XML Security

1
XML Security

• By Rami Amar
• January 2003

2
Introduction

• XML is a growing standard
• Security integration is essential
• XML Security combines legacy cryptographic
  technologies with XML technologies to provide a
  secure environment for users and applications

3
On The Lecture

• P3P Privacy Policies Preferences
• WS Security Security framework for Web Services
• Digital Rights Management (XrML)

• XML Digital Signature Integrity Authentication
• XML Encryption Confidentiality
• XML Key Management Public Key RegistrationValidat
  ion
• SAML Conveying Authentication
• XACML Access Control

4
What Else?

• Some general XML Background
• Some SOAP Background
• Some Security Background

5
So Whats this XML??

• eXtended Markup Language (like
  HTML, just extended)
• Syntax and rules for structuring information
• Anyone can create a vocabulary and use it
• Any application can learn a vocabulary and read
  it
• We tell apart from vocabularies using namespaces

6
Vocabularies? Huh?!

• DTD Document Type Definition
• Defines element tags and attributes
• Can be referenced or included in the document
• Does not support constraints
• Short, simple, and with low overhead

lt?xml version"1.0"?gt lt!DOCTYPE bookstore
lt!ELEMENT bookstore (name,topic)gt lt!ELEMENT
topic (name,book)gt lt!ELEMENT name
(PCDATA)gt lt!ELEMENT book (title,author)gt
lt!ELEMENT title (CDATA)gt lt!ELEMENT author
(CDATA)gt lt!ELEMENT isbn (PCDATA)gt
lt!ATTLIST book isbn CDATA "0"gt gt
ltbookstoregt ltnamegtMike's Storelt/namegt
lttopicgt ltnamegtXMLlt/namegt ltbook
isbn"123-456-789"gt lttitlegtA Guide To DTD's
lt/titlegt ltauthorgtMike Jervislt/authorgt
lt/bookgt lt/topicgtlt/bookstoregt
7
Vocabularies? Huh?!

• Schemas
• Uses an Object Oriented Approach
• Allows definition of complex types and
  constraints
• Powerful, but creates a lot of overhead.

ltxsdcomplexType name"topicType"gt ltxsdelement
name"name" type"xsdstring"/gt ltxsdelement
name"book" type"bookType" minOccurs"0"/gtlt/xsd
complexTypegt ltxsdcomplexType name"bookType"gt
ltxsdelement name"title" type"xsdstring"/gt
ltxsdelement name"author" type"xsdstring"/gt
ltxsdattribute name"isbn" type"isbnType"/gtlt/xsd
complexTypegtltxsdsimpleType name"isbnType"gt
ltxsdrestriction base"xsdstring"gt
ltxsdpattern value"\0-93-0-93-0-93
"/gt lt/xsdrestrictiongtlt/xsdsimpleTypegt
ltxsdschema xmlnsxsd"http//www.w3.org/2001/XMLS
chema"gtltxsdannotationgt ltxsddocumentation
xlmlang"en"gt XML Schema for a Bookstore as
an example. lt/xsddocumentationgtlt/xsdannotatio
ngt ltxsdelement name"bookstore"
type"bookstoreType"/gtltxsdcomplexType
name"bookstoreType"gt ltxsdsequencegt
ltxsdelement name"name" type"xsdstring"/gt
ltxsdelement name"topic" type"topicType"
minOccurs"1"/gt lt/xsdsequencegtlt/xsdcomplexTyp
egt
8
SOAP (like Dove?)

