Introduction to XML Encryption
The EXtensible Markup Language (XML) is at the center stage of the modern world of technology. XML forms the backbone of upcoming technologies such as web services. Almost every aspect of Internet programming is concerned with XML.So there is a need for XML security which can be achieved by XML encryption. The most interesting part of XML encryption is that we can encrypt the entire document or its selected portions. This is very difficult to achieve in the Non XML world.
Below is the list of portions of the XML document.
- The entire XML document.
- An element and all its sub-elements.
- The content portion of the XML document.
- A reference to a resource outside of an XML document.
We can encrypt one or all of the above portions.
The steps involved in XML encryption are as follows.
- Select the XML which needs to be encrypted (all parts of the XML document or one of the items listed in the above section)
- Convert the data which needs to be encrypted in canonical form. This step is optional.
- Using the public key, encrypt the result.
- Send the result, i.e. encrypted XML, to the intended recipient.
XML Digital Signature
A digital signature is calculated over the complete message; it cannot be calculated only for specific portions of the message. The simple reason for this is that the first step in digital signature creation is the calculation of the message digest over the whole message. However, many practical situations demand that users be able to sign only specific portions of the message. For example, the purchase manager may want to authorize only the quantity portion in a purchase request, whereas the accounting manager may want to sign only the rate portion. In such cases, an XML digital signature can be used. This technology treats messages or documents as consisting of many elements and provides for signing one or more such elements. This makes the XML digital signature process flexible and more practical.
XML digital signature specification defines a number of XML elements which describe characteristics of XML signature, which are as follows
- Signedinfo: It contains the output of the signing process.
- Canonicalization method: It specifies the algorithm which is used to canonicalize the Signedinfo element before it is digested as a part of the signature creation.
- Signature method: It specifies the algorithm which is used to transform the canonicalize the Signedinfo element into the Signature Value element. This is a combination of the message-digest algorithm and the key-dependent algorithm.
- Reference: It includes the mechanism which is used to calculate message digest and the resulting digest value over the original data.
- KeyInfo: It includes a key that can be used to validate the digital signature. This can consist of a digital certificate, key names, key agreement algorithms, etc.
- Transform: It specifies the operation performed before calculating the digest, such as encoding, compression, etc.
- Digest method: It specifies the algorithm which is used for calculating the message digest.
- Digest value: It contains a message digest of the original message.
Steps involved in XML digital signature are as follows
- Create Signedinfo element with SignatureMethod, CanonicalizationMethod, and references.
- Canonicalize the XML document.
- Calculate SignatureValue depending on the algorithms specified in the SignedInfo element.
- Create the digital signature, which also includes the Signedinfo and SignatureValue elements.
XML digital signature Classification
XML digital signature is classified into three types which are as follows
- Enveloped XML digital signature: In this type, the signature is inside the original document.
- Enveloping XML digital signature: In this type, the original document is inside the signature.
- Detached XML digital signature: In this type, the signature has no enveloping concept at all; it is separate from the original document.
XML key management specification
XML Key management specification (XKMS) is an initiative of W3C which aims is to delegate the trust-related decision in XML encryption/signature process to one or more specified trust processors. This allows businesses to manage XML encryption and digital signature to be managed quite easily. This also resolves the issue of the difference between different PKI vendor implementations.
XKMS was jointly proposed by Microsoft, VeriSign, and web methods. It is backed by many other strong parties, including Baltimore, Entrust, HP, IBM, Iona, RSA, etc.
XKMS specifies Protocols for distributing and registering public keys and works very well with XML encryption and XML signatures. XKMS consists of two parts, namely X-KISs and X-KRSs
- X-KISS: It stands doe XML key information service specification, which specifies a protocol for trust service that resolves the public key information in documents that conform to the XML signature standard. This protocol allows the client of such service to delegate some or all of the tasks needed to process an XML signature element. The underlying PKI can be based on different specifications such as X.509 Or PGP (Pretty Good Privacy), and yet X-KISs shields the application from these differences.
- X-KRSS: Ut stands for XML key registration service specification, which defines a protocol for web service that accepts the registration of public key information. Once registered, the public key can be used in relation to other web services, including X-KISS. This protocol can also be used to later retrieve the private key. In addition, the protocol has provisions for authentication of the applicant and proof of possession of the private key.
Conclusion – XML Encryption
Since various organizations have used XML for any purpose, its been mandatory to encrypt the XML to secure its data. Here in this article, we have discussed the XML encryption and its importance with the digital signature.
This is a guide to XML Encryption. Here we discuss the encryption of XML and digital signature along with its importance. You may also look at the following articles to learn more –