Cloud Security Authors: Liz McMillan, Pat Romanski, Elizabeth White, Yeshim Deniz, Terry Ray

Related Topics: Industrial IoT, Cloud Security

Industrial IoT: Article

Using the IBM XML Security Suite

Using the IBM XML Security Suite

With Web services moving to the forefront at a very rapid pace, components will share their data. SOAP, an XML derivative, will be used to exchange data between the services, and XML is the glue that will hold the e-commerce and Web-based solutions together. That powerful glue, however, presents a problem: security.

Purchasing, payment, and even banking will perform functions easily over the Internet using XML. But the XML document needs to be secured just like any other data. This two-part series examines two ways to deal with XML security: encryption and, in Part 2, signatures.

There are two levels of XML encryption. One involves encrypting the complete document; the other, a specific element and all child nodes below it.

Any encryption should be a well-known algorithm that should be tested and resistant to known plain-text attacks. Standards such as those promulgated by the World Wide Web Consortium married to well-known algorithms like RSA will create resistance to such attacks.

W3C Working Drafts
The W3C was created to lead the World Wide Web to its full potential by developing common protocols that promote its evolution and ensure its interoperability. The W3C has earned international recognition for its contributions to the growth of the Web. XML 1.0 was introduced as the first step toward the next-generation Web. Since XML 1.0, a number of recommendations have been added, including XML Encryption known as XMLenc.

The goal of the XMLenc Working Group is to develop a process for encrypting/decrypting XML documents and portions thereof. The mission is to provide an XML syntax to represent (1) the encrypted content and (2) the information that enables an intended recipient to decrypt it.

Before an XML document can be secured using the W3C standard, it must be well formed or a valid XML document.

IBM XML Security Suite IBM has developed an alpha release of XML security tools, the XML Security Suite, which provides security features such as digital signature, element-wise encryption, and access control to Internet business-to-business transactions. Currently, the release contains an experimental implementation of a proposal of the W3C XML Encryption spec. These tools can be downloaded from www.alphaworks.ibm.com/tech/xmlsecuritysuite.

Sun has placed code in its Java Cryptography Extension that prevents you from using other providers once it's installed. Also, Sun's JCE provides only a few algorithms, and RSA encryption is noticeably lacking - in fact, it's not there. As the IBM JCE provides more algorithms than Sun - mainly the RSA algorithm - this is the JCE I'll use here. You can download it by clicking the WebSphere developer downloads at www.ibm.com/websphere. It's packaged with the IBM JDK.

It's imperative that you follow the instructions for installing any JCE or you'll get some very popular exceptions, such as "NoSuchAlgorithmException," "Algorithm RSA not available," "Cannot set up certs for trusted CAs."

DOM Parsers
I'll use Sun's Java XML parser, JAXP, which is available from Sun at www.javasoft.com/xml.

Setting Up the Keystore
Keytool, an application shipped with the JDK, manages the keystores and can even generate certificates. A keystore is a collection of certificates and keys. Depending on the solution, a keystore can be stored in memory, in a file, even in a database. Java uses the java.security.KeyStore package to generate a keystore for memory. Keys and certificates are stored as entries in a keystore and referenced by their alias name. Keystores use passwords to control access to private keys.

You can create your keys statically by using the keytool command found in your {javahome}/bin directory.

An example of creating an RSA key for use in our sample would be as follows:

Keytool -genkey -keyalg RSA -storepass
xmlpass -keystore xml.keystore -alias -mykey
-dname 'CN=Joseph Smith, OU= Enterprise Solutions Group,
O=BMC Software, L=Herndon, ST=Va, C=US'
The -idname option specifies an X.500 Distinguished Name. X.500 Distinguished Names identify entities for X.509 certificates.

As you can see, that's quite a long string to have to type in and can be prone to erroneous data. I tend to like the way keytool prompts you if you don't supply all of the necessary information. Try just entering:

Keytool -genkey -keyalg RSA -keystore xml.keystore -alias -mykey

A few things to note: if you don't specify a keystore, the default keystore for Windows 2000 will be located at Documents and Settings\{username}\.keystore; on Linux the location might be similar to \home\{username}.keystore.

To retrieve the keystore, get an instance of it using the KeyStore.getInstance(), passing the keystore type as an argument. For now, the default keystore implementation is called "JKS", for Java keystore.

