Article

Home » Client-side Coding » XML, XSLT & Web Services » Getting Started with XML Security

Getting Started with XML Security

Page: 1 2 3 4 5 6 7 8 9 10 11 12 Next

XML Security

XML Security standards provide a set of technical standards to meet security requirements. These standards are designed to conform to common XML paradigms. The XML Security standards leverage existing XML standards and also enhance XML standards as follows:

  1. The XML Security standards define XML vocabularies for representing security information, using XML technologies, such as XML Schema, for definition. An example is the <KeyInfo> element defined in the XML Digital Signature recommendation for carrying signing or encryption key information. This definition is used in a number of the specifications. The specifications define a shared meaning for the XML vocabularies.

  2. The XML Security standards use other existing XML standards where possible to leverage current XML efforts. For example, XML Digital Signature allows XPath expressions to extract portions of XML for processing (Defined in [ XMLDigSig ] and extended in [ XPathFilter ]).

  3. The XML Security standards are designed to offer the flexibility and extensibility aspects of XML. They allow security to be applied to XML documents, to XML elements and element content, as well as to arbitrary binary documents. They support extending the XML vocabularies through the use of XML namespaces and extensible XML Schema definitions.

  4. XML Security technologies may be applied to end-end security, which is especially important when XML messages are routed through a number of processing intermediaries. Persistent security is associated with the content, rather than with a transport pipe. The security remains with the content. XML Security technologies may be used in conjunction with transport security technologies, such as SSL/TLS, as well.

  5. XML Security technologies reuse existing cryptographic and security technologies whenever possible, without reinventing the wheel. For example, X.509 V3 certificates [ X509Cert ] are used without redefinition when needed - they are simply encoded in a text format. Existing algorithms, such as the SHA1 digest algorithm, are also brought into the XML Security standards world by associating unique URI identifiers with them and defining how they may be used in the XML Security processing models.

The following sections present an overview of the core XML Security standards that are designed to provide XML-compatible technology to meet security requirements. This is followed by some important XML security standards for applying this technology to areas like Web Services and Digital Rights Management.

Core XML Security Standards

The core XML Security standards are:

  1. XML Digital Signature for integrity and signatures,

  2. XML Encryption for confidentiality,

  3. XML Key Management (XKMS) for key management,

  4. Security Assertion Markup Language (SAML) for making authentication and authorization assertions, and

  5. XML Access Control Markup Language (XACML) for stating authorization rules.

The XML Digital Signature recommendation is particularly important; since, as the first XML Security recommendation, it established an approach as well as some vocabulary shared by the other standards. (The <KeyInfo> element defined in the XML Digital Signature recommendation is an element used by other standards, for example.) Signature functionality is also critical for content integrity, so XML Digital Signatures are also incorporated in the other security standards.

Each standard defines the XML vocabulary necessary for describing the security information required for that aspect of security, as well as the processing rules necessary to understand how to apply the standard.

Integrity & Signatures: XML Digital Signature (XML DigSig)

Purpose and Benefits

Digital signatures are useful for two purposes:

  1. To provide persistent content integrity, and

  2. To create and verify portable electronic signatures

Persistent integrity enables the user of content to detect unexpected changes to the content, whether malicious or accidental. Unlike a simple checksum, a digital signature associates a digest of the content with the signer of the content using a cryptographic technique. A digest is a digital "fingerprint", a short fixed-length value that is unique to the content and impractical to determine without the content. Using a cryptographic technique with the digest makes it hard for anyone other than the original signer to change the content without detection. Persistent integrity offers the benefit that content is not only protected in transit, but also when stored and processed.

Electronic signatures offer the digital equivalent of handwritten signatures and may be used for a variety of purposes such as content approval, receipt confirmation, and contract agreement. Using digital signatures makes it possible to move business workflows online, without requiring manual approval steps. This can reduce the delays, costs and inconveniences caused by geographic separation and time zone differences. Digital signatures use cryptographic techniques to construct signatures that are stronger and more portable than other techniques for creating "electronic signatures".

Features

The XML Digital signature recommendation defines mechanisms to support the full range of digital signature creation and verification, including the ability to sign and verify:

  1. Entire XML documents as well as element and element content portions of XML documents,

  2. Arbitrary documents, including binary documents,

  3. Compound documents including multiple documents and/or XML elements and element contents,

  4. Properties to be included with a signature,

  5. Counter-signatures (signatures that include other signatures)

In addition, the XML Signature recommendation supports the application of multiple XML Signatures to an XML document or to different sections of a document, supporting a variety of use cases. The XML Digital Signature specification and related specifications (XML Canonicalization) also define techniques so that signature verification can be robust even with variations allowed in XML, such as whitespace. The reason for the concern is that cryptographic algorithms are concerned with exact text, yet XML allows some flexibility. Canonicalization is used to reduce variations so that all XML Security applications can interoperate.

An XML <Signature> element may be handled in different ways, based on the desired application. It may be placed in a document apart from what is signed. This is known as a "detached" signature, and is used when signing non-XML content. When XML content is signed, the <Signature> element may be added to the XML. This is convenient, since signatures may then be bundled within the content and remain embedded with it, making it easy to keep track of them. When placed in an XML document, the <Signature> element may be added to the document being signed under the document element (an "enveloped" signature). In some cases, it is useful to place the content being signed within the <Signature> element, an example being a signature property (an "enveloping" signature).

If a signature is added to the <PatientRecord> as an enveloped signature, for example, the <Signature> element would be a child of the <PatientRecord> as follows:

<PatientRecord xmlns="http://www.medical.org/">  
   <Name>John Doe</Name>  
   <Account> 123456 </Account>  
   <Visit date="10pm March 10, 2002">  
       <Diagnosis> Broken second metacarpal </Diagnosis>  
   </Visit>  
   <Signature xmlns='http://www.w3.org/2000/09/xmldsig#'>  
       ...    
   </Signature>  
</PatientRecord>
Example 2 - Enveloped Signature

When a signature is added to a document as part of the document, it changes the document. To verify the signature, it is necessary to compare the original document without the signature. The XML Digital Signature recommendation defines a mechanism for removing the <Signature> as part of the verification process.

Another possibility is to create a new XML document with a <Signature> document element and to place the signed element as a child of the <Signature> element. This is usually reserved for information associated with a signature, such as the purpose of the signature, for example:

<Signature xmlns='http://www.w3.org/2000/09/xmldsig#'>  
   <SignedInfo> ... </SignedInfo>  
   <SignatureValue> ... </SignatureValue>  
   <Object>  
       <SignatureProperties>  
           <p:Purpose xmlns:p="http://www.myexample.com/schemas">  
             Approval  
           </p:Purpose>  
       </SignatureProperties>  
   </Object>  
</Signature>
Example 3 - Enveloping Signature

If you liked this article, share the love:
Print-Friendly Version Suggest an Article

Sponsored Links

Topics

SitePoint Jobs

ยป We're Hiring!

SitePoint Newsletters

Get all the latest tips on Advanced Design and Layout by signing up to all of SitePoint’s informative newsletters.

HTML   Plain


View Our Privacy Policy
Sample Our Newsletter Archives

Follow SitePoint on...

Related Forum Discussions

Related Forum: Databases

  1. How can I relate this two tables?
  2. How Does Indexing Work?
  3. help with this Select statment...
  4. Count of users who authenticated this month
  5. SQL Server: MS Exchange as a linked server?