SJSU CS 265 - Overview of XML Digital Signatures


An Overview of XML Digital Signatures
Xuemei Wu

Introduction
• XML Digital Signatures are digital signatures designed for use in XML transactions.
• An XML Signature may be applied to the content of one or more resources.
• There are three different types of XML Signatures: (a) enveloped, (b) enveloping, (c) detached.

Introduction (cont.)
• An XML Signature can be used to sign only portions of an XML message.
• The use of XML Digital Signatures involves two parts: (a) XML Digital Signature creation, (b) XML Digital Signature verification.

Basic Structure

  <Signature ID?>
    <SignedInfo>
      <CanonicalizationMethod/>
      <SignatureMethod/>
      (<Reference URI?>
        (<Transforms>)?
        <DigestMethod>
        <DigestValue>
      </Reference>)+
    </SignedInfo>
    <SignatureValue>
    (<KeyInfo>)?
    (<Object ID?>)*
  </Signature>

• <Signature> is the root element.
• <SignedInfo> is the information that is actually signed.
• <CanonicalizationMethod> is the algorithm used to canonicalize the <SignedInfo>.
• <SignatureMethod> is the algorithm used to convert the <SignedInfo> into the <SignatureValue>.
• <Reference> includes the digest method and the resulting digest value.
• <Transforms> is an optional ordered list of processing steps.
• <DigestMethod> is the algorithm applied to the data to obtain the <DigestValue>.
• <KeyInfo> indicates the public key.
• <Object> includes data objects.

Basic Structure (cont.)
• Enveloped Format
    <document> <signature> … </signature> </document>
• Detached Format
    <signature> … </signature>
• Enveloping Format
    <signature> <document> … </document> </signature>

Basic Structure (Example)

  <?xml version="1.0" encoding="UTF-8"?>
  <DocumentRoot>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
      <SignedInfo Id="myXMLSignature">
        <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
        <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
        <Reference URI="http://www.xyz.com/updates/2005/Feb-10.xml">
          <Transforms></Transforms>
          <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
          <DigestValue>1pllwx3rvEPO0vKtNup4NbeVu8kd=</DigestValue>
        </Reference>
        <Reference URI="">
          <Transforms>
            <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          </Transforms>
          <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <DigestValue>V6v9a34rTYglRflKiuYxu3VgVKA=</DigestValue>
        </Reference>
        <Reference URI="">
          <Transforms></Transforms>
          <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <DigestValue>1lCKQWfJg9712sP9o9ekL6o7Mg8=</DigestValue>
        </Reference>
      </SignedInfo>
      <SignatureValue>RTYE1EF2wv7H6YaLC1XoM7qMnU55rMRSYouXKsnL1zDdR2R58WN6XiZPW4exvrq56OuVFHNdJWbtgcuXAkW5wg==</SignatureValue>
      <KeyInfo>
        <KeyValue>
          <RSAKeyValue>
            <Modulus>pLdP0GGla/imcV1JZve+J881NtZvHD0gcGmkAIdYlM33bHopEhKC7c+rIDSceLx0As+WKaVAcxIJVsfZCtpERP==</Modulus>
            <Exponent>BQCB</Exponent>
          </RSAKeyValue>
        </KeyValue>
      </KeyInfo>
      <Object> this test message to be signed is enveloped within the XML signature</Object>
    </Signature>
    <data>this test message to be signed is part of the document that envelops the XML signature</data>
  </DocumentRoot>

Basic Structure (Sign a portion of the resource)

  <?xml version="1.0" encoding="UTF-8"?>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
      <Reference URI="http://www.xyz.com/updates/foobar.html#core">
        <Transforms></Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <DigestValue>1C3KWAjgF9712sQ9o9ekL6o7oP8=</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>PEOR1EF2wv7H6YaLC1XoM7qMnU55rMRSYouXKsnL1zDdR2R58WN6XiZQW4exvrq56OuFGHNdJWbtgcuXAkCR5g==</SignatureValue>
    <KeyInfo>
      <KeyValue>
        <RSAKeyValue>
          <Modulus>opEQ0GGla/imcV1JZve+J881NtZvDH0gcGmkAIdYlM33bHopEhKC7c+rIFJceLx0As+WKaVAcxIJVsfZCtpPRY==</Modulus>
          <Exponent>POBA</Exponent>
        </RSAKeyValue>
      </KeyValue>
    </KeyInfo>
  </Signature>

XML Signatures Application
• XML Signature Creation
• XML Signature Verification

XML Signature Creation
• Identifying the resources to be signed
• Computing the digest of each resource
• Signing the document

XML Signature Creation (cont.)
• Adding key information
  - Public key information is put into the <KeyInfo> element.
  - This step is optional.
• Constructing the signature element
  - Put all the pieces together.

XML Signature Verification
• Verifying the digital signature of the <SignedInfo> element
  - Calculate the digest of the <SignedInfo> element.
  - Unsign the <SignatureValue> element with the public key.
  - Compare the two values above.
• Computing the digests of the references
  - Recalculate the digests of the references in the <SignedInfo> element.
  - Compare them with the digest values specified in <DigestValue>.

Summary
• XML Signature is powerful and flexible:
  (a) Three basic formats
  (b) Any combination of the three basic formats
  (c) Ability to sign multiple resources
  (d) Ability to sign a portion or portions of a resource
• XML Signature is straightforward to understand and implement.
• References
  W3C XML-Signature Syntax and Processing
  http://www.w3.org/TR/xmldsig-core
  http://www.w3.org/TR/2002/REC-xmldsig-core-20020212

Thank You.
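
The two verification steps on the "XML Signature Verification" slide, as an added example that is not part of the original slides: an enveloped signature is created, then checked first over the canonicalized <SignedInfo> and then over the reference digest. Assumptions: HMAC-SHA256 with a shared key stands in for the slides' rsa-sha1, SHA-256 for sha1, and Python's built-in C14N 2.0 for the C14N 1.0 algorithm; the method elements are omitted and all function names are hypothetical.

```python
import base64, copy, hashlib, hmac
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"

def q(tag):
    return f"{{{DS}}}{tag}"

def c14n(elem):
    # Stand-in canonicalizer: stdlib C14N 2.0, not the C14N 1.0 URI on the slides.
    return ET.canonicalize(ET.tostring(elem, encoding="unicode")).encode()

def b64(raw):
    return base64.b64encode(raw).decode()

def enveloped_digest(root):
    # Enveloped-signature transform: hash the document with <Signature> removed.
    doc = copy.deepcopy(root)
    for sig in doc.findall(q("Signature")):
        doc.remove(sig)
    return b64(hashlib.sha256(c14n(doc)).digest())

def sign(root, key):
    sig = ET.SubElement(root, q("Signature"))
    info = ET.SubElement(sig, q("SignedInfo"))
    ref = ET.SubElement(info, q("Reference"), URI="")
    ET.SubElement(ref, q("DigestValue")).text = enveloped_digest(root)
    # Assumption: HMAC-SHA256 with a shared key replaces the slides' rsa-sha1.
    mac = hmac.new(key, c14n(info), hashlib.sha256).digest()
    ET.SubElement(sig, q("SignatureValue")).text = b64(mac)
    return root

def verify(root, key):
    sig = root.find(q("Signature"))
    if sig is None:
        return "no-signature"
    info = sig.find(q("SignedInfo"))
    # Step 1: check the signature over the canonicalized <SignedInfo>.
    mac = hmac.new(key, c14n(info), hashlib.sha256).digest()
    if not hmac.compare_digest(b64(mac), sig.findtext(q("SignatureValue"), "")):
        return "bad-signature"
    # Step 2: recompute the reference digest and compare with <DigestValue>.
    if info.findtext(f"{q('Reference')}/{q('DigestValue')}") != enveloped_digest(root):
        return "bad-digest"
    return "valid"

if __name__ == "__main__":  # constructed sample document and key
    doc = sign(ET.fromstring("<Doc><data>pay 10</data></Doc>"), b"demo-key")
    print(verify(doc, b"demo-key"))
```

Changing the signed data alone fails step 2, and rewriting <DigestValue> to match the changed data fails step 1, which is why both checks are required.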