Configuring the Security Suite
Using the IBM Security Suite to encrypt XML documents can be done in multiple ways. For simplicity, I'm going to demonstrate how to encrypt the XML document dynamically. To do this, I create an XML document in memory. This document will contain information needed for encrypting the XML document. This is where things can get hairy, and I strongly recommend you read the W3C Encryption Syntax and Processing documentation, which details how to encrypt data in an XML-conforming manner. More important, it details the elements that will be used in place of the chosen elements for encryption.

Three elements will be used for this example of XML Encryption:

  • EncryptionData: The core element in the syntax
  • EncryptionMethod: The encryption algorithm applied to the data contained in this element
  • CipherText: A mandatory element that provides the encrypted data

    Again, I can't stress enough the advisability of reading the W3C Encryption Syntax and Processing documentation. It details these elements and others with regard to various forms of encryption.

    With the element-level encryption feature of the IBM XML Security Suite, you can choose which elements of an XML document you want to encrypt. You may encrypt more than one element and still leave the remainder of the XML document intact.

    One of the initial steps in the development process is to configure the XML Security Suite. Looking at the javadocs provided with the Security Suite toolkit, you'll see that there are classes for the specific elements nested in the com.ibm.xml.enc package. Included with those classes is an XEncryption class.

    Now I need to set up the EncryptionMethod objects to be used and assign the algorithm. The algorithm determines the contents of the node-list within the EncryptionMethod. Algorithm is a mandatory attribute holding a URI identifying it. I'll set up two such objects:

    encMethodDES = new EncryptionMethod();

    encMethodRSA = new EncryptionMethod();

    The first object sets an EncryptionMethod element to your EncryptedData element because the former element is referenced during the encryption operation so it will know how to encrypt an XML element with a generated key. That EncryptedMethod will use the Triple DES algorithm.

    The second object is set up because the key is encrypted according to the algorithm specified in the EncryptionMethod element set to the EncryptedKey element, which will use the RSA algorithm.

    Once I create the EncryptedData object, I call the method EncryptedData.setType() to indicate that the encrypted data represents an XML element before encryption. I also want to call EncryptedData.setEncryptionMethod() to set the EncryptionMethod used for the encryption:

    encData = new EncryptedData();
    Next comes the simple procedure of creating the KeyInfo object and adding the keyname to it. This object contains a method of identifying the key that was used in the encryption process. mykey is the name of the alias we created earlier using the keytool.

    keyInfo = new KeyInfo(); keyInfo.addKeyName('mykey');
    The last step in the Security Suite configuration is to set up the EncryptedKey object. The EncryptedKey is used to transport the encryption keys from the originator to a known recipient. To do this, a key transport algorithm is used: RSA, using v1.5 padding. The EncryptedKey object is told about the KeyInfo object and the EncryptionMethod used to encrypt the key:

    encKey = new EncryptedKey(); encKey.setEncryptionMethod(encMethRSA); encKey.setKeyInfo(keyInfo);
    Because we're constructing an XML document in memory, I need to call createElement for the EncryptedData and the EncryptedKey. These methods will return elements to be used later.

    Encrypting the Elements
    Once I determine which element I want to encrypt in the XML document, I call the encryptAndReplace method and tell it not only to encrypt the data, but to replace the current element with the encrypted element. This is achieved by calling:

    (Element elem, boolean contentOnly,
    Element encDataElement, Key key,
    Element encKey);
    I'll pass the objects that were configured earlier. Because the attribute of the EncryptionData is "Element", the Security Suite follows the rules of the W3C and replaces the element to be encrypted with an <EncryptedData> element. After encryption, you'll notice two <CipherText> tags: one for the <EncryptedKey>, the other for the <EncryptedData>. The <CipherText> for the <EncryptedKey> is mandatory and contains the encrypted key data. The <CipherText> used for the <EncryptedData> is the data you requested to be encrypted.

    Decrypting the Elements
    For decrypting we need to focus on the keystore information. To accomplish this, create a KeyInfoResolverforKeyStore object passing in the keystore. After that, the resolver needs the password and alias to determine which key to retrieve from the keystore. Once that's been done, I let an XEncryption object know about the resolver by invoking setKeyInfoResolver:

    KeyInfoResolverForKeyStore kiRes = new KeyInfoResolverForKeyStore(store);
    kiRes.put(keyAlias, keyPass);
    After that's all done, we want to retrieve a list of all the matched element nodes that use the <EncryptedData> element. I'll use the DomUtil static method getElementsByTagNameNS(). Traverse through the node-list that's passed back from getElementsByTagNameNS() and extract the elements from it. Those elements will be passed to the XEncryption.decryptAndReplace();.

    I'd like to thank Takeshi Imamura for his help and direction with the XML Security Suite.


