
Secure your XML documents with signatures

With XML signatures, you can be confident that information you transmit reaches its destination--and that what gets there is exactly what you sent. Learn why and how as we look at the details of this security feature for XML.


Security is a major concern for anyone who uses the Internet for sharing and transmitting data and transactions. As XML has become a key technology in implementing online transactions, the problem of keeping XML data safe from prying eyes is all the more important. Let's look at an overview of XML Signature, a relatively new technology that addresses the issue of securing XML documents.

What is an electronic signature?
When sending XML documents over a network, specifically a public network like the Internet, you run the risk of exposing the data in the document. The data in most XML documents is usually represented as text values that can easily be snooped on an unsecured network connection. One method for securing the transmission of XML documents is to send them via secured network connections using protocols such as Secure Sockets Layer (SSL). However, signatures can provide a layer of protection not available in SSL: the ability to authenticate that the data received is the data sent regardless of the transmission protocol.

The technology behind XML Signature allows the user to authenticate that a document is from the source it says it's from. Signing a digital document is similar to signing a hard-copy document. Your signature is yours alone. More importantly, it's much more difficult (nearly impossible) to forge a digital signature, which uses cryptography to compute a value based on the content being signed. If the content changes by only a single bit, that value will be entirely different. Because the value is produced by a strong one-way transformation combined with public key cryptography, the recipient is able to determine the validity of the signature.

Getting it into XML
The XML Signature protocol does more than simply create a digital signature based on content. The protocol also includes the specifications for including signatures within XML documents, the structure for the signature, and processing and validation rules. A document can be signed either in whole or in part and may include multiple signatures. The signatures can be included in the document being signed, or they can be placed in external documents.

The signature itself is just XML data. Here's a short example:
<Signature Id="someXMLSig" xmlns="http://www.w3.org/2000/09/xmldsig#">
  <SignedInfo>
    <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
    <Reference URI="http://www.techrepublic.com/dummy.xml">
      <Transforms>
        <Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
      </Transforms>
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <DigestValue>j6lwx3rvEPO0vKtMup4NbeVu8nk=</DigestValue>
    </Reference>
  </SignedInfo>
  <SignatureValue>JK34sH6sHy88dj...</SignatureValue>
  <KeyInfo>
    <KeyValue>
      <DSAKeyValue>
        <P>...</P><Q>...</Q><G>...</G><Y>...</Y>
      </DSAKeyValue>
    </KeyValue>
  </KeyInfo>
</Signature>


This is a signature for a document called http://www.techrepublic.com/dummy.xml. The <SignedInfo> element contains information about what is being signed. It describes the content referenced by the signature and the method used to create the signature. The <SignatureValue> element contains the actual signature using base64 encoding. The <KeyInfo> element contains information about the key used to verify the signature. This could include information about how to obtain a public key that would verify the authenticity of the digital signature.
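
The digest check behind each <Reference>, as an added example that is not part of the original article: it canonicalizes the referenced document, hashes it, and compares the result with <DigestValue>. Assumptions: the order document and the check_references helper are constructed for illustration, referenced documents come from a local dict instead of the network, <Transforms> is not interpreted, and Python's built-in C14N 2.0 stands in for the C14N 1.0 algorithm named in the sample.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1"  # algorithm used by the article's sample
DIGESTS = {SHA1: hashlib.sha1,
           "http://www.w3.org/2001/04/xmlenc#sha256": hashlib.sha256}

def digest_b64(xml_text, alg_uri):
    """Canonicalize, hash, base64-encode: the value stored in <DigestValue>."""
    canonical = ET.canonicalize(xml_text)  # assumption: C14N 2.0 as a stand-in
    return base64.b64encode(DIGESTS[alg_uri](canonical.encode("utf-8")).digest()).decode()

def check_references(signature_xml, documents):
    """Return {URI: True/False} for every <Reference> inside <SignedInfo>."""
    sig = ET.fromstring(signature_xml)
    results = {}
    for ref in sig.iterfind(f"{DS}SignedInfo/{DS}Reference"):
        uri = ref.get("URI")
        alg = ref.find(f"{DS}DigestMethod").get("Algorithm")
        claimed = ref.findtext(f"{DS}DigestValue").strip()
        doc = documents.get(uri)  # hypothetical offline resolver
        # Unknown algorithm or missing document fails closed.
        results[uri] = (doc is not None and alg in DIGESTS
                        and digest_b64(doc, alg) == claimed)
    return results

# Constructed sample data (not from the article).
URI = "http://www.techrepublic.com/dummy.xml"
ORIGINAL = '<order id="42" currency="USD"><item>widget</item><total>10.00</total></order>'
REORDERED = '<order currency="USD"  id="42"><item>widget</item><total>10.00</total></order>'
TAMPERED = ORIGINAL.replace("10.00", "1000.00")
SIGNATURE = f"""<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
  <SignedInfo>
    <Reference URI="{URI}">
      <DigestMethod Algorithm="{SHA1}"/>
      <DigestValue>{digest_b64(ORIGINAL, SHA1)}</DigestValue>
    </Reference>
  </SignedInfo>
</Signature>"""

if __name__ == "__main__":
    for label, doc in (("original", ORIGINAL), ("attributes reordered", REORDERED),
                       ("tampered", TAMPERED)):
        print(label, check_references(SIGNATURE, {URI: doc}))
```

A matching digest only shows that the document agrees with <SignedInfo>; a verifier must also check <SignatureValue> over the canonicalized <SignedInfo>, using a public key it already trusts. A key that arrives in <KeyInfo> inside the same message does not establish the signer's identity by itself.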

Secure at last
Using the Internet to perform XML transactions can be tricky when it comes to securing the data being traded. The XML Signature process can help alleviate some security concerns by creating XML-based digital signatures, which can be used to guarantee the authenticity of the data being sent.

Is Internet security an issue for you?
Have you had a project where the security of information transmitted over the Internet was an issue? How did you resolve the problem? Send us an e-mail with your thoughts and experiences or post a comment below.

 
