Protocols, Part II
Brian A. LaMacchia, [email protected]
Portions © 2002-2006, Brian A. LaMacchia. This material is provided without warranty of any kind including, without limitation, warranty of non-infringement or suitability for any purpose. This material is not guaranteed to be error free and is intended for instructional use only.
January 31, 2006, Practical Aspects of Modern Cryptography

Agenda
- Finish up session-based protocols: IPSEC Key Management
- Message-based protocols: S/MIME; XMLDSIG, XMLENC & WS-Security
IPSEC Key Management

IPSEC Key Management
IPSEC Key Management is all about establishing and maintaining Security Associations (SAs) between pairs of communicating hosts.

Security Associations (SA)
- New concept for IP communication
- An SA is not a "connection", but very similar
- Establishes trust between computers
- If securing with IPSEC, you need an SA
- The IKE protocol negotiates security parameters according to policy
- Manages cryptographic keys and their lifetime
- Enforces trust by mutual authentication
General idea of IKEv2
It's just Diffie-Hellman Key Exchange!
Alice -> Bob: g^A mod p, nonceA
Bob -> Alice: g^B mod p, nonceB
Alice -> Bob: {"Alice", proof I'm Alice}, encrypted under a key derived from g^AB mod p
Bob -> Alice: {"Bob", proof I'm Bob}, encrypted under the same key
Internet Key Exchange (IKE)
- Resynchronize two ends of an IPsec SA
- Choose cryptographic keys
- Reset sequence numbers to zero
- Authenticate endpoints
- Simple, right? The design evolved into something very complex
IKE Contenders
- Photuris: signed Diffie-Hellman, stateless cookies, optional hiding of endpoint IDs
- SKIP: Diffie-Hellman public keys, so if you know someone's public key g^B, you automatically know a shared secret g^AB. Each message starts with a per-message key S encrypted with g^AB
- And the winner was...
ISAKMP
- Internet Security Association and Key Management Protocol
- Gift to the IETF from NSA
- A "framework", not a protocol. Complex encodings. Flexible yet constraining.
- Two "phases". Phase 1 is expensive; it establishes a session key with which to negotiate multiple phase 2 sessions
Internet Key Exchange (IKE)
Phase I
- Establish a secure channel (ISAKMP SA)
- Authenticate computer identity
Phase II
- Establishes a secure channel between computers intended for the transmission of data (IPSEC SA)
Internet Key Exchange (IKE)
- The IKEv1 authors tried to fit academic papers (SKEME, OAKLEY) into ISAKMP
- Mostly a rewriting of ISAKMP, but not self-contained: it uses ISAKMP
- Since both were so badly written, neither had gotten thorough review
- Really 3+ specs (ISAKMP, IKE, DOI), plus a few more (NAT traversal, etc.)
Imagine 150 pages of this!
"While Oakley defines 'modes', ISAKMP defines 'phases'. The relationship between the two is very straightforward and IKE presents different exchanges as modes which operate in one of two phases." (RFC 2409)
IKE
- Two phases, like ISAKMP
- Phase 1 is 8 protocols! (two modes times four authentication methods: preshared key, signatures, public-key encryption, and revised public-key encryption)
- Two "modes": aggressive (3 messages) and main (6 messages)
- Main does more, like hiding endpoint identifiers
- Phase 2 is known as "quick mode"
- So 9 protocols (8 for phase 1, plus phase 2)
General Idea of Aggressive Mode
Alice -> Bob: I'm Alice, g^A mod p, nonceA
Bob -> Alice: I'm Bob, g^B mod p, proof I'm Bob, nonceB
Alice -> Bob: proof I'm Alice
General Idea of Main Mode
Alice -> Bob: crypto suites I support
Bob -> Alice: crypto suites I choose
Alice -> Bob: g^A mod p, nonceA
Bob -> Alice: g^B mod p, nonceB
Alice -> Bob: {"Alice", proof I'm Alice}  (encrypted; how the key is derived is variant-dependent)
Bob -> Alice: {"Bob", proof I'm Bob}
Main Mode, Preshared key S
Alice -> Bob: crypto suites I support
Bob -> Alice: crypto suites I choose
Alice -> Bob: g^A mod p, nonceA
Bob -> Alice: g^B mod p, nonceB
Alice -> Bob: {"Alice", proof I'm Alice}  encrypted under f(S, g^AB)
Bob -> Alice: {"Bob", proof I'm Bob}  encrypted under f(S, g^AB)
General idea of Quick Mode
Alice -> Bob: IKE-SA, Y, Ni, traffic, SPI_A, [g^A mod p]
Bob -> Alice: IKE-SA, Y, Nr, traffic, SPI_B, [g^B mod p]
Alice -> Bob: IKE-SA, Y, ack
New key is PRF(current key, g^AB | Ni | Nr)
The bracketed Diffie-Hellman values are optional: they are sent only when perfect forward secrecy is wanted for the new SA; without them the new key depends only on the current key and the two nonces.
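The IKEv2 sketch, the main-mode-preshared-key variant (key f(S, g^AB)) and the quick mode rekey formula above, played end to end in Go. This is an added example and not code from the slides. It assumes HMAC-SHA256 as the negotiated PRF, RFC 2409 group 2 (1024-bit MODP, generator 2) as the Diffie-Hellman group, that both nonces are mixed into the key, and that "proof I'm Alice" is a MAC under the shared key over the claimed identity and the public values exchanged so far.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"math/big"
)

// RFC 2409 group 2 (1024-bit MODP, generator 2), chosen so the demo runs fast;
// real deployments should use RFC 3526 group 14 (2048-bit) or larger.
var dhP, _ = new(big.Int).SetString(
	"FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"+
		"020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"+
		"4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"+
		"EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
var dhG = big.NewInt(2)

// prf stands in for the negotiated pseudo-random function (HMAC-SHA256 is an assumption).
func prf(key []byte, parts ...[]byte) []byte {
	m := hmac.New(sha256.New, key)
	for _, p := range parts {
		m.Write(p)
	}
	return m.Sum(nil)
}

// Party is one endpoint: its preshared secret S, ephemeral DH exponent, public value and nonce.
type Party struct {
	Name  string
	psk   []byte
	x     *big.Int
	Pub   *big.Int // g^x mod p
	Nonce []byte
}

func NewParty(name string, psk []byte) (*Party, error) {
	x, err := rand.Int(rand.Reader, dhP)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &Party{Name: name, psk: psk, x: x, Pub: new(big.Int).Exp(dhG, x, dhP), Nonce: nonce}, nil
}

// SharedKey is f(S, g^AB): the DH result mixed with the preshared secret and both nonces,
// so an attacker who does not know S cannot derive the key even after substituting its
// own g^M in the unauthenticated first two messages.
func (p *Party) SharedKey(peerPub *big.Int, nonceI, nonceR []byte) []byte {
	gab := new(big.Int).Exp(peerPub, p.x, dhP)
	return prf(p.psk, gab.Bytes(), nonceI, nonceR)
}

// Proof is "proof I'm <name>": a MAC under the shared key over the identity and the
// transcript of public values, binding the authentication to this particular run.
func Proof(key []byte, name string, pubI, pubR *big.Int, nonceI, nonceR []byte) []byte {
	return prf(key, []byte(name), pubI.Bytes(), pubR.Bytes(), nonceI, nonceR)
}

// RunExchange plays the four messages (initiator Alice, responder Bob) and reports the
// key each side derived and whether each side accepted the other's proof.
func RunExchange(alice, bob *Party) (keyA, keyB []byte, aliceOK, bobOK bool) {
	// 1: Alice -> Bob: g^A mod p, nonceA     2: Bob -> Alice: g^B mod p, nonceB
	keyA = alice.SharedKey(bob.Pub, alice.Nonce, bob.Nonce)
	keyB = bob.SharedKey(alice.Pub, alice.Nonce, bob.Nonce)
	// 3: Alice -> Bob: {"Alice", proof I'm Alice}; Bob recomputes the proof under his key
	proofA := Proof(keyA, alice.Name, alice.Pub, bob.Pub, alice.Nonce, bob.Nonce)
	bobOK = hmac.Equal(proofA, Proof(keyB, alice.Name, alice.Pub, bob.Pub, alice.Nonce, bob.Nonce))
	// 4: Bob -> Alice: {"Bob", proof I'm Bob}; Alice checks it the same way
	proofB := Proof(keyB, bob.Name, alice.Pub, bob.Pub, alice.Nonce, bob.Nonce)
	aliceOK = hmac.Equal(proofB, Proof(keyA, bob.Name, alice.Pub, bob.Pub, alice.Nonce, bob.Nonce))
	return
}

// QuickModeRekey derives a Phase 2 key: PRF(current key, g^AB | Ni | Nr).
// gab is nil when the optional DH exchange in quick mode was skipped.
func QuickModeRekey(current []byte, gab *big.Int, ni, nr []byte) []byte {
	var gabBytes []byte
	if gab != nil {
		gabBytes = gab.Bytes()
	}
	return prf(current, gabBytes, ni, nr)
}

func main() {
	psk := []byte("shared secret S") // constructed sample preshared key
	alice, _ := NewParty("Alice", psk)
	bob, _ := NewParty("Bob", psk)
	keyA, keyB, aliceOK, bobOK := RunExchange(alice, bob)
	fmt.Println("keys match:", hmac.Equal(keyA, keyB), "Alice accepts Bob:", aliceOK, "Bob accepts Alice:", bobOK)
	fmt.Println("quick mode key:", hex.EncodeToString(QuickModeRekey(keyA, nil, alice.Nonce, bob.Nonce)))
}
```

A peer holding the wrong preshared secret derives a different f(S, g^AB) and so cannot produce a proof the other side accepts, which is what turns plain Diffie-Hellman into an authenticated exchange; real IKE derives several keys (SKEYID and friends) from this material rather than using one key for both proofs and traffic, and the code above simplifies that.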
IPSEC Bundling/Wrapping
- Multiple IPSEC transforms may be wrapped successively around a single IP datagram
- Example: IPSEC transport sent over an IPSEC tunnel
Sending in Transport Mode
Stack: Application -> Transport -> IPSec -> IP -> Physical (IPSec sits between the transport and IP layers)
Packet on the wire: [IP] [IPSec] [TCP] [Application Data]

Sending in Tunnel Mode
Original datagram: [Inner IP] [TCP] [Application Data]
After wrapping: [Outer IP] [IPSec] [Inner IP] [TCP] [Application Data]
The whole inner datagram, its IP header included, becomes the protected payload of a new datagram addressed to the tunnel endpoint.

Receiving in Tunnel Mode
[Outer IP] [IPSec] [Inner IP] [TCP] [Application Data] -> outer IP and IPSec headers removed and checked -> [Inner IP] [TCP] [Application Data] -> delivered up the stack as an ordinary datagram

Receiving in Transport Mode
[IP] [IPSec] [TCP] [Application Data] -> IP -> IPSec (verify, decrypt, strip) -> Transport -> Application
What is Network Address Translation (NAT)?
Network Address Translation (NAT)
- Dynamically modifies the source address
- Dynamically recomputes interior UDP/TCP checksums
Port Address Translation (PAT)
- Dynamically modifies the TCP/UDP source address and port
- Dynamically recomputes interior UDP/TCP checksums
NATs Rewrite Address/Port Pairs (figure)
- A packet leaves the host's TCP/IP stack with S=10.0.0.2, D=131.107.1.7
- A kernel-mode firewall hook (the SNAT intercept) consults the translation table, which maps (10.0.0.2, 1185, 23) and (10.0.0.3, 1185, 23) to the external address 172.31.249.14
- The packet is forwarded with S=172.31.249.14, D=131.107.1.7; replies are mapped back through the same table
IPSEC AH and NAT
- A change in address or port will cause the message integrity check to fail
- The packet will be rejected by the destination's IPSEC
- AH cannot be used with NAT or PAT devices
[Orig IP Hdr] [AH Hdr] [TCP Hdr] [Data]
Message Integrity Check coverage: the entire packet, including the IP addresses, except for the mutable IP header fields
IPSEC ESP and NAT
- The IP header can be changed in special cases only
- It works only if the endpoints' TCP/UDP ignores the pseudo header used in the checksum calculation, because the NAT cannot recompute a checksum that sits inside the encrypted payload
- Port information is encrypted, so a PAT device can neither see nor rewrite it
- The ESP header can't be changed because of the integrity hash coverage
[Orig IP Hdr] [ESP Hdr] [TCP Hdr] [Data] [ESP Trailer] [ESP Auth]
Encrypted: TCP Hdr through ESP Trailer
Integrity hash coverage: ESP Hdr through ESP Trailer (the outer IP header is not covered)
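The NAT rewrite and the two integrity-coverage pictures above, made concrete in Go. This is an added example, not code from the slides. It builds a minimal IPv4/TCP packet, applies a source NAT that recomputes the checksums it can reach, and compares an AH-style integrity check (HMAC over the IP header with mutable fields zeroed plus everything after it) with an ESP-style one (HMAC starting after the IP header). The AH and ESP headers themselves are omitted and HMAC-SHA256 is assumed as the integrity algorithm; the addresses and ports are the ones on the NAT slide.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// internetChecksum is the one's-complement sum of RFC 1071; a header whose checksum
// field is already correct sums to zero.
func internetChecksum(b []byte) uint16 {
	var sum uint32
	for i := 0; i+1 < len(b); i += 2 {
		sum += uint32(binary.BigEndian.Uint16(b[i:]))
	}
	if len(b)%2 == 1 {
		sum += uint32(b[len(b)-1]) << 8
	}
	for sum>>16 != 0 {
		sum = sum&0xFFFF + sum>>16
	}
	return ^uint16(sum)
}

// tcpChecksum covers the pseudo header (addresses, protocol, length) plus the segment,
// which is why a NAT that rewrites an address must also recompute the transport checksum.
func tcpChecksum(src, dst, seg []byte) uint16 {
	pseudo := make([]byte, 12, 12+len(seg))
	copy(pseudo[0:4], src)
	copy(pseudo[4:8], dst)
	pseudo[9] = 6 // protocol number for TCP
	binary.BigEndian.PutUint16(pseudo[10:], uint16(len(seg)))
	return internetChecksum(append(pseudo, seg...))
}

// fixChecksums recomputes the IP header checksum and, when the transport header is
// visible to the device (i.e. not inside ESP), the TCP checksum as well.
func fixChecksums(pkt []byte, tcpVisible bool) {
	ip := pkt[:20]
	ip[10], ip[11] = 0, 0
	binary.BigEndian.PutUint16(ip[10:], internetChecksum(ip))
	if tcpVisible {
		tcp := pkt[20:]
		tcp[16], tcp[17] = 0, 0
		binary.BigEndian.PutUint16(tcp[16:], tcpChecksum(ip[12:16], ip[16:20], tcp))
	}
}

// BuildPacket assembles a minimal IPv4 header (20 bytes), TCP header (20 bytes) and payload.
func BuildPacket(src, dst [4]byte, sport, dport uint16, payload []byte) []byte {
	pkt := make([]byte, 40+len(payload))
	ip, tcp := pkt[:20], pkt[20:]
	ip[0] = 0x45 // version 4, header length 5 words
	binary.BigEndian.PutUint16(ip[2:], uint16(len(pkt)))
	ip[8] = 64 // TTL: changes in transit, so it is a mutable field for AH
	ip[9] = 6
	copy(ip[12:16], src[:])
	copy(ip[16:20], dst[:])
	binary.BigEndian.PutUint16(tcp[0:], sport)
	binary.BigEndian.PutUint16(tcp[2:], dport)
	tcp[12] = 0x50 // data offset 5 words
	copy(tcp[20:], payload)
	fixChecksums(pkt, true)
	return pkt
}

func VerifyIPChecksum(pkt []byte) bool { return internetChecksum(pkt[:20]) == 0 }

func VerifyTCPChecksum(pkt []byte) bool {
	return tcpChecksum(pkt[12:16], pkt[16:20], pkt[20:]) == 0
}

// NATRewrite is a source NAT/PAT: it substitutes the external address (and, when it can
// see the transport header, a new source port) and recomputes the checksums it can reach.
func NATRewrite(pkt []byte, newSrc [4]byte, newSport uint16, tcpVisible bool) []byte {
	out := append([]byte(nil), pkt...)
	copy(out[12:16], newSrc[:])
	if tcpVisible {
		binary.BigEndian.PutUint16(out[20:], newSport)
	}
	fixChecksums(out, tcpVisible)
	return out
}

// AHICV models the AH integrity check: HMAC over the IP header with the mutable fields
// zeroed (ToS, flags/fragment offset, TTL, header checksum) plus everything after it.
func AHICV(key, pkt []byte) []byte {
	cov := append([]byte(nil), pkt...)
	cov[1], cov[6], cov[7], cov[8], cov[10], cov[11] = 0, 0, 0, 0, 0, 0
	m := hmac.New(sha256.New, key)
	m.Write(cov)
	return m.Sum(nil)
}

// ESPICV models the ESP integrity check, which starts after the outer IP header.
func ESPICV(key, pkt []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(pkt[20:])
	return m.Sum(nil)
}

func main() {
	key := []byte("sa-integrity-key") // constructed sample SA key
	pkt := BuildPacket([4]byte{10, 0, 0, 2}, [4]byte{131, 107, 1, 7}, 1185, 23, []byte("hello"))
	ah, esp := AHICV(key, pkt), ESPICV(key, pkt)
	plain := NATRewrite(pkt, [4]byte{172, 31, 249, 14}, 1185, true)
	opaque := NATRewrite(pkt, [4]byte{172, 31, 249, 14}, 0, false) // ESP: port not visible
	fmt.Println("AH ICV survives NAT:", hmac.Equal(AHICV(key, plain), ah))
	fmt.Println("ESP ICV survives NAT:", hmac.Equal(ESPICV(key, opaque), esp), "inner TCP checksum still valid:", VerifyTCPChecksum(opaque))
}
```

The run shows the two failure modes the slides describe: the AH check breaks as soon as the source address changes, and while the ESP check survives an outer-address rewrite, the TCP checksum inside the encrypted payload no longer matches the new pseudo header, which is why NAT traversal for ESP needs either checksum-tolerant endpoints or UDP encapsulation.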
Message-based Protocols

Message-Based Protocols
- "Session" vs. "Message"
- Synchronous vs. Asynchronous
- In message-based protocols, we cannot assume we have the luxury of being able to negotiate ciphersuites, parameter values, etc.
- In the common scenario, each message is a "fire-and-forget" communication
- Each message has to contain enough information to allow the recipient to decrypt it.
Message-Based Protocols
- There are lots of message-based protocols; examples: RPC, routing table updates
- The most common scenario to date, though, is e-mail
  - Digitally signed for sender authentication and integrity protection
  - Encrypted for confidentiality
S/MIME

Secure MIME: What is S/MIME?
- Secure Multipurpose Internet Mail Extensions
- Initially designed by an RSA-led vendor consortium in 1995
- S/MIME messaging and S/MIME certificate handling are Internet RFCs
- Widely supported format for secure e-mail messages
- Uses X.509v3 certificates
Scenario Assumptions
- Each participant has two public-private key pairs: one for signing messages and one for receiving encrypted messages from others
  - "Separation of duty": separate keys (with separate controls) for separate uses
  - Encryption key archival/escrow/recovery
- For now, we assume key distribution isn't a problem for participants
  - If I want to send you a message, I can obtain a copy of your encryption public key that I trust.
  - If you want to verify a message I signed, you can obtain a copy of my public signing key that you trust.
Encrypting Messages
- How do we want to encrypt messages?
- We have public keys for recipients, so we could repeatedly apply PK-encryption to portions of the message
  - Recall that we can only RSA-encrypt messages M with |M| ≤ |n|
  - Plus, public key encryption is relatively slow, so we'd like to use it efficiently
- Idea: use PK to convey a random symmetric "session" key to recipients
Encrypting Messages
- We use symmetric encryption with randomly-generated session keys to encrypt message bodies, since symmetric encryption is fast and messages may be arbitrarily large
- We use public-key encryption to encrypt the session keys to message recipients
- We send both the encrypted message and the encrypted session key as a unit to recipients...
Message Encryption (figure): Alice encrypts m under a random symmetric session key, encrypts that session key under the recipient's public encryption key, and sends the two parts together as the message.
Decrypting Messages
- Message decryption is just the reverse of encryption
- Recipients use their private encryption key to decrypt the session key for the message
- Recipients then use the session key to symmetrically decrypt the message body.
Message Decryption (figure): Bob decrypts the session key with his private encryption key, then uses it to decrypt the symmetric ciphertext and recover m.
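The encrypt/decrypt round trip of the last four slides in Go, including the case the "fire-and-forget" slide calls for: everything the recipient needs (nonce, wrapped key per recipient) travels inside the envelope. This is an added example, not code from the slides or from any S/MIME implementation; it uses RSA-OAEP for the key wrap and AES-256-GCM for the body, and the OAEP label and all names are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// oaepLabel is an arbitrary domain-separation label for the key wrap (an assumption).
var oaepLabel = []byte("session-key-wrap")

// Envelope is the unit sent to recipients: the body encrypted once under a random
// session key, plus that key wrapped to each recipient's encryption public key
// (the same shape as a CMS EnvelopedData with several RecipientInfos).
type Envelope struct {
	WrappedKeys map[string][]byte // recipient name -> RSA-OAEP(session key)
	Nonce       []byte
	Ciphertext  []byte // AES-256-GCM(body)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts body with a fresh 256-bit session key and wraps that key for every recipient.
func Seal(body []byte, recipients map[string]*rsa.PublicKey) (*Envelope, error) {
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	env := &Envelope{WrappedKeys: map[string][]byte{}, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, body, nil)}
	for name, pub := range recipients {
		wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, oaepLabel)
		if err != nil {
			return nil, err
		}
		env.WrappedKeys[name] = wrapped
	}
	return env, nil
}

// Open is the reverse: unwrap the session key with the recipient's private encryption
// key, then decrypt the body. GCM also rejects a ciphertext that was modified in transit.
func Open(env *Envelope, name string, priv *rsa.PrivateKey) ([]byte, error) {
	wrapped, ok := env.WrappedKeys[name]
	if !ok {
		return nil, errors.New("message was not encrypted to " + name)
	}
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, oaepLabel)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

func main() {
	bob, _ := rsa.GenerateKey(rand.Reader, 2048)
	carol, _ := rsa.GenerateKey(rand.Reader, 2048)
	recipients := map[string]*rsa.PublicKey{"bob": &bob.PublicKey, "carol": &carol.PublicKey}
	env, err := Seal([]byte("constructed sample body"), recipients)
	if err != nil {
		panic(err)
	}
	body, err := Open(env, "carol", carol)
	fmt.Printf("carol reads %q (err=%v); %d wrapped keys, %d ciphertext bytes\n", body, err, len(env.WrappedKeys), len(env.Ciphertext))
}
```

The body is encrypted exactly once however many recipients there are; only the 32-byte session key is public-key encrypted per recipient, which is the efficiency argument of the "Encrypting Messages" slides.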
Signing Messages
- How do we want to sign messages?
- Each user has a signing key pair, but again we can only sign values that are at most the same size as our signing public key modulus
  - So we can't sign the entire message directly, and repeated signing of parts of the message would open us up to attacks
- Idea: sign a hash of the message
Signing Messages
- To sign a message, we first choose a cryptographic hash function H() to use with our signature algorithm
  - Normally defined as part of a signing ciphersuite
- We apply the hash function H to the exact sequence of bytes that forms our message (usually including header info)
- We sign the hash value
- We append the signed hash value to the message.
Digital Signatures Provide Authentication and Integrity (figure): message m goes through the hash function to produce the hash value; Alice signs the hash value with her private signing key; the signed hash is appended to m to form the signed message.
Verifying Signatures
To verify a signed message, the recipient has to do three things:
1. Independently compute the hash value of the signed portion of the message
2. Verify that the signature on the message came from the sender (by applying the sender's public signing key); this yields the hash value signed by the sender
3. Compare the independently-computed hash value with the one the sender signed
If the hash values are equal, then the message has not been modified since it was signed.
Verifying Signatures (figure): Bob runs the received m through the same hash function to get a hash value, recovers the hash value the sender signed from the signature, and compares the two.
More Complex Signatures
- A single signer acknowledging understanding of or commitment to different concepts or agreements within one document
- Multiple signers signing unique content within the same document
- Multiple signers "co-signing" the same content within the same document
- Multiple signers, one signing content and the other "counter-signing" the prior signature
Co-Signing
Alice and Bob want to sign the same message "in parallel".
(figure) The to-be-signed message m is hashed once; Alice produces Signed Hash 1 and Bob produces Signed Hash 2 over that same hash value; the co-signed message carries m together with both signed hashes.
Counter-Signing
Alice and Bob want to sign the same message "in series" (Alice first, then Bob).
(figure) Alice hashes m and signs the hash value, giving the message signed by Alice; Bob then hashes Alice's signed hash and signs that hash value; the counter-signed message carries m, Alice's signed hash, and Bob's signed hash over Alice's signature.
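The signing, verifying, co-signing and counter-signing slides above in Go. This is an added example, not code from the slides: it signs a SHA-256 hash with RSA-PSS, keeps each signature in a SignerInfo-like record, and stores a countersignature as a signature over the prior signature value rather than over the content. The type and field names are assumptions that mirror the CMS layout, not a CMS encoder.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Signer is a participant's signing key pair, kept separate from the encryption pair.
type Signer struct {
	Name string
	Key  *rsa.PrivateKey
}

func NewSigner(name string) (*Signer, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Signer{Name: name, Key: key}, nil
}

// SignerInfo is one signature on the message (after CMS SignerInfo): who signed, the
// signature over the SHA-256 hash, and countersignatures, which sign this signature value.
type SignerInfo struct {
	Signer            string
	Signature         []byte
	Countersignatures []SignerInfo
}

// SignedMessage carries the content with its signer infos side by side.
type SignedMessage struct {
	Content     []byte
	SignerInfos []SignerInfo
}

// signHash hashes the data and signs only the digest (RSA-PSS), so the content no longer
// has to fit in the modulus and is never signed piecewise.
func (s *Signer) signHash(data []byte) ([]byte, error) {
	h := sha256.Sum256(data)
	return rsa.SignPSS(rand.Reader, s.Key, crypto.SHA256, h[:], nil)
}

// verifyHash is the recipient's side: recompute the hash independently, then check the
// signature under the sender's public key (VerifyPSS performs the hash comparison).
func verifyHash(pub *rsa.PublicKey, data, sig []byte) bool {
	h := sha256.Sum256(data)
	return rsa.VerifyPSS(pub, crypto.SHA256, h[:], sig, nil) == nil
}

// CoSign signs the content "in parallel": every co-signer's signature is independent.
func (m *SignedMessage) CoSign(s *Signer) error {
	sig, err := s.signHash(m.Content)
	if err != nil {
		return err
	}
	m.SignerInfos = append(m.SignerInfos, SignerInfo{Signer: s.Name, Signature: sig})
	return nil
}

// CounterSign signs "in series": the input is the prior signature value, not the content.
func (m *SignedMessage) CounterSign(s *Signer, priorIdx int) error {
	prior := &m.SignerInfos[priorIdx]
	sig, err := s.signHash(prior.Signature)
	if err != nil {
		return err
	}
	prior.Countersignatures = append(prior.Countersignatures, SignerInfo{Signer: s.Name, Signature: sig})
	return nil
}

// Verify checks every signature against the trusted public keys; a countersignature is
// verified over the signature bytes it covers.
func (m *SignedMessage) Verify(keys map[string]*rsa.PublicKey) bool {
	if len(m.SignerInfos) == 0 {
		return false
	}
	for _, si := range m.SignerInfos {
		if pub, ok := keys[si.Signer]; !ok || !verifyHash(pub, m.Content, si.Signature) {
			return false
		}
		for _, cs := range si.Countersignatures {
			if pub, ok := keys[cs.Signer]; !ok || !verifyHash(pub, si.Signature, cs.Signature) {
				return false
			}
		}
	}
	return true
}

func main() {
	alice, _ := NewSigner("Alice")
	bob, _ := NewSigner("Bob")
	keys := map[string]*rsa.PublicKey{"Alice": &alice.Key.PublicKey, "Bob": &bob.Key.PublicKey}
	msg := &SignedMessage{Content: []byte("constructed sample message")}
	msg.CoSign(alice)
	msg.CounterSign(bob, 0)
	fmt.Println("verifies:", msg.Verify(keys))
	msg.Content[0] ^= 1
	fmt.Println("after tampering:", msg.Verify(keys))
}
```

Changing a single byte of the content invalidates every co-signature, and changing a byte of Alice's signature invalidates both her signature and Bob's countersignature, which is the difference between "in parallel" and "in series" the two figures draw.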
PKCS #7/CMS Structure
CMS
- Version
- Digest Algorithm
- Content
- Certificates
- CRLs
- Signer Infos
  - Signer Info 1
  - Signer Info 2
  - Signer Info 3
Signer Info
- Version
- Serial Number
- Digest Algorithm
- Authenticated Attributes
- Unauthenticated Attributes (countersignatures go here)
- Digital Signature
Limitations of the CMS format
- The CMS standard only covers "wrapped" signatures: signatures where the signed content is enclosed by the signature object
- Signing assumes you start with a bytestream that is completely immutable
  - This is the safest assumption, but sometimes it's overly conservative
  - Example: CR-LF rewriting and tab/whitespace conversions for text.
Message security for XML objects: XMLDSIG, XMLENC & WS-Security

What is XML?
  <Address>
    <Street>1 Microsoft Way</Street>
    <City>Redmond</City>
    <State>WA</State>
    <ZipCode>98052</ZipCode>
  </Address>
What is XML?
- XML is a W3C standard for describing "markup languages"
- XML == "eXtensible Markup Language"
- Had its roots in SGML (of which HTML is an offshoot)
- Now, though, XML has really become a standard means of representing data structures in text.
- "XML provides a text-based means to describe and apply a tree-based structure to information." (Wikipedia)
Securing XML
- As XML's popularity grew, so did the need to secure XML objects (trees of XML elements)
- How should we sign & encrypt XML?
- One possibility: just treat an XML object as a byte sequence and use S/MIME
  - It's just a sequence of characters, so we can Unicode-encode that sequence, hash it, encrypt it and wrap it in S/MIME
Securing XML
Using S/MIME works, but it has some drawbacks:
1. The result of signing or encrypting an XML object is now some binary blob, not an XML object, so signing & encrypting this way doesn't "play nice" with the XML ecosystem
2. An XML object isn't a piece of text; that text is just a representation of the object. There are many equivalent representations of an XML object
3. There are semantically-neutral transforms allowed on XML representations that should not break signatures.
Signing & Encrypting XML
Thus, there was a need to develop a standard for signing & encrypting XML objects
- July 1999: work began on XMLDSIG, a standard for signing XML objects and representing signatures as XML
- Summer 2000: work began on XMLENC, a standard for encrypting data and representing the ciphertext and associated key information as XML
XMLDSIG

The XMLDSIG Standard
- XMLDSIG is an IETF/W3C joint standard for XML Digital Signatures
- Signatures are represented as XML objects
- Signed content may be XML documents, document fragments, or any binary stream
- Baseline standard for further security work on XML Web Services (WS-Security)
Major Requirements and Key Features of XMLDSIG
- XMLDSIG supports three methods of signing an XML element: Wrapped, Detached and Embedded
- XMLDSIG signatures can be over an entire XML document or a fragment (sub-part) of a document
- XMLDSIG has to support the fact that an XML object might have multiple representations: some modifications to the text must be allowed and not break the signature
- XMLDSIG has to support signatures over groups or collections of XML objects
Wrapped Signatures
- Wrapped signatures include the signed content within the XMLDSIG structure
- Similar in format to a CMS (S/MIME) message
- Useful if the amount of to-be-signed data is small
- Note: the signed content's schema is not preserved at top level
(figure) The XMLDSIG Signature element contains SignedInfo, which includes a pointer to the signed content, and the Signed Content itself.
Detached Signatures
- Detached signatures separate the signature from the signed content
- The signature travels in a separate XML document
- Useful when you want to sign non-XML data, e.g. an audio/visual data stream
(figure) The XMLDSIG Signature element contains SignedInfo with a pointer to the signed content, which lives in a separate resource.
January 31, 2006January 31, 2006 Practical Aspects of Modern CryptographyPractical Aspects of Modern Cryptography 5959
Embedded Signatures
New mechanism unique to XMLDSIG
Standard way to embed an XMLDSIG signature within another XML document
Signed document carries the signature inside itself
[Diagram: the Signed Content document carrying an XMLDSIG Signature element inside it; the signature's SignedInfo includes a pointer back to the signed content]
Signing Portions of Docs
A key feature of XMLDSIG is its ability to sign selected portions of documents
Instead of hashing the entire document, identify & hash only those sections requiring protection
"Transform processing model"
[Diagram: Input Content passes through Transform 1, Transform 2, ... Transform n to yield the To-be-signed Content]
Workflow Scenario
[Diagram: Alice and Bob share an on-line form F made up of Alice's part and Bob's part. Alice starts with a blank form, completes her part and adds Alice's sig, then sends F to Bob so Bob can complete his part. Bob completes his part, filling out the remainder of the form, and adds Bob's sig, so the finished form carries both parts and both signatures.]
Canonicalization (C14N)
XMLDSIG introduced the notion of a "canonical form" for an XML object
C14N is an algorithm that converts an XML text representation into its canonical form bytestream.
All semantically-equivalent representations of an XML object have the same canonical form bytestream
That's the ideal case; in practice, for various technical reasons, we don't quite get there
C14N and Signing
In XMLDSIG, we compute the digital signature over the hash of the canonical form of whatever we want to sign
[Diagram: Input Content -> 0-n Transforms -> To-be-signed Content -> C14N Bytestream -> Hash function -> Signature Algorithm -> Signature Value]
Structural Overview
Top-level element is always a <Signature>
<SignedInfo> and <SignatureValue> are required sub-elements
<KeyInfo> and <Object> are optional
[Diagram of the <Signature> element and its sub-elements:]
SignedInfo: identifies the signature algorithm, canonicalization method and the list of signed contents.
KeyInfo (optional): information related to the signing key
SignatureValue: the actual signature value, computed over the contents of the SignedInfo element
Object (optional): optional sub-element usually used to embed signed content within the signature
SignedInfo Details
The <SignedInfo> element contains a list of <Reference> elements
Each <Reference> element points to a piece of signed content
<SignedInfo> is a manifest listing all the contents signed by the signature
[Diagram of the <SignedInfo> element and its sub-elements:]
CanonicalizationMethod: identifies the canonicalization algorithm.
SignatureMethod: identifies the digital signature algorithm.
Reference (one or more): identifies specific content signed by the signature. Each Reference carries:
URI (pointer to content)
DigestMethod (hash algorithm for content)
DigestValue (content's hash value)
Transforms (optional): used to select a portion of the URI's content for signing
Sample Signature
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
  <SignedInfo>
    <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <Reference URI="http://www.farcaster.com/index.htm">
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
      <DigestValue>XoaHIm+jLKnPocR7FX0678DUOqs=</DigestValue>
    </Reference>
  </SignedInfo>
  <SignatureValue>
M5BhlrxPaOEYcCwSZ3WEDR6dfK5id/ef1JWK6OO5PEGHp9/JxrdA2xT5TYr5egArZGdVURpMVGUeViWoeHcGAyMNG9Cmc/I56sYd/TSV/MjLgb/mxq+6Fh/HWtVhjHIG+AdL4lA+ZxxEi147QVVzgCl4+dvIZaGo7oAFneDKv0I=
  </SignatureValue>
</Signature>
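The two-stage check that the C14N, SignedInfo and sample-signature slides describe (a digest per Reference inside the SignedInfo manifest, then one signature over the canonical SignedInfo), as an added Go example that is not part of the original slides: it builds a single-Reference SignedInfo in canonical form, signs it with rsa-sha1 as in the sample, and verifies both halves. Assumptions: the referenced content is handed in already as its C14N bytestream (no transforms or canonicalizer are implemented here), the key pair is freshly generated, and the quote element is constructed sample content.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Algorithm identifiers, taken from the sample signature above.
const (
	c14nAlg = "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"
	rsaSHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
	sha1Alg = "http://www.w3.org/2000/09/xmldsig#sha1"
)

func generateKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// digestValue computes a Reference's <DigestValue>: base64(SHA-1(content)). The content
// is assumed to be the C14N bytestream already; no transforms are applied here.
func digestValue(content []byte) string {
	sum := sha1.Sum(content)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// buildSignedInfo emits the <SignedInfo> manifest for one Reference, written directly in
// canonical form (fixed attribute order, no insignificant whitespace, empty elements as
// start/end tag pairs), so these are exactly the bytes that get hashed and signed.
func buildSignedInfo(uri, digest string) string {
	return fmt.Sprintf(`<SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#">`+
		`<CanonicalizationMethod Algorithm="%s"></CanonicalizationMethod>`+
		`<SignatureMethod Algorithm="%s"></SignatureMethod>`+
		`<Reference URI="%s"><DigestMethod Algorithm="%s"></DigestMethod>`+
		`<DigestValue>%s</DigestValue></Reference></SignedInfo>`,
		c14nAlg, rsaSHA1, uri, sha1Alg, digest)
}

// signSignedInfo produces <SignatureValue>: RSA PKCS#1 v1.5 over SHA-1 of the canonical
// SignedInfo bytes, which is what the rsa-sha1 SignatureMethod denotes.
func signSignedInfo(priv *rsa.PrivateKey, signedInfo string) (string, error) {
	h := sha1.Sum([]byte(signedInfo))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA1, h[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(sig), nil
}

// extractDigestValue pulls the <DigestValue> text out of a single-Reference SignedInfo.
func extractDigestValue(signedInfo string) (string, bool) {
	const start, end = "<DigestValue>", "</DigestValue>"
	i, j := strings.Index(signedInfo, start), strings.Index(signedInfo, end)
	if i < 0 || j < i {
		return "", false
	}
	return signedInfo[i+len(start) : j], true
}

// verifySignature performs both halves of XMLDSIG core validation:
//  1. reference validation: the content the URI resolves to must still hash to the
//     DigestValue recorded in the manifest;
//  2. signature validation: SignatureValue must verify over the canonical SignedInfo bytes.
// Step 2 alone proves only that the manifest is authentic; step 1 ties it to the content.
func verifySignature(pub *rsa.PublicKey, signedInfo, sigB64 string, content []byte) error {
	want, ok := extractDigestValue(signedInfo)
	if !ok {
		return errors.New("SignedInfo has no DigestValue")
	}
	if subtle.ConstantTimeCompare([]byte(want), []byte(digestValue(content))) != 1 {
		return errors.New("reference validation failed: content digest mismatch")
	}
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return err
	}
	h := sha1.Sum([]byte(signedInfo))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA1, h[:], sig); err != nil {
		return errors.New("signature validation failed: " + err.Error())
	}
	return nil
}

func main() {
	priv, _ := generateKey()
	content := []byte(`<Quote symbol="MSFT">27.50</Quote>`) // constructed stand-in for the referenced resource
	si := buildSignedInfo("http://www.farcaster.com/index.htm", digestValue(content))
	sig, _ := signSignedInfo(priv, si)
	fmt.Println("original:", verifySignature(&priv.PublicKey, si, sig, content))
	fmt.Println("altered: ", verifySignature(&priv.PublicKey, si, sig, []byte(`<Quote symbol="MSFT">27.51</Quote>`)))
}
```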
XMLENC
The XMLENC Standard
XMLENC is a W3C Standard defining how to encrypt data and represent the result in XML
The data may be arbitrary data (including an XML document), an XML element, or XML element content.
The result of encrypting data is an XML Encryption element which contains or references the cipher data.
Key Features of XMLENC
Wrapped or detached CipherData: encrypted data may be enclosed within the metadata describing how it was encrypted, or sent separately
EncryptedKey inside KeyInfo: bulk data encryption keys wrapped in recipient public keys can be sent along with the data (à la S/MIME)
Detached CipherData references use the same Transforms structure as XMLDSIG
Structural Overview
Top-level element is either <EncryptedData> or <EncryptedKey>
<EncryptedKey> has two additional properties over <EncryptedData>: its <CipherData> always contains key material, and an <EncryptedKey> may appear within an <EncryptedData>'s <KeyInfo> element.
[Diagram of the <EncryptedData> or <EncryptedKey> element and its sub-elements:]
EncryptionMethod (optional): optional element that describes the encryption algorithm used to protect the CipherData.
KeyInfo: information identifying the key used to encrypt the CipherData
CipherData: envelopes or references encrypted data
EncryptionProperties (optional): optional sub-element
XMLENC Example
<?xml version='1.0'?>
<PaymentInfo xmlns='http://example.org/paymentv2'>
  <Name>John Smith</Name>
  <CreditCard Limit='5,000' Currency='USD'>
    <Number>4019 2445 0277 5567</Number>
    <Issuer>Example Bank</Issuer>
    <Expiration>04/07</Expiration>
  </CreditCard>
</PaymentInfo>
Raw (unencrypted) XML: a simple payment structure with embedded credit card information
XMLENC Example (1)
<?xml version='1.0'?>
<PaymentInfo xmlns='http://example.org/paymentv2'>
  <Name>John Smith</Name>
  <EncryptedData Type='http://www.w3.org/2001/04/xmlenc#Element'
      xmlns='http://www.w3.org/2001/04/xmlenc#'>
    <CipherData>
      <CipherValue>A23B45C56</CipherValue>
    </CipherData>
  </EncryptedData>
</PaymentInfo>
Encrypting the entire <CreditCard> element, including its tag & attributes
XMLENC Example (2)
<?xml version='1.0'?>
<PaymentInfo xmlns='http://example.org/paymentv2'>
  <Name>John Smith</Name>
  <CreditCard Limit='5,000' Currency='USD'>
    <EncryptedData xmlns='http://www.w3.org/2001/04/xmlenc#'
        Type='http://www.w3.org/2001/04/xmlenc#Content'>
      <CipherData>
        <CipherValue>A23B45C56</CipherValue>
      </CipherData>
    </EncryptedData>
  </CreditCard>
</PaymentInfo>
Encrypting the contents of the <CreditCard> element
XMLENC Example (3)
<?xml version='1.0'?>
<PaymentInfo xmlns='http://example.org/paymentv2'>
  <Name>John Smith</Name>
  <CreditCard Limit='5,000' Currency='USD'>
    <Number>
      <EncryptedData xmlns='http://www.w3.org/2001/04/xmlenc#'
          Type='http://www.w3.org/2001/04/xmlenc#Content'>
        <CipherData>
          <CipherValue>A23B45C56</CipherValue>
        </CipherData>
      </EncryptedData>
    </Number>
    <Issuer>Example Bank</Issuer>
    <Expiration>04/07</Expiration>
  </CreditCard>
</PaymentInfo>
Encrypting just the card number

Web Services & WS-Security
Web Services in One Slide
Software components accessible via standard "Web" protocols
Think of them as "remote procedure calls using SOAP/XML messages (over HTTP)"
Available to any client that speaks XML, SOAP and the transport protocol
Platform independent components
Enables Service-Oriented Architecture (SOA)-based application development
Provides a general-purpose, composable protocol framework
Local Procedures
public static float GetQuote(String symbol) {
  // implementation goes here
  // details are hidden from caller
}

public static void Main(String[] args) {
  float msftPrice = GetQuote("MSFT");
  Console.WriteLine("MSFT: {0:F2}", msftPrice);
}

C:\>test.exe
MSFT: 27.50

Procedures create abstraction boundaries
Callers only care about inputs to & outputs from a procedure
Quote Request Message
<?xml version="1.0" encoding="UTF-8" ?>
<SOAP-ENV:Envelope
    xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:ns1="urn:xmethods-delayed-quotes"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"
    SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
  <SOAP-ENV:Body>
    <ns1:getQuote>
      <symbol xsi:type="xsd:string">MSFT</symbol>
    </ns1:getQuote>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
Quote Response Message
<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope
    xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:ns1="urn:xmethods-delayed-quotes"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"
    SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
  <SOAP-ENV:Body>
    <ns1:getQuoteResponse>
      <Result xsi:type="xsd:float">27.50</Result>
    </ns1:getQuoteResponse>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
Security Requirements
Message-level security
Confidentiality, integrity and authentication for every SOAP request and response
Web services are asynchronous; there is no "channel"
Interoperable
People, systems, applications, and services
Heterogeneous environments
Can be composed with other SOAP protocol features
Ex: reliable messaging, transactions
Decentralized and dynamic
Arbitrary network topology with no central authority
Assume policies change and evolve over time
Dynamic authorization model
WS-Security
Defines a framework for building security protocols
Integrity
Confidentiality
Propagation of security tokens
Authorization credentials
Framework designed for end-to-end security of SOAP messages
From initial sender, through 0-n intermediaries to ultimate receiver
What are security tokens?
Represent claims about identity, capabilities, privileges
Examples: UsernameToken, X.509 Certificate, Kerberos Ticket
Protecting messages
Parts of a message can be signed to ensure integrity
Parts of a message can be encrypted to ensure confidentiality
Underlying technologies support pluggable algorithms
Encryption, Digest, Signature, Canonicalization, Transforms
<s:Envelope xmlns:s='http://www.w3.org/2003/05/soap-envelope'
    xmlns:wsu='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'
    xmlns:ws='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd'
    xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
  <s:Header>
    <ws:Security s:mustUnderstand='true'>
      <ws:BinarySecurityToken wsu:Id='Me'
          ValueType='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3'
          EncodingType='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary'>
        MeIIZFgea4FGiu5cvWEklO8pl...
      </ws:BinarySecurityToken>
      . . .
My security token: the <ws:BinarySecurityToken> element with wsu:Id='Me'
      . . .
      <ds:Signature>
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' />
          <ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1' />
          <ds:Reference URI='#Body'>
            <ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1' />
            <ds:DigestValue>uJhGtef54ed91iKLoA...</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>FR8yaKmNDePQ7E3Hj...</ds:SignatureValue>
        . . .
Reference to data I want to protect: <ds:Reference URI='#Body'>
Digest of data I want to protect: <ds:DigestValue>
Signature over the ds:SignedInfo element: <ds:SignatureValue>
        . . .
        <ds:KeyInfo>
          <ws:SecurityTokenReference>
            <ws:Reference URI='#Me'
                ValueType='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3' />
          </ws:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
    </ws:Security>
    . . .
  </s:Header>
  <s:Body wsu:Id='Body'>
    . . .
  </s:Body>
</s:Envelope>
Reference to the certificate that can be used to verify the signature: <ws:Reference URI='#Me'>
Signed data: <s:Body wsu:Id='Body'>
Confidentiality example (Sender)
I want to send a SOAP message and ensure that only you can read the content of the body
I generate a symmetric key
I encrypt that key using your public key
I encrypt the content of the body using the symmetric key
I include both the encrypted data and encrypted key in the message
<s:Envelope xmlns:s='http://www.w3.org/2003/05/soap-envelope'
    xmlns:wsu='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'
    xmlns:ws='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd'
    xmlns:ds='http://www.w3.org/2000/09/xmldsig#'
    xmlns:xe='http://www.w3.org/2001/04/xmlenc#'>
  <s:Header>
    <ws:Security s:mustUnderstand='true'>
      . . .
      <xe:EncryptedKey Id='Sym'>
        <xe:EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p' />
        <ds:KeyInfo>
          <ws:SecurityTokenReference>
            <ws:KeyIdentifier>aKKuvtdlAnUm+I6+ZTDrUA==</ws:KeyIdentifier>
          </ws:SecurityTokenReference>
        </ds:KeyInfo>
        <xe:CipherData>
          <xe:CipherValue>bvDfEg6Sh7GbCvDiAl</xe:CipherValue>
        </xe:CipherData>
        <xe:ReferenceList>
          <xe:DataReference URI='#EncBody' />
        </xe:ReferenceList>
      </xe:EncryptedKey>
    </ws:Security>
    . . .
  </s:Header>
  <s:Body>
    <xe:EncryptedData Id='EncBody' Type='http://www.w3.org/2001/04/xmlenc#Element'>
      <xe:EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#aes128-cbc' />
      <ds:KeyInfo>
        <ws:SecurityTokenReference>
          <ws:Reference URI='#Sym' />
        </ws:SecurityTokenReference>
      </ds:KeyInfo>
      <xe:CipherData>
        <xe:CipherValue>ABfg5eFdiKmNeQlPsDFoMNb...</xe:CipherValue>
      </xe:CipherData>
    </xe:EncryptedData>
  </s:Body>
</s:Envelope>
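The sender's four steps from the confidentiality example and the recipient's reverse of them, as an added Go example that is neither from the slides nor from any WS-Security toolkit: rsa-oaep-mgf1p key wrap emitted as the <xe:EncryptedKey>, aes128-cbc body encryption emitted as the <xe:EncryptedData> (the same pairing the XMLENC "EncryptedKey inside KeyInfo" slide describes), then unwrap and decrypt. Assumptions: the xe/ds/ws prefixes of the envelope above, a freshly generated 2048-bit recipient key, and a constructed sample body.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

const keyWrapAlg = "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"
const dataAlg = "http://www.w3.org/2001/04/xmlenc#aes128-cbc"

func generateKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// encryptCBC: xmlenc aes128-cbc layout, a random IV then CBC ciphertext, last pad byte = pad length (PKCS#7 qualifies).
func encryptCBC(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	n := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(n)}, n)...)
	out := make([]byte, aes.BlockSize+len(padded))
	if _, err := rand.Read(out[:aes.BlockSize]); err != nil {
		return nil, err
	}
	cipher.NewCBCEncrypter(block, out[:aes.BlockSize]).CryptBlocks(out[aes.BlockSize:], padded)
	return out, nil
}

// decryptCBC reverses encryptCBC, rejecting malformed lengths and padding.
func decryptCBC(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil || len(blob) < 2*aes.BlockSize || len(blob)%aes.BlockSize != 0 {
		return nil, errors.New("bad key or ciphertext length")
	}
	pt := make([]byte, len(blob)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, blob[:aes.BlockSize]).CryptBlocks(pt, blob[aes.BlockSize:])
	if n := int(pt[len(pt)-1]); n >= 1 && n <= aes.BlockSize {
		return pt[:len(pt)-n], nil
	}
	return nil, errors.New("bad padding")
}

// cipherValue extracts and base64-decodes an element's <xe:CipherValue> text.
func cipherValue(elem string) ([]byte, error) {
	i, j := strings.Index(elem, "<xe:CipherValue>"), strings.Index(elem, "</xe:CipherValue>")
	if i < 0 || j < i {
		return nil, errors.New("no CipherValue")
	}
	return base64.StdEncoding.DecodeString(elem[i+len("<xe:CipherValue>") : j])
}

// protectBody follows the sender's four steps: generate a symmetric key, wrap it under the
// recipient's public key with RSA-OAEP (SHA-1 and MGF1-SHA1, the rsa-oaep-mgf1p method),
// encrypt the body with it, and emit <xe:EncryptedKey> and <xe:EncryptedData> linked by Id.
func protectBody(pub *rsa.PublicKey, body []byte) (encKey, encData string, err error) {
	key := make([]byte, 16)
	_, err0 := rand.Read(key)
	wrapped, err1 := rsa.EncryptOAEP(sha1.New(), rand.Reader, pub, key, nil)
	blob, err2 := encryptCBC(key, body)
	if err = errors.Join(err0, err1, err2); err != nil {
		return "", "", err
	}
	encKey = fmt.Sprintf(`<xe:EncryptedKey Id="Sym"><xe:EncryptionMethod Algorithm="%s"/><xe:CipherData><xe:CipherValue>%s</xe:CipherValue></xe:CipherData>`+
		`<xe:ReferenceList><xe:DataReference URI="#EncBody"/></xe:ReferenceList></xe:EncryptedKey>`, keyWrapAlg, base64.StdEncoding.EncodeToString(wrapped))
	encData = fmt.Sprintf(`<xe:EncryptedData Id="EncBody" Type="http://www.w3.org/2001/04/xmlenc#Element"><xe:EncryptionMethod Algorithm="%s"/>`+
		`<ds:KeyInfo><ws:SecurityTokenReference><ws:Reference URI="#Sym"/></ws:SecurityTokenReference></ds:KeyInfo>`+
		`<xe:CipherData><xe:CipherValue>%s</xe:CipherValue></xe:CipherData></xe:EncryptedData>`, dataAlg, base64.StdEncoding.EncodeToString(blob))
	return encKey, encData, nil
}

// recoverBody is the recipient's side: unwrap the symmetric key with the private key, then decrypt the body with it.
func recoverBody(priv *rsa.PrivateKey, encKey, encData string) ([]byte, error) {
	wrapped, err1 := cipherValue(encKey)
	blob, err2 := cipherValue(encData)
	key, err3 := rsa.DecryptOAEP(sha1.New(), rand.Reader, priv, wrapped, nil) // fails harmlessly if err1 != nil
	if err := errors.Join(err1, err2, err3); err != nil {
		return nil, err
	}
	return decryptCBC(key, blob)
}

func main() {
	priv, _ := generateKey()
	encKey, encData, _ := protectBody(&priv.PublicKey, []byte("<ns1:getQuote><symbol>MSFT</symbol></ns1:getQuote>")) // constructed body
	pt, err := recoverBody(priv, encKey, encData)
	fmt.Println(encKey, "\n", string(pt), err)
}
```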
WS-Trust (if we have time)
Authorization Model
Web Services need mechanisms for conveying authorization information from client to server
"Is the client authorized to make this type of request and receive the results?"
Use security tokens to convey authorizations
Capabilities-based model (sender proves he has the right to make the request)
Tokens contain claims that state properties
Ex: identity, age, state of residence
Servers need a way to publish their authorization policies
"Who is allowed to call this web service?"
Policy describes required claims (and semantics)
Security token example
Alice's X.509 certificate is a security token
Allows a message to claim to be from Alice
Proof of claim is based on Alice's private key
Signing part of the message with her private key proves that she knows the key and is therefore Alice
WS-Trust
Defines how to broker trust relationships
Some trust relationship has to exist a priori between the two parties
Defines how to exchange security tokens
Defined as an interface specification for a Security Token Service
STS = Token issuer
Common Patterns
Issuance: exchanging one set of credentials (optionally null) for another
Renewal: renewing previously issued tokens
Validation: verifying tokens and signatures using a service
Cancellation/Revocation: cancelling a previously issued token
Challenges/Negotiations: how to have secure multi-leg challenges and negotiations prior to token issuance
Example
I want to have a secure conversation with you
I ask the trust service for a token to allow me to talk to you
The trust service sends me a token containing two copies of a secret key: one encrypted for me, one encrypted for you
The former is a "proof token"
I can use the secret key in it to respond to a challenge you give me
Example
[Diagram: (1) U/P is presented to a Trust service; (2) security token T1 and proof token P1 are returned; (3) T1 is presented to a second Trust service; (4) T2 and P2 are returned; (5) T2 is presented to the next party. Legend: T# = security token, P# = proof token]
Challenges
[Diagram of the challenge exchange, in order: Request Token; Issue Challenge; Respond to Challenge; Issue Token, authenticate]
Getting Tokens
A RequestSecurityToken message is sent to the trust service
It responds with a RequestSecurityTokenResponse
Contains the required security token and associated metadata/attributes/etc.
Various bindings defined
A binding defines wsa:Action values and wst:RequestType values
E.g. message types associated with the "Issue" action
Other token characteristics
Requester can specify various required characteristics of the security token
Key type, size
Whether token is forwardable, delegateable etc.
Trust service can then indicate those characteristics in the response