SitePoint Sponsor

User Tag List

Results 1 to 6 of 6
  1. #1
    SitePoint Addict
    Join Date
    Mar 2006
    Posts
    200
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Decrypt XML sent encrypted. I have certificate.

    I am working on Single Sign On project. The identity provider is sending the SAMLResponse form variable BASE64 Encoded and I am able to verify the digital signature sent in the SAMLResponse Assertion XML document. So far so good.

    Now the issue is that, some part of the Assertion XML document is encrypted(see below) and they are sending the employee id in this encrypted element like this,

    I have modified the actual values in some elements.

    Code:
    <saml:EncryptedAttribute>
       <xenc:EncryptedData Id="_67767" Type="http://www.w3.org/2001/04/xmlenc#Element"; xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">;
          <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"; xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>;
             <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">;
                <ds:RetrievalMethod Type="http://www.w3.org/2001/04/xmlenc#EncryptedKey&quot...; URI="#_23232"/>
             </ds:KeyInfo>
             <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">;
                <xenc:CipherValue xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">;something
                </xenc:CipherValue>
             </xenc:CipherData>
       </xenc:EncryptedData>
    
       <xenc:EncryptedKey Id="_idhere" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">;
          <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"; xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>;
             <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">;
             <xenc:CipherValue xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">;cipher value here
             </xenc:CipherValue>
             </xenc:CipherData>
          <xenc:ReferenceList>
          <xenc:DataReference URI="#_uri here"/>
          </xenc:ReferenceList>
       </xenc:EncryptedKey>
    
    </saml:EncryptedAttribute>xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>;<xenc:CipherData" target="_blank">http://www.w3.org/2001/04/xmlenc#"/>;<xe... xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">;<xenc:CipherValue xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">;certificate sent here</xenc:CipherValue></xenc:CipherData><xenc:ReferenceList><xenc:DataReference URI="#_uri here"/></xenc:ReferenceList></xenc:EncryptedKey>
    </saml:EncryptedAttribute>
    I have been asked to get employee id from this encrypted xml text. What happens is that once you decrypt, you get an xml structure and you can easily find employee_id by parsing.

    Do you know how information in this encrypted XML can be decrypted? If you can suggest an algorithm or java method, then that will be great also. Once I have the decrypted xml part, then its easy to parse the xml to extract the employee_id.

    FYI, the clients certificate is with me and I have imported it into the keystore using java keytool. I am using this certificate to verifiy the digital signature in the assertion XML document.

    Also, I am using a java program to verify the digital signature. If you want, I can email that.

    Thanks,

  2. #2
    SitePoint Wizard
    Join Date
    Apr 2007
    Posts
    1,381
    Mentioned
    2 Post(s)
    Tagged
    0 Thread(s)
    Um... where's the encrypted part you're talking about?

  3. #3
    SitePoint Addict
    Join Date
    Mar 2006
    Posts
    200
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Hi,

    I modified the encrypted values... Do you need to see those?

    Code:
     <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">;
      <xenc:CipherValue xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">;something
       </xenc:CipherValue>
      </xenc:CipherData>
    Code:
    <xenc:CipherValue xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">;cipher value here
     </xenc:CipherValue>
    Let me know.

  4. #4
    SitePoint Wizard
    Join Date
    Apr 2007
    Posts
    1,381
    Mentioned
    2 Post(s)
    Tagged
    0 Thread(s)
    I think you're referring to SSL when you meant by certificate. If SSL handshake is sucessful it should automatically decrypt it for you. No reason to have encrypted value within normal xml messages. Sure, it may give additional security but you already have SSL encrypt/decrypt. NO need to encrypt the encrypted messages... Still the fact that you are receiving the response means that ssl is working correctly... If they did encrypt the value into xml, you gotta find what encoding algorithm they use.. weird solutions if this is true

  5. #5
    SiteP0int Weazle hooknc's Avatar
    Join Date
    Dec 2004
    Location
    Socialist Republic of Boulder
    Posts
    937
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by sg707 View Post
    weird solutions if this is true
    I could possibly see a few situations where companies would want to encrypt both the message and the data values...

    To protect sensitive data from an ssl man in the middle attack is the biggest one...

    Try to use ssl, which will stop all hops (except for the first and last) from reading the package and then encrypt the data inside in case someone is snooping on the first or last hops.

    Any other cases?
    baby steps... baby steps...

  6. #6
    SitePoint Addict
    Join Date
    Mar 2006
    Posts
    200
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    guys thanks for the reply,

    The problem is that the client would not change anything at there end. So any alternative method is not feasible.

    I need solution for decrypting data from that encrypted xml and as sg707 suggested, we need to know algorithm used by client.

    FYI,

    To explain how XML encryption works with asymmetric keys (public key encryption).

    Sender === client

    Receiver === me

    The usual way of doing public key encryption is that the sender encrypts data with the receiver's public key. The receiver can then decrypt it with the private key, thus ensuring privacy. However, encrypting an entire data stream using asymmetric keys is very expensive, so instead a symmetric (shared) key is generated by the sender. This key is then encrypted with the receiver's public key, and the data stream is then encrypted with the symmetric key.

    The asymmetric keys are usually created with the RSA algorithm while a popular choice for symmetric keys is 128 bit AES. In an encrypted XML structure, the data looks like this:

    Sample CODE:

    <xenc:EncryptedData xmlnsenc="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Element">
    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
    <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <xenc:EncryptedKey>
    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
    <xenc:CipherData>
    <xenc:CipherValue>
    W6U2DRN11Y/dbIMCEP....
    </xenc:CipherValue>
    </xenc:CipherData>
    </xenc:EncryptedKey>
    </ds:KeyInfo>
    <xenc:CipherData>
    <xenc:CipherValue>
    uK3fL7fFC/Y6GbXLwmFmLZcla8...
    </xenc:CipherValue>
    </xenc:CipherData>
    </xenc:EncryptedData>

    In other words, the EncryptedData element (which is a standard XML encryption element) contains a KeyInfo which holds the encrypted symmetric key and a CipherData element which contains data encrypted with the symmetric key. The first element tells us that the symmetric data is encrypted with 128 bit AES, and EncryptedData/KeyInfo/EncryptedKey/EncryptionMethod says that the key itself is encrypted with RSA.

    All this means that when encrypting an XML element, two keys must be used: A randomly generated, and the receiver's public key.

    Now when I receive the samlResponse i.e. the full xml Assertion document , I would

    1. decrypt the symmetric key using my certificate's private key
    2. Use this symmetric key to decrypt xml and get the employee id.

    So anyone got suggestions??? I need those badly. :-)


    Thanks,


Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •