An Overview of XML Digital Signatures - PowerPoint PPT Presentation

Slides: 15
Provided by: abc65
Learn more at: http://www.cs.sjsu.edu

Transcript and Presenter's Notes

1
An Overview of XML Digital Signatures
  • Xuemei Wu

2
Introduction
  • XML Digital Signatures are digital signatures
    designed for use in XML transactions.
  • An XML Signature may be applied to the content of
    one or more resources.
  • Three different types of XML Signatures:
  • (a) enveloped
  • (b) enveloping
  • (c) detached signatures

3
Introduction (cont.)
  • An XML Signature can be used to sign only portions
    of an XML message.
  • The use of XML Digital Signatures involves two
    parts:
  • (a) XML Digital Signatures creation
  • (b) XML Digital Signatures verification.

4
Basic Structure
  • <Signature ID?>
  • <SignedInfo>
  • <CanonicalizationMethod/>
  • <SignatureMethod/>
  • (<Reference URI?>
  • (<Transforms>)?
  • <DigestMethod>
  • <DigestValue>
  • </Reference>)
  • </SignedInfo>
  • <SignatureValue>
  • (<KeyInfo>)?
  • (<Object ID?>)
  • </Signature>
  • <Signature> element is the root element
  • <SignedInfo> element is the information that is
    signed
  • <CanonicalizationMethod> is the algorithm used to
    canonicalize the <SignedInfo>
  • <SignatureMethod> is the algorithm used to
    convert the <SignedInfo> into the
    <SignatureValue>
  • <Reference> includes the digest method and
    resulting digest value
  • <Transforms> is an optional ordered list of
    processing steps
  • <DigestMethod> is the algorithm applied to the
    data to obtain the <DigestValue>
  • <KeyInfo> indicates the public key
  • <Object> includes data objects

5
Basic Structure (cont.)
  • Enveloped Format
  • <document>
  • <signature>
  • </signature>
  • </document>
  • Detached Format
  • <signature>
  • </signature>
  • Enveloping Format
  • <signature>
  • <document>
  • </document>
  • </signature>

6
Basic Structure (Example)
  • <?xml version="1.0" encoding="UTF-8"?>
  • <DocumentRoot>
  • <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
  • <SignedInfo Id="myXMLSignature">
  • <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
  • <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
  • <Reference URI="http://www.xyz.com/updates/2005/Feb-10.xml">
  • <Transforms>
  • </Transforms>
  • <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
  • <DigestValue>1pllwx3rvEPO0vKtNup4NbeVu8kd</DigestValue>
  • </Reference>
  • <Reference URI="">
  • <Transforms>
  • <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
  • </Transforms>
  • <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
  • <DigestValue>V6v9a34rTYglRflKiuYxu3VgVKA</DigestValue>
  • </Reference>
  • <Reference URI="">

7
Basic Structure (Example)
  • <Transforms>
  • </Transforms>
  • <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
  • <DigestValue>1lCKQWfJg9712sP9o9ekL6o7Mg8</DigestValue>
  • </Reference>
  • </SignedInfo>
  • <SignatureValue>RTYE1EF2wv7H6YaLC1XoM7qMnU55rMRSYouXKsnL1zDdR2R58WN6XiZPW4exvrq56OuVFHNdJWbtgcuXAkW5wg</SignatureValue>
  • <KeyInfo>
  • <KeyValue>
  • <RSAKeyValue>
  • <Modulus>pLdP0GGla/imcV1JZveJ881NtZvHD0gcGmkAIdYlM33bHopEhKC7crIDSceLx0AsWKaVAcxIJVsfZCtpERP
  • </Modulus>
  • <Exponent>BQCB</Exponent>
  • </RSAKeyValue>
  • </KeyValue>
  • </KeyInfo>
  • <Object>this test message to be signed is enveloped within the XML signature</Object>
  • </Signature>
  • <data>this test message to be signed is part of the document that envelops the XML signature</data>
  • </DocumentRoot>

8
Basic Structure (Sign a portion of the resource)
  • <?xml version="1.0" encoding="UTF-8"?>
  • <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
  • <SignedInfo>
  • <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
  • <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
  • <Reference URI="http://www.xyz.com/updates/foobar.html#core">
  • <Transforms>
  • </Transforms>
  • <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
  • <DigestValue>1C3KWAjgF9712sQ9o9ekL6o7oP8</DigestValue>
  • </Reference>
  • </SignedInfo>
  • <SignatureValue>PEOR1EF2wv7H6YaLC1XoM7qMnU55rMRSYouXKsnL1zDdR2R58WN6XiZQW4exvrq56OuFGHNdJWbtgcuXAkCR5g</SignatureValue>
  • <KeyInfo>
  • <KeyValue>
  • <RSAKeyValue>
  • <Modulus>opEQ0GGla/imcV1JZveJ881NtZvDH0gcGmkAIdYlM33bHopEhKC7crIFJceLx0AsWKaVAcxIJVsfZCtpPRY
  • </Modulus>
  • <Exponent>POBA</Exponent>
  • </RSAKeyValue>
  • </KeyValue>
  • </KeyInfo>
  • </Signature>

9
XML Signatures Application
  • XML Signatures Creation
  • XML Signatures Verification

10
XML Signature Creation
  • Identifying the resources to be signed
  • Computing the digest of each resource
  • Signing the document

11
XML Signature Creation (cont.)
  • Adding key information
  • - Public key information is put into the <KeyInfo>
    element.
  • - This step is optional.
  • Constructing the signature element
  • - Put all the pieces together.

12
XML Signature Verification
  • Verifying the digital signature of the
    <SignedInfo> element
  • - Calculate the digest of the <SignedInfo>
    element.
  • - Unsign the <SignatureValue> element with
    the public key.
  • - Compare the two values above.
  • Computing the digests of the references
  • - Recalculate the digests of the references in
    the <SignedInfo> element.
  • - Compare them with the digest values
    specified in <DigestValue>.
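
Added example, not part of the original presentation: the creation steps of slides 10-11 and the two verification steps of slide 12, in Python with only the standard library. It assumes an HMAC-SHA256 shared key in place of the slides' RSA-SHA1, SHA-256 digests, and Python's C14N 2.0 canonicalizer in place of C14N 1.0; `sign`, `verify`, the key and the payload are names and values constructed for illustration.

```python
import base64, hashlib, hmac
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
HMAC_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"  # assumed method
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
C14N2 = "http://www.w3.org/2010/xml-c14n2"  # stdlib canonicalizer is C14N 2.0

def q(tag):
    return "{%s}%s" % (DS, tag)
def c14n(elem):  # canonical bytes of one element, serialized on its own
    return ET.canonicalize(ET.tostring(elem, encoding="unicode")).encode()

def digest_b64(elem):
    return base64.b64encode(hashlib.sha256(c14n(elem)).digest()).decode()

def mac_b64(info, key):
    return base64.b64encode(hmac.new(key, c14n(info), hashlib.sha256).digest())

def sign(payload, key):  # enveloping form: data lives in <Object Id="data">
    sig = ET.Element(q("Signature"))
    info = ET.SubElement(sig, q("SignedInfo"))
    ET.SubElement(info, q("CanonicalizationMethod"), Algorithm=C14N2)
    ET.SubElement(info, q("SignatureMethod"), Algorithm=HMAC_SHA256)
    ref = ET.SubElement(info, q("Reference"), URI="#data")
    ET.SubElement(ref, q("DigestMethod"), Algorithm=SHA256)
    digest = ET.SubElement(ref, q("DigestValue"))
    value = ET.SubElement(sig, q("SignatureValue"))
    obj = ET.SubElement(sig, q("Object"), Id="data")
    obj.text = payload
    digest.text = digest_b64(obj)             # digest of the resource
    value.text = mac_b64(info, key).decode()  # signature over <SignedInfo>
    return ET.tostring(sig, encoding="unicode")

def verify(sig_xml, key):
    sig = ET.fromstring(sig_xml)
    info = sig.find(q("SignedInfo"))
    if info is None or info.find(q("Reference")) is None:
        return "malformed"
    # Step 1: recompute the signature over <SignedInfo> and compare.
    given = (sig.findtext(q("SignatureValue")) or "").encode()
    if not hmac.compare_digest(mac_b64(info, key), given):
        return "signature-invalid"
    # Step 2: recompute each reference digest; require exactly one target per Id.
    for ref in info.findall(q("Reference")):
        hits = [e for e in sig.iter() if e.get("Id") == ref.get("URI", "")[1:]]
        if len(hits) != 1 or digest_b64(hits[0]) != ref.findtext(q("DigestValue")):
            return "digest-mismatch"
    return "ok"
```

An edited payload is caught by step 2, while an edited payload with a matching rewritten `<DigestValue>` is caught by step 1, so a verifier has to run both.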

13
Summary
  • XML Signature is powerful and flexible
  • (a) Three basic formats
  • (b) Any combination of the three basic
    formats
  • (c) Ability to sign multiple resources
  • (d) Ability to sign a portion or portions of
    a resource
  • XML Signature is straightforward to understand
    and implement
  • References
  • W3C XML-Signature Syntax and Processing
  • http://www.w3.org/TR/xmldsig-core
  • http://www.w3.org/TR/2002/REC-xmldsig-core-20020212

14
Thank You.