XML, Web Services, and the Data Revolution By Frank P. Coyle
Chapter 7. XML Security
Before we examine the issues related to XML security, it's important to understand the basics of e-commerce-based security so we can take note of the special issues introduced by XML. Figure 7.1 illustrates the three basic security requirements for e-business:
Figure 7.1. The three pillars of secure e-commerce.
These three dimensions of secure e-commerce rest on a foundation of cryptography. All cryptography operates according to the same basic principle: some algorithm or formula is used to scramble or encipher information so that it is difficult to determine its meaning without an appropriate key to unscramble or decipher the information. Approaches to cryptography fall into two main categories: single-key encryption, which relies on a single secret key to encode and decode information, and public-key cryptography, which uses two keys, one private and the other public, to encode and decode data.
Single-Key Cryptography
In the past, most encryption systems used a single secret key for encoding and decoding information. However, single-key encryption systems face the problem of making the single key known to the message recipient. During World War II, a similar but more sophisticated scheme was used when letter sequences from pages in popular novels were used as the basis for encrypting messages. However, schemes employing a single key exhibit one fundamental weakness: the decoding key must be somehow communicated from sender to receiver. Whether one uses a letter-offset technique such as replacing "a" with "b," "b" with "c," and so on, or a state-of-the-art 1024-bit encryption key to mathematically compute a substitute letter, there is still the problem of making the key known to the message recipient.
In electronic commerce, single-key systems are effective for secure communication between fixed devices such as ATM machines and servers, since encryption keys can be determined in advance and stored on both the server and the ATM machine. However, single keys don't work well on the Web, where commerce depends on individuals just showing up to do business. For the Web, the answer lies in public-key cryptography.
Public-Key Cryptography
Public-key cryptography enables secure communication between parties without the need to exchange a secret key. It is the basis for privacy, authentication, data integrity, and nonrepudiation, the basic elements for any Web-based e-commerce system. Public-key cryptography uses a complex mathematical formula to generate two separate but related keys, one open to public view and the other private, known only to one individual. The complementary public and private keys can be used to handle confidentiality and authentication. Each requires key usage in a slightly different way.
Confidentiality
Confidentiality in digital communication can be accomplished by using someone's public key to send a message. As Figure 7.2 shows, messages encoded with a public key can be decoded only by the corresponding private key, ensuring that the message is kept confidential. The owner of the private key never has to reveal that key to anyone.
Figure 7.2. Public-key (asymmetric) cryptography uses mathematically generated public and private keys.
Authentication
Keeping messages secret is only one aspect of electronic communication. Although a public key guarantees secrecy, it is impossible to authenticate the sender of the message encoded with a public key. However, messages encoded with the private key can be decoded only by the public key, thereby ensuring authentication.
Data Integrity
Data integrity ensures that the message received is the message sent. The technology for validating messages is called digital hashing. A digest or digital hash is an algorithmically generated short string of characters that uniquely characterizes a document. As Figure 7.3 shows, if the document changes in any way, recomputing the digest will yield a different result; if the document is copied verbatim, the digest will be exactly the same. Thus, to test the integrity of a document, one compares the digital hash of the original document with that of the version received; if the hashes do not match, the data integrity of the document has been compromised. Although it's theoretically possible for two different documents to generate the same digital hash, it's practically impossible to use this fact to defeat the comparison procedure.
Figure 7.3. A document digest is an algorithmically generated, abbreviated, unique representation of a document. If one character of the document is altered, the document digest will be different.
Digital Signatures
A digital signature is like writing your name across the face of a document. A digital signature in combination with public-key encryption is used to authenticate the identity of the sender by encrypting with a private key and to validate the content of the message by transmitting a copy of the digital hash of the message. Digital signatures can be used in a range of applications from online credit card purchases to the verification of complex legal documents. For example, if you send your will electronically to your attorney in another city, you want the assurance that someone can't intercept it along the way and make changes to it; you want a guarantee that the document that goes into your attorney's file is identical to the one you actually sent, and you want your attorney to have the assurance that the will actually came from you. To accomplish this, you must
Upon receiving the will, your attorney will
If the hashes match, the will can safely be recorded; if the hashes do not match, the will has been tampered with.
Managing Certificates and Private Keys
While digital signing is an important technology for ensuring secure e-commerce, keeping certificates and private keys secure remains one of the biggest security challenges. Unlike short passwords, which are usually easy to memorize, private- and public-key pairs are very difficult to memorize because they are mathematically generated. Certificate authorities address the problem of how to be sure that, when your lawyer retrieves your public key, it's really your public key and not someone else's. Certificates are issued by a CA, a trusted entity that manages certificate distribution. If each party in a transaction has a certificate issued from a trusted CA, the transaction can be completed. Once a CA is chosen, certificates from companies signed by that authority are trusted. However, trusting a CA is a matter of choice. Netscape Navigator and Microsoft Internet Explorer come with a list of certificates for some trusted CAs (like Verisign and Entrust). Current versions of both browsers let you manage that list, adding certificates for CAs you trust and removing those you choose not to trust.
When issued, a certificate is given a set life span, for example, 365 days. When it expires, a new certificate must be issued. However, the question of certificate revocation must also be addressed. There are many reasons why a certificate might need to be revoked long before it expires. For example, an e-commerce site may close down, in which case the certificate should be revoked so that it can't be used for improper purposes.
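Added example, not from the book: the digest comparison from the Data Integrity section and the sign-with-private-key, check-with-public-key exchange from the Digital Signatures section, written in Python with SHA-256 and textbook RSA (no padding). The key pairs are constructed from Mersenne primes so the code runs offline; those keys, the sample will text, and every function name are assumptions for illustration, and real signatures use randomly generated keys with a padded scheme such as RSA-PSS.

```python
import hashlib
import hmac

# Constructed toy key material so the example is reproducible offline.
# Primes of this special form are NOT safe for real keys.
E = 65537

def make_keypair(p, q):
    """Return (public, private) as ((n, e), (n, d)) for textbook RSA."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def digest(document: bytes) -> bytes:
    """The chapter's 'digital hash': SHA-256 over the document bytes."""
    return hashlib.sha256(document).digest()

def sign(document: bytes, private_key) -> int:
    """Sender: hash the document, then transform the hash with the private key."""
    n, d = private_key
    return pow(int.from_bytes(digest(document), "big"), d, n)

def verify(document: bytes, signature: int, public_key) -> bool:
    """Receiver: recover the signed hash with the public key, recompute, compare."""
    n, e = public_key
    if not 0 <= signature < n:
        return False
    recovered = pow(signature, e, n).to_bytes((n.bit_length() + 7) // 8, "big")
    expected = digest(document).rjust(len(recovered), b"\x00")
    return hmac.compare_digest(recovered, expected)  # constant-time comparison

SENDER_PUB, SENDER_PRIV = make_keypair(2**521 - 1, 2**607 - 1)
OTHER_PUB, _ = make_keypair(2**607 - 1, 2**1279 - 1)  # someone else's key pair

WILL = b"I leave my estate to my niece."       # constructed sample document
TAMPERED = b"I leave my estate to my nephew."  # altered in transit

def demo():
    sig = sign(WILL, SENDER_PRIV)
    return {
        "untouched": verify(WILL, sig, SENDER_PUB),
        "tampered": verify(TAMPERED, sig, SENDER_PUB),
        "wrong_public_key": verify(WILL, sig, OTHER_PUB),
    }

if __name__ == "__main__":
    print(demo())
```

The third result is the reason the certificate question matters: a genuine signature checked against the wrong public key fails, and a forged one checked against an impostor's key would pass, so the receiver has to know whose key it holds.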