• Simple Object Access Protocol
• The SOAP envelope - defines an overall framework
  for expressing what is in a message who should
  deal with it, and whether it is optional or
  mandatory
• The SOAP encoding rules defines a serialization
  mechanism that can be used to exchange instances
  of application-defined datatypes
• The SOAP RPC representation defines a convention
  that can be used to represent remote procedure
  calls and responses

9
SOAP (a message embedded in HTTP)

• POST /StockQuote HTTP/1.1Host
  www.stockquoteserver.comContent-Type text/xml
  charset"utf-8"Content-Length nnnnSOAPAction
  "Some-URI"ltSOAP-ENVEnvelope  xmlnsSOAP-ENV"h
  ttp//schemas.xmlsoap.org/soap/envelope/"  SOAP-E
  NVencodingStyle"http//schemas.xmlsoap.org/soap/
  encoding/"gt   ltSOAP-ENVBodygt       ltmGetLastTr
  adePrice xmlnsm"Some-URI"gt           ltsymbolgtDI
  Slt/symbolgt       lt/mGetLastTradePricegt   lt/SOAP
  -ENVBodygtlt/SOAP-ENVEnvelopegt

10
Why do we need XML Security?
Wide variety of hardware software
The need for a modular approach.
Different administrative applications and
security requirements

• XML
• Adopted widely
• Basis for distributed systems protocols
• Text based designed for modularity and
  expandability

11
Whats wrong with older Enryption tools?

• They encrypt whole documents only
• They are not designed for the content management
  approach
• They provide security only over the data
  connection

12
So Whats so good about XML Security?

• It provides means for integrity, authentication,
  and confidentiality
• It is integrated with XML and maintains all XMLs
  advantages.
• It also provides end-to-end security

Sounds Peachy, But

• It damages documents searchability
• Gets complicated when it comes to signatures
• Vulnerable to plain text attacks

13
Security Mumbo Jumbo

• Authentication Determine identity of a
  person/object
• Authorization Determine what the person is
  allowed to do
• Integrity Ensure the data was not altered on
  its way to you
• Signature Validate the source of the data
• Confidentiality Limit the people allowed to
  view the data
• Privacy Make sure no one abuses your data
• Digital Rights Management Limit users from
  doing whatever they want

14
Encryption Talk

• Encryption Algorithm
• Keys
• Symmetric Key Encryption
• Shared secret key
• Relatively fast
• A-Symmetric Encryption
• Public keys
• Private Keys
• Complex and slow

15
XML Security Standards

• XML Vocabulary for security information is
  defined
• Standards comply with other XML standards
• Security should be applied to
• Whole XML Documents
• Specific XML Elements
• XML Element Content
• Security is associated with content (not
  transport, like SSL)
• XML Security uses existing crypto methods

16
XML Digital Signature

• The Purpose
• DS creates verifies portable electronic
  signatures
• DS provides persistent content integrity

Reminder a signature can be created only by one
person, A, but anyone can verify that A signed it
17
XML Digital Signature

• Features
• You can sign just about anything in the document
• You can use XML Canonicalization for robustness
• You can separate the signature from the document

