Top Banner
WEB SECURITY USING XML ENCRYPTION Based on the Apache XML Security Project. By Ajeya Krishnamurthy


Feb 03, 2016




WEB SECURITY USING XML ENCRYPTION. Based on the Apache XML Security Project. By Ajeya Krishnamurthy. Presentation Overview. Introduction XML Signature XML Encryption and Decryption The JCE ( Java Cryptography Extensions ) Code Overview Future work. Introduction. - PowerPoint PPT Presentation

  • WEB SECURITY USING XML ENCRYPTIONBased on the Apache XML Security Project. By Ajeya Krishnamurthy

  • Presentation Overview Introduction XML Signature XML Encryption and Decryption The JCE ( Java Cryptography Extensions ) Code Overview Future work

  • IntroductionThe XML Signature technology was developed by the XML-DSig Charter an IETF/W3C charter in response to the June16 2000 e-sign act, which made digital signatures legallybinding. XML Signatures allow you to sign only specified sections of a document. This contrasts to non-XML Signatures that require you to sign all of a document. XML Signatures are not limited to XML documents and can be applied to all types of electronic data, for example, HTML and GIF files.

  • IntroductionBasics of cryptography

    Confidentiality - Protecting data from prying eyes while in transit over an insecure communications channel like the Internet Integrity - Provides communicating parties with the assurance that a message was not modified while in transit Non-repudiation - The recipient should be able to prove that a message actually originated with the purported sender and is not a forgery

  • Canonical XMLCanonical XML normalizes the physical representation of XML, creating a standard for signature processing. Before the signature digest is created for a document, it is transformed to canonical XML. Then, when the received document is checked for data integrity, it is transformed to canonical XML before a digest is created for it.Different XML applications may represent XML differently. The digest calculation is sensitive to changes in the physical representation of the XML.

  • XML Signature XML Signatures are human readable and platform independent Unlike non-XML digital signatures, XML Signatures include processing information ( ex: Algorithm used to generate the signature ) XML allows signing only portions of the document. Advantages?

  • XML Signature Types Enveloped - The XML Signature is included in the XML document. It is contained within a child element of the XML document Enveloping - The XML document is included in the XML Signature. It is contained within a a child element of the XML Signature Detached - The XML Signature is included in a separate document from the signed document. The location of the signed document is referenced in the XML Signature. This type of signature is used for non-XML documents

  • XML Signature structure

  • XML Signature structure ( ) ()

  • XML Encryption Enables encryption of specified portions of a document, leaving the rest of the document in its original form Does not support the encryption of attributes Both symmetric and asymmetric encryption can be used The ability to encrypt partial documents is unique to XML encryption.

  • XML Encryption InteroperabilityXML encryption is interoperable with XML Signature. However, if you want to encrypt and sign a document, you must always encrypt the document before you sign it. This is because the digest, generated for the digital signature, may give clues about the unencrypted content of a document.

  • XML Encryption structure iamscrambled

  • The Java Cryptography ExtensionThe JCE and the JCA are APIs provided by Java for cryptography. Tutorials are available at

  • XMLSignatureFactory. XMLSignatureFactory is a standard FactorySingleton. The main purpose is to create allelements of a XMLSignature It can be instantiated by: XMLSignatureFactory.getInstance() XMLSignatureFactory.getInstance(DOM,new ()); XMLSignatureFactory.getInstance(DOM,);Class XMLSignatureFactory -- Main class used to create all elements required for a signatureCode Overview

  • Code OverviewMain class for interaction


    Important methodssign(XMLSignContext signContext)validate(XMLValidateContextvalidateContext)Class XMLSignature

  • XMLSignatureFactory fac = XMLSignatureFactory.getInstance();Reference ref =fac.newReference(",fac.newDigestMethod(DigestMethod.SHA1, null));Code Overview Creating the signatureThis creates a new XMLSignatureFactory instanceAnd this creates a reference to be signed. The reference contains a URI pointing to the data that we wish to sign.

