Mike Taylor Uniface Solution Specialist Atlanta - June 8 th , 2010 Encryption and Security
Mike TaylorUniface Solution SpecialistAtlanta - June 8th, 2010
Encryption and Security
Agenda
Encode/encrypt – Decode/DecryptHash functions
Block ciphers
Calling webservices with a certificate
3
Project Goal Provide the ability to encode/encrypt and
decode/decrypt data by Uniface 4GL proc functions. Hash functions
MD4, MD5, SHA-1, SHA-2, HMAC
Block ciphers AES, DES, Triple DES, Blowfish, Twofish
Miscellaneous Base64, HEX, URL encoding
4
Hash functionsReturn fixed length data which is;
infeasible to find the source from a hash.
infeasible to find two different sources with the same hash.
INPUT HASH
B062B1413B28E83DCBF4E9DB2C51D63EUniface
5
Block ciphers (1)
Use a symmetric key to encrypt and decrypt the data.
Operate on fixed-length data called block.
INPUT CIPHER
KEY
8A0D1BBFA0C34DUniface
password
6
Block ciphers (2)
REF: http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation
Data is divided into blocks (fixed length data) and each block is encrypted separately.
Identical plaintext blocks are encrypted into identical cipher text blocks.
7
Modes of operation
Original ECB mode other modes
REF: http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation
Several modes of operation have been invented which allow block ciphers to provide confidentiality.
Mode: ECB, CBC, CFB, OFB etc.
8
Initialization Vector (IV)
REF: http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation
All modes except ECB require an initialization vector (IV)
No need to be secret, but it is important that never reused with the same key
9
New proc functions$encode and $decode
Syntax:
$encode/$decode(Algorithm, Source{, Key{, Mode, IV}}) Algorithm: Encode/encryption algorithm Source: Source data Key: Secret key for a block cipher Mode: Modes of operation IV: Initialization Vector
10
$encode / $decode (1)
$encode/$decode(Algorithm, Source{, Key{, Mode, IV}})Algorithm:Hash functions (only available for $encode)
MD4, MD5, SHA1, SHA224, SHA256, SHA384, SHA512, HMAC_MD5, HMAC_SHA1
Block ciphers AES (RIJNDAEL), DES, TDES (DES_EDE3), DES_EDE2, DESX (DES_XEX3), BLOWFISH, TWOFISH
Misc. BASE64, HEX, URL URAW, USTRING (only available for $encode)
11
$encode / $decode (2)$encode/$decode(Algorithm, Source{, Key{, Mode, IV}})Source:
Any text or raw data.
Key: Required for block ciphers and HMAC.
Should be a specific length.
AES (16/24/32), DES (8), TDES (24), DESX (24)
BLOWFISH (4 – 56), TWOFISH (16/24/32)
12
$encode / $decode (3)$encode/$decode(Algorithm, Source{, Key{, Mode, IV}})Mode: Modes of operation
ECB, CBC, CFB, OFB, CTR, CBC_CTS
Default = ECB
IV: Initialization Vector Required for all modes except ECB.
13
Notes
Because the return value may contain the null byte (0x00), $encode/$decode returns in the Uniface RAW data type which is binary safe, unless the Algorithm is BASE64, HEX, URL or USTRING, in which case a data is returned as the Uniface String data type (UTF-8).
Algorithm USTRING doesn’t convert the string from a character set to another.
14
DEMO
Agenda
Encode/encrypt – Decode/Decrypt– Hash functions
– Block ciphers
Calling webservices with a certificate
Webservice Security
Server has a certificate – (Supplied by agency or self sign)
The webserver also has a certificate – Signed by the server certificate
Webservice Security1. Client makes request to a secure webserver
2. Webserver accepts the connections and returns it’s certificate
3. Client verifies certificate is valid and trusted– Disabled checking with usys$sop_params ign=p
– Trusted certificates held in usys:ca-bunble.crt
– Certificate obtained from the website
usys:ca-bundle.crtFormat for ca-bundle.crt
-----BEGIN CERTIFICATE-----
Certificate Data
-----END CERTIFICATE----- -----BEGIN CERTIFICATE-----
Certificate Data
-----END CERTIFICATE-----
Certificate Data is encoded Base-64 Encoded X.509 (PEM)
ca-bundle.crt Trusted root certificates can be obtained from curl
– http://curl.haxx.se/ca/cacert.pem
Owner sends you their certificate Servers certificate can be obtained in IE by
– Request the URL– Click on the padlock icon– View the certificate– Click on the “Certification Path” tab and select the server certificate.– Click “View Certificate”– Click on the “Details” tab– Click on the “Copy to file…” button and click Next >– Select Base-64 Encoded X.509 (.CER) and click Next >– Enter a filename e.g. server.cer– If you have a ca-bundle.crt file in your usys folder, append the contents of server.cer to it in a text editor, otherwise copy to ca-bundle.crt.
– Click Finish
20
DEMO
Restrictions
Client certificates are due soon WS-security not currently supported
– Soap headers available from 3gl interface.
• soap_pre_request • soap_post_request
Thank You& Questions