18
XML Digital Signature

• Creating an XML Digital Signature

lt?xml version"1.0" encoding"UTF-8"?gt
ltSignature xmlns"http//www.w3.org/2000/09/xmlds
ig"gt ltSignedInfo Id"foobar"gt
ltCanonicalizationMethod Algorithm"http//www.w3.o
rg/TR/2001/REC-xml-c14n-20010315"/gt
ltSignatureMethod Algorithm"http//www.w3.org/2000
/09/xmldsigdsa-sha1" /gt ltReference
URI"http//www.abccompany.com/news/2000/03_27_00.
htm"gt ltDigestMethod Algorithm"http//www.w
3.org/2000/09/xmldsigsha1" /gt
ltDigestValuegtj6lwx3rvEPO0vKtMup4NbeVu8nklt/DigestV
aluegt lt/Referencegt ltReference
URI"http//www.w3.org/TR/2000/WD-xmldsig-core-200
00228/signature-ex.xml"gt ltDigestMethod
Algorithm"http//www.w3.org/2000/09/xmldsigsha1"
/gt ltDigestValuegtUrXLDLBIta6skoV5/A8Q38GEw44
lt/DigestValuegt lt/Referencegt lt/SignedInfogt
ltSignatureValuegtMC0ELElt/SignatureValuegt
ltKeyInfogt ltX509Datagt
ltX509SubjectNamegtCNEd Simon,OXMLSec
Inc.,STOTTAWA,CCAlt/X509SubjectNamegt
ltX509Certificategt MIID5jCCA0gA...lVN
lt/X509Certificategt lt/X509Datagt lt/KeyInfogt
lt/Signaturegt
ltSignedInfo Id"foobar"gt ltCanonicalizationMetho
d Algorithm"http//www.w3.org/TR/2001/REC-xml-c14
n-20010315"/gt ltSignatureMethod
Algorithm"http//www.w3.org/2000/09/xmldsigdsa-s
ha1" /gt ltReference URI"http//www.abccompany.c
om/news/2000/03_27_00.htm"gt ltDigestMethod
Algorithm"http//www.w3.org/2000/09/xmldsigsha1"
/gt ltDigestValuegtj6lwx3rvEPO0vKtMup4NbeVu8nklt
/DigestValuegt lt/Referencegt ltReference
URI"http//www.w3.org/TR/2000/WD-xmldsig-core-200
00228/signature-ex.xml"gt ltDigestMethod
Algorithm"http//www.w3.org/2000/09/xmldsigsha1"
/gt ltDigestValuegtUrXLDLBIta6skoV5/A8Q38GEw44lt/
DigestValuegt lt/Referencegt lt/SignedInfogt
ltReference URI"http//www.abccompany.com/news/200
0/03_27_00.htm"gt ltDigestMethod
Algorithm"http//www.w3.org/2000/09/xmldsigsha1"
/gt ltDigestValuegtj6lwx3rvEPO0vKtMup4NbeVu8nklt/D
igestValuegt lt/Referencegt ltReference
URI"http//www.w3.org/TR/2000/WD-xmldsig-core-200
00228/signature-ex.xml"gt ltDigestMethod
Algorithm"http//www.w3.org/2000/09/xmldsigsha1"
/gt ltDigestValuegtUrXLDLBIta6skoV5/A8Q38GEw44lt/Di
gestValuegt lt/Referencegt
19
XML Digital Signature

• Verifying an XML Signature
• Recalculate the signature of ltSignedInfogt
• If its correct, recalculate the signature of
  each reference.

20
XML Encryption

• Purpose
• Allow users to encrypt and decrypt data
• Provide confidentiality in transport and in
  storage
• Features
• Defined vocabulary for ciphers and encryption
  information
• Both XML and non-XML content can be encrypted
• Encryption granularity element content
• Encrypted infromation stays in XML form.
• Compatible with signatures
• Supports for many encryption algorithms

21
XML Encryption

• Key Concepts
• Encrypted elements are replaced by an
  ltEncryptedDatagt element
• ltEncryptedDatagt element contains
• A Type attribute indicates the type of the
  information encrypted
• Information about the algorithm used for
  encryption
• An ltEncryptedKeygt element
• ltCipherDatagt A Reference to the cipher, or the
  cipher itself
• ltEncryptedKeygt - used for encrypting secret keys
  in symmetric key encryption

