02-Security & Encryption-CPWR 2

Mike TaylorUniface Solution SpecialistAtlanta - June 8th, 2010

Encryption and Security

Agenda

Encode/encrypt – Decode/DecryptHash functions

Block ciphers

Calling webservices with a certificate

3

Project Goal Provide the ability to encode/encrypt and

decode/decrypt data by Uniface 4GL proc functions. Hash functions

MD4, MD5, SHA-1, SHA-2, HMAC

Block ciphers AES, DES, Triple DES, Blowfish, Twofish

Miscellaneous Base64, HEX, URL encoding

4

Hash functionsReturn fixed length data which is;

infeasible to find the source from a hash.

infeasible to find two different sources with the same hash.

INPUT HASH

B062B1413B28E83DCBF4E9DB2C51D63EUniface

5

Block ciphers (1)

Use a symmetric key to encrypt and decrypt the data.

Operate on fixed-length data called block.

INPUT CIPHER

KEY

8A0D1BBFA0C34DUniface

password

6

Block ciphers (2)

REF: http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation

Data is divided into blocks (fixed length data) and each block is encrypted separately.

Identical plaintext blocks are encrypted into identical cipher text blocks.

7

Modes of operation

Original ECB mode other modes

REF: http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation

Several modes of operation have been invented which allow block ciphers to provide confidentiality.

Mode: ECB, CBC, CFB, OFB etc.

8

Initialization Vector (IV)

REF: http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation

All modes except ECB require an initialization vector (IV)

No need to be secret, but it is important that never reused with the same key

9

New proc functions$encode and $decode

Syntax:

$encode/$decode(Algorithm, Source{, Key{, Mode, IV}}) Algorithm: Encode/encryption algorithm Source: Source data Key: Secret key for a block cipher Mode: Modes of operation IV: Initialization Vector

10

$encode / $decode (1)

$encode/$decode(Algorithm, Source{, Key{, Mode, IV}})Algorithm:Hash functions (only available for $encode)

MD4, MD5, SHA1, SHA224, SHA256, SHA384, SHA512, HMAC_MD5, HMAC_SHA1

Block ciphers AES (RIJNDAEL), DES, TDES (DES_EDE3), DES_EDE2, DESX (DES_XEX3), BLOWFISH, TWOFISH

Misc. BASE64, HEX, URL URAW, USTRING (only available for $encode)

11

$encode / $decode (2)$encode/$decode(Algorithm, Source{, Key{, Mode, IV}})Source:

Any text or raw data.

Key: Required for block ciphers and HMAC.

Should be a specific length.

AES (16/24/32), DES (8), TDES (24), DESX (24)

BLOWFISH (4 – 56), TWOFISH (16/24/32)

12

$encode / $decode (3)$encode/$decode(Algorithm, Source{, Key{, Mode, IV}})Mode: Modes of operation

ECB, CBC, CFB, OFB, CTR, CBC_CTS

Default = ECB

IV: Initialization Vector Required for all modes except ECB.

13

Notes

Because the return value may contain the null byte (0x00), $encode/$decode returns in the Uniface RAW data type which is binary safe, unless the Algorithm is BASE64, HEX, URL or USTRING, in which case a data is returned as the Uniface String data type (UTF-8).

Algorithm USTRING doesn’t convert the string from a character set to another.

14

DEMO

Agenda

Encode/encrypt – Decode/Decrypt– Hash functions

– Block ciphers

Calling webservices with a certificate

Webservice Security

Server has a certificate – (Supplied by agency or self sign)

The webserver also has a certificate – Signed by the server certificate

Webservice Security1. Client makes request to a secure webserver

2. Webserver accepts the connections and returns it’s certificate

3. Client verifies certificate is valid and trusted– Disabled checking with usys$sop_params ign=p

– Trusted certificates held in usys:ca-bunble.crt

– Certificate obtained from the website

usys:ca-bundle.crtFormat for ca-bundle.crt

-----BEGIN CERTIFICATE-----

Certificate Data

-----END CERTIFICATE----- -----BEGIN CERTIFICATE-----

Certificate Data

-----END CERTIFICATE-----

Certificate Data is encoded Base-64 Encoded X.509 (PEM)

ca-bundle.crt Trusted root certificates can be obtained from curl

– http://curl.haxx.se/ca/cacert.pem

Owner sends you their certificate Servers certificate can be obtained in IE by

– Request the URL– Click on the padlock icon– View the certificate– Click on the “Certification Path” tab and select the server certificate.– Click “View Certificate”– Click on the “Details” tab– Click on the “Copy to file…” button and click Next >– Select Base-64 Encoded X.509 (.CER) and click Next >– Enter a filename e.g. server.cer– If you have a ca-bundle.crt file in your usys folder, append the contents of server.cer to it in a text editor, otherwise copy to ca-bundle.crt.

– Click Finish

20

DEMO

Restrictions

Client certificates are due soon WS-security not currently supported

– Soap headers available from 3gl interface.

• soap_pre_request • soap_post_request

Thank You& Questions