SlideShare ist ein Scribd-Unternehmen logo

Tokenauthenticatie en xml signature in detail

Als PPTX, PDF herunterladen
Marc de Graauw
Marc de Graauw
TechnologieNews & Politik
1 von 33
Tokenauthenticatie& XML Signaturein detail
Tokenauthenticatie smartcard met private key Certificaat QURX_ EX990011NL token maken SignedInfo maken RSA / SHA sig maken signedData SignedInfo SignatureValue Bericht maken SOAP bericht
Transformatie XML 2 SignedData Verstrekkings- Lijstquery QURX_IN990111NL_01.xml signedData.xsl signedData QURX_IN990111NL_01_signedData.xml
VerstrekkingsLijstquery
signedData X.509 Strong Authentication message id nonce unieke indentificatie van bericht (if duplicate removal has already taken place) notBefore & notAfter time to live security semantics can expire time to store & check nonce addressedParty replay against other receivers Koppeling met bericht BSN voor patiëntgerelateerde berichten Trigger Event Id versieonafhankelijk, itt. InteractionId
signedData.xml (pretty print)
Token versus bestand
Whitespace eruit signedData QURX_IN990111NL_01_signedData.xml remove- whitespace- between- elements.xsl signedData QURX_IN990111NL_01_signedData.xml
Exclusive Canonicalization signedData QURX_IN990111NL_01_signedData.xml excc14n (Oxygen gebruikt) signedData excc14n signedData_ excc14n.xml
Exclusive Canonicalization
Exclusive Canonicalization Dubbele quotes ipv. enkele Namespace declaraties vóór attributen Namespaces alfabetisch rangschikken Linefeed, geen carriage return of CR/LF Geen Byte Order Mark UTF-8
Signed Info element signedData excc14n signedData_ excc14n.xml bits SignedInfo template SHA1 hash wsu Id 160 bits maken SignedInfo Base64 karakters SignedInfo SignedInfo.xml
SHA: Cryptographic hash Wikipedia: A cryptographic hash function is a deterministic procedure that takes an arbitrary block of data and returns a fixed-size bit string, the (cryptographic) hash value, such that an accidental or intentional change to the data will change the hash value.
SHA SHA1 ... SHA256 1995: SHA-1 NSA 2005: zwaktes in SHA-1 ontdekt 2001: SHA-2 (225, 256, 384, 512) 2008 – 12: SHA-3, open competitie SHA-1 input: message maximum (264 − 1) bits output: 160 bits
Base 64 UTF-8: niet alle octets zijn toegestaan! Ergo: binaire data kunnen niet zomaar in XML / UTF-8 Oplossing: bits -> karakters RFC2045 (MIME) alfabet: [A-Z][a-z][0-9]+/
SHA + Base64 Input (bits) SHA1 (160 bits) 4vBP5K5M5llABaWYzxCrKIdjS2I= Base 64
SignedInfo
RSA with SHA SignedInfo (exc c14n) private key bits SHA1 hash 400 bits RSA 160 bits 408 bits ASN.1 DER formaat Base64 3021300906 052b0e0302 1a05000414 karakters 3031300d06 0960864801 6503040201 05000420 SignatureValue SHA 256 -> 464 bits
Sender Receiver “Hello world” “Hello world” SHA-1 hash: 5llABaWYz xCrKIdjS... Public key: MIICHzCCAY ygAwIBAgI..... OK Private key: shhhh..... RSA sig value: c9fVK7vYAdv s2DRZVtS... RSA sig value: c9fVK7vYAdv s2DRZVtS...
Security Services (X.800) Authentication Authorization Data Confidentiality Data Integrity Non-repudiation
Security services
Key usage
SOAP bericht signedData SignedInfo SignatureValue Certificaat verwijzing QURX_ EX990011NL Header maken Header maken authentication Tokens wss:Security Bericht maken SOAP bericht
SOAP bericht
Transformatie XML 2 SignedData Verstrekkings- Lijstquery QURX_IN990111NL_01.xml signedData.xsl signedData QURX_IN990111NL_01_signedData.xml
Whitespace eruit signedData QURX_IN990111NL_01_signedData.xml remove- whitespace- between- elements.xsl signedData QURX_IN990111NL_01_signedData.xml
Exclusive Canonicalization signedData QURX_IN990111NL_01_signedData.xml excc14n (Oxygen gebruikt) signedData excc14n signedData_ excc14n.xml
Signed Info element signedData excc14n signedData_ excc14n.xml bits SignedInfo template SHA1 hash wsu Id 160 bits maken SignedInfo Base64 karakters SignedInfo SignedInfo.xml
RSA with SHA SignedInfo (exc c14n) private key bits SHA1 hash 400 bits RSA 160 bits 160 bits ASN.1 DER formaat Base64 3021300906 052b0e0302 1a05000414 karakters 3031300d06 0960864801 6503040201 05000420 SignatureValue SHA 256 -> 464 bits
SOAP bericht signedData SignedInfo SignatureValue Certificaat verwijzing QURX_ EX990011NL Header maken Header maken authentication Tokens wss:Security Bericht maken SOAP bericht
Tokenauthenticatie smartcard met private key Certificaat QURX_ EX990011NL token maken SignedInfo maken RSA / SHA sig maken signedData SignedInfo SignatureValue Bericht maken SOAP bericht

