Token authentication and XML Signature in detail

Published in: Technology, News & Politics

  1. Token authentication & XML Signature in detail
  2. Token authentication
     Diagram labels: smartcard with private key; certificate; QURX_EX990011NL; create token; create SignedInfo; RSA / SHA; create sig; signedData; SignedInfo; SignatureValue; create message; SOAP message
  3. Transformation XML 2 SignedData
     Diagram labels: VerstrekkingsLijstquery; QURX_IN990111NL_01.xml; signedData.xsl; signedData; QURX_IN990111NL_01_signedData.xml
  4. VerstrekkingsLijstquery
  5. signedData
     • X.509 Strong Authentication
       • message id: nonce; unique identification of message (if duplicate removal has already taken place)
       • notBefore & notAfter: time to live; security semantics can expire; time to store & check nonce
       • addressedParty: replay against other receivers
     • Link to message
       • BSN: for patient-related messages
       • Trigger Event Id: version-independent, unlike InteractionId
  6. signedData.xml (pretty print)
  7. Token versus file
  8. Whitespace removed
     Diagram labels: signedData; QURX_IN990111NL_01_signedData.xml; remove-whitespace-between-elements.xsl; signedData; QURX_IN990111NL_01_signedData.xml
  9. Exclusive Canonicalization
     Diagram labels: signedData; QURX_IN990111NL_01_signedData.xml; excc14n (Oxygen used); signedData; excc14n; signedData_excc14n.xml
  10. Exclusive Canonicalization
  11. Exclusive Canonicalization
     • Double quotes instead of single quotes
     • Namespace declarations before attributes
     • Namespaces sorted alphabetically
     • Linefeed, no carriage return or CR/LF
     • No Byte Order Mark
     • UTF-8
  12. Signed Info element
     Diagram labels: signedData; excc14n; signedData_excc14n.xml; bits; SignedInfo template; SHA1 hash; wsu Id; 160 bits; create SignedInfo; Base64; characters; SignedInfo; SignedInfo.xml
  13. SHA: Cryptographic hash
     Wikipedia: A cryptographic hash function is a deterministic procedure that takes an arbitrary block of data and returns a fixed-size bit string, the (cryptographic) hash value, such that an accidental or intentional change to the data will change the hash value.
  14. SHA
     • SHA1 ... SHA256
     • 1995: SHA-1 NSA
     • 2005: weaknesses discovered in SHA-1
     • 2001: SHA-2 (225, 256, 384, 512)
     • 2008 – 12: SHA-3, open competition
     • SHA-1 input: message, maximum (2^64 − 1) bits
     • SHA-1 output: 160 bits
  15. Base 64
     • UTF-8: not all octets are allowed!
     • Ergo: binary data cannot simply be placed in XML / UTF-8
     • Solution: bits -> characters
     • RFC2045 (MIME) alphabet: [A-Z][a-z][0-9]+/
  16. SHA + Base64
     Diagram labels: Input (bits); SHA1 (160 bits); 4vBP5K5M5llABaWYzxCrKIdjS2I=; Base 64
  17. SignedInfo
  18. RSA with SHA
     Diagram labels: SignedInfo (exc c14n); private key; bits; SHA1 hash; 400 bits; RSA; 160 bits; 408 bits; ASN.1 DER format; Base64; 3021300906052b0e03021a05000414; characters; 3031300d060960864801650304020105000420; SignatureValue; SHA 256 -> 464 bits
  19. Diagram labels: Sender; Receiver; “Hello world”; “Hello world”; SHA-1 hash: 5llABaWYzxCrKIdjS...; Public key: MIICHzCCAYygAwIBAgI.....; OK; Private key: shhhh.....; RSA sig value: c9fVK7vYAdvs2DRZVtS...; RSA sig value: c9fVK7vYAdvs2DRZVtS...
  20.
  21. Security Services (X.800)
     • Authentication
     • Authorization
     • Data Confidentiality
     • Data Integrity
     • Non-repudiation
  22. Security services
  23. Key usage
  24. SOAP message
     Diagram labels: signedData; SignedInfo; SignatureValue; certificate reference; QURX_EX990011NL; create header; create header; authentication tokens; wss:Security; create message; SOAP message
  25. SOAP message
  26.
  27. Transformation XML 2 SignedData
     Diagram labels: VerstrekkingsLijstquery; QURX_IN990111NL_01.xml; signedData.xsl; signedData; QURX_IN990111NL_01_signedData.xml
  28. Whitespace removed
     Diagram labels: signedData; QURX_IN990111NL_01_signedData.xml; remove-whitespace-between-elements.xsl; signedData; QURX_IN990111NL_01_signedData.xml
  29. Exclusive Canonicalization
     Diagram labels: signedData; QURX_IN990111NL_01_signedData.xml; excc14n (Oxygen used); signedData; excc14n; signedData_excc14n.xml
  30. Signed Info element
     Diagram labels: signedData; excc14n; signedData_excc14n.xml; bits; SignedInfo template; SHA1 hash; wsu Id; 160 bits; create SignedInfo; Base64; characters; SignedInfo; SignedInfo.xml
  31. RSA with SHA
     Diagram labels: SignedInfo (exc c14n); private key; bits; SHA1 hash; 400 bits; RSA; 160 bits; 160 bits; ASN.1 DER format; Base64; 3021300906052b0e03021a05000414; characters; 3031300d060960864801650304020105000420; SignatureValue; SHA 256 -> 464 bits
  32. SOAP message
     Diagram labels: signedData; SignedInfo; SignatureValue; certificate reference; QURX_EX990011NL; create header; create header; authentication tokens; wss:Security; create message; SOAP message
  33. Token authentication
     Diagram labels: smartcard with private key; certificate; QURX_EX990011NL; create token; create SignedInfo; RSA / SHA; create sig; signedData; SignedInfo; SignatureValue; create message; SOAP message
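
The signing steps of slides 12 to 19 (digest of the canonical signedData, SignedInfo, DigestInfo prefix, RSA, receiver check), as an added Python example that is not part of the original deck. The RSA key is a constructed, insecure demo key, the `token` Id and the SignedInfo layout are assumptions, and the input bytes are taken to be already canonicalized.

```python
import base64
import hashlib

# DigestInfo DER prefixes, given as hex on the "RSA with SHA" slide.
PREFIX = {"sha1": bytes.fromhex("3021300906052b0e03021a05000414"),
          "sha256": bytes.fromhex("3031300d060960864801650304020105000420")}

# Constructed, INSECURE demo key from two Mersenne primes (assumption for this
# example only); in the deck the private key stays on the smartcard.
P, Q, E = 2**127 - 1, 2**521 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8  # modulus length in bytes
DS = "http://www.w3.org/2000/09/xmldsig#"
EXC = "http://www.w3.org/2001/10/xml-exc-c14n#"

def digest_value(c14n_bytes, alg="sha1"):
    """Base64 of the hash over the canonical bytes (DigestValue)."""
    return base64.b64encode(hashlib.new(alg, c14n_bytes).digest()).decode()

def signed_info(digest_b64, ref_id="token"):
    """SignedInfo written directly in canonical form; ref_id is hypothetical."""
    def empty(tag, uri):
        return f'<ds:{tag} Algorithm="{uri}"></ds:{tag}>'
    return (f'<ds:SignedInfo xmlns:ds="{DS}">'
            + empty("CanonicalizationMethod", EXC)
            + empty("SignatureMethod", DS + "rsa-sha1")
            + f'<ds:Reference URI="#{ref_id}"><ds:Transforms>'
            + empty("Transform", EXC) + "</ds:Transforms>"
            + empty("DigestMethod", DS + "sha1")
            + f"<ds:DigestValue>{digest_b64}</ds:DigestValue>"
            + "</ds:Reference></ds:SignedInfo>").encode("utf-8")

def encode(message, alg="sha1"):
    """EMSA-PKCS1-v1_5: 00 01 FF..FF 00 || DigestInfo prefix || hash."""
    t = PREFIX[alg] + hashlib.new(alg, message).digest()
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t

def sign(si_bytes, alg="sha1"):
    """SignatureValue: private-key operation on the encoded DigestInfo."""
    m = int.from_bytes(encode(si_bytes, alg), "big")
    return base64.b64encode(pow(m, D, N).to_bytes(K, "big")).decode()

def verify(si_bytes, sig_b64, alg="sha1"):
    """Receiver: public-key operation, then compare with a fresh encoding."""
    s = int.from_bytes(base64.b64decode(sig_b64), "big")
    return pow(s, E, N).to_bytes(K, "big") == encode(si_bytes, alg)
```

A carriage return or a byte order mark in the input changes `digest_value`, which is why the canonical form on slide 11 has to be produced before hashing.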
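
The receiver-side checks implied by the signedData fields on slide 5 (message id as nonce, notBefore/notAfter, addressedParty), as an added Python example that is not part of the original deck. The class names, the `max_ttl` policy limit and the sample values are assumptions; the checks are meant to run after the signature has been verified.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Token:
    """Fields named on the signedData slide; the Python types are assumptions."""
    message_id: str
    not_before: datetime
    not_after: datetime
    addressed_party: str


class TokenChecker:
    def __init__(self, own_id, max_ttl=timedelta(minutes=5)):
        self.own_id = own_id      # identity this receiver answers to
        self.max_ttl = max_ttl    # hypothetical local policy limit
        self.seen = {}            # message id -> notAfter

    def check(self, tok, now):
        # A nonce only has to be remembered until its token expires.
        self.seen = {m: exp for m, exp in self.seen.items() if exp >= now}
        if tok.addressed_party != self.own_id:
            return "rejected: addressed to another receiver"
        if tok.not_after - tok.not_before > self.max_ttl:
            return "rejected: time to live too long"
        if not tok.not_before <= now <= tok.not_after:
            return "rejected: outside validity window"
        if tok.message_id in self.seen:
            return "rejected: message id already used"
        self.seen[tok.message_id] = tok.not_after
        return "accepted"


# Constructed sample values.
T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE = Token("msg-0001", T0, T0 + timedelta(minutes=2), "receiver-A")
```

A short time to live keeps the nonce store small, because entries can be dropped as soon as `not_after` has passed.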