22
XML Encryption Simple Example
lt?xml version'1.0'?gt ltPaymentInfo
xmlns'http//example.org/paymentv2'gt
ltNamegtJohn Smithlt/Namegt ltCreditCard
Limit'5,000' Currency'USD'gt ltNumbergt
ltEncryptedData xmlns'http//www.w3.org/2001/04/x
mlenc Type'http//www.w3.org/2001/04/x
mlencContent'gt ltCipherDatagt
ltCipherValuegtA23B45C56lt/CipherValuegt
lt/CipherDatagt lt/EncryptedDatagt
lt/Numbergt ltIssuergtExample Banklt/Issuergt
ltExpirationgt04/02lt/Expirationgt lt/CreditCardgt
lt/PaymentInfogt
lt?xml version'1.0'?gt ltPaymentInfo
xmlns'http//example.org/paymentv2'gt
ltNamegtJohn Smithlt/Namegt ltCreditCard
Limit'5,000' Currency'USD'gt ltNumbergt4019
2445 0277 5567lt/Numbergt ltIssuergtExample
Banklt/Issuergt ltExpirationgt04/02lt/Expirationgt
lt/CreditCardgt lt/PaymentInfogt
ltEncryptedData Id? Type? MimeType? Encoding?gt
ltEncryptionMethod/gt? ltdsKeyInfogt
ltEncryptedKeygt? ltAgreementMethodgt?
ltdsKeyNamegt? ltdsRetrievalMethodgt?
ltdsgt? lt/dsKeyInfogt? ltCipherDatagt
ltCipherValuegt? ltCipherReference URI?gt?
lt/CipherDatagt ltEncryptionPropertiesgt?
lt/EncryptedDatagt
23
XML Encryption Complex Example
ltPatientRecord xmlns"http//www.medical.org/"
xmlnslab"http//www.lab.org/tests"gt
ltNamegtJohn Doelt/Namegt ltEncryptedData
Type'http//www.w3.org/2001/04/xmlencElement' x
mlns'http//www.w3.org/2001/04/xmlenc'gt
ltEncryptionMethod Algorithm'http//www.w3.org/200
1/04/xmlenc3des-cbc'/gt ltdsKeyInfo
xmlnsds'http//www.w3.org/2000/09/xmldsig'gt
ltEncryptedKey Id'EK' xmlns'http//www.w3.org
/2001/04/xmlenc'gt ltEncryptionMethod
Algorithm"http//www.w3.org/2001/04/xmlencrsa-1_
5" /gt ltdsKeyInfo xmlnsds'http//www.w3
.org/2000/09/xmldsig'gt ltdsKeyNamegt
Dr Kutter's public key pair
lt/dsKeyNamegt lt/dsKeyInfogt
ltCipherDatagt ltCipherValuegtxyzabclt/C
ipherValuegt lt/CipherDatagt
ltCarriedKeyNamegt Dr Kutter's
symmetric key lt/CarriedKeyNamegt
lt/EncryptedKeygt ltdsKeyNamegt
Dr Kutter's symmetric key lt/dsKeyNamegt
lt/dsKeyInfogt ltCipherDatagt
ltCipherValuegta17xj2zlt/CipherValuegt
lt/CipherDatagt lt/EncryptedDatagt
ltSignature xmlns'http//www.w3.org/2000/09/xmlds
ig'gt ltSignedInfogt ltSignatureMethod
Algorithm"http//www.w3.org/2000/07/xmldsigrsa-s
ha1" /gt lt!-- signature on entire
PatientRecord before encryption is
default interpretation --gt ltReference
URI""gt ltTransforms Algorithm"http//www.
w3.org/TR/2000/WD-xml-c14n-20000710" /gt
ltDigestMethod Algorithm"http//www.w3.org/2000/07
/xmldsigsha1" /gt ltDigestValuegtkjsdflt/Dige
stValuegt lt/Referencegt lt/SignedInfogt
ltSignatureValuegtxjksdasdlt/SignatureValuegt
ltKeyInfogt ltKeyNamegtSally Smith's
Integrity Keylt/KeyNamegt lt/KeyInfogt
lt/Signaturegt lt/PatientRecordgt
24
XML Key Management Specification

• Purpose
• XKMS is designed to manage the sharing of public
  keys.
• Managing includes verifying signatures
• Managing also includes encrypting messages to
  recipients.
• XKMS defines XML messages for registering and
  finding keys
• XKMS saves the work for applications

25
XKMS

• Features
• XKRSS XML Key Registration Service
  Specification
• Allows registering key pairs
• Saves the key pairs as ltKeyBindinggt elements
• Supports backing up restoring keys
• XKISS XML Key Information Service Specification
• Enables clients to request ltKeyBindinggts
  associated with ltKeyInfogt elements.
• LOCATE operation locates a requested key
• VALIDATE operation validates ltKeyBindinggts
• XKMS defines SOAP binding

26
XKMS

• Key Concepts
• Defined messages to from a trusted server
• These messages are bound to the SOAP protocol
• XKMS uses SML Signatures for proof of key
  ownership
• XKMS allows users to request a reply format
  (ltRespondWithgt)
• XKMS can specify what the key is used for
  (ltUseKeyWithgt)

