
XML SECURITY

K.SARANYA
KCT
THREE BASIC SECURITY REQUIREMENTS FOR E-BUSINESS

• CONFIDENTIALITY - INFORMATION IS NOT DISCLOSED TO UNAUTHORISED PERSONS

• AUTHENTICATION - ENSURES THE MESSAGE REALLY COMES FROM THE SENDER

• DATA INTEGRITY - WHETHER THE DATA HAS BEEN TAMPERED WITH OR NOT


Cryptography

• Single key cryptography


• Secret key

• Public key cryptography


• Two keys
• Private and public key
Cryptography

• Confidentiality

• Encryption is done with A's private key and B's public key

• Decryption is done with B's private key and A's public key

• What is encoded with A's private key can be decoded with A's public key

• Authentication is done (who sends)



Data integrity
• Ensures the message received is the message sent

• Done through hashing

• A hash is created for the data and encrypted with the data

• If the generated hash changes, the data has been compromised


Digital Signature

• Same as signing a document but digitally

• For authentication

• DS + public key crypto


MANAGING CERTIFICATES AND PRIVATE KEYS

• CERTIFICATES ENSURE THAT IT IS YOUR PUBLIC KEY

• CERTIFICATE AUTHORITIES TAKE CARE OF IT

• A CERTIFICATE HAS A LIFE SPAN
Why is XML special

• XML and SOAP accept transport layer security mechanisms

• SSL and TLS

• Still, security in the transport layer is not sufficient


XML DOCUMENT SECURITY ISSUES

• MISSING ATTRIBUTES ARE GIVEN THEIR DEFAULT VALUE

• CHARACTER REFERENCES ARE REPLACED WITH THE CORRESPONDING REFERENCE

• ENTITY REFERENCES ARE REPLACED WITH THE DECLARED ENTITY

• ATTRIBUTE VALUES ARE NORMALISED


SOAP SECURITY ISSUES

• SOAP SECURITY - HOW DATA FLOWS THROUGH APPLICATIONS WITHOUT EXPOSING DATA

• MUST NOT MANDATE A SPECIFIC TECHNOLOGY OR INFRASTRUCTURE

• NON-CONTENT WHITE SPACE - HASH CALCULATION IS DIFFICULT

• SURFACE CHANGES MAY BREAK THE SIGNATURE


CANONICALIZATION

• A canonical form represents the underlying content of an XML document.

• XML Canonicalization is the use of an algorithm to generate the canonical
form of an XML document to ensure security in cases where XML is subject to
surface representation changes or to processing that discards some
information not essential to the data represented in the XML.

• Canonicalization addresses the fact that when XML is read and processed using
standard XML parsing and processing techniques, some surface representation
information may be lost or modified.

• The document that results from XML Canonicalization ensures that all
internal entities and XML namespaces are expanded

• Entities are replaced with their definitions and the canonical form
explicitly represents the namespace that an element would otherwise
inherit.

The steps that take place during the creation of a core canonical form include

• Encoding the document in the Universal Character Set UTF-8


• Normalizing line breaks before parsing
• Normalizing attribute values as if by a validating processor
• Replacing character and parsed entity references
• Replacing CDATA sections with their character content
• Removing the XML declaration and document type declaration (DTD)

• Converting empty elements to start-end tag pairs


• Normalizing white space outside of the document element and within start
and end tags
• Retaining all white space in character content (excluding characters
removed during line-feed normalization)
• Setting attribute value delimiters to quotation marks
• Replacing special characters in attribute values and character content by
character references
• Removing superfluous namespace declarations from each element
• Adding default attributes to each element
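
The effect of these steps on a hash, as an added example that is not part of the original slides: two serialisations of one constructed order differ in the XML declaration, quoting, attribute order, empty-element form and CDATA, so their raw hashes differ, while the hash of the canonical form is identical and still changes when the content is altered. It assumes Python's standard-library `xml.etree.ElementTree.canonicalize`, which implements C14N 2.0 and does not read DTD defaults.

```python
import hashlib
from xml.etree.ElementTree import canonicalize

# Constructed sample: the same order serialised in two different surface forms
DOC_A = """<?xml version="1.0" encoding="UTF-8"?>
<order  id='42'   currency="EUR"><item/><note><![CDATA[a < b]]></note></order>"""
DOC_B = '<order currency="EUR" id="42"><item></item><note>a &lt; b</note></order>'
# Constructed sample: a real content change (id 42 -> 43)
DOC_TAMPERED = DOC_B.replace('id="42"', 'id="43"')


def raw_digest(xml_text):
    """Hash of the bytes exactly as they arrived on the wire."""
    return hashlib.sha256(xml_text.encode("utf-8")).hexdigest()


def canonical_form(xml_text):
    """Canonical serialisation: declaration removed, attributes sorted and
    double-quoted, empty elements expanded, CDATA replaced by escaped text."""
    return canonicalize(xml_text)


def canonical_digest(xml_text):
    """Hash of the canonical form, the value a signature should cover."""
    return hashlib.sha256(canonical_form(xml_text).encode("utf-8")).hexdigest()


if __name__ == "__main__":
    print("canonical form :", canonical_form(DOC_A))
    print("raw hashes equal      :", raw_digest(DOC_A) == raw_digest(DOC_B))
    print("canonical hashes equal:", canonical_digest(DOC_A) == canonical_digest(DOC_B))
    print("tampering detected    :", canonical_digest(DOC_TAMPERED) != canonical_digest(DOC_B))
```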
XML Security framework

• The W3C is driving three XML security technologies:

• XML Digital Signature

• XML Encryption

• XML Key Management Services


XML ENCRYPTION

• XML Encryption supports encrypting specific parts of an XML document.

• The specification is flexible enough to allow the encryption of any of the
following:

• The entire XML document


• An element and all its subelements
• The content of an XML element
• A reference to a resource outside the document

• The steps for XML Encryption include:

• Selecting the XML to be encrypted (all or part of a document)

• Converting to canonical form if using entities or namespaces with prefixes

• Encrypting the resulting canonical form using public-key encryption

• Sending the encrypted XML to the intended recipient


XML Digital Signature

• The XML Digital Signature specification defines both the syntax and rules for
processing XML digital signatures.

• Signatures provide integrity, message authentication, and signer authentication
services for data

• The XML Digital Signature specification defines a series of XML elements for
describing details of the signature. Some of these elements and what they
signify are as follows:

• SignedInfo: Holds the information that is actually signed.

• CanonicalizationMethod: The algorithm used to canonicalize the SignedInfo element
before it is digested as part of the signature operation.

• SignatureMethod: The algorithm used to convert the canonicalized SignedInfo into
the SignatureValue.

• Reference: Each Reference element includes the method used to compute the
digital hash and resulting digest value calculated over the identified data object.

• KeyInfo: This element indicates the key to be used to validate the signature.

• Transforms: This element is an optional ordered list of processing steps
applied to the resource's content before the digest was computed.

• DigestMethod: This element is the algorithm applied to the data after
Transforms is applied to yield the DigestValue. The signing of the DigestValue
is what binds resource content to the signer's key.

• DigestValue: This element holds the value computed based on the data being
signed. Changing one character of the data being signed will result in an entirely
different digest value.
Steps in Signature generation

1. Create a SignedInfo element with SignatureMethod,
CanonicalizationMethod, and Reference(s).

2. Canonicalize the XML document.

3. Calculate the SignatureValue based on algorithms specified in
SignedInfo.

4. Construct the Signature element that includes SignedInfo, KeyInfo
(if required), and SignatureValue.
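
The four steps above carried through in Python, as an added example that is not part of the original slides and is not interoperable with XML Digital Signature libraries. Assumptions: HMAC-SHA256 with a constructed shared key stands in for the public-key SignatureMethod (the standard library has no public-key signing), the elements are written without the signature namespace, KeyInfo is omitted, and the order document is constructed sample data.

```python
import base64, hashlib, hmac
import xml.etree.ElementTree as ET

KEY = b"constructed-demo-key"  # assumption: shared secret standing in for the signer's key
C14N = "http://www.w3.org/2010/xml-c14n2"
HMAC_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"

def _b64(raw):
    return base64.b64encode(raw).decode("ascii")

def digest_value(data_xml):
    # DigestValue: hash over the canonical form of the referenced data
    return _b64(hashlib.sha256(ET.canonicalize(data_xml).encode("utf-8")).digest())

def signature_value(signed_info, key):
    # Canonicalize SignedInfo itself, then sign that canonical form
    c14n = ET.canonicalize(ET.tostring(signed_info, encoding="unicode"))
    return _b64(hmac.new(key, c14n.encode("utf-8"), hashlib.sha256).digest())

def sign(data_xml, key=KEY):
    sig = ET.Element("Signature")
    si = ET.SubElement(sig, "SignedInfo")                                  # step 1
    ET.SubElement(si, "CanonicalizationMethod", Algorithm=C14N)
    ET.SubElement(si, "SignatureMethod", Algorithm=HMAC_SHA256)
    ref = ET.SubElement(si, "Reference", URI="#order")
    ET.SubElement(ref, "DigestMethod", Algorithm=SHA256)
    ET.SubElement(ref, "DigestValue").text = digest_value(data_xml)       # step 2
    ET.SubElement(sig, "SignatureValue").text = signature_value(si, key)  # step 3
    return ET.tostring(sig, encoding="unicode")                            # step 4

def verify(data_xml, signature_xml, key=KEY):
    sig = ET.fromstring(signature_xml)
    si, stored = sig.find("SignedInfo"), sig.findtext("SignatureValue")
    if si is None or stored is None:
        return False
    if si.findtext("Reference/DigestValue") != digest_value(data_xml):
        return False  # referenced data no longer matches the signed digest
    return hmac.compare_digest(stored, signature_value(si, key))

# Constructed sample data: original, re-serialised (surface change only), tampered
ORDER = '<order id="order" currency="EUR"><item>book</item></order>'
ORDER_RESERIALISED = "<order currency='EUR'  id='order'><item>book</item></order>"
ORDER_TAMPERED = ORDER.replace("book", "gold")
```

Swapping the DigestValue inside the Signature to match altered data does not help, because the DigestValue sits inside the signed SignedInfo.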
XKMS

• XML Key Management Specification (XKMS) uses the web services framework to
make it easier for developers to secure inter-application communication using
public key infrastructure (PKI).

• XKMS is one of the three W3C specifications that define the XML security
architecture.

• XKMS is a W3C initiative that targets the delegation of trust processing decisions
to one or more specialized trust processors, to give businesses an easier way to
manage digital signatures and data encryption
XKMS-STRUCTURE

• XKMS specifies protocols for distributing and registering public keys and is
suitable for use in conjunction with the proposed standard for XML
Signature and as a companion standard for XML Encryption

• XKMS has two parts

• the XML Key Information Service Specification (X-KISS) and

• the XML Key Registration Service Specification (X-KRSS).


X-KISS

• A basic objective of the protocol design is to minimize the complexity of
application implementations by allowing them to become clients and
thereby to be shielded from the complexity and syntax of the underlying
PKI used to establish trust relationships.

• X-KISS defines a protocol for a trust service that resolves public-key
information contained in documents that conform to the XML Signature
specification
X-KRSS

• X-KRSS defines a protocol for a Web service that accepts registration of
public-key information.

• Once registered, the public key may be used in conjunction with other Web
services, including X-KISS

• A client of a conforming service may request that the registration service bind
information to a public key. The information bound may include a name, an
identifier, or extended attributes defined by the implementation.
Guidelines for Signing XML Documents

Rules for digitally signing XML

• Content presentation may introduce changes

• Transformations may alter content.
