ArxICT_security2009-01

Download Report

Transcript ArxICT_security2009-01

By
Bahaa Zaid
[email protected]
2009-01-13
Agenda
 Introduction to Security
 Java Security
 XML Security
 WS-Security
Introduction to Security
 Cryptography
 Symmetric-Key Cryptography
 Public-Key Cryptography
 Public Key Infrastructure
 Cryptographic Hash Function
 Digital Signature
Cryptography
 Is the practice and study of hiding information
 Encryption is the process of transforming information
(plaintext) using an algorithm (cipher) to make it
unreadable to anyone (ciphertext) except those
possessing special knowledge (key).
 Decryption is to make the encrypted information
readable again.
Symmetric-Key Cryptography
 Symmetric-key cryptography refers to encryption
methods in which both the sender and receiver share the
same key. This was the only kind of encryption publicly
known until June 1976.
 Examples are DES, 3DES, Blowfish, RC4…
Symmetric-Key Cryptography
Plaintext
Cipher
Ciphertext
Ciphertext
Cipher
Plaintext
Public-Key Cryptography
 Public-Key Cryptography, also known as Asymmetric
Cryptography, is a form of cryptography in which the key
used to encrypt a message differs from the key used to
decrypt it. In public key cryptography, a user has a pair of
cryptographic keys—a Public Key and a Private Key.
 Examples are RSA and ElGamal.
Public-Key Cryptography
 A big random number is
used to create a key pair.
When the keys have
been made the big
random number is
thrown away. Without
knowledge of the
random number it
should be "impossible"
to create the private key
from the public key.
Public-Key Cryptography
 A message encrypted
with a recipient's public
key cannot be decrypted
by anyone except the
recipient possessing the
corresponding private
key.
Public Key Infrastructure
 Public Key Infrastructure (PKI) is an arrangement that
binds public keys with respective user identities by means
of a Certificate Authority (CA).
 CA is an example of Trusted Third Party (TTP).
 A CA is an entity which issues Public Key Certificate for
use by other parties.
Public Key Infrastructure
 The most common certificate standard is the ITU-T X.509.
 A Public Key Certificate is an electronic document which
incorporates a Digital Signature to bind together a public
key with an identity — information such as the name of a
person or an organization, their address, and so forth.
 A Public Key Certificate is the Public Key of an individual
added to it his/her Identity and signed by a CA.
 The certificate can be used to verify that a Public Key
belongs to an individual .
Public Key Infrastructure
 A Certificate Chain is a sequence of certificates, where
each certificate in the chain is signed by the subsequent
certificate. The last certificate in the chain is normally
a self-signed Certificate - a certificate that signs itself
(Root Certificate).
 It’s an example of Chain Of Trust.
signs
CA Cert
(Root Cert)
signs
Company
CA
signs
App Cert
Cryptographic Hash Function
 A Cryptographic Hash Function is an algorithm that takes
an arbitrary block of data and returns a fixedsize bit string, the Hash Value or Message Digest, such
that an accidental or intentional change to the data will
almost certainly change the Hash Value.
 Examples are MD5, SHA-1 and SHA-256.
 Applications are Message Integrity Verification, Digital
Signatures, …
Cryptographic Hash Function
 The ideal hash function has four main properties:
 It is easy to compute the hash for any given data,
 It is extremely difficult to construct a text that has a given
hash,
 It is extremely difficult to modify a given text without
changing its hash, and
 It is extremely unlikely that two different messages will
have the same hash.
Digital Signature
 For messages sent through an insecure channel, a
properly implemented Digital Signature gives the receiver
reason to believe the message was sent by the claimed
sender.
 Digital Signature gives both Authentication and Integrity.
Digital Signature
Java Security
 Sun’s website says:
“Java security technology includes a large set of APIs,
tools, and implementations of commonly used security
algorithms, mechanisms, and protocols. The Java security
APIs span a wide range of areas, including cryptography,
public key infrastructure, secure communication,
authentication, and access control.”
