Posted by Aashish Patil (patil_aashish AT emc.com) on March 2007
On a recent project, I had to set up single sign-on between three different web applications, two of them not managed by the developer network. Each web application used a different framework - Java, ASP.NET and ASP (VBScript). Single sign-on was to be implemented using an encrypted cookie, with the Blowfish algorithm for encryption.
The cookie encryption seemed simple. The first task was finding an implementation of Blowfish in VBScript. Surprisingly, that turned out to be quite a challenge. Finally, I found a free Visual Basic implementation linked from Bruce Schneier's Blowfish site.
Back to the Basics
At this point I thought the cookie encryption/decryption was pretty much wrapped up, because we had the algorithm and the shared key. I set up a test environment containing a Java web application in Tomcat and an ASP web application in IIS 6 (on a side note, it turns out that ASP is not enabled by default in IIS 6).
A few minutes into the testing, things did not seem as easy as initially imagined. The two web applications could not correctly decrypt each other's cookies. I was stumped. Both web applications were using the same key and the same algorithm. Then why was this happening? After 'googling' a bit and not getting any clear answers, I cleared the dust off my copy of 'Applied Cryptography' by Bruce Schneier and started to read some of the fundamental cryptography chapters that I had last read a couple of years back. Back then I had written a simple Blowfish implementation for an internal team at EMC, but I had not worked on it since. After reading a few chapters, it all started coming back to me.
Block Ciphers and Padding
Blowfish is a block cipher. In a block cipher, data is split into fixed-size blocks and each block is then encrypted. Thus, encryption takes place at block level - an entire block is encrypted at a time. A block cipher works in different modes - ECB (Electronic Code Book), CBC, OFB, ... For a full list take a look in the above-mentioned book. Based on this little information I set both implementations (Java and ASP) to work in the same mode. This still did not work.
What was I missing? After spending quite a while (I lost track of the time) debugging VBScript using 'Print' statements (I was editing in Notepad++ and not an IDE) and then later the Java implementation (this was much easier using Eclipse), I realized that the VB implementation was using padding and the Java implementation was not. What is padding? In a block cipher, if the data cannot be split into equal-sized blocks, the last block can be padded to make it the size of all the other blocks. In my case, the Java implementation was not padding the last block, while the VB version was. Since the Java implementation did not support padding, I eventually ended up using the Blowfish implementation in the Java Crypto API (javax.crypto), which allows a developer to specify various properties of the encryption algorithm such as the mode and padding.
Once the encryption on the Java end had the same configuration as that of the VB implementation, the web applications started successfully decrypting each other's cookies. Given the experience of making the Java and ASP applications talk to each other, the ASP.NET integration was straightforward.
Encoding
One issue I had figured out beforehand was encoding. Once plain text is encrypted, it is basically a collection of indecipherable bytes. These bytes need to be encoded when the cookie is set. Base64 and hexadecimal are some of the formats in which the encrypted data can be encoded. In our case the bytes were encoded as hexadecimal characters. Thus, the decrypting code first needs to convert the hex string back into the equivalent bytes before running the decryption algorithm.
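The three things both ends had to agree on in the sections above (mode, padding and encoding) are easiest to see in one small program. The following is an added example, not code from the original post or from either of the implementations it describes. Because Go's standard library has no Blowfish, it uses AES in CBC mode in its place; the padding and hex-encoding logic is the same, only the block size differs (16 bytes for AES instead of Blowfish's 8). The key, IV and cookie contents are constructed sample values, and the "zero-filling" peer is an assumption about what an implementation without padding might do with a short last block, since the post does not say.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
	"errors"
	"fmt"
)

// pkcs7Pad appends between 1 and blockSize bytes, each holding the count of bytes
// added, so the result is a whole number of blocks. Block-aligned input still gets
// a full block of padding; that is what lets the receiver strip it unambiguously.
func pkcs7Pad(data []byte, blockSize int) []byte {
	n := blockSize - len(data)%blockSize
	padded := make([]byte, 0, len(data)+n)
	padded = append(padded, data...)
	return append(padded, bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad validates and strips the padding. Its errors are the symptom the post
// describes: the peer used a different convention, so the last block is not padding.
func pkcs7Unpad(data []byte, blockSize int) ([]byte, error) {
	if len(data) == 0 || len(data)%blockSize != 0 {
		return nil, errors.New("data is not a whole number of blocks")
	}
	n := int(data[len(data)-1])
	if n == 0 || n > blockSize {
		return nil, errors.New("last byte is not a valid padding length")
	}
	for _, b := range data[len(data)-n:] {
		if int(b) != n {
			return nil, errors.New("padding bytes are inconsistent")
		}
	}
	return data[:len(data)-n], nil
}

// EncryptCookieHex is the agreed configuration: CBC mode, PKCS#7 padding,
// hex encoding of the ciphertext so it fits in a cookie value.
func EncryptCookieHex(key, iv, plaintext []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	padded := pkcs7Pad(plaintext, block.BlockSize())
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return hex.EncodeToString(out), nil
}

// EncryptZeroFilledHex models an assumed peer that does not pad and only
// zero-fills the last block; same key, same mode, different padding.
func EncryptZeroFilledHex(key, iv, plaintext []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	bs := block.BlockSize()
	filled := make([]byte, (len(plaintext)+bs-1)/bs*bs) // tail stays zero
	copy(filled, plaintext)
	out := make([]byte, len(filled))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, filled)
	return hex.EncodeToString(out), nil
}

// DecryptCookieHex reverses EncryptCookieHex: hex -> bytes -> CBC decrypt -> unpad.
// Every step is checked so a mismatch surfaces as an error rather than garbage.
func DecryptCookieHex(key, iv []byte, cookie string) ([]byte, error) {
	raw, err := hex.DecodeString(cookie)
	if err != nil {
		return nil, fmt.Errorf("cookie is not hex encoded: %w", err)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(raw) == 0 || len(raw)%block.BlockSize() != 0 {
		return nil, errors.New("ciphertext length is not a multiple of the block size")
	}
	out := make([]byte, len(raw))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, raw)
	return pkcs7Unpad(out, block.BlockSize())
}

func main() {
	// Constructed sample values: 16-byte AES-128 key and a fixed IV for a
	// reproducible run. Real cookies need a fresh random IV per value.
	key := []byte("0123456789abcdef")
	iv := []byte("fedcba9876543210")
	session := []byte("user=alice;role=reader")

	good, _ := EncryptCookieHex(key, iv, session)
	back, err := DecryptCookieHex(key, iv, good)
	fmt.Printf("matching config: %s -> %q, err=%v\n", good, back, err)

	mismatched, _ := EncryptZeroFilledHex(key, iv, session)
	_, err = DecryptCookieHex(key, iv, mismatched)
	fmt.Println("peer that zero-fills instead of padding -> err:", err)
}
```

Two points the example makes explicit that the post only hints at: a length check before decryption catches a peer that did not pad at all (the ciphertext is then not a whole number of blocks), and padding validation catches a peer that filled the last block some other way. Note also that CBC with a shared key only hides the cookie's contents; it does not stop a client from tampering with the ciphertext, so a cookie used for single sign-on should additionally carry a MAC (or use an authenticated mode) that the receiving application verifies before trusting the decrypted value.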
The Importance of a Manual Web Crawl
After I had finished all the work, I found this excellent article (http://www.di-mgt.com.au/cryptoCrossPlatform.html) by following one of the links on the Blowfish site. I wish I had found it earlier; that would have saved a whole lot of work.
References
- Applied Cryptography - Bruce Schneier
- Cross-Platform Encryption - http://www.di-mgt.com.au/cryptoCrossPlatform.html
- Blowfish site - http://www.schneier.com/blowfish.html