02-Security & Encryption-CPWR 2
Mike Taylor
Uniface Solution Specialist Atlanta - June 8th, 2010
Agenda
Encode/Encrypt, Decode/Decrypt
Project Goal
Provide the ability to encode/encrypt and decode/decrypt data with Uniface 4GL proc functions.
Hash functions: MD4, MD5, SHA-1, SHA-2, HMAC
Block ciphers: AES, DES, Triple DES, Blowfish, Twofish
Miscellaneous: Base64, HEX, URL encoding
Hash functions
Return fixed-length data for which it is:
infeasible to find the source from a hash;
infeasible to find two different sources with
INPUT: Uniface
HASH: B062B1413B28E83DCBF4E9DB2C51D63E
Block ciphers
Use a symmetric key to encrypt and decrypt the data. Operate on fixed-length data called a block.
KEY: password
INPUT: Uniface
CIPHER: 8A0D1BBFA0C34D
Data is divided into blocks (fixed-length data) and each block is encrypted separately. Identical plaintext blocks are encrypted into identical ciphertext blocks.
REF: http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation
Modes of operation
Several modes of operation have been invented which allow block ciphers to provide confidentiality. Modes: ECB, CBC, CFB, OFB, etc.
[Figure: the same image shown as Original, encrypted in ECB mode, and encrypted in other modes]
All modes except ECB require an initialization vector (IV). The IV need not be secret, but it must never be reused with the same key.
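The two points above (ECB leaks repeated plaintext blocks; an IV need not be secret but must be fresh per key) can be seen directly in code. This Go program is an added illustration, not part of the presentation or of Uniface; it uses the standard library's AES with a constructed 16-byte key and a plaintext made of three identical blocks, and applies no padding.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// encryptBlocks encrypts pt with AES under key. chain=false is ECB (each block
// on its own); chain=true is CBC (blocks chained through iv, IV prepended).
// pt must already be a whole number of 16-byte blocks (no padding here).
func encryptBlocks(key, iv, pt []byte, chain bool) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(pt)%bs != 0 || (chain && len(iv) != bs) {
		return nil, fmt.Errorf("plaintext must be whole blocks and the IV one block")
	}
	out := make([]byte, len(pt))
	if chain {
		cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, pt)
		return append(append([]byte{}, iv...), out...), nil
	}
	for i := 0; i < len(pt); i += bs {
		block.Encrypt(out[i:], pt[i:i+bs]) // identical pt blocks give identical ct blocks
	}
	return out, nil
}

// repeatedBlocks reports whether any two 16-byte blocks of data are identical.
func repeatedBlocks(data []byte) bool {
	seen := map[string]bool{}
	for i := 0; i+16 <= len(data); i += 16 {
		seen[string(data[i:i+16])] = true
	}
	return len(seen)*16 < len(data) // fewer distinct blocks than blocks: a repeat
}

func main() {
	key := []byte("0123456789abcdef")                 // constructed demo key
	pt := bytes.Repeat([]byte("Uniface 4GL-proc"), 3) // three identical blocks
	iv := make([]byte, aes.BlockSize)
	rand.Read(iv) // a fresh random IV for every message under this key
	ecb, _ := encryptBlocks(key, nil, pt, false)
	cbc, _ := encryptBlocks(key, iv, pt, true)
	fmt.Println("ECB repeats blocks:", repeatedBlocks(ecb), "CBC repeats blocks:", repeatedBlocks(cbc))
}
```

Running it prints true for ECB and false for CBC; encrypting the same message twice with the same key and IV would reproduce the ciphertext byte for byte, which is what an observer learns when an IV is reused.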
Block ciphers
AES (RIJNDAEL), DES, TDES (DES_EDE3), DES_EDE2, DESX (DES_XEX3), BLOWFISH, TWOFISH
Misc.
BASE64, HEX, URL, URAW, USTRING (only available for $encode)
Notes
Because the return value may contain the null byte (0x00), $encode/$decode return the Uniface RAW data type, which is binary safe, unless the algorithm is BASE64, HEX, URL or USTRING, in which case the data is returned as the Uniface String data type (UTF-8). Algorithm USTRING does not convert the string from one character set to another.
DEMO
Agenda
Encode/Encrypt, Decode/Decrypt: Hash functions, Block ciphers
Webservice Security
Server has a certificate (supplied by a certificate agency or self-signed)
Webservice Security
1. Client makes a request to a secure webserver
2. Webserver accepts the connection and returns its certificate
3. Client verifies the certificate is valid and trusted
Checking can be disabled with usys$sop_params ign=p
Trusted certificates are held in usys:ca-bundle.crt
The certificate can be obtained from the website
Format for ca-bundle.crt
-----BEGIN CERTIFICATE-----
Certificate Data
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Certificate Data
-----END CERTIFICATE-----
Trusted root certificates can be obtained from curl
http://curl.haxx.se/ca/cacert.pem
1. Click on the Certification Path tab and select the server certificate.
2. Click View Certificate
3. Click on the Details tab
4. Click on the Copy to file button and click Next >
5. Select Base-64 Encoded X.509 (.CER) and click Next >
6. Enter a filename, e.g. server.cer
7. If you have a ca-bundle.crt file in your usys folder, append the contents of
DEMO
Restrictions
Client certificates are due soon
WS-Security not currently supported
SOAP headers available from the 3GL interface: soap_pre_request, soap_post_request
Thank You & Questions