 Platform Security is built-in language security features
enforced by the Java compiler and virtual machine for
example Bytecode verification, Secure class loading .
Java Security
 Access Control is a comprehensive policy and permissions
API that allows the developer to create and administer
applications requiring fine-grained access to securitysensitive resources.
 Java includes APIs for Cryptography , Secure
Communications (e.g. TLS) and PKI.
 Java Security is Extensible i.e. Java provide the interfaces
and the implementation is provided by a Security
Provider, JRE has a default provider (SUN provider).
Unlimited Strength Policy Files
 By default, JRE is restricted to a particular Encryption
Algorithms and Key Lengths (Strong Encryption).
 This restriction is in place so that the JRE and Java
Applications that use Encryption can be freely imported
by countries whose government restrict the use of
Cryptography.
 There are no restrictions in Egypt. So, you can download
the Unlimited Strength Policy Files from Sun’s website
and install it to enable unlimited encryption.
Example: Computing The Hash of a
byte[]
MessageDigest msgDigest =
MessageDigest.getInstance("MD5");
msgDigest.update(plainText); //byte[]
byte[] digest = msgDigest.digest();
Example: Private Key Crypto
KeyGenerator keyGen =
KeyGenerator.getInstance("DES");
keyGen.init(56);
Key key = keyGen.generateKey();
…
Cipher cipher =
Cipher.getInstance("DES/ECB/PKCS5Padding");
cipher.init(Cipher.ENCRYPT_MODE, key);
byte[] cipherText = cipher.doFinal(plainText);
…
cipher.init(Cipher.DECRYPT_MODE, key);
byte[] newPlainText =
cipher.doFinal(cipherText);
Example: Public Key Crypto
KeyPairGenerator keyGen =
KeyPairGenerator.getInstance("RSA");
keyGen.initialize(1024);
KeyPair key = keyGen.generateKeyPair();
…
Cipher cipher =
Cipher.getInstance("RSA/ECB/PKCS1Padding");
cipher.init(Cipher.ENCRYPT_MODE, key.getPublic());
byte[] cipherText = cipher.doFinal(plainText);
…
cipher.init(Cipher.DECRYPT_MODE, key.getPrivate());
byte[] newPlainText = cipher.doFinal(cipherText);
Example: Digital Signature
KeyPairGenerator keyGen =
KeyPairGenerator.getInstance("RSA");
keyGen.initialize(1024);
KeyPair key = keyGen.generateKeyPair();
…
Signature sig = Signature.getInstance("MD5WithRSA");
sig.initSign(key.getPrivate());
sig.update(plainText);
byte[] signature = sig.sign();
…
sig.initVerify(key.getPublic());
sig.update(plainText);
if (sig.verify(signature)) {…}
Example: Accessing Key Stores
// Creating new one
KeyStore keyStore = KeyStore.getInstance("PKCS12");
keyStore.load(null, null);
…
// Opening Existing one
KeyStore keyStore = KeyStore.getInstance("PKCS12");
keyStore.load(new FileInputStream(filename),
"password".toCharArray());
…
// Adding Entry
keyStore.setKeyEntry(
"somealias",privateKey,
"password".toCharArray(),
new Certificate[] {myCert, caCert});
…
Example: Accessing Key Stores
// Get entries
X509Certificate cert = (X509Certificate)
keyStore.getCertificate(“alias");
PrivateKey key = (PrivateKey) keyStore.getKey(
“alias", “password".toCharArray());
…
// Saving to file
keyStore.store(new FileOutputStream(filename),
“password”.toCharArray());
Serializing a Key
Key key = …; // PrivateKey or PublicKey
byte[] encodedKey = key.getEncoded();
…
X509EncodedKeySpec keySpec =
new X509EncodedKeySpec(encodedKey);
KeyFactory keyFactory =
KeyFactory.getInstance("RSA");
PublicKey theKey =
keyFactory.generatePublic(keySpec);
// or
PrivateKey theKey =
keyFactory.generatePrivate(keySpec);
Serializing a Certificate
X509Certificate cert = …;
byte[] encCert = cert.getEncoded();
…
ByteArrayInputStream inputStream =
