XML Signature Prabath Siriwardena Director, Security Architecture.

1 XML Signature Prabath Siriwardena Director, Security Architecture

2 XML Security. Integrity and non-repudiation: XML Signature by W3C (http://www.w3.org/TR/xmldsig-core/). Confidentiality of XML documents: XML Encryption by W3C (http://www.w3.org/TR/xmlenc-core/).

3 XML-Signature. A joint standard by the IETF and W3C for digitally signing all of an XML document, part of an XML document, or even an external object. XML Signature applies to any resource addressable by a URI, including non-XML content. It was the first XML security standard to reach W3C Recommendation status; WS-Security, XKMS and SAML all depend on XML Signature.

4 XML-Signature. Multiple XML Signatures can exist over the static content of a web resource.

5 XML-Signature

6 QUESTION 1 What do we actually sign with an XML Signature?

7 XML-Signature - Types: Enveloping Signature, Enveloped Signature, Detached Signature.

8 XML-Signature - Enveloping. Wraps the item being signed within the Signature element: the Reference element points to an Object element inside the Signature element.

9 XML-Signature - Enveloping (diagram: the signed content sits inside the Signature element).

10 XML-Signature - Enveloping (example): signed content "A text in a box"; DigestValue ipbs0UyafkdRIcfIo9zyZLce+CE=; SignatureValue BSChZzMdH1kHVbKL+EyNorZXcEZ9ekL+cf/VW8ejhItfZoXOZQVNnw==...

11 XML-Signature - Enveloped. The Reference element points to a parent element outside the Signature element (diagram: signed XML content containing the Signature).

12 XML-Signature - Enveloped (diagram: the Signature element sits inside the signed text).

13 XML-Signature - Enveloped (example): signed content "Some simple text"; DigestValue f+pDsT3LzyKV9Sg6rdK5bBrQlbo=; SignatureValue QNoLqAc0KYDmomJA3LvXhCf6vpuN/wh9R4y42QylvJCko9gRDhpHAA==...

14 XML-Signature - Detached. The Reference element points to an XML element or binary file outside the Signature element's hierarchy: neither a child nor a parent. It can point to an element within the same document or to a resource completely outside the current XML document.

15 XML-Signature - Detached (diagram: the Signature and the signed XML content are siblings or separate resources).

16 QUESTION 2 Which signature type is used in WS-Security?

17 QUESTION 3 Provide a practical example of an enveloped signature. Why is it needed there?

18 XML-Signature

19 XML-Signature -

20 XML-Signature -

21 Because XML syntax permits a number of options (e.g., which form of empty elements to use, whether to use single or double quotes for attribute values, the order of attributes in a start tag, places where white space is considered insignificant, etc.), it is quite easy to create documents that are physically different and yet logically equivalent.

22 The purpose of Canonical XML is to define an algorithm by which a particular physical representation of an XML document can be reliably and repeatedly reduced to its canonical (simplest) form. When the same algorithm is applied to physically different representations to produce their canonical forms, documents can be compared at this logical level.

23 Canonical XML (or Inclusive XML Canonicalization) (XMLC14N); Exclusive XML Canonicalization (EXCC14N).

24 Canonical XML (inclusive) is used where the context of the XML does not change, while Exclusive XML Canonicalization was designed for cases where the context might change, for example a signed fragment that is later placed inside a different enclosing document with different in-scope namespace declarations.
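Slides 21 to 24 argue that a signature must be computed over the canonical form, not the raw bytes. The following added example (not from the presentation) shows why with the Python standard library alone: two constructed documents that differ only in attribute order, quote style, start-tag whitespace and empty-element form hash to different values as raw text, but to the same value after canonicalization. Note that xml.etree.ElementTree.canonicalize implements inclusive Canonical XML 2.0, not the C14N 1.0 or Exclusive C14N algorithms XMLDSig 1.0 normally uses; the comparison it illustrates is the same.

```python
import base64
import hashlib
from xml.etree import ElementTree as ET

# Two constructed documents that differ only in XML syntax choices:
# attribute order, quote style, whitespace inside the start tag and
# the form of the empty element. They are logically equivalent.
DOC_A = '<root b="2" a="1"><empty/><item>text</item></root>'
DOC_B = "<root   a='1'  b='2' ><empty></empty><item>text</item></root>"


def canonical(xml_text: str) -> str:
    """Inclusive canonical form (Canonical XML 2.0, as implemented by the stdlib)."""
    return ET.canonicalize(xml_text)


def digest_value(data: bytes) -> str:
    """Base-64 encoded SHA-1 digest, the form that ends up in a DigestValue element."""
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def compare(doc_a: str, doc_b: str) -> dict:
    """Digest both documents raw and canonicalized and report what matches."""
    raw_a = digest_value(doc_a.encode("utf-8"))
    raw_b = digest_value(doc_b.encode("utf-8"))
    can_a = canonical(doc_a)
    can_b = canonical(doc_b)
    return {
        "raw_digests_match": raw_a == raw_b,            # False: bytes differ
        "canonical_forms_match": can_a == can_b,        # True: same logical document
        "canonical_digests_match": digest_value(can_a.encode("utf-8"))
        == digest_value(can_b.encode("utf-8")),
        "canonical": can_a,
    }


if __name__ == "__main__":
    for key, value in compare(DOC_A, DOC_B).items():
        print(f"{key}: {value}")
```

Attributes come out sorted, single quotes become double quotes, the stray whitespace in the start tag disappears and `<empty/>` is written as `<empty></empty>`, so the receiver can re-derive exactly the bytes the signer digested even if an intermediary re-serialized the document.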

25 XML-Signature (example): signed content "Some simple text"; DigestValue f+pDsT3LzyKV9Sg6rdK5bBrQlbo=; SignatureValue QNoLqAc0KYDmomJA3LvXhCf6vpuN/wh9R4y42QylvJCko9gRDhpHAA==...

26 QUESTION 4 How about JSON? Can there be multiple physical representations of the same logical JSON document?

27 QUESTION 5 What are the differences between Inclusive Canonicalization and Exclusive Canonicalization?

28 XML-Signature - SignatureMethod

29 The SignatureMethod is the algorithm that is used to convert the canonicalized SignedInfo into the SignatureValue.

30 Signature algorithms: http://www.w3.org/2000/09/xmldsig#dsa-sha1; http://www.w3.org/2000/09/xmldsig#rsa-sha1; http://www.w3.org/2000/09/xmldsig#hmac-sha1

31 QUESTION 6 What are the differences between RSA and DSA?

32 QUESTION 7 Would HMAC-SHA1 provide both the integrity of a message and non-repudiation?

33 XML-Signature (example): signed content "Some simple text"; DigestValue f+pDsT3LzyKV9Sg6rdK5bBrQlbo=; SignatureValue QNoLqAc0KYDmomJA3LvXhCf6vpuN/wh9R4y42QylvJCko9gRDhpHAA==...

34 XML-Signature - Reference URI

35 The Reference URI points to the element being signed. A URI pointing to an element inside the same XML document starts with “#”.

36 XML-Signature (Example-1, enveloping): signed content "A text in a box"; DigestValue ipbs0UyafkdRIcfIo9zyZLce+CE=; SignatureValue BSChZzMdH1kHVbKL+EyNorZXcEZ9ekL+cf/VW8ejhItfZoXOZQVNnw==...

37 XML-Signature (Example-2, enveloped): signed content "Some simple text"; DigestValue f+pDsT3LzyKV9Sg6rdK5bBrQlbo=; SignatureValue QNoLqAc0KYDmomJA3LvXhCf6vpuN/wh9R4y42QylvJCko9gRDhpHAA==...

38 QUESTION 8 How do we reference an XML element in an external XML document?

39 XML-Signature - Transforms

40 Transforms receive the result of dereferencing the Reference URI and alter it in some way. A simple Transform can be an XPath statement that causes the signature to apply only to part of an XML document. Multiple Transform elements can appear under one Transforms element, working in a pipeline: the output of one Transform is the input of the next.

41 QUESTION 9 What is the difference between CanonicalizationMethod and the Transforms?

42 The XML Signature spec defines five Transforms: 1. Canonicalization; 2. Base-64; 3. XPath Filtering; 4. Enveloped Signature Transform; 5. XSLT Transform.

43 Canonicalization: normalizes the XML so that, regardless of physical differences, two logically equivalent XML documents become bit-for-bit identical.

44 Base-64: maps binary data into text. http://www.w3.org/2000/09/xmldsig#base64

45 XPath Filtering: commonly used when we want to sign just a fragment of an XML document. http://www.w3.org/TR/1999/REC-xpath-19991116

46 Enveloped Signature Transform: commonly used in enveloped signatures, where the parent element is signed. The Signature element must be removed from the element being signed before the digest is computed, both at signing time and again at validation, since the signature cannot cover its own value. http://www.w3.org/2000/09/xmldsig#enveloped-signature

47 QUESTION 10 Provide an example of the Enveloped Signature Transform and explain why it is needed.

48 XSLT Transform: a good practice is to sign what the signer actually sees. Used to sign XML documents when an XSL stylesheet is involved. http://www.w3.org/TR/1999/REC-xslt-19991116

49 XML-Signature - DigestMethod

50 DigestMethod: the algorithm used to calculate the digest of the element or resource pointed to by the Reference URI.

51 QUESTION 11 Explain two digest methods with similarities and differences.

52 DigestValue: contains the Base-64 encoded value of the digest, e.g. f+pDsT3LzyKV9Sg6rdK5bBrQlbo=

53 QUESTION 12 Why do we have to Base-64 encode the digest value?

54 XML-Signature - SignatureValue

55 SignatureValue: the Base-64 encoded result of signing (encrypting with the private key) the digest of the canonicalized SignedInfo element.

56 QUESTION 13 Where do we specify the digest method used to create the digest of the SignedInfo?

57 XML-Signature - KeyInfo

58 KeyInfo is an optional element in the XML Signature; if there is no KeyInfo, it is expected that the recipient already knows what the validation key is.

59 KeyName: a unique name that identifies the associated key.

61 KeyValue: the actual key itself, embedded in the XML.

63 RetrievalMethod: used to reference a key that is stored in a separate location. If multiple signatures use the same key, we can keep the KeyInfo structure in a standalone element with a unique ID and refer to it from the RetrievalMethod of each signature. Either or both of ds:KeyName and RetrievalMethod can be used to identify the same key. (Example KeyName from the slide: Sally Doe)

65 X509Data: provides either an identifier with which to look up an X.509 certificate, or the X.509 certificate itself. A certificate chain can also be contained in X509Data.

67 PGPData: can point to the PGP key or can contain the key itself.

69 SPKIData: similar to PGPData; points to the key or contains the key itself.

71 XML-Signature - Object

72 Object: can contain anything you want. Typically it includes one of the following three: 1. an XML fragment or a Base-64 encoded binary object (enveloping signature); 2. a Manifest element; 3. a SignatureProperties element.

74 Manifest: contains a list of References. Reference elements directly inside SignedInfo must be validated in order to accept the signature as valid; whether or not to validate the Reference elements inside a Manifest is up to the developer. Developers thus get more granular control over which references matter and which do not.

75 <Reference URI="101" Type="http://www.w3.org/2000/09/xmldsig#Manifest"> ……

76 SignatureProperties: provides a place to put name/value information about the signature itself.

77 <Reference URI="101" Type="http://www.w3.org/2000/09/xmldsig#SignatureProperties"> ……

78 XML-Signature Building Process: Reference Generation, then Signature Generation.

79 XML-Signature Ref. Generation: 1. Obtain the resource specified by the Reference URI. 2. Apply the Transforms. 3. Calculate the digest of the final Transform output using the DigestMethod. 4. Create the Reference element, including all its sub-elements, by populating the DigestValue. 5. Repeat the above for every Reference element found inside SignedInfo.

80 XML-Signature Sig. Generation: 1. Create the SignedInfo element. 2. Canonicalize the SignedInfo element using the algorithm specified under CanonicalizationMethod. 3. Create a hash of the canonicalization output using the digest algorithm implied by the SignatureMethod. 4. Create the SignatureValue with the specified SignatureMethod over the canonicalized, hashed SignedInfo. 5. Build the complete Signature element.

81 XML-Signature Validation Process: Reference Validation, then Signature Validation.

82 XML-Signature Ref. Validation: 1. Canonicalize the SignedInfo element based on the CanonicalizationMethod element. 2. For each Reference element do the following: 3. get the resource pointed to by the Reference URI; 4. apply the Transforms; 5. create a hash using the DigestMethod; 6. find the DigestValue in the Reference and compare it with the digest just computed.

83 XML-Signature Sig. Validation: 1. Obtain the key used to sign the message. 2. Create a hash of the canonicalized SignedInfo. 3. Using the verification key, decrypt the SignatureValue. 4. Compare the value from step 3 with the value from step 2.
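The Enveloped Signature Transform from slide 46 and the generation and validation steps of slides 79 to 83, worked end to end. This is an added example, not code from the presentation or from any XMLDSig library: it uses only the Python standard library, so it builds the ds:Signature structure by hand, takes hmac-sha1 as the SignatureMethod (a shared key gives integrity but no non-repudiation, which is the point of question 7) and inclusive Canonical XML 2.0 for canonicalization (the variant xml.etree implements; its identifier ALG_C14N differs from the C14N 1.0 URI XMLDSig 1.0 uses). The algorithms are fixed in code rather than read back from the document, a simplification a real validator should keep in mind, since trusting the document's own algorithm choice is a classic weakness. The signed document and the key are constructed for the demo.

```python
import base64
import copy
import hashlib
import hmac
from xml.etree import ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("ds", DS)

# XMLDSig identifiers for the digest, MAC and transform; the canonicalization
# identifier is Canonical XML 2.0, the variant the Python stdlib implements.
ALG_C14N = "http://www.w3.org/2010/xml-c14n2"
ALG_HMAC_SHA1 = DS + "hmac-sha1"
ALG_SHA1 = DS + "sha1"
ALG_ENVELOPED = DS + "enveloped-signature"


def ds_tag(name: str) -> str:
    return f"{{{DS}}}{name}"


def c14n(elem: ET.Element) -> bytes:
    """Canonicalize an element subtree (inclusive C14N 2.0 from the stdlib)."""
    return ET.canonicalize(ET.tostring(elem, encoding="unicode")).encode("utf-8")


def enveloped_transform(signed_root: ET.Element) -> ET.Element:
    """Enveloped Signature Transform: a copy of the signed element with its
    ds:Signature child removed, so the digest never covers the signature itself."""
    stripped = copy.deepcopy(signed_root)
    for sig in stripped.findall(ds_tag("Signature")):
        stripped.remove(sig)
    return stripped


def digest_value(data: bytes) -> str:
    """DigestValue: Base-64 encoded SHA-1 digest."""
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def sign_enveloped(root: ET.Element, key: bytes) -> ET.Element:
    """Reference generation (slide 79) followed by signature generation (slide 80)."""
    sig = ET.SubElement(root, ds_tag("Signature"))
    si = ET.SubElement(sig, ds_tag("SignedInfo"))
    ET.SubElement(si, ds_tag("CanonicalizationMethod"), Algorithm=ALG_C14N)
    ET.SubElement(si, ds_tag("SignatureMethod"), Algorithm=ALG_HMAC_SHA1)
    ref = ET.SubElement(si, ds_tag("Reference"), URI="")  # "" = the enclosing document
    transforms = ET.SubElement(ref, ds_tag("Transforms"))
    ET.SubElement(transforms, ds_tag("Transform"), Algorithm=ALG_ENVELOPED)
    ET.SubElement(ref, ds_tag("DigestMethod"), Algorithm=ALG_SHA1)
    # Reference generation: dereference the URI, apply the transform, digest.
    ET.SubElement(ref, ds_tag("DigestValue")).text = digest_value(c14n(enveloped_transform(root)))
    # Signature generation: canonicalize SignedInfo, then apply the SignatureMethod.
    mac = hmac.new(key, c14n(si), hashlib.sha1).digest()
    ET.SubElement(sig, ds_tag("SignatureValue")).text = base64.b64encode(mac).decode("ascii")
    return root


def validate_enveloped(root: ET.Element, key: bytes) -> dict:
    """Reference validation (slide 82) followed by signature validation (slide 83)."""
    sig = root.find(ds_tag("Signature"))
    si = sig.find(ds_tag("SignedInfo"))
    ref = si.find(ds_tag("Reference"))
    # Reference validation: re-apply the transform, re-digest, compare with DigestValue.
    claimed = (ref.findtext(ds_tag("DigestValue")) or "").encode("ascii")
    recomputed = digest_value(c14n(enveloped_transform(root))).encode("ascii")
    reference_ok = hmac.compare_digest(claimed, recomputed)
    # Signature validation: recompute the MAC over the canonicalized SignedInfo.
    claimed_mac = base64.b64decode(sig.findtext(ds_tag("SignatureValue")) or "")
    expected_mac = hmac.new(key, c14n(si), hashlib.sha1).digest()
    signature_ok = hmac.compare_digest(claimed_mac, expected_mac)
    return {"reference": reference_ok, "signature": signature_ok,
            "valid": reference_ok and signature_ok}


KEY = b"constructed-demo-hmac-key"  # constructed sample key shared by signer and verifier


def demo() -> tuple:
    """Sign a constructed document, then show what each validation stage catches."""
    doc = ET.fromstring("<Doc><Text>Some simple text</Text></Doc>")  # constructed sample
    sign_enveloped(doc, KEY)
    untouched = validate_enveloped(doc, KEY)
    # Content changed after signing: reference validation fails, SignedInfo is intact.
    edited = copy.deepcopy(doc)
    edited.find("Text").text = "Some altered text"
    content_changed = validate_enveloped(edited, KEY)
    # Content changed and DigestValue recomputed to match: reference validation
    # now passes, but SignedInfo changed, so signature validation fails.
    patched = copy.deepcopy(edited)
    patched.find(".//" + ds_tag("DigestValue")).text = digest_value(c14n(enveloped_transform(patched)))
    digest_patched = validate_enveloped(patched, KEY)
    return untouched, content_changed, digest_patched


if __name__ == "__main__":
    for label, result in zip(("untouched", "content changed", "digest patched"), demo()):
        print(f"{label}: {result}")
```

The two tampered variants in demo() show why both stages are needed: reference validation ties the content to the DigestValue, and signature validation ties the DigestValue (via SignedInfo) to the key, so a verifier that skips either one accepts modified content.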

84 lean. enterprise. middleware
