Author: Joseph Reagle
Audience: WWW2002
Question: The status/design of XML Signatures and Encryption
References:
Cryptography Introduction
Hash (fingerprint, digest): evenly and randomly maps variable length data
into a smaller fixed size such that it's "one-way" (hard to find a data
object for a given hash result) and "collision-free" (hard to find two data
objects with the same hash result).
Secret Key Cryptography (symmetric): the key used for processing is kept
as a secret between the parties.
Public Key Cryptography (asymmetric): a private/public key pair (inverse
of each other) are used to sign (via the private key) and encrypt (via the
public key).
Signature: a private key is applied to some data (or its hash)
- authenticity (a specific key was used),
- integrity (the document has been changed),
- and non-repudiation (possessor of the key can not deny it was
used.)
Encryption: One often uses a public key (easy to obtain) to send a
symmetric key (efficient) for a "session" of communication.
XML Security Introduction*
- There is a requirement to ensure the integrity (via signature) and
confidentiality (via encryption) of parts of XML
documents.
- Operating on a "bucket of bits" is easy. Operating on parts of XML
documents requires the identification and processing of XML in both an
abstract (data model) and consistently serialized (octets) manner.
- These activities are not only applications using XML, they also must
address questions about XML, such as selecting subsets of a document, and
then canonicalizing them.
- This is different from access control, authentication and authorization
which have fewer issues with XML, but face tricky questions about
semantics.
XML Security Scenario*
- BookStore creates a form that will be filled in by a Alice and sent on
to EasyPay.
- BookStore signs all of the form except for shipping address and credit
card information, which is filled in by Alice.
- Alice fills in the form, encrypts the payment authorization element in
a key shared with EasyPay, and returns it to BookStore.
- BookStore processes the form and confirms the integrity of the order
(the book title and price) and passes the encrypted credit card info to
EasyPay.
This protocol is faulty, but it demonstrates the use of selective signing
and encryption.
dsig:Status*
- The specification must describe how to use XML syntax to represent a
signature over digital content (and XML content in particular).
- XML-signatures are generated from a hash over a list of references and
the digest value of the references' content.
- The meaning of a signature is simple: The XML-signature syntax
associates the content of resources listed with a key via a strong
one-way transformation.
- The "P3P Assurance Profile" Note explores the question of adding
semantics to signatures.
dsig:Syntax*
<Signature>
<SignedInfo>
<CanonicalizationMethod/>?
<SignatureMethod/>
<Reference (URI=)? >
<Transforms/>?
<DigestMethod/>
<DigestValue/>
</Reference>+
</SignedInfo>
<SignatureValue/>
<KeyInfo/>?
<Object/>*
</Signature>
dsig:Features*
dsig:KeyInfo
- KeyInfo permits extensible content; though we provide DSA, RSA, X509,
PGP, and SPKI structures (different algorithms and protocols often
require different types of keys).
- KeyInfo structures is being used by XML Encryption and other XML
security specifications.
dsig:Algorithms
[s04] <SignatureMethod
Algorithm="http://www.w3.org/2000/02/xmldsig#dsa"/>
- Algorithm identifiers are URIs: extensible, with a few (patent
unencumbered) required to implement:
| Type |
Algorithm |
Requirements |
Algorithm URI |
| Digest |
SHA1 |
REQUIRED |
http://www.w3.org/2000/09/xmldsig#sha1 |
| Encoding |
Base64 |
REQUIRED |
http://www.w3.org/2000/09/xmldsig#base64 |
| MAC |
HMAC-SHA1 |
REQUIRED |
http://www.w3.org/2000/09/xmldsig#hmac-sha1 |
| Signature |
DSAwithSHA1
(DSS) |
REQUIRED |
http://www.w3.org/2000/09/xmldsig#dsa |
| Canonicalization |
Canonical XML |
REQUIRED |
http://www.w3.org/TR/2000/WD-xml-c14n-20000907 |
| Others |
XPath |
RECOMMENDED |
http://www.w3.org/TR/1999/REC-xpath-19991116 |
xenc:Status*
- Describe how to use XML to represent a digitally encrypted Web
resources including XML, and portions thereof. Presently limited to
elements and content (not attribute values).
- Provide for the separation of
encryption information from encrypted data, and support reference
mechanisms for addressing encryption information from encrypted data
sections and vice versa.
- Provide for super-encryption (capable of encrypting XML with portions
already encrypted)
- Provide for the secure communication of a session key for subsequent
(efficient) communication.
xenc:Example*
In the encrypted version of an XML instance, the
<EncryptedData> element will appear in place of an encrypted
element or its content.
| Before: |
After Rodents are encrypted |
<Animals>
<Cat/>
<Rodents>
<Beaver/>
<Mouse/>
</Rodents>
<Dog/>
<Animals>
|
<Animals>
<Cat/>
<EncryptedData xmlns="">
<CipherData>M3MXCV...
</CipherData>
</EncryptedData>
<Dog/>
<Animals>
|
xenc:Syntax*
<EncryptedData Id="" Type="">
<EncryptionMethod/>?
<ds:KeyInfo>?
<enc:EncryptedKey/>?
...
</ds:KeyInfo>?
<CipherData URI="">iamscrambled</CipherData>
</EncryptedData>
xenc:Features*
- Element (and element content) encryption.
- Uses structures and features of XML Signature wherever possible.
- Can be used with XML Signature such that a recipient knows which
encrypted blocks were encrypted before and after signature
creation: she needs to leave those encrypted before signature generation
untouched for the signature to validate.
xenc:Algorithms
- Algorithm identifiers are URIs: extensible, with a few (patent
unencumbered) required to implement:
| Type |
Algorithm |
Requirements |
| Block Encryption |
AES/3DES |
REQUIRED |
| Key Transport |
AES-RSA-OEAP
3DES-RSA-v1.5 |
REQUIRED |
| MAC |
AES/3DES with SHA1 |
OPTIONAL |
| Signature |
XML Signature |
OPTIONAL |
| (Exclusive) Canonicalization |
Canonical XML |
OPTIONAL |
| Compression et al |
n/a |
|