Empfohlen

Apple tree
Apple treeApple tree
Apple treeBehta Mirjany
 
Road map to tap global opportunities feb 2015
Road map to tap global opportunities feb 2015Road map to tap global opportunities feb 2015
Road map to tap global opportunities feb 2015CA George Kurian
 
Project mercury
Project mercuryProject mercury
Project mercurymstcmath
 
Lynx
LynxLynx
LynxAimeeJ
 
Branded Facebook Landing Pages
Branded Facebook Landing PagesBranded Facebook Landing Pages
Branded Facebook Landing Pagesmarcogiordano
 
Informe conclusiones think tank aplicaciones móviles y turismo
Informe conclusiones think tank aplicaciones móviles y turismoInforme conclusiones think tank aplicaciones móviles y turismo
Informe conclusiones think tank aplicaciones móviles y turismoTurismo.as
 
Turismo.as, Winning Tourism Strategist
Turismo.as, Winning Tourism StrategistTurismo.as, Winning Tourism Strategist
Turismo.as, Winning Tourism StrategistTurismo.as
 
Apollo- Megan O'Neil
Apollo- Megan O'NeilApollo- Megan O'Neil
Apollo- Megan O'Neilmstcmath
 

Empfohlen

Apple tree
Apple treeApple tree
Apple treeBehta Mirjany
 
Road map to tap global opportunities feb 2015
Road map to tap global opportunities feb 2015Road map to tap global opportunities feb 2015
Road map to tap global opportunities feb 2015CA George Kurian
 
Project mercury
Project mercuryProject mercury
Project mercurymstcmath
 
Lynx
LynxLynx
LynxAimeeJ
 
Branded Facebook Landing Pages
Branded Facebook Landing PagesBranded Facebook Landing Pages
Branded Facebook Landing Pagesmarcogiordano
 
Informe conclusiones think tank aplicaciones móviles y turismo
Informe conclusiones think tank aplicaciones móviles y turismoInforme conclusiones think tank aplicaciones móviles y turismo
Informe conclusiones think tank aplicaciones móviles y turismoTurismo.as
 
Turismo.as, Winning Tourism Strategist
Turismo.as, Winning Tourism StrategistTurismo.as, Winning Tourism Strategist
Turismo.as, Winning Tourism StrategistTurismo.as
 
Apollo- Megan O'Neil
Apollo- Megan O'NeilApollo- Megan O'Neil
Apollo- Megan O'Neilmstcmath
 
Elektronische handtekening in de zorg
Elektronische handtekening in de zorgElektronische handtekening in de zorg
Elektronische handtekening in de zorgMarc de Graauw
 
Authentication and signatures overview
Authentication and signatures overviewAuthentication and signatures overview
Authentication and signatures overviewMarc de Graauw
 
Identiteit in de ict
Identiteit in de ictIdentiteit in de ict
Identiteit in de ictMarc de Graauw
 
Reliable messaging
Reliable messagingReliable messaging
Reliable messagingMarc de Graauw
 
Overzicht aorta
Overzicht aortaOverzicht aorta
Overzicht aortaMarc de Graauw
 
Hl7v3 schema issues
Hl7v3 schema issuesHl7v3 schema issues
Hl7v3 schema issuesMarc de Graauw
 
Hl7v3 and web services
Hl7v3 and web servicesHl7v3 and web services
Hl7v3 and web servicesMarc de Graauw
 
