WEB SECURITY USING XML ENCRYPTION

1
WEB SECURITY USING XML ENCRYPTION
Based on the Apache XML Security Project.
By Ajeya Krishnamurthy
2
Presentation Overview

• Introduction
• XML Signature
• XML Encryption and Decryption
• The JCE ( Java Cryptography Extensions )
• Code Overview
• Future work

3
Introduction
The XML Signature technology was developed by the
XML-DSig Charter an IETF/W3C charter in
response to the June 16 2000 e-sign act, which
made digital signatures legally binding.
XML Signatures allow you to sign only specified
sections of a document. This contrasts to non-XML
Signatures that require you to sign all of a
document.
XML Signatures are not limited to XML documents
and can be applied to all types of electronic
data, for example, HTML and GIF files.
4
Introduction

• Basics of cryptography
• Confidentiality - Protecting data from prying
  eyes while in transit over an insecure
  communications channel like the Internet
• Integrity - Provides communicating parties with
  the assurance that a message was not modified
  while in transit
• Non-repudiation - The recipient should be able
  to prove that a message actually originated with
  the purported sender and is not a forgery

5
Canonical XML
Different XML applications may represent XML
differently. The digest calculation is sensitive
to changes in the physical representation of the
XML.
Canonical XML normalizes the physical
representation of XML, creating a standard for
signature processing. Before the signature digest
is created for a document, it is transformed to
canonical XML. Then, when the received document
is checked for data integrity, it is transformed
to canonical XML before a digest is created for
it.
6
XML Signature

• XML Signatures are human readable and platform
  independent
• Unlike non-XML digital signatures, XML
  Signatures include processing information ( ex
  Algorithm used to generate the signature )
• XML allows signing only portions of the
  document. Advantages?

7
XML Signature Types
Enveloped - The XML Signature is included in the
XML document. It is contained within a child
element of the XML document Enveloping - The XML
document is included in the XML Signature. It is
contained within a a child element of the XML
Signature Detached - The XML Signature is
included in a separate document from the signed
document. The location of the signed document is
referenced in the XML Signature. This type of
signature is used for non-XML documents
8
XML Signature structure
9
XML Signature structure
ltSignature IDgtltSignedInfogtltCanonicalizationMetho
d/gtltSignatureMethod/gt(ltReference
URIgtltDigestMethodgtltDigestValuegtlt/Referencegt)lt/
SignedInfogtltSignatureValuegt(ltKeyInfogt)lt/Signatu
regt
10
XML Encryption

• Enables encryption of specified portions of a
  document, leaving the rest of the document in its
  original form
• Does not support the encryption of attributes
• Both symmetric and asymmetric encryption can be
  used

The ability to encrypt partial documents is
unique to XML encryption.
11
XML Encryption Interoperability
XML encryption is interoperable with XML
Signature. However, if you want to encrypt and
sign a document, you must always encrypt the
document before you sign it. This is because the
digest, generated for the digital signature, may
give clues about the unencrypted content of a
document.
12
XML Encryption structure
ltencEncryptedData Id"" Type""gtltencEncryptionM
ethod/gtltencKeyInfogtltencEncryptedKey/gtltencKey
RetrievalMethod/gtlt/encKeyInfogtltencCipherData
URI""gtiamscrambled lt/encCipherDatagt
lt/encEncryptedDatagt
13
The Java Cryptography Extension
The JCE and the JCA are APIs provided by Java for
cryptography. Tutorials are available at
http//java.sun.com/j2se/1.4.2/docs/guide/security
/jce/JCERefGuide.html
14
Code Overview
Class XMLSignatureFactory -- Main class used to
create all elements required for a signature

• XMLSignatureFactory.
• XMLSignatureFactory is a standard Factory
• Singleton. The main purpose is to create all
• elements of a XMLSignature
• It can be instantiated by
• - XMLSignatureFactory.getInstance()
• - XMLSignatureFactory.getInstance(DOM,
• new ltplaceholder_providergt())
• - XMLSignatureFactory.getInstance(DOM,
• ltplaceholder_providergt)

15
Code Overview
Class XMLSignature

• Main class for interaction
• Creating
• XMLSignatureFactory.newInstance()
• XMLSignatureFactory.
• unmarshalXMLSignature()
• Important methods
• sign(XMLSignContext signContext)
• validate(XMLValidateContext
• validateContext)

