EldoS | Feel safer!

Using TElX509Certificate from smart card for authentification to a WS

#13469
Posted: 05/26/2010 15:41:35
by Tomislav Jakopović (Basic support level)
Joined: 05/22/2010
Posts: 38

Quote
Eugene Mayevski wrote:
... so if you have a certificate in, say, TElPKCS11CertStorage, then you just need to copy it to TElMEmoryCertStorage, and then pass this TElMEmoryCertStorage to TElMEssageSigner. SecureBlackbox will care about the underlying key so this approach will work right for you .


Hi,
one more final question:

On the client, I'm using encryption with the server's public key from the X.509 certificate to encrypt the request; I encrypt the whole SOAP body.
Since I have this .cer in the Windows keystore, I can use regular X509 certificates loaded from the Windows store and encrypt with its public key.
Then my plan is to sign the whole request with the private key from the certificate using your library and attach this certificate in the SOAP header.

When the server gets the request it will first validate the signature and then decrypt the message.
Is this OK, or should I first sign the request with the client's private key and then encrypt it with the server's public key???
#13471
Posted: 05/27/2010 02:06:09
by Eugene Mayevski (EldoS Corp.)

When you sign using PKCS#7, the certificate is included into the product (i.e. signed data), you need to carry it additionally.


As for the sequence of operations, it depends on whether you care about revealing the signature. Of course, signing ahead of encryption makes the signature itself not visible until one decrypts the external packet.


Sincerely yours
Eugene Mayevski
#13489
Posted: 05/28/2010 05:25:42
by Tomislav Jakopović (Basic support level)
Joined: 05/22/2010
Posts: 38

Quote
Eugene Mayevski wrote:
When you sign using PKCS#7, the certificate is included into the product (i.e. signed data), you need to carry it additionally.


As for the sequence of operations, it depends on whether you care about revealing the signature. Of course, signing ahead of encryption makes the signature itself not visible until one decrypts the external packet.


You mean it isn't included in the product??

Can I encrypt/decrypt data (XML or string) with TELX509Certificate2's private or public key using AES instead of DES?
#13490
Posted: 05/28/2010 06:01:45
by Eugene Mayevski (EldoS Corp.)

Quote
Tomislav Jakopović wrote:
You mean it isn't included in the product??


Sorry, that was a typo. Let's say it this way "Signed data packet includes the data, the signature and the public part of certificate(s) used to make this signature". So the signed data packet is the only thing you send - you don't need to send the certificate separately. You can create a so-called detached signature, which will produce a detached signature packet - only the signature and certificates included. The original data remains unchanged. Maybe this mode will work for you even better.

Quote
Tomislav Jakopović wrote:
Can I encrypt/decrypt data (XML or string) with TELX509Certificate2's private or public key using AES instead of DES?


Of course, why not? The only drawback is that some systems still don't have AES support in CryptoAPI.


Sincerely yours
Eugene Mayevski
#13494
Posted: 05/28/2010 08:16:26
by Tomislav Jakopović (Basic support level)
Joined: 05/22/2010
Posts: 38

Quote
Eugene Mayevski wrote:
Quote
Tomislav Jakopović wrote:
You mean it isn't included in the product??


Sorry, that was a typo. Let's say it this way "Signed data packet includes the data, the signature and the public part of certificate(s) used to make this signature". So the signed data packet is the only thing you send - you don't need to send the certificate separately. You can create a so-called detached signature, which will produce a detached signature packet - only the signature and certificates included. The original data remains unchanged. Maybe this mode will work for you even better.

Quote
Tomislav Jakopović wrote:
Can I encrypt/decrypt data (XML or string) with TELX509Certificate2's private or public key using AES instead of DES?


Of course, why not? The only drawback is that some systems still don't have AES support in CryptoAPI.


I see, thanks.

My idea is the following: I have written SOAP extensions that intercept web service method calls before they are serialized/deserialized.

In these methods I would like to get the certificate from the token and sign this XML SOAP message. It doesn't matter if the signature is detached or not. After that, I would like to encrypt the whole message (is signed XML still XML?) with the public key of the person/server I'm sending to. I would prefer to use AES, because from what I understand, RSA encryption doesn't work on large data.
This encrypted data would then be sent to the other side.

On the other side, the SOAP extension would intercept the message before it is serialized into an object, use the private key from its certificate, and decrypt the message. This would transform the byte[] into signed XML. It would then use the certificate from the signed data to verify the signature. If something failed it would raise a SOAP exception.

Upon success, the signature would be removed (this can be an option; I don't know where the certificate and the hash are saved, in the header or the body) and the request would be deserialized into an object.

Now, is this possible, and do you have examples of how to sign and encrypt/decrypt data?

My main concern is using different classes for signature/encryption/decryption on the client vs. server side. On the client side, the certificate used for signing is on the crypto token, and I would use a TElX509Certificate2 object for this, and on the server side I use keys/certificates stored in the local Windows store.

Can you please provide some examples of how to do that, is it possible, and how good is the level of protection of this solution?
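The flow discussed in the posts above, worked through as an added example that is not code from this thread or from SecureBlackbox: sign first so that the signature and the signer's certificate sit inside the ciphertext, carry the signer certificate inside the PKCS#7 SignedData packet instead of in a separate SOAP header, use a detached signature packet where the data must stay untouched, and envelope the body with AES so that the RSA key only wraps a content key and the size of the message no longer matters. It uses OpenSSL's `cms` command in place of the SecureBlackbox classes; the `openssl` binary on PATH, the two throwaway self-signed identities `client` and `server`, and the sample SOAP body are assumptions and constructed inputs, not the thread's smart-card or Windows-store certificates.

```shell
#!/bin/sh
# Added example, not code from the thread or from SecureBlackbox: the client's
# "sign, then encrypt for the server" flow done with OpenSSL's CMS (PKCS#7) tool.
# Assumptions: openssl is on PATH; the two identities below are throwaway
# self-signed certificates generated here (constructed sample material).
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_identity() {                      # $1 = CN; writes $WORK/$1.key and $WORK/$1.crt
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

sign_then_encrypt() {                  # $1 = plaintext file, $2 = enveloped output (DER)
    # SignedData with the content embedded (-nodetach) and the signer's
    # certificate included, so nothing has to travel in a separate SOAP header.
    openssl cms -sign -binary -nodetach -signer "$WORK/client.crt" \
        -inkey "$WORK/client.key" -in "$1" -outform DER -out "$WORK/signed.der"
    # EnvelopedData for the server: AES-256 for the body; RSA only wraps the
    # per-message AES key, so the size limit of raw RSA never applies.
    # The signature and the signer certificate are now inside the ciphertext.
    openssl cms -encrypt -binary -aes256 -in "$WORK/signed.der" \
        -outform DER -out "$2" "$WORK/server.crt"
}

decrypt_then_verify() {                # $1 = enveloped input, $2 = recovered plaintext
    openssl cms -decrypt -inform DER -in "$1" -recip "$WORK/server.crt" \
        -inkey "$WORK/server.key" -out "$WORK/recv_signed.der"
    # Verify against the trusted client certificate and write out the signer
    # certificate that travelled inside the packet.
    openssl cms -verify -binary -inform DER -in "$WORK/recv_signed.der" \
        -CAfile "$WORK/client.crt" -signer "$WORK/seen_signer.pem" -out "$2" 2>/dev/null
}

roundtrip() {                          # prints the plaintext the server recovers
    printf '<soap:Body>order 42</soap:Body>' > "$WORK/msg.xml"   # constructed sample body
    sign_then_encrypt "$WORK/msg.xml" "$WORK/wire.der"
    decrypt_then_verify "$WORK/wire.der" "$WORK/recovered.xml"
    cat "$WORK/recovered.xml"
}

embedded_signer_subject() {            # subject of the certificate carried in the signed packet
    openssl x509 -in "$WORK/seen_signer.pem" -noout -subject   # run roundtrip first
}

detached_signature_catches_change() {  # prints "tampered" when verify fails after editing the data
    printf 'original body' > "$WORK/d.txt"
    # Without -nodetach the packet holds only the signature and certificates.
    openssl cms -sign -binary -signer "$WORK/client.crt" -inkey "$WORK/client.key" \
        -in "$WORK/d.txt" -outform DER -out "$WORK/d.sig"
    printf 'altered body' > "$WORK/d.txt"
    if openssl cms -verify -binary -inform DER -in "$WORK/d.sig" -content "$WORK/d.txt" \
        -CAfile "$WORK/client.crt" -out /dev/null 2>/dev/null; then
        echo "accepted"
    else
        echo "tampered"
    fi
}

make_identity client
make_identity server
```

Two points a practitioner would check before copying this into a deployment: the server only accepts the signer because `-CAfile` names the client certificate as a trust anchor, so a real receiver needs a proper trust store and revocation checking rather than a single file; and the CMS envelope here uses AES in CBC mode, which gives no integrity of its own, so the signature inside the envelope is what protects the body against modification and must be verified before the request is deserialized.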