Question: The status/design of XML Signatures and Encryption

There is a requirement to ensure integrity (signature) and confidentiality (encryption) to parts of XML documents.
Operating on a "bucket of bits" is easy. Operating on parts of XML documents requires the identification and processing of XML in an abstract (parsed) and consistently serialized (octets) context.
For example:
- Alice creates a form that will be filled in by a user Bob and sent on to CogsRUs
- Alice encrypts the payment authorization element in a key shared with CogsRUs.
- Alice signs all of the form except for the shipping address which is filled in by Bob.
- Bob passes the form to CogsRUs. He was unable to ascertain Alice's authorization, nor alter other portions of the form to his advantage.
- CogsRUs confirms the form is originally from Alice (signer-authenticity), it hasn't been modified (integrity), and then decrypts Alice's payment authorization information for order fulfillment.

2. dsig:Status

A joint WG of the IETF/W3C.
- Security and XML Coordination/Review
Signature Processing and Syntax in Candidate Recommendation / Proposed Standard.
Canonical XML is Proposed Recommendation / Informational RFC
Implementers have been exchanging and comparing examples on list since summer of 2000.

3. dsig: Design Principles

http://www.w3.org/TR/1999/WD-xmldsig-requirements-19991014.html#design-principles-scope

The specification must describe how to use XML syntax to represent a signature over digital content (and XML content in particular).
XML-signatures are generated from a hash over a list of references and the digest value of the references' content.
The meaning of a signature is simple: The XML-signature syntax associates the content of resources listed with a key via a strong one-way transformation.

4. dsig:Syntax

<Signature> 
 <SignedInfo> 
 <CanonicalizationMethod/>? 
 <SignatureMethod/> 
 <Reference (URI=)?> 
 <Transforms/>? 
 <DigestMethod/> 
 <DigestValue/> 
 </Reference>+ 
 </SignedInfo> 
 <SignatureValue/> 
 <KeyInfo/>? 
 <Object/>* 
 </Signature>

5. dsig:Features

Works with enveloped http://www.w3.org/2001/Talks/0525-xmldsig-xenc/all.htm#def-SignatureEnveloped signatures (signature within content being signed), envelopinghttp://www.w3.org/2001/Talks/0525-xmldsig-xenc/all.htm#def-SignatureEnveloping signatures (content is within signature being signed) and http://www.w3.org/2001/Talks/0525-xmldsig-xenc/all.htm#def-SignatureDetacheddetached signatures (over data external to the signature document).
Meets requirement of signing portions of documents via Transforms: processing the document before signing (e.g., C14N, XPath, etc.).
Very extensible.
Uses XML Schema (and DTD) to describe content model.
Dereferencing and transforms operate over octets or XPath node-sets. Conversion from one to the other requires canonicalization or parsing.

6. dsig:KeyInfo

KeyInfo permits extensible content; though we
- Provide explicit placeholders for X509, PGP, and SPKI structures.
- Define DSA and RSA key structures.
KeyInfo structures will also be used by XML Encryption.

7. dsig:Algorithms

[s04] <SignatureMethod Algorithm= "http://www.w3.org/2000/02/xmldsig#dsa"/>

Algorithm identifiers are URIs: extensible, with a few required to implement:

Type	Algorithm	Requirements	Algorithm URI
Digest	SHA1	REQUIRED	http://www.w3.org/2000/09/xmldsig#sha1
Encoding	Base64	REQUIRED	http://www.w3.org/2000/09/xmldsig#base64
MAC	HMAC-SHA1	REQUIRED	http://www.w3.org/2000/09/xmldsig#hmac-sha1
Signature	DSAwithSHA1 (DSS)	REQUIRED	http://www.w3.org/2000/09/xmldsig#dsa
Canonicalization	Canonical XML	REQUIRED	http://www.w3.org/TR/2000/WD-xml-c14n-20000907
Others	XPath	RECOMMENDED	http://www.w3.org/TR/1999/REC-xpath-19991116

8. xenc:Status

A W3C WG, first met March 2001
Hopes to quickly publish the following Working Drafts
- XML Encryption Requirements
- XML Encryption Processing and Syntax
- Encryption Signature Transform: a signature transform that allows encryption and signature to be combined.

