
XML Signature

XML Signature. Prabath Siriwardena, Director, Security Architecture. XML Security: integrity and non-repudiation via XML Signature by W3C (http://www.w3.org/TR/xmldsig-core/); confidentiality of XML documents via XML Encryption by W3C (http://www.w3.org/TR/xmlenc-core/).


Presentation Transcript


  1. XML Signature - Prabath Siriwardena, Director, Security Architecture

  2. XML Security
     • Integrity and non-repudiation: XML Signature by W3C, http://www.w3.org/TR/xmldsig-core/
     • Confidentiality of XML documents: XML Encryption by W3C, http://www.w3.org/TR/xmlenc-core/

  3. XML-Signature
     • A joint standard by IETF and W3C for digitally signing all of an XML document, part of an XML document or even an external object.
     • XML Signature applies to any resource addressable by a URI, including non-XML content.
     • First security standard to reach recommendation status.
     • WS-Security, XKMS and SAML all depend on XML Signature.

  4. XML-Signature
     • Multiple XML Signatures can exist over the static content of a web resource.

  5. XML-Signature
     <Signature xmlns="...../2000/09/xmldsig#">
       <SignedInfo />
       <SignatureValue />
       <KeyInfo />
       <Object />
     </Signature>

  6. QUESTION 1 What do we actually sign with an XML Signature?

  7. XML-Signature - Types
     • Enveloping Signature
     • Enveloped Signature
     • Detached Signature

  8. XML-Signature - Enveloping
     • Wraps the item that is being signed within the <Signature> element
     • The <Reference> element points to an element within the <Signature> element
     [Diagram: Signature]

  9. XML-Signature - Enveloping
     <Signature>
       <SignedInfo>
         <Reference URI="#101" />
       </SignedInfo>
       <SignatureValue>....</SignatureValue>
       <KeyInfo>....</KeyInfo>
       <Object>
         <SignedItem id="101">........</SignedItem>
       </Object>
     </Signature>

  10. XML-Signature - Enveloping
     <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
       <ds:SignedInfo>
         <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
         <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
         <ds:Reference URI="#TheFirstObject">
           <ds:Transforms>
             <ds:Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"/>
           </ds:Transforms>
           <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
           <ds:DigestValue>ipbs0UyafkdRIcfIo9zyZLce+CE=</ds:DigestValue>
         </ds:Reference>
       </ds:SignedInfo>
       <ds:SignatureValue>BSChZzMdH1kHVbKL+EyNorZXcEZ9ekL+cf/VW8ejhItfZoXOZQVNnw==</ds:SignatureValue>
       <ds:KeyInfo> ... </ds:KeyInfo>
       <ds:Object Id="TheFirstObject">
         <InsideObject>A text in a box</InsideObject>
       </ds:Object>
     </ds:Signature>

  11. XML-Signature - Enveloped
     • The <Reference> element points to a parent element outside the <Signature> element
     [Diagram: Signature inside Signed XML Content]

  12. XML-Signature - Enveloped
     <SignedItem id="101">
       <SignedElement1>Text</SignedElement1>
       <Signature>
         <SignedInfo>
           <Reference URI="#101" />
         </SignedInfo>
         <SignatureValue>....</SignatureValue>
         <KeyInfo>....</KeyInfo>
       </Signature>
     </SignedItem>

  13. XML-Signature - Enveloped
     <apache:RootElement xmlns:apache="http://www.apache.org/ns/#app1" xmlns:foo="http://example.org/#foo">Some simple text
       <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
         <SignedInfo>
           <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
           <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
           <Reference URI="">
             <Transforms>
               <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
               <Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"/>
             </Transforms>
             <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
             <DigestValue>f+pDsT3LzyKV9Sg6rdK5bBrQlbo=</DigestValue>
           </Reference>
         </SignedInfo>
         <SignatureValue>QNoLqAc0KYDmomJA3LvXhCf6vpuN/wh9R4y42QylvJCko9gRDhpHAA==</SignatureValue>
         <KeyInfo>...</KeyInfo>
       </Signature>
     </apache:RootElement>

  14. XML-Signature - Detached
     • Points to an XML element or binary file outside the <Signature> element's hierarchy
     • The <Reference> element points to neither a child nor a parent
     • Can point to an element within the same document or to a resource completely outside the current XML document
     [Diagram: Signature]

  15. XML-Signature - Detached
     [Diagram: Signature alongside Signed XML Content]

  16. QUESTION 2 Which signature type is used in WS-Security?

  17. QUESTION 3 Provide a practical example of an enveloped signature. Why is it needed there?

  18. XML-Signature (the <Signature> structure outline repeated from slide 5)

  19. XML-Signature - <SignedInfo />
     <SignedInfo>
       <CanonicalizationMethod />
       <SignatureMethod />
       <Reference URI="...">
         <Transforms />
         <DigestMethod />
         <DigestValue />
       </Reference>
     </SignedInfo>

  20. XML-Signature - <SignedInfo /> (the <SignedInfo> structure outline repeated from slide 19)

  21. <CanonicalizationMethod /> Because XML syntax permits a number of options (e.g., which form of empty elements to use, whether to use single or double quotes for attribute values, the order of attributes in a start tag, places where white space is considered insignificant, etc.), it is quite easy to create documents that are physically different and yet logically equivalent.

  22. <CanonicalizationMethod /> The purpose of Canonical XML is to define an algorithm by which a particular physical representation of an XML document can be reliably and repeatedly reduced to its canonical (simplest) form. When the same algorithm is applied to physically different representations to produce their canonical forms, documents can be compared at this logical level.

  23. <CanonicalizationMethod />
     • Canonical XML (or Inclusive XML Canonicalization) (XMLC14N)
     • Exclusive XML Canonicalization (EXCC14N)

  24. <CanonicalizationMethod /> Canonical XML is used for XML whose context does not change, while Exclusive XML Canonicalization was designed for canonicalization where the context might change.

  25. XML-Signature (Example) (the enveloped signature example repeated from slide 13)

  26. QUESTION 4 How about JSON? Can there be multiple physical representations of the same logical JSON document?

  27. QUESTION 5 What are the differences between Inclusive Canonicalization and Exclusive Canonicalization?

  28. XML-Signature - <SignedInfo /> (the <SignedInfo> structure outline repeated from slide 19)

  29. <SignatureMethod /> The SignatureMethod is the algorithm that is used to convert the canonicalized SignedInfo into the SignatureValue.

  30. <SignatureMethod />
     • http://www.w3.org/2000/09/xmldsig#dsa-sha1
     • http://www.w3.org/2000/09/xmldsig#rsa-sha1
     • http://www.w3.org/2000/09/xmldsig#hmac-sha1

  31. QUESTION 6 What are the differences between RSA and DSA?

  32. QUESTION 7 Would HMAC-SHA1 provide both the integrity of a message and non-repudiation?

  33. XML-Signature (Example) (the enveloped signature example repeated from slide 13)

  34. XML-Signature - <SignedInfo /> (the <SignedInfo> structure outline repeated from slide 19)

  35. <Reference/> Points to the elements that are being signed. A reference to an element inside the same XML document starts with "#".

  36. XML-Signature (Example-1) (the enveloping signature example from slide 10, with <ds:Reference URI="#TheFirstObject">)

  37. XML-Signature (Example-2) (the enveloped signature example from slide 13, with <Reference URI="">)

  38. QUESTION 8 How do we reference an XML element in an external XML document?

  39. XML-Signature - <Reference/> (the <SignedInfo> structure outline repeated from slide 19)

  40. <Transforms/>
     • <Transforms/> receive the result of dereferencing the <Reference URI=""> and alter that result in some way.
     • A simple <Transform> can be an XPath statement that causes the signature to apply only to a part of an XML document.
     • Multiple transforms can appear under a <Reference>, working in a pipeline fashion.
     • <Transform Algorithm="" />

  41. QUESTION 9 What is the difference between the CanonicalizationMethod and the Transforms?

  42. <Transforms/> The XML Signature spec defines five Transforms:
     1. Canonicalization
     2. Base-64
     3. XPath Filtering
     4. Enveloped Signature Transform
     5. XSLT Transform

  43. <Transforms/> Canonicalization
     • Normalize the XML so that, regardless of physical inconsistencies, two logically equivalent XML documents become bit-for-bit equivalent.
     <Order>
       <Items>
         <item number="100"/>
         <item number="101"/>
       </Items>
     </Order>
     <Order>
       <Items>
         <item number="100"></item>
         <item number="101"></item>
       </Items>
     </Order>

  44. <Transforms/> Base-64
     • Maps binary data into text
     • http://www.w3.org/2000/09/xmldsig#base64

  45. <Transforms/> XPath Filtering
     • Commonly used when we want to sign just a fragment of an XML document.
     • http://www.w3.org/TR/1999/REC-xpath-19991116

  46. <Transforms/> Enveloped Signature Transform
     • Commonly used in Enveloped Signatures, where the parent element is to be signed.
     • The Signature element needs to be removed from the element being signed before the digest is computed for validation.
     • http://www.w3.org/2000/09/xmldsig#enveloped-signature

  47. QUESTION 10 Provide an example of the Enveloped Signature Transform and explain why it's needed.

  48. <Transforms/> XSLT Transform
     • A good practice is to sign what the signer actually sees.
     • Used to sign XML documents when an XSL stylesheet is involved.
     • http://www.w3.org/TR/1999/REC-xslt-19991116

  49. XML-Signature - <Reference/> (the <SignedInfo> structure outline repeated from slide 19)

  50. <DigestMethod/>
     • Algorithm used to calculate the digest of the element/resource pointed to by the <Reference URI="">
     • <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
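The Reference processing the deck walks through on slides 35, 43, 46 and 50 (dereference the URI, apply the enveloped-signature transform, canonicalize, digest with the DigestMethod algorithm, compare against DigestValue), as an added Python example that is not part of the presentation. It assumes the whole-document `URI=""` case only, uses the standard-library C14N 2.0 canonicalizer as a stand-in for the REC-xml-c14n-20010315 algorithm named on the slides, and `sign_reference` is a constructed signer that emits only the Reference (no SignatureValue or KeyInfo).

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
# DigestMethod identifiers: the deck's sha1 URI plus the xmlenc sha256 URI.
DIGEST_ALGS = {DS + "sha1": hashlib.sha1,
               "http://www.w3.org/2001/04/xmlenc#sha256": hashlib.sha256}


def c14n(elem) -> bytes:
    # Stand-in for REC-xml-c14n-20010315: the stdlib canonicalize() is C14N 2.0.
    return ET.canonicalize(ET.tostring(elem, encoding="unicode")).encode()


def enveloped_transform(root):
    """Enveloped-signature transform: remove every ds:Signature before digesting."""
    for parent in list(root.iter()):
        for sig in parent.findall(f"{{{DS}}}Signature"):
            parent.remove(sig)
    return root


def sign_reference(content_xml: str, alg: str = DS + "sha1") -> str:
    """Constructed signer side: append a Signature carrying only the Reference
    (Transforms, DigestMethod, DigestValue); SignatureValue/KeyInfo are omitted."""
    root = ET.fromstring(content_xml)
    digest = DIGEST_ALGS[alg](c14n(root)).digest()  # digest of the content alone
    sig = ET.SubElement(root, f"{{{DS}}}Signature")
    ref = ET.SubElement(ET.SubElement(sig, f"{{{DS}}}SignedInfo"),
                        f"{{{DS}}}Reference", URI="")
    ET.SubElement(ET.SubElement(ref, f"{{{DS}}}Transforms"), f"{{{DS}}}Transform",
                  Algorithm=DS + "enveloped-signature")
    ET.SubElement(ref, f"{{{DS}}}DigestMethod", Algorithm=alg)
    ET.SubElement(ref, f"{{{DS}}}DigestValue").text = base64.b64encode(digest).decode()
    return ET.tostring(root, encoding="unicode")


def reference_digest_ok(signed_xml: str) -> bool:
    """Verifier side for Reference URI="": dereference the whole document, apply the
    enveloped-signature transform (assumed to be the declared Transform), canonicalize,
    digest with DigestMethod and compare against DigestValue in constant time."""
    root = ET.fromstring(signed_xml)
    ref = root.find(f"{{{DS}}}Signature/{{{DS}}}SignedInfo/{{{DS}}}Reference")
    if ref is None or ref.get("URI") != "":
        raise ValueError('only the enveloped whole-document Reference (URI="") is handled')
    alg = ref.find(f"{{{DS}}}DigestMethod").get("Algorithm")
    if alg not in DIGEST_ALGS:  # unknown DigestMethod: reject rather than guess
        raise ValueError(f"unsupported DigestMethod {alg}")
    expected = base64.b64decode(ref.find(f"{{{DS}}}DigestValue").text)
    actual = DIGEST_ALGS[alg](c14n(enveloped_transform(root))).digest()
    return hmac.compare_digest(actual, expected)
```

Because both sides canonicalize, the slide-43 variants of the signed content (self-closing vs. explicit end tags, single vs. double attribute quotes) verify identically, while changing any attribute value makes the Reference digest fail.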
