Encrypting and authenticating XML data [Part 2]

After gaining some understanding of encrypting and authenticating XML in XML web services in the previous part, we now look more closely at XML Signature and then summarise XML encryption and authentication.

[Image: xml authentication]

XML Signature Standard
The W3C XML Signature standard provides a specification for creating and using digital signatures in XML. You use XML Signature to provide authentication when transmitting documents. You can use XML Signature with any content, including XML data. You can sign just a portion of a document, in the same way that you can encrypt just part of it.

Authenticating XML documents is difficult, however, because their structure may change even when the data in them does not. Most digital signature methods treat the structure of a document as significant when generating the unique value, or message digest, that is used to validate the document’s authenticity. To address this, the W3C uses XML Canonicalization. This specification defines how to generate a canonical form of an XML document, a highly formalized version of the document. Two XML documents that differ textually, for example because of comments, empty tags, or line breaks, but have the same logical structure will produce identical canonical documents.

The basic structure of a digital signature is as follows, where ? indicates zero or one occurrence and * indicates zero or more occurrences:

<Signature ID?>
  <SignedInfo>
    <CanonicalizationMethod/>
    <SignatureMethod/>
    (<Reference URI? >
      (<Transforms>)?
      <DigestMethod>
      <DigestValue>
    </Reference>)+
  </SignedInfo>
  <SignatureValue>
  (<KeyInfo>)?
  (<Object ID?>)*
</Signature>

Signature is the root element, and its optional ID attribute identifies the signature. The mandatory SignedInfo element represents the data that is signed. The CanonicalizationMethod element names the canonicalization algorithm that has been applied to the signed data. The Reference element refers to the data object being signed. It contains the Transforms, DigestMethod, and DigestValue child elements, which describe how the signed data object has been processed. The KeyInfo element enables you to obtain the key that validates the signature. Note that, although this element is namespace-qualified when used in encryption, it does not need to be qualified when used with digital signatures because it is part of the digital signature namespace.

The following is an example of a signature:

<Signature Id="ENTSecureSig"
    xmlns="http://www.w3.org/2000/09/xmldsig#">
  <SignedInfo>
    <CanonicalizationMethod Algorithm=
      "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
    <SignatureMethod Algorithm=
      "http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
    <Reference URI=
      "http://www.w3.org/TR/2000/REC-xhtml1-20000126/">
      <DigestMethod Algorithm=
        "http://www.w3.org/2000/09/xmldsig#sha1"/>
      <DigestValue>
        j6lwx3rvEPO0vKtMup4NbeVu8nk=
      </DigestValue>
    </Reference>
  </SignedInfo>
  <SignatureValue>MC0CFFrVLtRlk=…</SignatureValue>
  <KeyInfo>
    <KeyValue>
      <DSAKeyValue>
        <P>…</P><Q>…</Q><G>…</G><Y>…</Y>
      </DSAKeyValue>
    </KeyValue>
  </KeyInfo>
</Signature>

The Signature element declares the XML Signature namespace. The Reference element identifies the W3C XHTML specification as the object being signed in this case. The DigestMethod element’s Algorithm attribute indicates that the SHA-1 algorithm was used to generate the hash, or message digest, of that object; the resulting value is given in DigestValue. Everything within the SignedInfo element is canonicalized according to the Canonical XML specification named by the CanonicalizationMethod element. Then the DSA algorithm specified by the Algorithm attribute in SignatureMethod is used to produce the SignatureValue, which is the digest of everything in the SignedInfo element. KeyInfo specifies which key should be used to validate this signature, in this case a DSA key. The P, Q, G, and Y elements are used only within DSAKeyValue and carry the DSA public key values.

To validate this signature, the contents of SignedInfo are canonicalized and then processed with the algorithm specified in SignatureMethod using the public key supplied by KeyInfo. If the value this produces matches the one in SignatureValue, the signature is valid. To validate the signed data itself, the unsigned data is retrieved via the Reference URI, processed according to DigestMethod, and compared to the value in DigestValue.
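The two-stage check described above (reference digests first, then the signature over canonicalized SignedInfo), together with the canonicalization behaviour from earlier in the article, as an added Python example that is not part of the original post. It makes several assumptions of its own: SignatureMethod is HMAC-SHA1 (a standard XML Signature algorithm) rather than the DSA of the article's example, so it runs with only the standard library; Python's built-in C14N 2.0 writer stands in for the Canonical XML 1.0 algorithm named in CanonicalizationMethod, with insignificant whitespace stripped; the purchase-order document, the shared key and the function names are constructed for the demo; and the verifier accepts only same-document Reference URIs and a fixed set of algorithm identifiers, so a hostile Signature element cannot steer it into fetching remote data or into a weaker algorithm.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
# Algorithm identifiers defined by the XML Signature specification.
ALG_C14N = "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"
ALG_SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1"
ALG_HMAC_SHA1 = "http://www.w3.org/2000/09/xmldsig#hmac-sha1"

# Serialise dsig elements with a default namespace, like the article's example.
ET.register_namespace("", DSIG_NS)

# Constructed sample input for the demo (not from the article).
PURCHASE_ORDER = '<PurchaseOrder Id="po-1"><Item>widget</Item><Amount>100</Amount></PurchaseOrder>'
SHARED_KEY = b"example-shared-secret"  # constructed HMAC key held by both parties


def c14n(xml_text):
    """Canonical form of an XML fragment. Assumption of this example: Python's
    C14N 2.0 writer stands in for Canonical XML 1.0 (ALG_C14N); strip_text=True
    discards indentation and line-break whitespace, comments are dropped and
    attributes are ordered, so textually different inputs compare equal."""
    return ET.canonicalize(xml_text, strip_text=True)


def sha1_digest_b64(xml_fragment):
    """DigestValue: base64 of SHA-1 over the canonical form (20 bytes -> 28 chars)."""
    return base64.b64encode(hashlib.sha1(c14n(xml_fragment).encode()).digest()).decode()


def find_by_id(document_xml, element_id):
    """Resolve a same-document Reference URI ("#id") to the serialised element."""
    for elem in ET.fromstring(document_xml).iter():
        if elem.get("Id") == element_id:
            return ET.tostring(elem, encoding="unicode")
    raise LookupError(f"no element with Id={element_id!r}")


def _algorithm(parent, child):
    elem = parent.find(f"ds:{child}", {"ds": DSIG_NS})
    return None if elem is None else elem.get("Algorithm")


def sign(document_xml, element_id, key):
    """Produce a detached <Signature> over the element carrying Id=element_id."""
    signed_info = (
        f'<SignedInfo xmlns="{DSIG_NS}">'
        f'<CanonicalizationMethod Algorithm="{ALG_C14N}"/>'
        f'<SignatureMethod Algorithm="{ALG_HMAC_SHA1}"/>'
        f'<Reference URI="#{element_id}">'
        f'<DigestMethod Algorithm="{ALG_SHA1}"/>'
        f"<DigestValue>{sha1_digest_b64(find_by_id(document_xml, element_id))}</DigestValue>"
        "</Reference></SignedInfo>"
    )
    # SignatureValue is computed over the canonical form of SignedInfo.
    mac = hmac.new(key, c14n(signed_info).encode(), hashlib.sha1).digest()
    return (
        f'<Signature xmlns="{DSIG_NS}">{signed_info}'
        f"<SignatureValue>{base64.b64encode(mac).decode()}</SignatureValue>"
        "<KeyInfo><KeyName>example-shared-key</KeyName></KeyInfo></Signature>"
    )


def verify(document_xml, signature_xml, key):
    """Core validation: (1) every Reference digest matches the referenced data,
    (2) SignatureValue matches the canonicalised SignedInfo under the key.
    Returns (ok, reason)."""
    ns = {"ds": DSIG_NS}
    sig = ET.fromstring(signature_xml)
    signed_info = sig.find("ds:SignedInfo", ns)
    if signed_info is None:
        return False, "missing SignedInfo"
    if _algorithm(signed_info, "CanonicalizationMethod") != ALG_C14N:
        return False, "unsupported CanonicalizationMethod"
    if _algorithm(signed_info, "SignatureMethod") != ALG_HMAC_SHA1:
        return False, "unsupported SignatureMethod"
    for ref in signed_info.findall("ds:Reference", ns):
        uri = ref.get("URI", "")
        if not uri.startswith("#"):  # never dereference remote URIs from untrusted input
            return False, f"refusing to dereference non-local URI {uri!r}"
        if _algorithm(ref, "DigestMethod") != ALG_SHA1:
            return False, "unsupported DigestMethod"
        expected = ref.find("ds:DigestValue", ns).text.strip()
        try:
            actual = sha1_digest_b64(find_by_id(document_xml, uri[1:]))
        except LookupError as exc:
            return False, str(exc)
        if not hmac.compare_digest(actual, expected):
            return False, f"digest mismatch for {uri}"
    # Recompute the MAC over the canonical SignedInfo as re-serialised from the tree.
    signed_info_xml = ET.tostring(signed_info, encoding="unicode")
    mac = hmac.new(key, c14n(signed_info_xml).encode(), hashlib.sha1).digest()
    claimed = base64.b64decode(sig.find("ds:SignatureValue", ns).text.strip())
    if not hmac.compare_digest(mac, claimed):
        return False, "SignatureValue does not match SignedInfo"
    return True, "valid"


if __name__ == "__main__":
    signature = sign(PURCHASE_ORDER, "po-1", SHARED_KEY)
    print(verify(PURCHASE_ORDER, signature, SHARED_KEY))
    print(verify(PURCHASE_ORDER, signature.replace("><", ">\n  <"), SHARED_KEY))
    print(verify(PURCHASE_ORDER.replace("100", "999"), signature, SHARED_KEY))
```

Re-indenting the Signature element with line breaks between tags still verifies, because both sides compare canonical forms, whereas changing a single digit in the signed Amount fails at the digest stage before any key material is touched. Verification order matters for reporting: a digest mismatch points at altered data, a SignatureValue mismatch at an altered SignedInfo or the wrong key.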

To summarise encrypting and authenticating XML data: XML Encryption enables you to encrypt an entire document, a specific element, or the content of a specific element. It also facilitates the transmission of data between more than two parties and ensures end-to-end security rather than party-to-party security. XML Signature provides authentication when using web services. It enables users to receive data that is signed by the sender and to verify the integrity of that data.

XML Encryption encrypts data using the following elements: EncryptedData, CipherData, CipherValue, CipherReference, and EncryptionMethod. These elements are in the http://www.w3.org/2001/04/xmlenc# namespace. XML Encryption is key-based and can be asymmetric or symmetric.

The W3C XML Signature standard provides a specification for creating and using digital signatures in XML. You can sign just a portion of a document, in the same way that you can encrypt just part of it. XML Signature relies on XML Canonicalization to generate a canonical form of an XML document. This ensures that the data in a document can still be verified even if its structure changes.

One Response to “Encrypting and authenticating XML data [Part 2]”

  1. etomyam March 16, 2010 at 1:21 pm

    Hi,
    although the article is too technical for an average Joe like me, I’m sure it has great benefit... going to read it again slowly... 😀