Encryption and Security

Mike Taylor
Uniface Solution Specialist Atlanta - June 8th, 2010

Agenda
Encode/encrypt Decode/Decrypt

Hash functions Block ciphers

Calling webservices with a certificate

Project Goal

Provide the ability to encode/encrypt and decode/decrypt data by Uniface 4GL proc functions. Hash functions
MD4, MD5, SHA-1, SHA-2, HMAC

Block ciphers
AES, DES, Triple DES, Blowfish, Twofish

Miscellaneous
Base64, HEX, URL encoding

Hash functions
Return fixed length data which is; infeasible to find the source from a hash.
infeasible to find two different sources with

the same hash.

INPUT
Uniface

HASH
B062B1413B28E83DCBF4E9DB2C51D63E

Block ciphers (1)

Use a symmetric key to encrypt and decrypt the data. Operate on fixed-length data called block.

KEY

password

INPUT
Uniface

CIPHER
8A0D1BBFA0C34D
5

Block ciphers (2)

Data is divided into blocks (fixed length data) and each block is encrypted separately. Identical plaintext blocks are encrypted into identical cipher text blocks.

REF: http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation

Modes of operation

Several modes of operation have been invented which allow block ciphers to provide confidentiality. Mode: ECB, CBC, CFB, OFB etc.

Original

ECB mode

other modes

REF: http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation
7

Initialization Vector (IV)

All modes except ECB require an initialization vector (IV) No need to be secret, but it is important that never reused with the same key

REF: http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation
8

New proc functions

$encode and $decode
Syntax:

$encode/$decode(Algorithm, Source{, Key{, Mode, IV}})

Algorithm: Encode/encryption algorithm

Source: Source data

Key: Secret key for a block cipher Mode: Modes of operation

IV: Initialization Vector

$encode / $decode (1)

$encode/$decode(Algorithm, Source{, Key{, Mode, IV}})
Algorithm:
Hash functions (only available for $encode)
MD4, MD5, SHA1, SHA224, SHA256, SHA384, SHA512, HMAC_MD5, HMAC_SHA1

Block ciphers
AES (RIJNDAEL), DES, TDES (DES_EDE3), DES_EDE2, DESX (DES_XEX3), BLOWFISH, TWOFISH

Misc.
BASE64, HEX, URL URAW, USTRING (only available for $encode)
10

$encode / $decode (2)

$encode/$decode(Algorithm, Source{, Key{, Mode, IV}})
Source: Any text or raw data. Key: Required for block ciphers and HMAC.
Should be a specific length.
AES (16/24/32), DES (8), TDES (24), DESX (24) BLOWFISH (4 56), TWOFISH (16/24/32)

11

$encode / $decode (3)

$encode/$decode(Algorithm, Source{, Key{, Mode, IV}})
Mode: Modes of operation ECB, CBC, CFB, OFB, CTR, CBC_CTS
Default = ECB

IV: Initialization Vector Required for all modes except ECB.

12

Notes

Because the return value may contain the null byte (0x00), $encode/$decode returns in the Uniface RAW data type which is binary safe, unless the Algorithm is BASE64, HEX, URL or USTRING, in which case a data is returned as the Uniface String data type (UTF-8). Algorithm USTRING doesnt convert the string from a character set to another.

13

DEMO

14

Agenda
Encode/encrypt Decode/Decrypt
Hash functions Block ciphers

Calling webservices with a certificate

Webservice Security
Server has a certificate
(Supplied by agency or self sign)

The webserver also has a certificate

Signed by the server certificate

Webservice Security
1. Client makes request to a secure webserver 2. Webserver accepts the connections and returns its certificate 3. Client verifies certificate is valid and trusted

Disabled checking with usys$sop_params ign=p Trusted certificates held in usys:ca-bunble.crt Certificate obtained from the website

usys:ca-bundle.crt
Format for ca-bundle.crt
-----BEGIN CERTIFICATE----Certificate Data
-----END CERTIFICATE---------BEGIN CERTIFICATE----Certificate Data -----END CERTIFICATE-----

Certificate Data is encoded Base-64 Encoded X.509 (PEM)

ca-bundle.crt
Trusted root certificates can be obtained from curl
http://curl.haxx.se/ca/cacert.pem

Owner sends you their certificate Servers certificate can be obtained in IE by

Request the URL Click on the padlock icon View the certificate

Click on the Certification Path tab and select the server certificate.
Click View Certificate Click on the Details tab Click on the Copy to file button and click Next > Select Base-64 Encoded X.509 (.CER) and click Next > Enter a filename e.g. server.cer If you have a ca-bundle.crt file in your usys folder, append the contents of

server.cer to it in a text editor, otherwise copy to ca-bundle.crt. Click Finish

DEMO

20

Restrictions
Client certificates are due soon WS-security not currently supported
Soap headers available from 3gl interface.
soap_pre_request soap_post_request

Thank You
& Questions