Applied Cryptography - PowerPoint PPT Presentation
PowerPoint Slideshow about 'Applied Cryptography' - bayle
Presentation Transcript
Applied Cryptography

Michael McCarthy

“SOAP is going to open up a whole new avenue for security vulnerabilities”
Bruce Schneier, June 2000

SSL Web Applications
  • Server Authentication
  • Client Authentication
  • Configuring Tomcat for SSL
  • Writing a SSL servlet for a browser
  • Writing a SSL JAXM servlet for a SOAP client
  • XML Key Management

SSL Overview
  • Performs secret key exchange like Diffie-Hellman
  • Data is encrypted with the exchanged key
  • Clients do not need to provide a certificate but may be required to by the server
  • Client authentication is typically done in the application layer
  • Servers must provide a certificate
  • Normally uses RSA

Writing a simple SSL Client
  • All SSL clients must have a truststore
  • If a client is to be verified by the server then the client needs a keystore as well as a truststore
  • The truststore
    • holds trusted certificates (signed public keys of CAs)
    • is in the same format as a keystore
    • is an instance of Java’s KeyStore class
    • is used by the client to verify the certificate sent by the server
    • may be shared with others

Creating a Truststore
  • (1) Use keytool –genkey to create an RSA key pair
  • (2) Use keytool –export to generate a self-signed RSA certificate (holding no private key)
  • (3) Use keytool –import to place the certificate into a truststore

(1) Use keytool –genkey to create an RSA key pair

    D:\McCarthy\www\95-804\examples\keystoreexamples>
    keytool -genkey -alias mjm -keyalg RSA -keystore mjmkeystore
    Enter keystore password: sesame
    What is your first and last name?
    [Unknown]: Michael McCarthy
    What is the name of your organizational unit?
    [Unknown]: Heinz School
    What is the name of your organization?
    [Unknown]: CMU
    What is the name of your City or Locality?
    [Unknown]: Pittsburgh
    What is the name of your State or Province?
    [Unknown]: PA
    What is the two-letter country code for this unit?
    [Unknown]: US
    Is CN=Michael McCarthy, OU=Heinz School, O=CMU, L=Pittsburgh, ST=PA, C=US correct?
    [no]: yes
    Enter key password for <mjm>
    (RETURN if same as keystore password): <RT>

    D:\McCarthy\www\95-804\examples\keystoreexamples>dir /w
    Volume in drive D has no label.
    Volume Serial Number is 486D-D392
    Directory of D:\McCarthy\www\95-804\examples\keystoreexamples
    [.] [..] mjmkeystore

(2) Use keytool –export to generate a self-signed RSA certificate (holding no private key)

    D:\McCarthy\www\95-804\examples\keystoreexamples>
    keytool -export -alias mjm -keystore mjmkeystore -file mjm.cer
    Enter keystore password: sesame
    Certificate stored in file <mjm.cer>

    D:\McCarthy\www\95-804\examples\keystoreexamples>dir /w
    Volume in drive D has no label.
    Volume Serial Number is 486D-D392
    Directory of D:\McCarthy\www\95-804\examples\keystoreexamples
    [.] [..] mjm.cer mjmkeystore

(3) Use keytool –import to place the certificate into a truststore

    D:\McCarthy\www\95-804\examples\keystoreexamples>
    keytool -import -alias mjm -keystore mjm.truststore -file mjm.cer
    Enter keystore password: sesame
    Owner: CN=Michael McCarthy, OU=Heinz School, O=CMU, L=Pittsburgh, ST=PA, C=US
    Issuer: CN=Michael McCarthy, OU=Heinz School, O=CMU, L=Pittsburgh, ST=PA, C=US
    Serial number: 3e60f3ce
    Valid from: Sat Mar 01 12:54:22 EST 2003 until: Fri May 30 13:54:22 EDT 2003
    Certificate fingerprints:
    MD5:  80:F4:73:23:4C:B4:32:4C:5F:E0:8A:B1:4D:1E:A3:0D
    SHA1: 19:06:31:54:72:ED:B8:D5:B3:CF:38:07:66:B5:78:1A:34:16:56:07
    Trust this certificate? [no]: yes
    Certificate was added to keystore

    D:\McCarthy\www\95-804\examples\keystoreexamples>dir /w
    Volume in drive D has no label.
    Volume Serial Number is 486D-D392
    Directory of D:\McCarthy\www\95-804\examples\keystoreexamples
    [.] [..] mjm.cer mjm.truststore mjmkeystore
    5 File(s) 2,615 bytes

mjmkeystore will be placed in the server’s directory. SSL will send the associated certificate to the client.

mjm.truststore will be placed in the client’s directory.
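A keystore and a truststore are the same KeyStore format, so the same code can open either and show what it actually contains. The program below is an added example (not part of the lecture) that loads a JKS file produced by the keytool steps above, lists every entry, tells key entries (server side) apart from trusted certificates (truststore), and prints the SHA-1 fingerprint keytool showed at import time, plus a SHA-256 fingerprint, together with whether the certificate is inside its validity window. File name and password come from the command line (the lecture's values would be mjm.truststore and sesame); the JKS store type is assumed, as in the lecture.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;

// Added example, not the lecture's code: inspect a keytool-created JKS keystore or truststore.
public class KeyStoreInspector {

    /** Summary of one entry in the store. */
    public static final class EntrySummary {
        public final String alias;
        public final boolean hasPrivateKey;   // key entry (server keystore) vs. trusted cert only (truststore)
        public final String subject;
        public final String issuer;
        public final String sha1Fingerprint;  // what the 2003-era keytool printed as "SHA1:"
        public final String sha256Fingerprint;
        public final boolean currentlyValid;

        EntrySummary(String alias, boolean hasPrivateKey, X509Certificate cert)
                throws GeneralSecurityException {
            this.alias = alias;
            this.hasPrivateKey = hasPrivateKey;
            this.subject = cert.getSubjectX500Principal().getName();
            this.issuer = cert.getIssuerX500Principal().getName();
            this.sha1Fingerprint = fingerprint(cert, "SHA-1");
            this.sha256Fingerprint = fingerprint(cert, "SHA-256");
            boolean valid;
            try {
                cert.checkValidity();   // throws when now is outside notBefore..notAfter
                valid = true;
            } catch (CertificateExpiredException | CertificateNotYetValidException e) {
                valid = false;
            }
            this.currentlyValid = valid;
        }
    }

    /** Colon-separated upper-case hex digest of the DER encoding, the format keytool prints. */
    public static String fingerprint(Certificate cert, String algorithm)
            throws GeneralSecurityException {
        byte[] digest = MessageDigest.getInstance(algorithm).digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", digest[i]));
        }
        return sb.toString();
    }

    /** Load the store and summarise every X.509 entry in it. */
    public static List<EntrySummary> inspect(String path, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);    // the password also checks the store's integrity MAC
        }
        List<EntrySummary> out = new ArrayList<>();
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            Certificate cert = ks.getCertificate(alias);   // for a key entry: first cert of its chain
            if (cert instanceof X509Certificate) {
                out.add(new EntrySummary(alias, ks.isKeyEntry(alias), (X509Certificate) cert));
            }
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: java KeyStoreInspector <keystore-or-truststore> <password>");
            System.exit(2);
        }
        for (EntrySummary e : inspect(args[0], args[1].toCharArray())) {
            System.out.println("alias:     " + e.alias
                    + (e.hasPrivateKey ? "  (has private key)" : "  (trusted certificate only)"));
            System.out.println("subject:   " + e.subject);
            System.out.println("issuer:    " + e.issuer);
            System.out.println("SHA1:      " + e.sha1Fingerprint);
            System.out.println("SHA256:    " + e.sha256Fingerprint);
            System.out.println("valid now: " + e.currentlyValid);
            System.out.println();
        }
    }
}
```

Run it against mjmkeystore to confirm the entry has a private key, and against mjm.truststore to confirm the same certificate is present there without one; the SHA1 line should match the fingerprint keytool printed when the certificate was imported. The lecture's certificates expire after 90 days, so the "valid now" line is the quickest explanation when a handshake that used to work suddenly fails.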

File Organization

    D:\McCarthy\www\95-804\examples\keystoreexamples>tree /f
    Directory PATH listing
    Volume serial number is 0012FC94 486D:D392
    D:.
    ├───clientcode
    │       mjm.truststore
    │       Client.java
    └───servercode
            mjmkeystore
            Server.java

Client.java

    import java.io.*;
    import javax.net.ssl.*;
    import java.net.*;
    import javax.net.*;

    public class Client {
        public static void main(String args[]) {
            int port = 6502;
            try {
                // tell the system who we trust
                System.setProperty("javax.net.ssl.trustStore", "mjm.truststore");
                // get an SSLSocketFactory
                SocketFactory sf = SSLSocketFactory.getDefault();
                // an SSLSocket "is a" Socket
                Socket s = sf.createSocket("localhost", port);
                PrintWriter out = new PrintWriter(s.getOutputStream());
                BufferedReader in = new BufferedReader(
                        new InputStreamReader(s.getInputStream()));
                out.write("Hello server\n");
                out.flush();
                String answer = in.readLine();
                System.out.println(answer);
                out.close();
                in.close();
            }
            catch (Exception e) {
                System.out.println("Exception thrown " + e);
            }
        }
    }

Server.java

    // Server side SSL
    import java.io.*;
    import java.net.*;
    import javax.net.*;
    import javax.net.ssl.*;
    import java.security.*;

    public class Server {
        // hold the name of the keystore containing public and private keys
        static String keyStore = "mjmkeystore";
        // password of the keystore
        static char keyStorePass[] = "sesame".toCharArray();

        public static void main(String args[]) {
            int port = 6502;
            try {
                // get the keystore into memory
                KeyStore ks = KeyStore.getInstance("JKS");
                ks.load(new FileInputStream(keyStore), keyStorePass);
                // initialize the key manager factory with the keystore data
                KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
                kmf.init(ks, keyStorePass);
                // initialize the SSLContext engine
                // may throw NoSuchProvider or NoSuchAlgorithm exception
                // TLS - Transport Layer Security most generic
                SSLContext sslContext = SSLContext.getInstance("TLS");
                // Initialize context with given KeyManagers, TrustManagers,
                // SecureRandom; defaults taken if null
                sslContext.init(kmf.getKeyManagers(), null, null);
                // Get ServerSocketFactory from the context object
                ServerSocketFactory ssf = sslContext.getServerSocketFactory();
                // Now like programming with normal server sockets
                ServerSocket serverSocket = ssf.createServerSocket(port);
                System.out.println("Accepting secure connections");
                Socket client = serverSocket.accept();
                System.out.println("Got connection");
                BufferedWriter out = new BufferedWriter(
                        new OutputStreamWriter(client.getOutputStream()));
                BufferedReader in = new BufferedReader(
                        new InputStreamReader(client.getInputStream()));
                String msg = in.readLine();
                System.out.println("Got message " + msg);
                out.write("Hello client\n");
                out.flush();
                in.close();
                out.close();
            }
            catch (Exception e) {
                System.out.println("Exception thrown " + e);
            }
        }
    }

On the server

    D:\McCarthy\www\95-804\examples\keystoreexamples\servercode>java Server
    Accepting secure connections
    Got connection
    Got message Hello server

On the client

    D:\McCarthy\www\95-804\examples\keystoreexamples\clientcode>java Client
    Hello client

What we have so far…

The Client has a list of public keys it trusts in the file mjm.truststore, and has no public/private key pair of its own.

The Server has no list of trusted public keys in a truststore, and has a public/private key pair of its own.

For client authentication we need
  • (1) To generate a key pair for the client
  • (2) Extract a client certificate from the key pair
  • (3) Copy the certificate to the server
  • (4) Import this certificate into the server’s truststore
  • (5) Have the server code trust the truststore
  • (6) Have the client code know about its own keys

(1) Generate a key pair for the client

    D:\McCarthy\www\95-804\examples\keystoreexamples3\client>
    keytool -genkey -alias mjmclient -keyalg RSA -keystore mjmclientkeystore
    Enter keystore password: sesame
    What is your first and last name?
    [Unknown]: Michael J. McCarthy
    What is the name of your organizational unit?
    [Unknown]: Heinz School
    What is the name of your organization?
    [Unknown]: CMU
    What is the name of your City or Locality?
    [Unknown]: Pittsburgh
    What is the name of your State or Province?
    [Unknown]: PA
    What is the two-letter country code for this unit?
    [Unknown]: US
    Is CN=Michael J. McCarthy, OU=Heinz School, O=CMU, L=Pittsburgh, ST=PA, C=US correct?
    [no]: yes
    Enter key password for <mjmclient>
    (RETURN if same as keystore password): <RT>

Created mjmclientkeystore

(2) Extract a client certificate from the key pair

    D:\McCarthy\www\95-804\examples\keystoreexamples3\client>
    keytool -export -alias mjmclient -keystore mjmclientkeystore -file mjmclient.cer
    Enter keystore password: sesame
    Certificate stored in file <mjmclient.cer>

Created mjmclient.cer

(3) Copy the certificate to the server

    D:\McCarthy\www\95-804\examples\keystoreexamples3\server>dir
    03/05/03  12:25p        602 mjmclient.cer
    03/01/03  12:54p      1,363 mjmkeystore
    03/05/03  01:49p      2,670 Server.class
    03/05/03  01:48p      2,740 Server.java

(4) Import the certificate into the server’s truststore

    D:\McCarthy\www\95-804\examples\keystoreexamples3\server>
    keytool -import -alias mjmclient -keystore mjmclient.trustore -file mjmclient.cer
    Enter keystore password: sesame
    Owner: CN=Michael J. McCarthy, OU=Heinz School, O=CMU, L=Pittsburgh, ST=PA, C=US
    Issuer: CN=Michael J. McCarthy, OU=Heinz School, O=CMU, L=Pittsburgh, ST=PA, C=US
    Serial number: 3e663114
    Valid from: Wed Mar 05 12:17:08 EST 2003 until: Tue Jun 03 13:17:08 EDT 2003
    Certificate fingerprints:
    MD5:  8F:87:63:CD:0B:BD:FA:E7:21:7C:0C:B0:C2:CC:2C:14
    SHA1: 4A:C8:ED:BB:1A:C4:B9:32:A5:37:03:2F:4C:A3:3C:34:A3:33:9B:C8
    Trust this certificate? [no]: yes
    Certificate was added to keystore

    D:\McCarthy\www\95-804\examples\keystoreexamples3\server>dir
    Volume in drive D has no label.
    Volume Serial Number is 486D-D392
    Directory of server
    03/05/03  12:25p        602 mjmclient.cer
    03/05/03  12:35p        668 mjmclient.trustore
    03/01/03  12:54p      1,363 mjmkeystore
    03/01/03  10:40p      2,942 Server.class
    03/01/03  10:40p      3,798 Server.java
    9 File(s) 18,184 bytes

Note that the file name given to keytool here is mjmclient.trustore, while the server code in step (5) loads mjmclient.truststore; the two names must agree or the server will not find the client’s certificate.

(5) Have the server code trust the truststore

    // Server side SSL
    import java.io.*;
    import java.net.*;
    import javax.net.*;
    import javax.net.ssl.*;
    import java.security.*;

    public class Server {
        // hold the name of the keystore containing public and private keys
        static String keyStore = "mjmkeystore";
        // password of the keystore
        static char keyStorePass[] = "sesame".toCharArray();

        public static void main(String args[]) {
            int port = 6502;
            try {
                // get the keystore into memory
                KeyStore ks = KeyStore.getInstance("JKS");
                ks.load(new FileInputStream(keyStore), keyStorePass);
                // initialize the key manager factory with the keystore data
                KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
                kmf.init(ks, keyStorePass);
                // tell the system who we trust: we trust the client's certificate
                // in mjmclient.truststore
                System.setProperty("javax.net.ssl.trustStore", "mjmclient.truststore");
                // initialize the SSLContext engine
                // may throw NoSuchProvider or NoSuchAlgorithm exception
                // TLS - Transport Layer Security most generic
                SSLContext sslContext = SSLContext.getInstance("TLS");
                // Initialize context with given KeyManagers, TrustManagers,
                // SecureRandom; defaults taken if null
                sslContext.init(kmf.getKeyManagers(), null, null);
                // Get ServerSocketFactory from the context object
                ServerSocketFactory ssf = sslContext.getServerSocketFactory();
                // Now almost like programming with normal server sockets
                ServerSocket serverSocket = ssf.createServerSocket(port);
                // require the client to present a certificate we trust
                ((SSLServerSocket) serverSocket).setNeedClientAuth(true);
                System.out.println("Accepting secure connections");
                Socket client = serverSocket.accept();
                System.out.println("Got connection");
                PrintWriter out = new PrintWriter(client.getOutputStream(), true);
                BufferedReader in = new BufferedReader(
                        new InputStreamReader(client.getInputStream()));
                String fromClient = in.readLine();
                System.out.println(fromClient);
                out.println("Hello client\n");
                out.flush();
                in.close();
                out.close();
                System.out.println("Data sent");
            }
            catch (Exception e) {
                System.out.println("Exception thrown " + e);
            }
        }
    }

(6) Have the client code know about its own keys

    import java.net.*;
    import java.io.*;
    import javax.net.ssl.*;
    import java.security.KeyStore;

    public class Client {
        public static void main(String args[]) {
            int port = 6502;
            // tell the system who we trust
            System.setProperty("javax.net.ssl.trustStore", "mjm.truststore");
            try {
                SSLSocketFactory factory = null;
                try {
                    SSLContext ctx;
                    KeyManagerFactory kmf;
                    KeyStore ks;
                    char[] passphrase = "sesame".toCharArray();
                    ctx = SSLContext.getInstance("TLS");
                    kmf = KeyManagerFactory.getInstance("SunX509");
                    ks = KeyStore.getInstance("JKS");
                    // load the client's own key pair
                    ks.load(new FileInputStream("mjmclientkeystore"), passphrase);
                    kmf.init(ks, passphrase);
                    ctx.init(kmf.getKeyManagers(), null, null);
                    factory = ctx.getSocketFactory();
                } catch (Exception e) {
                    throw new IOException(e.getMessage());
                }
                SSLSocket s = (SSLSocket) factory.createSocket("localhost", port);
                s.startHandshake();
                PrintWriter out = new PrintWriter(s.getOutputStream());
                BufferedReader in = new BufferedReader(
                        new InputStreamReader(s.getInputStream()));
                out.write("Hello server\n");
                out.flush();
                String answer = in.readLine();
                System.out.println(answer);
                out.close();
                in.close();
            }
            catch (Exception e) {
                System.out.println("Exception thrown " + e);
            }
        }
    }

Testing

    D:…\server>java Server
    Accepting secure connections
    Got connection
    Hello server
    Data sent

    D:\…\client>java Client
    Hello client

Testing after deleting the server’s truststore

    D:…\server>java Server
    Accepting secure connections
    Got connection
    Exception thrown javax.net.ssl.SSLHandshakeException: Couldn't find trusted certificate

    D:\…\client>java Client
    Exception thrown javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown

Testing after deleting the client’s truststore

    D:..\server\java Server
    Accepting secure connections
    Got connection
    Exception thrown javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown

    D:\…\client>java Client
    Exception thrown javax.net.ssl.SSLHandshakeException: Couldn't find trusted certificate
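The server in step (5) and the client in step (6) both fall back on the javax.net.ssl.trustStore system property, and the server never looks at who the authenticated client is, even though the SSL overview says client authentication is typically done in the application layer. The program below is an added example (not the lecture's code) that runs both halves of that exchange in one process: each side builds its SSLContext from an explicit KeyStore and TrustManagerFactory, the server calls setNeedClientAuth(true) as in step (5), and after the handshake it reads the verified client subject from the session and checks it against an allow-list before answering. The handshake failures from the two deletion tests above surface as SSLHandshakeException in the catch blocks. It assumes the four files from the keytool steps are in the working directory with password sesame (mjmkeystore and mjmclient.truststore for the server, mjmclientkeystore and mjm.truststore for the client); the allow-list entry is the client subject keytool printed in step (4), written in RFC 2253 form.

```java
import java.io.BufferedReader;
import java.io.FileInputStream;
import java.io.InputStreamReader;
import java.io.PrintWriter;
import java.security.KeyStore;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;
import javax.security.auth.x500.X500Principal;

// Added example, not the lecture's code: mutual TLS with explicit trust and an
// application-layer authorization check on the verified client subject.
// Assumes the lecture's keystore files (password "sesame") in the working directory.
public class MutualTlsDemo {
    static final int PORT = 6502;
    static final char[] PASS = "sesame".toCharArray();
    // Constructed allow-list: the client subject keytool printed, in RFC 2253 form.
    static final List<String> ALLOWED_CLIENTS = Arrays.asList(
            "CN=Michael J. McCarthy,OU=Heinz School,O=CMU,L=Pittsburgh,ST=PA,C=US");

    static KeyStore loadJks(String path) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) { ks.load(in, PASS); }
        return ks;
    }

    // Present the keys in keyStore; trust only the certificates in trustStore.
    static SSLContext buildContext(String keyStore, String trustStore) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(loadJks(keyStore), PASS);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadJks(trustStore));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    // Application-layer authorization on the subject of the certificate TLS already verified.
    static boolean isAuthorized(X500Principal peer) {
        return ALLOWED_CLIENTS.contains(peer.getName(X500Principal.RFC2253));
    }

    static void runServer() {
        try {
            SSLContext ctx = buildContext("mjmkeystore", "mjmclient.truststore");
            try (SSLServerSocket server =
                         (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket(PORT)) {
                server.setNeedClientAuth(true);   // handshake fails unless the client presents a trusted cert
                try (SSLSocket client = (SSLSocket) server.accept()) {
                    client.startHandshake();      // raise handshake problems here, not on the first read
                    X500Principal who = (X500Principal) client.getSession().getPeerPrincipal();
                    PrintWriter out = new PrintWriter(client.getOutputStream(), true);
                    BufferedReader in = new BufferedReader(new InputStreamReader(client.getInputStream()));
                    String msg = in.readLine();
                    if (isAuthorized(who)) {
                        out.println("Hello " + who.getName(X500Principal.RFC1779) + ", got: " + msg);
                    } else {
                        out.println("Certificate verified but subject is not authorized");
                    }
                }
            }
        } catch (SSLHandshakeException e) {
            System.out.println("server: handshake failed: " + e.getMessage());
        } catch (Exception e) {
            System.out.println("server: " + e);
        }
    }

    static void runClient() {
        try {
            SSLContext ctx = buildContext("mjmclientkeystore", "mjm.truststore");
            try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket("localhost", PORT)) {
                s.startHandshake();
                PrintWriter out = new PrintWriter(s.getOutputStream(), true);
                BufferedReader in = new BufferedReader(new InputStreamReader(s.getInputStream()));
                out.println("Hello server");
                System.out.println("client: " + in.readLine());
            }
        } catch (SSLHandshakeException e) {
            System.out.println("client: handshake failed: " + e.getMessage());
        } catch (Exception e) {
            System.out.println("client: " + e);
        }
    }

    public static void main(String[] args) throws Exception {
        Thread server = new Thread(MutualTlsDemo::runServer);
        server.start();
        Thread.sleep(500);   // crude wait for the server to bind before connecting
        runClient();
        server.join();
    }
}
```

Two things this makes visible that the system-property version hides: removing a file from the allow-list (or deleting a truststore, as in the tests above) fails in one identifiable place, and the server's trust is no longer a JVM-wide setting that any other code in the process can change. One limitation is deliberate: neither the lecture's socket code nor this example checks that the server certificate names the host being connected to (the mjm certificate has CN=Michael McCarthy, not localhost). SSLParameters.setEndpointIdentificationAlgorithm("HTTPS") on the client socket would add that check, and it needs a certificate issued to the host name, which is what the Tomcat section does by answering "localhost" to keytool's first question.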

Configuring Tomcat for SSL

The web server needs a certificate so that the client can identify the server. The certificate may be signed by a Certificate Authority or it may be self-signed. The web server needs a private key as well.

Generate public and private keys for Tomcat. The keystore file is called .keystore.

    D:\McCarthy\www\95-804\examples\SSLAndTomcat>
    keytool -genkey -keyalg RSA -alias tomcat -keystore .keystore
    Enter keystore password: sesame
    What is your first and last name?
    [Unknown]: localhost
    What is the name of your organizational unit?
    [Unknown]: Heinz School
    What is the name of your organization?
    [Unknown]: CMU
    What is the name of your City or Locality?
    [Unknown]: Pgh.
    What is the name of your State or Province?
    [Unknown]: PA
    What is the two-letter country code for this unit?
    [Unknown]: US
    Is CN=localhost, OU=Heinz School, O=CMU, L=Pgh., ST=PA, C=US correct?
    [no]: yes
    Enter key password for <tomcat>
    (RETURN if same as keystore password): <RT>

    D:\McCarthy\www\95-804\examples\SSLAndTomcat>

Use admin tool to tell Tomcat about SSL
  • (1) Start up Tomcat
  • (2) Run the admin server with http://localhost:8080/admin
  • (3) Log in with your user name and password
  • (4) Select Service (Java Web Service Developer Pack)
  • (5) Select Create New Connector from the drop down list in the right pane
  • (6) In the type field enter HTTPS
  • (7) In the port field enter 8443
  • (8) Enter complete path to your .keystore file
  • (9) Enter keystore password
  • (10) Select SAVE and then Commit Changes

This tells Tomcat about .keystore.

Testing

Shutdown Tomcat.

Visit Tomcat from a browser. Use https://localhost:8443/

You can also visit your other installed web apps through https.

Protecting A Servlet

The servlet should test the protocol to ensure that it is being accessed through https.

A simple servlet that takes votes over SSL…

VoterServlet.java

    // VoterServlet.java -- Handle the voting form sent by index.html
    import java.io.*;
    import javax.servlet.*;
    import javax.servlet.http.*;

    public class VoterServlet extends HttpServlet {

        public void doPost(HttpServletRequest req, HttpServletResponse response)
                throws ServletException, IOException {
            doGet(req, response);
        }

        public void doGet(HttpServletRequest req, HttpServletResponse response)
                throws ServletException, IOException {
            // only act on the vote if the request came in over https
            String scheme = req.getScheme();
            if (scheme.equals("https")) {
                String newPresident = req.getParameter("president");
                System.out.println("Got Connection");
                response.setContentType("text/html");
                PrintWriter out = response.getWriter();
                String docType = "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.0 ";
                docType += "Transitional//EN\">\n";
                out.println(docType +
                        "<HTML>\n" +
                        "<HEAD><TITLE>Presidential Servlet</TITLE></HEAD>\n" +
                        "<BODY>\n" +
                        "<H1>The new president is " + newPresident + "</H1>\n" +
                        "</BODY></HTML>");
            }
        }
    }
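VoterServlet tests the scheme and otherwise does nothing, so a request that arrives over plain HTTP silently gets an empty 200, and the "president" parameter is written straight into the page. The servlet below is an added example, not the lecture's code, that keeps the same form handling but makes the three points explicit: the container's own isSecure() answer is combined with the scheme test and a non-HTTPS request gets a 403 so a misconfigured connector is noticed; the parameter is checked against the four candidates index.html actually offers; and the value echoed back is HTML-escaped. The candidate names are from the lecture's index.html; everything else (class name, helper names) is this example's own.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.util.Arrays;
import java.util.List;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example, not the lecture's servlet: VoterServlet with an explicit HTTPS
// check, an allow-list for the vote parameter and escaping of the echoed value.
public class HardenedVoterServlet extends HttpServlet {

    // The values offered by the lecture's index.html radio buttons.
    static final List<String> CANDIDATES = Arrays.asList("Bush", "Gore", "Buchanan", "Nader");

    /** True only when the container says the request used a secure channel and the scheme agrees. */
    static boolean arrivedOverHttps(HttpServletRequest req) {
        return req.isSecure() && "https".equals(req.getScheme());
    }

    static boolean isAllowedCandidate(String name) {
        return name != null && CANDIDATES.contains(name);
    }

    /** Minimal HTML escaping for text placed inside an element body. */
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    @Override
    public void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        doGet(req, resp);
    }

    @Override
    public void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if (!arrivedOverHttps(req)) {
            // Refuse loudly instead of returning a blank 200 the way the original does.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "This form is only served over HTTPS");
            return;
        }
        String newPresident = req.getParameter("president");
        if (!isAllowedCandidate(newPresident)) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "Unknown candidate");
            return;
        }
        resp.setContentType("text/html");
        resp.setHeader("Cache-Control", "no-store");   // a vote confirmation should not be cached
        PrintWriter out = resp.getWriter();
        out.println("<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.0 Transitional//EN\">");
        out.println("<HTML><HEAD><TITLE>Presidential Servlet</TITLE></HEAD><BODY>");
        out.println("<H1>The new president is " + escapeHtml(newPresident) + "</H1>");
        out.println("</BODY></HTML>");
    }
}
```

The check in code is a backstop, not the primary control: the web.xml shown later in the lecture could also carry a security-constraint whose user-data-constraint has transport-guarantee CONFIDENTIAL for the /VoterServlet/* pattern, in which case the container refuses or redirects plain HTTP before the servlet runs at all.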

index.html

    <html>
    <head>
    <title>Democracy</title>
    </head>
    <body BGCOLOR="WHITE">
    <form action="https://localhost:8443/VoteServlet/VoterServlet/">
    <dl>
    <dt> Please Vote </dt>
    <dd><Input type = "Radio" name = "president" value = "Bush"> <b>George W. Bush</b>
    <dd><Input type = "Radio" name = "president" value = "Gore"> Al Gore
    <dd><Input type = "Radio" name = "president" value = "Buchanan"> Pat Buchanan
    <dd><Input type = "Radio" name = "president" value = "Nader"> Ralph Nader
    <p> <input type = "submit">
    </dl>
    </form>
    </body>
    </html>

File Organization

    D:\MCCARTHY\WWW\95-804\EXAMPLES\PRESIDENT
    │   build.properties          build.properties contains app.path=/VoteServlet
    │   build.xml                 holds ant program
    ├───build                     build directory created by ant compile
    │   │   index.html            the html file asking for a vote
    │   │
    │   └───WEB-INF
    │       │   web.xml           deployment descriptor
    │       │
    │       ├───classes
    │       │       VoterServlet.class   the compiled servlet
    │       │
    │       └───lib
    ├───src                       src directory holds servlet
    │       VoterServlet.java     servlet
    └───web
        │   index.html            the html file asking for vote
        └───WEB-INF
            │   web.xml           the deployment descriptor that maps a URL pattern to the servlet
            └───classes

Web.xml deployment descriptor

    D:\McCarthy\www\95-804\examples\president\web\WEB-INF>type web.xml
    <?xml version="1.0" encoding="ISO-8859-1"?>
    <!DOCTYPE web-app
        PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
        "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
    <web-app>
        <servlet>
            <servlet-name>VoteForPres</servlet-name>
            <servlet-class>VoterServlet</servlet-class>
            <load-on-startup/>
        </servlet>
        <servlet-mapping>
            <servlet-name>VoteForPres</servlet-name>
            <url-pattern>/VoterServlet/*</url-pattern>
        </servlet-mapping>
    </web-app>

Build.properties

    D:\McCarthy\www\95-804\examples\president>type build.properties
    # Context path to install this application on
    app.path=/VoteServlet
    # Tomcat 4 installation directory
    catalina.home=d:/jwsdp-1_0_01
    # Established when installing the JWSDP
    # (required and case sensitive)
    manager.username=XXXXXX
    manager.password=XXXXXX

Send Vote With SOAP over HTTPS (Server Authentication)

Use Java API for XML Messaging (JAXM). Work with a new kind of servlet: the input is a SOAP message and the output is a SOAP message.

Tomcat has a keystore (.keystore) that sends certificates self-signed by localhost. The client trusts certificates signed by localhost.

Note: there may be several copies of the file java.security on your system. Make sure they all contain the line:

    security.provider.n=com.sun.net.ssl.internal.ssl.Provider

Output First

Server Side

    D:..\examples\SOAPAndSSL\server>shutdown
    D:..\examples\SOAPAndSSL\server>startup
    D:..\examples\SOAPAndSSL\server>ant install
    Buildfile: build.xml
    prepare:
    compile:
    install:
    [install] OK - Installed application at context path /Vote
    [install]
    BUILD SUCCESSFUL
    Total time: 1 minute 33 seconds
    D:\McCarthy\www\95-804\examples\SOAPAndSSL\server>

Output First – SOAP Client

Client Side

    D:..\examples\SOAPAndSSL\client>java VotingClient Nixon
    Sending the following message
    <?xml version="1.0" encoding="UTF-8"?>
    <soap-env:Envelope xmlns:soap-env="http://schemas.xmlsoap.org/soap/envelope/">
    <soap-env:Header/>
    <soap-env:Body>Nixon</soap-env:Body>
    </soap-env:Envelope>
    providers com.sun.net.ssl.internal.www.protocol
    Got back the following response
    <?xml version="1.0" encoding="UTF-8"?>
    <soap-env:Envelope xmlns:soap-env="http://schemas.xmlsoap.org/soap/envelope/">
    <soap-env:Header/>
    <soap-env:Body>Vote for Nixon accepted</soap-env:Body>
    </soap-env:Envelope>
    The result is Vote for Nixon accepted
    D:..\examples\SOAPAndSSL\client>

A SOAP Client Using SSL

    // VotingClient.java
    // for wrapping a SOAP document
    import javax.xml.soap.*;
    // for sending the SOAP document
    import javax.xml.messaging.*;
    // Standard Java imports
    import java.io.*;
    import java.net.URL;
    import java.util.Iterator;
    import java.math.*;
    import java.security.*;
    // For writing the XML document
    import org.apache.xml.serialize.XMLSerializer;   // not standard
    import org.apache.xml.serialize.OutputFormat;    // not standard
    import org.xml.sax.InputSource;

    public class VotingClient {
        // Establish a connection and a message factory
        private SOAPConnectionFactory soapConnectionFactory;
        private MessageFactory messageFactory;

        public VotingClient() throws SOAPException {
            // get connection factory
            soapConnectionFactory = SOAPConnectionFactory.newInstance();
            // get a message factory
            messageFactory = MessageFactory.newInstance();
            // set system property to point to our provider
            System.setProperty("java.protocol.handler.pkgs",
                               "com.sun.net.ssl.internal.www.protocol");
        }

        public String castVote(String candidate) throws IOException, SOAPException {
            // invoke web service
            SOAPMessage result = sendInVote(candidate);
            return handleResult(result);
        }

        private SOAPMessage sendInVote(String candidate) {
            SOAPMessage soapResponse = null;
            try {
                // get a SOAPConnection from the factory
                SOAPConnection soapConnection = soapConnectionFactory.createConnection();
                // get a SOAPMessage from the factory
                SOAPMessage soapRequest = messageFactory.createMessage();
                // Establish the truststore of who this client trusts
                System.setProperty("javax.net.ssl.trustStore", "tomcat.truststore");
                // establish a url endpoint for the SSL request
                URLEndpoint urlEndpoint = new URLEndpoint(
                        "https://localhost:8443/Vote/VotingServlet");
                // place a vote in the SOAP body
                SOAPPart sp = soapRequest.getSOAPPart();
                SOAPEnvelope se = sp.getEnvelope();
                SOAPBody sb = se.getBody();
                SOAPHeader sh = se.getHeader();
                sb.addTextNode(candidate);
                System.out.println("Sending the following message");
                soapRequest.writeTo(System.out);
                soapResponse = soapConnection.call(soapRequest, urlEndpoint);
                System.out.println("Got back the following response");
                soapResponse.writeTo(System.out);
                soapConnection.close();
            }
            catch (SOAPException se) {
                System.out.println("I found the SOAP exception" + se);
            }
            catch (IOException ioe) {
                System.out.println("IO Exception thrown");
            }
            return soapResponse;
        }

        private String handleResult(SOAPMessage fromVotingServlet) throws SOAPException {
            Text value;
            try {
                SOAPPart sr = fromVotingServlet.getSOAPPart();
                SOAPEnvelope sre = sr.getEnvelope();
                SOAPBody srb = sre.getBody();
                SOAPHeader srh = sre.getHeader();
                Iterator iter = srb.getChildElements();
                value = (Text) iter.next();
            }
            catch (Exception er) {
                System.out.println("Exception in handleResult()" + er);
                return null;
            }
            return (String) (value.getValue());
        }

        public static void main(String a[]) throws Exception {
            VotingClient vc = new VotingClient();
            String result = vc.castVote(a[0]);
            System.out.println("The result is " + result);
        }
    }

SOAP Servlet Using SSL

    // JAXM servlet VotingServlet.java
    // Takes a vote from the SOAP body and returns a SOAP response
    // to the client
    import java.io.IOException;
    import java.util.Iterator;
    import javax.servlet.*;
    import javax.xml.messaging.*;
    import javax.xml.soap.*;
    import java.util.*;

    public class VotingServlet extends JAXMServlet implements ReqRespListener {
        // we need to create a return message
        private MessageFactory messageFactory;

        // onMessage hit on each visit
        public SOAPMessage onMessage(SOAPMessage messageIn) {
            try {
                // read data from input message
                SOAPPart inSoapPart = messageIn.getSOAPPart();
                SOAPEnvelope inSoapEnvelope = inSoapPart.getEnvelope();
                SOAPBody inSoapBody = inSoapEnvelope.getBody();
                Iterator it = inSoapBody.getChildElements();
                Text content = (Text) it.next();
                System.out.println("Collected vote for " + content.getValue());
                // Build SOAP response
                messageFactory = MessageFactory.newInstance();
                SOAPMessage messageOut = messageFactory.createMessage();
                SOAPPart soapPart = messageOut.getSOAPPart();
                SOAPEnvelope soapEnvelope = soapPart.getEnvelope();
                SOAPBody soapBody = soapEnvelope.getBody();
                soapBody.addTextNode("Vote for " + content.getValue() + " accepted");
                return messageOut;
            }
            catch (NullPointerException np) {
                System.out.println("Null pointer all bets are off");
                return null;
            }
            catch (SOAPException s) {
                System.out.println("Voting Servlet SOAP Exception");
                return null;
            }
            catch (Exception e) {
                System.out.println("exception " + e);
                return null;
            }
        }
    }
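Both VotingServlet.onMessage() and VotingClient.handleResult() take the first child of the SOAP body and cast it to Text without looking at it. An empty body makes it.next() throw NoSuchElementException, a child element instead of text makes the cast throw ClassCastException, and a pretty-printed message can hand over a whitespace-only Text node as the "vote"; in every case the servlet returns null and the client sees a bare exception. The class below is an added example, not the lecture's code, that isolates the body-handling part of the servlet: it walks the body's children with the same SAAJ calls the page uses, ignores whitespace, rejects elements, multiple votes, empty and over-long votes with a readable reason, and always answers with a message. Its main() builds three sample requests in memory (constructed here) so it runs without Tomcat or SSL; it assumes a SAAJ implementation providing javax.xml.soap is on the classpath, as the JWSDP in the lecture does.

```java
import java.io.ByteArrayOutputStream;
import java.util.Iterator;
import javax.xml.soap.MessageFactory;
import javax.xml.soap.SOAPBody;
import javax.xml.soap.SOAPElement;
import javax.xml.soap.SOAPException;
import javax.xml.soap.SOAPMessage;
import javax.xml.soap.Text;

// Added example, not the lecture's servlet: defensive extraction of the vote from a SOAP body.
public class VoteBodyParser {
    static final int MAX_VOTE_LENGTH = 64;   // constructed limit for this example

    /** Raised for a body that does not contain exactly one non-empty text vote. */
    public static final class BadVoteException extends Exception {
        public BadVoteException(String why) { super(why); }
    }

    /** Returns the trimmed vote text, or throws BadVoteException describing what was wrong. */
    public static String extractVote(SOAPMessage in) throws SOAPException, BadVoteException {
        SOAPBody body = in.getSOAPPart().getEnvelope().getBody();
        String vote = null;
        Iterator<?> it = body.getChildElements();   // raw Iterator in older SAAJ, Iterator<Node> in newer
        while (it.hasNext()) {
            Object child = it.next();
            if (child instanceof Text) {
                String t = ((Text) child).getValue();
                if (t == null || t.trim().isEmpty()) continue;   // whitespace between tags is not a vote
                if (vote != null) throw new BadVoteException("more than one vote in body");
                vote = t.trim();
            } else if (child instanceof SOAPElement) {
                throw new BadVoteException("expected a plain text vote, found element <"
                        + ((SOAPElement) child).getElementName().getLocalName() + ">");
            }
        }
        if (vote == null) throw new BadVoteException("empty body");
        if (vote.length() > MAX_VOTE_LENGTH) throw new BadVoteException("vote too long");
        return vote;
    }

    /** Build the reply the servlet returns; addTextNode escapes the text as XML character data. */
    public static SOAPMessage buildReply(MessageFactory mf, String text) throws SOAPException {
        SOAPMessage out = mf.createMessage();
        out.getSOAPPart().getEnvelope().getBody().addTextNode(text);
        return out;
    }

    /** The servlet-side decision: accept or reject, but always answer with a message, never null. */
    public static SOAPMessage handle(MessageFactory mf, SOAPMessage in) throws SOAPException {
        try {
            return buildReply(mf, "Vote for " + extractVote(in) + " accepted");
        } catch (BadVoteException e) {
            return buildReply(mf, "Vote rejected: " + e.getMessage());
        }
    }

    static String render(SOAPMessage m) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        m.writeTo(bos);
        return bos.toString("UTF-8");
    }

    public static void main(String[] args) throws Exception {
        MessageFactory mf = MessageFactory.newInstance();

        // Constructed sample 1: the request VotingClient sends, built the same way it does.
        SOAPMessage good = mf.createMessage();
        good.getSOAPPart().getEnvelope().getBody().addTextNode("Nixon");
        System.out.println(render(handle(mf, good)));

        // Constructed sample 2: an empty body, on which the original it.next() fails.
        SOAPMessage empty = mf.createMessage();
        System.out.println(render(handle(mf, empty)));

        // Constructed sample 3: an element instead of text, on which the original cast fails.
        SOAPMessage elem = mf.createMessage();
        elem.getSOAPPart().getEnvelope().getBody().addChildElement("vote").addTextNode("Nixon");
        System.out.println(render(handle(mf, elem)));
    }
}
```

Inside the lecture's VotingServlet, onMessage() would reduce to `return handle(messageFactory, messageIn);` with the factory created once rather than per request. The rejection reason is deliberately about the message shape only; it does not echo the offending content back, which keeps attacker-controlled text out of the server's reply and its logs.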

Send Vote With SOAP over HTTPS (Client & Server Authentication)

What we have so far:
  • SOAP Client: has a truststore but no keys of its own
  • SOAP Server: has a file called .keystore holding keys

We need to:
  • give the client some keys
  • set the server to trust those keys

Client Authentication
  • (1) Generate a key set for the client
  • (2) Generate a certificate from the keys
  • (3) Place the certificate in the server’s keystore
  • (4) Tell Tomcat to authenticate clients
  • (5) Tell the client to load its keys for SSL

(1) Generate a key set for the client

    D:..\examples\SOAPAndSSL\client>
    keytool -genkey -alias mjm -keyalg RSA -storepass sesame -keystore client.keystore
    What is your first and last name?
    [Unknown]: Michael McCarthy
    What is the name of your organizational unit?
    [Unknown]: Heinz School
    What is the name of your organization?
    [Unknown]: CMU
    What is the name of your City or Locality?
    [Unknown]: Pittsburgh
    What is the name of your State or Province?
    [Unknown]: PA
    What is the two-letter country code for this unit?
    [Unknown]: US
    Is CN=Michael McCarthy, OU=Heinz School, O=CMU, L=Pittsburgh, ST=PA, C=US correct?
    [no]: yes
    Enter key password for <mjm>
    (RETURN if same as keystore password): <RT>

(2) Generate a certificate from the keys

    D:..\examples\SOAPAndSSL\client>
    keytool -export -alias mjm -storepass sesame -file client.cer -keystore client.keystore
    Certificate stored in file <client.cer>
    D:..examples\SOAPAndSSL\client>

(3) Place the client’s certificate into the server’s keystore
  • Copy client.cer over to the server
  • Add client.cer to the server’s keystore

    D:..\examples\SSLAndTomcat>
    keytool -import -v -trustcacerts -alias mjmservercert -file client.cer -keystore .keystore -storepass sesame
    Owner: CN=Michael McCarthy, OU=Heinz School, O=CMU, L=Pittsburgh, ST=PA, C=US
    Issuer: CN=Michael McCarthy, OU=Heinz School, O=CMU, L=Pittsburgh, ST=PA, C=US
    Serial number: 3e7396d6
    Valid from: Sat Mar 15 16:10:46 EST 2003 until: Fri Jun 13 17:10:46 EDT 2003
    Certificate fingerprints:
    MD5:  CB:49:42:25:DC:FF:B8:0C:02:0F:31:29:B4:E8:B1:00
    SHA1: D8:8E:AA:B6:55:17:39:1B:CF:14:24:A9:0E:65:E4:29:52:30:4C:E4
    Trust this certificate? [no]: y
    Certificate was added to keystore
    [Saving .keystore]
    D..\examples\SSLAndTomcat>

(4) Tell Tomcat to authenticate clients

[Admin tool screenshot: the connector’s Client authentication setting and the server’s keystore]

(5) Tell the client to load its keys for SSL

Almost the same client as before, but with the following constructor:

    public VotingClient() throws SOAPException {
        // get connection factory
        soapConnectionFactory = SOAPConnectionFactory.newInstance();
        // get a message factory
        messageFactory = MessageFactory.newInstance();
        // use Sun's reference implementation of a URL handler for
        // the https protocol
        System.setProperty("java.protocol.handler.pkgs",
                           "com.sun.net.ssl.internal.www.protocol");
        // Establish the truststore of who this client trusts
        System.setProperty("javax.net.ssl.trustStore", "tomcat.truststore");
        // Establish the keystore of this client
        System.setProperty("javax.net.ssl.keyStore", "client.keystore");
        System.setProperty("javax.net.ssl.keyStorePassword", "sesame");
        // dynamically register SUN's SSL provider
        Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
    }

XML Key Management Specification (XKMS)

The PKI host holds keys, certificates and a certificate revocation list. XKMS has two parts, both carried over SOAP:
  • X-KRSS, the XML Key Registration Service Specification: register key, revoke certificate, recover key
  • X-KISS, the XML Key Information Service Specification: verify signature

The flow between Signer, Verifier and PKI host:
  • (1) The Signer generates a key pair or requests the pair from the PKI host
  • (2) Key registration request
  • (3) Certificate sent to Signer
  • (4) Signed document sent to Verifier
  • (5) Verifier requests certificate from PKI host
  • (6) Key and certificate sent to Verifier
  • (7) The Signer may request that a certificate be revoked
  • (8) The Signer may request a copy of lost keys