Tokenauthenticatie en xml signature in detail

Tokenauthenticatie&

XML Signaturein detail

Tokenauthenticatie

signedData SignedInfo SignatureValue

Certificaat

RSA / SHAsig maken

Bericht maken

SOAP bericht

QURX_EX990011NL

token makenSignedInfomaken

smartcard metprivate key

Transformatie XML 2 SignedData

Verstrekkings-Lijstquery

signedData.xsl

signedData

QURX_IN990111NL_01.xml

QURX_IN990111NL_01_signedData.xml

VerstrekkingsLijstquery

signedData

• X.509 Strong Authentication– message id

• nonce• unieke indentificatie van bericht• (if duplicate removal has already taken place)

– notBefore & notAfter• time to live• security semantics can expire• time to store & check nonce

– addressedParty• replay against other receivers

• Koppeling met bericht– BSN

• voor patiëntgerelateerde berichten

– Trigger Event Id• versieonafhankelijk, itt. InteractionId

signedData.xml (pretty print)

Token versus bestand

Whitespace eruit

signedData

remove-whitespace-between-elements.xsl

signedData QURX_IN990111NL_01_signedData.xml

Exclusive Canonicalization

signedData

excc14n(Oxygen gebruikt)

signedDataexcc14n

signedData_ excc14n.xml

• Dubbele quotes ipv. enkele

• Namespace declaraties vóór attributen

• Namespaces alfabetisch rangschikken

• Linefeed, geen carriage return of CR/LF

• Geen Byte Order Mark

• UTF-8

Signed Info element

signedDataexcc14n

Base64

SignedInfo

SignedInfotemplate

maken SignedInfo

SignedInfo.xml

SHA1 hash

160 bits

karakters

wsu Id

SHA: Cryptographic hashWikipedia: A cryptographic hash function is a deterministic procedure that

takes an arbitrary block of data and returns a fixed-size bit string, the (cryptographic) hash value, such that an accidental or intentional change to

the data will change the hash value.

• SHA1 ... SHA256

– 1995: SHA-1 NSA

– 2005: zwaktes in SHA-1 ontdekt

– 2001: SHA-2 (225, 256, 384, 512)

– 2008 – 12: SHA-3, open competitie

• SHA-1

– input: message maximum (264 − 1) bits

– output: 160 bits

Base 64

• UTF-8: niet alle octets zijn toegestaan!

• Ergo: binaire data kunnen niet zomaar in XML / UTF-8

• Oplossing: bits -> karakters

• RFC2045 (MIME) alfabet: [A-Z][a-z][0-9]+/

SHA + Base64

4vBP5K5M5llABaWYzxCrKIdjS2I=

Input (bits)

SHA1 (160 bits)

Base 64

SignedInfo

RSA with SHA

SignedInfo(exc c14n)

ASN.1 DERformaat

SHA1 hash

160 bits

400 bits

Base64

SignatureValue

408 bits

karakters

3021300906052b0e03021a05000414

3031300d060960864801650304020105000420

SHA 256 -> 464 bits

private key

“Hello world”

SHA-1 hash:5llABaWYzxCrKIdjS...

RSA sig value:c9fVK7vYAdvs2DRZVtS...

Private key:shhhh.....

Public key:MIICHzCCAYygAwIBAgI.....

“Hello world”

RSA sig value:c9fVK7vYAdvs2DRZVtS...

Sender Receiver

Security Services (X.800)

• Authentication

• Authorization

• Data Confidentiality

• Data Integrity

• Non-repudiation

Security services

Secure connection

Authentication Token

Digital

Signature

Authentication √ √ √

Authorization

Confidentiality √

Integrity √ √

Non-repudiation √

Naam Key Usage omschrijving

Toepassing Key usage hexadecimaal

authenticiteit-certificaat

digitalSignature tokenauthenticatie

handtekening-certificaat

NonRepudiation elektronische handtekening

vertrouwelijkheidcertificaat

keyEncipherment, dataEncipherment, keyAgreement

(OR'ed 0x20, 0x10, 0x08)

