The subject of XML security is quite over-hyped. The whole idea of XML security can be simply described as applying common-sense security technology to a specific format, known as XML. XML security is classically described as a combination of XML Encryption and XML Digital Signature. We shall review these concepts in this article.
The most interesting part about XML encryption is that we can encrypt an entire document, or its selected portions. This is very difficult to achieve in the non-XML world. We can encrypt one or all of the following portions of an XML document:
- The entire XML document
- An element and all its sub-elements
- The content portion of an XML document
- A reference to a resource outside of an XML document
The steps involved in XML encryption are quite simple, and are as follows:
1. Select the XML to be encrypted (one of the items listed earlier, i.e. all or part of an XML document).
2. Convert the data to be encrypted in a canonical form (optional).
3. Encrypt the result using public key encryption.
4. Send the encrypted XML document to the intended recipient.
The following a sample XML document, containing the details of a credit card of a user
<Name> John Smith <Name/>
<CreditCard Limit=’10000’ Currency=’USD’>
<Number> 1617 1718 0181 9910 </Number>
<Issuer> Master </Issuer>
<Expires> 05/05 </Expires>
We shall not describe the various details of this XML document, and would simply remark that it contains the credit card details, such as the user’s name, credit limit, currency, card number, issuer name and expiry details. Let us assume that we want to encrypt this. When we perform XML encryption, a standard tag called as EncryptedData comes into picture. As we have mentioned before, we can choose to encrypt selected portions of the XML document, or we can encrypt it as a whole. For illustration purposes, we shall see what happens when we encrypt only the actual credit card details (such as its number, issuer and expiry details). The result is shown in the figure below. We can see that the encrypted text is embedded inside the tag CipherData. This is another standard tag in XML encryption.
<Name> John Smith </Name>
<CreditCard Limit=’10000’ Currency=’USD’>
<EncryptedData Type =
As we can see, the credit card details are now encrypted, and therefore, cannot be read/changed. The fact that we have encrypted the contents of the XML document is signified by using the xmlenc#Content value. If we had encrypted the full CreditCard element, this would have been changed to xmlenc#Element.
XML Digital Signature
As we can see, a digital signature is calculated over the complete message. It cannot be calculated only for specific portions of a message. The simple reason for this is that the first step in a digital signature creation is the calculation of the message digest over the whole message. Many practical situations demand that users be able to sign only specific portions of a message. For instance, in a purchase request, the purchase manager may want to authorize only the quantity portion, whereas the accounting manager may want to sign only the rate portion. In such cases, XML digital signatures can be used. This technology treats a message or a document as consisting of many elements, and provide for the signing of one or more such elements. This makes the signature process flexible and more practical in nature.
The XML digital signature specification defines a number of XML elements, which describe the characteristics of an XML signature. These are tabulated below.
|SignedInfo||Contains the signature itself (i.e. the output of the signing process).|
|CanonicalizationMethod||Specifies the algorithm used to canonicalize the SignedInfo element, before it is digested as a part of the signature creation.|
|SignatureMethod||Specifies the algorithm used to transform the canonicalized SignedInfo element into the SignatureValue element. This is a combination of a message digest algorithm and key-dependent algorithm.|
|Reference||Includes the mechanism used for calculating the nessage digest and the resulting digest value over the original data.|
|KeyInfo||Indicates a key that can be used to validate the digital signature. This can consist of digital certificates, key names, key agreement algorithms used, etc.|
|Transforms||Specifies the operations performed before calculating the digest, such as compression, encoding, etc.|
|DigestMethod||Specifies the algorithm used to calculate the message digest.|
|DigestValue||Contains the message digest of the original message.|
Page 1 of 2
The steps in performing XML digital signatures are as follows.
1. Create a SignedInfo elementwith SignatureMethod, CanonicalizationMethod and References.
2. Canonicalize the XML document.
3. Calculate the SignatureValue, depending on the algorithms specified in the SignedInfo element.
4. Create the digital signature (i.e. Signature element), which also include sthe SignedInfo, KeyInfo and SignatureValue
A simplistic example of a XML digital signature is shown below. We shall also explain the important aspects of the signature.
Let us discuss the contents of the digital signature in brief.
- <Signature> … </Signature> – This block identifies the start and end of the XML digital signature.
- <SignedInfo> … </SignedInfo> – This block specifies the algorithm used: firstly for calculating the message digest (which is SHA-1, in this case) and then for preparing the XML digital signature. (which is RSA, in this case).
- <SignatureValue> … </SignatureValue> – This block contains the actual XML digital signature.
XML digital signatures can be classified into three types: enveloped, enveloping and detached.
- In the enveloped XML digital signatures, the signature is inside the original document (which is being digitally signed).
- In the enveloping XML digital signatures, the original document is inside the signature.
- A detached digital signature has no enveloping concept at all, it is separate from the original document.
This idea is shown below.
<Signature> … </Signature>
To summarize, XML security can be very easily understood by applying the basic knowledge of security concepts in the context of XML.
About the author :
Atul Kahate is Head – Technology Practice, PrimeSourcing (the The Global IT Services business from i-flex solutions limited). He has authored 16 books on Information Technology, 2 on cricket, and over 1500 articles on both of these in various newspapers/journals. He can be reached at akahate at gmail dot com.
Page 2 of 2