Tuesday, November 5, 2024

Digital Signatures in XML

XML Digital Signatures provide the security services of data integrity, authentication, and nonrepudiation.

In a simple shorthand notation, the structures of DSIG signatures have four elements. Elements appear zero or more times if followed by “*”, zero or once if followed by”?”, and once or more if followed by “+”. When not followed by a symbol, elements appear only once.

When removing attributes and contents in the notation it becomes an example of a signature object using three of its four elements.

The signature object contains the cryptographic hash of any signed information, and a reference to the information itself. The signed information may be an arbitrary document. However, often, it will be an XML object. The ability to sign only specific elements of XML documents is one of the most important features of DSIG. It lets the unsigned parts of the XML document be enhanced, modified, or removed for privacy or efficiency, keeping the signature valid.

DSIG signatures may contain either the signed XML object contained in the XML object, or detached from the signed object or document. When the signed XML object envelops the signature, the enveloped signature value itself is not included in the signature calculation and validation computation. For this you use the enveloped-signature transform, removing the whole signature element in which it is contained from the digest calculation.

Public key digital signatures that provide nonrepudiation, such as RSA, are computationally intensive operations; therefore, DSIG also allows shared-key authentication that provides authentication but nonrepudiation. Collision resistant hashing of the signed content is also used to save computational requirements.

Generating DSIG signatures:

1. Identity resources to be signed.

2. Calculating the digest value and composing reference elements for each resource.

3. Composing the signed info element from all references.

4. Computing value of signature method over identity resources to be signed element by applying algorithms like DSA, RSA-SHA1, etc

5. Composing the signature elements with signedInfo, signature value, identity key used to sign, and other optional objects like signature properties.

An XML DSIG may contain multiple reference elements in the same document

DSIG signatures may contain either the signed XML object contained in the XML object, or detached from the signed object or document. When the signed XML object envelops the signature, the enveloped signature value itself is not included in the signature calculation and validation computation. For this you use the enveloped-signature transform, removing the whole signature element in which it is contained from the digest calculation.

Public key digital signatures that provide nonrepudiation, such as RSA, are computationally intensive operations; therefore, DSIG also allows shared-key authentication that provides authentication but nonrepudiation. Collision resistant hashing of the signed content is also used to save computational requirements.

Generating DSIG signatures:

1. Identity resources to be signed.

2. Calculating the digest value and composing reference elements for each resource.

3. Composing the signed info element from all references.

4. Computing value of signature method over identity resources to be signed element by applying algorithms like DSA, RSA-SHA1, etc

5. Composing the signature elements with signedInfo, signature value, identity key used to sign, and other optional objects like signature properties.

An XML DSIG may contain multiple reference elements in the same document.

Pawan Bangar, Technical Director, Birbals, #1047,Sector 42-b, Chandigarh. www.ebirbals.com, www.birbals.com

Related Articles

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Latest Articles