27
XKMS - Examples
ltValidateResult xmlnsds"http//www.w3.org/2000/0
9/xmldsig" xmlnsxenc"http//www.w3.org/2001/0
4/xmlenc" Service"http//test.xmltrustcenter.o
rg/XKMS" ResultMajor"Success"
RequestId"zzjmNi9YLdnkRXzDoqPoQ"
ResponseId"0WeinJVdbyBKruXhiqTscg"
xmlns"http//www.w3.org/2002/03/xkms"gt
ltKeyBinding Id"m0/p5bekjemI4tVFPBkig"gt
ltKeyInfogt ltdsKeyValuegt
ltdsRSAKeyValuegt ltdsModulusgt...lt/dsMod
ulusgt ltdsExponentgtAQABlt/dsExponentgt
lt/dsRSAKeyValuegt lt/dsKeyValuegt
lt/KeyInfogt ltKeyUsagegtSignaturelt/KeyUsagegt
ltUseKeyWith Application"urnietfrfc2633"
Identifier"alice_at_alicecorp.test" /gt
ltReasongtIssuerTrustlt/Reasongt
ltReasongtRevocationStatuslt/Reasongt
ltReasongtValidityIntervallt/Reasongt
lt/KeyBindinggtlt/ValidateResultgt
ltValidateRequest xmlnsds"http//www.w3.org/2000/
09/xmldsig" xmlnsxenc"http//www.w3.org/2001
/04/xmlenc" Service"http//test.xmltrustcente
r.org/XKMS" RequestId"zzjmNi9YLdnkRXzDoqPoQ
" xmlns"http//www.w3.org/2002/03/xkms"gt ltRe
spondWithgtKeyNamelt/RespondWithgt ltRespondWithgtKeyV
aluelt/RespondWithgt ltRespondWithgtMultiplelt/Respond
Withgt ltKeyBindingQuery Id"T/QMi7gGuKCcNWPi120A/w
"gt ltKeyInfogt ltdsX509Datagt
ltdsX509Certificategt certificate encoded
as text lt/dsX509Certificategt
lt/dsX509Datagt lt/KeyInfogt
ltKeyUsagegtSignaturelt/KeyUsagegt ltUseKeyWith
Application"urnietfrfc2633"
Identifier"alice_at_alicecorp.test"
/gt lt/KeyBindingQuerygtlt/ValidateRequestgt
28
Security Assertion Markup Language

• Purpose
• Authentication is used to identify clients who
• Require limited access
• Participate in transactions
• Require personalized content
• Authorization assertions are used to
• Share authentications for single sign-on
• Enable third party authenticators

29
SAML

• Features
• A vocabulary for sharing security assertions
• A request/response protocol with binding to SOAP.
• Assertions are associated with subject
• SAML establishes a general framework for
  assertions

30
SAML

• Key Concepts
• Detailed authentication authorization
  expressions
• Schema for Security Assertions
• Types Authentication, Attribute, Authorization
  Decision, user defined
• Information in each Assertion
• Assertion ID
• Subject (name security domain)
• Conditions for assertion validity
• Any additional info (such as how the assertion
  was created)
• Examples
• Authorization decision by subject S, for access
  type A, to resource R, given evidence E.

31
SAML
32
SAML Implementations

• JSAML A toolkit by Netegrity (http//www.netegri
  ty.com/)
• JSR 155 (Java Community Process)

33
XML Access Control Markup language

• Purpose
• XACML defines a vocabulary for making the
  authorization rules.
• Features
• A defined vocabulary for expressing authorization
  rules
• A defined vocabulary for expressing condition for
  rules
• Rules combinations and evaluation
• Policies which apply rules to subjects

34
XML Access Control Markup language

• Key Concepts
• Compatibility with SAML (same subject/action
  definitions)
• Rules are defined as targets, effects and
  conditions
• Target includes resources, subjects, and
  actions
• Effect - ltAllowDenygt
• Conditions predicates defined in XACML
• Policy A collection of rules, and obligations
  (actions performed on authorization)