new ByteArrayInputStream(encCert);
CertificateFactory factory =
CertificateFactory.getInstance("X.509");
X509Certificate theCert = (X509Certificate)
factory.generateCertificate(inputStream);
Example: Generating a Certificate
 Standard Java does not have an X509Certificate
generation API
 BouncyCastle has a class for generating X509Certificate
instance org.bouncycastle.x509.X509V3CertificateGenerator
Example: Generating a Certificate
X509V3CertificateGenerator certGen = new
X509V3CertificateGenerator();
X500Principal myPrincipal = new
X500Principal("CN=Duke, OU=ArxICT, O=Arx, C=EG" );
certGen.setSubjectDN(myPrincipal);
certGen.setIssuerDN(myPrincipal); // Self signed
certGen.setNotBefore(new Date(…));
certGen.setNotAfter(new Date(…));
certGen.setPublicKey(publicKey); // Cert Public Key
certGen.setSignatureAlgorithm("SHA1withRSA");
certGen.setSerialNumber(generateMySerialNumber());
X509Certificate cert =
certGen.generateX509Certificate(privateKey);
XML Signature
 XML Signature (also called XMLDsig, XML-DSig, XML-Sig)
is a W3C recommendation that defines an XML syntax
for digital signatures.
 An XML signature used to sign a resource outside its
containing XML document is called a detached signature;
 If it is used to sign some part of its containing document,
it is called an enveloped signature;
 If it contains the signed data within itself it is called
an enveloping signature.
XML Signature
XML Resource
XML Resource
XML Resource
XML Signature
XML Signature
XML Signature
1
Signed XML
Element
Signed XML
Element
Signed Data
Detached
XML Signature
2
Enveloping
Enveloped
XML Signature
 Implementation:
 Apache XML Security (santuario)
 Standard XML Digital Signature API (JDK 6), also
implemented in Apache XML Security for pre-6 JDKs
XML Signature
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/RECxml-c14n-20010315"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsasha1"/> <Reference URI="#MsgBody">
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>W3aSreOicBECRBLSJnchq448fjU=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>hG…=</SignatureValue>
<KeyInfo> <SecurityTokenReference
xmlns="http://schemas.xmlsoap.org/ws/2002/04/secext">
<Reference URI="X509Token"/>
</SecurityTokenReference>
</KeyInfo>
</Signature>
XML Signature
// Init the factory
String providerName = System.getProperty("jsr105Provider",
"org.jcp.xml.dsig.internal.dom.XMLDSigRI");
XMLSignatureFactory fac =
XMLSignatureFactory.getInstance("DOM“,
(Provider)Class.forName(providerName).newInstance());
DOMValidateContext valContext = new DOMValidateContext(new
SimpleKeySelector(merchantPublicKey), nodeList.item(0));
XMLSignature signature = fac.unmarshalXMLSignature(valContext);
boolean coreValidity = signature.validate(valContext);
XML Signature
class SimpleKeySelector extends KeySelector {
private PublicKey publicKey;
public SimpleKeySelector(PublicKey publicKey) {
this.publicKey = publicKey;
}
public KeySelectorResult select(KeyInfo keyInfo, Purpose purpose,
AlgorithmMethod method, XMLCryptoContext context)
throws KeySelectorException {
return new SimpleKeySelectorResult(publicKey);
}
private static class SimpleKeySelectorResult implements KeySelectorResult {
private PublicKey publicKey;
SimpleKeySelectorResult(PublicKey pk) {
this.publicKey = pk;
}
public Key getKey() {
return publicKey;
}
}
}
References
 http://www.wikipedia.org
 http://java.sun.com/javase/technologies/security/
 http://java.sun.com/security/reference/docs/index.html
More Resources
 http://www.ibm.com/developerworks/edu/j-dw-
javasec1-i.html
 http://www.ibm.com/developerworks/edu/j-dwjavasec2-i.html