Beruflich Dokumente
Kultur Dokumente
• What is security?
• Web security
Programming Mobile Devices
• XML and Web services security
Security • Security in Java, MIDP
Jacek Kopecký
jacek.kopecky@deri.org
Confidentiality, Privacy,
Authorization
Non-repudiation
• Authorization – giving access to peer • Alice wants to send something to Bob, nobody else
• “Alice allows Bob to do certain things” • Revealing as little as possible from communication
to eavesdroppers
• Authenticated (known) peer • Private channel – hides data (usually encryption)
• Allowing or blocking an action • Various levels
• In a bank – access to your account, not others • Encrypted channel from you to mail server
• Encrypted email body, open headers
• Authorization requires authentication
• Privacy goes further
• Anonymizer proxy – hides user identity, behavior
• Non-repudiation
• Alice cannot deny sending something to Bob (digsig)
• Auditing, contracting
1
Intrusion prevention, detection
Web Security Overview
Risk assessment
• Security breaches • HTTP Authentication
• Viruses, worms, trojans etc. • HTTPS
2
XML Encryption XML Encryption
Hiding Whole XML Documents Hiding Elements
<EncryptedData <PaymentInfo xmlns='http://example.org/paymentv2'>
xmlns='http://www.w3.org/2001/04/xmlenc#'> <Name>John Smith</Name>
<CipherData> <EncryptedData
<CipherValue>A23B45C56</CipherValue> Type='http://www.w3.org/2001/04/xmlenc#Element'
</CipherData> xmlns='http://www.w3.org/2001/04/xmlenc#'>
</EncryptedData> <CipherData>
<CipherValue>A23B45C56</CipherValue>
</CipherData>
</EncryptedData>
</PaymentInfo>
XML Encryption
XML Signature
Hiding Element Content
<PaymentInfo xmlns='http://example.org/paymentv2'> • Digest of data, protected with encryption
<Name>John Smith</Name>
<CreditCard Limit='5,000' Currency='USD'> • Creating digital signature (roughly):
<EncryptedData xmlns='http://www.w3.org/2001/04/xmlenc#' • Digest the data
Type='http://www.w3.org/2001/04/xmlenc#Content'>
<CipherData>
• Encrypt the digest (with private or shared key)
<CipherValue>A23B45C56</CipherValue> • The encrypted result is the signature
</CipherData>
</EncryptedData>
</CreditCard>
</PaymentInfo>
3
XML Key Management,
Web Services Security
XACML, SAML
• XKMS – XML Key Management Specification • WS-Security specification
• Distributing and registering public keys • Puts all the above together in SOAP
• Minimizing complexity of using XML Signature • Runtime specifications
• WS-SecurityPolicy
• XACML – eXtensible Access Control Markup • Describes security policies of Web services
Language
• Design/deployment-time
• Authorization policies
• SAML – Security Assertion Markup Language
• Authentication, transfer of authentication and authorization
decisions
4
Java Security API Java Security API
Creating Digital Signatures Verifying Digital Signatures
PrivateKey privatekey = PublicKey publickey =
(PrivateKey)KeyTools.readFromFile(filePrivate); (PublicKey)KeyTools.readFromFile(filePublic);
Signature signature = Signature.getInstance("DSA"); Signature signature = Signature.getInstance("DSA");
signature.initSign(privatekey); signature.initVerify(publickey);
int n = 0; int n = 0;
byte [] bytes = new byte [1000]; byte [] bytes = new byte [1000];
while ((n = inputstream.read(bytes)) > -1) while ((n = inputstream.read(bytes)) > -1)
{ {
signature.update(bytes, 0, n); signature.update(bytes, 0, n);
} }
bytes [] signdata = signature.sign(); boolean result = signature.verify(signdata);
5
Summary
• Security is a complex topic
• Nothing is totally secure – price trade-off
• Social engineering, brute force, physical force
• Web security solves authentication and
confidentiality
• XML security adds non-repudiation, authorization,
identity federation
• XML security also applies to Web services