35
XACML - Example
ltRule RuleId"//medico.corules/rule3"
Effect"Permit"gt ltTargetgt ltSubjectsgt
ltsamlAttribute AttributeName"RFC822Name"
AttributeNamespace"//medico.com"gt
ltsamlAttributeValuegtlt/samlAttributeValuegt
lt/samlAttributegt lt/Subjectsgt
ltResourcesgt ltsamlAttribute
AttributeName"documentURI"
AttributeNamespace"//medico.com"gt
ltsamlAttributeValuegt//medico.com/records.lt/saml
AttributeValuegt lt/samlAttributegt
lt/Resourcesgt ltActionsgt
ltsamlActiongtreadlt/samlActiongt lt/Actionsgt
lt/Targetgt ltConditiongt ltEqualgt
ltAttributeDesignator AttributeName"urnoa
sisnamestcxacmlidentifiersAccessSubject" /gt
ltAttributeDesignator AttributeName"patientNa
me" /gt lt/Equalgt lt/Conditiongtlt/Rulegt
36
XML Security Applications

• WS Security
• Web Services rely on XML Protocol messages to
  link applications across enterprises and
  platforms.
• Securing those inter-connections is essential.
• Microsoft and IBM released a Web Services
  Security architecture
• The Goal Define a uniform, flexible, and
  extensible security framework for Web Services.

37
WS Security

• Terminology
• Web service
• Security Token
• Signed Security Token
• Claims
• Subject
• Proof-of-Possession
• Web Service Endpoint Policy
• Intermediaries
• Actor

38
WS Security

• Web Services Security Model Principles
• End-to-end security
• Initial Specifications
• WS Security describes attachment of signatures
  and encryption headers to SOAP messages.
• WS Policy describes capabilities and
  limitations of endpoints and intermediaries.
• WS Trust a framework for trust models in which
  services can interoperate
• WS Privacy describes how subjects will declare
  privacy preferences

39
WS Security

• Follow-On Specifications
• WS SecureConversation describes how to
  dynamically establish trusted connections
• WS Federation describeshow to manage
  relationships in a federated environment
• WS Authorization describes means of data
  authorizing management.

40
WS Security
lt?xml version"1.0" encoding"utf-8"?gtltSEnvelope
xmlnsS"http//www.w3.org/2001/12/soap-envelope"
xmlnsds"http//www.w3.org/2000/09/xmldsig"gt
ltSHeadergt lt!-- WS-Security specific
information here --gt ltwsseBinarySecurityToken
xmlnswsse"http//schemas.xmlsoap.org/Ws/2
002/04/secext" Id"myToken"
ValueType"wsseX509v3" EncodingType"wsseBas
e64Binary"gt MIIEZzCCA9CgAwIBAgIQEmtJZc0...
lt/wsseBinarySecurityTokengt
ltwsseSecurity xmlnswsse"http//schemas.xmlsoap.
org/ws/2002/04/secext"gt ltdsSignaturegt
lt!-- XML Digital Signature on the MsgBody
below to provide payload integrity --gt
lt/dsSignaturegt lt/wsseSecuritygt
lt/SHeadergt lt!-- the Id provides a simple way
for the security part of the header to refer to
the body --gt ltSBody Id"MsgBody"gt
lttruStockSymbol xmlnstru"http//fabrikam123.com
/payloads"gt QQQ lt/truStockSymbolgt
lt/SBodygtlt/SEnvelopegt

• Example

41
Platform For Privacy Preference

• Purpose
• Control access to personal information
• Prevent misuse of personal information
• Lets users control what information to distribute
• Save the user to bother of reading the policies

42
P3P Platform for Privacy Preference

• Features
• An XML vocabulary for defining users/sites
  privacy preferences
• Defines who collects the data
• For what purpose is the data being used
• Who can access the data
• Etc.
• A tool for retrieving policies easily
• Transparency User does not have to look for the
  policies.

