XML Signatures for widgets

The WebApps working group has published a first working draft of the Widgets 1.0: Digital Signatures recommendation. This is normally neither my working nor my research area. But this recommendation makes already use of XML Signature 1.1 and is a really cool and obvious usage scenario for XML Signatures. Since the widgets are based on XML there is no better possibility to sign this data than using XML Signatures. Maybe this is the killer (end user) application for XML Signatures that has been missing so far…

Eye on EclipseCon 2009

EclipseCon 2009 is over, and it has been great! A lot of things to learn, and even more people to meet. This was my first EclipseCon, and it couldn't have been any better!

Monday started with some great tutorials: Building Commercial-Quality Eclipse Plug-ins in the morning and Advanced Eclipse Rich Client Platform in the afternoon. I'm developing Eclipse plug-ins for about five years now, but still discovered some new stuff (and got some ideas about getting P2 working). Since JCrypTool didn't make it to the open source RCP finals, there was no tension for me while attending the Eclipse Community Awards (Apache Directory Studio totally deserved the first place). The PowerPoint karaoke was a lot of fun!

The following days always contained a good mixture of interesting sessions, from e4 over PDE to the Web Tools Platform and various other talks (I'm not going into detail here). And of course some excellent keynotes, of which I enjoyed The Darwin among the IDEs on Thursday the most. Hopefully we will see some of the ideas announced here in the future. Although I have to admit that I am not a fan of developing everything in the browser. The moment one tab crashes all your browser data is gone. Maybe this will change as well as soon as all tabs are using their own processes. But how will two or more browser instances, each with 250 MB, 500 MB or even more memory usage (remember, we are talking about a complete IDE in the browser), affect the system or even work?

Our Web Tools Platform Incubator session took place on Wednesday at 10:10 am. We ended up in the Grand Ballroom B. 31 people attended (thanks to RFID tracking (hopefully not my passport)). I expected some more, but OK, two brand new incubator projects, the community has still to grow around them. The slides from my session Incubating XML Security Tools are available for download on my home page and of course at gPublication (the conversion killed some of the slides, so better use the one on my home page).

As the statistics show, a little more than 1000 people attended EclipseCon this year. I met the people I intended to meet, and many, many more. And I collected some interesting ideas for XML Security Tools enhancements, which I will look at in detail in the next weeks. So stay tuned.

Yet another XML Security Tools build

A new XML Security Tools build (I20090315175418) is available for download: http://build.eclipse.org/webtools/committers. This version contains a lot of changes and several bug fixes: Signature/ Encryption is now possible over selections or XPath expressions again (there has been a nasty bug which resulted into a WRONG_DOCUMENT_ERR). All quick functionality is working, including the support for the latest keystore extensions that have been added to XML Security Tools a little while ago.

And the integration into the rest of the Web Tools Platform was extended. XML Security is no longer a separate category in the preferences: it is now a child entry in the XML category. The same happened to the XML Signatures view, which is now a child entry in the XML category.

A whole bunch of new XML Security working drafts

The W3C XML Security Working Group has released eight first public working drafts last week, from updated XML Encryption 1.1 and XML Signature 1.1 specifications to even some new ones. Among others, these drafts include revisions to XML Signature and XML Encryption to support new algorithms and a new document proposing simplifications to the XML Signature Transform model to enhance performance and security.

XML Signature Best Practices experienced some updates to match the latest recommendations. XML Security Derived Keys, XML Signature Properties, XML Security Algorithm Cross-Reference and XML Security Use Cases and Requirements are completely new specifications.

XML Signature Syntax and Processing Version 1.1
This version mostly replaces more or less unsafe algorithms like SHA-1 with SHA-256 or higher (well, SHA-1 is not replaced, it is still a required algorithm, but SHA-256 is required too). Additionally elliptic curve cryptography has arrived in the recommendations in form of the ECPublicKey element and of course the matching algorithms. And we are confronted with a new digital signature namespace http://www.w3.org/2009/xmldsig11#. Check out the diff-marked version for all changes.

XML Encryption Syntax and Processing Version 1.1
Some updates on required and recommended algorithms too. Elliptic Curve Diffie-Hellman is now a required Key Agreement algorithm. Not too many changes here; and I couldn’t find a diff-marked version.

XML Security Derived Keys
This completely new specification defines a derived key XML type and associated elements, both used in XML Signature and XML Encryption.