  • SignedInfo si = fac.newSignedInfo(fac.newCanonicalizationMethod (CanonicalizationMethod.INCLUSIVE_WITH_COMMENTS,null),fac.newSignatureMethod(SignatureMethod.DSA_SHA1,null),Collections.singletonList(ref));Code OverviewThis creates the SignedInfo object we needXMLSignature signature = fac.newXMLSignature(si, null);And this creates a new Signature object. Code Overview Creating the signature

  • Code OverviewNow we generate the key pair using the JCA. Document doc =dbf.newDocumentBuilder().newDocument();DOMSignContext signContext = newDOMSignContext(kp.getPrivate(), doc);

    //Sign the URL. The XML-Signature structure is//appended to the documentsignature.sign(signContext); KeyPair kp = And then we create the document object and sign itCode Overview Creating the signature

  • Code Overview Verifying the signature1: Create a XMLSignature from XML

    2: Setup a KeySelector

    3: Create a XMLValidateContext

    4: Validate the Signature

  • // Parse the documentDocument doc = dbf.newDocumentBuilder().parse(newFileInputStream(args[0]));// Find Signature element. This only checks for a// Signature root element.Node signatureNode =doc.getElementsByTagNameNS(XMLSignature.XMLNS,"Signature").item(0);// Create a XMLSignatureFactoryXMLSignatureFactory fac =XMLSignatureFactory.getInstance();Code Overview Verifying the signature

  • // Create a KeySelectorKeySelector ks =KeySelector.singletonKeySelector(key);// Create a XMLValidateContextDOMValidateContext valContext = newDOMValidateContext(ks, signatureNode);// Unmarshal the XMLSignatureXMLSignature signature =fac.unmarshalXMLSignature(valContext);// Validate the XMLSignature (generated above)boolean coreValidity =signature.validate(valContext);Code Overview Verifying the signature

  • Code Overview Encryption Designed to have fewest possible dependencies


    Xalan Xerces Commons Logging Cryptographic service provider

  • 1: Specify key algorithm

    2: Initialize KeyCipher

    3: Generate encryption key

    4: Specify encryption algorithm

    5: Initialize XMLCipher

    6: EncryptSteps to encrypt dataCode Overview Encryption

  • Code Overview Encryption // get algorithmString algo =XMLCipher.TRIPPELDES_KeyWrap;

    // construct XMLCipherXMLCipher c = XMLCipher.getInstance(algo);1: Specify key algorithm2: Initialize KeyCipher

  • Code Overview Encryption KeyGenerator kg =KeyGenerator.getInstance(DESede);SecretKey sk = kg.generateKey();byte[] kb = sk.getEncoded();3: Generate encryption key4: Specify encryption algorithmXMLCipher keyCipher =XMLCipher.getInstance(algo);Key symmKey = //as in generate keyencryption keykeyCipher.init(XMLCipher.WRAP_MODE, symmKey);EncryptedKey encryptedKey =keyCipher.encryptKey(document, symmKey);

  • XMLCipher xmlCipher =XMLCipher.getInstance(XMLCipher.AES_128)xmlCipher.init(XMLCipher.ENCRYPT_MODE,symmKey);Code Overview Encryption 5: Initialize XMLCipherEncryptedData d = xmlCipher.getEncryptedData();KeyInfo keyInfo = new KeyInfo(document);keyInfo.add(encryptedKey);d.setKeyInfo(keyInfo);Prepare for encryption

  • xmlCipher.doFinal(document,rootElement,true);6: EncryptCode Overview Encryption

  • Code Overview Decryption 1: Get the element that need to be decrypted

    2: Get the key

    3: DecryptSteps involved in Decryption

  • Code Overview Decryption // Get the element that need to bedecryptedElement e = (Element)document.getElementsByTagNameNS(EncryptionSpecNS, ENCRYPTEDDATA).item(0);// Get the keyKey kek = loadKeyEncryptionKey();Prepare for encryption

  • XMLCipher xmlCipher = XMLCipher.getInstance();xmlCipher.init(XMLCipher.DECRYPT_MODE, null);xmlCipher.setKEK(kek);xmlCipher.doFinal(document,encryptedDataElement);Now perform DecryptionCode Overview Decryption

  • Future WorkThe Apache foundation will focus next on the XKMS for this project. Currently, the Java API is complete and robust. The C++ library is still evolving.

Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.