1 Thuy, Le Huu | Pentalog VN Web Services Security

2 Agenda Cryptography Concepts – Cryptographic Algorithms Cryptographic Operations – Data Privacy – Data Integrity, Authenticity, and Non-repudiation Basics of Digital Certificates and Certificate Authority – What is a Digital Certificate – Certificate Purposes Create Your Own Certificate and CA WS Security Implementation Using Apache CXF and Spring

3 Cryptography Concepts Cryptography is the art and science of keeping data secure. Cryptographic services help ensure data privacy, maintain data integrity, authenticate communicating parties, and prevent repudiation (when a party refutes having sent a message). Three major areas of concern: privacy, authentication, and integrity are addressed using Cryptography.

4 Cryptography Concepts Basic encryption allows you to store information or to communicate with other parties while preventing non- involved parties from understanding the stored information or understanding the communication Encryption transforms understandable text (plaintext) into an unintelligible piece of data (ciphertext). Decryption restores the understandable text from the unintelligible data Both functions involve a mathematical formula (the algorithm) and secret data (the key).

5 Cryptographic Algorithms Symmetric key algorithm – With a secret or symmetric key algorithm, the key is a shared secret between two communicating parties. Encryption and decryption both use the same key

6 Cryptographic Algorithms Asymmetric key algorithm – One of the keys, the private key, is kept secret and not shared with anyone. The other key, the public key, is not secret and can be shared with anyone

7 Cryptographic Algorithms

8 Cryptographic Operations Data Privacy – Encryption/Decryption Field/Message level encryption: The user application completely controls key generation, selection, distribution, and what data to encrypt Session level encryption: SSL or HTTPS is such sesion level encryption Link Level encryption: Usually by specialized hardware. Bank ATM networks may implement hardware encryption – Translate The translate operation is used to decrypt data from encryption under one key to encryption under another key. This is done in one step to avoid exposing the plaintext data within the application program

9 Cryptographic Operations Data Integrity, Authenticity, and Non-repudiation – Hash (Message Digest)

10 Cryptographic Operations Data Integrity, Authenticity, and Non-repudiation – HMAC (Hash MAC), MAC (Message Authentication Code)

11 Cryptographic Operations Data Integrity, Authenticity, and Non-repudiation – Sign/Verify

12 Basics of Digital Certificates and Certificate Authority What is a Digital Certificate – Digital certificates are electronic credentials that are used to assert the online identities of individuals, computers, and other entities on a network. – Digital certificates function similarly to identification cards such as passports and drivers licenses. – Most commonly they contain a public key and the identity of the owner. They are issued by certification authorities (CAs) that must validate the identity of the certificate-holder both before the certificate is issued and when the certificate is used. – Common uses include business scenarios requiring authentication, encryption, and digital signing

13 Digital Certificate

14 Digital Certificate

15 Certificate Purposes Encryption. A certificate with this purpose will contain cryptographic keys for encryption and decryption. Signature. A certificate with this purpose will contain cryptographic keys for signing data only. Signature and encryption. A certificate with this purpose covers all primary uses of a certificate’s cryptographic key, including encryption of data, decryption of data, initial logon, or digitally signing data. Signature and smartcard logon. A certificate with this purpose allows for initial logon with a smart card, and digitally signing data; it cannot be used for data encryption.

16 Create Your Own Certificate and CA Java Keytool: Generate a Key Pair, Your Self-Signed Certificate OpenSSL: Set Up a Certificate Authority keytool -genkey -alias client -keystore /pressf5/ClientKeyStore.jks -keyalg RSA -sigalg SHA1withRSA //password: client-pass and key-pass keytool -genkey -alias server -keystore /pressf5/ServerKeyStore.jks -keyalg RSA -sigalg SHA1withRSA //password: server-pass and key-pass keytool -export -alias client -file /pressf5/certfile.cer -keystore /pressf5/ClientKeyStore.jks keytool -export -alias server -file /pressf5/scertfile.cer -keystore /pressf5/ServerKeyStore.jks keytool -import -alias server -file /pressf5/scertfile.cer -keystore /pressf5/ClientKeyStore.jks keytool -import -alias client -file /pressf5/certfile.cer -keystore /pressf5/ServerKeyStore.jks openssl x509 -signkey cakey.pem -req -days in careq.pem -out caroot.cer -extensions v3_ca

17 WS Security Implementation Apache CXF for server both Soap and Rest – UsernameToken – Timestamp – Signature – Encrypt Deploy on Tomcat Server – HTTP – SSL/HTTPS Intergrated with Spring Apache CXF client for Soap, Jersey for client Rest

18 Link Reference SOAP SERVICE – – REST SERVICE – – e.cxf.systests/cxf-systests-rs- security/2.5.2/org/apache/cxf/systest/jaxrs/security/bob.prope rties?av=f e.cxf.systests/cxf-systests-rs- security/2.5.2/org/apache/cxf/systest/jaxrs/security/bob.prope rties?av=f – – secure-restful-web-services-using-jersey-client secure-restful-web-services-using-jersey-client

19 Thank You