XML tekortkomingen en pluspunten
XML tekortkomingen en pluspuntenXML tekortkomingen en pluspunten
XML tekortkomingen en pluspuntenMarc de Graauw
 
Versioning theory
Versioning theoryVersioning theory
Versioning theoryMarc de Graauw
 
Versiecontrole in de keten
Versiecontrole in de ketenVersiecontrole in de keten
Versiecontrole in de ketenMarc de Graauw
 
Unicode
UnicodeUnicode
UnicodeMarc de Graauw
 
Luister niet naar de gebruiker
Luister niet naar de gebruikerLuister niet naar de gebruiker
Luister niet naar de gebruikerMarc de Graauw
 
Overzicht hl7v3
Overzicht hl7v3Overzicht hl7v3
Overzicht hl7v3Marc de Graauw
 
THE BEST IPTV in GERMANY for 2024: IPTVreel
THE BEST IPTV in GERMANY for 2024: IPTVreelTHE BEST IPTV in GERMANY for 2024: IPTVreel
THE BEST IPTV in GERMANY for 2024: IPTVreelreely ones
 
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptxUnpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptxDavid Michel
 
Buy Epson EcoTank L3210 Colour Printer Online.pptx
Buy Epson EcoTank L3210 Colour Printer Online.pptxBuy Epson EcoTank L3210 Colour Printer Online.pptx
Buy Epson EcoTank L3210 Colour Printer Online.pptxEasyPrinterHelp
 
Free and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
Free and Effective: Making Flows Publicly Accessible, Yumi IbrahimzadeFree and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
Free and Effective: Making Flows Publicly Accessible, Yumi IbrahimzadeCzechDreamin
 
Syngulon - Selection technology May 2024.pdf
Syngulon - Selection technology May 2024.pdfSyngulon - Selection technology May 2024.pdf
Syngulon - Selection technology May 2024.pdfSyngulon
 
UiPath Test Automation using UiPath Test Suite series, part 1
UiPath Test Automation using UiPath Test Suite series, part 1UiPath Test Automation using UiPath Test Suite series, part 1
UiPath Test Automation using UiPath Test Suite series, part 1DianaGray10
 
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdfThe Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdfFIDO Alliance
 
Connecting the Dots in Product Design at KAYAK
Connecting the Dots in Product Design at KAYAKConnecting the Dots in Product Design at KAYAK
Connecting the Dots in Product Design at KAYAKUXDXConf
 
PLAI - Acceleration Program for Generative A.I. Startups
PLAI - Acceleration Program for Generative A.I. StartupsPLAI - Acceleration Program for Generative A.I. Startups
PLAI - Acceleration Program for Generative A.I. StartupsStefano
 

Weitere ähnliche Inhalte

Mehr von Marc de Graauw

Elektronische handtekening in de zorg
Elektronische handtekening in de zorgElektronische handtekening in de zorg
Elektronische handtekening in de zorgMarc de Graauw
 
Authentication and signatures overview
Authentication and signatures overviewAuthentication and signatures overview
Authentication and signatures overviewMarc de Graauw
 
Hl7v3 and web services
Hl7v3 and web servicesHl7v3 and web services
Hl7v3 and web servicesMarc de Graauw
 
XML tekortkomingen en pluspunten
XML tekortkomingen en pluspuntenXML tekortkomingen en pluspunten
XML tekortkomingen en pluspuntenMarc de Graauw
 
Versiecontrole in de keten
Versiecontrole in de ketenVersiecontrole in de keten
Versiecontrole in de ketenMarc de Graauw
 
Luister niet naar de gebruiker
Luister niet naar de gebruikerLuister niet naar de gebruiker
Luister niet naar de gebruikerMarc de Graauw
 

Mehr von Marc de Graauw (13)

Elektronische handtekening in de zorg
Elektronische handtekening in de zorgElektronische handtekening in de zorg
Elektronische handtekening in de zorg
 
Authentication and signatures overview
Authentication and signatures overviewAuthentication and signatures overview
Authentication and signatures overview
 
Identiteit in de ict
Identiteit in de ictIdentiteit in de ict
Identiteit in de ict
 
Reliable messaging
Reliable messagingReliable messaging
Reliable messaging
 
Overzicht aorta
Overzicht aortaOverzicht aorta
Overzicht aorta
 
Hl7v3 schema issues
Hl7v3 schema issuesHl7v3 schema issues
Hl7v3 schema issues
 
Hl7v3 and web services
Hl7v3 and web servicesHl7v3 and web services
Hl7v3 and web services
 
