Kein Folientitel

1
Content Analysis, Retrieval and MetaData
Effective Networking A Global-Info project
Period 1.10.99 - 28.02.2002 Subproject
Digital Signatures and Metamaker with Upload
Facility for a Distributed Informationsystem

• Dr. Michael Kaplan
• Zentrum Mathematikder
• Technischen Universität München
• Email kaplan_at_ma.tum.de
• 16.1.2002 Osnabrück

2
XML-Signatures

• XML Signatures are digital signatures designed
  for use in XML Web transactions.
• Digital signatures add authentication, data
  integrity and non repudiation to any form of data
  that they sign.
• The nature of XML digital signatures make it easy
  for applications to sign resources located on
  theWeb.

3
XML-Signature is a W3C standard
4
Resources

• An XML Signature can sign more than one resource.
  
• A single XML Signature might encompass
  character-encoded data - such as an HTML page,
  binary-encoded data - such as a GIF, XML-encoded
  data, and a specific section of an XML file.
• The following example illustrates the variety of
  objects that can be signed using XML Signatures.

5
Objects that can be signed
6
Separate and embedded XML-Signatures
7
Creating a Signature

• Determine the resources to be signed
• Calculate the digest of each resource in a
  ltReferencegt tag
• Collect all ltReferencegts in ltSignedInfogt
• Calculate the digest of ltSignedInfogt, sign the
  digest and put the signature in ltSignatureValuegt
• Include necessary keying information in ltKeyInfogt
• Put ltSignedInfogt, ltSignatureValuegt and ltKeyInfogt
  in a ltSignaturegt tag. That's the XML Signature!

8
The Resources to be Signed

• Determine the resources to be signed via their
  URI. The resource can be a reference to an
  external document or to another element in the
  same XML instance, for example
• http//www.w3.org/TR/xml-stylesheet/ will be
  referenced in
• ltReference URIhttp//www.w3.org/TR/xml-styleshee
  t/gt
• ... more code ...
• lt/Referencegt
• Reference to the element with the identifier
  id1 in the same document
• ltReference URIid1gt
• ... more code ...
• lt/Referencegt

9
Digests 1

• XML-Signature uses the Secure Hash Standard
  (SHA-1) by the U.S. Department of Commerce and
  the National Institute of Standards and
  Technology.
• A hash is a fixed length, mathematical summary of
  a piece of data. This hash summary is a
  unique-identifying digital fingerprint of the
  data. If even a single bit of the data changes,
  the hash code will dramatically change.

10
Digests 2
It is conjectured that it is computationally
infeasible to produce two messages having the
same message digest, or to produce any message
having a given prespecified target message digest.
Example
Could you please transfer 100 from my checking
account to the account of Mr. Smith?
SHA-1(
)
fdd047a5b3e49f2df49289b15d022d93037f9cea
Could you please transfer 1000 from my checking
account to the account of Mr. Smith?
SHA-1(
)
3a7193b551c98ffbd2a4ae28836247a981ac067a
NoteThe linebreaks are included for readabilty
and not included in the hashes.
11
SignedInfo

• All ltReferencegt-blocks with their associated
  digests are collected within a ltSignedInfogt
  element. The structure of this tag includes the
  canonicalization algorithm, a signature
  algorithm, and one or more references. The
  SignedInfo element may contain an optional ID
  attribute that will allow it to be referenced by
  other signatures and objects. The required
  ltSignedInfogt element is the information that is
  actually signed. In this way also the algorithm
  names and the canonicalization algorithm are
  signed to resist attacks based on substituting a
  weaker algorithm.

12
SignatureMethod

• ltSignatureMethodgt specifies the algorithm used
  for signature generation and validation. This
  algorithm identifies all cryptographic functions
  involved in the signature operation (e.g.
  hashing, public key algorithms, etc.).
• ltSignatureMethodgt is a combination of a digest
  algorithm and a key dependent algorithm (and
  possibly other algorithms).

13
Public Key Algorithms 1

• The XML-Signature specification defines a set of
  algorithms, their URIs, and requirements for
  implementation.
• Signature algorithms take two implicit
  parameters, their keying material determined from
  ltKeyInfogt and the octet stream output by
  ltCanonicalizationMethodgt.

14
Public Key Algorithms 2

• XML-Signature uses two well known public key
  algorithms, called
• DSA and
• RSA
• The ltSignatureValuegt is calculated over the
  SHA-1 digest of ltSignedInfogt.
• The signature algorithms are therefore called
  DSAwithSHA1(short DSSDigital Signature Standard)
  and RSAwithSHA1

15
Example
ltSignature Id"MySig" xmlns"http//www.w3.org/200
0/07/xmldsig"gt
ltSignedInfogt
... Some code not shown ...
ltSignatureMethod Algorithm"http//www.w3.org/2000
/07/xmldsigdsa-sha1"/gt
ltReference URI"http//www.w3.org/TR/2000/REC-xhtm
l1-20000126/"gt
... Some code not shown ...
ltDigestMethod Algorithm"http//www.w3.org/2000/07
/xmldsigsha1"/gt
ltDigestValuegt...lt/DigestValuegt
lt/Referencegt
ltReference ...gt
... Some code not shown ...
lt/Referencegt
lt/SignedInfogt
ltSignatureValuegt...lt/SignatureValuegt
ltKeyInfogt ... Some code not shown
... lt/KeyInfogt
lt/Signaturegt
16
Metadata of a publication for humans
17
Old html metatags included in the resource
18
RDF metadata for the resource in an extra xml file
19
Softwaretools 1
20
Software- tools 2
21
Software- tools 3
22
Commercial providers of xml-security software
23
Available java software with a friendly license
24
The signing process
25
The work of the signing applet
26
Key exchange via PKCS 12
27
Certificate-Management in Netscape - own
certificates
28
Import of an OpenSSL generated self signed
certificate
29
Accepting foreign cerificates (e.g. to give
rights to an applet)
30
Allow the applet to read local files and
then read in the private key as p12-file
31
Collection of the material to be signed with
xerces help
32
A complete XML-signature for a publication
33

• Problems
• Not very widespread usage of certificates. Low
  acceptance
• Dependence of browsers (IE, Netscape,...) and
  Java Versions (builtin, plugin, IBM, Sun,
  ...)

Danke für Ihre Aufmerksamkeit!