|Google Accessing KML resource without any protection|
- User accesses the maps application, which will have overlays mentioned as KML Url(which is located in the web server).
- Google Maps server accesses the KML Url directly from the server (not via the browser)
- The KML request reaches our own server and the server returns the KML content. This is the reason why the KML should be accessible from the Internet directly.
|Google accessing the KML resource with cryptography based protection|
- User accesses the maps application, which will have overlays mentioned as KML Url.
- The web/app server upon request for the map application, forms the crypto token to be included as part of the KML Url. This token is just a representation of the user identity (loginId of the user), valid from and valid to timestamps. The reason for including these two timestamps is to establish a unique token for every request and also to introduce the expiry of the token, so that the same request cannot be replayed after the token is expired. The web server has to establish some secret key for the symmetric encryption.An example of the token:
tokenBuffer = concat(userId, “:”, validFrom, “:”, validTo) //”:” is used as a delimiter
token = base64encoding(AESCipher(tokenBuffer, symmetricKey)) //using AES for this example
This token will be appended as a query string to the KML url. Instead directly accessing the KML file, here we use a component (a servlet, PHP script or similar) for KML request processing. If the KML Url is http://
:then this Url will become http:// /test.kml : /webapp/KMLController?token= &kmlFile=test.kml
- The maps application responds to the browser with the maps HTML+JavaScirpt along with the KML Url containing the token.
- Upon request, the Google maps server sends a request to our web server’s KML Controller component to process a request for the KML file. The KML file name is passed as part of the query string.
- When KML controller receives the request for KML file content, it performs the following steps:
- It first extracts the token, which is available as part of the query string.
- This token is decrypted using the same symmetric key to get the clear text of the token.
- Extract the token values using the delimiter. In this step we get the user id, valid from and valid to values.
- Do the access control checks and validate the timestamps.
- If everything is fine send the KML content in the response with proper mimetype, i.e. application/vnd.google-earth.kml+xml for KML files and application/vnd.google-earth.kmz for KMZ files. (KML file name is available as part of the query string).
- If any of the steps failed, send proper response code (401, 403, 400 etc).
- Send the response back to the Google server’s HTTP request.
- Google server parses the KML if the KML is sent properly. Otherwise, it ignores the errors.
- Book "Beginning Cryptography with Java" by David Hook
- Icons used in the above drawings are taken from the following site: