1 / 29

XML-DSIG’99

Richard D. Brown GlobeSet, Inc. Austin TX - U.S. Proposal for XML Digital Signature. XML-DSIG’99. Motivations Objectives Specification Process Driving Requirements Syntax Proposal Conclusion. Summary. XML enables production and exchange of structured data, but this is not sufficient.

etoile
Download Presentation

XML-DSIG’99

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Richard D. Brown GlobeSet, Inc. Austin TX - U.S. Proposal for XML Digital Signature XML-DSIG’99

  2. Motivations Objectives Specification Process Driving Requirements Syntax Proposal Conclusion Summary

  3. XML enables production and exchange of structured data, but this is not sufficient. The usefulness of such structured data depends upon our ability to assess its origin and authenticity. Existing binary syntaxes are not satisfactory for building authentication in XML applications. These syntaxes tend to externalize signature from the application logic. The lack of XML cryptography standard is a real show stopper for our industry. Slow down development and adoption of XML applications. Rapid proliferation of proprietary and limited solutions. Motivations

  4. Define syntax and procedures for the computation, verification, and encoding of digital signatures using XML Signing XML document and element Using XML for signing WEB resources Objectives

  5. Specification Process

  6. Specification Process

  7. Specification Process

  8. Ease signature support in XML applications and propose an XML alternative to binary syntaxes Support for digital signatures and authentication codes Support for certificate-based and account-based authentication schemes Authentication of internal and external resources Authentication of part or totality of a document Support for composite documents Support for extended signature functionality such as co-signature, endorsement, etc... Requirements

  9. <Signature> <Manifest> (authenticated attributes) </Manifest> <Value> (encoded signature value) </Value> </Signature> Syntax Basics <Certificates> (certificate information blocks) </Certificates>

  10. Signature Manifest <Manifest> (resources information block) (other authenticated attributes) (originator information block) (recipient information block) (key-agreement algorithm information block) (signature algorithm information block) </Manifest>

  11. <Resources> <Resource> <Locator href=‘resource locator’/> <ContentInfo type=‘type qualifier’/> <Digest> (encoded digest value) </Digest> </Resource> … </Resources> Resources

  12. <Attributes> <Attribute type=‘resource locator’ critical=‘boolean/> (ANY attribute value) </Attribute> … </Attributes> Attributes

  13. <OriginatorInfo> (ANY identification information blocks) (ANY keying material information block) </OriginatorInfo> <RecipientInfo> (ANY identification information blocks) (ANY keying material information block) </RecipientInfo> Originator and Recipient

  14. <KeyAgreementAlgorithm> (algorithm information block) </KeyAgreementAlgorithm> <SignatureAlgorithm> (algorithm information block) </SignatureAlgorithm> Signature and Key-agreement

  15. Enabling signature in XML applications Encapsulating arbitrary content Implementing endorsement Supporting composite documents Enabling one-pass processing Signature Principles

  16. <AppDoc xmlns:dsig=‘signature DTD URI’> <AppElement id=‘authenticated’> … </AppElement> <dsig:Signature> ... <dsig:Resource> <dsig:Locator href=‘#authenticated’/> … </dsig:Signature> </AppDoc> Signature in XML Applications

  17. <dsig:Package id=‘authenticated’> <dsig:ContentInfo type=‘type qualifier’/> <dsig:Value encoding=‘scheme’> (encoded value) </dsig:Value> </dsig:Package> Encapsulating Arbitrary Content

  18. <dsig:Signature id=‘signature’> ... </dsig:Signature> <dsig:Signatue id=‘counter-signature’> ... <dsig:Resource> <dsig:Locator href=‘#signature’/> … </dsig:Signature> Implementing Endorsement

  19. <dsig:Resources id=‘shared-resources’> ... </dsig:Resources> <dsig:Signature> ... <dsig:Resource> <dsig:Locator href=‘#shared-resources’/> ... </dsig:Signature> <dsig:Signature> ... <dsig:Resource> <dsig:Locator href=‘#shared-resources’/> ... </dsig:Signature> Supporting Composite Documents

  20. <dsig:DigestAlgorithms> <dsig:Algorithm id=‘SHA1’ type=‘urn:nist-gov:sha1’/> <dsig:Algorithm id=‘MD5’ type=‘urn:rsasdi-com:md5’/> </dsig:DigestAlgorithms> <AppElement id=‘authenticated’ dsig:eval=‘SHA1 MD5’> … </AppElement> <dsig:Signature> ... <dsig:Resource> <dsig:Locator href=‘#authenticated’/> <dsig:Digest> <dsig:Algorithm type=‘urn:nist-gov:sha1’/> ... </dsig:Signature> Enabling One-Pass Processing

  21. Element Definition Supported Algorithms Algorithms

  22. Algorithm Element <!ELEMENT Algorithm (Parameter*)> <!ATTLIST Algorithm id ID #IMPLIED type CDATA #REQUIRED > <!ELEMENT Parameter ANY> <!ATTLIST Parameter type CDATA #REQUIRED >

  23. Algorithm Element <dsig:Algorithm id=‘DSA-XHASH-SHA1’ type=‘urn:nist-gov:dsa’> <dsig:Parameter type=‘digest-algorithm’> <dsig:Algorithm type=‘urn:globeset-com:xhash’> <dsig:Parameter type=‘digest-algorithm’> <dsig:Algorithm type=‘urn:nist-gov:SHA1’/> </dsig:Parameter> </dsig:Parameter> </dsig:Algorithm> <dsig:Algorithm id=‘DSA-XHASH-SHA1’ type=‘urn:xmldsig:dsa-xhash-sha1’/>

  24. Supported Algorithms • Digest Algorithms • Key-agreement Algorithms • Key-exchange Algorithms • Signature Algorithms

  25. Digest Algorithms • Surface String Digest Algorithms • NIST SHA1 • Canonical Digest Algorithms • IBM DOM-HASH • GlobeSet XHASH

  26. Key-agreement Algorithms • RSA Laboratories PKCS12 PBE

  27. Key-exchange Algorithms • Static Diffie Hellman

  28. Signature Algorithms • Authentication Codes • IETF HMAC • Public-key Signature Algorithms • NIST DSA • RSA Labs RSA Encryption T1 • ? ECDSA

  29. Conclusion • Current Proposal • A good start • Enter phase 3 • Next • First Implementations • Standard Body • Formalization

More Related