Author: Joseph Reagle
Audience: WWW2002
Question: The status/design of XML Signatures and Encryption
References:
Cryptography Introduction
Hash (fingerprint, digest): evenly and randomly maps variable length data into a
smaller fixed size such that it's "one-way" (hard to find a data object for a
given hash result) and "collision-free" (hard to find two data objects with the
same hash result).
Secret Key Cryptography (symmetric): the key used for processing is kept as a
secret between the parties.
Public Key Cryptography (asymmetric): a private/public key pair (inverse of each
other) are used to sign (via the private key) and encrypt (via the public key).
Signature: a private key is applied to some data (or its hash)
-
authenticity (a specific key was used),
-
integrity (the document has been changed),
-
and non-repudiation (possessor of the key can not deny it was used.)
Encryption: One often uses a public key (easy to obtain) to send a symmetric key
(efficient) for a "session" of communication.
XML Security Introduction*
-
There is a requirement to ensure the integrity (via signature) and
confidentiality (via encryption) of parts of XML documents.
-
Operating on a "bucket of bits" is easy. Operating on parts of XML documents
requires the identification and processing of XML in both an abstract (data
model) and consistently serialized (octets) manner.
-
These activities are not only applications using XML, they also must address
questions about XML, such as selecting subsets of a document, and then
canonicalizing them.
-
This is different from access control, authentication and authorization which
have fewer issues with XML, but face tricky questions about semantics.
XML Security Scenario*
-
FatBrain creates a form that will be filled in by a Alice and sent on to
EasyPay.
-
FatBrain signs all of the form except for shipping address and credit card
information, which is filled in by Alice.
-
Alice fills in the form, encrypts the payment authorization element in a key
shared with EasyPay, and returns it to FatBrain.
-
FatBrain processes the form and confirms the integrity of the order (the book
title and price) and passes the encrypted credit card info to EasyPay.
This protocol is faulty, but it demonstrates the use of selective signing and
encryption.
dsig:Status*
-
The specification must describe how to use XML syntax to represent a signature
over digital content (and XML content in particular).
-
XML-signatures are generated from a hash over a list of references and the
digest value of the references' content.
-
The meaning of a signature is simple: The XML-signature syntax associates
the content of resources listed with a key via a strong one-way transformation.
-
The "P3P Assurance Profile" Note explores the question of adding semantics
to signatures.
dsig:Syntax*
<Signature>
<SignedInfo>
<CanonicalizationMethod/>?
<SignatureMethod/>
<Reference (URI=)? >
<Transforms/>?
<DigestMethod/>
<DigestValue/>
</Reference>+
</SignedInfo>
<SignatureValue/>
<KeyInfo/>?
<Object/>*
</Signature>
dsig:Features*
dsig:KeyInfo
-
KeyInfo permits extensible content; though we provide DSA, RSA, X509, PGP, and
SPKI structures (different algorithms and protocols often require different
types of keys).
-
KeyInfo structures is being used by XML Encryption and other XML security
specifications.
dsig:Algorithms
[s04] <SignatureMethod
Algorithm="http://www.w3.org/2000/02/xmldsig#dsa"/>
-
Algorithm identifiers are URIs: extensible, with a few (patent unencumbered)
required to implement:
Type
|
Algorithm
|
Requirements
|
Algorithm URI
|
Digest
|
SHA1
|
REQUIRED
|
http://www.w3.org/2000/09/xmldsig#sha1
|
Encoding
|
Base64
|
REQUIRED
|
http://www.w3.org/2000/09/xmldsig#base64
|
MAC
|
HMAC-SHA1
|
REQUIRED
|
http://www.w3.org/2000/09/xmldsig#hmac-sha1
|
Signature
|
DSAwithSHA1
(DSS)
|
REQUIRED
|
http://www.w3.org/2000/09/xmldsig#dsa
|
Canonicalization
|
Canonical XML
|
REQUIRED
|
http://www.w3.org/TR/2000/WD-xml-c14n-20000907
|
Others
|
XPath
|
RECOMMENDED
|
http://www.w3.org/TR/1999/REC-xpath-19991116
|
xenc:Status*
-
Describe how to use XML to represent a digitally encrypted Web resources
including XML, and portions thereof. Presently limited to elements and content
(not attribute values).
-
Provide for the separation of encryption information from
encrypted data, and support reference mechanisms for addressing encryption
information from encrypted data sections and vice versa.
-
Provide for super-encryption (capable of encrypting XML with portions already
encrypted)
-
Provide for the secure communication of a session key for subsequent
(efficient) communication.
xenc:Example*
In the encrypted version of an XML instance, the <EncryptedData>
element will appear in place of an encrypted element or its content.
Before:
|
After Rodents are encrypted
|
<Animals>
<Cat/>
<Rodents>
<Rabbit/>
<Mouse/>
</Rodents>
<Dog/>
<Animals>
|
<Animals>
<Cat/>
<EncryptedData xmlns="">
<CipherData>M3MXCV...
</CipherData>
</EncryptedData>
<Dog/>
<Animals>
|
xenc:Syntax*
<EncryptedData Id="" Type="">
<EncryptionMethod/>?
<ds:KeyInfo>?
<enc:EncryptedKey/>?
...
</ds:KeyInfo>?
<CipherData URI="">iamscrambled</CipherData>
</EncryptedData>
xenc:Features*
-
Element (and element content) encryption.
-
Uses structures and features of XML Signature wherever possible.
-
Uses XML Schema to describe content model.
-
Can be used with XML Signature such that a recipient knows which encrypted
blocks were encrypted before and after signature creation: she needs
to leave those encrypted before signature generation untouched for the
signature to validate.
xenc:Algorithms
-
Algorithm identifiers are URIs: extensible, with a few (patent unencumbered)
required to implement:
Type
|
Algorithm
|
Requirements
|
Block Encryption
|
AES/3DES
|
REQUIRED
|
Key Transport
|
AES-RSA-OEAP
3DES-RSA-v1.5
|
REQUIRED
|
MAC
|
AES/3DES with SHA1
|
OPTIONAL
|
Signature
|
XML Signature
|
OPTIONAL
|
(Exclusive) Canonicalization
|
Canonical XML
|
OPTIONAL
|
Compression et al
|
n/a
|
|