Wednesday, October 14, 2009

Trust in Crypto

Some people fear that an encrypted token send through an untrusted operating system is not safe. Well, decrypt this:

<enc:EncryptedData xmlns:enc="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Element"><enc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" /><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><enc:EncryptedKey><enc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /></enc:EncryptionMethod><ds:KeyInfo><wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">cInCP+uDfNbevxLZEMnZG3ozidc=</wsse:KeyIdentifier></wsse:SecurityTokenReference></ds:KeyInfo><enc:CipherData><enc:CipherValue>wu7z3ml5LPdisc1F/o2gWP/I/8lgQNnj5PYoRw/CNe6f1kFtvE7Q4zZiNCrqsAJiY115ztR063siJLFiSsyGi9jRTrRuTD3ZZGrlQHedWFbG519UXk14cT6fqqQ3O8b6jXqhVDWpeRn08vKv+K6FS4wI2wKZNH3BUw169VSjz0otC8HSUz5FG8POGhVL0/kkzYmgfhq75jt84iKt2dLVNQEDHvSYraAUOc4GCuMzd0l2TgSqVQ1dJYC9NC9iTyUv0l6GPV8XApdbK/7oKW4e4aNvhhkoyLDP/U6RxLiH/QPD7EEP0vM58LETTWD+R3tViD/A5UMVlVVzF6MMsdRI0Q==</enc:CipherValue></enc:CipherData></enc:EncryptedKey></ds:KeyInfo><enc:CipherData><enc:CipherValue>n4vumLMhKFzn29uSCktg1jEnzBf9yJcgt+OvYa7r3Vi7eLLyL9uGHy3NDIsaAr0qYF/+AyjwIE8aCk0/qMjFiY+O3j/oQLulbU+RHooQm95cesySRs2PlZ6G5nI1lnMDb9SsSFMhSjl2ZTBV6YWJ69kphS8IbQFjuNcnZBW4ARI0A5WGhj36F2zGXAGnJ7BNvVLJLv8zMT3hsmcJ0ZHA2ggN5RJnPEKT56OJkcgNN0mjhhldt35As2qK7NDumv25WB+3BX1DSCFBGkHCiK5pGjKAXu3tudXFt0+ryvDojdVpmbOwypRXjzgqCBZ8gOLMGoyYFVgXINUY59+mqbhv/mIBaOqbmuVV26tCWPWFkvbzMz1jD3fEcws7nKoc69Ceavl1BKWb5Zq+YYr3voHr7g2ZRvBd6me2YTRx6BNIgj8dbplzlD3Bp4HO13tK0rZXpJH1Z2OXfpUd3ZE0T879WJjDA1qcgUswH8F0ER+UG09P2Z2PgK2McFz4ntwTJOSohhipMU0WFRHQr3s+bLr3c78NFZl8FGGZ9rRm/AMhsHPqKuK/WAqmvtMoYdXPTWw5cP5CysgVIdWO+VymKZ4W7LbtZrZRk9hCya6ANmpkckEBSo03p/psqE5X97A43V6XExjP4cQNdwPZw1b8c4UDJzvFFFL69P3HispobxvdlLqI2nxu2tp9M9eyYQDHtqjSdutYjkyolXkrEKoRGAPOoUsUlxnctHd6RmbA825YNywNMG9sXqxIM8ua1BQoEWfRQauFUYxyGQYywqT0MsbVu1N2HSQsc8Dern6kOl0OLd/Z4n1XZI3bMWMCtNe4DrK2OOeG1RY8DPOn8dW+AL/+T2iqVv2d3dNkRXTvkaEl9UXecBe/G6oqtkjjTdSdZ/20ifi9LFejagAtdIQ+crfH12JKyGs5tPVgDtZfJPoAryHAeyqI+0kUsTTVgsJtE1OU/FAXI2naEVCDH26vZOt9QzaXkTgmRAL8X65BaXczJ365QWi/oURNq/q4zSpo/fkRrspIfh9mefhbyssNsGYWHtQO0GOeNzrCfpdRll5f2w8DdEkH3+u0V4c4otf0pMYkhyw007ig1Y7xgY+e1xFP7/fJ0QMa04XDe+NWdgDhT0NJe23ehPgOPFC0Qa4gC5an9V//u1/svnzjrNyKhjfUVQ7ai+xAi7Pla7Irmpr35vX+FjkPzmFyNnfNqRt3+o9rzLHRS4QYTMK00FccP7cirekRK45ni2yLa1wgHBn674owJTje/ugOYsXCdkZEOUbs6LgOMPjUlxUwQpeLj4uw1ycMRNZGNo7zBDHSMZ18ZRxAuP0J2V1s9KiQBLBsodtZ7fyqVYjKQVSeYj7mDlPM6r/4tC+R8k8pEQpnjvQFqhm/MHfZzoaYfO9523J5s5FXMOhO94XK/VdRayvOHNxaK1NV6k2tEpaPXPa4cSorRXBn81yKItis+u1NbE4SBb5CkuTTQnPNJec2/BQQspwWKfbMAs/sptJel4OaZ6x5svyHgijnYTV373V1EcIPDDNzDH/iJGJv/3hhZs0QNP4hO1zU+8RFphDMclM1YtYzruoROL8JW0jMwDC/UyfhKlWLIUSOS8PFE22UCuXpsnbY5ty/Q8CSaIvhNrOodAC8gRKoLGdyEqFt+tk4Fjbty7biuOBgONF8Uh8XeT9jKlRI3FUc4kpC3Pafeg7Os3LuXcxu8CggrRH73Lh4MJQ1Y7IIRsxDPNuJTBzEvsQJdNzPy/t+LA8cNV9OPat5+LXFhd1TH6zwqYC7i3hSCq9NT9spp15cZ0KZJt7FFd8uYwE9AHmy6Jb8NdbAXruwnGIETiiOYvlehGkMcND0aiwx7KIycYwz9quyOh9vYdc0IGvKaBLfbv7TYC89xSuOBqLiiuW4BOLMXxvrdutRPVy5HqLHlfOzaiq+TbljC+dqjJUw3NpViS5pmiP2culW4ZphNROb1Rp+oJLu1E2F6eGUNGBTSlohK6RD7ZaKVvLxU/PH0WNwXqmUY6215MRjH0+yEeKPNR/iq/KOmI9xwN0GB7Qpao1yS71tLnM/Rg6hjOI9X6ynDsTPRiUK+doeDznOfcysObf8Zpjjlp1eRHYCnp9WJNM3IGg/hd53APMUP+qy3wAmsKmLJ88W0qxUefslynIEKZeriARXpjQj46yDGIXYpe9XNBJAVc88+WCA4mIKlolsbtHZwbMccsfVQKiqLqV21Um50IITpLpPY5v1yRwNMf9A9/n72qrolDm8h38xDWPwyrojWs06bz4XMIQF7/lSR2aRE9L78Lp1i5UafNYe3EgnAReZsYWvCAr8Xm7IXyQmgEXh9en28b1t1ZsKNCyvQRRD5IqzSqBswtITRmbjoBfw2EnYcIp0E8vKGAG5zyxphhXCwfjEoRxKuZ7hDPcfGQb++KbPgIl3Ub6sJTX0QoVjBCAYnXvpKaKOQ9zOYN4MVp+lKMcFw0w4j/8IDC8D8O9ZAQhn2Bj6CPjAtEN6mwv4DqQwndNxx3glkOFVvkLBHkRfTvcQRmBcNjeP4RpQyCqMMgIcIRuQFYfQUXy0QxVVbegZHzeYYhe6A5yp3Oz3M87Nn3j5V5puu3kMUtLKIYl0KjKbrBLX8sqtx/BDhd+BuWiFsedmL0kAmRxuh96SoR1E6EzIrIm8s9xLvGRH45oBs5QA9KoSvm/gE2mcYVoe7baZocsrlkWs+xoZDwDAbmPZi16jbnwXxEWfwTBvKQ8vQisIN24O+gJXi7r0dzoRTqIY104yPJmPdIGh0rdGU4AUxtJNhpLujSpteU82M7kAlVhP4IK0UHIfciJ13C4OX0IH8y8shcu4QvZK4Nw98uIBjY3ybjMB9bqZAO2pZM1lk9sdn590L7iA/vjjJ24wAl2Yz2MhgtUKzTfTRzhnje+E10JHKYph/Z+DWO8Ku4vWEgak6m9flfXwrFPkSENTTNHXVKTnvFrdvJtfYAcympLg/tJXmQlrT+kQl2o/jbIcePi6HbtR+YtYWpckkfvU/cvcqWMuiJNHi3ST8vvVoGrypq7aY6MnJPqNTVD1yc3q2ZQxfreevKRktHm8gwGIjyuL7mUOkF4r0dQgWmcpQhS2Ozil5NkVtLdxJmcWeFxv3GZ4Tta2NXIEQexdgjUnAGRQH/CAF/Xi/9fjoM4puZTdlxdx4QRps1Y4DBQ6oCnI67sUdQGtcx7LwCVrLFJc0gKtnVtmEVvYDKPv1E4eIvyPz/6+fjHcYePYmKxPa6dV50g9E6K0832osbdV9klbDsx9AE0B2qkI0akEBuP978Wl5tIUDqC0kMNMp1wt2WTLx7KOrwLQVVUyFx167BGaduxIm/QAj5Jht6tVaAuCrhU3u6qzxZ7GQHtPe9pJCAtEOGNx68TGgaQynIdA0dS2G85XtYAHXI+Yt1D6eoQbQ04sMGiKfdm2E5QRy7lS/lNSQaf3+kNCiTEHmHeaTy4zCpMWvDDaAqtQbM5JNMxa4mkr0mmxOoykIS8CuSkat8+QIzROFEsIc+66qQC4yAJ0bKssZ0tyQ3BQC3D3hAGZoUsg8pUTNcR/i/hT0x5AMCgaU9EMkFFOhFQoVdcUti3tpUSLtpjVheuG5pAHIlGasfnh4iYexWQeF4DDoJRCFUVprFY7VJy4AAvT8qM+3XnraTKbLDncKEx14TDELnXdNgRDYkqt/XKgZ/Y2hNM0zonZHsp/lz8+ISfKJR5LRTjX2Xg+2loHKBIm6ysJ2ukEodwafMhJxPD7KSjJi/qW06WzCG3K1o4D/Q4B6ABjbGY7HXvn+yhz9EdWWECHfN+i2x/Jdh15wRsuS0hRGD0RL7O//mjHtGzJN0w1KqLYJvglUlEVVUtXqKwk/L0NLMW3T8n84kA/LEXL9a1NgQDlpBoP3ZOXqpzFa1rzfZfBkniIgQJT+JaciDpgo0oeo1F4uGRlQ5h5kIL6dXiOchkHEBv7uo0+N4OhRcK6mjHUgzorSwmkocYktW2Szu8gdr8ts6QbtkCM++uNz+v8AP5vO+gUh5b+9I7NWbkWdrqoWAOCw+miT7dPG5jMJ76HYCBFbWJt2iV96cpwiIR4VXH3kMHQBl0E66s75GFmaGUnx51JNXUGavmQASR3vsvrrC8kATb+P/mmTprvikGM7IPgWG1zHTcqLuoHDylVmfGHg0ys9LpqwuUBu7FvFuuftVwl/24RGJrxup3bGjOb3hJ12HSVMJ3NMZxVBIG4FVz7Voi9B8cCi9wPfaacZvc0Vk2itFOJS77nNrKs5XizH80JfWxu1Y/BYYNsMMys42rPpf0Mba/DHUfROLzlH5dg2lKQuuR1aJHLKWZHoQQPKEPu9D/pZKY7Y4T5ImdElXLG</enc:CipherValue></enc:CipherData></enc:EncryptedData>