43
P3P Client Implementations

• Idcide Privacy Companion
• Browser plug in
• Allows user to set a privacy level, and warns
  when its reached
• Keeps a tracking history
• YOUpowered Orby Privacy Plus
• A tool bar on the desktop
• Basically does the same
• www.youpowered.com

44
P3P Policy Generators

• IBM P3P Policy Editor
• Allows websites to create policies in P3P and
  English
• http//www.alphaworks.ibm.com/tech/p3peditor
• PrivacyBot.com
• An online interface for creating policies.
• YOUpowered Consumer Trust Policy Manager Wizard
• http//www.youpowered.com/

45
P3P Enabled Websites

• www.aol.com
• www.att.com
• www.cdt.org
• www.engage.com
• www.hp.com
• www.ibm.com
• www.idcide.com

• www.microsoft.com
• www.pg.com
• www.ttuhsc.edu
• www.youpowered.com
• www.vineyard.net
• www.w3.org
• www.whitehouse.gov

46
Digital Rights Management

• Purpose
• Control the use of content according to a license
• Keep this control after content is copied/moved
• Allow interoperability among content viewers
• Features
• XrML defines a framework for expressing
• Rights,
• Definitions,
• Rules

47
XrML eXtensible rights Markup Language

• Key Concepts
• Principal unique, authenticated individual
• Resource an object (i.e. a movie, a book)
• Right an action a principal can perform on a
  resource
• Grant a right of a principal to use a resource
• Condition terms which must be met to execute a
  grant
• License a collection of grants, along with
  issuers info
• XrML uses XML to define grants and provide
  extensibility
• XrML takes advantage of XML Signatures for
  signing licenses

48
XrML - Example
ltlicense xmlnsdsig'http//www.w3.org/2000/09/xml
dsig'gt ltinventorygt lt!-- PRINCIPAL
specified by public key here --gt ltkeyHolder
licensePartId"issuedToParty"gt ltinfogt
ltdsigKeyValuegt specify public key
lt/dsigKeyValuegt lt/infogt lt/keyHoldergt
lt!-- RESOURCE specified by URI --gt
ltcxdigitalWork licensePartId"eBook"gt
ltcxlocatorgt ltnonSecureIndirect
URI"http//www.contentguard.com/sampleBook.spd"
/gt lt/cxlocatorgt lt/cxdigitalWorkgt
lt/inventorygt lt!-- collection of GRANTs
including general conditions on all --gt
ltgrantGroupgt ltkeyHolder licensePartIdRef"issu
edToParty" /gt ltsxfeegt information about the
fee, including type, amount, currency,
etclt/sxfeegt ltgrantgt lt!-- RIGHT to
play, for the validity interval of 1 year
(CONDITION) --gt ltcxplay /gt
ltcxdigitalWork licensePartIdRef"eBook" /gt
ltsxvalidityIntervalFloatinggt validity
interval, possibly unique identifier
lt/sxvalidityIntervalFloatinggt lt/grantgt
lt/grantGroupgt
ltissuergt ltdsigSignaturegt XML Digital
Signature of issuer of license
lt/dsigSignaturegt ltdetailsgt
lttimeOfIssuegt2001-11-15T040302lt/timeOfIssuegt
lt/detailsgt lt/issuergtlt/licensegt
49
XML Security - Conclusion

• Using all of the described tools, XML Security
  provides a secure environment in which users and
  Web Services communicate and interact.
• The base of these tools are the XML Digital
  Signatures and XML Encryption.

50
Bibliography

• XML, SOAP, XML Digital Signatures, XML
  Encryption, XKMS, P3P
• http//www.w3.org/XML/
• http//www.w3.org/2000/xp/Group/
• http//www.w3.org/Signature/
• http//www.w3.org/Encryption/2001/
• http//www.w3.org/2001/XKMS/
• http//www.w3.org/P3P/
• XACML www.oasis-open.org/committees/xacml/
• SAML www.oasis-open.org/committees/security ,
  www.simc-inc.org/archive0002/February02/
  devwed1015_rouault.pdf
• WS Security www.alphaworks.ibm.com/develo
  perworks/security/library/ws-secmap/