Wednesday, October 14, 2009

Trust in Crypto

Some people fear that an encrypted token sent through an untrusted operating system is not safe. Well, decrypt this:

<enc:EncryptedData xmlns:enc="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Element"><enc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" /><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><enc:EncryptedKey><enc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /></enc:EncryptionMethod><ds:KeyInfo><wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">cInCP+uDfNbevxLZEMnZG3ozidc=</wsse:KeyIdentifier></wsse:SecurityTokenReference></ds:KeyInfo><enc:CipherData><enc:CipherValue>wu7z3ml5LPdisc1F/o2gWP/I/8lgQNnj5PYoRw/CNe6f1kFtvE7Q4zZiNCrqsAJiY115ztR063siJLFiSsyGi9jRTrRuTD3ZZGrlQHedWFbG519UXk14cT6fqqQ3O8b6jXqhVDWpeRn08vKv+K6FS4wI2wKZNH3BUw169VSjz0otC8HSUz5FG8POGhVL0/kkzYmgfhq75jt84iKt2dLVNQEDHvSYraAUOc4GCuMzd0l2TgSqVQ1dJYC9NC9iTyUv0l6GPV8XApdbK/7oKW4e4aNvhhkoyLDP/U6RxLiH/QPD7EEP0vM58LETTWD+R3tViD/A5UMVlVVzF6MMsdRI0Q==</enc:CipherValue></enc:CipherData></enc:EncryptedKey></ds:KeyInfo><enc:CipherData><enc:CipherValue>n4vumLMhKFzn29uSCktg1jEnzBf9yJcgt+OvYa7r3Vi7eLLyL9uGHy3NDIsaAr0qYF/+AyjwIE8aCk0/qMjFiY+O3j/oQLulbU+RHooQm95cesySRs2PlZ6G5nI1lnMDb9SsSFMhSjl2ZTBV6YWJ69kphS8IbQFjuNcnZBW4ARI0A5WGhj36F2zGXAGnJ7BNvVLJLv8zMT3hsmcJ0ZHA2ggN5RJnPEKT56OJkcgNN0mjhhldt35As2qK7NDumv25WB+3BX1DSCFBGkHCiK5pGjKAXu3tudXFt0+ryvDojdVpmbOwypRXjzgqCBZ8gOLMGoyYFVgXINUY59+mqbhv/mIBaOqbmuVV26tCWPWFkvbzMz1jD3fEcws7nKoc69Ceavl1BKWb5Zq+YYr3voHr7g2ZRvBd6me2YTRx6BNIgj8dbplzlD3Bp4HO13tK0rZXpJH1Z2OXfpUd3ZE0T879WJjDA1qcgUswH8F0ER+UG09P2Z2PgK2McFz4ntwTJOSohhipMU0WFRHQr3s+bLr3c78NFZl8FGGZ9rRm/AMhsHPqKuK/WAqmvtMoYdXPTWw5cP5CysgVIdWO+VymKZ4W7LbtZrZRk9hCya6ANmpkckEBSo03p/p
sqE5X97A43V6XExjP4cQNdwPZw1b8c4UDJzvFFFL69P3HispobxvdlLqI2nxu2tp9M9eyYQDHtqjSdutYjkyolXkrEKoRGAPOoUsUlxnctHd6RmbA825YNywNMG9sXqxIM8ua1BQoEWfRQauFUYxyGQYywqT0MsbVu1N2HSQsc8Dern6kOl0OLd/Z4n1XZI3bMWMCtNe4DrK2OOeG1RY8DPOn8dW+AL/+T2iqVv2d3dNkRXTvkaEl9UXecBe/G6oqtkjjTdSdZ/20ifi9LFejagAtdIQ+crfH12JKyGs5tPVgDtZfJPoAryHAeyqI+0kUsTTVgsJtE1OU/FAXI2naEVCDH26vZOt9QzaXkTgmRAL8X65BaXczJ365QWi/oURNq/q4zSpo/fkRrspIfh9mefhbyssNsGYWHtQO0GOeNzrCfpdRll5f2w8DdEkH3+u0V4c4otf0pMYkhyw007ig1Y7xgY+e1xFP7/fJ0QMa04XDe+NWdgDhT0NJe23ehPgOPFC0Qa4gC5an9V//u1/svnzjrNyKhjfUVQ7ai+xAi7Pla7Irmpr35vX+FjkPzmFyNnfNqRt3+o9rzLHRS4QYTMK00FccP7cirekRK45ni2yLa1wgHBn674owJTje/ugOYsXCdkZEOUbs6LgOMPjUlxUwQpeLj4uw1ycMRNZGNo7zBDHSMZ18ZRxAuP0J2V1s9KiQBLBsodtZ7fyqVYjKQVSeYj7mDlPM6r/4tC+R8k8pEQpnjvQFqhm/MHfZzoaYfO9523J5s5FXMOhO94XK/VdRayvOHNxaK1NV6k2tEpaPXPa4cSorRXBn81yKItis+u1NbE4SBb5CkuTTQnPNJec2/BQQspwWKfbMAs/sptJel4OaZ6x5svyHgijnYTV373V1EcIPDDNzDH/iJGJv/3hhZs0QNP4hO1zU+8RFphDMclM1YtYzruoROL8JW0jMwDC/UyfhKlWLIUSOS8PFE22UCuXpsnbY5ty/Q8CSaIvhNrOodAC8gRKoLGdyEqFt+tk4Fjbty7biuOBgONF8Uh8XeT9jKlRI3FUc4kpC3Pafeg7Os3LuXcxu8CggrRH73Lh4MJQ1Y7IIRsxDPNuJTBzEvsQJdNzPy/t+LA8cNV9OPat5+LXFhd1TH6zwqYC7i3hSCq9NT9spp15cZ0KZJt7FFd8uYwE9AHmy6Jb8NdbAXruwnGIETiiOYvlehGkMcND0aiwx7KIycYwz9quyOh9vYdc0IGvKaBLfbv7TYC89xSuOBqLiiuW4BOLMXxvrdutRPVy5HqLHlfOzaiq+TbljC+dqjJUw3NpViS5pmiP2culW4ZphNROb1Rp+oJLu1E2F6eGUNGBTSlohK6RD7ZaKVvLxU/PH0WNwXqmUY6215MRjH0+yEeKPNR/iq/KOmI9xwN0GB7Qpao1yS71tLnM/Rg6hjOI9X6ynDsTPRiUK+doeDznOfcysObf8Zpjjlp1eRHYCnp9WJNM3IGg/hd53APMUP+qy3wAmsKmLJ88W0qxUefslynIEKZeriARXpjQj46yDGIXYpe9XNBJAVc88+WCA4mIKlolsbtHZwbMccsfVQKiqLqV21Um50IITpLpPY5v1yRwNMf9A9/n72qrolDm8h38xDWPwyrojWs06bz4XMIQF7/lSR2aRE9L78Lp1i5UafNYe3EgnAReZsYWvCAr8Xm7IXyQmgEXh9en28b1t1ZsKNCyvQRRD5IqzSqBswtITRmbjoBfw2EnYcIp0E8vKGAG5zyxphhXCwfjEoRxKuZ7hDPcfGQb++KbPgIl3Ub6sJTX0QoVjBCAYnXvpKaKOQ9zOYN4MVp+lKMcFw0w4j/8IDC8D8O9ZAQhn2Bj6CPjAtEN6mwv4DqQwndNxx3glkOFVvkLBHkRfTvcQRmBcNjeP4RpQyCqMMgIcIRuQFYfQUXy0QxVVbegZHzeYYhe6A5yp3Oz3M87Nn3j5V5puu3kMUtLKIYl0KjKbrBLX8sqtx/BDhd+
BuWiFsedmL0kAmRxuh96SoR1E6EzIrIm8s9xLvGRH45oBs5QA9KoSvm/gE2mcYVoe7baZocsrlkWs+xoZDwDAbmPZi16jbnwXxEWfwTBvKQ8vQisIN24O+gJXi7r0dzoRTqIY104yPJmPdIGh0rdGU4AUxtJNhpLujSpteU82M7kAlVhP4IK0UHIfciJ13C4OX0IH8y8shcu4QvZK4Nw98uIBjY3ybjMB9bqZAO2pZM1lk9sdn590L7iA/vjjJ24wAl2Yz2MhgtUKzTfTRzhnje+E10JHKYph/Z+DWO8Ku4vWEgak6m9flfXwrFPkSENTTNHXVKTnvFrdvJtfYAcympLg/tJXmQlrT+kQl2o/jbIcePi6HbtR+YtYWpckkfvU/cvcqWMuiJNHi3ST8vvVoGrypq7aY6MnJPqNTVD1yc3q2ZQxfreevKRktHm8gwGIjyuL7mUOkF4r0dQgWmcpQhS2Ozil5NkVtLdxJmcWeFxv3GZ4Tta2NXIEQexdgjUnAGRQH/CAF/Xi/9fjoM4puZTdlxdx4QRps1Y4DBQ6oCnI67sUdQGtcx7LwCVrLFJc0gKtnVtmEVvYDKPv1E4eIvyPz/6+fjHcYePYmKxPa6dV50g9E6K0832osbdV9klbDsx9AE0B2qkI0akEBuP978Wl5tIUDqC0kMNMp1wt2WTLx7KOrwLQVVUyFx167BGaduxIm/QAj5Jht6tVaAuCrhU3u6qzxZ7GQHtPe9pJCAtEOGNx68TGgaQynIdA0dS2G85XtYAHXI+Yt1D6eoQbQ04sMGiKfdm2E5QRy7lS/lNSQaf3+kNCiTEHmHeaTy4zCpMWvDDaAqtQbM5JNMxa4mkr0mmxOoykIS8CuSkat8+QIzROFEsIc+66qQC4yAJ0bKssZ0tyQ3BQC3D3hAGZoUsg8pUTNcR/i/hT0x5AMCgaU9EMkFFOhFQoVdcUti3tpUSLtpjVheuG5pAHIlGasfnh4iYexWQeF4DDoJRCFUVprFY7VJy4AAvT8qM+3XnraTKbLDncKEx14TDELnXdNgRDYkqt/XKgZ/Y2hNM0zonZHsp/lz8+ISfKJR5LRTjX2Xg+2loHKBIm6ysJ2ukEodwafMhJxPD7KSjJi/qW06WzCG3K1o4D/Q4B6ABjbGY7HXvn+yhz9EdWWECHfN+i2x/Jdh15wRsuS0hRGD0RL7O//mjHtGzJN0w1KqLYJvglUlEVVUtXqKwk/L0NLMW3T8n84kA/LEXL9a1NgQDlpBoP3ZOXqpzFa1rzfZfBkniIgQJT+JaciDpgo0oeo1F4uGRlQ5h5kIL6dXiOchkHEBv7uo0+N4OhRcK6mjHUgzorSwmkocYktW2Szu8gdr8ts6QbtkCM++uNz+v8AP5vO+gUh5b+9I7NWbkWdrqoWAOCw+miT7dPG5jMJ76HYCBFbWJt2iV96cpwiIR4VXH3kMHQBl0E66s75GFmaGUnx51JNXUGavmQASR3vsvrrC8kATb+P/mmTprvikGM7IPgWG1zHTcqLuoHDylVmfGHg0ys9LpqwuUBu7FvFuuftVwl/24RGJrxup3bGjOb3hJ12HSVMJ3NMZxVBIG4FVz7Voi9B8cCi9wPfaacZvc0Vk2itFOJS77nNrKs5XizH80JfWxu1Y/BYYNsMMys42rPpf0Mba/DHUfROLzlH5dg2lKQuuR1aJHLKWZHoQQPKEPu9D/pZKY7Y4T5ImdElXLG</enc:CipherValue></enc:CipherData></enc:EncryptedData>



If you succeed I'll fetch you a beer at IIW2009b.
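What an untrusted intermediary can still read from a token shaped like the one above, as an added example that is not code from this post: the algorithm names, the recipient certificate thumbprint, and the ciphertext sizes are all visible without any key. The function names `describe_envelope` and `build_sample` are hypothetical, and the sample envelope uses constructed byte values rather than the post's ciphertext.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "enc": "http://www.w3.org/2001/04/xmlenc#",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/"
            "oasis-200401-wss-wssecurity-secext-1.0.xsd",
}

def _b64(parent, path):
    """Decode the base64 text of the first element matching path."""
    return base64.b64decode(parent.findtext(path, namespaces=NS))

def _alg(parent):
    """Short algorithm name from the element's direct EncryptionMethod child."""
    return parent.find("enc:EncryptionMethod", NS).get("Algorithm").split("#")[1]

def describe_envelope(xml_text):
    """Return what is readable from an xmlenc token without any key."""
    root = ET.fromstring(xml_text)
    wrapped = root.find("ds:KeyInfo/enc:EncryptedKey", NS)
    key_ct = _b64(wrapped, "enc:CipherData/enc:CipherValue")
    data_ct = _b64(root, "enc:CipherData/enc:CipherValue")
    return {
        "data_alg": _alg(root),
        "key_alg": _alg(wrapped),
        "recipient_cert_sha1": _b64(wrapped, ".//wsse:KeyIdentifier").hex(),
        "rsa_modulus_bits": len(key_ct) * 8,   # RSA ciphertext is modulus-sized
        "iv": data_ct[:16].hex(),              # xmlenc CBC prepends the IV
        "cbc_blocks": (len(data_ct) - 16) // 16,
    }

def build_sample():
    """Constructed envelope: the post's structure, made-up byte values."""
    e = lambda b: base64.b64encode(b).decode()
    return (
        f'<enc:EncryptedData xmlns:enc="{NS["enc"]}" xmlns:ds="{NS["ds"]}"'
        f' xmlns:wsse="{NS["wsse"]}">'
        f'<enc:EncryptionMethod Algorithm="{NS["enc"]}aes256-cbc"/>'
        f'<ds:KeyInfo><enc:EncryptedKey>'
        f'<enc:EncryptionMethod Algorithm="{NS["enc"]}rsa-oaep-mgf1p"/>'
        f'<ds:KeyInfo><wsse:SecurityTokenReference><wsse:KeyIdentifier>'
        f'{e(bytes(range(20)))}'
        f'</wsse:KeyIdentifier></wsse:SecurityTokenReference></ds:KeyInfo>'
        f'<enc:CipherData><enc:CipherValue>{e(b"k" * 256)}</enc:CipherValue>'
        f'</enc:CipherData></enc:EncryptedKey></ds:KeyInfo>'
        f'<enc:CipherData><enc:CipherValue>{e(bytes(16) + b"c" * 48)}'
        f'</enc:CipherValue></enc:CipherData></enc:EncryptedData>'
    )
```

The block count bounds the plaintext length to within one AES block, which is the kind of metadata that remains exposed even when the content itself is not.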

3 comments:

cmort said...

<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1" AssertionID="uuid-F7DCFD8A-8F94-CDDD-12A1-22F43368C92D" Issuer="http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self" IssueInstant="2009-10-14T21:53:42Z"><saml:Conditions NotBefore="2009-10-14T21:48:41Z" NotOnOrAfter="2009-10-14T22:03:41Z"><saml:AudienceRestrictionCondition><saml:Audience>https://xmldap.org/relyingparty/</saml:Audience></saml:AudienceRestrictionCondition></saml:Conditions><saml:AttributeStatement><saml:Subject><saml:SubjectConfirmation><saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod></saml:SubjectConfirmation></saml:Subject><saml:Attribute AttributeName="givenname" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims"><saml:AttributeValue>Axel</saml:AttributeValue></saml:Attribute><saml:Attribute AttributeName="surname" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims"><saml:AttributeValue>Nennker</saml:AttributeValue></saml:Attribute><saml:Attribute AttributeName="emailaddress" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims"><saml:AttributeValue>axel@nennker.de</saml:AttributeValue></saml:Attribute><saml:Attribute AttributeName="privatepersonalidentifier" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims"><saml:AttributeValue>RzhleWpmN0xUWUdvNmdIcmJ3TExvYnhtTUw2WDlIdkEzMFd5a2xWTG9pbz0=</saml:AttributeValue></saml:Attribute></saml:AttributeStatement><dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><dsig:SignedInfo><dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /><dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /><dsig:Reference URI="#uuid-F7DCFD8A-8F94-CDDD-12A1-22F43368C92D"><dsig:Transforms><dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /><dsig:Transform 
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="saml" /></dsig:Transform></dsig:Transforms><dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /><dsig:DigestValue>LVa3VLOZq/UHMwJN+XdmjBy0yHQ=</dsig:DigestValue></dsig:Reference></dsig:SignedInfo><dsig:SignatureValue>OaoIEjDcNWcLv2rvFwr3/B8LTy1dAka/A92Yzy8Ere2Q+lxO0Vd9NCW+frva8p09vCf6z55D7qRlhQoHKCTZo5PgVseOmZjj6Y/CCjJOVekCawrA2cw91QnWMcOOgXiu9alfydOd+UFuFxXmr+Fa/ae8qdzAqdcYUzLWCQC4DG484OE9YxBiId5x7umupQaoz5zeNdbjeh6ywFw1Ks7NEQ/HAX52iujKFNoOiz5b9KnKOEq+HIi1qG2hIgzatYwt/nKTqqlqpuSO8BqSVzkxtDYsamI3yK0Tswd6GzqSBlyHbZXhvxtXLYwlKYEe1n4qc9MUJTfcht7qTDNolac+HA==</dsig:SignatureValue><dsig:KeyInfo><dsig:KeyValue><dsig:RSAKeyValue><dsig:Modulus>jCeH1PfaxQwjN2gNzsiZVYY+cBtrNNXmVcWMe0Om94u3lSZhKbVr/JLdXsJEu8ojZiaYkR+Run9k4XeIQTHFnBe7PIzP7cbOpCMtoLNzRGYfrL3v+5FC6nonQG+HM26QyhJp1zsvaXv+vAYigMrsXMWv37srMpbTmcpM5djUJmbFWOkEUN7Prad8Qc7dH1zsNAfldsMt3OyMb665OOi/UJQJQyq0g9Jsd8j9JXVUOZO95lrENQ7QFuRHcOTeIvY3bi+VU+CJluVATsG+BgjWiO74AvoeZUim54/KVTb1wnW4iS9U+9nNdyTawCTy6WAqny3a1C5Hg3TnJ1rnxAzd7Q==</dsig:Modulus><dsig:Exponent>AQAB</dsig:Exponent></dsig:RSAKeyValue></dsig:KeyValue></dsig:KeyInfo></dsig:Signature></saml:Assertion>


You owe me a beer!

Unknown said...

Copying the assertion out of the server log is no decryption. And people who have authorized access to the private key of RP (xmldap.org) are no attackers. But I am happy to fetch you a beer. BTW: I am in San Francisco next week too.

Paul Madsen said...

I did the math on the back of an <Envelope> so may be a bit off but I think the plaintext is

'Windows 7 is here'

Paul

p.s. No cheap American beer please