An Overview of XML Digital Signatures
Xuemei Wu

Introduction
• XML Digital Signatures are digital signatures designed for use in XML transactions.
• An XML Signature may be applied to the content of one or more resources.
• Three different types of XML Signatures:
  (a) enveloped
  (b) enveloping
  (c) detached signatures

Introduction (cont.)
• XML Signature can be used to sign only portions of an XML message.
• The use of XML Digital Signatures involves two parts:
  (a) XML Digital Signatures creation
  (b) XML Digital Signatures verification

Basic Structure

    <Signature ID?>
      <SignedInfo>
        <CanonicalizationMethod/>
        <SignatureMethod/>
        (<Reference URI?>
          (<Transforms>)?
          <DigestMethod>
          <DigestValue>
        </Reference>)+
      </SignedInfo>
      <SignatureValue>
      (<KeyInfo>)?
      (<Object ID?>)*
    </Signature>

• <Signature> is the root element.
• <SignedInfo> is the information that is signed.
• <CanonicalizationMethod> is the algorithm used to canonicalize the <SignedInfo>.
• <SignatureMethod> is the algorithm used to convert the <SignedInfo> into the <SignatureValue>.
• <Reference> includes the digest method and the resulting digest value.
• <Transforms> is an optional ordered list of processing steps.
• <DigestMethod> is the algorithm applied to the data to obtain the <DigestValue>.
• <KeyInfo> indicates the public key.
• <Object> includes data objects.

Basic Structure (cont.)

Enveloped Format
    <document>
      <signature> … </signature>
    </document>

Detached Format
    <signature> … </signature>

Enveloping Format
    <signature>
      <document> … </document>
    </signature>

Basic Structure (Example)

    <?xml version="1.0" encoding="UTF-8"?>
    <DocumentRoot>
      <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo Id="myXMLSignature">
          <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
          <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <Reference URI="http://www.xyz.com/updates/2005/Feb-10.xml">
            <Transforms> </Transforms>
            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <DigestValue>1pllwx3rvEPO0vKtNup4NbeVu8kd=</DigestValue>
          </Reference>
          <Reference URI="">
            <Transforms>
              <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            </Transforms>
            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <DigestValue>V6v9a34rTYglRflKiuYxu3VgVKA=</DigestValue>
          </Reference>
          <Reference URI="">
            <Transforms> </Transforms>
            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <DigestValue>1lCKQWfJg9712sP9o9ekL6o7Mg8=</DigestValue>
          </Reference>
        </SignedInfo>
        <SignatureValue>RTYE1EF2wv7H6YaLC1XoM7qMnU55rMRSYouXKsnL1zDdR2R58WN6XiZPW4exvrq56OuVFHNdJWbtgcuXAkW5wg==</SignatureValue>
        <KeyInfo>
          <KeyValue>
            <RSAKeyValue>
              <Modulus>pLdP0GGla/imcV1JZve+J881NtZvHD0gcGmkAIdYlM33bHopEhKC7c+rIDSceLx0As+WKaVAcxIJVsfZCtpERP==</Modulus>
              <Exponent>BQCB</Exponent>
            </RSAKeyValue>
          </KeyValue>
        </KeyInfo>
        <Object>this test message to be signed is enveloped within the XML signature</Object>
      </Signature>
      <data>this test message to be signed is part of the document that envelops the XML signature</data>
    </DocumentRoot>

Basic Structure (Sign a portion of the resource)

    <?xml version="1.0" encoding="UTF-8"?>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
      <SignedInfo>
        <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
        <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <Reference URI="http://www.xyz.com/updates/foobar.html#core">
          <Transforms> </Transforms>
          <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <DigestValue>1C3KWAjgF9712sQ9o9ekL6o7oP8=</DigestValue>
        </Reference>
      </SignedInfo>
      <SignatureValue>PEOR1EF2wv7H6YaLC1XoM7qMnU55rMRSYouXKsnL1zDdR2R58WN6XiZQW4exvrq56OuFGHNdJWbtgcuXAkCR5g==</SignatureValue>
      <KeyInfo>
        <KeyValue>
          <RSAKeyValue>
            <Modulus>opEQ0GGla/imcV1JZve+J881NtZvDH0gcGmkAIdYlM33bHopEhKC7c+rIFJceLx0As+WKaVAcxIJVsfZCtpPRY==</Modulus>
            <Exponent>POBA</Exponent>
          </RSAKeyValue>
        </KeyValue>
      </KeyInfo>
    </Signature>

XML Signatures Application
• XML Signatures Creation
• XML Signatures Verification

XML Signature Creation
• Identifying the resources to be signed
• Computing the digest of each resource
• Signing the document

XML Signature Creation (cont.)
• Adding key information
  - Public key information is put into the <KeyInfo> element.
  - This step is optional.
• Constructing the signature element
  - Put all the pieces together.

XML Signature Verification
• Verifying the digital signature of the <SignedInfo> element
  - Calculate the digest of the <SignedInfo> element.
  - Unsign the <SignatureValue> element with the public key.
  - Compare the two values above.
• Computing the digests of the references
  - Recalculate the digests of the references in the <SignedInfo> element.
  - Compare them with the digest values specified in <DigestValue>.
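
The creation and verification steps from the slides above, as an added Python example that is not part of the original presentation. It assumes SHA-256 and the standard library's C14N 2.0 canonicalizer in place of the SHA-1 and C14N 1.0 algorithms used in the slides' samples, a constructed toy RSA key, and resources resolved from an in-memory dict; the verifier uses its own copy of the public key rather than one read from <KeyInfo>.

```python
import base64, hashlib
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
C14N2 = "http://www.w3.org/2010/xml-c14n2"             # what ET.canonicalize() implements
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
# Constructed toy RSA key built from two Mersenne primes; never use such a key for real.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8                          # modulus length in bytes
SAMPLE = {"urn:example:report": b"<data>quarterly figures</data>"}  # constructed resource

def q(name): return f"{{{DS}}}{name}"
def digest(data): return base64.b64encode(hashlib.sha256(data).digest()).decode()
def c14n(elem): return ET.canonicalize(ET.tostring(elem, encoding="unicode")).encode()

def encode(msg):  # EMSA-PKCS1-v1_5 encoding of SHA-256(msg), returned as an integer
    t = bytes.fromhex("3031300d060960864801650304020105000420") + hashlib.sha256(msg).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t, "big")

def create(resources):
    """Creation: digest each resource, build <SignedInfo>, sign its canonical form."""
    sig = ET.Element(q("Signature"))
    si = ET.SubElement(sig, q("SignedInfo"))
    ET.SubElement(si, q("CanonicalizationMethod"), Algorithm=C14N2)
    ET.SubElement(si, q("SignatureMethod"), Algorithm=RSA_SHA256)
    for uri, data in resources.items():
        ref = ET.SubElement(si, q("Reference"), URI=uri)
        ET.SubElement(ref, q("DigestMethod"), Algorithm=SHA256)
        ET.SubElement(ref, q("DigestValue")).text = digest(data)
    value = pow(encode(c14n(si)), D, N).to_bytes(K, "big")
    ET.SubElement(sig, q("SignatureValue")).text = base64.b64encode(value).decode()
    return ET.tostring(sig, encoding="unicode")

def verify(sig_xml, resources):
    """Verification with the pinned key (N, E): signature over <SignedInfo>, then digests."""
    sig = ET.fromstring(sig_xml)
    si = sig.find(q("SignedInfo"))
    ok = si.find(q("SignatureMethod")).get("Algorithm") == RSA_SHA256  # expected algorithm only
    value = int.from_bytes(base64.b64decode(sig.findtext(q("SignatureValue"))), "big")
    if not ok or pow(value, E, N) != encode(c14n(si)):
        return False
    refs = si.findall(q("Reference"))
    for ref in refs:
        data = resources.get(ref.get("URI"))
        if (data is None or ref.find(q("DigestMethod")).get("Algorithm") != SHA256
                or digest(data) != ref.findtext(q("DigestValue"))):
            return False
    return bool(refs)                                  # a signature covering nothing proves nothing
```

Changing a resource fails the digest comparison, and rewriting the <DigestValue> to match the changed resource fails the signature check over <SignedInfo>, which is why both steps are required.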

Summary
• XML Signature is powerful and flexible
  (a) Three basic formats
  (b) Any combination of the three basic formats
  (c) Ability to sign multiple resources
  (d) Ability to sign a portion or portions of a resource
• XML Signature is straightforward to understand and implement

References
• W3C XML-Signature Syntax and Processing
  http://www.w3.org/TR/xmldsig-core
  http://www.w3.org/TR/2002/REC-xmldsig-core-20020212