XML Signature Properties
Signature properties are nothing new. Up to now it is possible to define any signature property one desires. This is still possible in the future, but this new recommendation will define some commonly used ones. Four properties are defined so far: Profile, Role, Expires and ReplayProtect. I guess we will see some more in the final recommendation…

XML Security Algorithm Cross-Reference
Another new document. And a really, really good idea! This reference contains all algorithms and their corresponding URI used in all XML Security recommendations. Bookmark this page, and never use an incorrect URI again!

XML Signature Best Practices
A collection of best practices, mostly security related, for implementers and users of the XML Signature recommendations. Not everything will be useful in every environment, but clearly this document points into the right direction of making a complex recommendation more practical in the daily usage.

XML Security Use Cases and Requirements
This document summarizes use cases and requirements driving revisions to XML Signature, XML Encryption and XML Canonicalization. Not that interesting for XML Security users.

XML Signature Transform Simplification: Requirements and Design
I like the idea behind this document. Basically it recommends replacing the current reference processing model with a simpler one. And simplicity is always good for security (and for performance). What may(!) happen is an extended Reference element with Selection, Transform and Canonicalization child elements. The Selection element chooses what is to be signed. The Transform element makes sure that you only sign what you see (it has a limited number of transformations that for). And finally the Canonicalization element is used to produce the input for the hash. So the reference processing may change a little bit in the future.

New XML Security Tools build available

A new XML Security Tools version (I20090307153956) is available for download. This version contains a lot of bugfixes and enhancements:

XML Signatures view is fully sortable.
XML Encryption wizard is much easier to use and provides more user feedback (error and information messages). The keys are now stored password protected in a standard Java KeyStore. Old keys will not be usable any more (sorry, but I had to break with it some time).
Cheat Sheets for verification, encryption and decryption were updated.
– And of course a lot (really a lot) of clean up work and code improvements under the covers.

This is not yet an official release. We will set up a release plan during EclipseCon, so please be patient a little more…

(J)CrypTool in the news

The German magazine Datenschutz und Datensicherheit is publishing an article (in the March 2009 edition) about the most famous e-learning tool on cryptography and cryptanalysis: CrypTool. Yes, the J is missing here on purpose so far, JCrypTool still needs some time to grow and mature. The article is named CrypTool – Ein Open-Source-Projekt in der Praxis. Beside the original CrypTool it covers CrypTool 2.0 (the .net variant) and of course JCrypTool too. I was interviewed for this part, so the article contains a lot of my thoughts, views and ideas about the JCrypTool open source project.

There is no online version available yet, but the CrypTool home page will provide a pdf as soon as the team is allowed to do so.

Working on JCrypTool 1.0.0 Milestone 5

Only short time after releasing milestone 4a, we are already working on milestone 5. This version will be available sometime this summer (probably around August). It will be based on Eclipse 3.5, so we keep our promise to always update to the latest Eclipse version. Planning is not completed yet; we are still looking for new cool and yet missing features. What will be included is a command line tool. This interface gives you the possibility to access any cryptographic operation (as long as the plug-in supports it) via a console in JCrypTool (like the console in the IDE for example) or via the command line of your operating system without launching JCrypTool (we haven't decided that yet, what is your opinion?). So that's a feature interesting for power users who just want to encrypt or sign a file as fast as possible. Another important thing will be an Action View, which will keep track of your crypto operations (cascades). So it's like a macro recorder, including the possibility to save, open, export and import those files. In its final version the cascade will be editable too.

And of course there will be more documentation, I promise! Not only for end users, but for developers too. This includes cheat sheets and tutorials for complete JCrypTool beginners. I know there is a gap at the moment. And documentation has been on our to-do list for quite a while now. We know it is important (for every project, but for an e-learning software even more), but it is a lot of work too. And developing new features is much more fun…

You are invited to propose new features and improvements. Or even better, you can develop them yourself and extend JCrypTool the way you like. Do not hesitate to contact me with ideas, bug reports or feature requests. Or use our home page for other contact options.

JCrypTool 1.0.0 Milestone 4a released

We released JCrypTool 1.0.0 Milestone 4a today! This is a maintenance release especially for Milestone 4, which was released a couple of weeks ago. Since Milestone 4 contained a lot of bugs and other inconsistencies we decided to release a refreshed version. As a bonus this version is based on the Eclipse spring maintenance release (3.4.2) that has been published a couple of days ago.

Milestone 4 users should update their installation by downloading the new version or by using the update manager (search for updates). Users of older versions should directly update to Milestone 4a and skip any previously released version.