Kein Folientitel - PowerPoint PPT Presentation

1 / 33
About This Presentation
Title:

Kein Folientitel

Description:

Email: kaplan_at_ma.tum .de. 16.1.2002 Osnabr ck. XML Signatures are digital ... Digital signatures add authentication, data integrity and non repudiation to any ... – PowerPoint PPT presentation

Number of Views:45
Avg rating:3.0/5.0
Slides: 34
Provided by: mka61
Category:

less

Transcript and Presenter's Notes

Title: Kein Folientitel


1
Content Analysis, Retrieval and MetaData
Effective Networking A Global-Info project
Period 1.10.99 - 28.02.2002 Subproject
Digital Signatures and Metamaker with Upload
Facility for a Distributed Informationsystem
  • Dr. Michael Kaplan
  • Zentrum Mathematikder
  • Technischen Universität München
  • Email kaplan_at_ma.tum.de
  • 16.1.2002 Osnabrück

2
XML-Signatures
  • XML Signatures are digital signatures designed
    for use in XML Web transactions.
  • Digital signatures add authentication, data
    integrity and non repudiation to any form of data
    that they sign.
  • The nature of XML digital signatures make it easy
    for applications to sign resources located on
    theWeb.

3
XML-Signature is a W3C standard
4
Resources
  • An XML Signature can sign more than one resource.
  • A single XML Signature might encompass
    character-encoded data - such as an HTML page,
    binary-encoded data - such as a GIF, XML-encoded
    data, and a specific section of an XML file.
  • The following example illustrates the variety of
    objects that can be signed using XML Signatures.

5
Objects that can be signed
6
Separate and embedded XML-Signatures
7
Creating a Signature
  • Determine the resources to be signed
  • Calculate the digest of each resource in a
    ltReferencegt tag
  • Collect all ltReferencegts in ltSignedInfogt
  • Calculate the digest of ltSignedInfogt, sign the
    digest and put the signature in ltSignatureValuegt
  • Include necessary keying information in ltKeyInfogt
  • Put ltSignedInfogt, ltSignatureValuegt and ltKeyInfogt
    in a ltSignaturegt tag. That's the XML Signature!

8
The Resources to be Signed
  • Determine the resources to be signed via their
    URI. The resource can be a reference to an
    external document or to another element in the
    same XML instance, for example
  • http//www.w3.org/TR/xml-stylesheet/ will be
    referenced in
  • ltReference URIhttp//www.w3.org/TR/xml-styleshee
    t/gt
  • ... more code ...
  • lt/Referencegt
  • Reference to the element with the identifier
    id1 in the same document
  • ltReference URIid1gt
  • ... more code ...
  • lt/Referencegt

9
Digests 1
  • XML-Signature uses the Secure Hash Standard
    (SHA-1) by the U.S. Department of Commerce and
    the National Institute of Standards and
    Technology.
  • A hash is a fixed length, mathematical summary of
    a piece of data. This hash summary is a
    unique-identifying digital fingerprint of the
    data. If even a single bit of the data changes,
    the hash code will dramatically change.

10
Digests 2
It is conjectured that it is computationally
infeasible to produce two messages having the
same message digest, or to produce any message
having a given prespecified target message digest.
Example
Could you please transfer 100 from my checking
account to the account of Mr. Smith?
SHA-1(
)
fdd047a5b3e49f2df49289b15d022d93037f9cea
Could you please transfer 1000 from my checking
account to the account of Mr. Smith?
SHA-1(
)
3a7193b551c98ffbd2a4ae28836247a981ac067a
NoteThe linebreaks are included for readabilty
and not included in the hashes.
11
SignedInfo
  • All ltReferencegt-blocks with their associated
    digests are collected within a ltSignedInfogt
    element. The structure of this tag includes the
    canonicalization algorithm, a signature
    algorithm, and one or more references. The
    SignedInfo element may contain an optional ID
    attribute that will allow it to be referenced by
    other signatures and objects. The required
    ltSignedInfogt element is the information that is
    actually signed. In this way also the algorithm
    names and the canonicalization algorithm are
    signed to resist attacks based on substituting a
    weaker algorithm.

12
SignatureMethod
  • ltSignatureMethodgt specifies the algorithm used
    for signature generation and validation. This
    algorithm identifies all cryptographic functions
    involved in the signature operation (e.g.
    hashing, public key algorithms, etc.).
  • ltSignatureMethodgt is a combination of a digest
    algorithm and a key dependent algorithm (and
    possibly other algorithms).

13
Public Key Algorithms 1
  • The XML-Signature specification defines a set of
    algorithms, their URIs, and requirements for
    implementation.
  • Signature algorithms take two implicit
    parameters, their keying material determined from
    ltKeyInfogt and the octet stream output by
    ltCanonicalizationMethodgt.

14
Public Key Algorithms 2
  • XML-Signature uses two well known public key
    algorithms, called
  • DSA and
  • RSA
  • The ltSignatureValuegt is calculated over the
    SHA-1 digest of ltSignedInfogt.
  • The signature algorithms are therefore called
    DSAwithSHA1(short DSSDigital Signature Standard)
    and RSAwithSHA1

15
Example
ltSignature Id"MySig" xmlns"http//www.w3.org/200
0/07/xmldsig"gt
ltSignedInfogt
... Some code not shown ...
ltSignatureMethod Algorithm"http//www.w3.org/2000
/07/xmldsigdsa-sha1"/gt
ltReference URI"http//www.w3.org/TR/2000/REC-xhtm
l1-20000126/"gt
... Some code not shown ...
ltDigestMethod Algorithm"http//www.w3.org/2000/07
/xmldsigsha1"/gt
ltDigestValuegt...lt/DigestValuegt
lt/Referencegt
ltReference ...gt
... Some code not shown ...
lt/Referencegt
lt/SignedInfogt
ltSignatureValuegt...lt/SignatureValuegt
ltKeyInfogt ... Some code not shown
... lt/KeyInfogt
lt/Signaturegt
16
Metadata of a publication for humans
17
Old html metatags included in the resource
18
RDF metadata for the resource in an extra xml file
19
Softwaretools 1
20
Software- tools 2
21
Software- tools 3
22
Commercial providers of xml-security software
23
Available java software with a friendly license
24
The signing process
25
The work of the signing applet
26
Key exchange via PKCS 12
27
Certificate-Management in Netscape - own
certificates
28
Import of an OpenSSL generated self signed
certificate
29
Accepting foreign cerificates (e.g. to give
rights to an applet)
30
Allow the applet to read local files and
then read in the private key as p12-file
31
Collection of the material to be signed with
xerces help
32
A complete XML-signature for a publication
33
  • Problems
  • Not very widespread usage of certificates. Low
    acceptance
  • Dependence of browsers (IE, Netscape,...) and
    Java Versions (builtin, plugin, IBM, Sun,
    ...)

Danke für Ihre Aufmerksamkeit!
Write a Comment
User Comments (0)
About PowerShow.com