Key usage

SOAP bericht

signedData SignedInfo

Header maken

SignatureValueCertificaatverwijzing

authenticationTokens

Header maken

wss:Security

Bericht maken

SOAP bericht

QURX_EX990011NL

SOAP bericht

Functie Algoritme URI

Signature RSA+SHA-1 <SignatureMethod Algorithm=

"http://www.w3.org/2000/09/xml

dsig#rsa-sha1"/>

Digest SHA-1 <DigestMethod Algorithm=

dsig#sha1"/>

Signature RSA+SHA-256 <SignatureMethod Algorithm=

dsig-more#rsa-sha256"/>

Digest SHA-256 <DigestMethod Algorithm=

enc#sha256"/>

Transformatie XML 2 SignedData

Verstrekkings-Lijstquery

signedData.xsl

signedData

QURX_IN990111NL_01.xml

Whitespace eruit

signedData

remove-whitespace-between-elements.xsl

signedData QURX_IN990111NL_01_signedData.xml

signedData

excc14n(Oxygen gebruikt)

signedDataexcc14n

Signed Info element

signedDataexcc14n

Base64

SignedInfo

SignedInfotemplate

maken SignedInfo

SignedInfo.xml

SHA1 hash

160 bits

karakters

wsu Id

RSA with SHA

SignedInfo(exc c14n)

ASN.1 DERformaat

SHA1 hash

160 bits

400 bits

Base64

SignatureValue

160 bits

karakters

3021300906052b0e03021a05000414

3031300d060960864801650304020105000420

SHA 256 -> 464 bits

private key

SOAP bericht

signedData SignedInfo

Header maken

SignatureValueCertificaatverwijzing

authenticationTokens

Header maken

wss:Security

Bericht maken

SOAP bericht

QURX_EX990011NL

Tokenauthenticatie

signedData SignedInfo SignatureValue

Certificaat

RSA / SHAsig maken

Bericht maken

SOAP bericht

QURX_EX990011NL

token makenSignedInfomaken

smartcard metprivate key

Tokenauthenticatie en xml signature in detail

Technology

ASHIMA KALRA INTRODUCTION OF XML INTRODUCTION OF XML XML FEATURES XML FEATURES XML SYNTAX XML SYNTAX XML ELEMENTS XML ELEMENTS XML ATTRIBUTES

Implementing PDF-based eIDAS trust services · • e-Signature: • Only for natural persons • Assimilation to handwritten signature ... XAdES EN319 132 ASiC ... • XML format

Secure Systems Research Group - FAU A Pattern for XML Signature Presented by Keiko Hashizume

HMRC NCTX XML Channel API - … · detail in this document (and the WSDL file) ... 2.4 Error Handling NCTS XML Channel-specific errors identified for each Web Service operation are

TS 101 903 - V1.3.2 - XML Advanced Electronic Signatures ...uri.etsi.org/01903/v1.3.2/ts_101903v010302p.pdf · 7 ETSI TS 101 903 V1.3.2 (2006-03) Currently, the IETF W3C XML-Signature

XML Signature

Product Specifications OFFICE SOLUTIONSstandardbusinessmachines.com/files/copier_iR_ADV_C5000Srs_Sp_Sh… · (Digital Signature), PDF (Reader Extensions), Office Open XML (OCR) I-Fax

B2B ELECTRONIC INVOICE - ARXivar · 1. Sending an XML invoice to IX FE 2. Monitoring and checking of the XML ˜le and mandatory ˜elds 3. Signature and transmission of invoice to

Digital Signature with Hashing and XML Signature …ceur-ws.org/Vol-566/E3_DigitalHashing.pdfE3 - 4 A Principal may be a process, a user, or an organization that is responsible for

XML Signature Syntax and Processing (Second Edition)

XML Booking Confirm From - INTTRA€¦ · Customer booking requests, via INTTRA‟s version of XML Confirmation Version 2.1. The following sections provide detail information regarding

XML Signature 2.0 Strawman Proposal

LNCS 4607 - A Method for Model Based Design of Rich ...€¦ · The XML Events is an events syntax for XML that provides XML-based lan- ... low level detail operations are to be performed

This project was supported by -DBGrant No. 2009-BX-K105 … Reference Architecture REST... · Message Integrity Nonstandard using digital signature WS-I Security Profile 1.1 XML Signature

Experience with XML Signature and Recommendations for future Development Prateek Mishra, Sep, 2007

PDF, ASiC and XML signature vulnerabilities

OVAL Definition Tutorial - NIST€¦ · TestsTests ObjectsObjects StatesStates VariablesVariables DefinitionsDefinitions Digital Signature XML Example. 15 Generator Section Information

Implementasi XML Signature pada Dokumen XML untuk ... XML Signature.pdf · XML documents have a structured format and they are machine-useable and human-readable. This causes the

XML Signature - unimi.it

How To Break XML Signature and XML Encryption...•SAML (Single Sign-On) •Custom applications •There are more attacks coming soon 27 XML Signature Wrapping - Conclusion OWASP Overview