  • W3C XML Encryption specification: www.w3.org/2000/09/xmldsig, www.w3.org/Encryption/2001/
  • JSR 106 XML Digital Encryption API: http://jcp.org/jsr/detail/106.jsp
  • Java Cryptography Extension: www.javasoft.com/products/jce
  • IBM alphaWorks: http://alphaworks.ibm.com
  • More Stories By Joseph Smith

    Joseph Smith, a senior software
    engineer with over 13 years of
    experience,has been designing and
    developing Web-based soulutions for
    the last five years.

    Comments (1) View Comments

    Share your thoughts on this story.

    Add your comment
    You must be signed in to add a comment. Sign-in | Register

    In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.

    Most Recent Comments
    E1 Bridge 12/22/01 07:07:00 PM EST

    IBM and Microsoft together published SOAP Security Extensions: Digital Signature, W3C notes on 2/06/2001. Why it is not used?

    IoT & Smart Cities Stories
    Disruption, Innovation, Artificial Intelligence and Machine Learning, Leadership and Management hear these words all day every day... lofty goals but how do we make it real? Add to that, that simply put, people don't like change. But what if we could implement and utilize these enterprise tools in a fast and "Non-Disruptive" way, enabling us to glean insights about our business, identify and reduce exposure, risk and liability, and secure business continuity?
    In this Women in Technology Power Panel at 15th Cloud Expo, moderated by Anne Plese, Senior Consultant, Cloud Product Marketing at Verizon Enterprise, Esmeralda Swartz, CMO at MetraTech; Evelyn de Souza, Data Privacy and Compliance Strategy Leader at Cisco Systems; Seema Jethani, Director of Product Management at Basho Technologies; Victoria Livschitz, CEO of Qubell Inc.; Anne Hungate, Senior Director of Software Quality at DIRECTV, discussed what path they took to find their spot within the tec...
    The deluge of IoT sensor data collected from connected devices and the powerful AI required to make that data actionable are giving rise to a hybrid ecosystem in which cloud, on-prem and edge processes become interweaved. Attendees will learn how emerging composable infrastructure solutions deliver the adaptive architecture needed to manage this new data reality. Machine learning algorithms can better anticipate data storms and automate resources to support surges, including fully scalable GPU-c...
    Nicolas Fierro is CEO of MIMIR Blockchain Solutions. He is a programmer, technologist, and operations dev who has worked with Ethereum and blockchain since 2014. His knowledge in blockchain dates to when he performed dev ops services to the Ethereum Foundation as one the privileged few developers to work with the original core team in Switzerland.
    DXWorldEXPO LLC announced today that Telecom Reseller has been named "Media Sponsor" of CloudEXPO | DXWorldEXPO 2018 New York, which will take place on November 11-13, 2018 in New York City, NY. Telecom Reseller reports on Unified Communications, UCaaS, BPaaS for enterprise and SMBs. They report extensively on both customer premises based solutions such as IP-PBX as well as cloud based and hosted platforms.
    "Akvelon is a software development company and we also provide consultancy services to folks who are looking to scale or accelerate their engineering roadmaps," explained Jeremiah Mothersell, Marketing Manager at Akvelon, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
    "Space Monkey by Vivent Smart Home is a product that is a distributed cloud-based edge storage network. Vivent Smart Home, our parent company, is a smart home provider that places a lot of hard drives across homes in North America," explained JT Olds, Director of Engineering, and Brandon Crowfeather, Product Manager, at Vivint Smart Home, in this SYS-CON.tv interview at @ThingsExpo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
    DXWordEXPO New York 2018, colocated with CloudEXPO New York 2018 will be held November 11-13, 2018, in New York City and will bring together Cloud Computing, FinTech and Blockchain, Digital Transformation, Big Data, Internet of Things, DevOps, AI, Machine Learning and WebRTC to one location.
    The current age of digital transformation means that IT organizations must adapt their toolset to cover all digital experiences, beyond just the end users’. Today’s businesses can no longer focus solely on the digital interactions they manage with employees or customers; they must now contend with non-traditional factors. Whether it's the power of brand to make or break a company, the need to monitor across all locations 24/7, or the ability to proactively resolve issues, companies must adapt to...
    René Bostic is the Technical VP of the IBM Cloud Unit in North America. Enjoying her career with IBM during the modern millennial technological era, she is an expert in cloud computing, DevOps and emerging cloud technologies such as Blockchain. Her strengths and core competencies include a proven record of accomplishments in consensus building at all levels to assess, plan, and implement enterprise and cloud computing solutions. René is a member of the Society of Women Engineers (SWE) and a m...