If you succeed I'll fetch you a beer at IIW2009b.

3 comments:

cmort said...

<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1" AssertionID="uuid-F7DCFD8A-8F94-CDDD-12A1-22F43368C92D" Issuer="http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self" IssueInstant="2009-10-14T21:53:42Z"><saml:Conditions NotBefore="2009-10-14T21:48:41Z" NotOnOrAfter="2009-10-14T22:03:41Z"><saml:AudienceRestrictionCondition><saml:Audience>https://xmldap.org/relyingparty/</saml:Audience></saml:AudienceRestrictionCondition></saml:Conditions><saml:AttributeStatement><saml:Subject><saml:SubjectConfirmation><saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod></saml:SubjectConfirmation></saml:Subject><saml:Attribute AttributeName="givenname" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims"><saml:AttributeValue>Axel</saml:AttributeValue></saml:Attribute><saml:Attribute AttributeName="surname" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims"><saml:AttributeValue>Nennker</saml:AttributeValue></saml:Attribute><saml:Attribute AttributeName="emailaddress" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims"><saml:AttributeValue>axel@nennker.de</saml:AttributeValue></saml:Attribute><saml:Attribute AttributeName="privatepersonalidentifier" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims"><saml:AttributeValue>RzhleWpmN0xUWUdvNmdIcmJ3TExvYnhtTUw2WDlIdkEzMFd5a2xWTG9pbz0=</saml:AttributeValue></saml:Attribute></saml:AttributeStatement><dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><dsig:SignedInfo><dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /><dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /><dsig:Reference URI="#uuid-F7DCFD8A-8F94-CDDD-12A1-22F43368C92D"><dsig:Transforms><dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /><dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="saml" /></dsig:Transform></dsig:Transforms><dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /><dsig:DigestValue>LVa3VLOZq/UHMwJN+XdmjBy0yHQ=</dsig:DigestValue></dsig:Reference></dsig:SignedInfo><dsig:SignatureValue>OaoIEjDcNWcLv2rvFwr3/B8LTy1dAka/A92Yzy8Ere2Q+lxO0Vd9NCW+frva8p09vCf6z55D7qRlhQoHKCTZo5PgVseOmZjj6Y/CCjJOVekCawrA2cw91QnWMcOOgXiu9alfydOd+UFuFxXmr+Fa/ae8qdzAqdcYUzLWCQC4DG484OE9YxBiId5x7umupQaoz5zeNdbjeh6ywFw1Ks7NEQ/HAX52iujKFNoOiz5b9KnKOEq+HIi1qG2hIgzatYwt/nKTqqlqpuSO8BqSVzkxtDYsamI3yK0Tswd6GzqSBlyHbZXhvxtXLYwlKYEe1n4qc9MUJTfcht7qTDNolac+HA==</dsig:SignatureValue><dsig:KeyInfo><dsig:KeyValue><dsig:RSAKeyValue><dsig:Modulus>jCeH1PfaxQwjN2gNzsiZVYY+cBtrNNXmVcWMe0Om94u3lSZhKbVr/JLdXsJEu8ojZiaYkR+Run9k4XeIQTHFnBe7PIzP7cbOpCMtoLNzRGYfrL3v+5FC6nonQG+HM26QyhJp1zsvaXv+vAYigMrsXMWv37srMpbTmcpM5djUJmbFWOkEUN7Prad8Qc7dH1zsNAfldsMt3OyMb665OOi/UJQJQyq0g9Jsd8j9JXVUOZO95lrENQ7QFuRHcOTeIvY3bi+VU+CJluVATsG+BgjWiO74AvoeZUim54/KVTb1wnW4iS9U+9nNdyTawCTy6WAqny3a1C5Hg3TnJ1rnxAzd7Q==</dsig:Modulus><dsig:Exponent>AQAB</dsig:Exponent></dsig:RSAKeyValue></dsig:KeyValue></dsig:KeyInfo></dsig:Signature></saml:Assertion>


You owe me a beer!

Axel Nennker said...

Copying the assertion out of the server log is no decryption. And people who have authorized access to the private key of RP (xmldap.org) are no attackers. But I am happy to fetch you a beer. BTW: I am in San Francisco next week too.

Paul Madsen said...

I did the math on the back of an <Envelope> so may be a bit off but I think the plaintext is

'Windows 7 is here'

Paul

p.s. No cheap American beer please