Saturday, January 5, 2008

XML security

The subject of XML security is quite over-hyped. The whole idea of XML security can be simply described as applying common-sense security technology to a specific format, known as XML. XML security is classically described as a combination of XML Encryption and XML Digital Signature. We shall review these concepts in this article.
XML Encryption
The most interesting part about XML encryption is that we can encrypt an entire document, or its selected portions. This is very difficult to achieve in the non-XML world. We can encrypt one or all of the following portions of an XML document:

* The entire XML document
* An element and all its sub-elements
* The content portion of an XML document
* A reference to a resource outside of an XML document

The steps involved in XML encryption are quite simple, and are as follows:

1. Select the XML to be encrypted (one of the items listed earlier, i.e. all or part of an XML document).
2. Convert the data to be encrypted to a canonical form (optional).
3. Encrypt the result using public key encryption.
4. Send the encrypted XML document to the intended recipient.

The following is a sample XML document containing the details of a user's credit card:



John Smith

1617 1718 0181 9910
Master
05/05



We shall not describe the various details of this XML document, and will simply remark that it contains the credit card details, such as the user’s name, credit limit, currency, card number, issuer name and expiry details. Let us assume that we want to encrypt this. When we perform XML encryption, a standard tag called EncryptedData comes into the picture. As mentioned before, we can choose to encrypt selected portions of the XML document, or we can encrypt it as a whole. For illustration purposes, we shall see what happens when we encrypt only the actual credit card details (such as its number, issuer and expiry details). The result is shown in the figure below. We can see that the encrypted text is embedded inside the tag CipherData. This is another standard tag in XML encryption.



John Smith

http://www.w3.org/2001/04/xmlenc#Content’ xmlns=’http://www.w3.org/2001/04/xmlenc#’>

D7T60UB67





As we can see, the credit card details are now encrypted, and therefore, cannot be read/changed. The fact that we have encrypted the contents of the XML document is signified by using the xmlenc#Content value. If we had encrypted the full CreditCard element, this would have been changed to xmlenc#Element.

XML Digital Signature
A conventional digital signature is calculated over the complete message; it cannot be calculated for only specific portions of a message. The simple reason for this is that the first step in creating a digital signature is the calculation of the message digest over the whole message. Many practical situations demand that users be able to sign only specific portions of a message. For instance, in a purchase request, the purchase manager may want to authorize only the quantity portion, whereas the accounting manager may want to sign only the rate portion. In such cases, XML digital signatures can be used. This technology treats a message or a document as consisting of many elements, and provides for the signing of one or more such elements. This makes the signature process flexible and more practical in nature.
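The per-element signing described above can be sketched as follows. This is an added example, not code from the original article: the purchase request, its element names and the keys are constructed, and an HMAC stands in for each signer's public-key signature so that only the Python standard library is needed.

```python
import base64, copy, hashlib, hmac
import xml.etree.ElementTree as ET

# Constructed purchase request; element names are assumptions for this example.
ORDER = ("<PurchaseRequest><Item>Widget</Item>"
         "<Quantity>100</Quantity><Rate currency='USD'>12.50</Rate>"
         "</PurchaseRequest>")

def element_digest(xml_text, tag):
    """Base64 SHA-256 of the canonical form of the single child named `tag`."""
    matches = ET.fromstring(xml_text).findall(tag)
    if len(matches) != 1:          # missing or duplicated element: refuse
        raise ValueError(f"expected exactly one <{tag}>, found {len(matches)}")
    elem = copy.copy(matches[0])
    elem.tail = None               # whitespace after the element is not signed
    canonical = ET.canonicalize(ET.tostring(elem, encoding="unicode"))
    return base64.b64encode(hashlib.sha256(canonical.encode("utf-8")).digest()).decode()

def _mac(key, tag, digest):
    # Stand-in for the signature value: HMAC replaces the signer's
    # public-key signature (assumption made to stay within the stdlib).
    return hmac.new(key, f"{tag}|{digest}".encode(), hashlib.sha256).hexdigest()

def sign_portion(xml_text, tag, key):
    """Sign one element only, leaving the rest of the document uncovered."""
    digest = element_digest(xml_text, tag)
    return {"tag": tag, "digest": digest, "value": _mac(key, tag, digest)}

def verify_portion(xml_text, sig, key):
    """True only if the named element is present once and still matches."""
    try:
        digest = element_digest(xml_text, sig["tag"])
    except (ValueError, ET.ParseError):
        return False
    return (hmac.compare_digest(digest, sig["digest"]) and
            hmac.compare_digest(_mac(key, sig["tag"], digest), sig["value"]))

if __name__ == "__main__":
    purchasing_key, accounting_key = b"constructed-key-1", b"constructed-key-2"
    qty_sig = sign_portion(ORDER, "Quantity", purchasing_key)
    rate_sig = sign_portion(ORDER, "Rate", accounting_key)
    tampered = ORDER.replace("12.50", "1.25")
    print(verify_portion(tampered, qty_sig, purchasing_key))   # quantity untouched
    print(verify_portion(tampered, rate_sig, accounting_key))  # rate changed
```

Canonicalizing before hashing is what lets a re-serialized copy of the same element (different quoting or spacing inside the tag) still verify, while any change to the signed element's content does not.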