XML tekortkomingen en pluspunten
XML tekortkomingen en pluspuntenXML tekortkomingen en pluspunten
XML tekortkomingen en pluspunten
 
Versioning theory
Versioning theoryVersioning theory
Versioning theory
 
Versiecontrole in de keten
Versiecontrole in de ketenVersiecontrole in de keten
Versiecontrole in de keten
 
Unicode
UnicodeUnicode
Unicode
 
Luister niet naar de gebruiker
Luister niet naar de gebruikerLuister niet naar de gebruiker
Luister niet naar de gebruiker
 
Overzicht hl7v3
Overzicht hl7v3Overzicht hl7v3
Overzicht hl7v3
 

Kürzlich hochgeladen

THE BEST IPTV in GERMANY for 2024: IPTVreel
THE BEST IPTV in GERMANY for 2024: IPTVreelTHE BEST IPTV in GERMANY for 2024: IPTVreel
THE BEST IPTV in GERMANY for 2024: IPTVreelreely ones
 
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptxUnpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptxDavid Michel
 
Buy Epson EcoTank L3210 Colour Printer Online.pptx
Buy Epson EcoTank L3210 Colour Printer Online.pptxBuy Epson EcoTank L3210 Colour Printer Online.pptx
Buy Epson EcoTank L3210 Colour Printer Online.pptxEasyPrinterHelp
 
Free and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
Free and Effective: Making Flows Publicly Accessible, Yumi IbrahimzadeFree and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
Free and Effective: Making Flows Publicly Accessible, Yumi IbrahimzadeCzechDreamin
 
Syngulon - Selection technology May 2024.pdf
Syngulon - Selection technology May 2024.pdfSyngulon - Selection technology May 2024.pdf
Syngulon - Selection technology May 2024.pdfSyngulon
 
UiPath Test Automation using UiPath Test Suite series, part 1
UiPath Test Automation using UiPath Test Suite series, part 1UiPath Test Automation using UiPath Test Suite series, part 1
UiPath Test Automation using UiPath Test Suite series, part 1DianaGray10
 
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdfThe Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdfFIDO Alliance
 
Connecting the Dots in Product Design at KAYAK
Connecting the Dots in Product Design at KAYAKConnecting the Dots in Product Design at KAYAK
Connecting the Dots in Product Design at KAYAKUXDXConf
 
PLAI - Acceleration Program for Generative A.I. Startups
PLAI - Acceleration Program for Generative A.I. StartupsPLAI - Acceleration Program for Generative A.I. Startups
PLAI - Acceleration Program for Generative A.I. StartupsStefano
 
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdfHow Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdfFIDO Alliance
 
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdfIntroduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdfFIDO Alliance
 
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...FIDO Alliance
 
Speed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in MinutesSpeed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in Minutesconfluent
 
ECS 2024 Teams Premium - Pretty Secure
ECS 2024 Teams Premium - Pretty SecureECS 2024 Teams Premium - Pretty Secure
ECS 2024 Teams Premium - Pretty SecureFemke de Vroome
 
Extensible Python: Robustness through Addition - PyCon 2024
Extensible Python: Robustness through Addition - PyCon 2024Extensible Python: Robustness through Addition - PyCon 2024
Extensible Python: Robustness through Addition - PyCon 2024Patrick Viafore
 
The UX of Automation by AJ King, Senior UX Researcher, Ocado
The UX of Automation by AJ King, Senior UX Researcher, OcadoThe UX of Automation by AJ King, Senior UX Researcher, Ocado
The UX of Automation by AJ King, Senior UX Researcher, OcadoUXDXConf
 
Optimizing NoSQL Performance Through Observability
Optimizing NoSQL Performance Through ObservabilityOptimizing NoSQL Performance Through Observability
Optimizing NoSQL Performance Through ObservabilityScyllaDB
 
The Metaverse: Are We There Yet?
The Metaverse: Are We There Yet?The Metaverse: Are We There Yet?
The Metaverse: Are We There Yet?Mark Billinghurst
 
Strategic AI Integration in Engineering Teams
Strategic AI Integration in Engineering TeamsStrategic AI Integration in Engineering Teams
Strategic AI Integration in Engineering TeamsUXDXConf
 