9. xenc: Design Goals

http://www.w3.org/TR/1999/WD-xmldsig-requirements-19991014.html#design-principles-scope

Describe how to use XML to represent a digitally encrypted Web resources including XML, and portions thereof. Presently limited to elements (not attribute values).
Provide for the separation of encryption information from encrypted data, and support reference mechanisms for addressing encryption information from encrypted data sections and vice versa.
Provide for recursive encryption (capable of encrypting XML with portions already encrypted)

10. xenc:Example

In the encrypted version of an XML instance, the <EncryptedData> element will appear in place of an encrypted element or its content.

Before:

<Animals> <Cat/> <Rodents> <Rabbit/> 
<Mouse/> </Rodents> <Dog/> <Animals>

After Rodents are encrypted

<Animals> <Cat/> <EncryptedData xmlns=""> 
<CipherText>M3MXCV...</CipherText> 
</EncryptedData> <Dog/> <Animals>

11. xenc:Syntax

<EncryptedData Id="" Type=""> 
<EncryptedKey/>? <EncryptionMethod/>? 
<ds:KeyInfo> ... <enc:EncryptedKey/> 
</ds:KeyInfo>? 
<CipherText URI="">iamscrambled</CipherText> 
</EncryptedData>

12. xenc:Features

Element Encryption.
Uses structures and features of XML Signature wherever possible.
Very extensible
Can be used with XML Signature such that a recipient knows which encrypted blocks were encrypted before and after signature creation: she needs to leave those encrypted before signature generation untouched for the signature to validate.
Uses XML Schema to describe content model.

13. xenc:Algorithms

Algorithm identifiers are URIs: extensible, with a few required to implement:

Type	Algorithm	Requirements
Block Encryption	AES/3DES	REQUIRED
Key Transport	AES-RSA-OEAP 3DES-RSA-v1.5	REQUIRED
MAC	AES/3DES with SHA1	OPTIONAL
Signature	XML Signature	OPTIONAL
Canonicalization	Canonical XML	OPTIONAL
Compression et al	n/a

14. References

XML-Signature Syntax and Processing http://www.w3.org/TR/xmldsig-core/
Canonical XML http://www.w3.org/TR/xml-c14n
XML Encryption WG http://www.w3.org/Encryption/2001/

Biography

Joseph Reagle, Jr.

Policy Analyst, W3C/LCS/MIT
Massachusetts Institute of Technology
Cambridge
Massachusetts
USA
Email: reagle@w3.org Web: www.w3.org/People/Reagle

Joseph Reagle - Joseph Reagle is a Research Engineer at the MIT Lab for Computer Science where he serves as a W3C public policy analyst, and Working Group Chair for the joint IETF/W3C XML-Digital-Signature Working Group and the W3C XML Encryption Working Group. At the W3C, he has also worked on privacy, content-selection/free-speech, and intellectual property issues as they relate to the Internet. Mr. Reagle has a Computer Science degree from UMBC and a Masters from MIT's Technology and Policy Program, where he was a Research Assistant at the Research Program on Communication Policy. Joseph has been a Resident Fellow at the Berkman Center for Internet & Society at the Harvard Law School where he wrote about Web-data schema design and contract law, computer agents and legal agency, and Internet culture and democratic/anarchist principles. He's also done short consulting projects for Open Market (electronic commerce protocols) McCann-Erickson (Internet and interactive media) and go-Digital (Internet gambling).

	21-25 May 2001 Internationales Congress Centrum (ICC) Berlin, Germany
Home \| Indexes \| Relations \| Search \| About \| Help