Overview of XML Signatures


  Abstract: This paper gives a comprehensive but not in-depth introduction to XML signatures. My knowledge is limited and mistakes are unavoidable; corrections and discussion are welcome.

  Contents:

XML Signature Overview

Brief introduction

Why XML signatures are required

Digital signatures

XML Signature Syntax

Application

Implementation

References

  Brief introduction

XML Signature is a signature specification based on the XML format. It is the first W3C Recommendation covering XML security. XML signatures are designed with several objectives; they provide "integrity, message authentication, and/or signer authentication services for data of any type, whether located within the XML that includes the signature or elsewhere" (which is significant for the development of the Internet).

XML Signature essentially defines XML elements that are used to sign XML documents or other data.

This paper first describes the problems XML signatures solve, and then covers XML signatures from the perspectives of digital signature principles, XML signature syntax, and applications.

Why XML signatures are required

The rapid development of the Internet has brought many security challenges. Confidentiality of data in transit, integrity, message authentication, non-repudiation and so on all need careful attention in applications. As stated in the introduction, XML signatures address integrity, message authentication, and non-repudiation (that is, the signer authentication service).

Integrity: Ensuring that data is not tampered with during transmission.

Message authentication: A service that enables data receivers to determine the source of a message.

Non-repudiation: A service that prevents data senders from denying that they sent the data.

At the same time, XML Signature is entirely XML-based, which makes it very convenient to apply. It is also important that it is a W3C Recommendation (for applications on the Internet, standards matter a great deal).

Digital signatures

Digital signatures are a very important field in cryptography, with very extensive applications.

Cryptography is mainly divided into two categories, symmetric and asymmetric; the difference is whether the encryption and decryption keys are the same. Asymmetric cryptography, also known as public-key cryptography, is a very significant breakthrough in modern cryptography. Asymmetric encryption uses two different keys, generally called the private key and the public key. The private key is kept private by the user, while the public key is published through some mechanism, and the two are effectively unrelated (not completely unrelated, but one cannot be derived from the other). Because it uses two different keys it is called asymmetric, and for that reason it can be used for message authentication and non-repudiation.

When digital signatures are applied, a message digest algorithm is commonly used (because signing the original data directly would produce a very long signature). So the digest is calculated first, and then the digest is signed. Message digest algorithms are also an important aspect of cryptography. A digest algorithm is a one-way function that transforms the original data into a digest value (typically 512 bits). Its defining property is that an attacker cannot work backwards from a digest to produce data that matches it, which is the key to providing the integrity service.

  The following is a simple application pattern:

XML Signature Syntax

Note: the XML Signature specification defines the signature syntax, including the digest section. First, an example:

[from "XML-Signature Syntax and Processing"]

[s01] <Signature Id="MyFirstSignature" xmlns="http://www.w3.org/2000/09/xmldsig#">
[s02]   <SignedInfo>
[s03]     <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
[s04]     <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
[s05]     <Reference URI="http://www.w3.org/TR/2000/REC-xhtml1-20000126/">
[s06]       <Transforms>
[s07]         <Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
[s08]       </Transforms>
[s09]       <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
[s10]       <DigestValue>j6lwx3rvEPO0vKtMup4NbeVu8nk=</DigestValue>
[s11]     </Reference>
[s12]   </SignedInfo>
[s13]   <SignatureValue>MC0CFFrVLtRlk=...</SignatureValue>
[s14]   <KeyInfo>
[s15a]    <KeyValue>
[s15b]      <DSAKeyValue>
[s15c]        <P>...</P><Q>...</Q><G>...</G><Y>...</Y>
[s15d]      </DSAKeyValue>
[s15e]    </KeyValue>
[s16]   </KeyInfo>
[s17] </Signature>

Line 1 is the Signature element, which marks the start of an XML signature.

Lines 2-12 are the SignedInfo element; the Reference inside it identifies the signed object and carries the digest of the original data.

Line 13 is the signature value.

Lines 14-16 are the KeyInfo element, giving the public key information used for the signature.

The elements that appear in the example are briefly described below.

[More detailed descriptions, and the related XML schema and DTD, can be found in "XML-Signature Syntax and Processing".]

1. Namespace

xmlns:ds="http://www.w3.org/2000/09/xmldsig#" declares the namespace used by XML signatures (the example above declares it as the default namespace with xmlns).

2. <Signature> element

Identifies a complete XML signature in a particular context. It contains the child elements <SignedInfo>, <SignatureValue>, <KeyInfo>, and <Object>, of which the latter two are optional. Its Id attribute identifies the signature.

3. <SignedInfo> element

One of the most complex elements: it specifies the canonicalization method, the data sources, the signature algorithm, the digest algorithm, the digest values, and the transforms. It contains the three elements <CanonicalizationMethod>, <SignatureMethod>, and <Reference>; there can be multiple <Reference> elements, that is, one signature can cover multiple data sources. An Id attribute identifies it.

3.1. <CanonicalizationMethod> element

Empty element. Its Algorithm attribute specifies the canonicalization algorithm as a URI.

3.2. <SignatureMethod> element

Empty element. Its Algorithm attribute specifies the signature algorithm as a URI.

3.3. <Reference> element

The <DigestMethod> and <DigestValue> child elements specify the digest algorithm and the digest value, respectively. The Id attribute identifies the reference, and the URI attribute specifies the data source. <Transforms> specifies the signature transforms and consists of zero or more <Transform> child elements, each of which is one transform. A transform here is a processing step applied to the data to be signed before it is signed. The Algorithm attribute of <Transform> specifies the transform algorithm.
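The two-step pattern described above (digest the referenced data into DigestValue, then sign the canonicalized SignedInfo) as an added Python example; this is not code from the page or from the W3C specification. Because the standard library has no DSA, the example's dsa-sha1 method is replaced by the specification's hmac-sha1 signature method with a shared key; ET.canonicalize implements C14N 2.0 rather than the C14N 1.0 algorithm the example names, and the order document, key and "#order" URI are constructed values. Requires Python 3.8 or later.

```python
import base64, hashlib, hmac
import xml.etree.ElementTree as ET

DSIG = "http://www.w3.org/2000/09/xmldsig#"
C14N_URI = "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"
ET.register_namespace("", DSIG)  # serialize dsig elements with a default namespace, as in the example

# Constructed sample input: a small XML document plays the role of the referenced data.
SIGNED_DATA = b"<order><item>widget</item><qty>3</qty></order>"
SECRET = b"demo-shared-secret"  # hypothetical HMAC key standing in for the example's DSA key pair

def c14n(xml_text):
    # Canonicalize so that equivalent serializations yield identical bytes. ET.canonicalize
    # implements C14N 2.0; it stands in for the C14N 1.0 algorithm named by C14N_URI.
    return ET.canonicalize(xml_text).encode()

def digest_b64(data):
    # Step 1 of the page's pattern: hash the canonicalized data and base64-encode the digest.
    return base64.b64encode(hashlib.sha1(c14n(data.decode())).digest()).decode()

def build_signature(data, key):
    signed_info = (
        f'<SignedInfo xmlns="{DSIG}">'
        f'<CanonicalizationMethod Algorithm="{C14N_URI}"/>'
        f'<SignatureMethod Algorithm="{DSIG}hmac-sha1"/>'
        '<Reference URI="#order">'
        f'<DigestMethod Algorithm="{DSIG}sha1"/>'
        f"<DigestValue>{digest_b64(data)}</DigestValue>"
        "</Reference></SignedInfo>"
    )
    # Step 2: the signature covers the canonicalized SignedInfo (which holds the digest), not the data.
    mac = hmac.new(key, c14n(signed_info), hashlib.sha1).digest()
    return (f'<Signature xmlns="{DSIG}">{signed_info}'
            f"<SignatureValue>{base64.b64encode(mac).decode()}</SignatureValue></Signature>")

def verify_signature(signature_xml, data, key):
    """Return (reference_ok, signature_ok); the signature is valid only if both are True."""
    ns = {"ds": DSIG}
    root = ET.fromstring(signature_xml)
    signed_info = root.find("ds:SignedInfo", ns)
    # Reference validation: recompute the digest of the referenced data and compare.
    stored_digest = signed_info.find("ds:Reference/ds:DigestValue", ns).text
    reference_ok = hmac.compare_digest(stored_digest, digest_b64(data))
    # Signature validation: recompute the MAC over the re-serialized, canonicalized SignedInfo.
    si_text = ET.tostring(signed_info).decode()
    expected = hmac.new(key, c14n(si_text), hashlib.sha1).digest()
    stored_sig = base64.b64decode(root.find("ds:SignatureValue", ns).text)
    signature_ok = hmac.compare_digest(expected, stored_sig)
    return reference_ok, signature_ok
```

Changing the data breaks the reference check; updating DigestValue to match the changed data passes the reference check but breaks the signature check, which is why both must be performed.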

4. <KeyInfo> element

(Optional.) In practice the context may already imply this information, or the two parties may exchange it by some other agreement.

Contains the child elements <KeyName>, <KeyValue>, <RetrievalMethod>, <X509Data>, <PGPData>, <SPKIData>, and <MgmtData>.

4.1. <KeyName> element

A simple text identifier naming the key.

4.2. <KeyValue> element

An RSA or DSA public key.

4.3. <RetrievalMethod> element

Allows key information to be retrieved remotely.

4.4. <X509Data> element

X.509 certificate data.

4.5. <PGPData> element

PGP-related data.

4.6. <SPKIData> element

SPKI-related data.

4.7. <MgmtData> element

Key agreement parameters (such as Diffie-Hellman parameters).

5. <Object> element

Carries additional information.

Again, this is only a brief introduction; a more detailed description is in the reference "XML-Signature Syntax and Processing".

  Application

XML signatures can be used as part of other standard frameworks or, of course, applied independently, in which case the application defines its own framework for generating and parsing XML signatures. XML signatures are widely used in WS-Security; see the WS-Security specification for details.

  Implementation

Many XML signature development packages are now available. IBM's XML Security Suite and Apache XML Security are the main ones; both implement XML signature generation and validation APIs in Java.

IBM's XML Security Suite: http://www.alphaworks.ibm.com/tech/xmlsecuritysuite/download

Apache XML Security: http://xml.apache.org/security/index.html

References:

"XML Security Basics", Tsinghua Press

http://www.w3.org/Signature/

http://www.w3.org/TR/xmldsig-core/

http://www-128.ibm.com/developerworks/cn/
