XML Security Standards
XML Signatures
October 30, 2009
Troubleshooting Tips
LANGUAGES: All .NET Languages
ASP.NET VERSIONS: All
By Don Kiely
Because XML is proliferating in applications both on the Internet and on the workstation, there are many initiatives under way to apply security technologies to XML data. In this article and the next, I'll cover a couple of the initiatives that are in various states of development to make XML more secure: XML Signature and XML Encryption.
XML Signature
A common way to protect data, dating back long before XML took over the world, was to attach an encrypted signature to a set of data. The data might be encrypted as well, but that wasn't necessary. The idea is that the signature would encrypt identity information about the person signing the data, as well as some sort of hash or checksum of the data. If the data is changed, the encrypted hash would no longer match a hash generated from the changed data. Mathematically, this is almost impossible to defeat.
To make digital signatures more usable with XML, the W3C is developing the XML-Signature Syntax and Processing specification, commonly called XML Signature, or just XML-Sig. You can use digital signatures with any kind of data, including XML, so why a special specification? The reason is that the same XML can be written in different ways that, as far as an XML parser is concerned, are exactly equivalent. For example, take these two lines of code:
Both forms indicate that the element has no content, and a parser doesn't parse either any differently from the other. However, hashes made from the two lines will be completely different. Yet the data is the same. Whitespace differences cause the same kind of problems. Digital signatures weren't created to handle these kinds of variations in data.
So XML Signature defines both an XML syntax to use when attaching a signature to XML data, as well as ways of normalizing the structure of the data. Another specification from the W3C, Canonical XML, describes a normalization scheme for XML that allows reliable signing.
Here is an example of an XML signature, detached from the data that it protects (with only a subset of the encrypted data to save space):
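The effect described above, as an added example that is not part of the original article: three constructed, parser-equivalent documents are hashed as written and again after canonicalization. It assumes Python 3.8 or later, whose standard library implements C14N 2.0 rather than Canonical XML 1.0; the sample documents and function names are invented for this illustration.

```python
import base64
import hashlib
from xml.etree.ElementTree import canonicalize

# Constructed samples: the same data written three ways (empty-element
# form, attribute order, quote style, whitespace inside tags).
FORM_A = '<order id="42" currency="USD"><note></note></order>'
FORM_B = "<order currency='USD' id='42'><note/></order>"
FORM_C = '<order   id="42"\n  currency="USD" ><note /></order >'
# Constructed sample with a real change to the data (id 42 -> 43).
TAMPERED = '<order id="43" currency="USD"><note></note></order>'


def b64_sha1(data: bytes) -> str:
    """Base64 SHA-1 digest. SHA-1 matches the article's era; it is no
    longer collision resistant, so prefer SHA-256 in new designs."""
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def raw_digest(xml_text: str) -> str:
    """Digest of the bytes exactly as written."""
    return b64_sha1(xml_text.encode("utf-8"))


def canonical_digest(xml_text: str) -> str:
    """Digest of the canonical serialization (stdlib C14N 2.0)."""
    return b64_sha1(canonicalize(xml_text).encode("utf-8"))


def compare(docs):
    """Return (distinct raw digests, distinct canonical digests)."""
    raw = {raw_digest(d) for d in docs}
    canon = {canonical_digest(d) for d in docs}
    return len(raw), len(canon)


if __name__ == "__main__":
    for name, doc in [("A", FORM_A), ("B", FORM_B), ("C", FORM_C),
                      ("tampered", TAMPERED)]:
        print(f"{name:9} raw={raw_digest(doc)} c14n={canonical_digest(doc)}")
    print("equivalent forms:", compare([FORM_A, FORM_B, FORM_C]))
    print("with tampering:  ", compare([FORM_A, TAMPERED]))
```

The three equivalent forms give three different raw digests but a single canonical digest, while the tampered document still differs after canonicalization.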
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
  <SignedInfo>
    <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
    <Reference URI="http://www.w3.org/TR/2000/REC-xhtml1-20000126/">
      <Transforms>
        <Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
      </Transforms>
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <DigestValue>j6lwx3rvEPO0vKtMup4NbeVu8nk=</DigestValue>
    </Reference>
  </SignedInfo>
  <SignatureValue>MC0CFFrVLtRlk=...</SignatureValue>
  <KeyInfo>
    <KeyValue>
      <DSAKeyValue>
        <P>...</P><Q>...</Q><G>...</G><Y>...</Y>
      </DSAKeyValue>
    </KeyValue>
  </KeyInfo>
</Signature>
This XML signature contains several parts, some of which are optional depending on the usage:
The <CanonicalizationMethod> element defines which of several canonicalization algorithms was used to normalize the data. Implementations of XML Signature must support some required algorithms, and the spec provides for use of other algorithms.
The <SignatureMethod> element provides information about the encryption methods used for the signature, and will vary so that the consuming application will know how to decrypt the signature.
The <DigestMethod> element specifies the method used to create what is usually a hash of the XML data being protected. Most of the time this will be the SHA1 method defined by the US government, because that is the only method that an XML Signature implementation must support.
The <DigestValue> element contains the actual digest value.
The actual digital signature is contained within the <SignatureValue> element.
If you need to include any additional information, such as a timestamp or serial number of cryptographic hardware used for encryption, you can include a element.
XML signatures provide integrity, message authentication, and/or signer authentication services for data of any type, whether located within the XML that includes the signature, or elsewhere.
Don Kiely is senior technology consultant for Information Insights, a business and technology consultancy in Fairbanks, AK. E-mail him at [email protected].