UiPath Test Automation using UiPath Test Suite series, part 2
UiPath Test Automation using UiPath Test Suite series, part 2UiPath Test Automation using UiPath Test Suite series, part 2
UiPath Test Automation using UiPath Test Suite series, part 2DianaGray10
 

Kürzlich hochgeladen (20)

THE BEST IPTV in GERMANY for 2024: IPTVreel
THE BEST IPTV in GERMANY for 2024: IPTVreelTHE BEST IPTV in GERMANY for 2024: IPTVreel
THE BEST IPTV in GERMANY for 2024: IPTVreel
 
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptxUnpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
 
Buy Epson EcoTank L3210 Colour Printer Online.pptx
Buy Epson EcoTank L3210 Colour Printer Online.pptxBuy Epson EcoTank L3210 Colour Printer Online.pptx
Buy Epson EcoTank L3210 Colour Printer Online.pptx
 
Free and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
Free and Effective: Making Flows Publicly Accessible, Yumi IbrahimzadeFree and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
Free and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
 
Syngulon - Selection technology May 2024.pdf
Syngulon - Selection technology May 2024.pdfSyngulon - Selection technology May 2024.pdf
Syngulon - Selection technology May 2024.pdf
 
UiPath Test Automation using UiPath Test Suite series, part 1
UiPath Test Automation using UiPath Test Suite series, part 1UiPath Test Automation using UiPath Test Suite series, part 1
UiPath Test Automation using UiPath Test Suite series, part 1
 
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdfThe Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
 
Connecting the Dots in Product Design at KAYAK
Connecting the Dots in Product Design at KAYAKConnecting the Dots in Product Design at KAYAK
Connecting the Dots in Product Design at KAYAK
 
PLAI - Acceleration Program for Generative A.I. Startups
PLAI - Acceleration Program for Generative A.I. StartupsPLAI - Acceleration Program for Generative A.I. Startups
PLAI - Acceleration Program for Generative A.I. Startups
 
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdfHow Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
 
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdfIntroduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
 
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
 
Speed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in MinutesSpeed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in Minutes
 
ECS 2024 Teams Premium - Pretty Secure
ECS 2024 Teams Premium - Pretty SecureECS 2024 Teams Premium - Pretty Secure
ECS 2024 Teams Premium - Pretty Secure
 
Extensible Python: Robustness through Addition - PyCon 2024
Extensible Python: Robustness through Addition - PyCon 2024Extensible Python: Robustness through Addition - PyCon 2024
Extensible Python: Robustness through Addition - PyCon 2024
 
The UX of Automation by AJ King, Senior UX Researcher, Ocado
The UX of Automation by AJ King, Senior UX Researcher, OcadoThe UX of Automation by AJ King, Senior UX Researcher, Ocado
The UX of Automation by AJ King, Senior UX Researcher, Ocado
 
Optimizing NoSQL Performance Through Observability
Optimizing NoSQL Performance Through ObservabilityOptimizing NoSQL Performance Through Observability
Optimizing NoSQL Performance Through Observability
 
The Metaverse: Are We There Yet?
The Metaverse: Are We There Yet?The Metaverse: Are We There Yet?
The Metaverse: Are We There Yet?
 
Strategic AI Integration in Engineering Teams
Strategic AI Integration in Engineering TeamsStrategic AI Integration in Engineering Teams
Strategic AI Integration in Engineering Teams
 
UiPath Test Automation using UiPath Test Suite series, part 2
UiPath Test Automation using UiPath Test Suite series, part 2UiPath Test Automation using UiPath Test Suite series, part 2
UiPath Test Automation using UiPath Test Suite series, part 2
 

