XML-DSIG '99: Richard D. Brown, GlobeSet, Inc.

XML-DSIG '99
Proposal for XML Digital Signature
Richard D. Brown, GlobeSet, Inc., Austin TX - U.S.

Summary
- Motivations
- Objectives
- Specification Process
- Driving Requirements
- Syntax Proposal
- Conclusion

Motivations
- XML enables production and exchange of structured data, but this is not sufficient.
  - The usefulness of such structured data depends upon our ability to assess its origin and authenticity.
- Existing binary syntaxes are not satisfactory for building authentication in XML applications.
  - These syntaxes tend to externalize signature from the application logic.
- The lack of XML cryptography standard is a real show stopper for our industry.
  - Slow down development and adoption of XML applications.
  - Rapid proliferation of proprietary and limited solutions.

Objectives
- Define syntax and procedures for the computation, verification, and encoding of digital signatures using XML
  - Signing XML document and element
  - Using XML for signing WEB resources

Specification Process

Requirements
- Ease signature support in XML applications and propose an XML alternative to binary syntaxes
- Support for digital signatures and authentication codes
- Support for certificate-based and account-based authentication schemes
- Authentication of internal and external resources
- Authentication of part or totality of a document
- Support for composite documents
- Support for extended signature functionality such as co-signature, endorsement, etc.

Syntax Basics
    <Signature>
      <Manifest>
        (authenticated attributes)
      </Manifest>
      <Value>
        (encoded signature value)
      </Value>
    </Signature>
    <Certificates>
      (certificate information blocks)
    </Certificates>

Signature Manifest
    <Manifest>
      (resources information block)
      (other authenticated attributes)
      (originator information block)
      (recipient information block)
      (key-agreement algorithm information block)
      (signature algorithm information block)
    </Manifest>

Resources
    <Resources>
      <Resource>
        <Locator href='resource locator'/>
        <ContentInfo type='type qualifier'/>
        <Digest>
          (encoded digest value)
        </Digest>
      </Resource>
      …
    </Resources>

Attributes
    <Attributes>
      <Attribute type='resource locator' critical='boolean'>
        (ANY attribute value)
      </Attribute>
      …
    </Attributes>

Originator and Recipient
    <OriginatorInfo>
      (ANY identification information blocks)
      (ANY keying material information block)
    </OriginatorInfo>
    <RecipientInfo>
      (ANY identification information blocks)
      (ANY keying material information block)
    </RecipientInfo>

Signature and Key-agreement
    <KeyAgreementAlgorithm>
      (algorithm information block)
    </KeyAgreementAlgorithm>
    <SignatureAlgorithm>
      (algorithm information block)
    </SignatureAlgorithm>

Signature Principles
- Enabling signature in XML applications
- Encapsulating arbitrary content
- Implementing endorsement
- Supporting composite documents
- Enabling one-pass processing

Signature in XML Applications
    <AppDoc xmlns:dsig='signature DTD URI'>
      <AppElement id='authenticated'>
        …
      </AppElement>
      <dsig:Signature>
        ...
        <dsig:Resource>
          <dsig:Locator href='#authenticated'/>
          …
      </dsig:Signature>
    </AppDoc>
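
The structure on the slides above, read here as a Value that authenticates the Manifest and Manifest digests that authenticate each Resource reached through a same-document Locator, as an added example that is not part of the original slides or the proposal's own code. The namespace URI, the base64 encoding, the use of ElementTree serialization in place of a canonical digest, and all helper names are assumptions; SHA-1 and HMAC are used because the slides list them.

```python
import base64, copy, hashlib, hmac
import xml.etree.ElementTree as ET

DSIG = "urn:example:dsig"  # placeholder; the slides only say 'signature DTD URI'
NS = {"dsig": DSIG}
SAMPLE = '<AppDoc><AppElement id="authenticated"><Amount>100</Amount></AppElement></AppDoc>'  # constructed
def q(name): return f"{{{DSIG}}}{name}"

def octets(elem):
    # Assumption: ElementTree serialization stands in for a canonical form.
    e = copy.copy(elem)
    e.tail = None  # text after the end tag is not part of the element
    return ET.tostring(e, encoding="utf-8")

def digest(elem):  # SHA-1 as listed on the slides; base64 is an assumption
    return base64.b64encode(hashlib.sha1(octets(elem)).digest()).decode()

def mac(manifest, key):  # HMAC authentication code over the Manifest
    return base64.b64encode(hmac.new(key, octets(manifest), hashlib.sha1).digest()).decode()

def resolve(doc, href):
    # A Locator must match exactly one id, or verifier and application may see different elements.
    hits = [e for e in doc.iter() if e.get("id") == href[1:]]
    if not href.startswith("#") or len(hits) != 1:
        raise ValueError(f"unresolvable or ambiguous locator {href!r}")
    return hits[0]

def sign(doc, target_id, key):
    sig = ET.SubElement(doc, q("Signature"))
    man = ET.SubElement(sig, q("Manifest"))
    res = ET.SubElement(ET.SubElement(man, q("Resources")), q("Resource"))
    ET.SubElement(res, q("Locator"), href="#" + target_id)
    ET.SubElement(res, q("Digest")).text = digest(resolve(doc, "#" + target_id))
    ET.SubElement(sig, q("Value")).text = mac(man, key)  # Value covers the Manifest
    return doc

def verify(doc, key):
    sig = doc.find("dsig:Signature", NS)
    man = None if sig is None else sig.find("dsig:Manifest", NS)
    if man is None or not hmac.compare_digest(mac(man, key), sig.findtext("dsig:Value", "", NS)):
        return False  # no signature, altered Manifest, or wrong key
    try:
        for res in man.iterfind("dsig:Resources/dsig:Resource", NS):
            target = resolve(doc, res.find("dsig:Locator", NS).get("href"))
            if not hmac.compare_digest(digest(target), res.findtext("dsig:Digest", "", NS)):
                return False  # resource content changed
    except ValueError:
        return False
    return True
```

A document in which a second element carries the same id as the signed one fails verification even though the Manifest and its authentication code are untouched, because the Locator no longer identifies a single element.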

Encapsulating Arbitrary Content
    <dsig:Package id='authenticated'>
      <dsig:ContentInfo type='type qualifier'/>
      <dsig:Value encoding='scheme'>
        (encoded value)
      </dsig:Value>
    </dsig:Package>

Implementing Endorsement
    <dsig:Signature id='signature'>
      ...
    </dsig:Signature>
    <dsig:Signature id='counter-signature'>
      ...
      <dsig:Resource>
        <dsig:Locator href='#signature'/>
        …
    </dsig:Signature>

Supporting Composite Documents
    <dsig:Resources id='shared-resources'>
      ...
    </dsig:Resources>
    <dsig:Signature>
      ...
      <dsig:Resource>
        <dsig:Locator href='#shared-resources'/>
        ...
    </dsig:Signature>

Enabling One-Pass Processing
    <dsig:DigestAlgorithms>
      <dsig:Algorithm id='SHA1' type='urn:nist-gov:sha1'/>
      <dsig:Algorithm id='MD5' type='urn:rsasdi-com:md5'/>
    </dsig:DigestAlgorithms>
    <AppElement id='authenticated' dsig:eval='SHA1 MD5'>
      …
    </AppElement>
    <dsig:Signature>
      ...
      <dsig:Resource>
        <dsig:Locator href='#authenticated'/>
        <dsig:Digest>
          <dsig:Algorithm type='urn:nist-gov:sha1'/>
          ...
    </dsig:Signature>

Algorithms
- Element Definition
- Supported Algorithms

Algorithm Element
    <!ELEMENT Algorithm (Parameter*)>
    <!ATTLIST Algorithm
      id    ID     #IMPLIED
      type  CDATA  #REQUIRED
    >
    <!ELEMENT Parameter ANY>
    <!ATTLIST Parameter
      type  CDATA  #REQUIRED
    >

Algorithm Element
    <dsig:Algorithm id='DSA-XHASH-SHA1' type='urn:nist-gov:dsa'>
      <dsig:Parameter type='digest-algorithm'>
        <dsig:Algorithm type='urn:globeset-com:xhash'>
          <dsig:Parameter type='digest-algorithm'>
            <dsig:Algorithm type='urn:nist-gov:SHA1'/>
          </dsig:Parameter>
        </dsig:Algorithm>
      </dsig:Parameter>
    </dsig:Algorithm>

    <dsig:Algorithm id='DSA-XHASH-SHA1' type='urn:xmldsig:dsa-xhash-sha1'/>

Supported Algorithms
- Digest Algorithms
- Key-agreement Algorithms
- Key-exchange Algorithms
- Signature Algorithms

Digest Algorithms
- Surface String Digest Algorithms
  - NIST SHA1
- Canonical Digest Algorithms
  - IBM DOM-HASH
  - GlobeSet XHASH

Key-agreement Algorithms
- RSA Laboratories PKCS12 PBE

Key-exchange Algorithms
- Static Diffie Hellman

Signature Algorithms
- Authentication Codes
  - IETF HMAC
- Public-key Signature Algorithms
  - NIST DSA
  - RSA Labs RSA Encryption
  - T 1 ? ECDSA

Conclusion
- Current Proposal
  - A good start
  - Enter phase 3
- Next
  - First Implementations
  - Standard Body
  - Formalization
- Slides: 29