XMLDSIG99 - PowerPoint PPT Presentation
1 / 29
Title:
XMLDSIG99
Description:
... tend to externalize signature from the application logic. ... Ease signature support in XML applications and propose an XML alternative to binary syntaxes ... – PowerPoint PPT presentation
Number of Views:41
Avg rating:3.0/5.0
Title: XMLDSIG99
1
XML-DSIG99
- Richard D. Brown
- GlobeSet, Inc. Austin TX - U.S.
- Proposal for XML Digital Signature
2
Summary
- Motivations
- Objectives
- Specification Process
- Driving Requirements
- Syntax Proposal
- Conclusion
3
Motivations
- XML enables production and exchange of structured
data, but this is not sufficient. - The usefulness of such structured data depends
upon our ability to assess its origin and
authenticity. - Existing binary syntaxes are not satisfactory for
building authentication in XML applications. - These syntaxes tend to externalize signature from
the application logic. - The lack of XML cryptography standard is a real
show stopper for our industry. - Slow down development and adoption of XML
applications. - Rapid proliferation of proprietary and limited
solutions.
4
Objectives
- Define syntax and procedures for the computation,
verification, and encoding of digital signatures
using XML - Signing XML document and element
- Using XML for signing WEB resources
5
Specification Process
6
Specification Process
7
Specification Process
8
Requirements
- Ease signature support in XML applications and
propose an XML alternative to binary syntaxes - Support for digital signatures and authentication
codes - Support for certificate-based and account-based
authentication schemes - Authentication of internal and external resources
- Authentication of part or totality of a document
- Support for composite documents
- Support for extended signature functionality such
as co-signature, endorsement, etc...
9
Syntax Basics
ltCertificatesgt (certificate
information blocks) lt/Certificatesgt
- ltSignaturegt
- ltManifestgt
- (authenticated attributes)
- lt/Manifestgt
- ltValuegt
- (encoded signature value)
- lt/Valuegt
- lt/Signaturegt
10
Signature Manifest
ltManifestgt (resources information block)
(other authenticated attributes) (originator
information block) (recipient information
block) (key-agreement algorithm information
block) (signature algorithm information
block) lt/Manifestgt
11
Resources
- ltResourcesgt
- ltResourcegt
- ltLocator hrefresource locator/gt
- ltContentInfo typetype qualifier/gt
- ltDigestgt
- (encoded digest value)
- lt/Digestgt
- lt/Resourcegt
- lt/Resourcesgt
12
Attributes
- ltAttributesgt
- ltAttribute typeresource locator
- criticalboolean/gt
- (ANY attribute value)
- lt/Attributegt
- lt/Attributesgt
13
Originator and Recipient
- ltOriginatorInfogt
- (ANY identification information blocks)
- (ANY keying material information block)
- lt/OriginatorInfogt
- ltRecipientInfogt
- (ANY identification information blocks)
- (ANY keying material information block)
- lt/RecipientInfogt
14
Signature and Key-agreement
- ltKeyAgreementAlgorithmgt
- (algorithm information block)
- lt/KeyAgreementAlgorithmgt
- ltSignatureAlgorithmgt
- (algorithm information block)
- lt/SignatureAlgorithmgt
15
Signature Principles
- Enabling signature in XML applications
- Encapsulating arbitrary content
- Implementing endorsement
- Supporting composite documents
- Enabling one-pass processing
16
Signature in XML Applications
- ltAppDoc xmlnsdsigsignature DTD URIgt
- ltAppElement idauthenticatedgt
- lt/AppElementgt
- ltdsigSignaturegt
- ...
- ltdsigResourcegt
- ltdsigLocator
hrefauthenticated/gt - lt/dsigSignaturegt
- lt/AppDocgt
17
Encapsulating Arbitrary Content
- ltdsigPackage idauthenticatedgt
- ltdsigContentInfo typetype qualifier/gt
- ltdsigValue encodingschemegt
- (encoded value)
- lt/dsigValuegt
- lt/dsigPackagegt
18
Implementing Endorsement
- ltdsigSignature idsignaturegt
- ...
- lt/dsigSignaturegt
- ltdsigSignatue idcounter-signaturegt
- ...
- ltdsigResourcegt
- ltdsigLocator hrefsignature/gt
- lt/dsigSignaturegt
19
Supporting Composite Documents
- ltdsigResources idshared-resourcesgt
- ...
- lt/dsigResourcesgt
- ltdsigSignaturegt
- ...
- ltdsigResourcegt
- ltdsigLocator hrefshared-resour
ces/gt - ...
- lt/dsigSignaturegt
- ltdsigSignaturegt
- ...
- ltdsigResourcegt
- ltdsigLocator hrefshared-resour
ces/gt - ...
- lt/dsigSignaturegt
20
Enabling One-Pass Processing
- ltdsigDigestAlgorithmsgt
- ltdsigAlgorithm idSHA1 typeurnnist-govs
ha1/gt - ltdsigAlgorithm idMD5 typeurnrsasdi-com
md5/gt - lt/dsigDigestAlgorithmsgt
- ltAppElement idauthenticated dsigevalSHA1
MD5gt - lt/AppElementgt
- ltdsigSignaturegt
- ...
- ltdsigResourcegt
- ltdsigLocator hrefauthenticated
/gt - ltdsigDigestgt
- ltdsigAlgorithm
typeurnnist-govsha1/gt - ...
- lt/dsigSignaturegt
21
Algorithms
- Element Definition
- Supported Algorithms
22
Algorithm Element
lt!ELEMENT Algorithm (Parameter)gt lt!ATTLIST
Algorithm id ID
IMPLIED type CDATA
REQUIRED gt lt!ELEMENT Parameter ANYgt lt!ATTLIST
Parameter type CDATA REQUIRED gt
23
Algorithm Element
ltdsigAlgorithm idDSA-XHASH-SHA1
typeurnnist-govdsagt ltdsigParameter
typedigest-algorithmgt ltdsigAlgorithm
typeurnglobeset-comxhashgt
ltdsigParameter typedigest-algorithmgt
ltdsigAlgorithm typeurnnist-govSHA1/gt
lt/dsigParametergt
lt/dsigParametergt lt/dsigAlgorithmgt
ltdsigAlgorithm idDSA-XHASH-SHA1
typeurnxmldsigdsa-xhash-sha1/gt
24
Supported Algorithms
- Digest Algorithms
- Key-agreement Algorithms
- Key-exchange Algorithms
- Signature Algorithms
25
Digest Algorithms
- Surface String Digest Algorithms
- NIST SHA1
- Canonical Digest Algorithms
- IBM DOM-HASH
- GlobeSet XHASH
26
Key-agreement Algorithms
- RSA Laboratories PKCS12 PBE
27
Key-exchange Algorithms
- Static Diffie Hellman
28
Signature Algorithms
- Authentication Codes
- IETF HMAC
- Public-key Signature Algorithms
- NIST DSA
- RSA Labs RSA Encryption T1
- ? ECDSA
29
Conclusion
- Current Proposal
- A good start
- Enter phase 3
- Next
- First Implementations
- Standard Body
- Formalization
Recommended
CrystalGraphics Presentations