16
Code Overview Creating the signature
This creates a new XMLSignatureFactory instance
XMLSignatureFactory fac XMLSignatureFactory.getI
nstance()
And this creates a reference to be signed. The
reference contains a URI pointing to the data
that we wish to sign.
Reference ref fac.newReference(http//xml.apach
e.org/", fac.newDigestMethod(DigestMethod.SHA1,
null))
17
Code Overview
Code Overview Creating the signature
This creates the SignedInfo object we need
SignedInfo si fac.newSignedInfo( fac.newCanonica
lizationMethod ( CanonicalizationMethod.INCLUSIVE_
WITH_COMMENTS, null), fac.newSignatureMethod(Signa
tureMethod.DSA_SHA1, null), Collections.singletonL
ist(ref))
And this creates a new Signature object.
XMLSignature signature fac.newXMLSignature(si,
null)
18
Code Overview
Code Overview Creating the signature
Now we generate the key pair using the JCA.
KeyPair kp
And then we create the document object and sign it
Document doc dbf.newDocumentBuilder().newDocumen
t() DOMSignContext signContext
new DOMSignContext(kp.getPrivate(), doc) //Sign
the URL. The XML-Signature structure
is //appended to the document signature.sign(signC
ontext)
19
Code Overview Verifying the signature
1 Create a XMLSignature from XML 2 Setup a
KeySelector 3 Create a XMLValidateContext 4
Validate the Signature
20
Code Overview Verifying the signature
// Parse the document Document doc
dbf.newDocumentBuilder().parse(new FileInputStream
(args0)) // Find Signature element. This only
checks for a // Signature root element. Node
signatureNode doc.getElementsByTagNameNS(XMLSign
ature.XMLNS, "Signature").item(0) // Create a
XMLSignatureFactory XMLSignatureFactory fac
XMLSignatureFactory.getInstance()
21
Code Overview Verifying the signature
// Create a KeySelector KeySelector ks
KeySelector.singletonKeySelector(key) //
Create a XMLValidateContext DOMValidateContext
valContext new DOMValidateContext(ks,
signatureNode) // Unmarshal the
XMLSignature XMLSignature signature
fac.unmarshalXMLSignature(valContext) //
Validate the XMLSignature (generated
above) boolean coreValidity signature.validate(v
alContext)
22
Code Overview Encryption

• Designed to have fewest possible dependencies
• Dependencies
• Xalan
• Xerces
• Commons Logging
• Cryptographic service provider

23
Code Overview Encryption
Steps to encrypt data
1 Specify key algorithm 2 Initialize
KeyCipher 3 Generate encryption key 4
Specify encryption algorithm 5 Initialize
XMLCipher 6 Encrypt
24
Code Overview Encryption
1 Specify key algorithm 2 Initialize KeyCipher
// get algorithm String algo XMLCipher.TRIPPELDE
S_KeyWrap // construct XMLCipher XMLCipher c
XMLCipher.getInstance(algo)
25
Code Overview Encryption
3 Generate encryption key 4 Specify
encryption algorithm
KeyGenerator kg KeyGenerator.getInstance(DESede
) SecretKey sk kg.generateKey() byte kb
sk.getEncoded()
XMLCipher keyCipher XMLCipher.getInstance(algo)
Key symmKey //as in generate key encryption
key keyCipher.init(XMLCipher.WRAP_MODE,
symmKey) EncryptedKey encryptedKey
keyCipher.encryptKey(document, symmKey)
26
Code Overview Encryption
5 Initialize XMLCipher
XMLCipher xmlCipher XMLCipher.getInstance(XMLCip
her.AES_128) xmlCipher.init(XMLCipher.ENCRYPT_MODE
, symmKey)
Prepare for encryption
EncryptedData d xmlCipher.getEncryptedData() Ke
yInfo keyInfo new KeyInfo(document) keyInfo.add
(encryptedKey) d.setKeyInfo(keyInfo)
27
Code Overview Encryption
6 Encrypt
xmlCipher.doFinal(document, rootElement, true)
28
Code Overview Decryption
Steps involved in Decryption
1 Get the element that need to be decrypted 2
Get the key 3 Decrypt
29
Code Overview Decryption
Prepare for encryption
// Get the element that need to
be decrypted Element e (Element) document.getEle
mentsByTagNameNS(Encrypti onSpecNS,
ENCRYPTEDDATA).item(0) // Get the key Key kek
loadKeyEncryptionKey()
30
Code Overview Decryption
Now perform Decryption
XMLCipher xmlCipher XMLCipher.getInstance() xml
Cipher.init(XMLCipher.DECRYPT_MODE,
null) xmlCipher.setKEK(kek) xmlCipher.doFinal(do
cument, encryptedDataElement)
31
Future Work
The Apache foundation will focus next on the XKMS
for this project. Currently, the Java API is
complete and robust. The C library is still
evolving.