Tokenauthenticatie en xml signature in detail

  • 2. Tokenauthenticatie smartcard met private key Certificaat QURX_ EX990011NL token maken SignedInfo maken RSA / SHA sig maken signedData SignedInfo SignatureValue Bericht maken SOAP bericht
  • 3. Transformatie XML 2 SignedData Verstrekkings- Lijstquery QURX_IN990111NL_01.xml signedData.xsl signedData QURX_IN990111NL_01_signedData.xml
  • 5. signedData X.509 Strong Authentication message id nonce unieke indentificatie van bericht (if duplicate removal has already taken place) notBefore & notAfter time to live security semantics can expire time to store & check nonce addressedParty replay against other receivers Koppeling met bericht BSN voor patiëntgerelateerde berichten Trigger Event Id versieonafhankelijk, itt. InteractionId
  • 8. Whitespace eruit signedData QURX_IN990111NL_01_signedData.xml remove- whitespace- between- elements.xsl signedData QURX_IN990111NL_01_signedData.xml
  • 9. Exclusive Canonicalization signedData QURX_IN990111NL_01_signedData.xml excc14n (Oxygen gebruikt) signedData excc14n signedData_ excc14n.xml
  • 11. Exclusive Canonicalization Dubbele quotes ipv. enkele Namespace declaraties vóór attributen Namespaces alfabetisch rangschikken Linefeed, geen carriage return of CR/LF Geen Byte Order Mark UTF-8
  • 12. Signed Info element signedData excc14n signedData_ excc14n.xml bits SignedInfo template SHA1 hash wsu Id 160 bits maken SignedInfo Base64 karakters SignedInfo SignedInfo.xml
  • 13. SHA: Cryptographic hash Wikipedia: A cryptographic hash function is a deterministic procedure that takes an arbitrary block of data and returns a fixed-size bit string, the (cryptographic) hash value, such that an accidental or intentional change to the data will change the hash value.
  • 14. SHA SHA1 ... SHA256 1995: SHA-1 NSA 2005: zwaktes in SHA-1 ontdekt 2001: SHA-2 (225, 256, 384, 512) 2008 – 12: SHA-3, open competitie SHA-1 input: message maximum (264 − 1) bits output: 160 bits
  • 15. Base 64 UTF-8: niet alle octets zijn toegestaan! Ergo: binaire data kunnen niet zomaar in XML / UTF-8 Oplossing: bits -> karakters RFC2045 (MIME) alfabet: [A-Z][a-z][0-9]+/
  • 16. SHA + Base64 Input (bits) SHA1 (160 bits) 4vBP5K5M5llABaWYzxCrKIdjS2I= Base 64
  • 18. RSA with SHA SignedInfo (exc c14n) private key bits SHA1 hash 400 bits RSA 160 bits 408 bits ASN.1 DER formaat Base64 3021300906 052b0e0302 1a05000414 karakters 3031300d06 0960864801 6503040201 05000420 SignatureValue SHA 256 -> 464 bits
  • 19. Sender Receiver “Hello world” “Hello world” SHA-1 hash: 5llABaWYz xCrKIdjS... Public key: MIICHzCCAY ygAwIBAgI..... OK Private key: shhhh..... RSA sig value: c9fVK7vYAdv s2DRZVtS... RSA sig value: c9fVK7vYAdv s2DRZVtS...
  • 20.
  • 21. Security Services (X.800) Authentication Authorization Data Confidentiality Data Integrity Non-repudiation
  • 24. SOAP bericht signedData SignedInfo SignatureValue Certificaat verwijzing QURX_ EX990011NL Header maken Header maken authentication Tokens wss:Security Bericht maken SOAP bericht
  • 26.
  • 27. Transformatie XML 2 SignedData Verstrekkings- Lijstquery QURX_IN990111NL_01.xml signedData.xsl signedData QURX_IN990111NL_01_signedData.xml
  • 28. Whitespace eruit signedData QURX_IN990111NL_01_signedData.xml remove- whitespace- between- elements.xsl signedData QURX_IN990111NL_01_signedData.xml
  • 29. Exclusive Canonicalization signedData QURX_IN990111NL_01_signedData.xml excc14n (Oxygen gebruikt) signedData excc14n signedData_ excc14n.xml
  • 30. Signed Info element signedData excc14n signedData_ excc14n.xml bits SignedInfo template SHA1 hash wsu Id 160 bits maken SignedInfo Base64 karakters SignedInfo SignedInfo.xml
  • 31. RSA with SHA SignedInfo (exc c14n) private key bits SHA1 hash 400 bits RSA 160 bits 160 bits ASN.1 DER formaat Base64 3021300906 052b0e0302 1a05000414 karakters 3031300d06 0960864801 6503040201 05000420 SignatureValue SHA 256 -> 464 bits
  • 32. SOAP bericht signedData SignedInfo SignatureValue Certificaat verwijzing QURX_ EX990011NL Header maken Header maken authentication Tokens wss:Security Bericht maken SOAP bericht
  • 33. Tokenauthenticatie smartcard met private key Certificaat QURX_ EX990011NL token maken SignedInfo maken RSA / SHA sig maken signedData SignedInfo SignatureValue Bericht maken SOAP bericht