocketFactory from the context object
            ServerSocketFactory ssf = sslContext.getServerSocketFactory();

            // Now almost like programming with normal server sockets
            ServerSocket serverSocket = ssf.createServerSocket(port);

            // the handshake now fails unless the client presents a certificate we trust
            ((SSLServerSocket)serverSocket).setNeedClientAuth(true);
            System.out.println("Accepting secure connections");

            Socket client = serverSocket.accept();
            System.out.println("Got connection");

            PrintWriter out = new PrintWriter(client.getOutputStream(), true);
            BufferedReader in = new BufferedReader(
                                    new InputStreamReader(client.getInputStream()));

            String fromClient = in.readLine();
            System.out.println(fromClient);

            out.println("Hello client");
            out.flush();

            in.close();
            out.close();
            System.out.println("Data sent");
        }
        catch(Exception e) {
            System.out.println("Exception thrown " + e);
        }
    }
}

(6) Have the client code know about its own keys

import java.net.*;
import java.io.*;
import javax.net.ssl.*;
import java.security.KeyStore;

public class Client {

    public static void main(String args[]) {
        int port = 6502;

        // tell the system who we trust
        System.setProperty("javax.net.ssl.trustStore", "mjm.truststore");

        try {
            SSLSocketFactory factory = null;
            try {
                SSLContext ctx;
                KeyManagerFactory kmf;
                KeyStore ks;
                char[] passphrase = "sesame".toCharArray();

                ctx = SSLContext.getInstance("TLS");
                kmf = KeyManagerFactory.getInstance("SunX509");

                // load the client's own key pair so it can answer the
                // server's certificate request during the handshake
                ks = KeyStore.getInstance("JKS");
                ks.load(new FileInputStream("mjmclientkeystore"), passphrase);
                kmf.init(ks, passphrase);

                ctx.init(kmf.getKeyManagers(), null, null);
                factory = ctx.getSocketFactory();
            } catch (Exception e) { throw new IOException(e.getMessage()); }

            SSLSocket s = (SSLSocket)factory.createSocket("localhost", port);
            s.startHandshake();

            PrintWriter out = new PrintWriter(s.getOutputStream());
            BufferedReader in = new BufferedReader(
                                    new InputStreamReader(s.getInputStream()));

            out.write("Hello server\n");
            out.flush();

            String answer = in.readLine();
            System.out.println(answer);

            out.close();
            in.close();
        }
        catch(Exception e) {
            System.out.println("Exception thrown " + e);
        }
    }
}

Testing

D:…\server>

java Server

Accepting secure connections

Got connection

Hello server

Data sent

D:\…\client>java Client

Hello client
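The server in step (5) trusts the client through the javax.net.ssl.trustStore property and, as the SSL Overview slide says, leaves authentication of the client to the application layer. The following is an added example, not the slides’ Server.java: it passes the truststore to SSLContext.init() explicitly instead of through the system property, and after the handshake it reads the certificate the client proved it owns and uses the subject name in the application. File names and passwords are the ones from the slides.

```java
import java.io.*;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

// Added example (not the slides' Server.java): client-authenticating server
// with an explicit TrustManager and an application-layer check of the
// client's certificate. Names and password are the slides' own.
public class CheckingServer {

    static final String KEYSTORE   = "mjmkeystore";          // server key pair
    static final String TRUSTSTORE = "mjmclient.truststore"; // trusted client certs
    static final char[] PASS       = "sesame".toCharArray();

    static SSLContext buildContext() throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(KEYSTORE)) { ks.load(in, PASS); }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
        kmf.init(ks, PASS);

        KeyStore ts = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(TRUSTSTORE)) { ts.load(in, PASS); }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
        tmf.init(ts);

        SSLContext ctx = SSLContext.getInstance("TLS");
        // no nulls here: this context trusts exactly what is in mjmclient.truststore,
        // whatever javax.net.ssl.trustStore happens to be set to
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    // Application-layer step on top of SSL's client authentication: returns the
    // subject DN of the certificate the client proved it owns in the handshake.
    static String authenticatedClient(SSLSocket s) throws IOException {
        s.startHandshake();   // a client without a trusted certificate fails here
        try {
            Certificate[] chain = s.getSession().getPeerCertificates();
            X509Certificate leaf = (X509Certificate) chain[0];
            leaf.checkValidity();   // also refuse certificates outside their validity period
            return leaf.getSubjectX500Principal().getName();
        } catch (SSLPeerUnverifiedException | CertificateException e) {
            throw new IOException("client not authenticated: " + e);
        }
    }

    public static void main(String[] args) throws Exception {
        int port = 6502;
        SSLServerSocketFactory ssf = buildContext().getServerSocketFactory();
        try (SSLServerSocket serverSocket = (SSLServerSocket) ssf.createServerSocket(port)) {
            serverSocket.setNeedClientAuth(true);   // handshake fails without a client cert
            System.out.println("Accepting secure connections");
            while (true) {
                try (SSLSocket client = (SSLSocket) serverSocket.accept()) {
                    String who = authenticatedClient(client);
                    System.out.println("Got connection from " + who);
                    BufferedReader in = new BufferedReader(
                            new InputStreamReader(client.getInputStream()));
                    PrintWriter out = new PrintWriter(client.getOutputStream(), true);
                    System.out.println("Got message " + in.readLine());
                    out.println("Hello " + who);
                } catch (IOException e) {
                    // one rejected client must not take the server down
                    System.out.println("Rejected: " + e.getMessage());
                }
            }
        }
    }
}
```

Run it with the step (6) Client: the greeting now names the client from its certificate, and deleting the server’s truststore produces the same handshake failure shown on the next slides, logged as "Rejected" while the server keeps accepting.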

Testing after deleting the server’s truststore

D:…\server>java Server

Accepting secure connections

Got connection

Exception thrown javax.net.ssl.SSLHandshakeException:

Couldn't find trusted certificate

D:\…\client>java Client

Exception thrown javax.net.ssl.SSLHandshakeException:

Received fatal alert: certificate_unknown

Testing after deleting the client’s truststore

D:..\server>java Server

Accepting secure connections

Got connection

Exception thrown javax.net.ssl.SSLHandshakeException:

Received fatal alert: certificate_unknown

D:\…\client>java Client

Exception thrown javax.net.ssl.SSLHandshakeException:

Couldn't find trusted certificate

Configuring Tomcat for SSL

The web server needs a certificate so that the client can identify the server.

The certificate may be signed by a Certificate Authority or it may be self-signed.

The web server needs a private key as well.

D:\McCarthy\www\95-804\examples\SSLAndTomcat>

keytool -genkey -keyalg RSA -alias tomcat -keystore .keystore

Enter keystore password: sesame

What is your first and last name?

[Unknown]: localhost

What is the name of your organizational unit?

[Unknown]: Heinz School

What is the name of your organization?

[Unknown]: CMU

What is the name of your City or Locality?

[Unknown]: Pgh.

What is the name of your State or Province?

[Unknown]: PA

Generate public and private keys for Tomcat. The keystore file is called .keystore

What is the two-letter country code for this unit?

[Unknown]: US

Is CN=localhost, OU=Heinz School, O=CMU, L=Pgh.,

ST=PA, C=US correct?

[no]: yes

Enter key password for <tomcat>

(RETURN if same as keystore password):<RT>

D:\McCarthy\www\95-804\examples\SSLAndTomcat>

Use admin tool to tell Tomcat about SSL

  • (1) Startup Tomcat

  • (2) Run the admin server with http://localhost:8080/admin

  • (3) Log in with your user name and password

  • (4) Select Service (Java Web Service Developer Pack)

  • (5) Select Create New Connector from the drop down list in the right pane

  • (6) In the type field enter HTTPS

  • (7) In the port field enter 8443

  • (8) Enter complete path to your .keystore file

  • (9) Enter keystore password

  • (10) Select SAVE and then Commit Changes

Tell Tomcat about .keystore

Testing

Shutdown Tomcat.

Visit Tomcat from a browser. Use https://localhost:8443/

You can also visit your other installed web apps through https.

Protecting A Servlet

The servlet should test the protocol to ensure that it is being accessed through https.

A simple servlet that takes votes over SSL…

VoterServlet.java

// VoterServlet.java -- Handle the voting form sent by index.html

import java.io.*;
import javax.servlet.*;
import javax.servlet.http.*;

public class VoterServlet extends HttpServlet {

    public void doPost(HttpServletRequest req, HttpServletResponse response)
                       throws ServletException, IOException {
        doGet(req, response);
    }

    public void doGet(HttpServletRequest req, HttpServletResponse response)
                      throws ServletException, IOException {
        // only answer when the request came in over https
        String scheme = req.getScheme();
        if(scheme.equals("https")) {
            String newPresident = req.getParameter("president");
            System.out.println("Got Connection");
            response.setContentType("text/html");
            PrintWriter out = response.getWriter();
            String docType =
                "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.0 ";
            docType += "Transitional//EN\">\n";
            // newPresident is echoed into the page as received; HTML-escape
            // request parameters before echoing them in anything beyond a demo
            out.println(docType +
                        "<HTML>\n" +
                        "<HEAD><TITLE>Presidential Servlet" +
                        "</TITLE></HEAD>\n" +
                        "<BODY>\n" +
                        "<H1>The new president is " +
                        newPresident + "</H1>\n" +
                        "</BODY></HTML>");
        }
    }
}
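VoterServlet tests req.getScheme() itself and silently returns nothing when the check fails. The following added example (not code from the slides) moves that check into a servlet Filter mapped to /*, so every servlet in the web app is protected and a plain-http request gets an explicit 403; it also shows how a servlet reads the client certificate that Tomcat exposes once it has been told to authenticate clients, as in the later Client Authentication slides. It assumes a Servlet 2.3 container (Tomcat 4 in the JWSDP is one) and a web.xml that declares the 2.3 DTD, which the filter elements need.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example (not the slides' code): enforce https for a whole web app
// with a Filter instead of a getScheme() test in each servlet.
//
// web.xml additions (requires the Servlet 2.3 DTD, not the 2.2 one shown on
// the Web.xml slide):
//   <filter>
//     <filter-name>RequireHttps</filter-name>
//     <filter-class>RequireHttpsFilter</filter-class>
//   </filter>
//   <filter-mapping>
//     <filter-name>RequireHttps</filter-name>
//     <url-pattern>/*</url-pattern>
//   </filter-mapping>
public class RequireHttpsFilter implements Filter {

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    // isSecure() is set by the container from the connector the request
    // arrived on (the HTTPS connector created with the admin tool), not from
    // anything the client sends; getScheme() is the test VoterServlet uses
    static boolean isHttps(HttpServletRequest req) {
        return req.isSecure() && "https".equals(req.getScheme());
    }

    // When Tomcat is told to authenticate clients, the verified client chain is
    // exposed under this standard servlet attribute; null means the client
    // presented no certificate. Returns the subject DN of the client's certificate.
    static String clientSubject(HttpServletRequest req) {
        X509Certificate[] chain = (X509Certificate[])
                req.getAttribute("javax.servlet.request.X509Certificate");
        if (chain == null || chain.length == 0) {
            return null;
        }
        return chain[0].getSubjectX500Principal().getName();
    }

    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        if (!isHttps(req)) {
            // refuse rather than redirect: a vote sent over plain http has
            // already been exposed, and a redirect would quietly resubmit it
            resp.sendError(HttpServletResponse.SC_FORBIDDEN,
                           "This resource must be accessed over https");
            return;
        }
        String who = clientSubject(req);
        if (who != null) {
            // make the authenticated identity available to the servlets behind us
            req.setAttribute("voter.subject", who);
        }
        chain.doFilter(request, response);
    }
}
```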

index.html

<html>
<head>
<title>Democracy</title>
</head>
<body BGCOLOR="WHITE">
<form action="https://localhost:8443/VoteServlet/VoterServlet/">
<dl>
<dt> Please Vote </dt>
<dd><Input type = "Radio" name = "president" value = "Bush">
    <b>George W. Bush</b>
<dd><Input type = "Radio" name = "president" value = "Gore"> Al Gore
<dd><Input type = "Radio" name = "president" value = "Buchanan"> Pat Buchanan
<dd><Input type = "Radio" name = "president" value = "Nader"> Ralph Nader
<p> <input type = "submit">
</dl>
</form>
</body>
</html>

File Organization

D:\MCCARTHY\WWW\95-804\EXAMPLES\PRESIDENT
│   build.properties            build.properties contains app.path=/VoteServlet
│   build.xml                   holds ant program
├───build                       build directory created by ant compile
│   │   index.html              the html file asking for a vote
│   │
│   └───WEB-INF
│       │   web.xml             deployment descriptor
│       │
│       ├───classes
│       │       VoterServlet.class   the compiled servlet
│       │
│       └───lib
├───src                         src directory holds servlet
│       VoterServlet.java       servlet
└───web
    │   index.html              the html file asking for vote
    └───WEB-INF
        │   web.xml             the deployment descriptor that maps a URL pattern to the servlet
        └───classes

Web.xml deployment descriptor

D:\McCarthy\www\95-804\examples\president\web\WEB-INF>type web.xml

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app
    PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
    "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">

<web-app>
    <servlet>
        <servlet-name>VoteForPres</servlet-name>
        <servlet-class>VoterServlet</servlet-class>
        <load-on-startup/>
    </servlet>

    <servlet-mapping>
        <servlet-name>VoteForPres</servlet-name>
        <url-pattern>/VoterServlet/*</url-pattern>
    </servlet-mapping>
</web-app>

Build.properties

D:\McCarthy\www\95-804\examples\president>type build.properties

# Context path to install this application on
app.path=/VoteServlet

# Tomcat 4 installation directory
catalina.home=d:/jwsdp-1_0_01

# Established when installing the JWSDP
# (required and case sensitive)
manager.username=XXXXXX
manager.password=XXXXXX

Send Vote With SOAP over HTTPS (Server Authentication)

  • Use Java API for XML Messaging (JAXM)

  • Work with a new kind of servlet: the input is a SOAP message and the output is a SOAP message

  • Tomcat has a keystore (.keystore) that sends certificates self-signed by localhost

  • The client trusts certificates signed by localhost

Note

There may be several copies of the file java.security on your system. Make sure they all contain the line:

security.provider.n=com.sun.net.ssl.internal.ssl.Provider

Output First

Server Side

D:..\examples\SOAPAndSSL\server>shutdown

D:..\examples\SOAPAndSSL\server>startup

D:..\examples\SOAPAndSSL\server>ant install

Buildfile: build.xml

prepare:

compile:

install:

[install] OK - Installed application at context path /Vote

[install]

BUILD SUCCESSFUL

Total time: 1 minute 33 seconds

D:\McCarthy\www\95-804\examples\SOAPAndSSL\server>

Output First – SOAP Client

Client Side

D:..\examples\SOAPAndSSL\client>java VotingClient Nixon

Sending the following message

<?xml version="1.0" encoding="UTF-8"?>

<soap-env:Envelope

xmlns:soap-env=

"http://schemas.xmlsoap.org/soap/envelope/">

<soap-env:Header/>

<soap-env:Body>Nixon

</soap-env:Body>

</soap-env:Envelope>


Got back the following response

<?xml version="1.0" encoding="UTF-8"?>

<soap-env:Envelope

xmlns:soap-env=

"http://schemas.xmlsoap.org/soap/envelope/">

<soap-env:Header/>

<soap-env:Body>Vote for Nixon accepted

</soap-env:Body>

</soap-env:Envelope>

The result is Vote for Nixon accepted

D:..\examples\SOAPAndSSL\client>

A SOAP Client Using SSL

// VotingClient.java

// for wrapping a SOAP document
import javax.xml.soap.*;
// for sending the SOAP document
import javax.xml.messaging.*;
// Standard Java imports
import java.io.*;
import java.util.Iterator;

public class VotingClient {

    // Establish a connection and a message factory
    private SOAPConnectionFactory soapConnectionFactory;
    private MessageFactory messageFactory;

    public VotingClient() throws SOAPException {
        // get connection factory
        soapConnectionFactory = SOAPConnectionFactory.newInstance();
        // get a message factory
        messageFactory = MessageFactory.newInstance();
        // set system property to point to our provider (the https URL handler)
        System.setProperty("java.protocol.handler.pkgs",
                           "com.sun.net.ssl.internal.www.protocol");
    }

    public String castVote(String candidate) throws IOException, SOAPException {
        // invoke web service
        SOAPMessage result = sendInVote(candidate);
        return handleResult(result);
    }

    private SOAPMessage sendInVote(String candidate) {
        SOAPMessage soapResponse = null;
        try {
            // get a SOAPConnection from the factory
            SOAPConnection soapConnection = soapConnectionFactory.createConnection();
            // get a SOAPMessage from the factory
            SOAPMessage soapRequest = messageFactory.createMessage();

            // Establish the truststore of who this client trusts
            System.setProperty("javax.net.ssl.trustStore", "tomcat.truststore");

            // establish a url endpoint for the SSL request
            URLEndpoint urlEndpoint = new URLEndpoint(
                                          "https://localhost:8443/Vote/VotingServlet");

            // place a vote in the SOAP body
            SOAPPart sp = soapRequest.getSOAPPart();
            SOAPEnvelope se = sp.getEnvelope();
            SOAPBody sb = se.getBody();
            SOAPHeader sh = se.getHeader();
            sb.addTextNode(candidate);

            System.out.println("Sending the following message");
            soapRequest.writeTo(System.out);

            // the call goes out over https; the server certificate is checked
            // against tomcat.truststore
            soapResponse = soapConnection.call(soapRequest, urlEndpoint);

            System.out.println("Got back the following response");
            soapResponse.writeTo(System.out);

            soapConnection.close();
        }
        catch(SOAPException se) {
            System.out.println("I found the SOAP exception" + se);
        }
        catch(IOException ioe) {
            System.out.println("IO Exception thrown");
        }
        return soapResponse;
    }

    private String handleResult(SOAPMessage fromVotingServlet) throws SOAPException {
        Text value;
        try {
            SOAPPart sr = fromVotingServlet.getSOAPPart();
            SOAPEnvelope sre = sr.getEnvelope();
            SOAPBody srb = sre.getBody();
            SOAPHeader srh = sre.getHeader();
            Iterator iter = srb.getChildElements();
            value = (Text)iter.next();
        }
        catch(Exception er) {
            System.out.println("Exception in handleResult()" + er);
            return null;
        }
        return (String)(value.getValue());
    }

    public static void main(String a[]) throws Exception {
        VotingClient vc = new VotingClient();
        String result = vc.castVote(a[0]);
        System.out.println("The result is " + result);
    }
}

SOAP Servlet Using SSL

// JAXM servlet VotingServlet.java
// Takes a vote from the SOAP body and returns a SOAP response
// to the client

import java.util.Iterator;
import javax.servlet.*;
import javax.xml.messaging.*;
import javax.xml.soap.*;

public class VotingServlet extends JAXMServlet implements ReqRespListener {

    // we need to create a return message
    private MessageFactory messageFactory;

    // onMessage hit on each visit
    public SOAPMessage onMessage(SOAPMessage messageIn) {
        try {
            // read data from input message
            SOAPPart inSoapPart = messageIn.getSOAPPart();
            SOAPEnvelope inSoapEnvelope = inSoapPart.getEnvelope();
            SOAPBody inSoapBody = inSoapEnvelope.getBody();
            Iterator it = inSoapBody.getChildElements();
            Text content = (Text)it.next();
            System.out.println("Collected vote for " + content.getValue());

            // Build SOAP response
            messageFactory = MessageFactory.newInstance();
            SOAPMessage messageOut = messageFactory.createMessage();
            SOAPPart soapPart = messageOut.getSOAPPart();
            SOAPEnvelope soapEnvelope = soapPart.getEnvelope();
            SOAPBody soapBody = soapEnvelope.getBody();
            soapBody.addTextNode("Vote for " + content.getValue() + " accepted");
            return messageOut;
        }
        catch(NullPointerException np) {
            System.out.println("Null pointer all bets are off");
            return null;
        }
        catch(SOAPException s) {
            System.out.println("Voting Servlet SOAP Exception");
            return null;
        }
        catch(Exception e) {
            System.out.println("exception " + e);
            return null;
        }
    }
}

Send Vote With SOAP over HTTPS (Client & Server Authentication)

What we have so far:

  • SOAP Client: has a truststore but no keys of its own

  • SOAP Server: has a file called .keystore holding keys

We need to:

  • give the client some keys

  • set the server to trust those keys

Client Authentication

  • (1) Generate a key set for the client

  • (2) Generate a certificate from the keys

  • (3) Place the certificate in the server’s keystore

  • (4) Tell Tomcat to authenticate clients

  • (5) Tell the client to load its keys for SSL

(1) Generate a key set for the client

D:..\examples\SOAPAndSSL\client>

keytool -genkey -alias mjm -keyalg RSA -storepass sesame

-keystore client.keystore

What is your first and last name?

[Unknown]: Michael McCarthy

What is the name of your organizational unit?

[Unknown]: Heinz School

What is the name of your organization?

[Unknown]: CMU

What is the name of your City or Locality?

[Unknown]: Pittsburgh


What is the name of your State or Province?

[Unknown]: PA

What is the two-letter country code for this unit?

[Unknown]: US

Is CN=Michael McCarthy, OU=Heinz School, O=CMU,

L=Pittsburgh, ST=PA, C=US correct?

[no]: yes

Enter key password for <mjm>

(RETURN if same as keystore password): <RT>

(2) Generate a certificate from the keys

D:..\examples\SOAPAndSSL\client>

keytool -export -alias mjm -storepass sesame -file client.cer

-keystore client.keystore

Certificate stored in file <client.cer>

D:..\examples\SOAPAndSSL\client>

(3) Place the client’s certificate into the server’s keystore

  • Copy client.cer over to the server

  • Add client.cer to the server’s keystore

D:..\examples\SSLAndTomcat>

keytool -import -v -trustcacerts -alias mjmservercert

-file client.cer -keystore .keystore -storepass sesame

Owner: CN=Michael McCarthy, OU=Heinz School,

O=CMU, L=Pittsburgh, ST=PA, C=US

Issuer: CN=Michael McCarthy, OU=Heinz School,

O=CMU, L=Pittsburgh, ST=PA, C=US

Serial number: 3e7396d6


Valid from: Sat Mar 15 16:10:46 EST 2003

until: Fri Jun 13 17:10:46 EDT 2003

Certificate fingerprints:

MD5: CB:49:42:25:DC:FF:B8:0C:02:0F:31:29:B4:E8:B1:00

SHA1: D8:8E:AA:B6:55:17:39:1B:CF:14:24:A9:0E:65:E4:29:52:30:4C:E4

Trust this certificate? [no]: y

Certificate was added to keystore

[Saving .keystore]

D:..\examples\SSLAndTomcat>

(4) Tell Tomcat to authenticate clients

[Admin tool screenshot: Client authentication setting; Server’s keystore]

(5) Tell the client to load its keys for SSL

//Almost the same client as before…

public VotingClient() throws SOAPException {
    // get connection factory
    soapConnectionFactory = SOAPConnectionFactory.newInstance();
    // get a message factory
    messageFactory = MessageFactory.newInstance();

But with the following

    // use Sun's reference implementation of a URL handler for
    // the https protocol
    System.setProperty("java.protocol.handler.pkgs",
                       "com.sun.net.ssl.internal.www.protocol");

    // Establish the truststore of who this client trusts
    System.setProperty("javax.net.ssl.trustStore", "tomcat.truststore");

    // Establish the keystore of this client
    System.setProperty("javax.net.ssl.keyStore", "client.keystore");
    System.setProperty("javax.net.ssl.keyStorePassword", "sesame");

    // dynamically register SUN's SSL provider
    Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
}


XML Key Management Specification (XKMS)

[Diagram: the XKMS PKI host holds keys, certificates and a certificate revocation list and offers two SOAP services to a Signer and a Verifier; the signed document itself also travels as SOAP]

  • X-KRSS, XML Key Registration Service Specification: Register key, Revoke Certificate, Recover Key

  • X-KISS, XML Key Information Service Specification: Verify signature

  • Signer generates key pair or requests the pair from the PKI host

  • Key registration request

  • Certificate sent to Signer

  • Signed document sent to Verifier

  • Verifier requests certificate from PKI host

  • Key and certificate sent to Verifier

  • The Signer may request that a certificate be revoked

  • The Signer may request copy of lost keys
