Applied Cryptography, Week 12
Michael McCarthy
95-804 XML Encryption, .NET and Web Services Security Week 12
Today’s Topics
• XML Encryption Examples
• XML Encryption using .NET/C#
• Web Service Security using Sun’s Application Server
XML Encryption
• W3C Recommendation, 10 December 2002
• JSR 105 (XMLDSig): proposed final draft
• JSR 106 (XMLEnc): in progress
• JWSDP 1.5 supports Web Services Security V1.0
• .NET supports XMLEnc out of the box
• Some notes from http://www-106.ibm.com/developerworks/library/x-encrypt/index.html by Bilal Siddiqui, and from “Secure XML” by Eastlake and Niles (Addison Wesley)
General Form 1
  <EncryptedData>
    <CipherData>
      <CipherValue> cipher text in Base64 </CipherValue>
    </CipherData>
  </EncryptedData>
General Form 2
  <EncryptedData>
    <CipherData>
      <CipherReference> pointer (URL) to cipher text </CipherReference>
    </CipherData>
  </EncryptedData>
EncryptedData is the core element
• Replaces the encrypted element, or
• Serves as the new document root
• May contain a KeyInfo element (borrowed from XML Digital Signature, where it identifies the key for signature verification) that describes the key needed for decryption
General Example (1)
  <MedInfo>
    <ID>
      <Name>…</Name>
      <Address>…</Address>
    </ID>
    <Medical>…</Medical>
    <Financial>…</Financial>
  </MedInfo>
General Example (2): the Medical element is replaced by EncryptedData
  <MedInfo>
    <ID>…</ID>
    <EncryptedData>
      <KeyInfo>
        <KeyName>Medical</KeyName>
      </KeyInfo>
      <CipherData>
        <CipherValue> cipher text </CipherValue>
      </CipherData>
    </EncryptedData>
General Example (3): the content of Financial is replaced by EncryptedData
    <Financial>
      <EncryptedData>
        <KeyInfo>
          <KeyName>Pay</KeyName>
        </KeyInfo>
        <CipherData>
          <CipherValue> cipher text </CipherValue>
        </CipherData>
      </EncryptedData>
    </Financial>
  </MedInfo>
Detailed Example (Listing 1)
  <purchaseOrder>
    <Order>
      <Item>book</Item>
      <Id>123-958-74598</Id>
      <Quantity>12</Quantity>
    </Order>
    <Payment>
      <CardId>123654-8988889-9996874</CardId>
      <CardName>visa</CardName>
      <ValidDate>12-10-2004</ValidDate>
    </Payment>
  </purchaseOrder>
Encrypting the Entire File (Listing 2)
  <?xml version='1.0' ?>
  <EncryptedData xmlns='http://www.w3.org/2001/04/xmlenc#'
      Type='http://www.isi.edu/in-notes/iana/assignments/media-types/text/xml'>
    <CipherData>
      <CipherValue>A23B45C56…</CipherValue>
    </CipherData>
  </EncryptedData>
IANA = Internet Assigned Numbers Authority, a function of the Internet Corporation for Assigned Names and Numbers.
Encrypting The Payment (Listing 3)
  <?xml version='1.0' ?>
  <PurchaseOrder>
    <Order>
      <Item>book</Item>
      <Id>123-958-74598</Id>
      <Quantity>12</Quantity>
    </Order>
    <EncryptedData Type='http://www.w3.org/2001/04/xmlenc#Element'
        xmlns='http://www.w3.org/2001/04/xmlenc#'>
      <CipherData>
        <CipherValue>A23B45C564587…</CipherValue>
      </CipherData>
    </EncryptedData>
  </PurchaseOrder>
One element: the whole Payment element is replaced (Type …#Element).
Encrypting Only the CardId (Listing 4)
  <?xml version='1.0' ?>
  <PurchaseOrder>
    <Order>
      <Item>book</Item>
      <Id>123-958-74598</Id>
      <Quantity>12</Quantity>
    </Order>
    <Payment>
      <CardId>
        <EncryptedData Type='http://www.w3.org/2001/04/xmlenc#Content'
            xmlns='http://www.w3.org/2001/04/xmlenc#'>
          <CipherData>
            <CipherValue>A23B45C564587</CipherValue>
          </CipherData>
        </EncryptedData>
      </CardId>
      <CardName>visa</CardName>
      <ValidDate>12-10-2004</ValidDate>
    </Payment>
  </PurchaseOrder>
Element content: only the content of CardId is replaced (Type …#Content); the CardId tag itself stays visible.
Encrypting Non-XML Data (Listing 5)
  <?xml version='1.0' ?>
  <EncryptedData xmlns='http://www.w3.org/2001/04/xmlenc#'
      Type='http://www.isi.edu/in-notes/iana/assignments/media-types/jpeg'>
    <CipherData>
      <CipherValue>A23B45C56…</CipherValue>
    </CipherData>
  </EncryptedData>
Sending a public key (Listing 6)
  <?xml version='1.0' ?>
  <SecureCommunicationDemonstration>
    <EncryptedKey CarriedKeyName="Muhammad Imran"
        xmlns='http://www.w3.org/2001/04/xmlenc#'>
      <ds:KeyInfo xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
        <ds:KeyValue>1asd25fsdf2dfdsfsdfds2f1sd23</ds:KeyValue>
      </ds:KeyInfo>
    </EncryptedKey>
  </SecureCommunicationDemonstration>
This key is in the clear.
Receiving a Secret Key Encrypted with a Public Key (Listing 7)
  <?xml version='1.0' ?>
  <SecureCommunicationDemonstration>
    <EncryptedKey CarriedKeyName="Imran Ali"
        xmlns='http://www.w3.org/2001/04/xmlenc#'>
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
      <CipherData>
        <CipherValue>xyza21212sdfdsfs7989fsdbc</CipherValue>
      </CipherData>
    </EncryptedKey>
  </SecureCommunicationDemonstration>
This key is encrypted. Its name is Imran Ali.
Data Encrypted to Secret Key (Listing 8)
  <?xml version='1.0' ?>
  <SecureCommunicationDemonstration>
    <Order>
      <Item>book</Item>
      <Id>123-958-74598</Id>
      <Quantity>12</Quantity>
      <CardName>Visa</CardName>
      <ExpDate>10-10-2005</ExpDate>
      <EncryptedData Type='http://www.w3.org/2001/04/xmlenc#Element'
          xmlns='http://www.w3.org/2001/04/xmlenc#'>
        <EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#tripledes-cbc'/>
        <ds:KeyInfo xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
          <ds:KeyName>Imran Ali</ds:KeyName>
        </ds:KeyInfo>
        <CipherData>
          <CipherValue>A23B45C564587</CipherValue>
        </CipherData>
      </EncryptedData>
    </Order>
  </SecureCommunicationDemonstration>
An element is encrypted with the Imran Ali key (the KeyName must match the CarriedKeyName of Listing 7 exactly).
Pointing to encrypted data (Listing 9)
  <?xml version='1.0' ?>
  <EncryptedData xmlns='http://www.w3.org/2001/04/xmlenc#'
      Type='http://www.w3.org/2001/04/xmlenc#Element'>
    <ds:KeyInfo xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
      <ds:KeyName>Imran Ali</ds:KeyName>
    </ds:KeyInfo>
    <CipherData>
      <CipherReference URI="www.waxsys.com/secureData/waxFile.txt"/>
    </CipherData>
  </EncryptedData>
The external source is encrypted with the Imran Ali key.
Pointing to a distant encrypted element (Listing 10)
  <?xml version='1.0' ?>
  <EncryptedData Id="Enc-Data"
      xmlns='http://www.w3.org/2001/04/xmlenc#'
      Type='http://www.w3.org/2001/04/xmlenc#Element'>
    <CipherReference URI="http://www.waxsys.com/EncFile.xml">
      <Transforms xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
          <wax:XPath xmlns:wax="http://www.waxsys.com/xpathNS">
            PurchaseOrder/EncryptedData[@Id="Imran-Enc-Data"]
          </wax:XPath>
        </ds:Transform>
      </Transforms>
    </CipherReference>
  </EncryptedData>
XPath is used to point to the exact element in the referenced file that holds the cipher text.
An Example Output Using IBM’s XSS4J
  <?xml version="1.0" encoding="UTF-8"?>
  <EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#" Id="Test"
      Type="http://www.isi.edu/in-notes/iana/assignments/media-types/text/xml">
    <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
    <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <KeyName>ImranAli</KeyName>
    </ds:KeyInfo>
    <CipherData>
      <CipherValue>cipher text</CipherValue>
    </CipherData>
  </EncryptedData>
A key name is provided for decryption.
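The listings above place EncryptedData at the document root, in place of an element, and inside an element, and carry the cipher text either inline (CipherValue) or by pointer (CipherReference). Before a receiver tries to decrypt anything it should know which of these it has been handed. The program below is an added example, not part of the lecture slides, that walks a received document with the same XmlDocument and XPath calls the later slides use and reports, for each EncryptedData element, where it sits, whether its Type says the element or only its content was replaced, which algorithm and key name it names, and whether its cipher text is inline or external. The sample document, the key name and the placeholder URI are constructed for this example. The one policy it applies is that a CipherReference is reported but never fetched: dereferencing a URI taken from an untrusted message is the application's decision, not the parser's.

```csharp
// Added example (not from the slides): inventory the EncryptedData elements of a
// received document before attempting decryption. Needs only System.Xml.
using System;
using System.Collections.Generic;
using System.Xml;

static class EncryptedDataInventory
{
    const string XencNs = "http://www.w3.org/2001/04/xmlenc#";
    const string DsigNs = "http://www.w3.org/2000/09/xmldsig#";

    // Constructed sample: one Element-typed EncryptedData that replaced <Payment>,
    // and one Content-typed EncryptedData inside <Notes> whose cipher text is
    // held at a placeholder external URI (example.invalid is a reserved name).
    const string Sample = @"<?xml version='1.0'?>
<PurchaseOrder>
  <Order><Item>book</Item><Quantity>12</Quantity></Order>
  <EncryptedData xmlns='http://www.w3.org/2001/04/xmlenc#'
                 Type='http://www.w3.org/2001/04/xmlenc#Element'>
    <EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#tripledes-cbc'/>
    <ds:KeyInfo xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
      <ds:KeyName>Imran Ali</ds:KeyName>
    </ds:KeyInfo>
    <CipherData><CipherValue>A23B45C564587</CipherValue></CipherData>
  </EncryptedData>
  <Notes>
    <EncryptedData xmlns='http://www.w3.org/2001/04/xmlenc#'
                   Type='http://www.w3.org/2001/04/xmlenc#Content'>
      <CipherData><CipherReference URI='http://example.invalid/cipher.bin'/></CipherData>
    </EncryptedData>
  </Notes>
</PurchaseOrder>";

    sealed class Entry
    {
        public string Parent, Scope, Algorithm, KeyName;
        public bool External;
    }

    static List<Entry> Inventory(XmlDocument doc)
    {
        // Namespace-aware XPath: the slides' examples mix prefixed and unprefixed KeyName.
        var nsm = new XmlNamespaceManager(doc.NameTable);
        nsm.AddNamespace("xenc", XencNs);
        nsm.AddNamespace("ds", DsigNs);

        var result = new List<Entry>();
        foreach (XmlElement ed in doc.SelectNodes("//xenc:EncryptedData", nsm))
        {
            var e = new Entry();
            e.Parent = ed.ParentNode.NodeType == XmlNodeType.Element
                ? ed.ParentNode.Name : "(document root)";

            // Type decides what the plaintext replaces: the whole element or only its content.
            string type = ed.GetAttribute("Type");
            e.Scope = type == XencNs + "Element" ? "replaces an element"
                    : type == XencNs + "Content" ? "replaces element content"
                    : "opaque data of type " + (type == "" ? "(none)" : type);

            XmlNode alg = ed.SelectSingleNode("xenc:EncryptionMethod/@Algorithm", nsm);
            e.Algorithm = alg == null ? "(absent: must be agreed out of band)" : alg.Value;

            // Accept both <ds:KeyName> and the no-namespace <KeyName> seen in tool output.
            XmlNode key = ed.SelectSingleNode("ds:KeyInfo/ds:KeyName | ds:KeyInfo/KeyName", nsm);
            e.KeyName = key == null ? "(no KeyName)" : key.InnerText.Trim();

            e.External = ed.SelectSingleNode("xenc:CipherData/xenc:CipherReference", nsm) != null;
            result.Add(e);
        }
        return result;
    }

    static void Main()
    {
        var doc = new XmlDocument();
        doc.PreserveWhitespace = true;
        doc.LoadXml(Sample);

        foreach (Entry e in Inventory(doc))
        {
            Console.WriteLine("EncryptedData under <{0}>: {1}", e.Parent, e.Scope);
            Console.WriteLine("  algorithm: {0}", e.Algorithm);
            Console.WriteLine("  key name : {0}", e.KeyName);
            Console.WriteLine(e.External
                ? "  cipher text: external CipherReference (not fetched; fetch only if policy allows)"
                : "  cipher text: inline CipherValue");
        }
    }
}
```

Run against the constructed sample, the first entry reports the element-replacing EncryptedData under PurchaseOrder with tripledes-cbc and key name Imran Ali, and the second reports the content-replacing one under Notes with no algorithm, no key name and an external reference. A missing algorithm or key name is not an error in the format, since both may be agreed out of band, but the receiver has to know which case it is in before it picks a key.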
XML Encryption using .NET/C#
.NET Example
Hybrid Encryption
• The way it’s done today
• Bulk encryption using symmetric (session) keys: fast
• The symmetric key exchange problem is solved by encrypting the session key with the receiver’s public key
.Net Crypto API Example
• The receiver builds an RSA key pair
• The public key of the receiver is used by the sender to encrypt a symmetric session key
• The encrypted session key, along with the encrypted elements, is sent to the receiver
• The receiver decrypts the session key using her private RSA key
• She then decrypts the encrypted element using the symmetric session key
The RSA Public key in XML
  <RSAKeyValue>
    <Modulus>z9zv0HMRK44BrjYIQtmKlDkA6WnQCIVOYmOjy/eKhFqXJM024JybC/5hOCQoYRRo5iYRopIV4gBZUBSolxgk8jIr38iO84lDoSisPl3ikcob/aCuhPe8jSl4zbKpiJ+rqQE8rSNJ3XDPDVIiRoDbSRbn04x210tjYNMbePw0RQk=</Modulus>
    <Exponent>AQAB</Exponent>
  </RSAKeyValue>
These are not arbitrary tags. This representation is part of the XMLDSig standard.
The RSA Public/Private Key data in XML
  <RSAKeyValue> <!-- defined by XMLDSig -->
    <Modulus>z9zv0HMRK44BrjYIQtmKlDkA6WnQCIVOYmOjy/eKhFqXJM024JybC/5hOCQoYRRo5iYRopIV4gBZUBSolxgk8jIr38iO84lDoSisPl3ikcob/aCuhPe8jSl4zbKpiJ+rqQE8rSNJ3XDPDVIiRoDbSRbn04x210tjYNMbePw0RQk=</Modulus>
    <Exponent>AQAB</Exponent>
    <P>54xO9DFJ4Mydzqrq8/0mcWInv4pU+bJHx1W1TYiybkRs7TchIq56z1JSgedhSxYvGHfHKzDcdplK2PHC9Aik2w==</P>
    <Q>5dBTIHj9btkq9Nss0ZC04OyRGjssKJs8+Y89MOhs9BB1YNnk6Ci6PqV8F2P8FwcSFLXb5+II7nuvRTGS5enQ6w==</Q>
    <D>sLBBOZNWGQvQ6eEMDKcWYQBDgiVrrJKEGqZP6WU13WOT7rhx2WPFd+B3i11Q5ZSPxnK9ss8ywrVBNg0ZcbYYUC+g6fYsfylKv1Lbpxr9h002syvRjmyywRcD9+TfvrVhOe27QYJKlE/QX4SHSgnTxq4qkmHdTxZRtoRGGLdZ8XE=</D>
  </RSAKeyValue>
The private parameters (P, Q, D) stay in the receiver’s file only; the sender gets the Modulus and Exponent alone.
The Encrypted Session Key
  <EncryptedKey CarriedKeyName="My 3DES Session Key"> <!-- name of session key -->
    <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
    <ds:KeyInfo> <!-- use this key to decrypt the session key -->
      <KeyName>My Private Key</KeyName>
    </ds:KeyInfo>
    <CipherData>
      <CipherValue> <!-- session key encrypted -->
        Shy7Nzo/ctBPAhwubFiAYpNNB2CuM4TpCUozP2oQZrEMT03OEzspgkBaItai8ImBUiSUT1KlPCbawG2edz40ISgJ+G+Sl4m6ZNmL0//gqs4/7eUyLY0rSFeCnW9hKU/hr0r4wDJaKiI+hS68OTHeBBcGLCyFEPSCQXeqbnvqQBo=
      </CipherValue>
    </CipherData>
  </EncryptedKey>
The Original Invoice
  <invoice>
    <items>
      <item>
        <desc>Deluxe corncob pipe</desc>
        <unitprice>14.95</unitprice>
        <quantity>1</quantity>
      </item>
    </items>
    <creditinfo>
      <cardnumber>0123456789</cardnumber>
      <expiration>01/06/2005</expiration>
      <lastname>Finn</lastname>
      <firstname>Huckleberry</firstname>
    </creditinfo>
  </invoice>
The Encrypted Invoice
  <invoice>
    <items>
      <item>
        <desc>Deluxe corncob pipe</desc>
        <unitprice>14.95</unitprice>
        <quantity>1</quantity>
      </item>
    </items>
    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element">
      <ds:KeyInfo> <!-- use this session key for decryption -->
        <KeyName>My 3DES Session Key</KeyName>
      </ds:KeyInfo>
      <CipherData>
        <CipherValue>
          ZS0og/w6JtPj0BDtU4XiAS3ybUsqh4tvp4ItoNO8ZzWUSVl8290HHVG2MfbjPSr00dCftHpaBd8GBgHOUSqG6wiia3EYy8Bgz7y6NeQ6zFu9i3J34Fy+uWETjmkROE/mg+RU0IxQTkcDWQVfUq6TECNafP9voSvbOGTNbt87Rb0BDcjbAWWLjKkOT6KOOVwfq60TJxmmkxFonqwVAY2ARlm/yBqvbo2BHux5fvZFZBF5jCPZPkuOClYZVXpY3wVB
        </CipherValue>
      </CipherData>
    </EncryptedData>
  </invoice>
The creditinfo element has been replaced by EncryptedData; the KeyName ties it to the session key carried in the EncryptedKey above.
The C# Code (from Thorsteinson and Ganesh)
  //XMLEncryption.cs
  //NOTE: must add a project reference to System.Security
  using System;
  using System.IO;
  using System.Text;
  using System.Xml;
  using System.Security.Cryptography;
  using System.Security.Cryptography.Xml;
The receiver creates RSA keys and places them in two files – one for the receiver and one for the sender.
  class XMLEncryption
  {
      static void Main(string[] args)
      {
          //create participants
          Sender sender = new Sender();
          Receiver receiver = new Receiver();

          //establish public and private RSA key information
          receiver.EstablishXmlRsaParameters(
              "RsaIncludePrivateParams.xml",
              "RsaExcludePrivateParams.xml");
The sender creates an XML document, and generates a symmetric encryption key that is encrypted with the public key of the receiver: E(SK).
          //create original XML document to be encrypted
          sender.CreateOriginalXmlDocument("OriginalInvoice.xml");

          //create session key and encrypt via RSA public key
          byte[] IV = sender.CreateAndEncryptXmlSessionKey(
              "RsaExcludePrivateParams.xml",
              "SessionKeyExchange.xml");
The sender encrypts sensitive parts of the document. The receiver decrypts the session key and is then able to decrypt the document.
          //encrypt original XML document with session key
          sender.EncryptOriginalXmlDocument(
              "OriginalInvoice.xml",
              "RsaExcludePrivateParams.xml",
              "SessionKeyExchange.xml", // no need
              "EncryptedInvoice.xml");

          //decrypt XML document with session key
          receiver.DecryptXmlDocument(
              "EncryptedInvoice.xml",
              "RsaIncludePrivateParams.xml",
              "SessionKeyExchange.xml",
              "DecryptedCreditInfo.xml",
              IV);
      }
  }
The sender builds the document the hard way. The creditinfo part is sensitive.
  class Sender
  {
      //3DES session key and IV, shared by the methods below (the slides note that
      //these are declared outside the methods; the declaring slide is not reproduced here)
      private byte[] IV;
      private byte[] Key;

      public void CreateOriginalXmlDocument(String originalFilename)
      {
          //establish the original XML document
          XmlDocument xmlDoc = new XmlDocument();
          xmlDoc.PreserveWhitespace = true;
          xmlDoc.LoadXml(
              "<invoice>\n" +
              "  <items>\n" +
              "    <item>\n" +
              "      <desc>Deluxe corncob pipe</desc>\n" +
              "      <unitprice>14.95</unitprice>\n" +
              "      <quantity>1</quantity>\n" +
              "    </item>\n" +
              "  </items>\n" +
              "  <creditinfo>\n" +
              "    <cardnumber>0123456789</cardnumber>\n" +
              "    <expiration>01/06/2005</expiration>\n" +
              "    <lastname>Finn</lastname>\n" +
              "    <firstname>Huckleberry</firstname>\n" +
              "  </creditinfo>\n" +
              "</invoice>\n");
Write the “hand built” XML to a file.
          //write original XML document to file
          StreamWriter file = new StreamWriter(originalFilename);
          file.Write(xmlDoc.OuterXml);
          file.Close();

          //let the user know what happened
          Console.WriteLine(
              "Original XML document written to:\n\t" + originalFilename);
      }
The sender creates the session key. Before encrypting the key it needs the public key of the receiver.
      public byte[] CreateAndEncryptXmlSessionKey(
          String rsaExcludePrivateParamsFilename,
          String keyFilename)
      {
          //create the session key for 3DES bulk encryption
          TripleDESCryptoServiceProvider tripleDES =
              new TripleDESCryptoServiceProvider();

          //access the IV and Key for sender encryption
          IV = tripleDES.IV;
          Key = tripleDES.Key;

          //fetch public only RSA parameters from XML
          StreamReader fileRsaParams =
              new StreamReader(rsaExcludePrivateParamsFilename);
          String rsaExcludePrivateParamsXML = fileRsaParams.ReadToEnd();
          fileRsaParams.Close();
The sender encrypts the 3DES session key and builds an XML document to hold it.
          //RSA encrypt session key
          RSACryptoServiceProvider rsa = new RSACryptoServiceProvider();
          rsa.FromXmlString(rsaExcludePrivateParamsXML);
          byte[] keyEncryptedBytes = rsa.Encrypt(tripleDES.Key, false);

          //store encrypted 3DES session key in Base64 string
          String keyEncryptedString =
              Convert.ToBase64String(keyEncryptedBytes);

          //create XML document for 3DES session key exchange
          XmlDocument xmlKeyDoc = new XmlDocument();
          xmlKeyDoc.PreserveWhitespace = true;
          //add EncryptedKey element to key XML
          XmlElement xmlEncryptedKey =
              xmlKeyDoc.CreateElement("EncryptedKey");
          xmlKeyDoc.AppendChild(xmlEncryptedKey);
          XmlAttribute xmlCarriedKeyName =
              xmlKeyDoc.CreateAttribute("CarriedKeyName");
          xmlCarriedKeyName.Value = "My 3DES Session Key";
          xmlEncryptedKey.Attributes.Append(xmlCarriedKeyName);
So far we have:
  <EncryptedKey CarriedKeyName="My 3DES Session Key">
          //add the EncryptionMethod element to key XML
          XmlElement xmlEncryptionMethod =
              xmlKeyDoc.CreateElement("EncryptionMethod");
          xmlEncryptedKey.AppendChild(xmlEncryptionMethod);
          XmlAttribute xmlAlgorithm =
              xmlKeyDoc.CreateAttribute("Algorithm");
          xmlAlgorithm.Value = "http://www.w3.org/2001/04/xmlenc#rsa-1_5";
          xmlEncryptionMethod.Attributes.Append(xmlAlgorithm);
Producing:
  <EncryptedKey CarriedKeyName="My 3DES Session Key">
    <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
          //add KeyInfo element to key XML
          XmlElement xmlKeyInfo = xmlKeyDoc.CreateElement(
              "ds", "KeyInfo", "http://www.w3.org/2000/09/xmldsig#");
          xmlEncryptedKey.AppendChild(xmlKeyInfo);

          //add KeyName element to key XML
          XmlElement xmlKeyName =
              xmlKeyDoc.CreateElement("ds", "KeyName", null);
          xmlKeyName.InnerText = "My Private Key";
          xmlKeyInfo.AppendChild(xmlKeyName);
Producing:
    <!-- My Private Key will be used to decrypt the session key -->
    <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <KeyName>My Private Key</KeyName>
    </ds:KeyInfo>
          //add CipherData element to key XML
          XmlElement xmlCipherData = xmlKeyDoc.CreateElement("CipherData");
          xmlEncryptedKey.AppendChild(xmlCipherData);
Producing:
    <CipherData>
          //add CipherValue element to key XML
          XmlElement xmlCipherValue = xmlKeyDoc.CreateElement("CipherValue");
          xmlCipherValue.InnerText = keyEncryptedString;
          xmlCipherData.AppendChild(xmlCipherValue);
Producing:
      <CipherValue>Shy7Nzo/ctBPAhwubFiAYpNNB2CuM4TpCUozP2oQZrEMT03OEzspgkBaItai8ImBUiSUT1KlPCbawG2edz40ISgJ+G+Sl4m6ZNmL0//gqs4/7eUyLY0rSFeCnW9hKU/hr0r4wDJaKiI+hS68OTHeBBcGLCyFEPSCQXeqbnvqQBo=</CipherValue>
    </CipherData>
  </EncryptedKey>
          //save key XML information
          xmlKeyDoc.Save(keyFilename);

          //let the user know what happened
          Console.WriteLine(
              "Encrypted Session Key XML written to:\n\t" + keyFilename);

          return IV; //needed by receiver too
      }
The sender has placed an encrypted session key on file. It includes the name of the decryption key. The receiver can decrypt the session key but needs the IV to use it to decrypt the invoice.
      public void EncryptOriginalXmlDocument(
          String originalFilename,                //original XML document
          String rsaExcludePrivateParamsFilename, //receiver’s public key? not needed here
          String keyFilename,                     //encrypted symmetric key file name?? not needed here
          String encryptedFilename)               //document partially encrypted with session key
      {
Working code, but with some unnecessary parameters.
Load the document holding the sensitive tag. Find the tag using XPath, then get its bytes, including the tag itself.
          //load XML document to be encrypted
          XmlDocument xmlDoc = new XmlDocument();
          xmlDoc.PreserveWhitespace = true;
          xmlDoc.Load(originalFilename);

          //get creditinfo node plaintext bytes to encrypt
          XmlElement xmlCreditinfo =
              (XmlElement)xmlDoc.SelectSingleNode("invoice/creditinfo");
          byte[] creditinfoPlainbytes =
              Encoding.UTF8.GetBytes(xmlCreditinfo.OuterXml);
Getting ready for symmetric encryption…
          //create 3DES algorithm object for bulk encryption
          TripleDESCryptoServiceProvider tripleDES =
              new TripleDESCryptoServiceProvider();
Encrypt the sensitive tag with the session key, using the same Key/IV that were created in CreateAndEncryptXmlSessionKey. These variables are defined outside the methods.
          //establish crypto stream using 3DES algorithm
          MemoryStream ms = new MemoryStream();
          CryptoStream cs = new CryptoStream(
              ms, tripleDES.CreateEncryptor(Key, IV), CryptoStreamMode.Write);

          //write creditinfo plaintext to crypto stream
          cs.Write(creditinfoPlainbytes, 0, creditinfoPlainbytes.Length);
          cs.Close();
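The hand-built code of the slides, and the Hybrid Encryption and .Net Crypto API Example slides that describe the flow it implements, leave two things to the programmer: the IV is returned from CreateAndEncryptXmlSessionKey and has to reach the receiver out of band, and EncryptedKey and EncryptedData are assembled one element at a time. The W3C format instead carries the IV as the first block of CipherValue, and the System.Security.Cryptography.Xml namespace the slides already import contains an EncryptedXml class that produces exactly that layout. The program below is an added example, not the code of Thorsteinson and Ganesh, that performs the same sender/receiver flow on the same invoice with that class. It assumes a reference to System.Security.Cryptography.Xml (a NuGet package on modern .NET, in the box on .NET Framework) and uses the constructed key name receiver-rsa-key. Two algorithm choices differ from the slides on purpose: AES-256 replaces 3DES, and RSA-OAEP replaces rsa-1_5, because the PKCS#1 v1.5 key transport the slides use is the padding for which chosen-ciphertext (Bleichenbacher-style) attacks are known and OAEP is the replacement later revisions of the spec prefer. CBC encryption without an integrity check is also known to be attackable in XML Encryption, so a deployed message should additionally be signed with XML Signature, the companion standard named on the KeyInfo slide.

```csharp
// Added example (not from the slides or from Thorsteinson and Ganesh): the same
// hybrid flow with EncryptedXml, so that the IV, the wrapped session key and the
// KeyInfo come out in the standard XML Encryption layout.
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;
using System.Xml;

static class InvoiceEncryption
{
    // Constructed name under which the receiver registers its RSA key; it travels in
    // the message as the KeyName inside the EncryptedKey, like "My Private Key" in the slides.
    const string ReceiverKeyName = "receiver-rsa-key";

    // The same invoice as the slides; <creditinfo> is the sensitive part.
    const string Invoice =
        "<invoice><items><item><desc>Deluxe corncob pipe</desc>" +
        "<unitprice>14.95</unitprice><quantity>1</quantity></item></items>" +
        "<creditinfo><cardnumber>0123456789</cardnumber>" +
        "<expiration>01/06/2005</expiration><lastname>Finn</lastname>" +
        "<firstname>Huckleberry</firstname></creditinfo></invoice>";

    // Sender side: needs only the receiver's public RSA parameters.
    static XmlDocument Encrypt(RSA receiverPublic)
    {
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml(Invoice);
        var creditinfo = (XmlElement)doc.SelectSingleNode("invoice/creditinfo");

        using (Aes aes = Aes.Create())   // fresh 256-bit session key and random IV
        {
            aes.KeySize = 256;
            var exml = new EncryptedXml();

            // Bulk-encrypt the whole element (content: false). EncryptData prepends
            // the IV to the cipher text, so nothing has to be returned out of band.
            byte[] cipher = exml.EncryptData(creditinfo, aes, false);

            // Wrap the session key for the receiver with RSA-OAEP (useOAEP: true).
            var wrappedKey = new EncryptedKey
            {
                CipherData = new CipherData(EncryptedXml.EncryptKey(aes.Key, receiverPublic, true)),
                EncryptionMethod = new EncryptionMethod(EncryptedXml.XmlEncRSAOAEPUrl)
            };
            wrappedKey.KeyInfo.AddClause(new KeyInfoName(ReceiverKeyName));

            // EncryptedData carries the wrapped key inside its own KeyInfo, so the
            // receiver gets one message instead of a separate SessionKeyExchange.xml.
            var encryptedData = new EncryptedData
            {
                Type = EncryptedXml.XmlEncElementUrl,
                EncryptionMethod = new EncryptionMethod(EncryptedXml.XmlEncAES256Url),
                CipherData = new CipherData(cipher)
            };
            encryptedData.KeyInfo.AddClause(new KeyInfoEncryptedKey(wrappedKey));

            // Replace <creditinfo> in place with <EncryptedData>.
            EncryptedXml.ReplaceElement(creditinfo, encryptedData, false);
        }
        return doc;
    }

    // Receiver side: the private RSA key unwraps the session key, which then
    // decrypts the element and restores <creditinfo>.
    static void Decrypt(XmlDocument doc, RSA receiverPrivate)
    {
        var exml = new EncryptedXml(doc);
        exml.AddKeyNameMapping(ReceiverKeyName, receiverPrivate);
        exml.DecryptDocument();
    }

    static void Main()
    {
        using (RSA receiver = RSA.Create(2048))
        using (RSA senderView = RSA.Create())
        {
            // The sender holds only the public parameters, as with RsaExcludePrivateParams.xml.
            senderView.ImportParameters(receiver.ExportParameters(false));

            XmlDocument message = Encrypt(senderView);
            Console.WriteLine(message.OuterXml);
            bool hidden = message.SelectSingleNode("invoice/creditinfo") == null;

            Decrypt(message, receiver);
            bool restored = message.SelectSingleNode("invoice/creditinfo/cardnumber") != null;
            Console.WriteLine(hidden && restored ? "round trip ok" : "round trip failed");
        }
    }
}
```

The printed message has the shape of the slides' Encrypted Invoice, except that the EncryptedData's KeyInfo holds the EncryptedKey directly and the IV is inside CipherValue. DecryptDocument resolves the KeyName through the mapping table, unwraps the session key with the matching padding named in the EncryptedKey's EncryptionMethod, and replaces the EncryptedData element with the recovered plaintext.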